Reverse Engineering Professional: The Most Practical and Comprehensive Training Course On Reverse Engineering


REVERSE ENGINEERING PROFESSIONAL

VERSION 1.2
The most practical and comprehensive training course on reverse engineering.
INTRODUCTION
COURSE DESCRIPTION
This fundamental self-study course teaches you the theoretical and practical knowledge
required to perform advanced reverse engineering of third-party software and malware
at the assembly-language level.

This course will not leave you with a superficial understanding of how to use reversing
tools; rather, through a series of lessons and several challenges, you will be taught all the
necessary skills to succeed as a professional.

This training is based on Windows NT architecture (XP, Vista, 7, 8), since malware and
vulnerability researchers, as well as software pirates, still typically target these operating
systems.

During your advanced reverse engineering training, you will learn several methods used
to identify, isolate, and finally, analyze portions of code which are of high interest. You will
also learn about the most common Windows APIs utilized for file, memory, and registry
manipulation by either software protections (such as packers) or malware.

Additionally, the training focuses on several packers in order to give you all the
essential knowledge and understanding needed to manually unpack software. This is one of the
most important parts of advanced reverse engineering.

On top of all these exciting topics, you will also get insights into the most common anti-
reversing tricks, including different code obfuscation methods. Not only will you analyze
their mechanisms, but also learn how these can be bypassed in order to successfully
perform the reverse engineering process.

p. 2

Course home page: www.elearnsecurity.com/rep

WHO SHOULD TAKE THIS COURSE?

This reverse engineering training course is highly practical, meaning you will learn things by
doing rather than by listening to instructors and watching videos. If you like the “learning-
by-doing” approach, then this course is for you. This is NOT a “learn–repeat–forget” type
of training. The course’s guidance ensures that you will get all the necessary knowledge
along the way.

The Reverse Engineering Professional training course provides the foundation for current
or future malware researchers. If you are involved in any kind of software development,
you will benefit from learning how pirates attempt to bypass your protection. In turn, you
will be able to create smarter and more sophisticated ways to keep pirates away, and as
efficiently as possible.

This course benefits you if you are a:

• Penetration Tester
• Computer Forensics Expert
• Security Analyst
• IT Security Expert
• Antivirus Researcher
• Mobile Application Developer
• Software Developer
• Game Developer
• Software Tester
• Incident Response Team Member
• Malware Researcher
• Vulnerability Researcher
• Government IT Staff
• Web Application Security Expert

Since reverse engineering is based on the understanding of computing architecture,
this course serves as a great foundation for everyone working in IT positions. With this
foundation, you will have a better understanding of even the most complex IT topics.

WHO SHOULD NOT TAKE THIS COURSE?

If you are looking to quickly memorize theories that you can dump out on paper during an
exam to get another certificate, this course is NOT for you. If you are simply looking for
user manuals of reverse engineering tools in course format, then you won’t be happy with
this highly interactive training course, either.

HOW AM I GOING TO LEARN?
The fun way, of course!

Don’t worry, eLearnSecurity courses are very interactive—and addictive—and present
content in such a way that it appeals to all learning styles. During this training, you will
complete several guided reversing challenges that will provide you with relevant, hands-
on practical application experience. Don’t expect the outdated way of learning by reading
pages and pages of theoretical methodologies.

CAN I TRACK MY LEARNING PROGRESS?

. . . or will I only find out during the exam if I learned something?

The answer to these questions is very simple. Your achievements will be clear. Each
practical module of the course has a reversing challenge associated with it. We will solve
these together while explaining to you all the necessary concepts. You are then free to
practice the labs as long as you want. If you solve a challenge, that demonstrates that you
learned and properly understood the concepts taught in the module.

IS THERE A FINAL EXAMINATION?

Yes. The final examination consists of two parts. The first part is a multiple-choice test.
Once you have passed this, you will proceed with the hands-on examination. During this
second part of your exam, you will have to solve a complex Reverse Engineering Challenge.

WILL I GET A CERTIFICATE?

Once you pass the complete final examination, you are an
“eLearnSecurity Certified Reverse Engineer” and will hold the
eCRE certification.

You can print your new certificate directly.

ORGANIZATION OF CONTENTS
You are provided with a suggested learning path to ensure the maximum success rate and
the minimum effort.

FOUNDATIONS

• Module 1: The Necessary Theory: Part 1
• Module 2: The Necessary Theory: Part 2
• Module 3: The Necessary Theory: Part 3
• Module 4: VA/RVA/OFFSET & PE File Format

TECHNICAL: PART 1

All the following chapters include practical challenges, which we discuss in the written
part and/or during the video demos:

• Module 5: String References & Basic Patching
• Module 6: Exploring the Stack
• Module 7: Algorithm Reversing
• Module 8: Windows Registry Manipulation
• Module 9: File Manipulation

TECHNICAL: PART 2

All the following chapters include practical challenges, which we discuss in the written
part and/or during the video demos:

• Module 10: Anti-Reversing: Part 1
• Module 11: Anti-Reversing: Part 2
• Module 12: Anti-Reversing: Part 3
• Module 13: Code Obfuscation
• Module 14: Analyzing Packers & Manual Unpacking
• Module 15: Debugging Multi-Thread Applications

FOUNDATIONS
MODULE 1: THE NECESSARY THEORY PART 1
The first three modules aim to cover all the necessary theory as well as the concepts on
which the practical part of this course is based. We will start with a short description about
what Reverse Engineering is and the reasons why someone might need it, and then proceed
with more technical concepts. During the first three chapters we will discuss the basics
behind the Intel IA-32 CPU architecture (x86), the stack, the heaps, as well as exceptions,
Windows APIs with some Windows Internals, and the most common types of reversing
tools used these days.

1.1 Introduction
1.2 What is Reverse Engineering
1.3 Do We Need Reverse Engineering?
1.4 The Basics Behind The Intel IA-32 CPU Architecture
1.4.1 General Purpose Registers
1.4.2 EFLAGS Register
1.4.3 Segment Registers
1.4.4 Instruction Pointer Register
1.4.5 Debug Registers
1.4.6 Machine Specific Registers (MSRs)
1.5 Conclusion

MODULE 2: THE NECESSARY THEORY PART 2
So here we are in the second module, which is also dedicated to the theoretical knowledge
necessary for this course. One thing to keep in mind is that ‘theoretical’ does not mean
optional. In fact, the theory discussed during these first three
modules covers all the fundamental knowledge and the concepts that you will need, not
just for this course and its technical assignments, but for the rest of your time as a reverser.

2.1 Introduction
2.2 Functions
2.3 Process vs. Thread
2.4 Function Calling
2.5 Stack Frames
2.5.1 Setting Up The Stack Frame - A Graphical Example
2.6 Calling Conventions
2.7 Reading EIP - A Simple Trick
2.8 Conclusion

MODULE 3: THE NECESSARY THEORY PART 3

The third module of this course aims to offer some extra theoretical knowledge necessary
for the rest of the course. During this module we will briefly touch on the concept of heaps,
we will discuss handles, exceptions, some basic Windows Ring3 Internal structures, and
Windows APIs. Finally, we’ll go through the most common types of reversing tools used
today for software reverse engineering.

3.1 Introduction
3.2 Heaps
3.3 Handles
3.4 Exceptions
3.5 Basic Windows Ring3 Internal Structures
3.6 Windows APIs
3.7 Types of Reversing Tools
3.8 Conclusion

MODULE 4: VA/RVA/OFFSET AND PE FILE FORMAT
In this module we will discuss virtual addresses, relative virtual addresses, offsets, as well
as some basic information regarding the Portable Executable File Format which describes
the basic structure of all Windows executable files.

4.1 Introduction
4.2 VA/RVA/OFFSET
4.2.1 Why Do We Need All This Information?
4.3 Overview of the Portable Executable File Format (PE)
4.3.1 MS-DOS Header
4.3.2 IMAGE_NT_HEADERS Structure (PE Header)
4.3.2.1 IMAGE_FILE_HEADER Structure
4.3.2.2 IMAGE_OPTIONAL_HEADER Structure
4.3.3 IMAGE_DATA_DIRECTORY Structure
4.3.4 The Section Table
4.4 Memory and File Alignment
4.5 Conclusion

TECHNICAL: PART 1
MODULE 5: STRING REFERENCES AND BASIC PATCHING
This module is dedicated to ‘String References’ as well as Basic Memory and File Patching.
We demonstrate the use of data strings in order to locate the algorithm we are interested
in and then we reverse its logic. Finally, we explain how we can manually calculate the
offset of a byte inside the physical file by knowing its virtual address in memory.

5.1 Introduction
5.2 String References
5.3 A Few Words Before Starting
5.4 Let’s Start . . .
5.4.1 Run the Target Executable and Observe its Functionality
5.4.2 Load the Executable in the Olly Debugger
5.4.3 Search for String References
5.4.4 Reversing the Logic
5.4.5 Basic Memory Patching
5.4.6 Executable Patching Through Olly
5.4.7 VA -> OFFSET Manual Calculation
5.4.8 Manual Byte Patching
5.5 Conclusion
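A worked example of the VA -> OFFSET calculation that section 5.4.7 refers to, building on the section table and alignment material of Module 4. This is added illustrative code, not part of the course; ImageBase, the header size and the section table are constructed sample values.

```python
# Added example (not course material): translate a virtual address (VA) seen in a
# debugger into the file offset of the same byte on disk, using a constructed PE
# section table. IMAGE_BASE, HEADER_SIZE and SECTIONS are assumed sample values.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped (VirtualAddress)
    virtual_size: int      # bytes occupied in memory (Misc.VirtualSize)
    raw_pointer: int       # file offset of the section data (PointerToRawData)
    raw_size: int          # bytes stored on disk (SizeOfRawData)

def va_to_rva(va: int, image_base: int) -> int:
    """RVA = VA - ImageBase."""
    if va < image_base:
        raise ValueError("VA below ImageBase")
    return va - image_base

def rva_to_offset(rva: int, sections: list, header_size: int) -> Optional[int]:
    """Map an RVA to its file offset via the section table.
    Returns None when the RVA exists only in memory (an uninitialised tail
    beyond SizeOfRawData, or no section at all), so no byte on disk matches it."""
    if rva < header_size:
        return rva          # headers are mapped 1:1 at the start of the file
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None  # inside the section's memory image but not on disk
            return s.raw_pointer + delta
    return None

def va_to_offset(va: int, image_base: int, sections: list, header_size: int) -> Optional[int]:
    return rva_to_offset(va_to_rva(va, image_base), sections, header_size)

# Constructed section table (FileAlignment 0x200, SectionAlignment 0x1000)
IMAGE_BASE = 0x00400000
HEADER_SIZE = 0x400
SECTIONS = [
    Section(".text",  0x1000, 0x1A30, 0x0400, 0x1C00),
    Section(".rdata", 0x3000, 0x0640, 0x2000, 0x0800),
    Section(".data",  0x4000, 0x2000, 0x2800, 0x0200),  # mostly uninitialised
]

if __name__ == "__main__":
    # A byte at 0x00401234 in the debugger lives at file offset 0x634
    print(hex(va_to_offset(0x00401234, IMAGE_BASE, SECTIONS, HEADER_SIZE)))
```

The None result is the check worth keeping: a VA inside .data's zero-filled tail has no counterpart in the file, so patching "the same offset" on disk would hit unrelated bytes.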

MODULE 6: EXPLORING THE STACK
This module focuses on exploring the data that we can retrieve from the stack in order to
trace back an algorithm. This is a very important technique when we have to deal with on-the-fly
encryption and decryption of data.

6.1 Introduction
6.2 A Few Words Before Starting
6.3 Let’s Start . . .
6.3.1 Run and Observe
6.3.2 Load to Olly and Search for Strings
6.3.3 How is this Possible?!
6.3.4 Exploring the Stack
6.3.5 Evaluating the MessageBox API Parameters
6.3.6 Reversing the Logic
6.3.7 Patching the Code
6.4 Conclusion

MODULE 7: ALGORITHM REVERSING

During this module, we dig deep into Reverse Engineering by analyzing in detail all the
important algorithms of the executable, which include the data encryption/decryption
algorithm as well as the input data validation algorithm.

7.1 Introduction
7.2 A Few Words Before Starting
7.3 Let’s Start . . .
7.3.1 Two Important Algorithms
7.4 Conclusion

MODULE 8: WINDOWS REGISTRY MANIPULATION
This module is dedicated to Windows Registry. We start with an overview of this important
Windows component and then we proceed with the detailed analysis of an executable that
attempts to read data from the registry and validate it according to a custom algorithm
which we finally Reverse Engineer. During this module we also make use of Hardware
Breakpoints and we demonstrate their importance.

8.1 Introduction
8.2 Windows Registry
8.3 A Few Words Before Starting
8.4 Let’s Start . . .
8.4.1 Retrieving Data From Windows Registry
8.4.2 Using Hardware Breakpoints
8.4.3 Algorithm Analysis
8.4.4 Reversing the Logic
8.5 Conclusion

MODULE 9: FILE MANIPULATION

During this module we Reverse Engineer an executable that attempts to locate a specific file
in the system and read data from it. In addition, we once more analyze in detail the custom
algorithm used to validate that data in order to extend our skills in Reverse Engineering
custom algorithms.

9.1 Introduction
9.2 A Few Words Before Starting
9.3 Let’s Start . . .
9.3.1 Getting a Handle
9.3.2 What Do We Know By Now?
9.3.3 Reading the File Contents
9.3.4 Algorithm Analysis
9.4 Conclusion

TECHNICAL: PART 2
MODULE 10: ANTI-REVERSING TRICKS PART 1
This is the first module dedicated to Anti-Reversing tricks which includes some basic direct
and indirect ways to detect a Ring3 debugger.

10.1 Introduction
10.2 Categories of Anti-Reversing Tricks
10.3 A Few Words Before Starting
10.4 Direct Debugger Detection
10.5 Indirect Debugger Detection
10.6 Window Debugger Detection
10.7 Conclusion

MODULE 11: ANTI-REVERSING TRICKS PART 2

In this module we continue talking about Anti-Reversing tricks regarding debugger and
reversing tool detection methods.

11.1 Introduction
11.2 Process Debugger Detection
11.3 Parent Process Detection
11.4 Module Debugger Detection
11.5 Code Execution Time Detection
11.5.1 RDTSC: Read Time-Stamp Counter
11.5.2 GetTickCount API
11.6 Conclusion

MODULE 12: ANTI-REVERSING TRICKS PART 3
This module is again focused on Anti-Reversing tricks. In this case we discuss differences
between SW and HW breakpoints and how they can be detected. We also talk about more
advanced tricks that involve the use of exceptions, and finally we talk about some well-
known methods for detecting a few popular VM environments.

12.1 Introduction
12.2 Software vs. Hardware Breakpoints
12.3 Software Breakpoint Detection
12.4 Hardware Breakpoint Detection
12.5 Ring0 Debuggers & System Monitoring Tools Detection
12.6 Structured Exception Handling (SEH)
12.7 Unhandled Exception Filter
12.8 VM Detection
12.9 Conclusion

MODULE 13: CODE OBFUSCATION

In this module we discuss different types of native code obfuscation methods. We explain
how these are implemented, the obstacles they create for analysis, and how we can analyze
and clean up obfuscated code.

13.1 Introduction
13.2 Logic Flow Obfuscation
13.3 ‘NOP’ Obfuscation
13.4 Anti-Disassembler Code Obfuscation
13.5 Trampolines
13.6 Instruction Permutations
13.7 Conclusion

MODULE 14: ANALYZING PACKERS AND MANUAL UNPACKING
This module focuses on executable packers and, more specifically, on different generic
methods that we can use in order to successfully find the Original Entry Point of applications
packed with common packers. We give practical examples and we unpack them together
for fun and knowledge.

14.1 Introduction
14.2 Well-known Entry Points
14.3 Methods to Reach the OEP
14.4 Packers and Tools Used
14.5 Conclusion

MODULE 15: DEBUGGING MULTI-THREAD APPLICATIONS

In this module we discuss debugging and the analysis of multi-thread applications, or
applications that are able to execute various blocks of code via different threads. Reverse
Engineering multi-thread applications can sometimes be quite frustrating, especially for
beginners.

15.1 Introduction
15.2 Multi-Threading in Practice
15.3 Creating a New Thread
15.4 Threads Synchronization
15.5 Threads Manipulation
15.6 Debugging Multi-Thread Applications
15.7 Conclusion

We are eLearnSecurity.

eLearnSecurity was founded with the simple mission of revolutionizing the way IT
professionals develop their information security skills. Now based in Cary, North Carolina
with offices and employees around the United States and Europe, eLearnSecurity is a
worldwide leader in cyber security training.

Through a blend of in-depth content and real-world simulations, our detailed courses,
training paths, and certifications equip businesses and individuals with the skills needed
to take on the cyber security challenges of today and tomorrow.

Whether you are interested in brushing up on specific ethical hacking techniques or
following a comprehensive training path, eLearnSecurity provides a unique opportunity
for security professionals to enhance their knowledge of the industry. We train red,
blue, and purple teams in the latest cyber security techniques with classes ranging from
beginner to expert levels.

eLearnSecurity’s Hera Labs is an industry-leading virtual lab that offers our clients
practical penetration testing and ethical hacking experience, changing the way students
and businesses take on the future of cyber security.

Contact details:

www.elearnsecurity.com
contactus@elearnsecurity.com