My Training Class


OpenRCE_RolfRolles
November 24th, 2007, 18:50
This is a long entry, so don't read it if you aren't curious about my training material.

Although my website indicates that I've been writing and distributing software (and lately I have heard all sorts of other interesting characterizations thereof), instead I've actually spent the entire year developing a week-long reverse engineering training class and writing a book based upon it. To be specific, the course is about using the evaluation version of IDA to analyze binaries on a deep level, and it's targeted at people with six months to three years' experience reversing. Basically, I teach how to do things like this (http://www.openrce.org/repositories/users/RolfRolles/pd162.idb) and like this (see Notepad.idb in http://www.openrce.org/articles/files/HyperUnpackMe2.zip). I have given the course numerous times, with 38 positive reviews, two neutral reviews, and no negative reviews.

The best way to summarize the main idea behind the book and course is to answer a friend's question, whether Ilfak's Hex-Rays decompiler is going to obsolete the field of reverse engineering. The answer is no, because there are things that a decompiler can never do, such as create comments, apply meaningful names to functions / parameters / variables / structures / structure members, unfold constants, and recover enumerations, amongst other examples. A perfectly-working decompiler will present you with undocumented C code, and reading that code is still a challenge.

This distinction runs deep. There are two types of activities in static reverse engineering: those that a decompiler can do (the rote, mechanical aspects) and those that a human must do (the creative, experience- and intuition-based elements). I call these respectively the "syntactic" and "semantic" parts of static reversing. One deals with understanding the relationship between compiled code and the original source, and the other deals with comprehending what arbitrary code is doing.

As for the outline, we spend the first half-day reviewing assembly language and giving a crash course in using the evaluation version of IDA. We will then spend the next two and a half days learning how C code is compiled into assembly language, and how to systematically decompile it back into C. Experience has proven that students will be able to decompile entire functions manually after completing this portion. The reason I teach decompilation is not because I recommend you actually decompile code on a regular basis, but rather, if you can perform decompilation, then you clearly have no problems with the syntactic parts of reversing.

The final two days are dedicated to the aforementioned "semantic" aspects of reverse engineering, the slippery art of comprehending undocumented code. We will once again take a systematic approach, beginning with a well-defined triage procedure for malware reverse engineering. Next we practice each of the code comprehension techniques that I have identified as part of my thought processes, interspersed with a number of live static reversing demonstrations. Once these two days are over, the student should have the ability to open an arbitrary executable in IDA and determine what it is doing (and decompile it into a byte-perfect replica, if they please).

All of the many exercises are performed upon real-world binaries, such as live malware.

As for prerequisites, you will need a laptop with either the evaluation or full version of IDA installed and a text editor. We will cover assembly language, but only as a refresher; it's best if you're already familiar with it. Also, the more experience you have with C programming, the easier the first half of the course will be.

I understand that certain groups of people are required to take certification exams in order to take any class whatsoever; in case this is true for you, the CREA should suffice, and we can arrange something.

I also have some extra material for more advanced reverse engineers regarding compiler optimizations and C++, which I am offering as a separate one-or-two-day training.

The reason that I posted this announcement is that I have spent the year tweaking and play-testing the material, and I believe that it is finally ready for prime time, or nearly so anyway. If any of this has sparked your interest, please contact me at [my first name].[my last name]@gmail.com to request a copy of the syllabi. Thanks for reading this!

https://www.openrce.org/blog/view/854/My_Training_Class