Introduction to Reverse Engineering

UPDATE: This training is going to be filmed for our members away from home this weekend. 🙂

As you may know, HacDC will be holding its second training event. On June 28, 2008 we are inviting Bow Sineath to HacDC to teach our members (and non-members too, so bring your friends!) about the intricacies of reversing binaries using some of the latest tools in the field.

The following is an abstract from the trainer:

Over the past few years, reverse engineering has become a highly marketable and valuable skill backed by a number of powerful tools. With uses in incident response, vulnerability analysis, exploit development, malware analysis, DRM, and many others, the ability to reverse engineer code is becoming a very popular and desired skill. This class will teach the basics of reverse engineering, including the use of common tools, basic theory, the x86 instruction set, and identifying common code constructs. We may also delve into other issues, depending on time.

The class assumes basic programming knowledge (particularly C and/or C++) and no previous experience with IDA or the x86 instruction set. The class will consist of both lecture and practical exercises using “real world” binaries (with the exception of one).

The following are the tools we will be using:

Name: IDA Pro 4.9 freeware
This is the freeware version of the Interactive DisAssembler, the most powerful commercial disassembler on the market. IDA will disassemble a number of different executable formats and supports a wide range of processors (depending on the version); in addition, it has a powerful API and scripting language that can be used to further enhance its capabilities. The freeware version is version 4.9 and is fairly old, so most of the latest plugins and scripts will likely not work. The latest release, 5.2, supports a number of new features (eg debugging, better analysis, graphing, API enhancements) and processor formats.

Name: ImmDBG
The Immunity Debugger is a powerful debugger that has a number of very powerful features. Its specific purpose is exploit development; however, it can be used for a number of other purposes as well. It has a Python API which is fairly well documented, uses a GUI and has a powerful command line, and allows for remote debugging sessions. Best of all, it is free 🙂

Name: 010 Editor
010 Editor is a wonderful text editor; while there are alternatives (eg Hex Workshop), this is what I have been using for a while and have become familiar with. It isn't incredibly expensive ($50 for home/academic use), but it is very powerful and allows you to analyze binary file formats using scripts and "templates". You can see the website for screenshots; this is a lifesaver for anyone meddling in file formats.

I will also be posting some binaries (mostly DLLs) that I'll use for the class at some point this week. Most of them are from Microsoft, but one of them will be something I wrote so that they can compare the source to what the compiler produces. I would highly recommend that people go ahead and load them into IDA as soon as I get them out; I'm hoping to do it in a timely fashion (eg by Tuesday) so that they can go ahead and have the initial autoanalysis performed and we don't have to wait around for it. I can provide a brief description of how to do this (although it is relatively self explanatory) when I send out the binaries.
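As an added example (this is not the trainer's binary, which had not been posted at the time of this announcement), here is a small C program of the kind described above: a handful of the common code constructs the class covers, which you can compile yourself and load into IDA to compare the source against what the compiler produces. The suggested build flags and the comments describing what each construct typically looks like in x86 disassembly are assumptions based on usual compiler output, not on the class materials.

```c
/* Added example, not the trainer's binary: a small program with common
 * constructs to compare against IDA's disassembly.
 * Suggested build (assumption): gcc -O0 -o constructs constructs.c
 * (add -m32 for a 32-bit x86 binary), then rebuild with -O2 and
 * compare the two listings to see how optimisation changes the shapes. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Counted for-loop: in the disassembly look for a counter kept in a
 * register or stack slot, a cmp against the bound, and a conditional
 * jump back to the top of the loop body. */
uint32_t checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (sum << 3) ^ buf[i];   /* shl + xor are easy to spot */
    }
    return sum;
}

/* Dense switch: compilers commonly emit a bounds check on the case value
 * followed by an indirect jump through a table of code addresses
 * (a jump table, which IDA usually recognises and labels). */
const char *classify(int code)
{
    switch (code) {
    case 0:  return "zero";
    case 1:  return "one";
    case 2:  return "two";
    case 3:  return "three";
    case 4:  return "four";
    default: return "other";
    }
}

/* Call through a function pointer: expect an indirect call (call eax,
 * call [ebp+arg]) rather than a direct call to a named function, so the
 * callee is not visible to static analysis without tracing the pointer. */
typedef int (*cmp_fn)(const char *, const char *);

int matches(cmp_fn cmp, const char *a, const char *b)
{
    return cmp(a, b) == 0;
}

/* While-loop that walks a string until the NUL terminator: the classic
 * strlen shape (load byte, test, conditional jump, increment). */
size_t count_until_nul(const char *s)
{
    size_t n = 0;
    while (*s++) {
        n++;
    }
    return n;
}

int main(void)
{
    const uint8_t sample[] = "HacDC";   /* constructed sample input */

    printf("checksum(\"HacDC\") = %u\n", checksum(sample, 5));
    printf("classify(3) = %s, classify(9) = %s\n", classify(3), classify(9));
    printf("matches(strcmp, \"ida\", \"ida\") = %d\n", matches(strcmp, "ida", "ida"));
    printf("count_until_nul(\"reverse\") = %zu\n", count_until_nul("reverse"));
    return 0;
}
```

When you open the unoptimised build in IDA, each function above maps onto one of the construct shapes described in its comment; the -O2 build is the more instructive one, since the compiler may unroll the loop, inline `count_until_nul`, or fold the switch into a lookup of string pointers.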

Special thanks to Bow for coming out to teach the class!

See you on the 28th @ 2:00PM!