Introduction To Reverse Engineering Software

Welcome    Why?    Training    Games    ChangeBlog    External Resources    Submit Content

 

Creator:     (2011) Matt Briggs  

Instructor: (2013-current) Frank Poz  @knowmalware


License:    Creative Commons: Attribution, Share-Alike

(http://creativecommons.org/licenses/by-sa/3.0/)


Class Prerequisites: Introduction to Intel x86 or equivalent knowledge.


Lab Requirements: Windows system with IDA Pro (Free 5.0 is acceptable). Microsoft Visual Studio 2008 redistributable package.


Class Textbooks: “Reversing: Secrets of Reverse Engineering” by Eldad Eilam,

The IDA Pro Book” by Chris Eagle


Recommended Class Duration: 2 days


Creator Available to Teach In-Person Classes: Yes


Author Comments:


Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated and incompatible software, understanding malicious code, or exploiting weaknesses in software.


In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.


Topics include, but are not limited to:

•Uses for RE

•The tricks and pitfalls of analyzing compiled code

•Identifying calling conventions

•How to navigate x86 assembly using IDA Pro

•Identifying Control Flows

•Identifying the Win32 API

•Using a debugger to aid RE

•Dynamic Analysis tools and techniques for RE


During the course students will complete many hands on exercises.


This class serves as the prerequisite for Reverse Engineering Malware




Latest Class Materials

reclass_2014.zip (TiddlyWiki (html+javascript) & analyzed binaries (PE))


To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2014”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.



Class Materials (2013)

reclass_2013.zip (TiddlyWiki (html+javascript) & analyzed binaries (PE))


To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2013”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.



Full quality downloadable and .torrent QuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 (5:25) - What is RE and What Can it Tell Me?

Day 1 Part 2 (30:03) - Refresher

Day 1 Part 3 (34:57) - Know Your Tools

Day 1 Part 4 (2:24) - The basic RE algorithm

Day 1 Part 5 (7:14) - Applying the RE Algorithm to the Bomb Lab

Day 1 Part 6 (22:29) - Lab Outline

Day 1 Part 7 (6:33) - Creating the Bomb Lab Answers File

Day 1 Part 8 (6:41) - Phase 2 Introduction

Day 1 Part 9 (28:23) - Phase 2 Walkthrough

Day 1 Part 10 (6:54) - Phase 3 Introduction

Day 1 Part 11 (22:21) - Phase 3 Walkthrough

Day 1 Part 12 (8:57) - Phase 4 Introduction

Day 1 Part 13 (14:08) - Phase 3 Introduction

Day 1 Part 14 (32:40) - Debugging

Day 1 Part 15 (3:32) - Day 1 review

Day 2 Part 1 (15:12) - Day 1 review 2

Day 2 Part 2 (11:21) - Phase 5 Introduction

Day 2 Part 3 (22:14) - Phase 5 Walkthrough

Day 2 Part 4 (20:50) - Phase 6 Introduction

Day 2 Part 5 (27:47) - Phase 6 Introduction 2

Day 2 Part 6 (19:25) - Phase 6 Walkthrough

Day 2 Part 7 (38:31) - Phase 6 Walkthrough 2

Day 2 Part 8 (12:15) - Analyzing C++

Day 2 Part 9 (7:39) - Next Class, Other Languages, & Day 2 Review

(6:47:55 total, sans lab time)





Class Materials (2011)


All Material (TiddlyWiki (html+javascript) & analyzed binaries (PE))


To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2011”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.



Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 (57:36, 706 MB)

Day 1 Part 2 (1:17:18, 1 GB)

Day 1 Part 3 (29:49, 453 MB)

Day 1 Part 4 (38:36, 530 MB)

Day 1 Part 5 (36:06, 500 MB)

Day 2 Part 1 (49:29)

Day 2 Part 2 (54:58)

Day 2 Part 3 (40:09)

Day 2 Part 4 (1:10:10)

Day 2 Part 5 (58:51)

(8:33:02 total, sans lab time)




The videos are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides.



Revision History:


08-17-2014 - (1) Refined "Basic RE Algorithm" (2) Added Java Decompiler references (3) Added attribution for "Programs = Algorithms + Data Structures" quote (4) Added .NET deobfuscator reference (de4dot) (5) Minor formatting changes

09-29-2013 - Added materials & videos from Frank Poz’s updated version of the class which was delivered in 2013. Frank added the following sections to the class wiki - "Dealing with DLLs", "Other Languages", and "Basic RE Algorithm". He also added more coverage of object oriented (C++) code.

03-17-2013 - Made fine-grain class map more prominent

07-08-2012 - Day 2 videos uploaded to YouTube, & both days uploaded to Archive.org

07-01-2012 - Day 1 videos uploaded to YouTube

01-27-2012 - Created some 'missing' content, fixed a few flaws, and added a write-up for the last task

06-16-2011 - Initial class content upload


If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.