CalvinBackup/Embedded-Hacking
1
0
Fork 0
mirror of https://github.com/mytechnotalent/Embedded-Hacking.git synced 2026-04-01 17:10:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Embedded-Hacking/WEEK02/WEEK02-03.md
Kevin Thomas 1457a4bb8e Refactor E and S
2026-03-19 15:01:07 -04:00

83 lines
2.6 KiB
Markdown
Raw Permalink Blame History

# Embedded Systems Reverse Engineering
[Repository](https://github.com/mytechnotalent/Embedded-Hacking)
## Week 2
Hello, World - Debugging and Hacking Basics: Debugging and Hacking a Basic Program for the Pico 2
### Non-Credit Practice Exercise 3: Examine Memory Around Your String
#### Objective
Inspect the byte-level layout of your injected string in SRAM and correlate bytes to characters.
#### Prerequisites
- Pico 2 connected with OpenOCD, GDB, and a serial monitor ready
- `build\0x0001_hello-world.elf` flashed and running
- Ability to break before `__wrap_puts` at `0x1000023c`
- A payload already written to SRAM (e.g., at `0x20000000` from Exercise 1)
#### Task Description
You will use `x/20b` to view the bytes surrounding your injected string, decode the characters, and confirm the presence of control characters and the null terminator.
#### Step-by-Step Instructions
##### Step 1: Connect and Halt
```gdb
(gdb) target extended-remote :3333
(gdb) monitor reset halt
```
##### Step 2: Break Before `puts()` and Run
```gdb
(gdb) b *0x1000023c
(gdb) c
```
##### Step 3: Ensure a String Exists in SRAM
If needed, re-inject a payload:
```gdb
(gdb) set {char[14]} 0x20000000 = {'h','a','c','k','y',',',' ','w','o','r','l','d','\r','\0'}
(gdb) set $r0 = 0x20000000
```
##### Step 4: Examine Bytes Around the String
```gdb
(gdb) x/20b 0x20000000
```
##### Step 5: Decode the Output
- Map each byte to ASCII: e.g., `0x68` ? `h`, `0x0d` ? `\r`, `0x00` ? `\0`.
- Note any bytes before/after the string to ensure you did not overwrite adjacent data.
##### Step 6: Resume Execution
```gdb
(gdb) c
```
#### Expected Output
- A byte dump where the sequence matches your string (`68 61 63 6b 79 2c 20 77 6f 72 6c 64 0d 00`).
- Confirmation of the carriage return (`0x0d`) and null terminator (`0x00`).
- Stable program output in PuTTY after resuming.
#### Questions for Reflection
###### Question 1: Which bytes mark the end of the printable string, and why are they needed?
###### Question 2: How would misaligned writes show up in the byte view?
###### Question 3: What risks arise if you overwrite bytes immediately after your string?
#### Tips and Hints
- Use `x/20bx` if you prefer hex with ASCII side-by-side.
- Keep the dump length modest (20 bytes) to avoid clutter while still seeing context.
- If the bytes look incorrect, re-run the injection command to reset the buffer.
#### Next Steps
- Try viewing a different address (e.g., `0x20001000`) to compare layouts.
- Experiment with longer strings and observe how the byte dump grows.
- Move on to Exercise 4 to automate the hack workflow.
Reference in New Issue View Git Blame Copy Permalink