Skip to content

Book Review - Reverse Engineering Code with IDA Pro

This week I managed to read Reverse Engineering Code with IDA Pro. I was pretty curious about the book because it's the first book specifically about everyone's favourite disassembler IDA Pro and it turned out to be very different from what I expected.

Co-authored by Dan Kaminsky (editor), Justin Ferguson, Jason Larsen, Luis Miras, and Walter Pearce, Reverse Engineering Code with IDA Pro sets out to give an introduction to IDA Pro and how to use it to reverse engineer software. The book is approximately 310 pages long and divided into nine chapters ("Introduction", "Assembly and Reverse Engineering Basics", "Portable Executable and Executable and Linking Formats", "Walkthroughs One and Two", "Debugging", "Anti-Reversing", "Walkthrough Four", "Advanced Walkthrough", "IDA Scripting and Plug-Ins").

Let's skip the Introduction chapter because it's only four small paragraphs long and does not say a lot. The second chapter called "Assembly and Reverse Engineering Basics" tries to make sure that everybody who reads the book has some kind of idea about IA-32 assembly. That's probably a good idea since the entire book deals exclusively with IA-32 code and people from all kinds of different backgrounds might be interested in the book. There are a few problems with this chapter though. According to the authors "The point of this chapter is simply to give those who are either unfamiliar with or a little rusty on the subjects presented in this book a base to work from [...]". This is not what the chapter does though. Some parts of this chapter read like a monologue of Grandpa Simpson who can't stop rambling on and on. In the beginning of the chapter, you read all the stuff you expect from an IA-32 refreshment chapter but while explaining basic IA-32 stuff, the authors can't find a cut-off point and mention more and more advanced concepts which are completely irrelevant for the rest of the book because the whole book deals with user-land IA-32 Windows programs. The two most striking examples are on page 14 (where the authors keep digging deeper and deeper into the differences between Ring-0 and Ring-3) and on page 18 (where - for whatever reason - address translation/paging mechanisms of the IA-32 architecture are explained).

Another problem with this chapter and indeed with the entire book is the quality of the screenshots/figures. Most figures are very blurry. Most screenshots are very pixelated. Some figures are so blurry that I am unsure whether people who don't already know their content can even read them. One of the worst examples is figure 3-4. Can people who have never read the name of the PE header field SizeOfStackReserve before read the name in this figure?

The third chapter is called "Portable Executable and Executable and Linking Formats". It gives a brief overview of the 32-bit Windows Portable Executable format and the ELF format used by Linux. It's pretty curious that the authors decided to describe the ELF format considering that all code examples and reverse engineering examples mentioned later in the book are Win32 examples. Linux is basically never mentioned again after this chapter. If you can deal with the extremely blurry figures that describe the PE format, the PE part of the chapter is solid enough. Note that the description of the PE format is intentionally incomplete. This is perfectly fine of course as the chapter is only supposed to make sure that the reader knows enough about the PE format to understand later chapters.

Chapter four ("Walkthroughs One and Two") is where the fun begins. Enough with the refreshers and on with the reverse engineering stuff. The first walkthrough is a small crackme where the reader is supposed to find a hardcoded password in a binary file. While walking the reader through the crackme, various IDA options and commands are explained (change the base of number literals, what hotkeys are provided by IDA, how to rename functions, ...) and what to look for in disassembled code. The second walkthrough is promised as "[...] and then leverage this knowledge in order to find [sic] vulnerability within the binary. Applying these two approaches, we'll finally be able to understand the steps actually needed to exploit the application". I'm not sure if the authors keep this promise. Maybe I just missed this second walkthrough but according to CTRL-F "vulnerability" and "exploit" are never mentioned again in this chapter.

The fifth chapter is all about debugging with IDA Pro. The authors introduce the IDA Pro debugger by toying around with an exploitable version of netcat and walking the reader through a short analysis of the exploit. Breakpoints are set, instructions are single-stepped, parts of the memory are modified. Related concepts about debugging and things to look out for (like stack cookies) are mentioned too. Even the screenshots are of better quality in this chapter. At the end of the chapter alternative debuggers are mentioned too. I can not rule out that this chapter is supposed to be the second walkthrough mentioned in the previous chapter. After all the fifth chapter is about exploiting a vulnerability. However, the quote from the fourth chapter I mentioned above and the name of the fourth chapter strongly suggest that the fifth chapter is not the second walkthrough.

The sixth chapter, "Anti-Reversing" explains that many programs don't like to be debugged or disassembled. To give the reader an idea about anti-debugging tricks, the authors first explain how debugging works on the IA-32 architecture. This is followed by an example. Curiously enough, the example falls into the realm of anti-disassembling and not really into anti-debugging. An example file is given which doesn't use a regular import table but loads its required imports dynamically using the hashs-of-functionnames trick. Furthermore the authors promise that they "[...] will explore mostly ring-3 based implementations of circumventing both disassembly and debugging, but to spice things up some we will also touch on some ring-0 based concepts". I think I missed the spice again and CTRL-F only finds two locations where ring-0 is mentioned later in this book (both locations are about the existence of ring-0 debuggers). Entry point obfuscation is also briefly mentioned (but not really explained) in the last paragraph of this chapter. I guess that justifies the use of plural ("concepts") at the beginning of the chapter.

The 7th chapter is called "Walkthrough Four". The alert reader might notice at this point that book does not contain a "Walkthrough Three". Like I mentioned I'm also not finding a "Walkthrough Two" but at least "Walkthrough Two" was advertised. "Walkthrough Three" is never even mentioned anywhere. Maybe that anti-disassembling stuff from the last chapter is supposed to be Walkthrough Three but I can only guess so because the word "walkthrough" is not even mentioned a single time in the whole chapter. Anyway, this chapter is about determining the structure of a network protocol. The first thing that's introduced is a new problem with the figures. The authors present control flow diagrams (figures 7.1 and 7.2) that do not have arrows on the edges that connect the nodes. This makes them harder to understand than necessary. While recovering the protocol of a sample file, the IDA concepts of tracing, IDC scripting, and IDAPython are introduced.

Chapter 8 is another walkthrough chapter called "Advanced Walkthrough". It's about reversing some kind of UPX-packed adware. At first the UPX layer is removed with the help of the Universal Unpacker plugin. Afterwards FLIRT signatures are applied to the disassembly and the reader gets to play around with the disassembled code.

The 9th and final chapter is about "IDA Scripting and Plug-ins" (available as a free sample chapter). In the first half of the chapter, the authors introduce the IDC scripting language. What's cool about this part is the list of useful IDC functions. For the poor souls who still write IDC scripts, this section provides a very nice overview of IDC functions with just the right signal/noise ratio. The second half of the chapter is about writing plugins using the IDA SDK. The reader is told how to set up his development environment and what the main parts of the IDA SDK are. Useful IDC and SDK examples are given in this chapter too. I consider this chapter to be the most useful chapter of the book. The only downside is that I refuse to believe that anybody proof-read this chapter. Sometimes there are two spelling mistakes in just one sentence.

Alright, let's wrap this up. The entire book feels like it was supposed to be much more than it actually is. Then the deadline was coming and the book had to be released in a half-finished state. Some guy on IRC (who is actually trying to learn about IDA Pro) made the following comment about the book: However much it sucks, it seems preferable so far to learning about GAEM HAX from forums full of elitist 14 year old idiots. That's probably true.

Later this year Chris Eagle's IDA Pro book will be released. Let's see if he can do a better job.

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

frank boldewin on :

hi sebastian,

that's exactly what i expected. it's the same kind of book quality like "disassembling with ida pro and softice". good enough as introduction for the reversing newbie, but nothing interesting here for intermediate or advanced people. i really hope chris eagle's book will be more advanced. a good book recommendation for you might be this one:

http://www.amazon.com/Advanced-Debugging-Addison-Wesley-Microsoft-Technology/dp/0321374460

well written by skilled ms people and spiked with dozens of good ideas to enhance the power of a debugger. ;-)

sp on :

Hi Frank,

the Advanced Windows Debugging book is indeed a good recommendation. I've actually been reading it for a while (I'm in chapter 6 now) and it's very good. I'll probably post a review of it in the next 14 days.

Suggestions on improving debuggers is obviously something I need. :-)

jf on :

As one of the authors on that book, you're absolutely right. The entire project was a nightmare and I will never deal with syngress again. Interestingly enough, for every problem you listed there is actually a reason why it turned out that way.

Intro chapter overly long/defines things not necessary: The outline changed a couple times, and this was one of the first chapters written.

ELF?: The outline changed a couple times, and this was one of the first chapters written. Publisher agreed with author that chapter should be dropped for being a nonsequitor, then put it in there anyways.

Missing walkthrough: ack, i didnt know that. I knew it wasn't done because the author writing it flaked out and stopped doing anything, I didn't know the publisher did so poorly as to not remove references.

Anti-reversing: deadlines and a PM who was a nazi about the 30-page per chapter count. I was really disappointed by this and that I was pressed out of time and didn't get to finish the chapter. Actually, you'll note that several of the chapters just come to an abrupt end, every time that was people freaking out on deadlines or page counts.

sp on :

Hi jf,

I'm sorry to hear about your problems with the publisher. I had heard about the problems with changing authors before I read the book, but I never knew that the whole writing and publishing process was in such a sorry state.

asdf on :

Mr. Ferguson: would you be able to say which authors worked on which chapters? Thanks.

jf on :

Hi asdf, sure, if you send me an email (can get from sp), or provide me an email I can provide that information.

new@reversing on :

I am reading the book now found it online. Hope that it will teach a newbie. IOActive has a presence larger than life primarily because of the twitterverse.

JF same as Milw0rm's JF?

new@reversing on :

I am reading the book now found it online. Hope that it will teach a newbie. IOActive has a presence larger than life primarily because of the twitterverse.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
Form options

Submitted comments will be subject to moderation before being displayed.