Hi, it's me again. Over the last few days I was trying to make an app for my smartwatch to retrieve my homework and notify me when a teacher assigns a new task. Since our school's software doesn't have public APIs, I reversed it.
How it works
All the API requests made by this software are encrypted with RC4 and encoded with base64. Luckily I managed to deobfuscate its source code (it's just a Cordova app that makes AJAX requests),
and after that I reversed the login function:
login: function (codice_fiscale, username, password, success_callback, errorCallBack) {
    APP.forceTimelineReload = true
    var method = 'Login'
    // request body: school code, credentials, app name and vendor token
    var json_urlencoded = {}
    json_urlencoded.sCodiceFiscale = codice_fiscale
    json_urlencoded.sUserName = username
    json_urlencoded.sPassword = password
    json_urlencoded.sAppName = APP.name // FAM_APP
    json_urlencoded.sVendorToken = appGlobals.SVENDOR_TOKEN
    var json_stringified = JSON.stringify(json_urlencoded)
    var params = {}
    params.async = true
    params.data = json_urlencoded
    params.successCallBack = success_callback
    params.errorCallBack = errorCallBack
    var opt = params
    // SDWS is the web-service helper: it applies RC4 + base64 and URL-encodes the body before the AJAX call
    var ajax_request = $.extend(true, {}, SDWS)
    ajax_request.exec(undefined, method, opt)
}
Basically this function builds a JSON object with the school code, my username, my password, the app name (always "FAM_APP") and the vendor token, then encrypts the JSON with RC4, base64-encodes it, URL-encodes the result and sends it to the endpoint. Let's try to do the same.
After sending the request we get back a bunch of information, and it includes the PIN used to justify absences, bad grades, notes etc.
To demonstrate that I'm not lying, I will justify an absence:
Conclusion
I don't want to roast the developers of this software, but if they are reading this I'd suggest hashing the PIN instead of sending it in plaintext.
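As an added example (not the app's code and not the author's), here is the request encoding described under "How it works" in Python, JSON -> RC4 -> base64 -> URL-encode, together with the server-side alternative suggested in the conclusion. The RC4 key is a placeholder because the real one is embedded in the app and is not on the page, and the field names in the sample response are constructed. Since every copy of the app carries the same key, anyone with the app can run the transform backwards, which is why a PIN in the response is effectively plaintext; the last two functions show storing a salted hash and verifying a submitted PIN instead.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse

# Constructed placeholder: the real key is embedded in the app and is not on the page.
APP_RC4_KEY = b"PLACEHOLDER_APP_KEY"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wrap(payload: dict) -> str:
    """JSON -> RC4 -> base64 -> URL-encode: the request encoding described in the post."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return urllib.parse.quote(base64.b64encode(rc4(APP_RC4_KEY, raw)).decode(), safe="")

def unwrap(blob: str) -> dict:
    """Reverse of wrap(). Whoever holds the app also holds the key, so this is always possible."""
    raw = base64.b64decode(urllib.parse.unquote(blob))
    return json.loads(rc4(APP_RC4_KEY, raw))

def weak_login_response(pin: str) -> str:
    """Weak design: the PIN travels in the login response; RC4 only hides it from people without the app."""
    return wrap({"user": "demo", "pin": pin})  # constructed field names

def store_pin(pin: str) -> tuple:
    """Hardened design, server side: keep a salted PBKDF2 hash and never send the PIN to the client."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def verify_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    """The client submits the PIN with the justification request; the server checks it against the hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```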