Reading: The IDA Pro Book, Posting: My Notes

For the few that may stumble across my blog. This is an exercise in public note taking. It helps me by keeping me accountable (I have about a dozen half read books now), and helps others by sharing some quick info. 

I do suggest that you pick up this book if you are interested in:
  • Hacking (yeah that general, IDA is very widely used)
  • Exploit development
  • Reverse engineering
  • Being better at CTF's
  • Look... chances are if you're reading this, you know this already.
*****BEGIN NOTES*******
Chapter 1
  • Disassembly - "undoes assembly process" 
    • 0's and 1's as input, assembly language as output
  • Decompilers - "attempts to give higher level language"
    • assembly language as input high level code as output
  • Compilation is Lossy 
    • no variable names
    • no function names
    • no type declarations (explicitly)
  • Decompilers
    • hardly ever get it 100% right
    • are dependent on the language 
    • are dependent on OS, ie. Windows API
    • Hex-Rays is the best on the market, more on that later...
  • Uses for Disassembly
    • Malware Analysis
    • Vulnerability Analysis
    • Software Interoperability
      • ie. Reverse engineer legacy software to write wrappers for integration with modern app
    • Compiler Validation
    • Debugging
  • X86 Assembly Syntax: AT&T vs INTEL
    • AT&T syntax
      •  has % in front of all register names (%EIP , %EBP, %EAX, ..etc.)
      • the $ sign is in front of all literal constants aka immediate operands 
      • source is on left, destination on right
      • ie add $0x4, %eax  -- adds 4 to the value in eax storing the result in eax
    • INTEL syntax
      • no % or $
      • destination on left, source on right
      • ie add eax, 0x4 --adds 4 to the value in eax storing hte result in eax
    • Personal note:
      • in GDB (Gnu Debugger, available in linux) you can type "set disassembly-flavor intel" or "set disassembly-flavor att" to set the style of disassembled code. the default is ATT irrc..
  • Types of Instructions
    • Sequential flow
      • command is executed then moves onto the next 
    • Conditional Branching 
      • two possible paths
      • like an if statement 
    • unconditional branching
      • always jumps to another area of code
      • like the bottom of a while loop
    • Function calls
      • always goes but onces a return command is hit comes back to where it left off
Thats all for chapter 1, the material was light and pretty obvious for anyone familiar with assembly language.

For the purpose of getting familiar with assembly language, I recommend Security Tube's linux assembly language megaprimer.
Next time, chapter 2.

No comments:

Post a Comment