To be able to recognize C code structures in assembly you need to know assembly. The hardest part of learning assembly in 2013 is actually finding good reading material. I know, because I spent two years teaching myself assembly and read a lot of utterly useless books, for example the 1,700-page book by Randall Hyde called "The Art of Assembly". Below I present a handpicked list of reading material, ordered from beginner to advanced.
1. Lena151's assembly guide. This is actually the one thing that is good about Lena's tutorials: it shows you the most basic parts and is only 20 pages long!
2. The first 200 pages of the old book "Assembly Language Step-by-Step: Programming with DOS and Linux" by Jeff Duntemann. This is a must-read. If you don't read this, you'll extend the learning curve by years. The way Duntemann ties assembly programming to the inner workings of computer systems and CPUs is just amazing.
3. The following chapters in Eldad Eilam's book "Reversing: Secrets of Reverse Engineering". Read them in the order I present them:
   1. Appendix A – Deciphering Code Structures
   2. Appendix B – Understanding Compiled Arithmetic
   3. Chapter 2 – Low-Level Software
   4. Chapter 3 – Windows Fundamentals
   That makes about 250 pages of Eilam's book, and you should quite honestly never waste your time reading the rest of it, as he dives into hands-on approaches but uses terrible reverse engineering examples.
4. All chapters in "Part 2 – Advanced Static Analysis" of the book "Practical Malware Analysis" from No Starch Press:
   1. Chapter 4 – A Crash Course in x86 Disassembly
   2. Chapter 5 – IDA Pro
   3. Chapter 6 – Recognize C Code Constructs in Assembly
   4. Chapter 7 – Analyze Malicious Windows Programs
   These four chapters take up less than 100 pages of the book. Practical Malware Analysis is, however, a great book written by some of the best in the industry and should be read cover to cover later on, but for a beginner these chapters are enough.
That is the reading I suggest for newbies in both reverse engineering and assembly. If you want to become a more advanced reverser, there is some more reading that really needs to be done.
5. "Professional Assembly Language" (Wrox). A great book that covers most of the features you have already read about a little deeper. Great for repeating and fortifying your knowledge base.
6. The Intel Software Developer's Manual is around 4,000 pages, of which the majority is must-read. I have read the following parts:
   1. Volume 1, "Basic Architecture", explains the basics of Intel CPUs and lets you know more about features such as the MMX instruction set extensions. This part is a little more than 500 pages and contains 15 chapters. Again, it is an introduction and basics volume; the more advanced version is Volume 3, "System Programming Guide".
   2. Volume 3, "System Programming Guide", is an absolute must, especially for reversers. It is critical for a reverser to know the protection system (ring 0 to 4), interrupt and exception handling, debugging instructions, virtual machine control instructions and so on. This volume is around 1,600 pages and it is very good to read it cover to cover at least once.
No doubt you will find very skilled reverse engineers or programmers who will tell you they never read any of these documents, and especially not the Intel Software Developer's Manual. Most reversers only use it when they need to look up opcodes or which flags are set by which instruction. But many of these people have picked up the same knowledge from other sources during a lifetime of programming, or they simply lack this knowledge.
These days the rapid development of IT forces newbies to take shortcuts. The world needs more and better reverse engineers now, not in twenty years. If you follow these reading suggestions, you can cut your learning time down to 1 to 1.5 years.
Happy hacking!
/Ani
I totally agree with you. The same thing happened to me some time ago. Lots of shitty stuff out there for those who are interested in self-learning ASM out of the 90's. I liked your comment about the learning curve a lot - that's fu**n so true. Cheers.
-chr1x
Hmmm, are you still active writing here?
I just read your "Why lena151 won't help you" article and decided to try your approach (a bit of free time at the moment) ;)
Would love to read more from you in the future.
Greetings
badagent
I will be back now :)
Hi guys!
Yeah, I'm still active, several gigantic posts coming soon.
chr1x: :)
@Carsten: Write code, compile and then reverse it. Later on, write some code and try to predict what it will look like when compiled...
Things you want to focus on are comparisons between signed/unsigned variables, array copying, data structures, type casting.
Can you explain which C compilation flags are relevant when teaching ourselves , especially the optimization ones.
Hi Ahmad, I'll make it a blog post. Will post it soon.
I'm interested in reading this book, Assembly Language Step-by-Step: Programming with DOS and Linux, but after googling a little bit I found another, more recent version of this book (third edition) called Assembly Language Step-by-Step: Programming with Linux. Which one do you recommend I get?
I would say go for the new one, although I have not read the new one myself. But I looked at it on Amazon and the beginning was the same.
Ok thank you, I'm actually reading the 146th page. I gotta say I prefer "PC Assembly" by Paul Carter. The only thing I've learned or understood better from this book so far is the memory chapter. Also he spends a lot of time explaining things not really related to assembly, like how Kate works..., or how to use Linux.... Don't like this book, will check this one "Reversing – Secrets of Reverse Engineering" ;)
Nice :) Let me know what you think of it. Also, did you try out my own reversing tutorial? You should find it among the posts somewhere. It is however very basic...
I've checked it and, as you said, it's very basic; those were things I learned before :)
As for the Secrets of Reverse Engineering book, I just finished reading the four chapters, and I gotta say I learned many new things, but Chapter 3 about Windows Fundamentals (mainly the part about the kernel, too many new terms to understand...) was very hard to understand. I don't know if it's me or that the author doesn't explain things very well.
I'll check Practical Malware Analysis now, thank you for all these book names ;)
Btw I found this YouTube channel about different security topics, including RE, malware analysis, structure of PE/ELF, etc...: https://www.youtube.com/user/OpenSecurityTraining
Very good videos!
Seen them :) Personally, I am not much of a video guy. Video tuts are too passive for me. I need easy hands-on examples and then I usually dig my way from there...
It's difficult to leave a book unfinished ;)
How about going for the books cover to cover?
Lots of the information is redundant. When you work in a field such as IT, where you have to understand, learn and interact with new systems on a daily basis, you soon realize that learning exactly what you need is a key skill.
Some of those books contain chapters on 16-bit assembly, which you will probably never use. Some of them are heavy on 32-bit assembly while the requirement for 64-bit assembly and ARM assembly programmers is increasing. And so on.
I do not know why someone would waste their time reading approximately 10,000 pages about two instruction sets that might not even be useful by the time they are finished. But sure, if that pleases you, carry on.
Do you have any resources to do long-term exercises step-by-step? RE is a technique, I think. It's necessary to do some practice during and after the reading.
Yes, it is a methodology and needs to be practiced. I wrote another post on that subject. My suggestion is to really understand the mapping between C/C++ code and x86 assembly. The best way to do that in my opinion is to write C/C++ programs, compile them, reverse them, make changes to the C files, recompile and observe the changes in the binary. Then keep repeating that for a while.
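As an added example (not code from the post or from Ani), here is a constructed C file for the write-compile-reverse exercise described in this reply and in the earlier reply listing what to focus on: signed versus unsigned comparison, type casting, array copying and data structures. The function names, sample values and the instruction expectations in the comments are my own assumptions, for gcc targeting x86-64 with Intel syntax.

```c
#include <stddef.h>

/* Constructed exercise program (not from the post). Compile it twice, e.g.
 *   gcc -O0 -S -masm=intel exercise.c   and   gcc -O2 -S -masm=intel exercise.c
 * then compare the two .s files function by function, or build it and run
 * objdump -d -M intel on the binary. The expected-instruction notes below
 * assume gcc on x86-64. */

/* Signed comparison: after cmp, expect setl/jl or setge/jge. */
int signed_less(int a, int b) { return a < b; }

/* Same C operator on unsigned operands: expect setb/jb or setae/jae instead.
 * The types are gone from the binary; only the condition code reveals them. */
int unsigned_less(unsigned int a, unsigned int b) { return a < b; }

/* Type casting: widening a signed char uses movsx (sign extension), an
 * unsigned char uses movzx (zero extension). */
int widen_signed(signed char c) { return (int)c; }
int widen_unsigned(unsigned char c) { return (int)c; }

/* Array copy: at -O0 expect an index in a register, scaled addressing such as
 * [rax*4 + base] and a loop closed by cmp/jb (jb, not jl: i is size_t, so the
 * loop test is unsigned). At -O2 gcc may replace the loop with a memcpy or
 * memmove call, or a vectorized copy. */
void copy_ints(int *dst, const int *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Data structure: each field read becomes a fixed displacement from the
 * struct's base register, e.g. [rdi], [rdi+4], [rdi+8]. */
struct point { int x; int y; int z; };

int point_sum(const struct point *p) { return p->x + p->y + p->z; }

/* Small drivers with constructed inputs so the functions above can be
 * exercised without writing a main(). */
int copy_ints_checksum(void) {
    const int src[4] = { 10, 20, 30, 40 };   /* constructed sample data */
    int dst[4] = { 0, 0, 0, 0 };
    copy_ints(dst, src, 4);
    return dst[0] + dst[1] + dst[2] + dst[3];  /* 100 */
}

int point_sum_of(int x, int y, int z) {
    struct point p = { x, y, z };
    return point_sum(&p);
}
```

Change one construct at a time (e.g. switch `int` to `unsigned int` in one function) and recompile, so the diff between the two assembly listings isolates what that single change did.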
RaderaThanks for the list,
Another good book for beginners is (in my opinion, at least) "Introduction to Computing Systems: From Bits & Gates to C & Beyond".
Hi Mihai!
I will update the post and add the book to the list at the end while giving you credit. Thank you for the suggestion.
Sorry, what I wanted to ask was if you had a link to the lena151 tuts, since you said they were "only 20 pages long" but all the lena tutorials I can find are videos and not a PDF/book....
Thanks for the post.
Lena151 tutorials are videos. In the original files, Lena151 included a 20 page long x86 assembly introduction. I don't know where you can find it but try tuts4you.
/ani
Where does Dennis Yurichev's ebook fit in with this list?
Hi Chris!
Well, Yurichev's book is an approach to cover most of the above technologies.
Personally, I find it useful to read the same information from different sources. All of the books I write about in my list are books I have read. And most of them present the same information. When I read the first books, not all of it stuck to me. But when the same knowledge was presented to me from different perspectives and with different approaches, it finally stuck.
And frankly, that makes me biased. The order in which I read the books has certainly affected my view of their quality... :)
"Assembly Language Step-by-Step: Programming with DOS and Linux" is a great book, thanks for the suggestion. I'll be reading your other suggestions as well.
Thanks for the post.
I loved that one too. It's funny how these old books are there, as valuable gems for assembly knowledge :)
You are right, the useful chapters in my opinion are roughly 140 pages. Yes, Appendix C is useful too.