Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Programming IT Technology

Learning Reverse Engineering 211

TheBoostedBrain writes "Mike Perry and Nasko Oskov have written a very complete article about reverse engineering. It provides an introduction to reverse engineering software under both Linux and Windows."
This discussion has been archived. No new comments can be posted.

Learning Reverse Engineering

Comments Filter:
  • Mirror (Score:2, Informative)


    Mirror here, just in case [slimdevices.com].

    What would we do without wget --recursive?
  • by Surak ( 18578 ) * <.surak. .at. .mailblocks.com.> on Sunday July 06, 2003 @05:09PM (#6379282) Homepage Journal
    How long before this site is taken down for DMCA violations?

    • How will they be able to gather evidence after it gets /.ed??
    • by phalse phace ( 454635 ) on Sunday July 06, 2003 @05:13PM (#6379307)
      ... taken down for DMCA violations?

      No need to. We'll take care of it just fine.

    • That's why I'm using my beautiful wget before this is lost forever.
    • by heli0 ( 659560 ) on Sunday July 06, 2003 @05:25PM (#6379366)
      `(f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

      `(2) Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.

      `(3) The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.

      `(4) For purposes of this subsection, the term `interoperability' means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.


      DMCA [eff.org]
      • The letter of the law means nothing when Microsoft/SCO/**AA/All that is evil in the world/etc. sicks a team of lawyers on the poor unsuspected guy who posted it. It's not what the law is, it's how much money you can spend on lawyers. Haven't you figured that out yet?
      • Interesting that this doesn't include a provision for circumventing protection for the purpose of black box testing. It seems to me that one of the most practical uses of reverse engineering in industry is to verify that the software does what you need it to do reliably and predictably. Such a legitimate use of reverse engineering is good for the supplier, the customer, and the end user, because it ensures the efficacy of the product for a particular use. For the end user, this ensures that the product perf
        • First I thought black box testing was testing specifically without knowledge of the internals of the system ie. you provide input after independently calculating the answer and then see if the output is the same as your expected answer. If you do it enough times and the answers are the same as your calcs then you can rely on the black box.

          Second, you may have missed the bit in the standard warranty and EULA that says the vendor accepts no responsibility if the software doesn't do what they say it will do

          • First I thought black box testing was testing specifically without knowledge of the internals of the system ie. you provide input after independently calculating the answer and then see if the output is the same as your expected answer. If you do it enough times and the answers are the same as your calcs then you can rely on the black box.

            You are correct for the most part. What I was talking about was the circumvention of copy protection for the purpose of performing testing. I suppose it would have been

      • So this means that attempts to figure out to program to any of a number of Windows API's are not DCMA circumvention violations?

        • So this means that attempts to figure out [how] to program to any of a number of Windows API's are not DCMA circumvention violations?

          No, the process that you describe, Windows code developers call "code development" or "debugging"; newcomers often mistakenly call this "spelunking" or "skeet shooting after sunset".

    • DMCA? They have weapons of mass decompilation, dammit!
    • Undoubtedly, someone will have a copyright/patent on reverse engineering methodologies.

      So, I would suspect the site will have to be taken down if it is just a copy of the copyrighted reverse enginieering process. However, if it was properly reversed engineered, then it would not be considered a copy...or, uh, something like that.
  • that's about to gain a permanent spot in my book collection. 'Nuff said.
  • by multipartmixed ( 163409 ) on Sunday July 06, 2003 @05:14PM (#6379314) Homepage
    I can't believe they left out truss/strace/ktrace. Even without debugging symbols, these utilities can tell you what system calls are being called, when they are called, and what arguments are being passed.

    truss under Solaris is even more useful than strace under Linux or ktrace under the BSDs; you can also trace function entry points into user-level ELF solibs.
  • by Anonymous Coward
    do the authors of the book linked have the text available as a single PS or PDF file?
  • Good info (Score:2, Insightful)

    by melete ( 640855 )
    I'm not sure that their claim that anyone who's read a "How to Learn [C|C++|Java|*] in nn Days" should be able to follow the article is correct, but it's a good intro nonetheless. The section on binary formats (ELF, etc.) is particularly useful.
  • by BabyDave ( 575083 ) on Sunday July 06, 2003 @05:22PM (#6379358)

    mimosa: ~ $ echo 'engineering' | rev
    gnireenigne

    What more do you need to know?

  • by mikepery ( 131050 ) <slashdot@untrust ... YOems minus city> on Sunday July 06, 2003 @05:31PM (#6379398) Homepage
    Well this was most unexpected. We still have a lot of work to do on this book, and are still in the process of looking for a publisher. In fact, both Nasko and I were working on the book as this was posted (quite a shock!). We're still putting together screenshots, describing debugging utilities, etc..

    In fact, the book looks more complete than it actualy is. Most of the chapters are basically just an outline that we've been filling in as we go along.

    Keep checking the book periodically for more updates, as again, this is a work in progress. If you notice any ommissions, or have any contributions, we would be glad to take them.

    Thanks,

    Nasko Oskov & Mike Perry
    • Wow took a second glance at your username, looked like 'mikeperv' for a minute. Was thinking, what kind of books do you guys right with a username like that!
    • Post an article ot slashdot when you feel finished. And a tar.gz of the HTML files would be nice.
    • Let me know, and I'll find you some purchasers.

      Good work so far, my other comment notwithstanding.
  • by skogs ( 628589 ) on Sunday July 06, 2003 @05:34PM (#6379414) Journal
    Kudos go out to the guy that found this and submited it. Hopefully you knew the guys involved, and didn't just accidently find this information while searching the internet for self worth.

    Very Good article, and I admit that I did not understand all of it, nor did I read all of it. However I did forward it along to a couple of friends who do not regularly /.

    Here is a reverse engineering feat for you all...POS(Point of Sale) terminal equipment. Specifically to replace NSC(National Systems Corporation) and similar diamond touch gear. If you can reverse engineer a system for taking customer's orders(think pizza/food), showing it on multiple screens around the store, and keeping track of inventory, sales numbers and statistics, customer tracking and history...wow you would be great. Nobody wants to spend $15-30,000 for a new POS system. Nobody.

    Biggest problem is that these small operators spend that much money on the system, that they are obligated and forced into using it for 10+ years, well after the hardware(monitors/keyboards) wear out. Then get stuck purchasing proprietary stuff at the same cost it was at the original purchase price...several hundred dollars for a custom keyboard...get real.

    Somebody please show me where there is a project to reverse engineer this with an X window under RedHat/Slack. Even terminal would be fine. The current system runs text only...over 1 pair of copper in a phone plug(rj11).

    • Let me guess and release it all open source? You have the big problem that people with programming experience dont have a buring need for POS software. Granted there are quite a few vendors out there that would love it for the support contract. But your seeing one of the flaws of open source you have to find an interested group of programmers to write one for free generaly.
    • "Here is a reverse engineering feat for you all...POS(Point of Sale) terminal ........" You would be inviting an attack by the legal representation of mad squirrels! Squirrels are very teritorial little creatures. http://www.squirrelsystems.com/press/pr/Mar0502.ht ml
    • google search for fravia and "+orc". Lots of indepth articles at reverse engineering, how compilers work, etc. Much more practical and interesting, not to mention loads of indepth information that, honestly, surpass what's present in these articles.

      Not for the Faint of Heart.
      It's nice to see this coming back, but all of this was discussed ad naseum ~1996ish.
  • by arcanumas ( 646807 ) on Sunday July 06, 2003 @05:38PM (#6379430) Homepage
    The part i had time to read before the *you know what* was really good. But there is something else. This server probably has the best 404 page i have seen. Some people spend some time to make a really nice 404 page?
    Ooo.. now i see. it's ".edu"
    :)
  • by JohnwheeleR ( 662355 ) on Sunday July 06, 2003 @05:39PM (#6379436)
    For an excellent source of reverse engineering material, you really should check out the old Fravia pages [anticrack.de]. This is the original stuff right here.

    Along with reversing tutorials and materials, there is a rich history behind this stuff. A man named +ORC published a tutorial on how to reverse engineer a Windows program called pooldemo.exe. From this text, an era was born. The Fravia website was created and was home to the +HCU. Many people sought after the true identity of +ORC, and he left a strainer (riddle) behind that would take you to a URL where he would be unmasked supposedly. Just look up "ORC riddle" on google for details. Neat stuff!
    • A man named +ORC published a tutorial on how to reverse engineer a Windows program called pooldemo.exe. From this text, an era was born.

      Heh. I remember those days. I already knew most of the R-E techniques +ORC expounded upon, but I did find his recipe for the martini-vodka most refreshing.

    • As the author of an essay on Fravia's pages I can attest how useful the site is. If you go through 5 maybe 10 of the essays you'll know a lot obout reverse engineering today's software.

      Although the more fun and obscure stuffs like copy protections back in the 5.25" floppy era isn't covered (i.e. most of the cracks on the site make use of software techniques only, not a lot of hardware tricks), it serves as a good starting point for newbies.

      Remember, the DMCA does not limit people who reverse engineer stu
  • Very useful... (Score:3, Interesting)

    by Realistic_Dragon ( 655151 ) on Sunday July 06, 2003 @05:42PM (#6379447) Homepage
    Given some of the code I get to deal with (19(7/8)0s vintage C, much of which is older than I am) it's probably easier to reverse engineer the binary and look at it there...
  • by Speare ( 84249 ) on Sunday July 06, 2003 @05:46PM (#6379462) Homepage Journal

    There was a slick plastic game called Black Box back when thinking games like Mastermind were raking in the dough. There are Java and PalmOS varieties of the game. It's a nice three-minute game to while away a bus stop wait, and it helps you get in the mindset of what reverse engineering really means.

    The inside of the Black Box is an 8x8 square. There are 8 ports on each side of the square. One player sets some marbles inside the covered square, and the other player tries to deduce their locations by the behavior of "rays" entering and exiting the box ports. Some rays go all the way through, some reflect off the balls inside, and some glance off the balls and go out some other side of the box.

  • Only two sections are complete.

    When will I be able to get this in paperback so I can read it while I'm sittin' on the can?
  • by JohnwheeleR ( 662355 ) on Sunday July 06, 2003 @05:50PM (#6379480)
    This book is pretty weak. I skimmed through it and no where did I see win32dasm dead listings or hands on reversing. It seems like it just tries to explain different windows and unix tools people might use for reversing. Comments like this certainly should have been left out: If you don't know assembly language, at the end of this book you will literally know it inside-out I mean gimme a break. In less than a hundred pages of text, no one is going to learn x86 asm "inside-out." Chapter 9, which many people would be interested in, is incomplete. I wouldn't waste my time. Go search for "fravia pages reverse engineering" on google. That material took years to put together.
    • "TO SLASHDOT READERS: Yes, this book is incomplete. Yes it has mistakes. Yes, we are working as hard as we can to fix them. Please email the authors directly rather than simply ranting/flaming on slashdot. We will take your comments into consideration, and will list you in the credits. We've already built up a large queue of fixes thanks to helpful emails."

      Looks like they're trying to have Slashdot readers write their book for them. It's not a bad idea, but it would be easier if they added editing/comme

      • Looks like they're trying to have Slashdot readers write their book for them.

        (unless I'm mistaken here) they weren't at all inolved in the posting of a link to slashdot.
        • (unless I'm mistaken here) they weren't at all inolved in the posting of a link to slashdot.

          Obviously, they're not going to target solely Slashdot readers. And perhaps, they didn't want the link to go out to soon. But either way, they chose to publish an incomplete draft of their book out in the open and they seem open to the idea that other people send them contributions.

      • but it would be easier if they added editing/commenting capablities directly onto their site.

        Sure, with that number of editors the result can only be good. (NOT)
        • "Sure, with that number of editors the result can only be good. (NOT)"

          At this point, I am just pointing out a way to easily collect more information. When all that content is gathered in a semi-organized fashion, those two guys can and should restructure/rewrite the entire book from scratch.

  • Immature (Score:5, Insightful)

    by mslinux ( 570958 ) on Sunday July 06, 2003 @05:59PM (#6379511)
    Quote from the introduction of the book:

    "We don't know about you, but to us, software that we don't have source code to just pisses us off. So we figure: screw it, lets do some damage. :)"

    Cheap comments like this really degrade this book.
    • Re:Immature (Score:2, Insightful)

      by peachpuff ( 638856 )
      I believe those are known as "jokes."
  • I need help reverse engineering "si3" files.

    It's the format used on siemens cellphones to play midi (subtypes 0,1)! Siemens says it is closed...

    When you transfer a .mid to the cellphone, first time you play it, it gets converted to .si3
    • Start by generating pairs of midi files that are similar exept for one different parameter, convert them to si3, and then study the differenses between the si3 files. Repeat until you know how every parameter is represented in an si3 file. Viola!

  • Ollydbg (Score:5, Informative)

    by httptech ( 5553 ) on Sunday July 06, 2003 @06:39PM (#6379698) Homepage
    Hadn't seen this mentioned in the book or in any comments so far: If you are wanting to get started reverse-engineering on Windows, you don't need to shell out big bucks (or pirate) softice unless you plan to do hard-core driver/kernel debugging. Seriously, check out Ollydbg [t-online.de] It's freeware AND it kicks ass. I'm using it to do almost all my reverse engineering now.

    Here are a couple of beginner-level articles I've written on reverse-engineering malicious code:

    Reverse Engineering Hostile Code [lurhq.com]

    Alien Autopsy: Reverse Engineering Win32 Trojans on Linux [lurhq.com]

  • by MavEtJu ( 241979 ) <slashdot&mavetju,org> on Sunday July 06, 2003 @06:46PM (#6379730) Homepage
    Recently I came by this book: Code Reading - The Open Source Perspective [spinellis.gr], which has the same idea except for when you have the source of a program and not only a binary.
    • I was looking for a book like this, since many small linux-based companies are working and leveraging existing open-source software. I mean, everyone needs 99% of the program, but you need to add a small feature or two to a million++ line program(i.e. samba).

      How do you do it? Well, I hope this book can give me more insights.
    • Reading source code and navigating your way around a large system isn't easy. I work with large and complicated propietary systems as well as open source code. I can't say that one is better documented than the other. Both are equally a problem when getting into the code.

      To be honest, from what I can see of this book, it doesn't seem to help that much.

      Easily getting into a large project means more than just doing a make tags. Personally, I find an elising editor is great for getting the overview, but I

  • by Anonymous Coward
    a mention of IDA pro, W32Dasm, softice. These are the tools of the trade.
  • These are cool guys, I've gone to a few of their SIGMil meetings. Its cool to think i've partied with some guys who've been slashdoted (also perry TA'd a class i took in the fall). Nasko likes to hit on my girlfriend (tho he's only seen her twice).

    Good job guys! Keep it up!

    They also run the most excellent ACM Special Interest Group at U of Illinois- Urbana Champaign. Anybody who's interested in this kind of research should check it out when they host meetings in the fall.
  • by sICE ( 92132 ) on Sunday July 06, 2003 @09:54PM (#6380564) Homepage
    you might want to have a look at AntiCrack [anticrack.de] which is a huge collection of tutorials cracking , reverse engineering, and programming. They also have a copy of the Old Fravia'Site, [anticrack.de] the new one [searchlores.org] being about searching).

    There's a few games/challenges out there about reverse engineering, cracking, logic and programming. Give them a try if you wish (Arcanum is really nice):
    AngularVision [virtualave.net], Apotheosis [hypermart.net], Arcanum [arcanum.co.nz], Aspect [l8nite.net], Aspect2 [aspectgames.net], C&CDisIncorporated [virtualave.net], CyberArmy [cyberarmy.com], Disavowed [disavowed.net], Electrica [caesum.com], Escape [angelfire.com], HackME [members.home.nl], HackersGames [hackergames.net], HackersLab [hackerslab.org], HackQuest [hackquest.com], Hybrid [lameindustries.org], ICEFortress [icefortress.com], Lamebulun [lamebulun.net], Mod-X [mod-x.co.uk], NetSplit [nsplit.com], NGSEC'sSecurityGame [ngsec.biz], ProblemSetArchive [acm.uva.es], ReverserCourse [reverser-course.de], SlyFX [slyfx.com], TheGame [prohosting.com], and Try2hack [try2hack.nl].

    have fun ;-)
  • by Radical Rad ( 138892 ) on Sunday July 06, 2003 @10:01PM (#6380601) Homepage
    Are there any lawyers here that can say whether packet sniffing is indeed a form of Reverse Engineering and could then be prohibited by an EULA? Common sense would tell me that it can not because it would be analogous to having a reasonable expectation of privacy when talking with someone inside your home but not when shouting to your neighbor through an open window.
  • complete? (Score:2, Informative)

    by codegen ( 103601 )
    Not exactly complete. My research
    area is reverse engineering. The book only
    talks about low level reverse engineering
    (i.e. executable code). Most of the research
    in the area is at the source level.

    This is not a criticism targeted at theauthors,
    but at the submitter.
  • device drivers? (Score:3, Interesting)

    by Quickening ( 15069 ) on Sunday July 06, 2003 @11:44PM (#6381002) Homepage
    What we need most are methods to reverse engineer device drivers.

    Let's say for example, a certain manufacturer of popular media cards actually has linux drivers for their hardware, running on an ARM in a setup box, but refuses to release these drivers, open or closed, to pc users. If I had said drivers in hand, could I port them to i386?

Talent does what it can. Genius does what it must. You do what you get paid to do.

Working...