Pico Hacking (Part 12 - Debugging float)

For a complete table of contents of all the lessons please click below; it gives a brief summary of each lesson in addition to the topics it covers. https://github.com/mytechnotalent/Reverse-Engineering-Tutorial

Let's review our example. 0x05_float.c as follows.

#include <stdio.h>
#include "pico/stdlib.h"

int main() 
{
  stdio_init_all();

  while(1) 
  {
    float x = 40.5;

    printf("%f\n", x); 

    sleep_ms(1000);
  }

  return 0;
}

Let's fire it up in our debugger, telling radare2 that this is 16-bit (Thumb) ARM code.

radare2 -a arm -b 16 0x05_float.elf

Let's auto analyze.

aaaa

Let's seek to main.

s main

Let's go into visual mode by typing V and then p twice to get to a good debugger view.


The literal pool entry at 0x0000033c holds a pointer to the format string, so we dereference it with the square-bracket syntax to see the string itself.

:> psz @ [0x0000033c]
%f

The next literal pool entry, at 0x00000340, holds the floating-point constant itself rather than a pointer to it.

:> pff @ [0x00000340]
0x00004000 = 9.32830524e-09

Do not worry about the 9.32830524e-09: the square brackets tell radare2 to treat what is stored at 0x00000340 as an address and to read a float from there, not from 0x00000340 itself, so that number is meaningless (the host being x64 has nothing to do with it; the IEEE 754 encoding is identical on every architecture). What is important to see is the value 0x4000 that actually sits in the literal pool. You then ask yourself, hey, that is not 40.5! What is the deal?

The Pico has no floating-point unit, so the Cortex-M0+ handles floats and doubles with software routines, but those routines still use the standard IEEE 754 bit layout. printf takes a %f argument as a double, so the compiler promotes x to double before the call, and 40.5 as a 64-bit double is 0x4044400000000000. The compiler only needs to keep the upper 32 bits, 0x40444000, in the literal pool, since the lower 32 bits are all zero and can be generated with a single move; 0x4000 is the low halfword of that word, which is what our 16-bit view is showing us.

The neighbouring values confirm it. 40.4 as a double is 0x4044333333333333, so its upper word is 0x40443333 and the halfword in the pool would be 0x3333. Conversely, 40.6 is 0x40444CCCCCCCCCCD, upper word 0x40444CCC, halfword 0x4CCC.

Take a look at the following table, which steps the upper word of a double through its lowest bits. 0x3ff00000 is the upper word of 1.0 (the full double is 0x3ff0000000000000), and one unit in that word is one unit in the top 20 mantissa bits, i.e. 2^-20, just under a millionth. Printed with %f, which shows six decimals, that gives:

0x3ff00000 = 1.000000
0x3ff00001 = 1.000001 (exactly 1 + 2^-20 = 1.00000095...)
0x3ff00002 = 1.000002 (1.00000190...)
...
0x3ff0000f = 1.000014 (1.00001430...)
0x3ff00010 = 1.000015 (1 + 2^-16 = 1.00001525...)
0x3ff00011 = 1.000016 (1.00001621...)
etc...

Because the step is 2^-20 rather than exactly 0.000001, the printed value falls behind a simple count after a handful of steps, so do not expect the last printed digit to track the hex value one for one.

Ultimately the 8 bytes (64 bits) of the double determine the value printed, and the upper 4 bytes (32 bits) we are looking at hold the sign bit, the 11-bit exponent and the top 20 bits of the mantissa, so changing even one halfword there is enough to move the value.
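The following program is an added example for this lesson, not code from the lesson or from the Pico SDK. It runs on the host (any architecture; an FPU changes nothing about the bit layout) and reproduces the encodings discussed above: the float and double bits of 40.4, 40.5 and 40.6, the upper word and the halfword a 16-bit view shows, the 0x3ff000xx table printed with %f, and one caveat for the next lesson. It assumes that the literal pool holds only the upper 32 bits of the double and that the lower 32 bits stay zero, which is consistent with the 0x4000, 0x3333 and 0x4CCC values above; the helper names are my own.

```c
/* ieee754_pool.c: how 40.5 becomes 0x40444000 and the halfword 0x4000.
 * Added example, not part of the Pico lesson. Build and run on the host with:
 *   gcc -std=c99 -Wall ieee754_pool.c -o ieee754_pool && ./ieee754_pool */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* memcpy is the portable way to read raw bits without violating aliasing rules. */
uint64_t double_bits(double d)   { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
uint32_t float_bits(float f)     { uint32_t u; memcpy(&u, &f, sizeof u); return u; }
double   bits_double(uint64_t u) { double d;   memcpy(&d, &u, sizeof d); return d; }

/* Upper 32 bits of a double: sign, 11-bit exponent, top 20 mantissa bits. */
uint32_t high_word(double d) { return (uint32_t)(double_bits(d) >> 32); }
/* Lower 32 bits: the remaining 32 mantissa bits (all zero for 40.5). */
uint32_t low_word(double d)  { return (uint32_t)double_bits(d); }
/* The halfword a 16-bit radare2 view shows at the pool slot: low half of the upper word. */
uint16_t pool_halfword(double d) { return (uint16_t)high_word(d); }

/* Rebuild a double from an upper word alone (lower word zero), as in the 0x3ff000xx table. */
double from_high_word(uint32_t hi) { return bits_double((uint64_t)hi << 32); }

/* Overwrite only that halfword and leave the other 48 bits alone, which is what
 * patching the pool slot in place does. Assumption: the lower word is zero. */
double patch_pool_halfword(double d, uint16_t hw) {
    uint64_t bits = double_bits(d) & ~((uint64_t)0xFFFF << 32);
    return bits_double(bits | ((uint64_t)hw << 32));
}

struct ieee754_double { unsigned sign; int exponent_unbiased; uint64_t mantissa; };

/* Split a double into its three IEEE 754 fields (exponent bias 1023 removed). */
struct ieee754_double decode_double(double d) {
    uint64_t b = double_bits(d);
    struct ieee754_double r;
    r.sign = (unsigned)(b >> 63);
    r.exponent_unbiased = (int)((b >> 52) & 0x7FF) - 1023;
    r.mantissa = b & ((1ULL << 52) - 1);
    return r;
}

/* What printf("%f") shows for d (six decimals), returned as a string for comparison.
 * Uses a static buffer, so copy the result before calling it again. */
const char *fmt_f(double d) {
    static char buf[64];
    snprintf(buf, sizeof buf, "%f", d);
    return buf;
}

int main(void) {
    const double vals[] = { 40.4, 40.5, 40.6 };
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        double d = vals[i];
        struct ieee754_double p = decode_double(d);
        printf("%-5g float=0x%08X double=0x%016llX high=0x%08X low=0x%08X halfword=0x%04X"
               " (2^%d, mantissa 0x%013llX)\n",
               d, float_bits((float)d), (unsigned long long)double_bits(d),
               high_word(d), low_word(d), pool_halfword(d),
               p.exponent_unbiased, (unsigned long long)p.mantissa);
    }

    /* The table: one unit in the upper word is 2^-20, not 0.000001. */
    const uint32_t table[] = { 0x3ff00000, 0x3ff00001, 0x3ff00002,
                               0x3ff0000f, 0x3ff00010, 0x3ff00011 };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        double d = from_high_word(table[i]);
        printf("0x%08X = %s (%.17g)\n", table[i], fmt_f(d), d);
    }

    /* Caveat for the next lesson: writing 0x3333 over the halfword of 40.5 does not
     * give an exact 40.4, because a real 40.4 also carries 0x33333333 in the lower word. */
    double patched = patch_pool_halfword(40.5, 0x3333);
    printf("40.5 with halfword 0x3333 -> %s", fmt_f(patched));
    printf(" (a real 40.4 prints %s)\n", fmt_f(40.4));
    return 0;
}
```

The last two lines are the practical point for anyone about to patch the pool: the halfword is enough to recognise the constant and to move it, but since the lower 32 mantissa bits are untouched, the patched value is 40.399994 rather than 40.400000.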

In our next lesson we will hack the float and demonstrate this logic.
