Cracking the Lock-Screen Password of an Android Image
煤矿路口西


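Preparation

First, we need to build an Android image by hand.

Here we use the convenient NoxPlayer emulator ("夜神模拟器") to create an Android image directly and set a lock-screen password on it.

[Image: make_1]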

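Cracking process

Open the vmdk file in Forensics Master (取证大师) and locate the following files (分区3 is partition 3):

nox_2-disk2.vmdk/分区3/system/device_policies.xml

nox_2-disk2.vmdk/分区3/system/gatekeeper.password.key

nox_2-disk2.vmdk/分区3/system/gatekeeper.pattern.key

[Image: make_2]

From device_policies.xml we learn that the unlock pattern has a length of 9.

[Image: make_3]

We can also see that the password consists only of digits.

On this basis, I personally believe that, besides pattern passwords, other kinds of passwords can also feasibly be brute-forced.

Drawing on the scrypt-hash algorithm (GitHub - dannycoates/scrypt-hash: node bindings for crypto_scrypt), I improved the m-pass-hash.py given in the article, with the following result: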

#!/usr/bin/python
# -*- coding:utf-8 -*-
import struct
import pyscrypt

# scrypt parameters
N = 16384
r = 8
p = 1

# Read the gatekeeper.pattern.key file
with open('gatekeeper.pattern.key', 'rb') as f:
    blob = f.read()
s = struct.Struct('<' + '17s 8s 32s')
(meta, salt, signature) = s.unpack_from(blob)  # extract the key fields

# Read the dictionary
with open('password.txt', 'r') as f1:
    lines = f1.readlines()

for data in lines:
    password = data.strip()
    print password
    # Combine the meta bytes with the password read from the dictionary
    to_hash = meta + password
    digest = pyscrypt.hash(to_hash, salt, N, r, p, dkLen=32)
    print 'signature %s' % signature.encode('hex')
    print 'Hash: %s' % digest[0:32].encode('hex')  # first 32 bytes of the hash
    print 'Equal: %s' % (digest[0:32] == signature)
    if digest[0:32] == signature:  # stop as soon as they match
        print("OK")
        exit()
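
The key-file layout that the script above unpacks with '17s 8s 32s', split into named fields (an added example in Python 3, not code from the original post). The field names and the trailing hardware_backed byte are assumptions taken from AOSP's password_handle_t structure, and the sample handle is constructed.

```python
import struct
from collections import namedtuple

# Assumed layout (AOSP's packed password_handle_t; not shown on the page):
# version u8 | user_id u64 | flags u64 | salt 8 bytes | signature 32 bytes | hardware_backed u8
HANDLE = struct.Struct('<B Q Q 8s 32s B')
META_LEN = 17  # version + user_id + flags, the bytes the page's script calls `meta`

Handle = namedtuple(
    'Handle', 'version user_id flags meta salt signature hardware_backed')


def parse_handle(blob):
    """Split a gatekeeper.*.key blob into named fields, rejecting short input."""
    if len(blob) < HANDLE.size:
        raise ValueError('need %d bytes, got %d' % (HANDLE.size, len(blob)))
    version, user_id, flags, salt, signature, hw = HANDLE.unpack_from(blob)
    return Handle(version, user_id, flags, blob[:META_LEN],
                  salt, signature, bool(hw))


def is_software_only(handle):
    """True when the handle records no hardware-backed gatekeeper."""
    return not handle.hardware_backed


def build_sample():
    """Constructed 58-byte handle (made-up values, not from a real device)."""
    return HANDLE.pack(2, 0x1122334455667788, 0, b'\xaa' * 8, b'\xbb' * 32, 0)


if __name__ == '__main__':
    h = parse_handle(build_sample())
    print('version=%d user_id=%#x flags=%d' % (h.version, h.user_id, h.flags))
    print('salt=%s' % h.salt.hex())
    print('signature=%s' % h.signature.hex())
    print('software only: %s' % is_software_only(h))
```

A handle with hardware_backed set is signed with a key kept in secure hardware rather than in the file system, so the comparison in the script above applies to software-only handles such as the one an emulator image produces.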

The password.txt read by the cracking script is simply every permutation of the digits 1-9 with no digit repeated:

from itertools import permutations

# Write every ordering of the digits 1-9 with no repeated digit, one per line.
# permutations() yields them in the same order as nine nested loops would.
with open('password.txt', 'w') as file1:
    for digits in permutations("123456789"):
        file1.write(''.join(digits) + '\n')

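The result of running it (python2) is as follows:

[Image: make_4]

This tells us that the lock-screen password is 124578963,

which corresponds to the following pattern:

[Image: make_5]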

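  • Title: Cracking the Lock-Screen Password of an Android Image
  • Author: 煤矿路口西
  • Created: 2021-09-21 11:06:50
  • Link: http://www.mklkx.xyz/2021/09/21/破解Android镜像锁屏密码/
  • Copyright notice: Unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!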