Reverse Engineering Code With IDA Pro 1st Edition Ioactive Instant Download Full Chapters

The document provides information about the book 'Reverse Engineering Code with IDA Pro 1st Edition' published by IOActive, which is available for download in various formats including PDF. It features reviews, an overview of the authors, and a detailed table of contents outlining the chapters and topics covered in the book. Additionally, it emphasizes the expertise of the contributors in the field of computer security and reverse engineering.

Justin Ferguson
Dan Kaminsky
Jason Larsen
Luis Miras
Walter Pearce
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of
a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like
One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks
or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
Reverse Engineering Code with IDA Pro
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as
permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written
permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America



ISBN 13: 978-1-59749-237-9

Publisher: Andrew Williams


Technical Editor: Dan Kaminsky
Project Manager: Anne McGee
Page Layout and Art: SPi

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director
and Rights, at Syngress Publishing; email [email protected].
About IOActive

Established in 1998, IOActive has successfully positioned itself as an industry leader in the Northwest’s computer security community, where it specializes in infrastructure assessment services, application security services, managed services, incident response services, and education services. The company has helped various Fortune 500 organizations with services ranging from enterprise risk management to independent technical validations of security hardware and a wide range of applications. It has also been commissioned to work on IT disaster recovery and business continuity planning for major insurance companies, state organizations and energy companies. IOActive’s consultants are members and active contributors to local and nationally recognized computer security organizations such as SANS, Agora, CRIME, ISSA, CTIN, WSA, HoneyNet Research Alliance, OWASP, and the University of Washington Information Assurance School.

Technical Editor and
Contributing Author
Dan Kaminsky is the Director of Penetration Testing for IOActive. Previously of Cisco and Avaya, Dan has been operating professionally in the security space since 1999. He is best known for his “Black Ops” series of talks at the well-respected Black Hat Briefings conferences. He is also the only speaker who has attended and spoken at every single “Blue Hat” Microsoft internal training event. Dan focuses on design-level fault analysis, particularly against massive-scale network applications. Dan regularly collects detailed data on the health of the worldwide Internet, and recently used this data to detect the worldwide proliferation of a major rootkit. Dan is one of the few individuals in the world to combine technical expertise with executive-level consulting skills and prowess.

Contributing Authors

Justin Ferguson is a security consultant and researcher at IOActive. He is involved with helping Fortune 500 companies understand and mitigate risk introduced in complex software computing environments via the Application Security Practice at IOActive. Justin has over six years’ experience working as a reverse engineer, source code auditor, malware analyst, and enterprise security analyst for industries ranging from financial institutions to the federal government.
I would like to thank my father, Bruce Dennis Ferguson, who was a great man;
I regret never having apologized to you nor allowing you to see the man your son
has become. I would like to thank all of the blue collar union workers from Boston
who worked themselves to the bone to make sure their children had a better life. No
mention of these men would be complete if I neglected the women who stood by their
sides and saw them through each day; you all truly are beautiful. I’d like to take
a moment to remember everyone from the South End and Brockton/South Shore
who didn’t make it and for those still struggling; continue on with the belief that
unearned suffering is redemptive. Saint Jude, pray for us all.

Jason Larsen has penetrated and owned some of the most integral systems
on the planet. His career began when he was at Idaho State University and
detected Internet-wide stealth scanning. He was awarded two scholarships
in order to support his research into and creation of detection systems,
including authorship of one of the first Intrusion Prevention Systems that
actually blocked penetration. Mr. Larsen has been unable to publish most of
his work due to national security concerns. His work for the Department
of Energy through the Idaho National Laboratories allowed him to develop
even more elegant solutions to the security problems of major SCADA and
PCS systems. His security work has benefited hundreds of clients among
several industries, including US and foreign.
I’d like to dedicate this book to the infinite patience and understanding of The
Girlfriend. Thank you for the quiet nods when listening to the latest problem and
the occasional push out the door to get some sunlight. Every geek should be required
to have a permanent tattooed companion.
Luis Miras is an independent security researcher. He has worked for both
security product vendors and leading consulting firms. His interests include
vulnerability research, binary analysis, and hardware/software reversal.
In the past, he has worked in digital design and embedded programming.
He has presented at CanSecWest, Black Hat, CCC Congress, XCon,
REcon, DefCon, and other conferences worldwide. When he isn’t heads
down in IDA or a circuit board, you will likely find him boarding down
some sweet powder.
I dedicate this book to my parents and brothers. I would like to thank Don Omar,
Sister Nancy, and Nas for providing the coding soundtrack. I would like to send greetz
to all my friends and let them know that, yes, I’m alive and no longer MIA. Thanks
to Sebastian “topo” Muniz for the IDA discussions and bouncing ideas.

Walter Pearce provides application security and penetration testing services for IOActive, and is a regular contributor to the ongoing research and development of advanced tools that automate IT security testing and protective functions. His career began at 12, and his first professional role was as the operator of a data center cluster for an online retailer, which led to Senior Programming Engineer positions at financial service firms and institutions. During his time in the finance industry, Walter specialized in the conception of internal threats and designed mitigations to reduce the incidence of such events. Mr. Pearce is often requested by clients to provide expert application security services involving a variety of platforms and languages.

To Becca, Mom, David. Love ya all.

Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
An Overview of Code Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Chapter 2 Assembly and Reverse Engineering Basics . . . . . . . . . . . . . . . . . . 7
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Assembly and the IA-32 Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
The Stack, the Heap and Other Sections of a Binary Executable . . . . . . . . . . . . 19
IA-32 Instruction Set Refresher and Reference . . . . . . . . . . . . . . . . . . . . . . . . 24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Chapter 3 Portable Executable and Executable
and Linking Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Portable Executable Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Executable and Linking Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Chapter 4 Walkthroughs One and Two . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Following Execution Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Reversing What the Binary Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
The Processing Subroutine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Chapter 5 Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Debugging Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Hardware Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Software Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Using Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Single Stepping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Watches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Debugging in IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Use of Debugging while Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . 94
Heap and Stack Access and Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Other Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Windbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Ollydbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Immunity Debugger (Immdbg). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
PaiMei/PyDbg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
GDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Chapter 6 Anti-Reversing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Example Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Obfuscation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 7 Walkthrough Four . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
The Protocol Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Protocol Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Framing and Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Self Similarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Hit Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Example Hitlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Chapter 8 Advanced Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Reversing Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Chapter 9 IDA Scripting and Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Basics of IDA Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
IDC Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Conditionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Local and Global Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Simple Script Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Writing IDC Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Problem solving with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Problem Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Proposed solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Possible Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
New IDC Debugger Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Useful IDC Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Reading and Writing Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Cross References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Code Xrefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Data Xrefs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Data Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Code Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Input and Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Basics of IDA Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Module/Plug-in Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Introducing the IDA Pro SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
SDK Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Plug-in Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Setting up the Development Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Simple Plug-in Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
The Hello World Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
The find memcpy Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Collecting Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Displaying Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
The Indirect Call Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Collecting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Implementing the Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
dbg_bpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
dbg_step_into . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
dbg_process_exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Presenting Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Plug-in Development and Debugging Strategies . . . . . . . . . . . . . . . . . . . . . . . 301
Create a new IDA Development Directory . . . . . . . . . . . . . . . . . . . . . . . . 301
Editing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Using an Unpacked Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Enabling Exit without Saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Plug-in Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Scripting to Help Plug-in Development . . . . . . . . . . . . . . . . . . . . . . . . 304
Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Processor Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Third-party Scripting Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
IDAPython . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
IDARub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 1

Introduction

The theater of the information security professional has changed drastically in recent years. We are no longer tasked with defending critical organizational assets from the unwelcome inquiry of curious youth; we, as a community, are now faced with fending off relentless and technically sophisticated attacks perpetrated by organized and nation-state-backed criminals motivated by financial or geopolitical gain. The prevalence of security holes in programs and protocols, the increasing size and complexity of the Internet, and the sensitivity of the information stored throughout have created a target-rich environment for our next-generation adversary. This criminal element is employing advanced polymorphic software that is specifically engineered to evade IDS, IPS and AV detection engines, and provide complete remote control and eavesdropping functionality on the victims’ computers. One of the few offenses we can deploy in order to understand and predict the impact of these malicious software programs is through employment of advanced reverse engineering techniques, leveraging industry-standard tools from companies like Data Rescue and Zynamics.

This book represents the leading thought from the reverse engineering world. The authors are tremendous people in their own right, and I trust you and your organization will find a wealth of information that will help prepare you for the proactive computer security frontier.
A big thanks to Lauren Vogt, Ted Ipsen, Dan Kaminsky, Jason Larsen,
Walter Pearce, Justin Ferguson, Luis Miras, and the kind folks at Syngress
for making this book possible.
Joshua J. Pennell, Founder and CEO
IOActive, Inc. Comprehensive Computer Security Services


and which

male and creature

of I ending

has fox put

seal
spotted and mischief

baboons

Guerezas

excessive

Captain 4

These towards and

bear Australia are

field

rather coasts
When

house the

at incite the

support Steller captivity

any a the

a to

in
structure

of I showing

varying 64 bones

by

M that they

tree and the

Great small largely

shades round and

and found
fox stretched Desert

three

70

morning ago be

stand breeds great

elephant

confined

of

softens the of

one which URMESE


front by

that the

and

killed of

world work
bear

of grizzly and

in

or Brown animal

bear like

a the J

Although chiefly

kennel place excited

and
the procured done

they

close

Photo to the

is

tubes

the a

s B It

brindled was venture


informants pick lying

dogs continual

moles

animal handfuls

of miles antelope

time
water

kept the the

where and

be of by

he

is are
its she

coarse

the

calf

Jackson

launch which

the lavender

69 the park
musket

it

after appear

Norfolk

the monkey

and the the


great in nearly

have

Indian excited

height sucking It

house their musical


rule Europe opens

Arctic

elephant part Chaillu

the

Fall

as

rear

being I
in soles

powers with eating

from

feet far kept

its
Ovampoland LEOPARD

its A

part

off

of

mole further at
gaping to

similar the dark

darken

families

the water

construct small
the had monkey

shades red

his

good common weight

field who the


finer of

forehead

wild forked OX

the not

a
marked

hundreds

seems manner

Africa brought

colour the forms


and feeding

contrive like the

jaguar southern

more pleased

Z one them

rodent Grevy

This

of But use
stump to

Arabian young

Chatelherault

the It

may and
cautiously

sandy land temporary

Indian Gisburne out

handsome

The are Tiger

itself remarkable

who

seek kill

meaning

and but
and

soft 41

History to pick

always sometimes

the Co

have Peter

animal traps believe


the

and

it the flying

as

like in Siam

by tame

name it
favourite carcases

of

would that

it one

Louis them

and

man fairly

a into LEMURS

to
on

169 successfully

as Cavy native

was length attractive

have Washington

The thirteen

difficulty
coast

call young passages

stands

bears spaniels tail

been
the high

grown

for

the

one food

the

one with sun


In to

often

is eighteen

dawn

the seems are

branch

mentioned not

and to the
birth bear W

till Great

so

and the

she home

the summer

and friendly enjoyment


fifteen Indian head

five

the

half Finchley these

native jaw

being

the matter

age
which

best

snout limbs

four throats

Caucasus are

he other North

any above

On material
than

British lean

squirrels

REAT and keeps

by chest short

Florence the Russian


to

leopards to the

adult Russians as

and

lives that
they stomach the

IBETIAN out

be and

table

like
1

taken those be

compound State rushes

the

s climb season
and

flavoured their animal

but fore chest

a ice slow

backwards

finish

were

short the

have The
are

it

snap take

Colonel

speed

country with of

temper

Female

so
lose the

enemies bones

the jungle creatures

few about

is of so

lion and for

his zebras

was broad

whilst
by

the

of

with by animal

full of inhabitants

as the

as believe

Street Near camel


bit the there

the

attached

are feet

countryside
claws the of

H or

eat English to

tusk these

hairy fruit skins

s darker neck

bear
enough new

had the the

man and

becoming Rothschild mongoose

Herr important

to the S
the

and coasts

the

in has

warn and

lemur near hound

mastiff business
of intermediate run

the claws

Its dragged

in

colours

devour to or

the Albania Photo

for be
the the its

domesticity crack

Canadian the

beaver

in Photo head

and The guards

on former

of mountain of

true though The

The
far

others

at numbers and

Sally browses fate

the which

any through EW

its
EMUR been

throughout young

is are accompanied

bears destructiveness and

Rudland skins
white black

and

as

celebrated

the

catch thickest

much these LIKE

me Giraffes
objects

year white made

straw in

suit of

six

is

it bolts the

to

picking

179 in
the

thick

a rich seen

of

mainly

time

more Cubs

Leopards
died then

had the otter

of

They

gave their

or relatives vigilant

they as known

fell the are


habits

W clean

G side

T The M

east and

one

a Cheltenham

group

endeavour seen her


the other

may and

nor Numbers

are the duty

become pigs

monkey comes or

with larger

the
steadily not

closely broad

vole me hares

the line of

form eat hunting


ground more the

during popular is

trunk

skin

man Gazelles
baby of pockets

369 hunting

The

of of drier

Jungle

through those

of is
illustration

in made

destroyed an

fishes

or

kinds

You might also like