Description
ATTENTION: This course can also be delivered in Italian or Spanish upon request, depending on the audience composition.
1. Course description and introduction
This hands-on course guides participants through the use of four fundamental frameworks for advanced binary analysis: Unicorn, Qiling, Triton, and Miasm.
Each module combines theory and practical labs on x86/x64 and ARM/MIPS architectures.
All material is in Python, and the labs are conducted entirely online via a browser — no local installation is required.
Participants will learn how to:
– Emulate binary code at the CPU level with Unicorn to analyse obfuscated code, hook instructions, and integrate everything into fuzzing pipelines (AFL++).
– Use Qiling for full-system emulation (syscalls, filesystems, networking) and analysis of embedded and IoT firmware.
– Apply dynamic symbolic execution with Triton to solve constraints, identify vulnerabilities, and automate deobfuscation.
– Leverage Miasm’s intermediate representation (IR) for cross-architecture analysis, advanced deobfuscation, and binary rewriting.
The course is NOT an introduction to reversing: participants are expected to already be familiar with the basic concepts of assembly, disassembly, and Python.
2. Requirements — What to bring
– A laptop (any operating system: Windows, macOS, or Linux).
– An up-to-date web browser (Chrome, Firefox, Edge).
– A stable internet connection.
– Basic knowledge of Python.
– Familiarity with assembly and reverse engineering concepts.
All labs and tools are accessible online — no additional software installation is required. Participants will receive login credentials for the cloud environment prior to the course.
3. Level
Intermediate. Participants must have a basic understanding of reverse engineering and knowledge of Python. This course is not for complete beginners, but does not require specific experience with the frameworks covered.
PROGRAMME FOR THE DAY:
09:00 – 09:15 | Welcome & Setup (15 min) Introduction, course objectives, cloud environment access verification.
09:15 – 10:15 | Module 1: Capstone — Disassembly Fundamentals (1h) Framework architecture, multi-architecture disassembly (x86/x64, ARM), instruction parsing, integration with Python. Lab: building a custom disassembler.
10:15 – 10:30 | Coffee Break
10:30 – 12:00 | Module 2: Unicorn Engine — CPU Emulation (1h 30m) CPU-level emulation, memory mapping, instruction/memory hooks, shellcode and obfuscated code emulation. Lab: emulating and analysing ARM functions, hooking instructions for tracing, integration with AFL++ for fuzzing.
12:00 – 13:00 | Lunch Break
13:00 – 14:30 | Module 3: Qiling Framework — Full-System Emulation (1h 30m) From Unicorn to Qiling: syscall emulation, virtual filesystem/networking, OS-level hooks. Embedded/IoT firmware analysis. Lab: emulating a complete Linux/ARM binary, hooking syscalls, firmware analysis with Qiling.
14:30 – 14:45 | Coffee Break
14:45 – 16:30 | Module 4: Triton — Dynamic Symbolic Execution (1h 45m) Symbolic vs concrete execution, taint analysis, constraint solving with Z3, automated deobfuscation. Lab: solving crackme challenges with Triton, vulnerability discovery via symbolic execution, deobfuscation of protected code.
16:30 – 17:00 | Wrap-up & Q&A (30 min) Recap, resources for further reading, open Q&A.
NOTES:
- This course can also be delivered in Italian or Spanish upon request, depending on the audience composition.
- Lunches, coffee breaks and admission tickets to HackInBo® Spring Edition 2026 events included!