How to skip school without any consequences (maybe)

How to skip school without any consequences (maybe)

Table of contents

Hi it's me again, in the last days i was trying to make an app for my smartwatch in order to retrieve the homework and notify me when a teacher assign a new task. Since our school software doesn't have public APIs i reversed it.

How it works

All the API requests made by this software are encrypted with rc4 and encoded with base64, luckily i managed to deobfuscate it's source code (it's just a cordova app, that makes ajax requests)

after that i reversed the login function

login: function (codice_fiscale, username, password, success_callback, errorCallBack) {
      APP.forceTimelineReload = true
      var method = 'Login'
      var json_urlencoded = {}
      json_urlencoded.sCodiceFiscale = codice_fiscale
      json_urlencoded.sUserName = username
      json_urlencoded.sPassword = password
      json_urlencoded.sAppName = APP.name // FAM_APP
      json_urlencoded.sVendorToken = appGlobals.SVENDOR_TOKEN
      var json_stringified = JSON.stringify(json_stringified)
      var params = {}
      params.async = true
      params.data = json_urlencoded
      params.successCallBack = success_callback
      params.errorCallBack = errorCallBack
      var opt = params
      var ajax_request = $.extend(true, {}, SDWS)
      ajax_request.exec(undefined, method, opt)

basically this function creates a json with school code, my username, my password, the app name (that is always "FAM_APP") then encrypts this json with rc4 + base64, urlencode the result and send it to it's endpoint. Let's try to do the same

After sending the request we get a bunch of information and it's included the pin to justify the absences, bad grades, notes ecc...

to demonstrate that i'm not lying i will justify an absence

Conclusion

I don't want to roast the developers of this software, but if they are reading this i'll suggest to hash the pin instead of sending it in plaintext