Reverse Engineering Code with IDA Pro (英語) ペーパーバック – 2008/3/26
Kindle 端末は必要ありません。無料 Kindle アプリのいずれかをダウンロードすると、スマートフォン、タブレットPCで Kindle 本をお読みいただけます。
If you want to master the art and science of reverse engineering code with IDA Pro for security R&D or software debugging, this is the book for you. Highly organized and sophisticated criminal entities are constantly developing more complex, obfuscated, and armored viruses, worms, Trojans, and botnets. IDA Pro's interactive interface and programmable development language provide you with complete control over code disassembly and debugging. This is the only book which focuses exclusively on the world's most powerful and popular took for reverse engineering code.*Reverse Engineer REAL Hostile Code
To follow along with this chapter, you must download a file called !DANGER!INFECTEDMALWARE!DANGER!... 'nuff said.
*Download the Code!
The companion Web site to this book offers up really evil code for you to reverse engineer and really nice code for you to automate tasks with the IDC Scripting Language.
*Portable Executable (PE) and Executable and Linking Formats (ELF)
Understand the physical layout of PE and ELF files, and analyze the components that are essential to reverse engineering.
*Break Hostile Code Armor and Write your own Exploits
Understand execution flow, trace functions, recover hard coded passwords, find vulnerable functions, backtrace execution, and craft a buffer overflow.
Debug in IDA Pro, use a debugger while reverse engineering, perform heap and stack access modification, and use other debuggers.
Anti-reversing, like reverse engineering or coding in assembly, is an art form. The trick of course is to try to stop the person reversing the application. Find out how!
*Track a Protocol through a Binary and Recover its Message Structure
Trace execution flow from a read event, determine the structure of a protocol, determine if the protocol has any undocumented messages, and use IDA Pro to determine the functions that process a particular message.
*Develop IDA Scripts and Plug-ins
Learn the basics of IDA scripting and syntax, and write IDC scripts and plug-ins to automate even the most complex tasks.
Dan Kaminsky is the Director of Penetration Testing for IOActive. Previously of Cisco and Avaya, Dan has been operating professionally in the security space since 1999. He is best known for his "Black Ops" series of talks at the well respected Black Hat Briefings conferences. He is also the only speaker who has attended and spoken at every single "Blue Hat" Microsoft internal training event. Dan focuses on design level fault analysis, particularly against massive-scale network applications. Dan regularly collects detailed data on the health of the worlwide Internet, and recently used this data to detect the worldwide proliferation of a major rootkit. Dan is one of the few individuals in the world to combine both technical expertise with executive level consulting skills and prowess.
Most of this book is just filler stuff, it seems like every page was written with the sole purpose of trying to add fluff so that the book was long enough that it looked like it contained substance. Do we really need half a page to print a table that does nothing but list every possible form a MOV instruction can take?
Later in the book, you read entire chapters and at the end of the chapter you reflect on the contents, and realize you've learned nothing. What's worse, you realize the book HAS SAID NOTHING.
The comments about the source code and the publisher are accurate as well. For heaven's sake, the book was published FOUR MONTHS AGO, and already the repository for the book's source and binaries has disappeared?! Come on, this is unacceptable. Every time the book dedicates an entire chapter to disassembling a binary, you have to pretty much skip the entire chapter, because the binary isn't available for you to disassemble. You can't follow along.
Not that it would have helped much anyway. In one example you try to disassemble and debug a version of the common netcat utility that has a vulnerability. The binary and source are available for download from a publi website. So you download it and start following the book, and nothing matches up. It's totally different, even though this is a public download! Why? Because there's no symbols available in the public download, and the one in the book was reversed with symbols. So now you have to build your own copy of it, but now the generated code is different because you're not using the same compiler, so you STILL can't follow along. Furthermore, the very first step in the walkthrough of finding this bug in the book says "The bug is in the SessionWriteShellThreadFn function, so we will start there". WOW THAT WAS SO OBVIOUS! I'm sure glad 80% of the problem came pre-solved so that we could get right down to the fluff and skip the actual learning part.
What's the target audience here? Should the reader be comfortable with IA32 instructions? Because the book tries to explain something about assembly, but it is so short that I don't even understand why filling a few pages with that. Also, the book does many assumptions about what the reader should know, how the IDA screen will look like (if you download the free version and do EXACTLY as they say, you won't have the same on the screen), etc.
And finally, there is information in the index of a chapter, but the pages are not there! It is not a problem of my book, it is a problem of the edition itself!
Chapter 1: Introduction - Five pages. Two screenshots of IDA and about' 300 words. In my opinion, even the introduction fell short. Absolutely nothing to learn here. Just two screenshots of IDA.
Chapter 2: Assembly and RevEng Basics >> 27 pages of what? 27 pages that if you are a beginner (who does not know anything about ASM) better not to read it because you will really want to run away ASM. If you have an intermediate level, you won't believe the assumptions that the author of this part made. It's like trying to compress the Britannica in 4 pages. Come on, it's much better to point the reader to a good ASM book or webpage. Trying to do a "complete" book that packs everything needed inside, is a fantasy.
In other words, this "Assembly Basics" chapter is not targeting any reader. No reader will benefit from that, and if I'm wrong, I would love to know.
Chapter 3: PE and ELF Formats >> Can you imagine something more boring to start with? Imaging trying to learn something that is fun and long. OK, now imagine starting from the most boring parts. Hey! A book is not a blog where you just drop unsorted info. It is a book. The authors and editor should take care of the order and to choose the best material for it. I can't believe that a reader who wants to learn RevEng with IDA Pro should read all this before going to the good staff.
Chapter 4: Walktroughs One and Two >> Now this chapter is really funny. The page 67 (Chapter 4) claims to have this items:
Understanding Execution Flow, Tracing Functions, Recovering Hard Coded Password, Finding Vulnerable Functions, Backtracing Execution, Crafting a Buffer Overflow.
The problem is that the editors (Syngress) forgot to include the latest three. Yes, exactly as you hear it: the editors forgot to place those pages on the book. What to listen again? The book says it has ABCDEF but when you open it, it has only ABC. If you have it on your hands, go to page 67 check it by yourself.
So because those "vanished chapters" were very interesting for me, I mailed the customercare of syngress three times: May 21, June 03, and June 10. No reponses from them.
Syngress does not seem to care a lot because they did not even reply to my emails.
In one line, the book falls very short on everything. You won't learn IDA from here. The samples are not EXACTLY as you will get on your screen. There are parts of the book that do not exist, and the authors do many assumptions. If you want to learn about the subject, I suggest you going with: [Advanced Windows Debugging - Mario Hewardt] and [Reversing: Secrets of Reverse Engineering - Eldad Eilam].
Good luck with your RevEng quest, and if you become a master, join the good guys! :) (And write good books) :)
>> Update on 15/Sept/2008 <<
It is funny that now Syngress has changed the names of the authors :) The original authors of this book simply vanished and now we have THE SAME BOOK "written" by Chris Paget which nobody knows, while in Amazon UK you have again THE SAME BOOK written by Joshua Pennel!!! :)
It is obvious that Syngress is teasing us. Why are they changing the authors? It is AMAZING. I want my money BACK but they refused to reply my emails!