Application hacking - 2026 Spring
English ICI012AS3AE-3001 and Finnish ICI012AS3A-3003

Find your vulnerabilities - before criminals do.

"Application hacking and vulnerabilities" (English, Mon 11-13:45) and "Sovellusten hakkerointi ja haavoittuvuudet" (Finnish, Mon 8-10:45).

Co-taught with Lari Iso-Anttila. Sold out, queue started.

Course names: Application Hacking and Vulnerabilities (en); Sovellusten hakkerointi ja haavoittuvuudet (fi)
Study guide: Application Hacking and Vulnerabilities ICI012AS3AE-3001 course description, implementation ICI012AS3AE-3001; Sovellusten hakkerointi ja haavoittuvuudet ICI012AS3A course description, implementation ICI012AS3A-3003
Timing: 2026 period 3, early spring (w03-w11, excluding w08) (schedule)
Credits: 5 ECTS
Classes: Pasila, classroom pa5001, bring your laptop. Mon 08:00 fi, 11:00 en.
Max students: 30 each course, sold out, queue started
Language: Fully English for "Application hacking"; Finnish (+reading material in English) for "Sovellusten hakkerointi"
Remote: No, fully contact in Pasila classroom, mandatory participation
Feedback: 4.5 / 5 (excellent feedback, five star experience)
Services: Moodle: Application hacking and vulnerabilities; Moodle: Sovellusten hakkerointi ja haavoittuvuudet; Laksu. Voluntary extra: Tero's list.
Teachers: Tero Karvinen and Lari Iso-Anttila
First class: 2026-01-12 w03 Mon in pa5001, bring your laptop. Finnish course 08:00, English 11:00.
Enroll: Sold out. For a chance at a place from the queue, enroll in Peppi and come to the first class.

This page will be updated before and during the course.

Schedule

Mondays in Pasila, classroom pa5001. Bring your laptop!

"Sovellusten hakkerointi ja haavoittuvuudet" (Finnish, Mon 08:00-10:45).

"Application hacking and vulnerabilities" (English, Mon 11:00-13:45)

Day | Preliminary Topic
2026-01-12 w03 Mon | Introduction. Organization. Standards and frameworks. Tero and Lari.
2026-01-19 w04 Mon | Hacking in and fixing vulnerabilities from source code, web as example. Tero.
2026-01-26 w05 Mon | Hacking a web application and fixing the vulnerability, teardown. Tero.
2026-02-02 w06 Mon | Guest speaker? Static analysis. Ghidra. Strings, file... Tero.
2026-02-09 w07 Mon | Dynamic analysis. Debuggers and gdb. Lari.
2026-02-23 w09 Mon | Embedded systems. Lari.
2026-03-02 w10 Mon | Cryptography. Tero.
2026-03-09 w11 Mon | Capture the Flag. Tero and Lari.

This is an advanced course, so topics may change as the course progresses.

Prerequisites

At the start of the course, you should know:

  • Programming basics
  • Linux basics
  • Installing Linux on a virtual machine on your own laptop

For the Finnish implementation, you should be able to speak Finnish fluently; and read and write Finnish and English. For the English implementation, only English is needed.

Prior knowledge acquired in any way is acceptable. Knowledge can be obtained, for example, from "Linux Servers" or "Programming 1" courses, but self-study is also fine.

Prerequisites may be verified with a survey if necessary, and course participants may be selected based on an initial test if needed.

You can review or learn the skills below before the course if you wish. If you already know the topics, you don't need the review package.

Review Package

If you already know these things, you don't need the review package. You don't have to learn these specific languages. If an initial test is held during the course, questions won't be limited to the review package content.

Programming Basics

  • The course involves coding and reading code
  • Any language works (e.g., Python or C)
  • Variable, data types (int, float, string, array/list), conditional statement (if-else), loops (for, while), function, class (class, object), execution order
  • You can write simple programs
  • You can read programming language and library manuals; and search the web for solutions to simple problems

If you want to review Python on Linux, you can start writing code like this:

$ python3
>>> print("Hello, Tero!")
>>> exit()

$ nano hello.py

And here you can write your program:

print("Hello, Tero!")

Save in nano with ctrl-X, y, enter. I personally install the 'micro' editor when I code more.

$ python3 hello.py
Hello, Tero!

And the language basics are explained here:

I often review languages by writing a bunch of easy warm-up programs.

Linux Basics

Linux is used as a tool. Basic skills are sufficient. The course does not require extensive Linux administration skills.

  • Using the command line
  • Root privileges (sudo)
  • Package management (apt-get)
  • Directory structure (e.g., /home/tero/, /etc/, /, /var/log, /usr/bin/, /usr/local/bin/)
  • Logs (sudo journalctl -n 20; /var/log/apache2/error.log)

Learn the commands from: Karvinen 2020: Command Line Basics Revisited

The easiest way to review is to install Linux on a virtual machine and play with it.

Installing Linux on a Virtual Machine

  • For example, installing Debian in VirtualBox (instructions below)
  • You can use other virtualization solutions if you can adapt and solve related challenges yourself (e.g., QEMU, libvirt, virt-manager...)

Students have installed hundreds of Linuxes with this installation guide: Install Debian on Virtualbox - Updated 2024

(For Macintosh users: Apple Macintosh M1, M2, M3, M4... is not suitable for the course. These Macs use the arm64 architecture, while the course requires amd64 (x86-64). Many applications and virtual machines used in exercises are only available for the more common amd64 architecture, so we recommend bringing an amd64-based PC laptop running Linux or Windows.)

Previous Implementations

All implementations "Application Hacking and Vulnerabilities"

Homework

Homework report links are submitted to Laksu 24 hours before the contact session. After submitting your own assignment, you peer-assess two classmates' assignments.

Homework is done and reported after each class. Assignments can be published anywhere and the link submitted to Laksu. Homework reports must be in a format viewable directly in a browser, as a regular HTML web page. No odt, no odp, no ppt, no docx, no doc, no pdf. Homework cannot be submitted by email. Links are submitted to Laksu and then two works are peer-assessed. Free web hosting is available from WordPress.com, GitHub.com, and Gitlab.com.

Assignments are official only after they are given at the end of class. Even if the assignment might sometimes be on the web page before class, they should not be done in advance, as they are evaluated according to the given assignment. Significant changes may be made before confirmation.

Homework is reviewed at the next meeting, problems are solved together, and oral feedback is given. The grade for the homework package is given only at the end of the course, but assignments must still be submitted 24 hours before the next class. Those who don't start completing the course by submitting assignments will be removed from the course. Publishing is voluntary but highly recommended. If for some reason you don't dare or otherwise don't want to publish, you can put the work on a web page behind a password (the same password for all homework) and share this password with classmates. If tests on homework topics are held during classes, their points are included in the homework assessment.

Homework must be done by experimenting on a computer and reporting the course of events, unless otherwise stated in the specific subsection. Reports must contain information that can verify the exercises were done and not fabricated.

All sources used must be cited in the report: course assignment page, classmates' reports, man pages, books. The citation must show which information came from which source. If you ask AI for advice, it must be cited as a source, naming the AI model and specifics. AIs hallucinate; it's recommended to verify the information. Summaries or essays must not be generated with AI or similar techniques; they must be written yourself. It is forbidden to generate text with AI, as your classmates will be reading what you wrote.

h1 High Standards (Lari)

h2 Break & Unbreak (Tero)

Now we hack! And code!

You'll learn to find and fix vulnerabilities.

Remember systematic working methods and report as you go. Also reflect: Where could this vulnerability be common? How could this mistake be avoided? What did I learn from this?

Tips

  • OWASP Top 10 is probably the most well-known document about web vulnerabilities
  • PortSwigger Academy's articles and labs are excellent material about web hacking.
  • Reporting is part of systematic working methods. A way to solve challenging computer problems.
    • The client isn't sitting behind you cheering when you hack. In return for payment, the client usually wants a report.
  • Did you cite the course, homework, documents, and all other sources?
    • Which information came from which source?
  • See the optional introductory exercises if needed. When you solve them first, the harder tasks become easier.
  • Create a PortSwigger Academy account if needed.
  • Small hints and near-spoilers.
  • If hacking progresses, good. If you think of different approaches, keep going.
  • The newest version of the targets has a small improvement to 010-staff-only. But solving the version shown in class works too.
  • Stuck? No idea?
    • Do the introductory exercises
    • Look at the hints; that's why they exist
    • Useful: Think of different approaches. Write them down. Summarize what you already know. Do introductory exercises.
    • Useless: It's useless to stare at a web form for over 30 min if you can't think of approaches to try at your current skill level. In that case, hints help.
    • And we'll look at more together in class.

h3 No Strings Attached (Tero)

Did you know you can get information from binaries before running them? Here we step into next week's world of static analysis.

The uncrowned king of static analysis, 'strings', greets us!

  • a) Strings. Download ezbin-challenges.zip. Run 'passtr'. Find the correct password using 'strings'. Also find the flag. (Preferably without looking at the source, if you can.)
  • b) Make a new version of the passtr.c program where the password doesn't appear directly as-is in the binary. Demonstrate with a test that the password doesn't appear. (Obfuscation is sufficient.)
  • c) Packd. Run 'packd' from the package ezbin-challenges.zip. What is the password? What is the flag? (This task is slightly more challenging. Write down the approaches you tried and hypotheses you came up with. Hopefully you'll reach the goal yourself, but if not, the walkthrough will be revealed in class...)
  • d) Optional bonus: Cryptopals. Crypto Challenge Set 1. This can be done as a bonus over several weeks. If you solve items 1 .. "4. Detect single-character XOR", you've already stepped into the world of cryptography.

Tips

  • Use the 'strings' program
  • Is C unfamiliar? Try yourself first and look for hints online. If it doesn't resolve otherwise, you can ask AIs. Remember to cite sources.
  • Cryptopals
    • Base64 is needed only for practical reasons. You can use a ready-made language or library implementation.
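
Added example, not part of the original course material: a small Python sketch of what 'file' and 'strings -n' do, so you can see how much a binary reveals before it is ever run. The byte blob, the secret and the compiler banner in it are constructed sample data; `sniff_magic` and `extract_strings` are names made up for this illustration.

```python
import re

# Leading "magic" bytes of a few common formats (the first thing file(1) looks at).
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}

def sniff_magic(data: bytes) -> str:
    """Identify a file type from its first bytes only."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every run of at least min_len printable
    ASCII bytes, roughly what `strings -n min_len -t d` prints."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

# Constructed sample: an ELF-like header, some noise, and string constants
# the way a compiler would leave them in a data section.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"\x01\x02abc\x00\x90\x90"              # run of 3: below the default minimum
    + b"Enter password: \x00"
    + b"constructed-example-secret\x00"       # a hard-coded secret is plainly visible
    + b"\xff\xfe\x00GCC: (Debian) 12.2.0\x00"
)

if __name__ == "__main__":
    print(sniff_magic(SAMPLE))
    for offset, text in extract_strings(SAMPLE):
        print(f"{offset:4d}  {text}")
    # A higher minimum length filters short noise, as with 'strings -n 20'.
    print([text for _, text in extract_strings(SAMPLE, min_len=20)])
```

Any constant compiled into a program as plain text can be read this way by whoever holds the file, which is why hard-coded passwords and keys count as a vulnerability.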

Additional tips, packd

Packd, minor spoilers. The task is fun even if you look at these.
  • Look at the beginning of the binary
  • The task name gives a hint; could the binary be packed (binary packer)?
  • Could it be some common tool (most common binary packers)?
  • The flag doesn't end with the character '8'.

Big hints, packd

Spoilers for the packd task. Still not a walkthrough.
$ strings foo|head
$ strings -n 20 packd

h4 Some Disassembly Required (Tero)

  • x) Read/watch/listen and summarize. (In this x-subsection, you don't need to do tests on a computer; just reading or listening and a summary is enough. A few bullet points are sufficient for the summary.)
  • a) Install Ghidra.
  • b) rever-C. Reverse engineer the packd binary to C language with Ghidra. Find the main program. Give variables descriptive names. Explain the program's operation. Solve the task from the binary, without the original source code. ezbin-challenges.zip
  • c) If backwards. Modify the passtr program's binary (without the original source code) so that it accepts all passwords except the correct one. Demonstrate with tests that the program works. ezbin-challenges.zip
  • d) Nora CrackMe: Compile to binaries Tindall 2023: NoraCodes / crackmes. Read README.md: don't look at the source code unless you need training wheels. In these tasks, binaries are reverse engineered. Binaries are not modified, because otherwise the solution to every task would be to change the return value to "return 0".
  • e) Nora crackme01. Solve the binary.
  • e) Nora crackme01e. Solve the binary.
  • f) Nora crackme02. Name the main program's variables from the reverse-engineered binary and explain the program's operation. Solve the binary.
  • g) Optional: And beyond. Crackme01 has multiple solutions. How many can you find? Why?
  • h) Optional: Unsolicited. Crackme02 has two solutions. Can you find both?
  • i) Optional, slightly more challenging: A ray. Nora crackme02e. Solve the binary.

Want even harder challenges? You can solve more NoraCodes/crackmes challenges if you wish and your skills allow.

Tips

  • Ghidra installation
    • Kali:
      • 'sudo apt-get install ghidra'
    • Debian 12-Bookworm (from memory)
      • 'sudo apt-get install openjdk-17-jdk'
      • Get the Ghidra version that works with this Java 17 version. I think Ghidra 11.1.2. It's actually quite new.
      • GitHub: NationalSecurityAgency / Ghidra: Releases: 11.1.2: Assets: ghidra_11.1.2_PUBLIC_20240709.zip (about 400 MB)
  • Packd reverse engineering
    • Did you remember to unpack the packing?
  • Training wheels as an adult?
    • The only purpose of the tasks is to learn this thing.
    • At work, you'll have to solve tasks yourself.
    • Basics are learned with simple programs. These skills are applied to more complex programs over time.
    • If all ideas and approaches are exhausted, then a model solution (or AI's direct answer) is better than nothing. It's always worth trying the task through even with instructions, so you'll know for the next one.
    • Don't delegate learning to AI.
    • Current AIs can solve easy tasks. But that's not very useful at work. The course tasks are easy because we're just learning. Skills must later be applied at a level that current AIs can't handle.
  • Return value from a command in Bash
    • 'echo Tero; echo $?' prints "Tero\n0", where 0 is the return value.
    • Zero means everything went well. Other numbers are errors.
  • If you end up registering for PicoCTF for fun, you can leave strange questions unanswered (such as those about ethnic group). Such questions are quite foreign to Finns but unfortunately common at least in British universities.

h5 It's Alive! (Lari)

  • a) Lab1. Investigate what's wrong with the program and how to fix it. lab1.zip
  • b) Lab2. Find out the password and flag + write a report on how it opened. lab2.zip
  • c) Lab3. Try Nora Crackmes exercises tasks 3 and 4; the rest are optional. Tindall 2023: NoraCodes / crackmes.
  • d) Lab4. Optional: Crackmes.one exercise. Can you find out the password? lab4.zip in Moodle.

Tips

  • lab0.zip solved in class
  • Lari's slides are available in Moodle

h6 Layer Cake (Lari)

  • a) Examine the file h1.jpg with tools you've already learned. What can you find out?
  • b) Examine the file h1.jpg with binwalk. What information do you find now? What tool would you use to separate files? (Note that binwalk versions 2.x and 3.x work differently.)
  • c) FOSS (Free Android OpenSource). Explore Android applications from Offa's (2024) list: Android FOSS. Choose the most interesting application for yourself from the list and go to its GitHub. Download the application's APK and use the following tools to explore how to open an APK.
  • d) Optional: Explore ESP32 projects from Covarrubias 2024: Awesome ESP. Choose the most interesting project for yourself. Investigate how to open an ESP32 binary. Write in your report which application you examined and what information you found from the compiled package. If necessary, you can compare whether the information matches the code on GitHub.

h7 Uhagre2 (Tero)

Many weaknesses in encryption are completely ordinary programming errors. That's why we can break encryption without a mathematics degree.

Including two of my favorites: Schneier is my favorite cryptography textbook, and Cryptopals is my favorite exercise for breaking encryption.

  • x) Read/watch/listen and summarize. (In this x-subsection, you don't need to do tests on a computer; just reading or listening and a summary is enough. A few bullet points are sufficient for the summary.)

  • Solve CryptoPals Set 1 challenges. Tasks can be solved with any programming language and using any text editor or IDE. Tasks shouldn't be solved with AI, as it just copies the model solution directly from its training material.

    • a) 1. Convert hex to base64.
    • b) 2. Fixed XOR.
    • c) 3. Single-byte XOR cipher.
    • d) 4. Detect single-character XOR.
      • Solving this task usually brings joy.
    • e) Optional, recommended: 5. Implement repeating-key XOR.
    • g) Optional: 6. Break repeating-key XOR.
    • h) Optional: 7. AES in ECB mode.
    • i) Optional: 8. Detect AES in ECB mode.

The submission deadline for optional h8 "Bonus" is the same as for this task, i.e., 24 h before the last meeting.

Tips

  • Summary
    • Reading is the most important thing
    • Schneier 2015 is my favorite cryptography textbook. At least the 20th edition is in print, so I guess someone else has agreed. I also recommend Schneier's blog.
    • My article presenting programming techniques is long; you should especially pick only a few key techniques for yourself for the summary, not make a comprehensive condensation.
  • CryptoPals

h8 Bonus

Optional: Bonus: list and link here your completed

  • a) Optional tasks
  • b) Substantially improved tasks after grading
  • c) Success in application hacking outside the course
    • For example, in CTFs related to application hacking

Deadline 24 h before the last meeting, i.e., the same as the previous task.

Administrivia: This page will update before and during the course. Human verified machine translation was used for parts of this page.