I’ll be honest — for a long time, reverse engineering scared me a bit. I could muddle through the basics, but the moment I hit a wall of assembly code or a packed binary with five layers of encryption, I’d feel completely out of my depth. The resources out there are either aimed at total beginners (“here’s what a CPU register is”) or they assume you’ve been doing this for a decade. There’s not much in between.
That gap is one of the reasons I built a learning mode into Arkana. I called it /arkana-learn, and it’s basically an interactive tutor that teaches you reverse engineering by doing it — on real binaries, with real tools, step by step.
What It Actually Is
The idea is simple. You load a binary — could be a piece of malware, a CTF challenge, or just a program you’re curious about — and tell it you want to learn. It walks you through the analysis step by step, explaining what each tool does, why it’s being used, and what to look for in the results. Before it shows you the answer, it’ll often ask you a question first: “Looking at these imports, what do you think this program might be doing?” It’s trying to build your instinct, not just show you facts.
The key thing is that everything is live. It’s not a textbook with screenshots of what a hex editor looks like. You’re looking at real tool output from a real binary, and the tutor is interpreting it for you in real time. When it says “see that string that looks like a URL? That’s probably where this malware phones home,” you’re seeing it in the actual data, not in a diagram.
It Meets You Where You Are
This was important to me. The tutor adapts to four different levels, and it figures out where you are pretty quickly.
If you’re completely new, it talks in plain language and uses everyday analogies. The import table becomes “a shopping list of functions the program needs to borrow from Windows.” Sections in a binary become “rooms in a building — one for the code, one for the data, one for resources like icons and images.” It sticks to the gentler tools and doesn’t throw a decompiler at you on day one.
As you get more comfortable, the language shifts. The analogies drop away, technical terms come in with brief context, and the tools get more powerful. By the time you’re at the advanced level, you’re doing data flow analysis, tracing where encryption keys come from through the code, and using the emulator to step through anti-debugging tricks.
It remembers your progress between sessions too, so you’re not starting from scratch every time you come back to it.
What It Covers
The curriculum is broader than I originally planned. It ended up at 18 modules across the four levels:
At the beginner level, you’re learning what a compiled program actually looks like under the hood — how it’s structured, what the different sections mean, how to read the strings embedded in it, what its imports tell you about its behaviour, and a gentle introduction to assembly language (just the 10 instructions you’ll see most often, not the whole reference manual).
At intermediate, things get more interesting. You start reading decompiled code, learning how programs try to hide what they are through packing and encryption, spotting cryptographic patterns, and mapping a program’s capabilities against known attack techniques.
The advanced modules cover the stuff that used to completely lose me — tracing how data flows through a program, using emulators to safely run suspicious code, understanding anti-analysis tricks that malware uses to fight back against people like us, and extracting hidden configuration data like server addresses and encryption keys.
And at the expert level, it’s things like manually unpacking heavily protected binaries, reversing network protocols, writing detection signatures, and comparing different versions of the same malware to track how it evolves over time.
How It’s Actually Helped Me
I know it sounds daft — learning from a tool I built myself. But the thing is, building the tools and understanding how to use them properly are two very different skills. I could tell you exactly how the decompiler works under the hood, but ask me to look at the output and figure out what a function does? That took practice.
The biggest shift for me was in how I approach a new binary. Before, I’d open it up, poke around a bit, get overwhelmed by the volume of information, and not really know where to focus. The structured approach — triage first, then strings, then imports, then dig into the interesting functions — sounds obvious when you write it down, but having something enforce that discipline made a real difference.
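The triage-then-strings order described above, sketched as an added example (not Arkana's code or output): it walks a PE section table, scores each section's entropy as a packing hint, and pulls printable strings. The sample buffer, the function names and the 7.0 entropy threshold are assumptions made for illustration.

```python
import math
import re
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe: bytes):
    """Triage step: walk the PE section table, yielding (name, raw_bytes)."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", pe, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)    # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        hdr = table + 40 * i                                 # 40-byte section header
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size, ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr:ptr + size]

def strings(data: bytes, min_len: int = 6):
    """Strings step: printable ASCII runs of at least min_len bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(pe: bytes, threshold: float = 7.0):
    """Per section: entropy, a packing hint (threshold is an assumed heuristic), strings."""
    return [{"name": n, "entropy": round(entropy(raw), 2),
             "high_entropy": entropy(raw) > threshold, "strings": strings(raw)}
            for n, raw in sections(pe)]

def build_sample() -> bytes:
    """Constructed two-section PE-like buffer: parseable, not a runnable program."""
    plain = b"http://update.example.invalid/checkin\0LoadLibraryA\0".ljust(256, b"\0")
    dense = bytes((i * 167) % 256 for i in range(1024))      # every byte value equally often
    def hdr(name, blob, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", len(blob), 0, len(blob), ptr) + b"\0" * 16
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    at = 0x40 + 24 + 2 * 40                                  # first byte after the headers
    return (dos + coff + hdr(b".rdata", plain, at)
            + hdr(b".blob", dense, at + len(plain)) + plain + dense)

if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

High entropy alone is a hint rather than proof of packing; compressed resources score high too, which is why the imports and the interesting functions come next.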
The Socratic questioning is surprisingly effective too. When the tutor asks “what do you think this function does based on the APIs it calls?” before showing you the decompiled code, it forces you to build a mental model first. Half the time I was wrong, but that’s kind of the point — you learn more from being wrong and understanding why than from just being handed the answer.
I’m not claiming to be an expert reverse engineer now. But I’m a much better one than I was six months ago, and a lot of that progress came from working through real samples with this thing.
Have a Go
If you’ve ever been curious about reverse engineering but found the learning curve off-putting, this might be a decent place to start. You don’t need any prior experience — the beginner level genuinely starts from scratch. All you need is a binary to look at (there are plenty of CTF challenges and sample malware available for practice) and the willingness to poke around.
Just type /arkana-learn in Claude Code with Arkana connected, and it’ll take it from there. Or if you want to dive straight into a specific topic, ask it directly — “teach me about packing” or “walk me through how imports work” and it’ll pick up from wherever you are.
Arkana is free and open-source. Everything you need to get started is on the GitHub and the website.
If you do give it a go, I’d genuinely love to hear how you get on. The whole point of building this was to make reverse engineering less intimidating, and knowing whether it actually works for other people would mean a lot.
