Reverse real macOS app behavior from first principles.
This track teaches efficient reverse engineering workflows from a beginner-friendly starting point to operationally useful intermediate analysis. It uses a custom-built macOS training app with realistic bundle structure, ARM64 disassembly, Swift, Objective-C, helpers, local state, network behavior, and instrumentation points. The course is about tool fluency, methodology, and professional analysis, not zero-day hunting.
Every listed topic is intended to be backed by a local lab, a guided training-app exercise, or a reproducible analysis artifact. Hopper and Ghidra can be used as primary tools; commercial tools are treated as optional workflow mappings, not hard requirements.
Reverse Engineering Workflow and Lab Setup
Set up the controlled workflow: training app, evidence folders, baseline observation, notes, and proof standards.
macOS Application Anatomy for Reverse Engineers
Learn where behavior lives inside an app bundle before jumping into disassembly.
First-Pass Binary Triage with Free Tools
Use built-in and free command-line tooling to create a useful target profile without a GUI disassembler.
Mach-O Structure That Actually Matters
Read the Mach-O details that directly answer analysis questions: loaders, imports, sections, constants, and metadata.
ARM64 Basics for macOS Reverse Engineers
Learn enough Apple Silicon ARM64 to follow control flow, arguments, returns, stack frames, branches, and common compiler patterns.
Strings, Symbols, Resources, and Config Clues
Turn noisy static clues into leads: feature names, resources, config files, local state, and confidence levels.
Objective-C Reversing for App Behavior
Map Cocoa application behavior through selectors, classes, delegates, notifications, and target-action paths.
Swift Reversing for Practical Analysis
Recognize Swift-heavy app logic, demangle names, and understand mixed Swift/Objective-C boundaries.
LLDB Runtime Analysis
Move from static guesses to runtime proof with breakpoints, backtraces, values, and object inspection.
Local State, Preferences, SQLite, and Artifacts
Find where app decisions are persisted and explain what those artifacts prove.
Runtime Telemetry: Files, Logs, Processes, and Network
Correlate user actions with macOS evidence so findings are reproducible and defensible.
Network, API, and Request-Construction Reversing
Move from endpoint strings to request construction, safe mock-server testing, and runtime proof.
Decompiler-Style Reasoning and Control-Flow Recovery
Learn to read behavior from call graphs, branches, pseudocode-style reasoning, and runtime confirmation.
LLDB Control-Flow Proof and Runtime State Manipulation
Use LLDB to prove branches, inspect registers and objects, alter state in memory, and validate hypotheses.
License Gates, Feature Locks, and Patch-Based Hypothesis Testing
Reverse a deliberately weak activation gate in the MacSec training app and prove the lock path safely.
Instrumentation, Hooking Concepts, and Analysis Shims
Instrument lab behavior to observe arguments and decisions while respecting hardened runtime limits.
Crash Reports, Exceptions, and Failure-Driven Reverse Engineering
Use crashes, exceptions, diagnostics, and failure paths as navigation aids instead of dead ends.
Real-App Case Study Methodology
Apply the Vol 1 workflow to production apps observationally while keeping patching inside MacSec-owned labs.