Binary Literacy: Systematic Static Reverse Engineering

This four-day course contains a thorough introduction to static reverse engineering, the act of deriving meaning from assembly language code simply by reading it. The target audience is those who primarily employ dynamic reverse engineering, and/or for those who are more comfortable with Hex-Rays than an ordinary disassembly listing. The course has been heavily classroom-tested, having been taught over two dozen times. The material has been rewritten and modernized for the last edition of Recon.

COURSE DESCRIPTION

As the title implies, this course is about analyzing software systems without executing them, as though one was reading a novel. Starting from the basic letters (assembly language instructions), words (basic blocks) are constructed; from there sentences (functions) may be put together. These are organized into paragraphs (modules) which, taken together, form the bulk of chapters (executable objects). Finally, a collection of chapters makes up a book (software system).

The course begins by systematically examining the process of compiling C code into assembly language, and how to manually decompile assembly language back into C. All of these examples come from real-world binaries. Prior experience teaching this course shows that this gives students a good grounding in reading assembly language. Understanding the structure of a sentence is not enough to understand its actual meaning, or that understanding one sentence is not enough to understand a paragraph, etc. Decompilation is therefore not enough: the human analyst needs techniques to comprehend the code that he or she is seeing. We will thus proceed with techniques to derive semantic meaning from assembly code.

With the above in hand, we are prepared to statically analyze any C-compiled binary of our choosing, and we shall spend the rest of the class reverse engineering binaries both in live and individual sessions. These binaries will consist of live malware, but it needs to be stressed that this is not a course on malware specifically: it is a course on reverse engineering in general, and its techniques are applicable to all sub-fields thereof (e.g. malware, security, interoperability). The course is not “advanced” so much as it treats what might be considered “the basics” systematically. Attendees who are already intimately familiar with the compilation process and the art of static reverse engineering would be well-advised to instead pursue one of Recon’s other excellent offerings.

CLASS REQUIREMENTS

A laptop with IDA Pro installed on it (any recent version will do); a firm grasp of the English language; exposure to x86 assembly language is assumed (it will be briefly reviewed, but not treated in depth).

BIO

Rolf Rolles has 19 years of experience reverse engineering, spanning the areas of malware analysis, vulnerability analysis, exploit development, reverse engineering tool development, and professional education. He specializes in static reverse engineering, deobfuscation, and static program analysis. Rolf created and moderates the Reverse Engineering Reddit. These days, he runs Möbius Strip Reverse Engineering, offering consulting services and training classes. He obtained his B.A. in pure mathematics from New College of Florida in 2005.