What to bring:

Students must bring their own Windows® Laptop with Adobe® Acrobat Reader®, an unzip utility and a full version (standard or advanced) of Ida Pro 4.9 or greater installed.

Failure to do so will make participation difficult. Students attempting to use the freeware or demo versions of Ida available from DataRescue will be unable to complete many of the hands on portions of the course. The limited capability freeware version of Ida is available.

Students wishing to compile Ida plugins should also have either MicrosoftÆ Visual C++Æ 6.0, Visual StudioÆ .NET, or a cygwin (recommended) environment that includes gcc, g++, and make.

Black Hat USA 2010 Weekend Training Session

July 24 - 25

Black Hat USA 2010 Weekday Training Session


Reverse Engineering with Ida Pro

Christopher S. Eagle

Register Button

The need for reverse engineering binary software components arises in more and more contexts every day. Common cases include analysis of malicious software such as viruses, worms, trojans and rootkits, analyzing binary drivers in order to develop open source drivers for alternate platforms, analyzing closed source software for security flaws, and source code recovery in legacy systems. The first step in such an analysis is generally the acquisition of a high quality disassembly of the binary component. Ida Pro is touted as the premier disassembler available today. Ida Pro is capable of disassembling machine languages for a large number of microprocessors and microcontrollers and is particularly strong when used on Windows and LinuxÆ executables. This course will cover essential background material for effective reverse engineering before diving into the features of Ida Pro that set it apart from other disassemblers.

Course Structure
This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to familiarize the student with the capabilities of Ida Pro and its uses in analyzing various types of binary files.

What You Will Learn
The course will provide an overview of disassembler theory followed by a review of the structure of compiler-generated code. Armed with that background information, students will be introduced to the features of Ida Pro that set it apart from other disassemblers and learn how it can assist them in determining the behavior of various binary files. The course will cover the basics of the Ida Pro interface including the many informational displays it contains. Students will be introduced to the scripting capabilities of Ida Pro as well as its plugin architecture. Finally, students will be presented with techniques for dealing with statically linked, stripped, and obfuscated binaries.

How It Will Work
Each student will be provided with many example binaries that will be used throughout the course to demonstrate Ida Proís many features. The binaries run the range from simple demonstrations to real world examples of obfuscated malicious code. These binaries will be used in both instructor-led discussions and individual exercises to reinforce disassembly concepts and familiarize the student with a wide range of Ida Pro capabilities. In addition to sample binaries, students will be provided with valuable reverse engineering reference material including many Ida Pro sample scripts and plugins.

Who Should Attend?
Information security officers, anti-virus vendors, vulnerability researchers, security consultants, software developers and other nice people will all benefit from the techniques presented in this class. Remember that this course is practical and of an extremely technical nature, so a basic understanding of assembly language (preferably x86), C/C++ programming, networking, and security is a course prerequisite.

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Because the class requires that a version of IDA Pro 4.9 or greater be installed on the participant's laptop, you must purchase the software directly from DataRescue.


Chris Eagle

is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 24+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Defcon, CodeCon, and Shmoocon and is the author of "The IDA Pro Book", the definitive
guide to IDA Pro. In his spare time he is the Dean of Hacking for the Sk3wl of r00t, current champions of the Defcon Capture the Flag Competition.
Register Button

Super Early:
Ends Apr 1
Ends May 15

Ends Jun 15

Ends Jul 23