Creator: (2011) Matt Briggs



Instructor: (2013-current) Frank Poz @knowmalware







License: Creative Commons: Attribution, Share-Alike



(http://creativecommons.org/licenses/by-sa/3.0/)







Class Prerequisites: Introduction to Intel x86 or equivalent knowledge.







Lab Requirements: Windows system with IDA Pro (Free 5.0 is acceptable). Microsoft Visual Studio 2008 redistributable package.







Class Textbooks: “Reversing: Secrets of Reverse Engineering” by Eldad Eilam,



“The IDA Pro Book” by Chris Eagle







Recommended Class Duration: 2 days







Creator Available to Teach In-Person Classes: Yes







Author Comments:







Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated and incompatible software, understanding malicious code, or exploiting weaknesses in software.







In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.







Topics include, but are not limited to:



•Uses for RE



•The tricks and pitfalls of analyzing compiled code



•Identifying calling conventions



•How to navigate x86 assembly using IDA Pro



•Identifying Control Flows



•Identifying the Win32 API



•Using a debugger to aid RE



•Dynamic Analysis tools and techniques for RE







During the course students will complete many hands on exercises.







This class serves as the prerequisite for Reverse Engineering Malware















Latest Class Materials







To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2014”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.











Class Materials (2013)







To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2013”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.











Full quality downloadable and .torrent QuickTime, h.264, and Ogg videos at Archive.org:

Full qualityQuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 (5:25) - What is RE and What Can it Tell Me?



Day 1 Part 2 (30:03) - Refresher



Day 1 Part 3 (34:57) - Know Your Tools



Day 1 Part 4 (2:24) - The basic RE algorithm



Day 1 Part 5 (7:14) - Applying the RE Algorithm to the Bomb Lab



Day 1 Part 6 (22:29) - Lab Outline



Day 1 Part 7 (6:33) - Creating the Bomb Lab Answers File



Day 1 Part 8 (6:41) - Phase 2 Introduction



Day 1 Part 9 (28:23) - Phase 2 Walkthrough



Day 1 Part 10 (6:54) - Phase 3 Introduction



Day 1 Part 11 (22:21) - Phase 3 Walkthrough



Day 1 Part 12 (8:57) - Phase 4 Introduction



Day 1 Part 13 (14:08) - Phase 3 Introduction



Day 1 Part 14 (32:40) - Debugging



Day 1 Part 15 (3:32) - Day 1 review



Day 2 Part 1 (15:12) - Day 1 review 2



Day 2 Part 2 (11:21) - Phase 5 Introduction



Day 2 Part 3 (22:14) - Phase 5 Walkthrough



Day 2 Part 4 (20:50) - Phase 6 Introduction



Day 2 Part 5 (27:47) - Phase 6 Introduction 2



Day 2 Part 6 (19:25) - Phase 6 Walkthrough



Day 2 Part 7 (38:31) - Phase 6 Walkthrough 2



Day 2 Part 8 (12:15) - Analyzing C++



Day 2 Part 9 (7:39) - Next Class, Other Languages, & Day 2 Review



(6:47:55 total, sans lab time)















Class Materials (2011)











To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of “reclass2011”. All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.











Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:

Full qualityQuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 (57:36, 706 MB)



Day 1 Part 2 (1:17:18, 1 GB)



Day 1 Part 3 (29:49, 453 MB)



Day 1 Part 4 (38:36, 530 MB)



Day 1 Part 5 (36:06, 500 MB)



Day 2 Part 1 (49:29)



Day 2 Part 2 (54:58)



Day 2 Part 3 (40:09)



Day 2 Part 4 (1:10:10)



Day 2 Part 5 (58:51)



(8:33:02 total, sans lab time)











The videos are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides.











Revision History:







08-17-2014 - (1) Refined "Basic RE Algorithm" (2) Added Java Decompiler references (3) Added attribution for "Programs = Algorithms + Data Structures" quote (4) Added .NET deobfuscator reference (de4dot) (5) Minor formatting changes



09-29-2013 - Added materials & videos from Frank Poz’s updated version of the class which was delivered in 2013. Frank added the following sections to the class wiki - "Dealing with DLLs", "Other Languages", and "Basic RE Algorithm". He also added more coverage of object oriented (C++) code.



03-17-2013 - Made fine-grain class map more prominent



07-08-2012 - Day 2 videos uploaded to YouTube, & both days uploaded to Archive.org



07-01-2012 - Day 1 videos uploaded to YouTube



01-27-2012 - Created some 'missing' content, fixed a few flaws, and added a write-up for the last task



06-16-2011 - Initial class content upload







If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.





























