Book Review - The IDA Pro Book

About two weeks ago I received a copy of Chris Eagle's new book The IDA Pro Book (Official Website / Amazon). The publisher No Starch Press was nice enough to send me a free copy of the book to write a review for it. Thank you No Starch Press. And even though I've sworn the official RE blogger's oath to uphold my blog to the highest journalistic standards, this obviously means that my review is completely biased because I hope that No Starch Press will continue to send me books for free (please contact me for a precise list of the books I'm interested in, thanks in advance).

Anyway, less talk about No Starch Press and more about The IDA Pro Book. Written by Chris Eagle, The IDA Pro Book is the latest book that tries to guide reverse engineers through the exciting world of binary files you've "lost" the source code for. The approximately 580 pages of the book (it's not 640 pages long as claimed on Amazon) are divided into 26 chapters which are themselves grouped into six parts.

The first part is called "Introduction to IDA" and contains the chapters "Introduction to Disassembly", "Reverse Engineering and Disassembly Tools", and "IDA Pro Background". These chapters give a brief overview of disassemblers, the disassembly process, other RE tools which are not IDA Pro, and all kinds of product information about IDA Pro. I knew this book would be good when I read the sentence "These exist but aren't relevant to this book and will not be discussed" about 4th generation programming languages right on the second page. Comparable sentences exist throughout the book. Finally an author who knows when to stop.

In the chapters "Getting Started with IDA Pro", "IDA Pro Displays", "Disassembly Navigation", "Disassembly Manipulation", "Datatypes and Data Structures", "Cross References and Graphing", and "The Many Faces of IDA", the second part, "Basic IDA Usage", explains the GUI of IDA Pro and what you can do with it. This part is about the aspects of IDA Pro most people use every time they work with IDA Pro. Examples include the individual IDA Pro windows (Disassembly window, Names window, ...), how to navigate through the disassembly and the stack, how to comment and modify parts of the disassembled code, and so on. Most people who have already used IDA Pro for a while will probably be familiar with more than 80% of these chapters.

The third part, "Advanced IDA Usage", is where things begin to get really interesting. In the chapters "Customizing IDA", "Library Recognition using FLIRT Signatures", "Extending IDA's Knowledge", and "Patching Binaries and Other Limitations", Chris Eagle begins to discuss more advanced features of IDA Pro. While the customization chapter is probably not too interesting to most IDA Pro users, the explanation of IDA's FLIRT signatures and how to create your own signature libraries is very detailed and useful. Chris Eagle explains how IDA Pro recognizes functions and matches function signatures and how to create new signature libraries for your own library files.

The fourth part, "Extending IDA's Capabilities", is where the book really starts to shine. In the chapters "Scripting with IDC", "The IDA Software Development Kit", "The IDA Plug-In Architecture", "Binary Files and IDA Loader Modules", and "IDA Processor Modules", Chris Eagle starts to tread on ground that is only sparsely documented elsewhere on the internet. Starting with simple IDC scripts and ending with your own loader and processor modules (with full source code available on the official website of the book), everything there is to know about extending IDA Pro using scripts and plugins is explained. Especially the last two chapters about IDA Loader Modules and IDA Processor Modules are of immense value, because these plugin types belong to the least documented parts of IDA Pro and such a thorough explanation of them can probably not be found anywhere else.

Part five, "Real World Applications", contains four chapters where Chris Eagle tries to give real world examples of binary code and how to apply the knowledge from the first four parts of the book to reverse engineer the code. In "Compiler Variations" the reader learns how to recognize certain possibly interesting parts of code (like switch statements, the main function, ...) when compiled with different compilers like Visual C++ or GCC. In "Obfuscated Code Analysis" a few small examples of obfuscated code and how to deobfuscate them using either a static or a dynamic approach are given. "Vulnerability Analysis" gives a few introductory facts about discovering vulnerabilities in software and how to develop exploits for them. "Real world IDA Plug-Ins" is a short review of popular IDA Pro plugins like Hex-Rays or IDA Python.

The sixth and last part of the book is called "The IDA Debugger". It is kind of amusing that this section comes after the "Real World Applications" part, implying that the debugger is not useful in the real world. If you consider that the IDA Pro debugger is the red-headed stepchild of the IDA world, this is probably not surprising. Anyway, this part is divided into three chapters: "The IDA Debugger", "Disassembler / Debugger Integration", and "Linux, OS X, and Remote Debugging with IDA". In the first chapter the reader is taught what options exist in the debugger and how to use them. The second chapter is the "Real World Applications" equivalent for the debugger, with obfuscated code given as the example and reason to switch from static analysis to dynamic analysis. The third chapter explains what debugging options are available on which platform.

Following the sixth part, there are three additional appendices. The first one (Using IDA Freeware 4.9) and the third one (What's new in IDA Pro 5.3) are probably not too interesting but the second one (IDC / SDK Cross-Reference) is rather cool. In this appendix Chris Eagle lists many (all?) IDC functions available in IDA Pro and their equivalent C functions in the IDA SDK. This should turn out to be really useful in practice.

Alright, that was the description of the book. Now it's time for my thoughts about it.

One of the last books I reviewed was Reverse Engineering Code with IDA Pro, an incredibly bad book edited by Dan Kaminsky. Back then I complained about pretty much everything, including the number of typos, the bad layout, the unreadable screenshots, and so on. The IDA Pro Book is the complete opposite of Kaminsky's book. It has a well-defined audience and a clear outline, it is very well edited, screenshots and figures are clearly readable, and so on. From a didactic point of view, this book is basically what I want books to be like.

The content is great too. The biggest value of the book is that it goes much deeper than the official IDA Pro documentation and provides all important parts of advanced IDA Pro usage in one place. I guess the book eliminates the need to search the web for some of the more esoteric and sparsely documented aspects of the IDA Pro SDK, although I can't say that for sure before I've actually used the book while writing a more advanced IDA Pro plugin.

However, this book does not turn you into a knowledgeable reverse engineer. It will turn you into a knowledgeable IDA Pro user but nothing more. That's perfectly fine, of course. It's like reading a 1000-page Photoshop tome. Reading one of those will teach you what buttons to press to activate a certain function, but it will not turn you into an artist or a designer. This is not a criticism of Chris Eagle's book. Far from it. I actually like the precise focus on IDA Pro without trying to cover all the other topics you need to learn about in the RE world. This gives the book a depth that is missing from many other books that try to cover all topics somehow. I only want to make clear to the reader of this review that if you want to learn reverse engineering of binary code, you need additional literature. The IDA Pro Book alone is not going to cut it.

To sum up my review, this book definitely gets a strong buy recommendation from me. It's well written and it covers IDA Pro more comprehensively than any other written document I am aware of (including the actual IDA Pro Manual). Furthermore, I'm confident that everybody, even people who have used IDA Pro for a decade, will learn something from the book and can use it as a reference in daily work.
