A Simple Reverse Engineering of Login Encryption Algorithm

1. “Seeing Flowers in the Fog”

Error in replaying the login interface:

A Simple Reverse Engineering of Login Encryption Algorithm

It seems to be related to RSA encryption. Why RSA? Just a feeling~~

```y9uN67EfI6s5KtHsQSxQ6XDq0MSYnON9XzZmTOXlN3gzGq13%2B5iZ0MmMXLq7ypgoPTr0NN7wnpjHHNbDcfVS/4Eda24Mjf8qgs%2BXX7a470iGyn8oh7S6Ha7QHMIyt9EQ1Oi1KNNSEidngzJB4y/V7jebeXjhaRZNqsPvbQRYSuA%3D```

URL Decoding

```y9uN67EfI6s5KtHsQSxQ6XDq0MSYnON9XzZmTOXlN3gzGq13+5iZ0MmMXLq7ypgoPTr0NN7wnpjHHNbDcfVS/4Eda24Mjf8qgs+XX7a470iGyn8oh7S6Ha7QHMIyt9EQ1Oi1KNNSEidngzJB4y/V7jebeXjhaRZNqsPvbQRYSuA=```

BASE64 Continue Decoding

```˛�#빪ѬA,P鰪Є蜣}_6fL奷x3�虐Ɍ\껊訽:䴞ޘǜփq咿ᝫn�⏗_港H抿(紺²瑐Ԩ娓R'g㲁㯕yxᩖMꃯmXJ```

2. “Analyzing in Detail”

Next, let’s analyze the login logic.

Encryption algorithm plugin:

http://172.18.252.116:8096/SmartWorkESB/js/jsencrypt.js

Login logic:

http://172.18.252.116:8096/SmartWorkESB/js/index.js

Basically, the client uses the public key for encryption, and the server uses the private key for decryption.

Returning to the password logic, the core code is as follows:

$(document).ready(function() {    $("form:first").validate({        onfocusout: !1,        onkeyup: !1,        showErrors: function(a, b) {            if (b && b[0]) {                var c = smartwork.getLabel($(b[0].element)) + b[0].message;                "" != c && smartwork.error(c)            }        }    });    var d = function() {        var a = $("form:first button");        smartwork.isReadOnly(a) || (smartwork.disable(a, !0), smartwork.hide(), $("form:first").valid() ? smartwork.ajax({            url: "pub/GetValidCode.do"        },        function(b) {            var c = new JSEncrypt;            c.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB");            smartwork.ajax({                url: "pub/Login.do",                data: {                    userName: $('form:first input[name="userName"]').val(),                    password: c.encrypt(b.root + $('form:first input[name="password"]').val())                }            },            function(b) {                smartwork.disable(a, !1);                window.location = "main.html?v=" + Math.ceil(1E3 * Math.random())            },            function() {                smartwork.disable(a, !1)            })        },        function() {            smartwork.disable(a, !1)        }) : smartwork.disable(a, !1))    };    $("form:first button").click(function(a) {        d()    });    $("form:first input[name]").keyup(function(a) {        13 == a.keyCode && d()    })});
3. "Clarifying the Encryption Logic"<br />Step 1: Call POST /SmartWorkESB/pub/GetValidCode.do to get the replay key value<br />var d = function() {        var a = $("form:first button");        smartwork.isReadOnly(a) || (smartwork.disable(a, !0), smartwork.hide(), $("form:first").valid() ? smartwork.ajax({            url: "pub/GetValidCode.do"        },<br /><br />Step 2: Then call the Login.do interface, the password field is RSA encrypted (key + password field)<br />function(b) {            var c = new JSEncrypt;            c.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB");            smartwork.ajax({                url: "pub/Login.do",                data: {                    userName: $('form:first input[name="userName"]').val(),                    password: c.encrypt(b.root + $('form:first input[name="password"]').val())                }            },<br /><br />Step 3: Validate the encryption algorithm<br />
4. "Complete POC Script" as follows:<br />#!/usr/bin/env python3<br /># -*- coding: utf-8 -*-<br />import requests<br />import base64<br />from Crypto.PublicKey import RSA<br />from Crypto.Cipher import PKCS1_v1_5<br /># ========== Configuration ==========<br />TARGET_HOST = "http://xxx.xxx.252.116:8096"<br />USERNAME = "admin"      # Only for logging, not needed for encryption<br />PASSWORD = "123456"    # The plaintext password to be encrypted<br /># Public key (PEM format, extracted from JS)<br />PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----<br />MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB<br />-----END PUBLIC KEY-----"""<br /># ========== Functions ==========<br />def get_valid_code():<br />    url = f"{TARGET_HOST}/SmartWorkESB/pub/GetValidCode.do"<br />    headers = {<br />        "X-Requested-With": "XMLHttpRequest",<br />        "Referer": f"{TARGET_HOST}/SmartWorkESB/index.html?v=363"<br />    }<br />    resp = requests.post(url, headers=headers)<br />    resp.raise_for_status()<br />    data = resp.json()<br />    if data.get("success") and "root" in data:<br />        return data["root"]<br />    else:<br />        raise RuntimeError(f"Failed to get validCode: {data}")<br />def rsa_encrypt_pkcs1_v1_5(plaintext: str, public_key_pem: str) -> str:<br />    key = RSA.import_key(public_key_pem)<br />    cipher = PKCS1_v1_5.new(key)<br />    ciphertext = cipher.encrypt(plaintext.encode("utf-8"))<br />    return base64.b64encode(ciphertext).decode("ascii")<br /># ========== Main Process ==========<br />if __name__ == "__main__":<br />    try:<br />        print(f"[>] Target: {TARGET_HOST}")<br />        print(f"[>] Encrypting password for user: {USERNAME}")<br />        # Step 1: Get validCode (root)<br />        root = get_valid_code()<br />        print(f"[+] ValidCode (root): {root}")<br />        # Step 2: Concatenate plaintext<br />        plaintext = root + PASSWORD<br />        print(f"[+] Plaintext (root + password): {plaintext}")<br />        # Step 3: RSA encryption (PKCS#1 v1.5)<br />        encrypted_b64 = rsa_encrypt_pkcs1_v1_5(plaintext, PUBLIC_KEY_PEM)<br />        print(f"[+] Encrypted (Base64):\n{encrypted_b64}")<br />        # Step 4: URL encoding (can be directly used for POST form)<br />        from urllib.parse import quote<br />        encrypted_urlencoded = quote(encrypted_b64)<br />        print(f"\n[>] Login Form Data:")<br />        print(f"userName={USERNAME}&amp;password={encrypted_urlencoded}")<br />    except Exception as e:<br />        print(f"[!] Error: {e}")

In conclusion:
The golden path in the AI era is no longer: learn a skill → accumulate experience → become an expert.
This path has been directly “accelerated – compressed – replaced” by AI.
The future starting point will be: centered on cognition → driving structural understanding → then mobilizing AI to complete skill implementation.

Leave a Comment