I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.
Practical COM code reconstruction with IDA PRO
More advanced unpacking – Part I
I’ve been seeing more and more reversing tutorials out there. I think it’s great. Thanks for these two links – I had not yet seen them.
As for learning, just do it! May I suggest .NET Reflector with at least the two add-ons Reflexil and Deblector? Reflector allows you to switch between MSIL, C#, and VB.NET for any Mono/.Net assembly.
Reflexil is an add-on that you can use to learn how to remove parts of code, or re-purpose them by changing the instructions/opcodes.
Deblector is my favorite, which turns Reflector into an interactive decompiler debugger. If you’re having problems decompiling, debugging can help – but also try Salamander and its Deprotect utility.
Once you learn the concepts with Reflector and Deblector (plus Reflexil and Deprotect), you can then learn IDA Pro (which also has an MSIL disassembler, but no C# or VB.NET), HexRays, ImportREC, PEBrowse / StudPE / LordPE / PEiD, Jode (with JSwat). Then you’ll be ready to play with some really insane debuggers such as Immunity Debugger, OllyDbg, WinDbg/SDbgExt, UMSS, and all their plugins.
I really think IDA Pro (especially with HexRays) is the best reverse engineering tool outside of strings, xxd/hexdump/od, and binutils/objdump (all of which are available on most Unixes as well as Cygwin, including cross-compiled versions of binutils). However, I do use some point tools such as .NET Reflector/Deblector, Jode/JSwat, and Flare/Flasm/swftools/swfmill.
My problem isn’t learning reversing – it’s learning debugging! IDA Pro debugging, ImmDbg, OllyDbg, WinDbg, and UMSS just haven’t replaced gdb in my mind for some reason. Have any tutorials for those? In particular, I’m talking about bug finding for both patching and writing exploits.