Created: Monday, August 13 2007 00:45.39 CDT Modified: Monday, August 13 2007 18:15.22 CDT
My Training Class
Author: RolfRolles

This is a long entry, so don't read it if you aren't curious about my training material.

Although my website indicates that I've been writing and distributing software (and lately I have heard all sorts of other interesting characterizations thereof), instead I've actually spent the entire year developing a week-long reverse engineering training class and writing a book based upon it.  To be specific, the course is about using the evaluation version of IDA to analyze binaries on a deep level, and it's targeted at people with six months to three years' experience reversing.  Basically, I teach how to do things like this and like this (see Notepad.idb).  I have given the course numerous times, with 38 positive reviews, two neutral reviews, and no negative reviews.

The best way to summarize the main idea behind the book and course is to answer a friend's question, whether Ilfak's Hex-Rays decompiler is going to obsolete the field of reverse engineering.  The answer is no, because there are things that a decompiler can never do, such as create comments, apply meaningful names to functions / parameters / variables / structures / structure members, unfold constants, and recover enumerations, amongst other examples.  A perfectly-working decompiler will present you with undocumented C code, and reading that code is still a challenge.

This distinction runs deep.  There are two types of activities in static reverse engineering: those that a decompiler can do (the rote, mechanical aspects) and those that a human must do (the creative, experience- and intuition-based elements).  I call these respectively the "syntactic" and "semantic" parts of static reversing.  One deals with understanding the relationship between compiled code and the original source, and the other deals with comprehending what arbitrary code is doing.

As for the outline, we spend the first half-day reviewing assembly language and a crash course in using the evaluation version of IDA.  We will then spend the next two and a half days learning how C code is compiled into assembly language, and how to systematically decompile it back into C.  Experience has proven that students will be able to decompile entire functions manually after completing this portion.  The reason I teach decompilation is not because I recommend you actually decompile code on a regular basis, but rather, if you can perform decompilation, then you clearly have no problems with the syntactic parts of reversing.

The final two days are dedicated to the aforementioned "semantic" aspects of reverse engineering, the slippery art of comprehending undocumented code.  We will once again take a systematic approach, beginning with a well-defined triage procedure for malware reverse engineering.  Next we practice each of the code comprehension techniques that I have identified as part of my thought processes, interspersed with a number of live static reversing demonstrations.  Once these two days are over, the student should have the ability to open an arbitrary executable in IDA and determine what it is doing (and decompile it into a byte-perfect replica, if they please).

All of the many exercises are performed upon real-world binaries, such as live malware.

As for prerequisites, you will need a laptop with either the evaluation or full version of IDA installed and a text editor.  We will cover assembly language, but only as a refresher; it's best if you're already familiar with it.  Also, the more experience you have with C programming, the easier the first half of the course will be.

I understand that certain groups of people are required to take certification exams in order to take any class whatsoever; in case this is true for you, the CREA should suffice, and we can arrange something.

I also have some extra material for more advanced reverse engineers regarding compiler optimizations and C++, which I am offering as a separate one-or-two-day training.

The reason that I posted this announcement is that I have spent the year tweaking and play-testing the material, and I believe that it is finally ready for prime-time, or nearly so anyway.  If any of this has sparked your interest, please contact me at [my first name].[my last name]@gmail.com to request a copy of the syllabi.  Thanks for reading this!


Blog Comments
RolfRolles Posted: Monday, August 13 2007 12:50.59 CDT
When I woke up today, my inbox had more new emails than I've had since the beginning of the month.  Thanks to everybody who expressed interest.

To clarify a few points:

0)  The book should be out sometime in Q1 2008;
1)  The training is not free.  The idealist in me wishes it were so, but this is how I pay my bills nowadays;
2)  At this time, I intend to hold my trainings in the US (although I would certainly consider other places, if there was enough interest);
3)  My primary interest at this point is to do a few on-site trainings for organizations;
4)  Most of the people who contacted me expressed an interest in single-student type of scenarios, so it's likely that I will set up some sort of publicly-available class.  I'll try to see if I can come to a consensus with those that have mailed me.  This option will be slightly more expensive, as I will have to rent space and have catering done.

jms Posted: Monday, August 13 2007 17:32.06 CDT
What about online training/book/audio, SANS does this and does a very good job of it. I took their GCIH completely remote, and they had all the audio, books, etc. provided to me. Not to mention it will lower your costs, and adds flexibility to the rest of us who have very little time off.

phantal Posted: Monday, August 13 2007 17:38.54 CDT
The flip side to that coin, jms, is people downloading & sharing the video/audio/book with friends.  While many of us would legitimately purchase & use the product, this is a community made up of individuals more than capable of taking advantage of his business venture.

-Brian

RolfRolles Posted: Monday, August 13 2007 18:14.24 CDT
I agree with phantal, and furthermore I think (and I think my students think the same, as do other people who give training classes) that there is much benefit in actually being in the same room with somebody who is experienced, being able to ask them questions and observe what they do.

With the last half of the course, I try to build up the audience's intuition by using the Socratic method -- asking a lot of questions.  That doesn't work nearly as well with electronic materials.

jms Posted: Tuesday, August 14 2007 03:13.50 CDT
Oh totally, I would have preferred to have Ed Skoudis teaching me in person, and this is especially true of RE work. I was just saying that it can be useful. :) Best of luck on your endeavour!

trojan06 Posted: Tuesday, August 14 2007 11:24.43 CDT
I would say different methods fit different audiences. My company won't allow me to go out for a week to take such a class.

All I can do is to use my spare time to study it.

BTW, there is no doubt that online classes are a trend.

Soul12 Posted: Thursday, August 16 2007 02:26.19 CDT
nice stuff mate.. GJ ;)