Reverse engineering is the process of understanding software, but understanding software at scale requires more than good instincts. This class is for experienced practitioners who want to move beyond manual reversing and build faster, more repeatable workflows for understanding complex software.

But merely being able to see what lies underneath is not enough to reason about how a program behaves. The intent of assembly code, in contrast to its possible source, is inexplicit, hard to reason about, and insecure. Compilers need to map a theoretically infinite number of variables to a finite number of registers, and most processors use memory models that do not differentiate among different data structures, arrays, types, and sometimes even code. Simply put, a tremendous amount of information that is vital in understanding a program is irrecoverably lost through the process of compilation. Consequently, the process of identifying and recovering those structures, variables, types, and everything else that gets lost, is the process of reverse engineering.

Over the course of this training, students will learn the methodologies of current research and those employed by seasoned experts to recover nearly all aspects of compiled programs. Students will become proficient in recognizing common code patterns, recovering type, and deducing structures using the UI, API, debugger, extensions, and Sidekick to extract real program semantics in provably-correct ways. The class combines practical reverse engineering with the program analysis concepts needed to make that automation useful.

For those focused on finding bugs, we'll leverage modern analysis techniques to locate and verify them faster than ever before. For those exploring strange new architectures and platforms, we'll build tooling that works agnostically across all systems. For engineers interested in automation, we'll write cutting-edge analysis scripts to reduce or completely eliminate the need for human interaction. And for anyone feeling restricted by their current tools or workflow, we'll get under the hood and completely customize the reversing experience.

Truly, wherever you're looking to go, this course covers everything you need to boost your skills to the next level!

Prerequisites

Students must be able to read and write intermediate-level Python scripts. A foundation in reverse engineering, vulnerability research, firmware analysis, or similar is strongly recommended (see our "Which Class Is Right for You?" quiz). Students should be familiar with how the stack works, what the heap is, and some basic vulnerability classes (buffer overflow, stack smashing, etc). Guided exercises reminiscent of low-point reversing CTF challenges are integrated into the course, and students should be able to derive their own solutions.

Key Learning Objectives

• Build repeatable workflows for both manual and automated reverse engineering
• Accurately identify common code patterns (such as indexing into a buffer, accessing a structure member, and various control flow primitives)
• Improve the accuracy of decompilation through scripts, patching, annotating types, functions, and variables
• Identify and account for common decompiler mistakes (decompilation theory)
• Locate and analyze various bug classes automatically.
• Automate common reverse engineering tasks using ILs, SSA, graphs, and dataflow to reason about program behavior with scripts, snippets, extensions, and workflows
• Create plugins for Binary Ninja to customize the reverse engineering experience, support new architectures and platforms, automate tasks, and so much more!

Who Should Attend?

• Experienced Reverse Engineers
• Vulnerability Researchers
• Exploit Developers
• Malware Analysts
• Firmware Analysts

Course Agenda

Day 1: Foundations and Workflow

• Binary Ninja overview, navigation, and core workflow
• Points of interest, cross references, and program triage
• ILs and choosing the right representation
• Annotation, typing, structures, and patching
• Python console, snippets, and first automation steps

Day 2: Types, Semantics, and Analysis

• Type deduction and recovery
• Structure recovery and larger-function analysis
• Program semantics and analysis theory
• IR vs ILs, optimization, validation, and normalization
• SSA and dataflow fundamentals

Day 3: Graphs, Slicing, and Dynamic Analysis

• Control-flow graphs, call graphs, and program structure
• Slicing, source-to-sink analysis, and graph tooling
• IL internals, dominance, and graph theory
• Debugger workflows and dynamic analysis

Day 4: Automation at Scale and Advanced Topics

• Batch processing and corpus-scale automation
• Dataflow reasoning and bug-hunting workflows
• Stripped binaries and diffing
• Workflows, deobfuscation, and advanced analysis patterns
• Additional advanced topics based on class interest

Hardware/Software Requirements

A laptop that can run Binary Ninja (Ubuntu 22.04/24.04 x64/arm64; Windows 10/11 x64; MacOSX 14+ x64/arm64).

(Optional) A VM to run sample binaries. Most exercises can be completed statically, but some debugger workflows are easier with a local Linux target.

Included Course Materials

• A free non-commercial license of Binary Ninja including one year of updates (can convert to a license extension or used as a discount for a commercial upgrade upon request)
• A one-week free trial of Sidekick redeemable within one month from the start of class
• Slides, cheat-sheets, and tons of useful diagrams and reference resources
• Example scripts and binaries
• Full answers and solution scripts
• Take-home problems at the end of class to practice what you learned and challenge you to go further!
• (Upon request) Certificate of participation or completion usually redeemable for Class-A credit hours towards cert renewals; Check with your cert provider for additional requirements and how to redeem