Learning Reverse Engineering 211
TheBoostedBrain writes "Mike Perry and Nasko Oskov have written a very complete article about reverse engineering. It provides an introduction to reverse engineering software under both Linux and Windows."
Mirror (Score:2, Informative)
Re:Mirror (Score:5, Funny)
We would use wget -r.
GNU-style flags are annoying to us lazy folk
Re:Mirror (Score:2, Informative)
Re:Mirror (Score:3, Informative)
Re:Mirror (Score:1)
http://www.slimdevices.com/temp/reveng/www.acm.
For original, seems just the structure has been modified.
JG
What happens when the original 404s? (Score:5, Funny)
Re:What happens when the original 404s? (Score:2)
Re:What happens when the original 404s? (Score:3, Funny)
Re:What happens when the original 404s? (Score:2, Funny)
Re:What happens when the original 404s? (Score:2)
I like this one the best =D
Re:Mirror (Score:1)
As a sidenote: congrats to Perry and Nasko!
A note from the sysadmin of www.acm.uiuc.edu (Score:3, Informative)
Thanks, but no need - we've got boatloads of bandwidth at uiuc, and the web server is hardly noticing:
[staffin@winston staffin]$ uptime
21:20:19 up 79 days, 18:17, 3 users, load average: 0.24, 0.27, 0.32
Not bad. It's an ultra5/360 running Debian with 256MB of RAM, btw. I think this pretty much demonstrates that the slashdot effect is all about bandwidth, not the speed of the server.
Re:A note from the sysadmin of www.acm.uiuc.edu (Score:2)
Often, an article (esp controversial material) disappears due to administrative action. Other times even small text pages can cause a site to shut down due to CPU-intensive dynamic generation or usage quotas.
Besides, it only took all of three seconds to webwhack it.
Betting pool anyone? (Score:3, Insightful)
Re:Betting pool anyone? (Score:2)
Re:Betting pool anyone? (Score:5, Funny)
No need to. We'll take care of it just fine.
Re:Betting pool anyone? (Score:2)
Re:Betting pool anyone? (Score:2)
DMCA i.r.t. Reverse Engineering (Score:5, Informative)
`(2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.
`(3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.
`(4) For purposes of this subsection, the term `interoperability' means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.
DMCA [eff.org]
Re:DMCA i.r.t. Reverse Engineering (Score:3, Insightful)
Re:DMCA i.r.t. Reverse Engineering (Score:2)
Re:DMCA i.r.t. Reverse Engineering (Score:3, Interesting)
Second, you may have missed the bit in the standard warranty and EULA that says the vendor accepts no responsibility if the software doesn't do what they say it will do
Re:DMCA i.r.t. Reverse Engineering (Score:3, Insightful)
You are correct for the most part. What I was talking about was the circumvention of copy protection for the purpose of performing testing. I suppose it would have been
Microsoft API's (Score:2)
Re:Microsoft API's (Score:2)
So this means that attempts to figure out [how] to program to any of a number of Windows API's are not DCMA circumvention violations?
No, the process that you describe, Windows code developers call "code development" or "debugging"; newcomers often mistakenly call this "spelunking" or "skeet shooting after sunset".
Re:Betting pool anyone? (Score:3, Funny)
Re:Betting pool anyone? (Score:2)
So you're expecting a few bunker busters courtesy of G. W. Bush in their server room anytime now?
Reverse Engineered (Score:2, Funny)
So, I would suspect the site will have to be taken down if it is just a copy of the copyrighted reverse engineering process. However, if it was properly reverse engineered, then it would not be considered a copy...or, uh, something like that.
This is another one... (Score:1)
That'll come in handy (Score:3, Funny)
whatabout truss/strace/ktrace? (Score:5, Informative)
truss under Solaris is even more useful than strace under Linux or ktrace under the BSDs; you can also trace function entry points into user-level ELF solibs.
Re:whatabout truss/strace/ktrace? (Score:3, Informative)
http://www.acm.uiuc.edu/sigmil/RevEng/x288.htm#
No it's not -- that's just a TOC entry (Score:5, Interesting)
For the readership out there, I'm sure those will be covered in the future; in the meantime, read your strace/ktrace/truss man pages. Run them on the application you're trying to RE before doing *anything* else. Sometimes, those dumps can provide *amazing* insight into the behaviour and structure of the program (particularly if you're good with 'grep'), especially if you're trussing and using the program interactively.
Yes, the book does cover strace/truss (Score:2)
strace/truss (Solaris): These programs trace system calls a program makes as it makes them. Useful options:
1. -f (follow fork)
2. -ffo filename (output trace to filename.pid for forking)
3. -i (Print instruction pointer for each system call)
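The strace/truss grep session the two posts above describe, as an added example that is not from the book or from anyone in this thread: a small Python parser over constructed `strace -f -i` output that tallies syscalls per pid and pulls out the failed file lookups and connect() calls one usually hunts for by hand. The sample lines, paths and pids are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `strace -f -i` output (not captured from a real
# program): an optional pid prefix in either of strace's two styles, an
# optional [instruction pointer] from -i, then syscall(args) = result.
SAMPLE = """\
1234  [00007f1a2b3c4d5e] execve("/opt/demo/app", ["app"], 0x7ffc0) = 0
1234  [00007f1a2b3c4e10] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  [00007f1a2b3c4f22] clone(child_stack=NULL, flags=CLONE_VM) = 1235
[pid  1235] [00007f1a2b3c5010] open("/home/user/.app.lic", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  1235] [00007f1a2b3c5010] open("/opt/demo/app.lic", O_RDONLY) = 4
[pid  1235] [00007f1a2b3c5100] read(4,  <unfinished ...>
[pid  1234] [00007f1a2b3c5200] connect(5, {sa_family=AF_INET, sin_port=htons(443)}, 16) = 0
[pid  1235] <... read resumed> "DEMO-KEY", 4096) = 8
"""

LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid1>\d+)\]\s+|(?P<pid2>\d+)\s+)?'  # pid prefix (-f)
    r'(?:\[(?P<ip>[0-9a-f]+)\]\s+)?'                      # instruction pointer (-i)
    r'(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'               # syscall(args) =
    r'(?P<ret>-?\d+|0x[0-9a-f]+|\?)'                      # return value
    r'(?:\s+(?P<errno>E[A-Z]+)\s+\((?P<errmsg>[^)]*)\))?\s*$')  # optional errno

def parse_strace(text):
    """Return one dict per completed syscall line. The '<unfinished ...>'
    and '<... resumed>' halves of interleaved calls do not match and are
    skipped; use -ff -o to get one clean file per pid instead."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            pid1, pid2 = d.pop("pid1"), d.pop("pid2")
            d["pid"] = pid1 or pid2
            calls.append(d)
    return calls

FILE_CALLS = {"open", "openat", "stat", "access", "readlink"}

def summarize(calls):
    """Syscall counts per pid, plus what a grep over the trace usually hunts
    for: paths the program looked for but did not find (config, license and
    plugin probing) and outbound connect() attempts."""
    per_pid = defaultdict(Counter)
    for c in calls:
        per_pid[c["pid"]][c["name"]] += 1
    missing = [re.search(r'"([^"]*)"', c["args"]).group(1)
               for c in calls if c["name"] in FILE_CALLS and c["errno"] == "ENOENT"]
    connects = [c["args"] for c in calls if c["name"] == "connect"]
    return {"per_pid": dict(per_pid), "missing": missing, "connects": connects}

if __name__ == "__main__":
    s = summarize(parse_strace(SAMPLE))
    for pid, counts in sorted(s["per_pid"].items()):
        print(pid, dict(counts))
    print("missing files:", s["missing"])
    print("connect() calls:", s["connects"])
```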
Re:whatabout truss/strace/ktrace? (Score:2)
Thanks for the pointer! (Score:2)
I suppose I could go the upgrade route, but that'd mean a new kernel, which needs a new gcc, which needs a new glibc *argh*
Maybe I'll just dig up ltrace.c and see if it'll go.
Re:whatabout truss/strace/ktrace? (Score:5, Informative)
Re:whatabout truss/strace/ktrace? (Score:3, Informative)
Unfortunately, not under 2.6. It does work on 2.8+ and can occasionally be a lifesaver. 'ltrace' under Linux does pretty much the same thing.
Truss (Score:2)
However, you can do most RE of 2.x binaries under 2.8, due to the wonderfully static ABI.
Re:whatabout truss/strace/ktrace? (Score:2)
Cygwin has strace
Re:whatabout truss/strace/ktrace? (Score:2)
really dumb question... (Score:2, Interesting)
Re:really dumb question... (Score:3, Informative)
Good info (Score:2, Insightful)
Oh come on, it's easy (Score:5, Funny)
mimosa: ~ $ echo 'engineering' | rev
gnireenigne
What more do you need to know?
Re:Oh come on, it's easy (Score:5, Funny)
How to make it stop, that's what!
bash-2.05a$ rev
moo
oom
exit
tixe
quit
tiuq
Ctrl-D
D-lrtC
OK now it's just being a smartass.
Re:Oh come on, it's easy (Score:1)
Re:Oh come on, it's easy (Score:2)
?
README: From the Authors (Score:5, Informative)
In fact, the book looks more complete than it actually is. Most of the chapters are basically just an outline that we've been filling in as we go along.
Keep checking the book periodically for more updates, as again, this is a work in progress. If you notice any omissions, or have any contributions, we would be glad to take them.
Thanks,
Nasko Oskov & Mike Perry
Re:README: From the Authors (Score:1)
Re:README: From the Authors (Score:1)
Re:README: From the Authors (Score:4, Insightful)
Re:README: From the Authors (Score:2, Informative)
Zip works fine, but if you're aiming for 100% cross-platform, tarballs are king.
Info-ZIP UnZip [info-zip.org] is claimed to be the third most portable C program.
Tarballs are used on every Unix and Unix clone OS in existence, not just Linux.
Microsoft Windows ME and Microsoft Windows XP operating systems ship with Microsoft Compressed Folders, a feature that can read and write .zip files in a manner similar to that of WinZip and WinRAR but cannot make head nor tail of .tar.gz files.
Re:README: From the Authors (Score:2)
Re:README: From the Authors (Score:2)
.rar is not any sort of standard. Since you are going out on a limb, why didn't you just add Microsoft .cab to your list?
Once you find a publisher (Score:2)
Good work so far, my other comment notwithstanding.
Wow, that is a long article...any ideas for POS? (Score:5, Interesting)
Very Good article, and I admit that I did not understand all of it, nor did I read all of it. However I did forward it along to a couple of friends who do not regularly /.
Here is a reverse engineering feat for you all...POS(Point of Sale) terminal equipment. Specifically to replace NSC(National Systems Corporation) and similar diamond touch gear. If you can reverse engineer a system for taking customer's orders(think pizza/food), showing it on multiple screens around the store, and keeping track of inventory, sales numbers and statistics, customer tracking and history...wow you would be great. Nobody wants to spend $15-30,000 for a new POS system. Nobody.
Biggest problem is that these small operators spend that much money on the system, that they are obligated and forced into using it for 10+ years, well after the hardware(monitors/keyboards) wear out. Then get stuck purchasing proprietary stuff at the same cost it was at the original purchase price...several hundred dollars for a custom keyboard...get real.
Somebody please show me where there is a project to reverse engineer this with an X window under RedHat/Slack. Even terminal would be fine. The current system runs text only...over 1 pair of copper in a phone plug(rj11).
Re:Wow, that is a long article...any ideas for POS (Score:2)
Wow. Good luck. (Score:3, Interesting)
As far as specifications go with hardware...the simpler it is the better. Honestly, do you want to code to something that is unfamiliar? No. You want to run x11 on a Plain old P4 or something with 5 pci video cards in it. vga monitors. Not monochrome monitors running off two wires that make ugly text displays. Something simple to program, and even simpler to replace.
Seriously, you could sell this commercially if you found a backer.
Re:Wow, that is a long article...any ideas for POS (Score:1)
google:"Fravia" + "+orc" (Score:2)
Not for the Faint of Heart.
It's nice to see this coming back, but all of this was discussed ad nauseam ~1996ish.
Also has a nice 404 :) (Score:3, Interesting)
Ooo.. now I see. It's ".edu"
Learn from the masters. (Score:5, Interesting)
Along with reversing tutorials and materials, there is a rich history behind this stuff. A man named +ORC published a tutorial on how to reverse engineer a Windows program called pooldemo.exe. From this text, an era was born. The Fravia website was created and was home to the +HCU. Many people sought after the true identity of +ORC, and he left a strainer (riddle) behind that would take you to a URL where he would be unmasked supposedly. Just look up "ORC riddle" on google for details. Neat stuff!
Re:Learn from the masters. (Score:2)
Heh. I remember those days. I already knew most of the R-E techniques +ORC expounded upon, but I did find his recipe for the martini-vodka most refreshing.
Re:OT, Way OT (Score:2)
Painfully bad, isn't it? :)
Re:Learn from the masters. (Score:2)
Although the more fun and obscure stuff like copy protection back in the 5.25" floppy era isn't covered (i.e. most of the cracks on the site make use of software techniques only, not a lot of hardware tricks), it serves as a good starting point for newbies.
Remember, the DMCA does not limit people who reverse engineer stu
Very useful... (Score:3, Interesting)
Re:Very useful... (Score:2)
Play "Black Box" for a while. (Score:4, Interesting)
There was a slick plastic game called Black Box back when thinking games like Mastermind were raking in the dough. There are Java and PalmOS varieties of the game. It's a nice three-minute game to while away a bus stop wait, and it helps you get in the mindset of what reverse engineering really means.
The inside of the Black Box is an 8x8 square. There are 8 ports on each side of the square. One player sets some marbles inside the covered square, and the other player tries to deduce their locations by the behavior of "rays" entering and exiting the box ports. Some rays go all the way through, some reflect off the balls inside, and some glance off the balls and go out some other side of the box.
Re:Play "Black Box" for a while. (Score:4, Informative)
Re:Play "Black Box" for a while. (Score:2)
(compiling tonight's CVS now - and believe me, the nightly compiles really are - if I don't go to bed early enough, it won't be ready in the morning. Here's fingers crossed for kgpg and sound to be back again)
Complete? My ass! (Score:2, Funny)
When will I be able to get this in paperback so I can read it while I'm sittin' on the can?
This book falls short (Score:4, Informative)
Re:This book falls short (Score:3, Interesting)
Looks like they're trying to have Slashdot readers write their book for them. It's not a bad idea, but it would be easier if they added editing/comme
Re:This book falls short (Score:2)
(unless I'm mistaken here) they weren't at all involved in the posting of a link to slashdot.
Re:This book falls short (Score:2)
Obviously, they're not going to target solely Slashdot readers. And perhaps, they didn't want the link to go out too soon. But either way, they chose to publish an incomplete draft of their book out in the open and they seem open to the idea that other people send them contributions.
Re:This book falls short (Score:2)
Sure, with that number of editors the result can only be good. (NOT)
Re:This book falls short (Score:2)
At this point, I am just pointing out a way to easily collect more information. When all that content is gathered in a semi-organized fashion, those two guys can and should restructure/rewrite the entire book from scratch.
Immature (Score:5, Insightful)
"We don't know about you, but to us, software that we don't have source code to just pisses us off. So we figure: screw it, lets do some damage.
Cheap comments like this really degrade this book.
Re:Immature (Score:2, Insightful)
Banned from bibliographies (Score:3, Insightful)
Is it supposed to cause certain groups of people to turn their noses up at this? What group would that be?
How about the "I'm not going to cite this book in a bibliography because I cite only works that I would recommend to fellow professionals, who by the way do not appreciate obscene humor in the context of their jobs" group?
I can't think of any group or person with that reaction who would be of the inclination to reverse engineer things.
You mean like Compaq? Lots of Big Corporations(tm) reverse-
reverse engineer data formats!!! (Score:2)
It's the format used on Siemens cellphones to play midi (subtypes 0,1)! Siemens says it is closed...
When you transfer a
Re:reverse engineer data formats!!! (Score:2)
Ollydbg (Score:5, Informative)
Here are a couple of beginner-level articles I've written on reverse-engineering malicious code:
Reverse Engineering Hostile Code [lurhq.com]
Alien Autopsy: Reverse Engineering Win32 Trojans on Linux [lurhq.com]
Ida Pro (Score:2)
Re:Ollydbg (Score:5, Interesting)
Code Reading - The Open Source Perspective (Score:5, Informative)
Mod Parent Up (Score:2)
How do you do it? Well, I hope this book can give me more insights.
Re:Code Reading - The Open Source Perspective (Score:2)
To be honest, from what I can see of this book, it doesn't seem to help that much.
Easily getting into a large project means more than just doing a make tags. Personally, I find an eliding editor is great for getting the overview, but I
can't have a book on reversing without (Score:2, Informative)
3 cheers for Nasko and Perry (and SIGMil) (Score:2, Insightful)
Good job guys! Keep it up!
They also run the most excellent ACM Special Interest Group at U of Illinois-Urbana Champaign. Anybody who's interested in this kind of research should check it out when they host meetings in the fall.
RE/Cracking tutorials and games (Score:5, Informative)
There are a few games/challenges out there about reverse engineering, cracking, logic and programming. Give them a try if you wish (Arcanum is really nice):
AngularVision [virtualave.net], Apotheosis [hypermart.net], Arcanum [arcanum.co.nz], Aspect [l8nite.net], Aspect2 [aspectgames.net], C&CDisIncorporated [virtualave.net], CyberArmy [cyberarmy.com], Disavowed [disavowed.net], Electrica [caesum.com], Escape [angelfire.com], HackME [members.home.nl], HackersGames [hackergames.net], HackersLab [hackerslab.org], HackQuest [hackquest.com], Hybrid [lameindustries.org], ICEFortress [icefortress.com], Lamebulun [lamebulun.net], Mod-X [mod-x.co.uk], NetSplit [nsplit.com], NGSEC'sSecurityGame [ngsec.biz], ProblemSetArchive [acm.uva.es], ReverserCourse [reverser-course.de], SlyFX [slyfx.com], TheGame [prohosting.com], and Try2hack [try2hack.nl].
have fun
Using Sniffer to Reverse Engineer (Score:3, Interesting)
complete? (Score:2, Informative)
area is reverse engineering. The book only talks about low level reverse engineering (i.e. executable code). Most of the research in the area is at the source level.
This is not a criticism targeted at the authors, but at the submitter.
Re:complete? (Score:2)
device drivers? (Score:3, Interesting)
Let's say for example, a certain manufacturer of popular media cards actually has Linux drivers for their hardware, running on an ARM in a set-top box, but refuses to release these drivers, open or closed, to pc users. If I had said drivers in hand, could I port them to i386?
Re:incomplete (Score:2)
Re:Will This Let Me... (Score:1, Offtopic)
Program in Pascal (Score:3, Funny)
"Official" PDF version here (Score:4, Informative)