Hasso-Plattner-InstitutSDG am HPI
Hasso-Plattner-InstitutDSG am HPI

Finding Vulnerabilities through Reverse Engineering (Sommersemester 2014)

Dozent: Prof. Dr. Christoph Meinel (Internet-Technologien und -Systeme)

Allgemeine Information

  • Semesterwochenstunden: 4
  • ECTS: 6
  • Benotet: Ja
  • Einschreibefrist: 1.4.2014 - 28.4.2014
  • Lehrform: SP
  • Belegungsart: Wahlpflichtmodul
  • Maximale Teilnehmerzahl: 10

Studiengänge, Modulgruppen & Module

IT-Systems Engineering BA
IT-Systems Engineering MA
  • IT-Systems Engineering A
  • IT-Systems Engineering B
  • IT-Systems Engineering C
  • IT-Systems Engineering D


"Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation." Quote by Dennis Yurichev.

Often times, attackers do not have access to the source code of an application. As a result, black and gray box testing is used to try and understand the way an application works and how one might be able to misuse it for its own benefit. Reverse engineering allows an attacker to gain deeper knowledge and understanding about their target and knowing how attackers go about doing this allows software developers to protect their software from being exploited.

This seminar gives an insight into the various facets of reverse engineering, including white-box, gray-box and black-box testing, to understand how a developer can ensure the security and robustness against common attacks and how he can protect against unintended misuse of his software.

We do not encourage people to apply the learned techniques on third-party software!

There will be two sections in this seminar, that lead from an introduction to the practical application of the gained knowledge.

  1. Understanding of basic reverse engineering techniques
  2. Practical application of the learned techniques
    1. On so called crack-me's
    2. On selected real-world software


A prior participation in the two courses "Internet Security" and "Cops & Robbers" would be helpful, but is not required. Additionally, knowledge in the assembly language and application security is recommended.


  • Dennis Yurichev: Reverse Engineering for Beginners. April 2014
  • C. Eagle: The IDA Pro Book. 2nd Edition, No Starch Press, June 2011
  • M. Sutton, A. Greene, P. Amini: Fuzzing - Brute Force Vulnerability Discovery. Addison-Wesley, June 2007

Lern- und Lehrformen

The seminar will focus on the practical application of reverse engineering techniques to find vulnerabilities. The seminar sessions will only be used for presentation of results and introduction to the topics. Many seminar sessions are dedicated for the students to practically work on the solution for their tasks.


The seminar is graded as follows:

  • Theoretical Introduction into reverse engineering topics (20%)
    • Presentation on reverse engineering topic (10%)
    • Short report (10%)
  • Practical Part
    • Reverse engineering on demo application (30%)
      • Practical Work (20%)
      • Presentation (10%)
    • Reverse engineering on selected real-world application (30%)
      • Practical Work (20%)
      • Presentation (10%)
    • Final report (20%)


The first seminar session will be at April 8th.

Seminars will take place at the following slots:

  • Wednesdays, 3:15 PM in H-E.52