
Place to start


nknacd

Newbie

Posts: 2

Joined: Thu Jan 24, 2008 2:37 pm

Post Tue Mar 16, 2010 10:27 am

Place to start

Hi all,

Does anyone know of a good place to start for learning how to reverse engineer software/malware? Basically looking for a good foundation to start learning how to find vulnerabilities. Having searched the interwebs, it's hard to find any free information on learning this, and due to my lack of funds I am unable to purchase anything, i.e. books.

Any insight would be greatly appreciated.

pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue Mar 16, 2010 10:57 am

Re: Place to start

Knowledge Resource is Power.

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Tue Mar 16, 2010 11:38 am

Re: Place to start

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Tue Mar 16, 2010 1:32 pm

Re: Place to start

You might find OllyDbg useful, it's a free reverse engineering tool.

http://www.ollydbg.de/

I would suggest learning some programming, especially assembly.

@Pizza, http://tuts4you.com looks really good, thanks :P
ZF

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 16, 2010 2:39 pm

Re: Place to start

Additionally I'd recommend Reversing: Secrets of Reverse Engineering and Hacking: The Art of Exploitation.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 16, 2010 4:32 pm

Re: Place to start

I second pizza's recommendation. This is probably the best set of reversing tutorials I am aware of. I went through a bunch of them and learned quite a bit. Lena knows her stuff.

http://www.tuts4you.com/download.php?list.17
~~~~~~~~~~~~~~
Ketchup

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Tue Mar 16, 2010 5:45 pm

Re: Place to start

Agreed, the Lena151 tutorials are extremely useful for using OllyDbg and understanding the logic of disassembly. I would also suggest looking for Tigas tutorials. They will give you some insight into usage with IDA Pro.

If you are serious about RE and malware analysis, you will need to consider gaining a basic / moderate understanding of ASM. You will not need to develop with it, but rather appreciate how it works and have the ability to understand loops, counters and jumps.

For that, there are plenty of examples and books that are free. The main one being The Art of Assembly.

A great way for beginners is also to start compiling simple hello world examples and viewing them in a debugger. Then improving on this with inclusion of functions, pointers and structs etc to see how these are represented in disassembly. This can also be used to code vulnerable apps and view how buffer overflows look in disassembly.

In addition to that, I would also begin to explore the PE (Portable Executable) format. This will assist you with reversing in a Windows environment.

Improving on this, start with simple UPX unpacking tutorials and crackmes (crackmes.de) to get an intro to file packing and obfuscation. Identify how you can unpack these files and navigate from the packed layer to unpacked code. This will then introduce you to the world of import rebuilding with tools such as ImpRec / LordPE which is vital for reversing malware. All the while gaining an appreciation for manual tracing and executable dumping using dynamic analysis with debuggers.

Going further... You will then be introduced to anti-debugging mechanisms (as a result of file packers / cryptors ). These are used by programs and malware alike and serve to make your life as a reverser difficult.

Less technical, but equally important, is learning to use virtualisation. So I would suggest setting up a VMware/VirtualBox lab. You can then use this to test/reverse malware on. This lab will also contain your debugger, hex editor and dynamic analysis tools (see Sysinternals tools, iDefense malware pack). These labs can also contain IRC servers etc. which can then be used to view how malware interacts with C&C IRC servers. Again, this is more advanced, but the sort of thing you can look forward to doing after a small bit of learning and research!

Apologies for large post and info overload. Happy to discuss further if any of this is overly complicated and needs clarification.
Last edited by n1p on Tue Mar 16, 2010 5:49 pm, edited 1 time in total.
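A worked version of the compile-and-inspect exercise n1p describes above (added here as an illustration, not code from the thread): a struct, a pointer argument, a counting loop and a bounds-checked copy, written so that each construct has a recognisable shape in the disassembly. The names set_name, count_char and record are my own; compile with optimisation off (e.g. gcc -g -O0) so the loop and the guard are not folded away.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed teaching program: step through it at -O0 in OllyDbg or gdb. */

#define NAME_MAX 16

struct record {
    uint32_t id;
    char name[NAME_MAX];      /* fixed-size stack buffer inside the struct */
};

/* Bounds-checked copy into the name field; returns bytes copied.
 * In the disassembly look for the cmp / jae pair that implements the
 * guard below: an unchecked strcpy() version has no such check, which
 * is exactly what an overflow looks like at the instruction level. */
size_t set_name(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX)        /* the guard: compare and conditional jump */
        n = NAME_MAX - 1;
    memcpy(r->name, src, n);  /* pointer arithmetic on r->name */
    r->name[n] = '\0';
    return n;
}

/* Counting loop: shows a counter in a register, a compare and a jump back. */
int count_char(const struct record *r, char c)
{
    int count = 0;
    for (size_t i = 0; r->name[i] != '\0'; i++) {
        if (r->name[i] == c)
            count++;
    }
    return count;
}

int main(void)
{
    struct record rec = { 7, "" };
    /* Constructed over-long input: 24 bytes into a 16-byte field. */
    size_t n = set_name(&rec, "AAAAAAAAAAAAAAAAAAAAAAAA");
    printf("id=%u name=%s copied=%zu A's=%d\n",
           rec.id, rec.name, n, count_char(&rec, 'A'));
    return 0;
}
```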

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Wed Mar 17, 2010 9:16 am

Re: Place to start

n1p wrote:
> A great way for beginners is also to start compiling simple hello world examples and viewing them in a debugger. Then improving on this with inclusion of functions, pointers and structs etc to see how these are represented in disassembly. This can also be used to code vulnerable apps and view how buffer overflows look in disassembly.

Exactly how I started. Write simple programs and view them in a debugger. Good suggestion :P
ZF

nknacd

Newbie

Posts: 2

Joined: Thu Jan 24, 2008 2:37 pm

Post Wed Mar 17, 2010 9:39 am

Re: Place to start

Thanks for the suggestions, the tuts4you seems like exactly what I was looking for. Guess my google kung fu still needs some work.
