VCA-RE-011: Introduction to Reverse Engineering

Course Overview

VCA-RE-011 is deliberately an introductory RE course, not a light version of RE-101. The flagship assumes students can read compiled binaries, use a disassembler productively, and write a report that someone at USENIX would take seriously. RE-011 builds exactly those skills. It introduces the analytical posture, "the program is in front of me, I will understand it" - alongside the tooling fluency that makes the posture viable.

RE-011 is the conceptual scaffolding, not the deep dive. RE-101's flagship curriculum teaches Ghidra and radare2 in their full professional depth in Weeks 8-9; RE-011 is where students get UI-comfort with the same tools first, so RE-101's pace lands as merely intense rather than disorienting. RE-011 also plants the binary-and-byte-level fluency RE-101 lists as required incoming knowledge: hex and byte-order literacy, file-format recognition (ELF / PE / Mach-O), and the discipline of reading rather than guessing what a binary does. Students leave RE-011 able to load a binary into Ghidra, move through to main(), follow cross-references, find strings, identify the compiler that produced the binary, and write a defensible finding report. That is the entrance ticket to RE-101.

How the Course Teaches: Foundational Readings

RE-011 carries the RE track's paired-textbook system at the entry tier. The build-it-yourself pair (OST2 + Yurichev) provides the structured learning scaffold; the narrative pair (Erickson + bunnie) provides the practitioner mental model that makes the lab work feel motivated rather than mechanical. Both pairs are woven into the lab prompts and the capstone analysis template throughout the course.

Learning Objectives

Listed in Bloom's-taxonomy order. Each is measurable against a specific lab or written deliverable.

1. Remember. State the magic numbers of the three major executable formats (ELF 0x7F 45 4C 46; PE 0x4D 5A "MZ"; Mach-O 0xFEEDFACE / 0xFEEDFACF); name the major sections of an ELF binary (.text, .data, .rodata, .bss, .symtab, .strtab); recite the System V AMD64 calling convention's argument registers (rdi, rsi, rdx, rcx, r8, r9). (Assessed: closed-book quiz; Lab 1 file-identification worksheet.)
2. Understand. Explain why the same C source produces different machine code under gcc -O0, gcc -O2, and clang -O3; explain why optimisation makes RE harder; explain why stripped binaries (no symbol table) are harder than unstripped. (Assessed: written reflection D2; Lab 3 compiler-output comparison.)
3. Understand. Distinguish static analysis (read the binary; reason about behaviour) from dynamic analysis (run the binary in a controlled environment; observe behaviour); explain when each is appropriate and when each is required (e.g., packed binaries demand dynamic unpacking before static analysis becomes useful). (Assessed: Lab 7 dynamic-vs-static comparison.)
4. Apply. Load an unknown binary into Ghidra: configure the loader correctly for the architecture, run the auto-analysis, move through to main via the symbol tree (or via the entry point + cross-reference walk for stripped binaries), follow cross-references to identify the program's major routines, and rename functions and variables based on inferred meaning. (Assessed: Lab 4 Ghidra-navigation walkthrough.)
5. Apply. Read x86-64 assembly produced by a modern compiler well enough to identify the source-language constructs it came from: if/else branches as conditional jumps; while/for loops as backward jumps; function prologues and epilogues; switch statements as jump tables; struct field access as base-plus-offset addressing. Map the assembly back to plausible C source. (Assessed: Lab 5 assembly-to-C reconstruction.)
6. Apply. Solve a graduated CrackMe ladder of at least 8 challenges across password-check defeat, simple keygen, anti-debug awareness, simple packing, and basic obfuscation. Document the technique used for each. (Assessed: Lab 6 CrackMe ladder.)
7. Analyze. Given an unknown binary on a training target, identify what it does without running it (or with controlled dynamic analysis where static analysis hits a wall), document the findings, and write a 4-6 page report at professional level. (Assessed: Lab 9, the capstone.)
8. Evaluate. Compare the analytical workflow used against an unknown binary in this course against the workflow RE-101 will demand against a real device's firmware (the SB6141 cable modem). Identify which RE-011 skills carry directly forward and which RE-101 expands. Articulate the student's readiness gap before enrolling in the flagship. (Assessed: deliverable D3 self-assessment, ~400 words.)

Week-by-Week Topic Flow

Fourteen weeks. Lecture is light (~1 hr/wk) because RE is a doing discipline; lab time is the central block. The CrackMe ladder runs as a continuous spine across Weeks 4-13.

1. Week 1. What reverse engineering is, and what it is not. The professional and legal landscape (DMCA §1201, the security-research carve-outs, why CFAA boundaries matter to RE practitioners). The analytical posture: read first, run second, never guess. Lab 1. File-identification worksheet.
2. Week 2. The byte-level view. Hex editors (xxd, hexedit, HxD on Windows). Magic numbers. Endian-ness reading at sight. Repairing a corrupted file header. Lab walk. Identify 10 unknown files by their magic alone.
3. Week 3. ELF in depth. Sections vs. segments. The symbol table. Stripped vs. unstripped binaries. readelf, objdump, nm, strings. Lab 2, ELF section-walk on a small binary the student wrote in FND-102.
4. Week 4. x86-64 assembly I. Registers, stack, calling convention. Reading objdump -d output. The discipline of guessing what the C source must have been. Lab 3. Compile the same C with -O0, -O2, -O3; diff and explain. CrackMe ladder begins.
5. Week 5. x86-64 assembly II. Control flow. Conditional jumps. Loops as backward jumps. Function prologues / epilogues. Jump tables for switch statements. Lab 5. Assembly-to-C reconstruction.
6. Week 6. Ghidra I. Project setup, the auto-analyser, the symbol tree, the listing view, the decompiler view. Naming discipline and how it compounds across an analysis session. Lab 4. Load a small binary; rename every function with a meaningful identifier; document why.
7. Week 7. Ghidra II. Cross-references, data-type inference, struct definitions, function-signature override. The decompiler-as-conversation: tweak types, watch decompiled output improve. Continued CrackMe progression.
8. Week 8. radare2 / rizin / cutter as the alternative-tradition disassembler. Why some practitioners prefer it (scriptable, terminal-native, faster on huge binaries). The cross-tool comparison: same binary in Ghidra and r2; what each reveals first. Lab walk. One binary in both tools.
9. Week 9. Dynamic analysis. gdb with peda/pwndbg/gef extensions; strace and ltrace; valgrind for memory-error observation. When static analysis hits a wall and dynamic is the only path forward (packed binaries, runtime-decrypted code, anti-static-analysis tricks). Lab 7. Dynamic-vs-static comparison on a packed CrackMe.
10. Week 10. Anti-RE tricks: simple packing (UPX), basic obfuscation (control-flow flattening, opaque predicates), anti-debug checks (ptrace self-attach, timing checks, IsDebuggerPresent equivalents). The defender's playbook is also the offender's; both sides know the same techniques. Continued CrackMe progression now includes anti-debug variants.
11. Week 11. Patching. Modify a binary to defeat a check, change a constant, redirect a branch. objcopy, ed-on-binaries, Ghidra's built-in patching tool. The discipline of making the smallest possible patch. Lab 8. Patch the CrackMe ladder's capstone challenge to bypass the check rather than solve it.
12. Week 12. Guided firmware teardown. The instructor walks an instructor-selected training target (typically a small consumer IoT device or a legacy router whose firmware is trivially extractable) end-to-end: extraction, identification, structure, salient findings. The student replicates each step on their own copy. This is the rehearsal for Lab 9.
13. Week 13. Capstone scoping. Each student receives an instructor-assigned training target (a step smaller and more tractable than RE-101's SB6141), drafts an analysis plan, and gets sign-off before extraction begins.
14. Week 14. Capstone delivery: written report + 5-minute oral summary in front of the cohort. Lab 9 due.

Lab Manifest

Nine numbered labs across the course, with the CrackMe ladder running as a continuous spine from Week 4 onward. Labs 1-8 are graded on correctness and lab-notebook quality; Lab 9 is the capstone, two-tier-graded against the rubric below.

• CrackMe ladder. A structured progression of at least 12 challenges (8 required, 4 stretch) drawn from crackmes.one, pwn.college's reverse-engineering modules, and instructor-curated picks. The ladder begins Week 4 with simple password-check defeat and progresses through keygen reconstruction, anti-debug awareness, simple packing, and basic obfuscation by Week 12.
• Lab 1. File-identification worksheet. Given 10 unknown binary files, identify each by magic number, header structure, and salient strings. No tooling beyond file, xxd, strings.
• Lab 2. ELF section-walk. Compile a small student-written C program; walk every section with readelf, objdump, nm; explain what each section contains and why.
• Lab 3. Compiler-optimisation comparison. Same source, three optimisation levels. Diff the objdump -d outputs; explain three specific optimisations the compiler chose at -O2.
• Lab 4. Ghidra-navigation walkthrough. Load a 200-line C program's compiled binary; move through to main in three different ways (symbol tree, entry-point follow, cross-reference walk); rename every non-trivial function and document the rationale.
• Lab 5. Assembly-to-C reconstruction. Given the disassembly of a stripped 50-instruction function, reconstruct plausible C source; compare against the actual source the instructor reveals after submission.
• Lab 6. CrackMe ladder mid-course checkpoint. Document at least 4 solved challenges with technique narrative.
• Lab 7. Dynamic-vs-static comparison. A packed CrackMe; analyse statically first (observe what is hidden); then unpack dynamically and analyse the unpacked form.
• Lab 8. Patching. Take a CrackMe with a binary check; produce the smallest possible patch (single-byte preferred) that bypasses the check; verify the patched binary still runs.
• Lab 9, Capstone. Firmware analysis on an instructor-assigned training target. See Capstone section below for full rubric.

Bridge to RE-101 / ADV-101 / ADV-102 / RE-201: the RE-Strand Scaffolding

RE-011's deliberate forward-pointer is its position as the scaffolding under the entire RE strand. By the close of RE-011 the student has UI-comfort with Ghidra and radare2, can read x86-64 assembly at the "recognise common idioms" level, and has written one analytical report. Three things RE-011 makes possible downstream:

• VCA-RE-101 (the flagship, RE of embedded systems, SB6141 capstone). RE-101's prerequisite list (per the published vca-re-101 page) names ARM-assembly literacy as taught-in-place at Week 4 + Week 9, but it assumes the student already has x86-64 assembly literacy as a recognition skill. RE-011 builds exactly that: the student arrives at RE-101 able to read x86-64, ready to learn ARM by analogy. Similarly, RE-101 teaches Ghidra and radare2 in their professional depth at Weeks 8-9; RE-011 students arrive UI-comfortable with both tools, so the depth instruction lands rather than overwhelms. The cognitive distance from RE-011 capstone to RE-101 first lab is the smallest the curriculum can make it.
• VCA-ADV-101 (CVE-to-tool engineering). ADV-101 students reproduce disclosed CVEs against vulnerable software; the workflow begins with reading the vulnerable binary in a disassembler, identifying the vulnerable function, and observing the corruption pattern. RE-011's Ghidra fluency and assembly-reading habit are exactly the table-stakes for that workflow.
• VCA-ADV-102 (LLM-CVE variant; CVE-2025-65106 LangChain Jinja2). Even the AI-CVE-reproduction work begins with understanding what code the vulnerability lives in. RE-011's "read first, run second, never guess" analytical posture is the discipline ADV-102 assumes.
• VCA-RE-201 (RE of burst radio signals). Even at the RF/SDR layer, the practitioner reads firmware images extracted from radios, analyses signal-processing routines in disassembly, and sometimes patches firmware to alter modulation parameters. RE-011's patching discipline (Lab 8) is the precursor.
• The future vca-arm-201 and vca-mips-201 Part-II electives. Both deepen RE-011's assembly-reading work onto specific architectures. RE-011 builds the meta-skill (read disassembly; map to source-language constructs; recognise compiler idioms); the architecture electives instantiate it on ARM and MIPS.
• The future vca-ai-* AI-security strand. Reverse engineering of AI systems is an emerging professional field (model extraction, weight-stealing attacks, prompt-injection corpus analysis). The analytical posture RE-011 builds transfers; the targets shift from binaries to model weights and serialised computation graphs.

Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026). RE-011 references the Profile import CVE (CVE-2026-5656) as the canonical accessible worked example because it is a logic bug rather than memory corruption: students can read the C++ patch line-by-line in WiresharkZipHelper::unzip() and understand exactly what the missing path-validation check should have been, without any prior binary-exploitation background. The mini-module catalog page distils the vocabulary; the deep walkthrough lives in the companion handout.

The course's closing message: RE-011 is where you learn to read what a compiler emitted. RE-101 is where that skill becomes a profession. Without RE-011 the flagship's pace is punishing; with RE-011 the pace is intense in a productive way.

Tool Journal: RE-011 Originating Entries

The Tool Journal continues. RE-011 originates the diary's reverse-engineering roots; HW-101 originated bench-electronics, FND-102 originated Python and shell, NET-101 originated network analysis, SEC-101 originated security tooling, and CSA-101 will originate the toolchain-build tools (with Ghidra first formally introduced in CSA-101 Chapter 6a as a mandatory tool against a small student-built linked image). RE-011 picks up Ghidra at the binary-analysis level CSA-101 forward-referenced.

RE-011 originates the following diary entries (anchored against the OST2 + Yurichev build-it-yourself pair and the Erickson + bunnie narrative pair throughout):

• Ghidra (binary-analysis level). First met Week 6. The student met Ghidra in CSA-101 Chapter 6a as a tool for inspecting their own student-built linker output; RE-011 picks up Ghidra at the level the tool was built for. Analysis of binaries the student did not author. Project setup, auto-analyser, decompiler view, naming discipline. Continues into RE-101 at professional depth.
• radare2 / rizin / cutter. First met Week 8. The alternative-tradition disassembler family. Scriptable, terminal-native, fast on large binaries. Some practitioners prefer it; some run both side-by-side. RE-011 introduces the alternative so students arrive at RE-101 having seen both.
• objdump from the RE perspective. First met Week 3 (re-met from CSA-101 Chapter 4's assembler-cross-validation use). Same tool, different posture: in CSA-101 the student validated their hand-encoding against objdump's output; in RE-011 objdump -d is the first-pass disassembler against unknown binaries.
• strings. First met Week 1. Extracts printable strings from any binary file. The fastest way to identify what a program is about. The first tool every RE practitioner reaches for.
• file. First met Week 1. Identifies file type by magic number and structure. Often the first 5 seconds of any analysis.
• nm. First met Week 3 (re-met from CSA-101 Chapter 6). Lists symbols in an object or executable. Critical for identifying function entry points in unstripped binaries.
• readelf. First met Week 3 (re-met from CSA-101 Chapter 12). Walks ELF structure section-by-section. The complete-image-shape tool.
• xxd / hexedit / HxD. First met Week 2. Hex-editor family. Read raw bytes, recognise structure visually, repair corruption.
• gdb with peda / pwndbg / gef extensions. First met Week 9 (re-met from CSA-101 Chapter 7+8). Same tool, RE-perspective: the dynamic instrument when static analysis hits a wall.
• strace and ltrace. First met Week 9. System-call and library-call tracers respectively. The dynamic-analysis tools that show what a binary is asking the OS to do.
• UPX. First met Week 10. The most common open-source binary packer. Met as a target to defeat (its -d flag unpacks UPX-packed binaries trivially) before harder packers are introduced.
• crackmes.one platform. First met Week 4. The community-curated CrackMe ladder. The same platform every working RE practitioner used for their early skill-building.
• OST2 (OpenSecurityTraining2). First met as companion reference alongside RE-011 Weeks 4-5. Xeno Kovah's Architecture 1001 course (x86-64 assembly) is the build-it-yourself entry anchor for the RE track. Free; 501(c)(3) non-profit; student diary entry notes which OST2 modules map to which RE-011 labs.
• Yurichev RE4B (beginners.re). First met as companion reference alongside RE-011 Weeks 4-8. The free (CC-BY-SA; 1052pp) RE reference that covers every major architecture. Student diary entry tracks which chapters have been read; the book follows the student through RE-101 and into RE-201.

Roughly twelve tool entries originate in RE-011 (counting the re-perspective re-met tools as fresh entries, since the analytical posture is genuinely different). RE-101 promotes Ghidra and radare2 to professional-depth tools and adds binwalk, firmware-mod-kit, squashfs-tools, and the SoC-specific extraction toolchains. The diary continues to grow across the strand.

Capstone: Firmware Analysis Report on a Training Target

The course capstone. The student receives an instructor-assigned training target (a small consumer IoT device, a legacy router whose firmware is trivially extractable, or a comparable artifact - a step smaller and more tractable than RE-101's SB6141 flagship target) and produces a professional firmware analysis report.

Required artifacts

• The 4-6 page report itself, written at professional level: structured headings, factual claims supported by specific evidence (file hashes, address ranges, screenshot annotations).
• A documentation of the firmware-extraction method (which tooling, which interface, hash of the extracted image at the moment of extraction).
• An identification of the binary's major components: the architecture, the operating-system family if any, the major user-space processes or major firmware blocks.
• At least three salient findings. Specific functions, hard-coded credentials, suspicious strings, debug interfaces, identifiable third-party components, each documented with the analytical path that produced it.
• A 5-minute oral summary delivered to the cohort, presenting the analytical narrative in non-jargon-heavy terms.

Two-tier grading rubric

First, your project must work. The report is on a real firmware target with technical accuracy. Reports with material technical errors do not pass. No rubric scoring is performed on incorrect analysis. Each finding must be specific (an address range, a function name, a hash) rather than general ("some functions appear suspicious").

Then we score the report on three dimensions. Once the report passes Tier 1, it is scored on three dimensions:

• Analytical depth (40%). Did the student go beyond surface findings? Were cross-references followed? Were inferences justified by evidence rather than asserted?
• Methodological discipline (30%). Did the student document their workflow such that another analyst could reproduce the work? Are the tools, commands, and decision points named?
• Professional level and clarity (30%). Is the report written at the level a working RE practitioner would recognise? Are claims falsifiable? Is the technical writing precise?

There is no curve. There is no participation credit. This is the student's first professional RE deliverable, the structural precursor to the RE-101 SB6141 capstone (which is harder, longer, and against a target with active commercial deployment) and to every subsequent firmware-analysis report the student will write professionally. The methodological discipline established here is what makes RE work auditable; the analytical depth is what makes it valuable.

Prerequisite Map

What RE-011 depends on, and what depends on RE-011:

• Depends on: VCA-SEC-101 (vulnerability-class vocabulary (buffer overflow, use-after-free, integer overflow, type confusion) introduced abstractly there is traced through assembly here; CVE-record literacy carries forward to capstone evidence work) + VCA-HW-101 (datasheet-reading discipline; the firmware-teardown work in Weeks 12-14 assumes the student can read a board photograph, identify the major chips, and look up datasheets).
• Feeds into VCA-RE-101 (the flagship): RE-101's assembly-reading pace assumes x86-64 literacy as a recognition skill (taught in RE-011 Weeks 4-5); RE-101 teaches ARM by analogy in Week 4 and at depth in Week 9. RE-101 teaches Ghidra and radare2 at professional depth in Weeks 8-9; RE-011 students arrive UI-comfortable. RE-011 is the named prerequisite path into RE-101 for students entering the pipeline without prior reverse-engineering exposure.
• Feeds into VCA-ADV-101 (CVE-to-tool engineering): Vulnerable-binary analysis begins in a disassembler; RE-011's Ghidra fluency is the table-stakes skill.
• Feeds into VCA-ADV-102 (LLM-CVE variant): Same analytical posture applied to AI-relevant CVEs (CVE-2025-65106 LangChain Jinja2 is the canonical LLM-era CVE target).
• Feeds into VCA-RE-201 (RE of burst radio signals): Firmware-image analysis applied to radio devices. The patching discipline from Lab 8 is precursor to RF firmware modification work.
• Feeds into the future vca-arm-201 + vca-mips-201 electives: Both deepen the assembly-reading meta-skill onto specific architectures. RE-011 establishes the meta-skill.
• Feeds into the future vca-ai-* strand: RE of AI systems (model-extraction, weight-stealing, prompt-injection corpus analysis) is an emerging field; the analytical posture transfers structurally.

Certification Alignment

No industry certification covers this content at the introductory level, and that is appropriate: RE is a doing discipline whose credential of record is portfolio work, not exam scores. The Virtus certificate is the credential of record at this level.

Forward-pointer: RE-011 prepares conceptually for several professional credentials students may pursue post-career-start:

• GIAC GREM (Reverse Engineering Malware). The most-recognised RE credential in industry; ~$8k+ exam fee plus ~$8k course, typically employer-funded. RE-011 + RE-101 covers the substantive technical content GREM examines.
• OffSec OSED (Exploit Development). Not strictly RE, but adjacent, RE skills are entrance tickets. ~$2k course + exam.
• SANS FOR610 (Reverse-Engineering Malware: Malware Analysis Tools and Techniques). The training course behind GREM. 6 days, ~$8k.
• eLearnSecurity eCMAP / eCRE. Lower-cost mid-tier credentials in the malware-analysis and reverse-engineering space.

Students who continue through RE-101, ADV-101, and the future vca-arm-201 elective are well-positioned for any of these credentials by their early-career years.

Recommended Readings

Primary anchor pair. Build-it-yourself (entry tier)

• OST2, Architecture 1001: x86-64 Assembly (OpenSecurityTraining2; Xeno Kovah; free; 501(c)(3) non-profit; ost2.ninja). The canonical build-it-yourself entry-tier anchor for the RE track. Works through x86-64 assembly from the register level with hands-on exercises. Architecture 1101 (RE of binaries) is the direct follow-on. Strongly recommended alongside RE-011 Weeks 4-8.
• Yurichev, Reverse Engineering for Beginners (beginners.re; free CC-BY-SA 4.0; 1052 pp). The canonical free RE reference. Covers x86-32, x86-64, ARM, MIPS, and others using a comparative-compiler-output methodology. Yurichev's opening chapters map directly onto RE-011's Week 4 Lab 3. The entire book follows the student through the RE strand; the early chapters are sufficient for RE-011.

Primary anchor pair. Practitioner narrative

• Erickson, Hacking: The Art of Exploitation, 2nd ed. (No Starch Press, 2008; ISBN 978-1-59327-144-2). The practitioner's mechanistic account of how programs fail. Erickson's treatment of the C-to-assembly-to-exploit chain is the narrative complement to RE-011's assembly-reading labs. Best read in parallel with Weeks 4-9.
• bunnie Huang, The Hardware Hacker (No Starch Press, 2017; ISBN 978-1-59327-758-1) + Hacking the Xbox (No Starch Press, 2003; free PDF from bunnie's site). The narrative anchor for the firmware-as-boundary-enforcement mental model that RE-011's Week 12 guided teardown and capstone instantiate. bunnie's SD-card chapter in The Hardware Hacker is the entry-tier reading; Hacking the Xbox is the historical anchor that makes the genealogy of the discipline visible.

Format Prescriptions

Hour budget: ~13 lec hr + ~35 lab hr + ~52 indep hr (= ~100 hr total).

Live (standard cadence)

2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 14 weeks total. Best for college-elective + adult-learning + homeschool-co-op cadence.

Night class (working-adult cadence)

1-2 sessions/wk in evenings; spread over ~28 weeks. Best for community-college + vocational-tech students with day jobs.

Bootcamp

8 hr/day × 5 days/wk = 40 hr/wk; total ~3 weeks. RE-011's 100 hr lands at ~2.5 weeks. Best for adults / age-irrelevant students with prereq comfort + dedicated learning time. Excellent feeder format into a subsequent RE-101 bootcamp.

Async self-paced

Lecture hours via recorded video; lab hours via free-CrackMe-ladder + Ghidra + radare2 self-hosted; indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for disassembler walkthrough.

High school / homeschool co-op

Adapted live cadence over a school year (~18 weeks at typical school cadence) OR semester (14 weeks at college cadence). Detailed per-syllabus planning available on request.

Classroom

Full course content (weekly modules, labs, capstone packet, instructor guide) lives in the Virtus Cyber Academy classroom, which is in active build. The public preview is on the way.

Open in classroom

Interested in VCA-RE-011?

Email interested@virtuscyberacademy.org with your background and interest.

Email interested@virtuscyberacademy.org