Reverse Engineering

RE challenges ask you to understand programs without access to source code. You'll read assembly, decompile binaries, trace execution, defeat anti-debugging, and ultimately extract flags hidden in logic.

What is it?

Reverse engineering (RE) is the process of analysing a compiled program — without its source code — to understand what it does. Security engineers use RE to analyse malware, audit closed-source software, and find vulnerabilities in firmware.

It requires knowledge of CPU architectures (x86, ARM), calling conventions, compilation artifacts, and common obfuscation techniques. The goal is to reconstruct intent from raw bytes and machine instructions.

How it works in a CTF

In a CTF, you receive a compiled binary (ELF, PE, APK, or firmware image) and must figure out the correct input that causes it to print the flag, or locate a hard-coded secret inside it. No source code is provided.

Common workflow: run file + strings + checksec → open in Ghidra/IDA → identify the validation function → trace the logic → derive the required input or patch the binary.
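The first step of that workflow, `file` plus `checksec`, is just a read of the ELF headers. The following Python is an added example (not tooling from the page) that parses those headers the way the two utilities do: class and endianness from `e_ident`, architecture from `e_machine`, PIE from `e_type == ET_DYN`, NX from the `PT_GNU_STACK` flags and RELRO from the presence of `PT_GNU_RELRO`. The sample headers are constructed inline with `struct.pack`; they are not real binaries and the ELF constants are the standard specification values.

```python
import struct

# ELF constants from the gABI specification (standard values, not taken from the page).
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def triage_elf(data: bytes) -> dict:
    """Report the header facts that `file` and `checksec` derive: class, endianness,
    architecture, PIE, NX (non-executable stack) and whether a RELRO segment exists."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        fmt, phdr_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ"   # 64-bit: p_flags is the 2nd phdr field
    else:
        fmt, phdr_fmt = "HHIIIIIHHHHHH", "IIIIIIII"   # 32-bit: p_flags is the 7th phdr field
    (e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(end + fmt, data, 16)

    stack_flags, relro = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type = ph[0]
        p_flags = ph[1] if is64 else ph[6]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "class": "ELF64" if is64 else "ELF32",
        "endian": "little" if end == "<" else "big",
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
        "pie": e_type == ET_DYN,             # checksec's PIE: a shared-object-style executable
        # No PT_GNU_STACK entry, or one carrying PF_X, means the loader maps an executable stack.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,                      # partial vs full needs DT_BIND_NOW from .dynamic; not parsed here
        "has_section_headers": e_shnum > 0,  # stripped binaries usually keep sections; only a hint
    }


def build_elf64_sample(pie: bool, nx: bool) -> bytes:
    """Constructed x86-64 header with GNU_STACK and GNU_RELRO segments (test input, not a runnable binary)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
             (PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1)]
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1040, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def build_elf32_arm_sample() -> bytes:
    """Constructed 32-bit ARM firmware-style header: one PT_LOAD and no GNU_STACK entry."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, ET_EXEC, 0x28, 1,
                       0x8000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    # 32-bit layout: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    phdr = struct.pack("<IIIIIIII", 1, 0, 0x8000, 0x8000, 0x100, 0x100, PF_R | PF_X, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    for name, blob in [("pie + nx", build_elf64_sample(True, True)),
                       ("no pie, executable stack", build_elf64_sample(False, False)),
                       ("arm32 firmware", build_elf32_arm_sample())]:
        print(name, triage_elf(blob))
```

The point for triage is that these properties decide what you can do next: a PIE binary means the addresses Ghidra shows are offsets from a load base rather than absolutes, and a firmware image with no `PT_GNU_STACK` at all is reported as NX disabled because the loader defaults to an executable stack.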

Example challenge types
- Find the hardcoded flag in strings
- Keygen / serial crackme
- Obfuscated logic (XOR decode loop)
- Anti-debug bypass (ptrace check)
- Packed binary (UPX unpack)
- Custom bytecode VM interpreter
- License key validation reversal
- Go / Rust binary decompilation
- ARM firmware flag extraction
- Dynamic analysis with GDB
- Self-modifying code
- C++ vtable tracing

Sample Challenge

KeyCheck
Category: Reverse Engineering · Difficulty: Easy · 150 pts
You are given a Linux ELF binary that asks for a password and prints "Access granted — here is your flag" if correct, otherwise "Wrong!". The binary is stripped (no function names) and was compiled with -O2.
Attachment: keychecker
How to solve it
  1. Run strings keychecker | grep -i flag — nothing obvious. Run file and checksec to understand the binary.
  2. Open in Ghidra. Find main via the entry-point symbol. Decompile it.
  3. Identify a strcmp() call comparing your input to a hard-coded string — Ghidra shows the string in the decompilation view.
  4. The comparison string is the password. Run the binary and enter it to confirm the flag is printed.
FLAG{gh1dra_str1ng_1s_all_u_n33d}
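The sample challenge is solvable from `strings` alone because the password is a plain literal; the "XOR decode loop" variant from the challenge list is not, and that is where the decompile-then-derive step of the workflow earns its keep. The Python below is an added example, not code from the page or from the keychecker binary: it models a constructed `.rodata` image, shows what `strings -n 8` recovers from it, gives both validation routines in the shape a decompiler would present them, and derives the accepted input for the XOR variant by inverting the loop. `PLAIN_PASSWORD`, `KEY`, `ENCODED` and `RODATA` are all constructed stand-ins.

```python
import re

# Constructed stand-ins for what you would copy out of a Ghidra decompile; none of
# these values come from the page's keychecker binary.
PLAIN_PASSWORD = b"open_sesame_2024"          # strcmp-style check: literal sits in .rodata
KEY = bytes([0x5A, 0xA5, 0x3C])               # rolling XOR key read from the decode loop
ENCODED = bytes([0x22, 0xCA, 0x4E, 0x05, 0xCC, 0x4F, 0x05, 0xCB, 0x53,
                 0x2E, 0xFA, 0x5F, 0x28, 0xDC, 0x4C, 0x2E, 0xCA])   # obfuscated table
# Constructed .rodata image: the two prompts, the plain literal and the XOR table.
RODATA = b"\0\0Wrong!\0Access granted\0" + PLAIN_PASSWORD + b"\0" + ENCODED + b"\0"


def find_strings(blob: bytes, min_len: int = 8) -> list:
    """What `strings -n 8` does: every run of at least min_len printable ASCII bytes."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def check_strcmp(user_input: bytes) -> bool:
    """Sample-challenge logic: a direct compare against the hard-coded literal."""
    return user_input == PLAIN_PASSWORD


def check_xor(user_input: bytes) -> bool:
    """Decompiled shape of an XOR-decode crackme: the length must match and each input
    byte XOR the rolling key must equal the stored table entry."""
    if len(user_input) != len(ENCODED):
        return False
    for i, b in enumerate(user_input):
        if b ^ KEY[i % len(KEY)] != ENCODED[i]:
            return False
    return True


def derive_password(encoded: bytes, key: bytes) -> bytes:
    """Solver: XOR is its own inverse, so re-applying the key to the table yields the
    single input that check_xor() accepts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(encoded))


if __name__ == "__main__":
    print("strings -n 8 finds:", find_strings(RODATA))   # the literal, never the XOR table
    pw = derive_password(ENCODED, KEY)
    print("derived:", pw, "accepted:", check_xor(pw))
```

Two things to take from the run: the XOR table never shows up in `find_strings` output because no run of its bytes is printable, so a grep-for-the-flag approach stalls there; and the solver is nothing more than the validation loop with the comparison replaced by the inverse operation, which is the general recipe once the decompile has given you the constants.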

Getting Started Tips

💡 Tip: String search first — run `strings -n 8` on the binary and look for flag fragments, function names, or hard-coded URLs.
💡 Tip: Use `file` and `checksec` to know what you are dealing with before opening a disassembler.
💡 Tip: In Ghidra, rename variables and functions as you understand them. A well-labelled decompile view saves hours.
💡 Tip: For packed binaries, let the program unpack itself: set a breakpoint where the unpacking stub jumps to the original entry point, and dump the process memory once the unpacking loop has run.