هکرها بدون پوشش: تکنیک های قدرتمند برای محافظت از برنامه نویسی شما

I read the 2nd edition of this book, so I will be referring to it.

First of all, let me tell you that is a VERY GOOD introduction to Reverse Engineering. If you are a beginner, you will get tons of useful and updated information from this book. For sure you will learn, and let me tell you that the info in this book is worth every penny. You will get hands-on experience not only on rev-eng, but also a very good idea about all the software around it. When you are new to the reverse-engineering world, it is very difficult to get started because of the amount of information on the net. Too much is sometimes less because you end up in circles from tutorial to tutorial, without making good bases.
If you follow this book from cover to cover, you will “get it”. You will learn. You will know how to debug/disassemble a program and patch it to alter the way it behaves.

Warning: if you are a TOTAL beginner (who does not know any programming language at all) this book is not for you. Kris assumes that you know at least a bit of C. He won’t get into the details of what a pointer is. You should know that if you want to do reversing. If you don’t, learn a bit of C first, and then come back to this book.
So, it’s important to judge the book by what it is. It’s not an introduction to computers or programming. It is a VERY GOOD introduction to Reverse Engineering. Having said that, let’s start!

Pros –> Easy to follow, full of useful and updated [2008] information. You will really learn a lot from it if you don’t know how to use debuggers/disassemblers. You will learn a bit IDA, OllyDBG, Hiew, and more than a bit of Soft-ICE. Also, you will learn how to get started with API monitors, profilers, etc.

Cons –> The book has a few not-so-important errors, but you will catch’em if you are awake. The translation is not the best, and sometimes the words are mixed up a bit.

One caveat: I skip everything related to Unix/Linux because I do not rev-eng on those platforms. So, I will speak only about Windows chapters.

Chapter 1: it introduces the “tools of the trade” very well. It’s really worth reading because knowing what tools are out there and what they can do for you will save a lot of time when reversing. API monitors and profilers are worth using if you want to get to the point fast. Reverse Engineering is not hard, what is hard sometimes is to find the exact piece of code that you need to reverse/change. Monitors and spies will help you to find those points faster.

Chapter 3: speaks about virtual machines and emulators. Excellent introduction to this area. Some programs (virus, trojans or any malware) may infect your computer. What could be better than having a virtual machine where you can try everything without fear? This is the point of the chapter. Differences between virtualization software. By the way, I personally use Virtual Box and I prefer it over VMWare. Reason? Speed! The startup-time of a frozen machine is INCREDIBLY faster in VBox than VMware. Once the VM is running, the performance is pretty much the same.
If you work a lot with virtual machines (you will if you plan to reverse), give Virtual Box a try. Do not go straight to VMWare. Try both and decide by yourself which one is better for the job you need to do.

Chapter 4: different assemblers. I personally was not interested too much in this chapter because I’m a Windows guy so there’s not too much room for choices: MASM is the way to go. It’s almost a standard. You have books on the subject, communities, packages, IDEs, etc. Of course the other ones may be good, but if you don’t have a lot of time to invest on research, go with MASM.
By the way, don’t be afraid if this seems to be too much information. The book won’t use MASM or any assembler, it simply introduces you to the different assemblers. In other words, you don’t have to know assembler in advance to read this book. Go ahead and don’t be afraid because Kris explains the instructions at the same times as he uses them.

Chapter 5: shows you different protection mechanisms and how to bypass them. The chapter is not a hands-on, but a plain English explanation of the protections and bypasses.

Chapter 6: this is a real hands on, and a very good one! You create your own C program and crack it! The good thing is that Kris shows you the very basics here. How to actually understand your program using dumpbin. You will bypass the protection (it’s just a password, but still a good example) with basic tools, slowly moving to more complex ones: from dumpbin, passing thru Hiew until IDA.
After playing with your own program, you will try to bypass the protection of a commercial software. Keep in mind that this is for practicing at home only. DO NOT distribute or use.
The most important thing is this chapter is not only that you will learn the very basics, but you will also learn -for example- how IDA or HIEW do to find references to text-strings, code, etc. Very cool.

Chapter 7: debugging. He uses Soft-ICE to show you how to place breakpoint on Windows APIs, messages, data, etc. You can port this knowledge to other debuggers if you dont like Soft-ICE

Chapter 10: how to create logs using Soft-ICE, how to debug using OllyDBG. Don’t be discouraged by the usage of Soft-ICE. If you want, just read those pages and do not use it, but read them! It’s very interesting how he creates a small but efficient logger using Soft-ICE + the Macros of FAR Manager. Again: maybe you won’t use that, but read it so you will understand the mind behind the book. He really get things done, no matter how.
After playing a bit with SoftICE he presents OllyDBG and many of its features.
By the end of the chapter, the author touches a bit of “cracking by coverage”. Which basically means: running a program twice and compare the differences to see where the protection is. The example uses a date-trial period, so you first run the program when it still runs, and create coverage1.txt. Then, you set the computer date so the program refuses to execute (trial period expired), and save the log as coverage2.txt. After that, you compare both logs (with a tool that you build yourself in 5 minutes) and see the difference. Got it! Without even debugging a line of code, you can patch it! Very good technique.

Chapter 11: PE format, X-Code (like code caves), etc. It shows you how to insert code in a binary (exe) file the same way viruses do.

Chapter 13: disassembling 64 bits. I did not read it.

Chapter 15: patching advanced techniques. How to change low level stuff of your WinOS. How to recover from a Blue Screen of Death.

Chapters 17, 18, and 19: anti-debugging techniques and how to overcome them. Unpacking techniques using different approaches including the universal one, dumping the image to the disk, rebuild the import table, etc. Obfuscated programs and how to deal with them.

Chapter 21: debugging and disassembling malware. I did not read it.

Conclusion: a goldmine for beginners. Useful for intermediates. Interesting for advanced people because they might find novel techniques here. A good read.