REVIEW: Reversing: Secrets of Reverse Engineering

This is a review of Reversing: Secrets of Reverse Engineering by Eldad Eilam. Unlike Practical Malware Analysis, this book does not focus solely on malware. It also covers topics such as the legalities of reversing, auditing, digital rights management (DRM), and copy protection. As such, I feel this book complements PMA, although there is a lot of overlap between the two.

This book was published in 2005 and suffers from some of the same problems as Practical Malware Analysis, in that much of the software used has been discontinued, is out of date, or has better alternatives available. This is not such a big deal, as the concepts are still very much the same; you’d just end up using different tooling to achieve the same results.

Verdict

I thought this was a good book and would recommend it to people who are beginners with reverse engineering. I would not recommend this book to those who have a bit of experience with reversing. As with many technical books, this focuses on the basics and does not go too deep into most of the topics presented.

I particularly enjoyed Part 2: Applied Reversing. Each of the chapters in this part of the book walks through a reverse engineering topic in depth and provides appropriate examples for the reader to follow along with.

The citations appendix provided links to a lot of academic whitepapers, books, and articles regarding reverse engineering topics. I appreciated this section because I was able to supplement my reading with relevant papers that took a much deeper dive than what was presented in the text.

Read the overview section below to see if this book would be interesting to you.

Buy it here: https://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817

Overview

This book is 595 pages long, containing 13 chapters split into 4 parts:

  • Part 1: Reversing 101
  • Part 2: Applied Reversing
  • Part 3: Cracking
  • Part 4: Beyond Disassembly

Four appendixes are provided:

  • Appendix A: Deciphering Code Structures
  • Appendix B: Understanding Compiled Arithmetic
  • Appendix C: Deciphering Program Data
  • Appendix D: Citations

The example code and software can be downloaded here: https://www.wiley.com/en-us/Reversing%3A+Secrets+of+Reverse+Engineering+-p-9780764574818

Part 1: Reversing 101

Chapter 1: Foundations

This chapter covers the basics of what reverse engineering is, why one would reverse engineer software, the types of tools involved, and briefly touches on the legalities of reversing. I feel that most people reading this book would likely know most of this already.

The legalities section focused on DMCA and software licensing. I felt this section provided the most value in the chapter.

Chapter 2: Low-Level Software

This chapter outlines fundamental computer science concepts:

  • Programming languages
    • C
    • C++
    • Java
    • C#
  • Control Flow
  • Data Structures
  • Stacks
  • Heaps
  • Assembly Language
  • Compilers
  • Virtual Machines
    • CLR
    • JVM
  • Just-in-time Compilers
  • Interpreters

I think most people with a development background can skip this chapter, but it did a good job of providing a high-level overview of how software works.

Chapter 3: Windows Fundamentals

This chapter covers Windows-specific topics:

  • Memory Management
    • Virtual Memory
    • Paging
    • Page Faults
    • Kernel Memory
    • User Memory
    • VAD Trees
    • Memory Management APIs
      • VirtualAlloc
      • VirtualProtect
      • VirtualQuery
      • VirtualFree
  • Handles
  • Objects
  • Processes
  • Threads
  • Context Switching
  • Synchronization Objects
    • Events
    • Mutexes
    • Semaphores
    • Critical Sections
  • Process Initialization
  • Win32 API
  • Native API
  • Syscalls
  • PE files
  • Input and Output
  • Structured Exception Handling (SEH)

This chapter covers a lot of ground on a deep topic and does a good job of explaining the fundamentals. It recommends reading the following books for more insight, which I also recommend:

  • Operating Systems: Design and Implementation
  • Windows Internals

Chapter 4: Reversing Tools

This chapter introduces the reader to the tools involved with reversing, and the strategies employed by these tools:

  • Offline Code Analysis (Dead-listing)
  • Live Code Analysis
  • Disassemblers
    • IDA Pro
    • ILDasm
  • Debuggers
    • User-Mode Debuggers
      • OllyDbg
      • WinDbg
      • IDA Pro
      • PEBrowse Professional Interactive
    • Kernel-Mode Debuggers
      • WinDbg
      • SoftICE
      • Kernel Debugging on Virtual Machines
  • Decompilers
  • System Monitoring Tools
    • FileMon
    • TCPView
    • TDIMon
    • RegMon
    • PortMon
    • WinObj
    • Process Explorer
  • Patching Tools
    • Hex Workshop
  • Miscellaneous
    • Dumpbin
    • PEView
    • PEBrowse Professional

Part 2: Applied Reversing

Chapter 5: Beyond the Documentation

I really liked this chapter. It covered reversing undocumented APIs. This chapter introduced me to Splay Trees, which I had never heard of before. Because I am a nerd who finds these kinds of algorithms interesting, I went down a few rabbit holes reading about them.

Chapter 6: Deciphering File Formats

This chapter covers reverse engineering file formats. Most of the reverse engineering material I’ve been exposed to so far covers reversing software. Every now and then I find a nice paper about reversing network protocols or file formats.

This chapter covers reverse engineering a custom file format used by Cryptex, a program written by the book’s author, which can be downloaded here: https://www.wiley.com/en-us/Reversing%3A+Secrets+of+Reverse+Engineering+-p-9780764574818

I really enjoyed this chapter and working through reversing this software on my own.

Chapter 7: Auditing Program Binaries

This chapter covers auditing software for vulnerabilities when you do not have access to its source code. An example walkthrough of IIS, looking for MS01-044, is provided. This chapter provides a very brief introduction to how one would use reversing for security research.

Chapter 8: Reversing Malware

This chapter touches on the basics of reversing malware. Specifically, it provides a walkthrough of reversing the Backdoor.Hacarmy.D malware. I really liked this chapter because the example malware was easy to reverse, yet covered a lot of ground, such as network communication, persistence, and packing.

Part 3: Cracking

Chapter 9: Piracy and Copy Protection

This chapter provides a high-level overview of software piracy and the measures companies take to protect their software from it:

  • Piracy
  • Class Breaks
  • Media-Based Protection
  • Serial Numbers
  • Challenge/Response
  • Online Activations
  • Hardware-Based Protection
  • Software as a Service (SaaS)
  • Digital Rights Management (DRM)
  • Watermarking
  • Trusted Computing

The book Surreptitious Software covers these topics in more depth.

Chapter 10: Antireversing Techniques

This chapter covers methods that developers can use to make their software harder to reverse engineer:

  • Stripping symbols
  • Obfuscation
  • Antidebugging Code
    • IsDebuggerPresent
    • SystemKernelDebuggerInformation
  • Code Encryption
  • Trap Flag
  • Checksums
  • Confusing Disassemblers and Decompilers
    • Table Interpretation
    • Inlining and Outlining
    • Interleaving Code
    • Ordering Transformations
    • Restructuring Arrays
    • Variable Encoding
  • Control Flow Transformations
    • Opaque Predicates

Chapter 11: Breaking Protections

This chapter outlines ways to break software protections. It provides a walkthrough of breaking a crackme named Defender.

Here are some of the topics covered in this chapter:

  • Patching
  • Key Generators
  • Brute Forcing
  • Decryption

This chapter recommends reading Applied Cryptography.

Part 4: Beyond Disassembly

Chapter 12: Reversing .NET

This chapter covers the basics of reversing .NET binaries:

  • CLR
  • MSIL
  • C#
  • Managed Code
  • Intermediate Language
  • Common Type System (CTS)
  • Linked Lists
  • .NET Decompilers
  • Obfuscators
  • Reversing Obfuscated .NET Code
  • XenoCode
  • DotFuscator
  • Remotesoft Obfuscator
  • Remotesoft Protector
  • Precompiled Assemblies
  • Encrypted Assemblies

Chapter 13: Decompilation

This chapter covers how decompilers work.

Appendix A: Deciphering Code Structures

This appendix shows how various high-level code constructs are represented in assembly.

Appendix B: Understanding Compiled Arithmetic

Appendix C: Deciphering Program Data

  • Calling Conventions
    • cdecl
    • fastcall
    • stdcall
    • thiscall
  • Global and Local Variables
  • Stack Variables
  • Imported Variables
  • Registers
  • Constants
  • Thread-Local Storage (TLS)
  • Alignment
  • Arrays
  • Linked Lists
    • Singly-linked
    • Doubly-linked
  • Trees
  • Classes
  • Virtual Functions

Appendix D: Citations

I was not able to find links to everything cited in this section.

One thought on “REVIEW: Reversing: Secrets of Reverse Engineering”

  1. Pingback: Week 01 – 2022 – This Week In 4n6
