--[ Introduction to Ghidra and Reverse Engineering

$ getent passwd sdeaton
├─ name: Sean Deaton
└── org: Blue Star Cyber

Sean is an alumnus of the United States Military Academy (B.S. 2017) and Georgia Tech (M.S. 2021), where he studied Computer Science. After commissioning as a Cyber Officer in the U.S. Army, Sean served as a developer with the 780th MI BDE. He now works as a vulnerability researcher for Blue Star and Bogart Associates, with particular interests in fuzzing, data flow analysis, and decompilation theory. When he’s not finding bugs or working on training material, he spends his time at the dog park trying to burn off his corgi’s seemingly unlimited energy.


We found that most other courses focus solely on the tool. So we set out to build a course that also provides a great introduction to software reverse engineering. This six-hour course will get you up to speed on the latest reverse engineering techniques and how to use the open-source software, Ghidra, to find bugs. We updated our course in 2022 to support Ghidra 10.2.

Terminal Learning Objectives

At the end of this course, students will be able to:

  • Describe the Executable and Linkable Format (ELF).
  • Install Ghidra on their platform of choice (Linux, Windows, or Mac).
  • Create a non-shared project and load an executable into Ghidra.
  • Understand blocks of x86 and amd64 assembly.
  • Describe the function prologue and function epilogue.
  • Describe how stack space is allocated.
  • Manipulate variables with the stack editor.
  • Understand the difference between calling conventions on both x86 and amd64, to include stdcall, fastcall, cdecl, thiscall, Microsoft x64, and System V amd64.
  • Understand the relationship between caller and callee-saved registers.
  • Write custom Ghidra scripts in Python to find symbols of interest.
  • Describe the difference between linear sweep and recursive descent disassembly algorithms.
  • Understand imported and exported symbols.
  • Know where to start reversing when given an ELF for x86 or amd64.
  • Navigate the Ghidra API documentation.
Our Methods

We believe that knowledge should be accessible. To break down physical barriers, all of our courses take place on Discord. We’ve made a custom server where students can follow along and interact with instructors in high definition. Virtual breakout rooms allow students to collaborate and work on labs and quickly get the attention of instructors when assistance is needed. When the class is over, you’ll have access to all the recordings to ensure you never forget the experience.


Hardware and software:

  • Dual-core CPU or better.
  • 4 GB RAM or better.
  • 25 GB+ of free hard drive space for installation and materials.
  • 25 Mbs+ of reliable Internet download speed or better.
  • Windows, Linux, or macOS.
  • A Discord account.
  • Java Runtime Environment.
  • Can I use an Apple Silicon device to take this course?

    We’ve designed our course to work on both amd64 and arm64 architectures for Linux and Mac. So you won’t have any issues.

  • Can I use a Windows arm64 device, like a Surface Pro, to take this course?

    While we have tested our course on Linux and macOS devices on arm64, we have not tried it on arm64 Windows. So while we don’t expect any issues, don’t hesitate to contact us if you plan to use one of these devices.

  • Do I need a microphone or a webcam?

    We would love to see your smiling face, but a webcam is not required. A microphone would help when asking questions or interacting with the instructors, but you can always write questions or comments in the text channel.