Objects

  • cebiesign
<!-- cebiesign: loaded from js/cebiesign.ocx (v2.0.0.4) with no params. The name suggests a
     signing control, but nothing on this page (doLogin, form1) calls it, and the Plain/Signature
     hidden fields it would plausibly fill are posted empty in the capture below. -->
<object id="cebiesign" name="cebiesign" classid="clsid:f3e92562-1b4d-4bfa-b2d4-e9bcabe3b5a8" codebase="js/cebiesign.ocx#version=2,0,0,4" border="0">
 </object>
  • powercommit
<!-- powercommit (PowerEnter.CAB v1.0.0.72): invisible 0x0 helper control. doLogin() calls
     reset() on it, has powerpassword commit("powercommit") into it, then submit("form1")
     to post the form. The method semantics are opaque (ActiveX); order is as captured. -->
<object id="powercommit" codebase="js/PowerEnter.CAB#version=1,0,0,72" classid="clsid:BEEE2807-1709-4184-A05D-1B2DE01EE4CF" style="width:0px;height:0px" height="0" width="0">
<param name="width" value="0">
<param name="height" value="0">
<!-- Frame the control submits within; presumably the frame hosting form1 (verify). -->
<param name="frameName" value="mainFrame">
</object>
  • powerpassword
<!-- powerpassword (PowerEnter.CAB v1.0.0.72): the password-entry control. Per the API trace and
     Conclusion on this page it RSA-encrypts the typed password under the key passed to
     publicKeyBlob() and, on commit(), stores base64(reverse(ciphertext)) in the hidden form
     field named by "fieldName". Note the doubled units in style ("186pxpx"/"23pxpx") as captured. -->
<object id="powerpassword" codebase="js/PowerEnter.CAB#version=1,0,0,72" classid="clsid:614E58F9-74D0-4D7B-90E3-64A0F2AA73B4" style="width:186pxpx;height:23pxpx" height="23px" width="186px">
<param name="width" value="186px">
<param name="height" value="23px">
<!-- Client-side length bounds (0..20) are looser than the 8~14 characters stated in the form's
     help text; whether the server enforces the stated policy is not visible on this page. -->
<param name="maxLength" value="20">
<param name="minLength" value="0">
<param name="maskChar" value="*">
<param name="backColor" value="#FFFFFF">
<param name="textColor" value="#000000">
<param name="borderColor" value="#7f9db9">
<!-- Any character accepted; msgBox=false presumably suppresses the control's own pop-ups (assumption). -->
<param name="accepts" value="*">
<param name="msgBox" value="false">
<!-- Must match the hidden <input name="Password"> in form1. -->
<param name="fieldName" value="Password">
</object>

Commit Code

// RSA public key handed to powerpassword.publicKeyBlob(). Decoding the base64 prefix gives a
// CryptoAPI PUBLICKEYBLOB: bType 0x06, aiKeyAlg 0xA400 (CALG_RSA_KEYX), magic "RSA1",
// bitlen 0x0400 (1024-bit), pubexp 0x010001 -- consistent with the 128-byte ciphertext in the
// API trace. The key ships inline in the page, so its authenticity rests entirely on the
// page's own transport security (TLS); the padding mode used by CryptEncrypt is not visible here.
var blob ="BgIAAACkAABSU0ExAAQAAAEAAQAfFsbhRXwKJMLpsGExRSNaUxLZhaHvMp9ZJEgO2sa30lj6jc2BkNrF/35TKQuLphYVYwDLADdbRj23ChSzVWVmQwAs9CXrqR3tcYavKGsRBEeHEFctULIt6QFn/1Gz6F11k61K8G9yMXy9AGgN+pHum2X3EODpRJBFH9/w1VC+1w==";

	// Client-side login sequence: bump the server-issued "ran" value, hand the RSA public key
	// to the powerpassword control, commit the encrypted password into powercommit, and let
	// powercommit post form1. The four control calls are opaque ActiveX methods; their order
	// is reproduced as captured.
	function doLogin() {
		// "<random value>" is a placeholder in this listing -- presumably substituted server-side
		// with the same number as the hidden "ran" field (verify). As a non-empty literal it
		// can never be null or "", so the else branch below is unreachable here.
		var ran = "<random value>";
		if(ran != null && ran !="") {
			// parseFloat drops any leading zero (e.g. "063319703" -> 63319704 after +1).
			var random = parseFloat(ran)+1;
			document.form1.ran.value = random;
		} else {
			document.form1.ran.value = 0;
		}
		var powercommit = document.getElementById("powercommit");
		var powerpassword = document.getElementById("powerpassword");
		powercommit.reset();
		// 1024-bit PUBLICKEYBLOB (see `blob` above). Per the API trace the password is encrypted
		// with CryptEncrypt under this key and posted as base64(reverse(ciphertext)); per the
		// Conclusion the random value is not mixed in, so any freshness/replay protection must
		// come from server-side handling of ran/_tokenName, which this page does not show.
		powerpassword.publicKeyBlob(blob);
		// Writes the ciphertext into the hidden field named by the control's fieldName param
		// ("Password") -- inferred from the captured POST, confirm against the control.
		powerpassword.commit("powercommit");
		powercommit.submit("form1");
	}

Form Params

<!-- Login form (POST perlogin1.do). The only visible input is LoginName; Password and ran are
     filled by doLogin() and the PowerEnter controls before submit. In the capture below,
     Password carries the base64 ciphertext and the remaining hidden fields are posted empty. -->
<form name="form1" action="perlogin1.do" method="post">
<input type="hidden" name="_viewReferer" value="login/login01" />
<input type="hidden" name="_locale" value="zh_CN" />
<input type="hidden" name="version" value="20140529" />
<!-- Written by the powerpassword control (fieldName=Password) as base64(reverse(RSA ciphertext))
     per the API trace; no plaintext password appears in the captured POST. -->
<input type="hidden" name="Password" />
<!-- Server-issued number; doLogin() overwrites it with parseFloat(ran)+1. Per the Conclusion it is
     not bound into the password ciphertext, so replay/freshness protection would rest on server-side
     handling of ran and _tokenName, which this page does not show. -->
<input type="hidden" name="ran" value="063319703" />
<input type="hidden" name="TransName" value="" />
<input type="hidden" name="Plain" value="" />
<input type="hidden" name="Signature" value="" />
<input type="hidden" name="MerName" value="" />
<input type="hidden" name="TransType" value="" />
<input type="hidden" name="OperationNo" value="" />
<input type="hidden" name="MerDCFlag" value="" />
<input type="hidden" name="checkloginflag" value="" />

<!-- Per-page token (1jjihb5u here, z90qww5h in the capture); presumably a one-time form token (verify). -->
<input type="hidden" name="_tokenName" value="1jjihb5u" />
<div class="box">
<!-- header -->
<div class=" head"><table cellpadding="0" cellspacing="0" border="0"    style="margin:10px 0;"><tr><td  align="left" ><img src="images/public/login_2.gif"  /></td>
 </tr>
    </table>
</div>
<!-- end header -->
<!-- content -->
<div class="content">
<table cellpadding="0" cellspacing="0" border="0">
<tr> 
  <td class="conback" valign="top" >
	
  </td>
  <td class="conback2" valign="top" align="center">
  <!-- login area -->
  <table cellpadding="0" cellspacing="0" border="0" class="login" width="433">
  	<tr><td valign="top" class="title line01" align="left"><img src="images/public/yhdl.gif" width="120" height="22" />
	<!-- 1x1 invisible Flash object (bharosa_web/bharosa.swf, dcUrl=/dc): looks like Oracle Adaptive
	     Access Manager (formerly Bharosa) device fingerprinting; confirm. allowScriptAccess=sameDomain. -->
	<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" id="flash" align="middle">
	    <param name="allowScriptAccess" value="sameDomain"/>
	    <param name="movie" value="/per/bharosa_web/flash/bharosa.swf"/>
	    <param name="quality" value="low"/>
	    <param name="bgcolor" value="#ffffff"/>
	    <param name=FlashVars value="dcUrl=/dc?s=true&"/>
	    <embed src="/per/bharosa_web/flash/bharosa.swf" quality="low" bgcolor="#ffffff" FlashVars="dcUrl=/dc?s=true&" width="1" height="1"name="flash" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash"/>
	</object>
</td></tr>
    <tr><td height="35" align="center">
    	
    </td></tr>
    <tr><td align="left">
       <table cellpadding="0" cellspacing="3" border="0" width="100%">
         <tr>
           <td class="size01 txt02" align="right" width="120">登录名或账号:&nbsp;&nbsp;</td>
           <td align="left" height="32" width="190"><input name="LoginName" id="skey" value=""  class="input_out3" 
           		onfocus="this.className='input_on3';this.onmouseout=''" onblur="this.className='input_off3';this.onmouseout=function(){this.className='input_out3'};" type="text" size="16" /></td>
           <td width="100">&nbsp;</td>
         </tr> 
         <tr>
           <td class="size01 txt02" align="right"  width="120">登录密码:<img src="images/public/wen.gif" alt="请输入您设置的8~14位网银登录密码"/></td>
           <td align="left" height="32">
           		<!-- Re-declares the powerpassword control with the same params as the Objects section;
           		     writePassObject itself is defined elsewhere (not on this page). -->
           		<script type="text/javascript">writePassObject("powerpassword",{"fieldName":"Password","maxLength":"20","minLength":"0","width":"186px","height":"23px","msgBox":"false","maskChar":"*","borderColor":"#7f9db9"});</script>
           </td>
           <td align="left">
           		<!-- href="####" plus inline onclick: a link used as a button (opens pwdHelp.do in a popup). -->
           		<a href="####" class="txt_line txt07" onclick="MM_openBrWindow('pwdHelp.do','个人网上银行常见问题解答','width=640,height=420')">密码输入帮助</a>
           		
          		
          		
                  <!-- Hidden image whose URL repeats the ran value; what tokenImage.xx does is not visible here. -->
                  <img id="image1" src="tokenImage.xx?_timesShowToken=2&ran=063319703" style="display:none"/>
                
           </td>
         </tr>
         
         <tr><td colspan="3" height="10"></td></tr>
         <tr><td colspan="3" align="center">
         <!-- Submit trigger: an image with an inline onclick; doLogin() drives the controls and the post. -->
         <img src="images/public/denglu_1.gif"  onclick="doLogin();"  style="cursor: hand"/>&nbsp;&nbsp;&nbsp;&nbsp;
         </td></tr>
       </table>
    </td></tr>
    <tr><td height="23"></td></tr>
    <tr><td class="txt08" align="center"><a href="FP320501.do" class="txt07 txt_line">找回登录名</a> | <a href="FP320301.do" class="txt07 txt_line">忘记登录密码</a> | <a href="FP990101.do?ident=gr&idper=ds" class="txt07 txt_line">我要开通网银</a> </td></tr>
  </table>
  <!-- end login area -->
  </td>
</tr>
</table>


</form>

Sample Form

  • username = 11111111
  • password = 22222222
<entry method="POST" url="https://www.cebbank.com/per/perlogin1.do">
    <timestart>2014-06-19T06:00:43.594Z</timestart>
    <timeend>2014-06-19T06:00:44.064Z</timeend>
    <duration>0.470 s</duration>
    <processname>C:\Program Files\Internet Explorer\iexplore.exe</processname>
    <result>200 OK</result>
    <size>0</size>
    <stage>REQUEST_CLOSE</stage>
    <mimetype>text/html</mimetype>
    <redirecturl/>
    <requestCamefromCache>False</requestCamefromCache>
    <responseCamefromCache>False</responseCamefromCache>
    <requestobjectname>/per/perlogin1.do</requestobjectname>
    <winet_sr_result>True</winet_sr_result>
    <winet_sr_errormessage/>
    <bodySize>9333</bodySize>
    <Web_PageID>0</Web_PageID>
    <PageTitle/>
    <Socket_SendSize>0</Socket_SendSize>
    <Socket_RecvSize>0</Socket_RecvSize>
    <Starred>False</Starred>
    <Comment/>
    <headers>
      <requestheaders>
        <header>POST /per/perlogin1.do HTTP/1.1</header>
        <header>Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*</header>
        <header>Referer: https://www.cebbank.com/per/prePerlogin.do?_locale=zh_CN</header>
        <header>Accept-Language: en-us</header>
        <header>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)</header>
        <header>Content-Type: application/x-www-form-urlencoded</header>
        <header>Accept-Encoding: gzip, deflate</header>
        <header>Host: www.cebbank.com</header>
        <header>Connection: Keep-Alive</header>
        <header>Cache-Control: no-cache</header>
        <header>Cookie: WT_FPC=id=2b3fd12fcdda9131eb91403212946597:lv=1403212951284:ss=1403212946597; cebmemberbranchcode=3550; cebmemberbranchname=%u5317%u4EAC%u5206%u884C; PERJSESSIONID=t6m9Tv0cW5s9jN7JhXFLBhvsbwnG9h4gLn0pyqKgDp97tnNPxdpC!-2124310495; BIGipServerpool_eb_8005=2366482624.17695.0000</header>
        <header>Content-Length: 388</header>
      </requestheaders>
      <responseheaders>
        <header>HTTP/1.1 200 OK</header>
        <header>Server: Sun-Java-System-Web-Server/7.0</header>
        <header>Date: Thu, 19 Jun 2014 10:01:06 GMT</header>
        <header>Cache-Control: no-cache</header>
        <header>Date: Thu, 19 Jun 2014 09:59:58 GMT</header>
        <header>Pragma: No-cache</header>
        <header>Content-type: text/html; charset=gbk</header>
        <header>Expires: Thu, 01 Jan 1970 00:00:00 GMT</header>
        <header>Content-Language: zh-CN</header>
        <header>X-Powered-By: Servlet/2.5 JSP/2.1</header>
        <header>Connection: Keep-alive</header>
        <header>Via: 1.1 AN-0001544151441131</header>
        <header>Content-Length: 9333</header>
      </responseheaders>
    </headers>
    <content>
      <contentLength>9333</contentLength>
      <mimetype>text/html</mimetype>
    
    </content>
    <cookies>
      <sent>
        <cookie name=" WT_FPC">id=2b3fd12fcdda9131eb91403212946597:lv=1403212951284:ss=1403212946597</cookie>
        <cookie name=" cebmemberbranchcode">3550</cookie>
        <cookie name=" cebmemberbranchname">&#177;&#177;&#190;&#169;&#183;&#214;&#208;&#208;</cookie>
        <cookie name=" PERJSESSIONID">t6m9Tv0cW5s9jN7JhXFLBhvsbwnG9h4gLn0pyqKgDp97tnNPxdpC!-2124310495</cookie>
        <cookie name=" BIGipServerpool_eb_8005">2366482624.17695.0000</cookie>
      </sent>
      <received/>
    </cookies>
    <cache>
      <BeforeRequest>
        <UrlInCache>False</UrlInCache>
      </BeforeRequest>
      <AfterRequest>
        <UrlInCache>False</UrlInCache>
      </AfterRequest>
    </cache>
    <QueryString/>
    <PostData>
      <mimetype>application/x-www-form-urlencoded</mimetype>
      <size>388</size>
      <params>
        <param name="_viewReferer">login/login01</param>
        <param name="_locale">zh_CN</param>
        <param name="version">20140529</param>
        <param name="Password">XQn0aqYKjJeFutYuXaooFuDF7cAU7jAYd4lpIff/qaZOd1gElxbw/ChRmY1mipjeUlpO0lO8FHO13VaeEyaQf54np25wFo6X2t0LlAKKpruupbDHEWas3pVuajAXsuUqsyqSeDqNlsXpckRWdFBopnzoKuggcgkaMLXsyJtGLU8=</param>
        <param name="ran">55924190</param>
        <param name="TransName"/>
        <param name="Plain"/>
        <param name="Signature"/>
        <param name="MerName"/>
        <param name="TransType"/>
        <param name="OperationNo"/>
        <param name="MerDCFlag"/>
        <param name="checkloginflag"/>
        <param name="_tokenName">z90qww5h</param>
        <param name="LoginName">11111111</param>
      </params>
    </PostData>
  </entry>

API Calls

CryptImportKey(blob)
CryptEncrypt(NULL, 8) -> 128 (128 bytes required)
CryptEncrypt(password, 8) -> encrypted pw
encrypted pw:
0x03310BD0 D3 5F 47 03 22 A3 0D FA 0C DC 3D BE 06 43 E8 06 ._G.".....=..C..
0x03310BE0 AF 4D E3 85 80 04 6F 38 46 80 AC F7 E5 79 23 6C .M....o8F....y#l
0x03310BF0 87 E0 D9 81 2B E7 EC 2B AE B7 BB 19 9B A4 13 68 ....+..+.......h
0x03310C00 E9 2B B3 64 80 DE E4 66 66 10 BF D5 56 2A 4E BC .+.d...ff...V*N.
0x03310C10 56 E4 47 66 7E 16 D7 DB 66 B7 05 43 BC AF D6 95 V.Gf~...f..C....
0x03310C20 AA AD 37 31 0D DE E7 37 7E 71 D2 43 CE 65 1B EB ..71...7~q.C.e..
0x03310C30 A4 03 03 D7 77 C7 7B A7 41 EA 51 B4 65 70 AD 08 ....w.{.A.Q.ep..
0x03310C40 63 B3 63 21 84 05 37 F8 6D 2E 74 3C 1A 6A E0 C8 c.c!..7.m.t<.j..

0x03332BA0 EC 3D A5 ED 3E B1 D7 59 60 9D 36 BA AC CB 22 EA .=..>..Y`.6...".
0x03332BB0 87 15 9A BB 73 D4 39 82 DB 07 3D 66 E7 28 E5 BF ....s.9...=f.(..
0x03332BC0 6B 2E 0F C9 5E 23 9D 34 DC D2 D7 F3 99 20 A5 1E k...^#.4..... ..
0x03332BD0 56 41 97 F9 38 94 60 A4 7B 36 90 CF 78 99 EA 87 VA..8.`.{6..x...
0x03332BE0 4F 7E 3E 61 68 D8 C4 8E FD ED D3 DF FD 82 38 A1 O~>ah.........8.
0x03332BF0 0B 18 29 14 41 D6 FC C5 3C 3B 6A D1 61 97 17 57 ..).A...<;j.a..W
0x03332C00 E2 D2 F9 0E 11 57 4A AB 16 60 0F 3C 2D 4F DD 07 .....WJ..`.<-O..
0x03332C10 2B 57 5A 49 3C D2 F4 DF F8 A0 E1 2D 4A DB BF 25 +WZI<......-J..%
CryptGenRandom(10) -> random
random:
00000000  c8 a4 67 20 dc ef ad ef  6b 79                    |..g ....ky|
00000000  d1 f9 3e 73 dc c6 ec f6  47 60                    |..>s....G`|
CryptCreateHash(MD5)
CryptHashData(key1, 21)
key1: "csii_powerenter_jason"
0x035092F8 63 73 69 69 5F 70 6F 77 65 72 65 6E 74 65 72 5F csii_powerenter_
0x03509308 6A 61 73 6F 6E                                  jason           
CryptDeriveKey(RC4, key1) -> dkey1

CryptEncrypt(dkey1, key2, 16) -> encrypted key2
key2: = base64(random)
0x009AAC78 79 4B 52 6E 49 4E 7A 76 72 65 39 72 65 51 3D 3D yKRnINzvre9reQ==
0x0330FD70 30 66 6B 2B 63 39 7A 47 37 50 5A 48 59 41 3D 3D 0fk+c9zG7PZHYA==

encrypted key2: = RC4_encrypt(MD5("csii_powerenter_jason"), base64(random))
0x009AAC78 D2 5B D6 88 DA F1 04 C6 97 0B 46 48 5F 07 84 D6 .[........FH_...
0x0330FD70 9B 76 EF CD F0 86 04 F7 D2 3E 25 72 63 17 84 D6 .v.......>%rc...

CryptHashData(key1, 21)
CryptDeriveKey(RC4, key1) -> dkey1
CryptDecrypt(dkey1, sth, 16) -> decrypted sth
sth: = encrypted key2
0x03309EC8 EE 42 D4 D1 D5 C5 4D DC 91 3E 4E 70 58 31 84 D6 .B....M..>NpX1..
decrypted sth: = base64(random) = key2
0x03309EC8 45 52 50 37 46 7A 33 6C 74 50 31 4A 62 67 3D 3D ERP7Fz3ltP1Jbg==

submit pw: = base64(reverse(encrypted pw))
Jb/bSi3hoPjf9NI8SVpXKwfdTy08D2AWq0pXEQ750uJXF5dh0Wo7PMX81kEUKRgLoTiC/d/T7f2OxNhoYT5+T4fqmXjPkDZ7pGCUOPmXQVYepSCZ89fS3DSdI17JDy5rv+Uo52Y9B9uCOdRzu5oVh+oiy6y6Np1gWdexPu2lPew=
00000000  25 bf db 4a 2d e1 a0 f8  df f4 d2 3c 49 5a 57 2b  |%..J-......<IZW+|
00000010  07 dd 4f 2d 3c 0f 60 16  ab 4a 57 11 0e f9 d2 e2  |..O-<.`..JW.....|
00000020  57 17 97 61 d1 6a 3b 3c  c5 fc d6 41 14 29 18 0b  |W..a.j;<...A.)..|
00000030  a1 38 82 fd df d3 ed fd  8e c4 d8 68 61 3e 7e 4f  |.8.........ha>~O|
00000040  87 ea 99 78 cf 90 36 7b  a4 60 94 38 f9 97 41 56  |...x..6{.`.8..AV|
00000050  1e a5 20 99 f3 d7 d2 dc  34 9d 23 5e c9 0f 2e 6b  |.. .....4.#^...k|
00000060  bf e5 28 e7 66 3d 07 db  82 39 d4 73 bb 9a 15 87  |..(.f=...9.s....|
00000070  ea 22 cb ac ba 36 9d 60  59 d7 b1 3e ed a5 3d ec  |."...6.`Y..>..=.|
00000080

ran: 75915681
token: k1ssjcn1


Conclusion

submit pw = base64(reverse(encrypted pw)), where encrypted pw is the password encrypted with the public key in blob via CryptEncrypt(); the random value is not used in the submitted password.