Road to Reversing - 0x02 - Tools and Techniques
October 2, 2016
In this second post of the series, I continue with the background information and setting up the context of my learning.
There are more tools for RE than these three, but I have focused this first tool video on the most relevant tools for me and my current focus of static analysis.
IDA as the behemoth it is, is akin to a full-blown IDE like VisualStudio or NetBeans.
Binary Ninja is the sleek, quick and extensible Sublime Text and
radare2 is like vim: the learning curve is quite steep, but there is exquisite power behind each single stroke of the keyboard.
You can download the freeware version of the first release of the previous major version. Current version is v6.8 so you are getting 5.0 for free. Hopefully they'll get to 7.0 soon so us students/learners can get an upgrade to v6.0.
Unfortunately the licensing is not self-study friendly. The starter edition costs just over 500 EUR and only supports 32-bit executables. If you want 64-bit support, you will need to cough up just over 1000 EUR. This is quite prohibitive for people like me, who don't get paid to do RE yet. But given IDA's status as the de facto standard tool in the industry it can obviously dictate the price quite freely.
As features goes, IDA has them all. (except undo). It boasts architecture support from basic x86 to Gameboy Advanced. And as with anything that has a million and one features, it comes with a gazillion buttons in the UI for you to configure.
Oh yeah: Out of these three, IDA freeware is the only one that is Windows only. So you will need a VM in case you are not natively running Windows.
Binary Ninja (binja)
Binary Ninja offers a demo version, but like IDA free it is limited to 32-bit x86. The full version has wider support for architectures, but not as wide as IDA's massive collection. I personally fancy the unintrusive UI and ease of use it provides vs the massive amounts of buttons in IDA's default view.
I see binja as the underdog challenging the industry standards. As tools go, binja is quite recent -- it was only relased a few months ago, but shows great promise. I hope to cash in on this new tool and my programming skills to hopefully create some useful plugins in Python for this environment and get most out of my purchase.
Radare2 is free, open-source software (FOSS). You can download it from the website as an installer for your OS (Windows, OSX, Linux) or clone its source code on Github. Just opening r2 or opening a file with it will probably leave quite an empty feeling on your screen, as by default it shows almost nothing. You will need to instruct it to analyse and print things you want to see.
To slightly dampen the learning curve to something manageable, r2 does include a visual mode and a web GUI -- I personally did not manage to get the web GUI working correctly, but based on screenshots on the website it looks fantastically easier to use than the default cli configuration.
I have used r2 and ida free to solve crackmes, but both of them have left me cold and uninspired. I mean, I want to know r2 just so I could be a cool matrix-kinda hacker, but I really don't have the patience to spend that much time learning just the tool before learning the craft. IDA on the other hand seemed like taking a complex industrial-scale woodcutting, plank making deforestation machine for cutting down a single tree in your backyard.
Binja fits in my hands — I am nowhere to mastery with it yet, but it feels at least achievable — and I like its look-n-feel.
One of the things that scared me as I kickstarted this series was that unlike Path to OSCP where I was following the PWK course and its lab environment, I was not enrolled on any "Learn you some RE for great good" course. I was not in square one, as I had some stuff already learnt, but neither was there a clear path forward. I sorta started making my own route by deciding that I want to learn how to do static analysis first.
Today as I was chatting on #offsec, a fellow there asked me if I had chosen malware or 'deep security' from Open Security Training or if I had maybe gone through all of their stuff. I was perplexed. I had no idea what they were talking about. I know of Open Security Training since I have gone through their "Introductory Intel x86" course videos on Youtube, but I had not checked out their website more than that.
Turns out, they have quite a few courses available. The same fella told me he was going through the intermediate x86 course. I went to check it out and it sorta made sense. It felt intuitively the right move for me to focus on a course like this.
I am not yet sure if I will focus on the intermediate x86 or if I should first check out introduction to reverse engineering software. The latter feels more appealing as the former has dynamic analysis with WinDbg for rootkits and other anti-reversing techniques (more advanced stuff). The RE class will include dynamic analysis with debuggers, but feels a bit more down to earth.
Maybe I will do both. I will let my gut tell me based on the first few videos of both series.
I thought about adding future episode ideas here, but I feel that it might be constrictive. I'd rather keep more of a documentary feel for this series, so I will make videos about things that pop up during this learning process instead of trying to come up with a fixed set of topics.
This video came up just as I was planning on doing this tool comparison post, so I figured I'd link it here:
Using Binary Ninja for Modern Malware Analysis, does a nice job of comparing IDA (pro) and Binary Ninja for malware analysis.