
blog2.rep1.r3verse-engin33ring-pr1n

Hello friends – It would be neglectful for the INT 3 blog to initialize without discussing the fundamental principles necessary to develop the Reverse Engineering Mindset. Last month I spoke at an internal, biyearly Microsoft conference in Seattle. The talk focused on my experience debugging a troublesome z-order bug that caused a logon window to disappear while users attempted to log on to a third-party application from their field locations. Debugging z-order issues is an ugly business. Before stepping the audience through the debugger output projected on the big screen in the session room, I asked the question, “Where do you start debugging an issue when there is no error message generated, no crash dump created, no blocking threads to examine, no event log message logged, nor any ETW trace output generated? Where is the debugging entry point for an elusive disappearing logon window?”

The answer culminated in a discussion of the three “Reverse Engineering Principles” I have striven to cultivate over the last eighteen years. First I discussed the importance of building your reverse engineering toolbox by mastering tools such as Windbg, IDA Pro, debug extensions such as MEX, debug scripts, and the Sysinternals suite. We spent time discussing the importance of solid code comprehension skills, which include understanding language primitives, identifying design principles and possessing a familiarity with compiler specifics. Then I wrapped up by deliberating on the importance of having a reasonable level of architecture knowledge, including both operating system and processor semantics. Growing in all three of these areas will continue to develop the reverse engineering mindset.

Over the next couple of months, I will unpack these principles in a ‘Reverse Engineering Principles’ series named REP for short. The series will be loaded with sample assembly snippets, C code examples and Windbg walkthroughs. The first REP article in the series will pay homage to Matt Pietrek’s ‘Under the Hood’ article from February of 1998 with extended register and assembly walk-throughs. You can also count on Trey and Dan to run concurrent series and articles discussing other topics.

If you’re curious about the debugging starting point for the disappearing logon window issue, knowing the GDI architecture and how WinEvents operate (i.e. the REP principle of architecture knowledge) pointed me to my debug entry point.

And one more thing before we part ways this week – I mentioned the MEX tool above. MEX is a newly released debug extension for Windbg maintained by my team. Our design goal is to make you ‘faster as a debugger’. Download MEX, load it into Windbg with the .load command and check it out.

-Ron
