
Reversing: Secrets of Reverse Engineering


Eldad Eilam

ISBN: 978-0-764-57481-8

Apr 2005

624 pages

Beginning with a basic primer on reverse engineering (computer internals, operating systems, and assembly language) and then discussing the various applications of reverse engineering, this book provides readers with practical, in-depth techniques for software reverse engineering. The book is broken into two parts: the first deals with security-related reverse engineering, and the second explores the more practical aspects of reverse engineering. In addition, the author explains how to reverse engineer a third-party software library to improve interfacing and how to reverse engineer a competitor's software to build a better product.
* The first popular book to show how software reverse engineering can help defend against security threats, speed up development, and unlock the secrets of competitive products
* Helps developers plug security holes by demonstrating how hackers exploit reverse engineering techniques to crack copy-protection schemes and identify software targets for viruses and other malware
* Offers a primer on advanced reverse engineering, delving into "disassembly" (code-level reverse engineering) and explaining how to decipher assembly language
Foreword (p. vii)
Acknowledgments (p. xi)
Introduction (p. xxiii)
Part I: Reversing 101 (p. 1)
Chapter 1: Foundations (p. 3)
Chapter 2: Low-Level Software (p. 25)
Chapter 3: Windows Fundamentals (p. 69)
Chapter 4: Reversing Tools (p. 109)
Part II: Applied Reversing (p. 139)
Chapter 5: Beyond the Documentation (p. 141)
Chapter 6: Deciphering File Formats (p. 199)
Chapter 7: Auditing Program Binaries (p. 243)
Part III: Cracking (p. 307)
Chapter 9: Piracy and Copy Protection (p. 309)
Chapter 10: Antireversing Techniques (p. 327)
Chapter 11: Breaking Protections (p. 357)
Part IV: Beyond Disassembly (p. 421)
Chapter 12: Reversing .NET (p. 423)
Chapter 13: Decompilation (p. 457)
Appendix A: Deciphering Code Structures (p. 479)
Appendix B: Understanding Compiled Arithmetic (p. 519)
Appendix C: Deciphering Program Data (p. 537)
Appendix D: Citations (p. 561)
Index (p. 567)

Please read before downloading the code
Backdoor.Hacarmy.D: This is a trojan/backdoor type of malware program that was distributed in 2004. It is non-contagious, but it connects to a central server through which an attacker could theoretically connect to the infected system and control or damage it. The central servers were taken down long ago, so in its current state the program should nonetheless be harmless. It is not advisable to install the program on a system unless that system was specifically set up for testing purposes and is detached from the network.

Because of security restrictions regarding this file, the complete zip file for this download has been moved and may now be accessed here.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work or the nature or effect of the program and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Trademarks: Wiley, the Wiley Publishing logo and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Download the final Bibliography
Requires Microsoft Word Viewer to view file.
Appendix C Correx
There were errors in Appendix C, pages 540-541, that this download corrects.
Errata (columns: Chapter, Page, Details, Date, Print Run; only Page and Details are filled in below)

Page 43, Error in Code:

    char szWelcome = "This string will be stored in the executable's preinitialized data section";

should be:

    char szWelcome[] = "This string will be stored in the executable's preinitialized data section";

Pages 164, 165, Error in Text:

Heading: Search Loop 3

It says that it is using EDI as a counter.

should be:


*This error also occurs at the top of page 165.

Page 185, Error in Code:

    SHR ECX, 2    <--- right shift

A right shift by 2 divides by 4; it does not multiply by 4 as the text says:

This code..., ECX with ElementSize*4,..

should be:


Page 217, Typo in Text:

In the last paragraph on the page:


Should be:


Pages 540-541, Errors in Text:

Error on page 540: the book states that in the cdecl calling convention the first parameter is pushed onto the stack first, and the last parameter is pushed last.

Error on page 541: it states that stdcall functions receive parameters in the reverse order compared to cdecl, meaning that the last parameter an stdcall function takes is pushed onto the stack first.

CORRECTION: stdcall takes its parameters in the same order as cdecl; pascal is the inverse of cdecl in parameter pushing order.