Review: The IDA Pro Book

When a book is as well-received by your peers as The IDA Pro Book has been, even if reverse engineering isn’t a huge part of what you do every day, you pretty much have to give it a read.  The creator of IDA Pro, Ilfak Guilfanov, even recommends it himself for a number of reasons, calling it “the most thorough and accurate IDA Pro book.”  Even though I don’t do a whole lot of reversing, I do use IDA on occasion, so I thought it in my best interests to read this book.  Since it was authored by Chris Eagle, a co-author of one of my favorite security books, Gray Hat Hacking, I had fairly high expectations.  I was not disappointed.

It’s no secret that I’m a spelling, grammar, and punctuation Nazi.  Let me first begin by not talking about the book’s content, but its presentation.  Other than a small handful of issues falling into those categories, this book was nearly flawless in its presentation, and that’s saying a lot at around 600 pages.  The few copy edits I noted have been posted by the publisher (and subsequently removed, I assume into a new revision being printed) on the book’s errata page.  It’s obvious that a lot of effort was put into presentation, and it’s refreshing to read such a well-organized and well-presented technical book.

The first few chapters of The IDA Pro Book, in Part I, do an excellent job of setting up the reader who’s not all that familiar with the world of reverse engineering with a solid foundation.  Chapter 1 explains the various types of programming languages, the compilers and linkers that convert those languages into machine code, the theory of and approaches to disassembly of machine code, and the various reasons why you would want to attempt such a thing.  Chapter 2 enumerates a number of tools used for profiling compiled machine code, such as executables and library files, in order to collect a wealth of information that can then be used in the disassembly process to guide and assist a flexible disassembler such as IDA Pro, as well as some more limited disassemblers.  Chapter 3 then gives the reader their first look at the world of IDA, with a little bit of background regarding where to purchase it, support options, and getting it installed.  At this point, the reader is ready for the practical lessons that lie ahead.

Part II begins with Chapter 4 on getting started.  This covers launching IDA, loading the files intended for disassembly, how IDA stores data in its own internal database, and an introduction to the desktop.  Chapter 5 then details all of the available displays provided by the IDA desktop.

Once familiar with the desktop and its available displays, Chapter 6 and Chapter 7 familiarize the reader with disassembly navigation and manipulation in IDA, respectively.  The chapter on disassembly navigation walks the fine line between providing enough information to give the reader a foundation of understanding upon which to build and information overload; not a trivial task when discussing run-time memory management, call stack layout, function calling conventions, compiler nuances, and how IDA disassembles, infers, tracks, and manages all of this and then presents it to the user in a somewhat readable and easily navigable display.  The chapter on disassembly manipulation

The final three chapters in Part II cover how IDA handles datatypes and data structures, code and data cross-references, and finally the myriad ways that you can interface with IDA, such as the GUI, console mode on various platforms, and batch mode.  Overall, Part II is a solid introduction to IDA.

The four chapters comprising Part III clue you in to some advanced features of IDA, such as customizing the tool, the options available to you for library code recognition using the FLIRT engine and its signatures, extending IDA’s knowledge of all the various things that it is aware of, and finally patching binaries and a few limitations.  The content in these chapters isn’t entirely necessary for the casual IDA user; however, if you use IDA extensively you would be well served to file this information away in your grey matter.

Part IV is where things really get interesting, especially if you’re comfortable writing code or scripts.  This section is all about extending IDA and tailoring it to your own specific needs, such as scripting with IDC, developing for IDA using the SDK, creating plug-ins, and so forth.  I won’t go into much detail here as I have not yet had the opportunity to really use the information contained in this section; however, those of you who would know who you are.  This is the reference for you.

The next section, Part V, covers how you apply all of the knowledge and skills that you’ve learned so far to the real world.  Consider this “Applied IDA Pro”.  This section instructs you on dealing with binaries built using different compilers and various compiler nuances, analyzing obfuscated code, which you will likely encounter if working with any form of malware, and using IDA for software vulnerability analysis.  If you make your living in the security industry, you definitely want to read these chapters, as there are many useful nuggets of information to be had.

Finally, Part VI introduces the IDA debugger and details how it interacts with the IDA disassembler.  Since the book’s publication, IDA Pro 5.4 has shipped, which includes support for a total of eight debuggers in addition to its own.  As such, this part of the book is already a bit dated; however, there is still useful information to be had, such as how IDA interacts with debuggers.  You can find a list of all of the supported debuggers, and tutorials on their use, at the Hex-Rays web site.

Again, I would like to reiterate that this was an extremely well-written book, and while I didn’t read it cover-to-cover, I did read much, much more of it than I usually do when reading a technical book.  Its ability to hold my attention alone (I’m extremely ADD) is testament to its quality, and I highly recommend this book to anyone from the person looking to begin using IDA Pro to the seasoned veteran.  There truly is something there for everyone.