To be able to recognize C code structures in assembly you need to know assembly. The hardest part of learning assembly in 2013 is actually finding good reading material. I know because I spent two years teaching myself assembly and read a lot of utterly useless books, for example the 1,700-page book by Randall Hyde called “The Art of Assembly”. Below I present a handpicked list of reading material, ordered from beginner to advanced.
1. Lena151's assembly guide. This is actually one thing that is good about Lena's tutorials: it shows you the most basic parts and is only 20 pages long!
2. The first 200 pages of the old book “Assembly Language Step-by-Step: Programming with DOS and Linux” by Jeff Duntemann. This is a must-read. If you don't read this, you'll extend the learning curve by years. The way Duntemann ties assembly programming to the inner workings of computer systems and CPUs is just amazing.
3. The following chapters in Eldad Eilam's book “Reversing – Secrets of Reverse Engineering”. Read these chapters in the order I present them:
   1. Appendix A – Deciphering Code Structures
   2. Appendix B – Understanding Compiled Arithmetic
   3. Chapter 2 – Low-Level Software
   4. Chapter 3 – Windows Fundamentals
   That makes about 250 pages in Eldad's book, and you should quite honestly never waste your time reading the rest of his book, as he dives into hands-on approaches but uses terrible reverse engineering examples.
4. All chapters in “Part 2 – Advanced Static Analysis” of the book “Practical Malware Analysis” from No Starch Press:
   1. Chapter 4 – A Crash Course in x86 Disassembly
   2. Chapter 5 – IDA Pro
   3. Chapter 6 – Recognizing C Code Constructs in Assembly
   4. Chapter 7 – Analyzing Malicious Windows Programs
   These four chapters take up less than 100 pages of the book. Practical Malware Analysis is, however, a great book written by some of the best in the industry and should be read cover to cover later on, but for a beginner these chapters are enough.
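To make concrete what “recognizing C code constructs in assembly” (the subject of Eilam's Appendix A and of Chapter 6 above) means in practice, here is an added example that is not from this post or from either book. It is a small Python script that applies the textbook jump-shape rules to a hand-written Intel-syntax listing. The listing, its functions sign, sum and dispatch, the labels and the C source in the comments are all constructed for the example; the rules themselves (backward conditional jump = loop, forward conditional jump over a block ending in jmp = if/else, indirect jmp through a table = switch) are the ones those chapters teach.

```python
# Added example (not from the post or the books it lists): heuristic recognition
# of C control-flow constructs from the shape of the jumps in an x86 listing.
import re
from collections import namedtuple

# Conditional jumps: the branch half of an if, an if/else or a loop.
COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle",
              "ja", "jae", "jb", "jbe", "js", "jns"}
LABEL_RE = re.compile(r"^\s*([.\w]+):\s*$")
INSN_RE = re.compile(r"^\s*(\w+)\s*(.*?)\s*$")
# index: position in the instruction stream; func: enclosing function label
Insn = namedtuple("Insn", "index func mnemonic operands")

def parse_listing(text):
    """Split a listing into instructions and a label -> instruction-index map."""
    insns, labels, func = [], {}, "?"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop ';' comments
        if not line.strip():
            continue
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1)] = len(insns)    # a label names the next instruction
            if not m.group(1).startswith("."): # function labels have no leading dot
                func = m.group(1)
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(len(insns), func, m.group(1).lower(), m.group(2)))
    return insns, labels

def recognize(text):
    """Return {function: [construct, ...]} from the jump shapes: a conditional
    jump backward is a loop; forward over a block that ends in a further-forward
    'jmp' is if/else; forward without one is a plain if; 'jmp' through memory
    is a switch jump table."""
    insns, labels = parse_listing(text)
    found = {}
    for insn in insns:
        construct = None
        target = labels.get(insn.operands)
        if insn.mnemonic == "jmp" and "[" in insn.operands:
            construct = "switch (indirect jump through a table)"
        elif insn.mnemonic in COND_JUMPS and target is not None:
            if target <= insn.index:
                construct = "loop (backward conditional jump)"
            else:
                before = insns[target - 1]         # last insn of the skipped block
                join = labels.get(before.operands)
                if before.mnemonic == "jmp" and join is not None and join > target:
                    construct = "if/else (forward jump over an unconditional jmp)"
                else:
                    construct = "if (forward conditional jump, no else)"
        if construct:
            found.setdefault(insn.func, []).append(construct)
    return found

# Constructed Intel-syntax listing (hand-written, not compiler output); the C
# source each function stands for is in its comment.
LISTING = """
; int sign(int x) { if (x < 0) return -1; else return 1; }
sign:
    cmp edi, 0
    jl .Lneg
    mov eax, 1
    jmp .Ldone               ; end of the 'then' block jumps over the 'else'
.Lneg:
    mov eax, -1
.Ldone:
    ret
; int sum(int *p, int n) { int s = 0; for (int i = 0; i < n; i++) s += p[i]; return s; }
sum:
    xor eax, eax
    xor ecx, ecx
    jmp .Lcond               ; unoptimised style: the test sits at the bottom
.Lbody:
    add eax, dword ptr [rdi + rcx*4]
    inc ecx
.Lcond:
    cmp ecx, esi
    jl .Lbody                ; backward conditional jump = loop
    ret
; int dispatch(int k) { switch (k) { case 0: return 10; case 1: return 20; default: return 0; } }
dispatch:
    cmp edi, 1
    ja .Ldefault             ; range check emitted before the table lookup
    jmp qword ptr [.Ltable + rdi*8]
.Ldefault:
    xor eax, eax
    jmp .Lexit
.Lcase0:
    mov eax, 10
    jmp .Lexit
.Lcase1:
    mov eax, 20
.Lexit:
    ret
"""
```

Calling recognize(LISTING) returns {"sign": [if/else], "sum": [loop], "dispatch": [if, switch]}. The range check before the table jump in dispatch is reported as a plain if, which is correct: the compiler emitted that branch, and nothing in the instruction stream distinguishes it from one the programmer wrote. Real compiler output at higher optimisation levels reorders blocks and often replaces a small if/else with cmov, so treat these shapes as a starting point; that is exactly why the chapters above spend so many pages on them.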
That is the reading suggested for newbies in both reverse engineering and assembly. If you want to be a more advanced reverser, there is some more reading that really needs to be done.
5. Wrox “Professional Assembly Language”. A great book. It covers most of the features you have already read about, a little deeper, and is great for repeating and fortifying your knowledge base.
6. The Intel Software Developer's Manual is around 4,000 pages, of which the majority is must-read. I have read the following parts:
   1. Volume 1, “Basic Architecture”, explains the basics of Intel CPUs, including features such as the MMX instruction set extensions. This part is a little more than 500 pages and contains 15 chapters. Again, it is an introduction and basics volume; the more advanced version is Volume 3, “System Programming Guide”.
   2. Volume 3, “System Programming Guide”, is an absolute must, especially for reversers. It is critical for a reverser to know the protection system (ring 0 to 4), interrupt and exception handling, debugging instructions, virtual machine control instructions and so on. This volume is around 1,600 pages, and it is very good to read it cover to cover at least once.
No doubt you will find very skilled reverse engineers or programmers who will tell you they never read any of these documents, and especially not the Intel Software Developer's Manual. Most reversers only use it when they need to look up opcodes or which flags are set by which instruction. But many of these people have picked up the same knowledge from other sources during a lifetime of programming, or they simply lack this knowledge.
These days the rapid development of IT forces newbies to take shortcuts. The world needs more and better reverse engineers now, not in twenty years. If you follow these reading suggestions, you decrease your learning time to 1 to 1.5 years.
Happy hacking!
/Ani