Everything you need before Week 1 starts. All tools are free and open-source. Plan ~60 minutes for full setup; ~20 minutes if you skip the optional tools.
What you need
A laptop with 8 GB RAM minimum; 16 GB recommended. Ghidra is a Java application that requires meaningful memory for large binary analysis. On 8 GB RAM you can analyze binaries up to a few MB without performance issues. The capstone firmware binaries may be larger; 16 GB is more comfortable.
A 64-bit Linux system (or macOS with Linux tools via Homebrew). RE-011 uses Linux-native tools: readelf, objdump, nm, strings, strace, ltrace, gdb. These are available on macOS via Homebrew, but the lab binaries are compiled for Linux x86-64 and must be run on Linux for the dynamic analysis labs. Windows users: install WSL2 with Ubuntu.
A Java Development Kit (JDK), version 17 or higher. Required by Ghidra. Install before Ghidra.
NOT required: hardware kit, physical device, JTAG or serial adapters, paid software, specialized networking equipment.
Tool checklist
1. Ghidra (required, primary analysis tool)
Ghidra is released by the NSA at github.com/NationalSecurityAgency/ghidra. It is free and open-source.
Install steps:
- Install JDK 17+:
  - Linux: sudo apt install default-jdk (Debian/Ubuntu) or sudo dnf install java-17-openjdk (Fedora)
  - macOS: brew install openjdk@17
- Download the latest Ghidra release ZIP from github.com/NationalSecurityAgency/ghidra/releases.
- Extract: unzip ghidra_*.zip -d ~/tools/
- Run: ~/tools/ghidra_*/ghidraRun
Verify: Ghidra launches and shows the project manager window. Create a test project, import /bin/ls, run analysis. The auto-analyser should identify main and several other functions.
Minimum working configuration:
- At least 4 GB RAM allocated to Ghidra (the default). Edit support/launch.properties to set MAXMEM=4G if you have RAM available.
- Ghidra 10.x or later for the best decompiler support.
2. binutils: readelf, objdump, nm, strings (required)
These are standard Linux tools, almost certainly already installed.
readelf --version # should print GNU readelf version
objdump --version
nm --version
strings --version
If missing:
- Linux: sudo apt install binutils
- macOS: brew install binutils (note: macOS ships llvm-nm and llvm-objdump, which have slightly different flags; GNU versions are preferred for RE-011)
3. xxd and hexedit (required)
xxd is part of the vim package on most systems:
xxd --version
If missing: sudo apt install vim-common
hexedit (for Lab 8):
sudo apt install hexedit # Linux
brew install hexedit # macOS
4. file and strings (required, usually pre-installed)
file --version
strings --version
If missing: sudo apt install file binutils
5. gdb (required for Week 9 and Lab 7)
gdb --version
If missing: sudo apt install gdb
Optional gdb enhancement (highly recommended): pwndbg
git clone https://github.com/pwndbg/pwndbg ~/tools/pwndbg
cd ~/tools/pwndbg && ./setup.sh
Verify: launch gdb, you should see the pwndbg banner and a persistent register display at every prompt.
6. strace and ltrace (required for Week 9 and Lab 7)
strace --version
ltrace --version
If missing:
sudo apt install strace ltrace
7. radare2 / rizin (required for Week 8)
Option A: radare2 (community version)
# Linux
sudo apt install radare2
# or from source (more current):
git clone https://github.com/radareorg/radare2
cd radare2 && sys/install.sh
Option B: rizin (the fork, used by Cutter)
sudo apt install rizin
Cutter (optional GUI for rizin/radare2): Download the AppImage from cutter.re/downloads. Make it executable and run:
chmod +x Cutter-*.AppImage
./Cutter-*.AppImage
Verify: run r2 -v (or rizin -v). It should print a version string.
8. binwalk (required for Weeks 12-14 and Lab 9)
RE-011 uses the Python-based binwalk v2.x (maintained by ReFirmLabs). A separate Rust rewrite (binwalk v3) exists with different flags and different output format; it is not the RE-011 reference and will not match the commands in this course.
sudo apt install binwalk
binwalk --version
The --version output should say Binwalk v2.x.x. If it shows v3 or a version string without v2, you have the Rust rewrite installed. Run which binwalk to find which binary is on your PATH; the apt-installed Python version is typically at /usr/bin/binwalk.
If apt installs a version older than 2.3, install from source (still Python-based):
git clone https://github.com/ReFirmLabs/binwalk
cd binwalk && sudo python3 setup.py install
Verify: binwalk /bin/ls should run without errors and show "DECIMAL / HEXADECIMAL / DESCRIPTION" column headers.
9. upx (required for Week 10)
sudo apt install upx-ucl
upx --version
macOS: brew install upx
Verify: upx --version prints the version.
10. Git (required, for capstone repository)
git --version
If missing: sudo apt install git
The capstone requires a Git repository hosted on GitHub or GitLab. Use the same account you set up for FND-101 or FND-102. If you do not have one, create a free account at github.com.
11. crackmes.one account (required for CrackMe ladder)
Create a free account at crackmes.one. No download required -- all CrackMe binaries are hosted on the platform.
Verify: log in and browse the "Reverse Engineering" > "Linux/ELF" filter. Confirm you can download a binary.
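A preflight script for the checklist above, added here as an example and not part of the RE-011 course material. It reports which required commands are missing from PATH and applies the v2-or-not rule from step 8 to the binwalk version string; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: preflight check for the RE-011 tool checklist.
# Function names are illustrative and not part of the course material.

# Commands named in the checklist. Ghidra is launched from ~/tools and
# crackmes.one is a web account, so neither is checked here.
RE011_TOOLS="java readelf objdump nm strings xxd hexedit file gdb strace ltrace binwalk upx git"

# Print each argument that is not found on PATH, one name per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Classify `binwalk --version` output by the guide's rule: text containing
# "v2." is the Python reference build, anything else is not.
classify_binwalk() {
    case "$1" in
        *[vV]2.*) echo "python-v2" ;;
        "")       echo "missing" ;;
        *)        echo "not-v2" ;;
    esac
}

# Print a short report. Returns 0 so it can be sourced or re-run freely.
preflight() {
    missing=$(missing_tools $RE011_TOOLS)
    # Week 8 accepts either radare2 (r2) or rizin.
    if [ -n "$(missing_tools r2)" ] && [ -n "$(missing_tools rizin)" ]; then
        missing="$missing r2-or-rizin"
    fi
    echo "missing tools:" ${missing:-none}
    if command -v binwalk >/dev/null 2>&1; then
        ver=$(binwalk --version 2>&1)
        echo "binwalk at $(command -v binwalk): $(classify_binwalk "$ver")"
    fi
}

preflight
```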
Optional tools
OWASP ZAP or Burp Suite (not used in RE-011, but relevant if continuing to PEN-101)
Not required for RE-011. Install for PEN-101 preparation.
Volatility / memory forensics tools
Not used in RE-011. Relevant for ADV-101.
Docker
Not required for RE-011 unless the instructor uses Docker to provide lab targets. If Docker is needed, install Docker Desktop from docker.com; WSL2 integration is available on Windows.
Windows students: WSL2
RE-011's dynamic analysis tools (gdb, strace, ltrace) run on Linux. On Windows, WSL2 provides a real Linux kernel.
If you set up WSL2 for FND-101 or FND-102, you are ready. If not:
- Open PowerShell as Administrator.
- Run: wsl --install
- Restart when prompted.
- After restart, Ubuntu finishes installing; create a username and password.
- Open Ubuntu from the Start menu.
- Install RE-011 tools:
  sudo apt update
  sudo apt install binutils gdb strace ltrace hexedit radare2 binwalk upx-ucl git
Ghidra on Windows WSL2: Run Ghidra from the Windows side (not inside WSL2). The Windows Ghidra can import and analyze Linux ELF binaries. For the dynamic labs (strace, gdb), use the WSL2 terminal.
Estimated setup time
| Step | Time |
|---|---|
| Install JDK | ~5 min |
| Download and install Ghidra | ~10 min |
| Verify binutils (readelf, objdump, nm, strings) | ~2 min |
| Install gdb + pwndbg | ~10 min |
| Install strace, ltrace, xxd, hexedit | ~3 min |
| Install radare2 and Cutter | ~10 min |
| Install binwalk | ~5 min |
| Install upx | ~2 min |
| Create crackmes.one account | ~5 min |
| Verify all tools | ~5 min |
| Total (Linux/macOS) | ~57 min |
| Total (Windows + WSL2) | ~90 min |
Reference resources to bookmark
- Ghidra releases: github.com/NationalSecurityAgency/ghidra/releases
- OST2 Architecture 1001 (free): ost2.fyi
- Yurichev RE4B (free): beginners.re
- radare2 book (free): book.rada.re
- crackmes.one: crackmes.one
- pwndbg: pwndbg.re
- binwalk documentation: github.com/ReFirmLabs/binwalk
- ELF format reference: man 5 elf (on Linux)
- System V AMD64 ABI: gitlab.com/x86-psABIs/x86-64-ABI (PDF)
- DMCA Section 1201 exemptions (EFF summary): eff.org/issues/dmca/1201
Setup guide v0.1. RE-011 requires no paid software, no hardware kit, and no administrator access beyond what gdb and Docker require.