TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... In December of 2007, Microsoft released seven security bulletins which fixed 11 new security vulnerabilities. TippingPoint and ZDI were credited with discovering a total of four of those vulnerabilities.

MindshaRE: The IDA Pro Book

IDA can be a very intimidating program to use. When starting out, not only are you trying to get comfortable with assembly, but you also must navigate a program with a steep learning curve. IDA's lack of documentation, aside from ida.hlp, compounds this problem leaving you somewhat insecure in your endeavor. Not anymore. A new book as been published by no starch press titled "The IDA Pro Book". Its author, Chris Eagle, is no stranger to the world of reverse engineering and has been a fixture at security conferences for several years. So today we will take a look at this book. If you are strapped for time, and cannot read everything I have to say, I'll summarize this post. Buy this book!

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history.

The IDA Pro Book is not the only book on IDA. In fact, another book on using IDA, was released earlier this year. I have looked at both of them, and honestly, there is only one book on IDA Pro. Chris Eagle funnels his knowledge of IDA and reversing into a concise, easily readable, and handy "missing manual" for IDA Pro users old and new. His chapters are well defined, and examples are elaborately detailed. Chris' time as an educator in the field of computer science, security, and reverse engineering really show throughout this book.

Part I of the book starts off by giving the reader a good baseline of tools and idioms as they pertain to reverse engineering. In the first chapter Eagle covers the "Whats, Whys, and Hows" providing a good understanding of what exactly IDA is /doing/ when disassembling a binary. Of particular interest, is the section covering different methods of disassembling a binary such as linear sweep, and recursive descent. It's important to have this understand of the method IDA employs to identify code, data, and primitives.

Chapter two, is necessary for any reverse engineering book, covering commonly used tools outside of IDA Pro. While I understand that mentioning tools such as objdump, strings, PeID, etc are necessary, this chapter is my least favorite. It seems inserted merely for posterity's sake, which isn't a terrible thing.

The last chapter rounds out a good intro, by providing the reader with an understanding of the program. It may seem obvious, but issues such as purchasing, support, and installation are at your fingertips. One paragraph titled "Hex-Rays Stance on Piracy" made me chuckle a bit. Regular IDA users will be familiar with the lengths Hex-Rays has gone to not only protect their product, but publicly decry users of pirated copies in their "Hall of Shame".

From the beginning the reader is exposed to my favorite aspect of this book. It is almost 100% IDA from cover to cover. Other books on IDA cover useful, but misguided, topics such as executable file formats, or assembly and higher level programming languages. Obviously this is required knowledge, but there are plenty of dedicated books in each of these areas. From the gates The IDA Pro Book is non stop IDA, only touching on the aforementioned topics when needed to explain a particular subject. It feels like you are really immersed in the program, learning all of its nuances.

Part II of the book jumps right into the meat and potatoes. Chris gets you started by covering the loading of files, how IDA stores its disassembly, navigation, manipulation, and data types. At over 150 pages this section should be studied and memorized by anyone who uses IDA on a regular bases.

Chapters 4 through 6 get the reader's feet wet in the program's UI. The UI is, in my opinion, the source of frustration for most new users of IDA. Eagle himself states in Chapter 3 "IDA is not your mother's word processor" because, while it may look like a text processor, the UI is in a world of its own.

Of particular interest in these chapters are the sections covering IDA's database creation, common and tertiary windows in the UI, and disassembly navigation. It's nice to see all of the UI elements available to the user described in detail in these chapters. Many of the essential windows aren't as noticeable in IDA at first glance and this provides a good reference when ida.hlp is lacking.

Chapters 7 through 10 round out this essential section of the book. One of the highlights, and must reads, is Chris' 40 page coverage of data types and structures. Everything from creating structures, to how C++ classes look in assembly, is laid out in an easy to understand, example driven, manner that is a delightful read. This could be the premier set of chapters of its kind, and certainly one of the best in the book.

Part III takes us through some of the advanced features IDA provides. Configuration customization, and IDA's FLIRT signatures are covered followed by some of IDA's limitations (Generating EXEs anyone?).

Part IV of the book really shines. Its goal is to familiarize the reader with extending IDA. Of all things IDA can do, I believe its scripting, plugin architecture, loader, and processor modules are what separate it from other disassemblers and truly make it the industry standard.

Chris Eagle has a lot of experience in this field having written many plugins, scripts, and processor modules. This is apparent throughout this part of the book and really helps when covering these complex, and almost undocumented aspects of IDA. While IDA's scripting language and SDK are not perfect, with the knowledge and help this sections provides, a user can apply this to achieve an endless amount of tasks.

While certainly useful, this advanced section may not be for everyone. If you are wanting to just disassemble binaries, and navigate code, you can skip "Extending IDA's Capabilities". But for users wanting to load exotic executable formats, or write a processor module to disassemble a virtual machine this section will be a good resource. I personally got a lot of use out of the loader and processor module chapters. The example driven teaching of these subjects is a welcome detour from the dry documentation, or sparse text files on the web.

Towards the end of the book, in Part V, Chris Eagle shows us how the previous subjects are applied in the real world. Each chapter lightly touches on its respected subject (There are whole books on vulnerability analysis) and provides a good jumping off point for readers interested in that particular application of reverse engineering in IDA Pro. Once again this book stays focused on IDA, and doesn't distract the reader. Although there may be plenty of information on subjects such as vulnerability analysis, and obfuscated code analysis, "Real World Applications" still provides value by delivering useful scripts, and information that can be leverage by IDA.

Finally we end things with the often maligned subject of IDA's built in debugger. Honestly it gets a bad rap, and it may be a deserved one when compared to fully functional debuggers like WinDbg. However the debugger is not IDA's primary function. It is another extension of the program allowing the user to take their static disassembly work into the world of live analysis.

Eagle does a fine job demonstrating the usefulness of the built in debugger and the features it exposes. From scripting breakpoints, and pulling registers, to handling exceptions its all here. Honestly, I may force myself to use it the next time I need a debugger and I'm feeling adventurous.

Chris Eagle delivers a very concise, well laid out book in "The IDA Pro Book". The step by step examples, and much needed detail of all aspects of IDA alone make this book a good choice.  Combine that with the little things such as the numbering system in the examples, must have plugins and tools, side bar tidbits of related information, and well formulated descriptions of seemingly awkward tasks, make this book a solid addition to any tech library. I honestly think, like IDA, it will be the industry standard on one of the more intimidating applications in the security, and reverse engineering world.

I know what you may be thinking, "Who is Cody, and why should I care about his wordy review?". To answer that I will leave you with two other opinions of the book.

"I wholeheartedly recommend The IDA Pro Book to all IDA Pro users" - Ilfak Guilfanov
"This is the densest, most accurate, and, by far, the best IDA Pro book ever released" - Pierre Vandevenne

For those that don't know Ilfak is the creator of IDA Pro, and Pierre is the Owner/CEO of DataRescue (Former publishers of IDA). If that's not enough, here is a blog post from Ilfak himself.


Hope you enjoyed this weeks MindshaRE!


Published On: 2008-08-28 13:40:35

Comments post a comment

No comments.