Scaffolding course for the Virtus Cyber Academy reverse-engineering track. Read static analysis first. Build the habits that RE-101 and ADV-101 depend on.
Mission
RE-011 gives students the vocabulary, tooling fluency, and analytical posture needed to read compiled code without running it. By the end of the course a student can open an unfamiliar binary in Ghidra, navigate to the region of interest, produce a plausible C reconstruction, and write a structured findings report. That is the RE-101 entry bar.
What this course is not: RE-011 does not cover exploit development, shellcode, ROP chains, kernel internals, malware unpacking pipelines, or firmware extraction from live hardware. Those belong to RE-101, ADV-101, ADV-102, and RE-201. RE-011 ends where RE-101 begins.
Audience and prerequisites
Students who have completed SEC-101 (or who can demonstrate equivalent familiarity with the Linux command line, basic networking, and the OWASP threat model vocabulary). No prior assembly knowledge required. No prior C required -- but students who have written a few hundred lines of C will move faster in Weeks 4-5.
Hardware: any 64-bit laptop from the last eight years with 8 GB RAM (16 GB recommended for Ghidra with large binaries). No special hardware required. No FPGA, no physical device teardown -- that is the RE-101 / hardware-track domain.
Anchor readings
Two free-access texts carry the course:
- Xeno Kovah, OST2 Architecture 1001 (ost2.fyi, free). The canonical x86-64 assembly reference for this course. Students work through the relevant modules in parallel with Weeks 3-6.
- Dennis Yurichev, Reverse Engineering for Beginners (beginners.re, free CC-BY-SA). The practical binary-reading reference. Students use the relevant chapters alongside Weeks 5-9.
Practitioner narrative (library copies recommended):
- Jon Erickson, Hacking: The Art of Exploitation, 2nd ed. (No Starch Press) -- for students who want to see where these skills lead.
- bunnie Huang, The Hardware Hacker -- context for the firmware teardown weeks.
Course shape
| Item | Value |
|---|---|
| Total time | ~116 hours over 14 weeks |
| Weekly time | ~8 hours student time |
| Lecture per week | 2 x 45-50 min sessions |
| Lab per week | 1 structured lab per week (Labs 1-8 spread across weeks); CrackMe ladder spine ~2 hr/week Weeks 4-14 |
| Independent practice | ~4 hr/week |
| Reading | ~30-45 min/week |
| Audience | SEC-101 graduates (or equivalent) |
| Prerequisites | SEC-101 + Linux CLI fluency + basic C literacy helpful |
| Cost | $0 (all tools free and open-source; Ghidra is NSA/government-released open source) |
| Capstone | Firmware analysis report on instructor-assigned training target |
14-week topic flow
| Week | Theme | Structured lab | CrackMe ladder |
|---|---|---|---|
| 1 | What RE is -- scope, posture, legal framing | Lab 1: File identification | -- |
| 2 | Byte-level view -- hex editors, magic numbers, endianness | (lab walk, ungraded) | -- |
| 3 | ELF format in depth -- sections, segments, symbol tables | Lab 2: ELF section walk | -- |
| 4 | x86-64 assembly I -- registers, stack, calling convention | Lab 3: Compiler optimisation | Ladder begins |
| 5 | x86-64 assembly II -- control flow, loops, jump tables | Lab 5: Assembly-to-C reconstruction | Ladder continues |
| 6 | Ghidra I -- project setup, navigation, decompiler | Lab 4: Ghidra navigation | Ladder continues |
| 7 | Ghidra II -- cross-references, data types, struct recovery | (Ghidra CrackMe session, ungraded) | Ladder continues |
| 8 | radare2 / rizin / cutter -- alternative tradition | (r2 lab walk, ungraded) | Ladder continues |
| 9 | Dynamic analysis -- gdb, strace, ltrace, when static hits a wall | Lab 7: Dynamic vs. static | Ladder continues |
| 10 | Anti-RE tricks -- packing, obfuscation, anti-debug | (anti-RE analysis, ungraded) | Ladder continues |
| 11 | Binary patching -- objcopy, Ghidra patch tool, smallest-patch discipline | Lab 8: Patch to bypass | Ladder continues |
| 12 | Firmware teardown -- guided rehearsal, extraction, identification | (guided teardown session) | Ladder closes (checkpoint) |
| 13 | Capstone scoping -- instructor-assigned target, analysis plan, sign-off | -- | Lab 6 checkpoint due |
| 14 | Capstone delivery -- report, oral summary, bridge to RE-101 | Lab 9: Capstone | -- |
Lab index
| Lab | Title | Week assigned | Graded |
|---|---|---|---|
| Lab 1 | File identification | Week 1 | Yes |
| Lab 2 | ELF section walk | Week 3 | Yes |
| Lab 3 | Compiler optimisation | Week 4 | Yes |
| Lab 4 | Ghidra navigation | Week 6 | Yes |
| Lab 5 | Assembly-to-C reconstruction | Week 5 | Yes |
| Lab 6 | CrackMe checkpoint | Week 13 | Yes |
| Lab 7 | Dynamic vs. static | Week 9 | Yes |
| Lab 8 | Patch to bypass | Week 11 | Yes |
| Lab 9 | Capstone: firmware analysis | Week 14 | Yes |
CrackMe ladder
The CrackMe ladder runs from Week 4 to Week 13 as a continuous independent-practice spine. Students solve at least 8 CrackMe challenges (4 additional as stretch) from crackmes.one, pwn.college's RE track, and the picoCTF reverse-engineering category.
Primary sources: pwn.college (RE track), picoCTF (RE category), crackmes.one. Use whichever is reachable. crackmes.one has intermittent availability issues; if it is down, use pwn.college or picoCTF instead without waiting.
Each solved CrackMe is documented in a Tool Journal entry: what the binary does, what technique revealed the key, what Ghidra / radare2 view was most useful, time spent. Lab 6 is the mid-course checkpoint (4+ challenges documented with technique narrative).
Per-week time budget
| Week | Reading | Lecture | Lab | CrackMe | Reflection / practice | Total |
|---|---|---|---|---|---|---|
| 1 | 30 min | 90 min | 90 min | -- | 60 min | ~5 hr |
| 2 | 30 min | 90 min | 60 min (walk) | -- | 60 min | ~4 hr |
| 3 | 45 min | 90 min | 90 min | -- | 60 min | ~5 hr |
| 4 | 45 min | 90 min | 90 min | 90 min | 60 min | ~7 hr |
| 5 | 45 min | 90 min | 90 min | 90 min | 60 min | ~7 hr |
| 6 | 30 min | 90 min | 90 min | 90 min | 60 min | ~7 hr |
| 7 | 30 min | 90 min | 60 min (walk) | 120 min | 60 min | ~7.5 hr |
| 8 | 30 min | 90 min | 60 min (walk) | 90 min | 60 min | ~6.5 hr |
| 9 | 45 min | 90 min | 90 min | 90 min | 60 min | ~7.5 hr |
| 10 | 45 min | 90 min | 60 min (walk) | 90 min | 60 min | ~6.5 hr |
| 11 | 30 min | 90 min | 90 min | 90 min | 60 min | ~7.5 hr |
| 12 | 45 min | 90 min | 90 min | 60 min (checkpoint) | 60 min | ~7 hr |
| 13 | 30 min | 90 min | -- | Lab 6 checkpoint due | 120 min (scoping doc) | ~6 hr |
| 14 | -- | 60 min | 180 min (capstone) | -- | 60 min | ~5 hr |
| Total | ~7 hr | ~21 hr | ~21 hr | ~18 hr | ~14 hr | ~91 hr |
Note: independent reading of OST2 Architecture 1001 and Yurichev RE4B chapters adds ~20-25 hr across Weeks 3-9. Total course hours ~110-116.
Forward pointers
After RE-011:
- RE-101 (Reverse Engineering I): hands-on vulnerability research on the Motorola SB6141 lab target. RE-011 fluency (Ghidra navigation, x86-64 reading, ELF structure) is the entry prerequisite.
- ADV-101 (Adversarial Analysis I): malware analysis, threat-actor TTP reconstruction. RE-011 + SEC-101 together form the ADV-101 prerequisite.
- ADV-102 (Adversarial Analysis II): advanced dynamic analysis, sandboxing, unpacking pipelines. RE-011 dynamic analysis week is the first exposure to the tools ADV-102 expands on.
- RE-201 (Reverse Engineering II): firmware extraction from live hardware, JTAG, serial console access. RE-011 firmware teardown week (Week 12) is the conceptual preview.
RE-011 v0.1. 14 weeks. Entry course for the Virtus Cyber Academy reverse-engineering track.