Reverse Engineering


Table of Contents


Reverse Engineering is a technique used to analyze software to identify and understand its components  and its  flows. It is a process of understanding code infringement  processes and analyzing software weaknesses. Reverse Engineers analyze systems to create system representations in another form of abstraction.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
    Self-work at home between lessons;
  • Repetition of materials, self-learning, performing tasks, etc …

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

• Cybersecurity practitioners
• Cyber forensics analysts
• Security engineers
• Security researchers
• Incident responders
• Junior reverse engineers
• Software developers
• IT security administrators


  • Become familiarized with the concept of reverse engineering and applications
  • Analyze various file formats to uncover the hidden codes within them
  • Identifying Control flows
  • Understand Assembly
  • Conducting open-source intelligence
  • Exploiting server, database, and application software


  • ThinkCyber Level-1 courses



This module aims to cover necessary theories and concepts on which reverse engineering is based, starting from the base structure of files and its source.

Technical content

  • Calculation of Bases
    o Hexadecimal Base
    o Binary Base
    o Transition Between Bases
    o Transition Between Hexadecimal to Binary and vice Versa
    o Numerical Actions on Numbers in Different Representations
    o Negative Numbers


During this module, participants will practice an in-depth analysis of the program codes using Assembly principles. Participants will be able to recognize the effect of software and codes before their initial execution.

Technical content

  • Assembly
    o Registries
    o Processor Architecture
    o PE Format – Portable Executable
  • Installing a Workspace
    o Linux syscall Table
    o File Descriptor
    o The Connection to Files
    o Start of Program Construction
    o Debugging Process
    o IDA
  • Professionalization in GDB
    o Jumps & Conditions
    o Manipulation on a Processor
    o Loops
    o Activating Number-Detonation on the Processor
    o Ordering Bytes
    o Maintaining Flags Mode using a Stack
    o Stack
    o Calling Conventions
    o Build printf Functions using Assembly
    o Call to Functions


In this module, participants will gain knowledge of memory management and controlling code flows while utilizing it to replicate and exploit software; participants will be focusing on using code and memory flows to use and develop exploits.

Technical content

  • Buffer
    o Protostar
    o Buffer Overflow
  • Writing Exploits to Bypass Protections
    o Processes in Computer Science
    o Pseudo-terminal
    o Race Condition
    o Apport Service
    o How Debugger Works
    o Anti-Reversing
    o Return Oriented Programming (ROP)
  • Memory Management policy
    o W^X
    o NX bit
    o DEP
    o Ret2libc
    o Format String
    o Overcoming the ASLR Mechanism Through the Format String Attack
    o The Process of Adding the Addresses to a Written Code
  • Memory Management
    o Heap
    o How a Process Gets Memory From the System
    o Heap Overflow
  • Preparing a Windows Workspace
    o Visual Studio
    o OllyDbg
    • Exploitation Over the Internet
    o Buffer Overflow Over the Internet
    o Tracer Browser Detection
    o Fuzzing
    o SPIKE
    o Debug Using OllyDbg to Restore Crash
    o Shellcode
    o Manually Create Shellcode
    o Create Shellcode Using Metasploit
  • Bad Characters
    o Encoding
    o From Python to Metasploit
    o Mixins
    o SLmail
    o Immunity Debugger
  • Preparing crack for the game “mine-sweeper”
    o The Crack Making Process
    o The dll Analysis


The following labs are part of the actual BT221 course:
  • Lab 1 Calculation of Bases
  • Lab 2 Representing Information
  • Lab 3 Assembly
  • Lab 4 Controller Flags in the Processor
  • Lab 5 Professionalization in GDB
  • Lab 6 Buffers
  • Lab 7 Writing Exploits to Bypass Protections
  • Lab 8 Memory Management Policy
  • Lab 9 GOT Utilization
  • Lab 10 Memory Management
  • Lab 11 Exploitation
  • Lab 12 Bad Characters

Real cases studies

Case study #1 (RE001)
With the recent Corona outbreak, many students and employees used the Zoom application to chat, video, and audio conferencing. A group of hackers seized the opportunity and started to spread a Trojan that mimics the behavior of the Zoom installer. We managed to acquire a sample of the Trojan. Use your skills to reverse its behavior, and identify the authors of the Trojan.
Case study #2 (RE002)
Cybersecurity researchers have uncovered a new destructive data-wiping malware, dubbed ZeroCleare, that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East. They managed to capture a binary that may contain traces of the malware. Your task is to analyze the binary file to identify the behavior of the malware.
Previous slide
Next slide

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situe classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them  during 30 days. All course material is electronically made available to the participant.

 Course Group:


 Hands-on / Theory MiX

The following course incorporates a high level of hands-on labs exercises, as well as real life case studies.

1 %
Case Studies


This course prepares the participant to the following certification:


Required EqUIPMENT

Network connection

As this course extensively uses a cloud based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities ( supporting latest version of Virtualbox or similar virtual machine application)

And also a Good Headset with Mic

More Details