破解Android镜像锁屏密码
煤矿路口西 Lv4
 2021-09-21 11:06:50    656 字  3 分钟  

破解Android镜像锁屏密码

制作准备

首先我们需要手动制作一个Android镜像。

此处我们采用方便的“夜神模拟器”直接创建一个安卓镜像,并设置锁屏密码

make_1

破解过程

取证大师打开vmdk文件

nox_2-disk2.vmdk/分区3/system/device_policies.xml

nox_2-disk2.vmdk/分区3/system/gatekeeper.password.key

nox_2-disk2.vmdk/分区3/system/gatekeeper.pattern.key

make_2

根据device_policies.xml文件中,我们得到该解锁图案的长度为9

make_3

同时我们可以看到密码由纯数字构成。

在此基础上,个人认为除了图案密码,其他的密码也有了爆破的可行性。

结合scrypt-hash算法GitHub - dannycoates/scrypt-hash: node bindings for crypto_scrypt,对文中给出的m-pass-hash.py进行改进后

#!/usr/bin/python
# -*- coding:utf-8 -*-
import struct
import binascii
import pyscrypt

N = 16384
r = 8
p = 1

f = open('gatekeeper.pattern.key', 'rb')  # 读取gatekeeper.pattern.key文件
blob = f.read()
s = struct.Struct('<' + '17s 8s 32s')
(meta, salt, signature) = s.unpack_from(blob)  # 提取其中关键的信息

f1 = open('password.txt', 'r')  # 读取字典
lines = f1.readlines()
for data in lines:
    password = data.strip()
    # print meta
    to_hash = meta
    # print to_hash
    print password
    # print signature
    to_hash += password # 将字典中读取的密码和meta信息组合成to_hash
    hash = pyscrypt.hash(to_hash, salt, N, r, p, dkLen=32)
    print 'signature  %s' % signature.encode('hex')

    print 'Hash:      %s' % hash[0:32].encode('hex')  # 取hash值的前32位

    print 'Equal:     %s' % (hash[0:32] == signature)


    if hash[0:32] == signature:  # 如果相同,程序结束
        print("OK")
        exit()

其中的password.txt实际是不重复的1-9的全排列:

file1=open('password.txt','a')
for a in "123456789":
    for b in "123456789":
        for c in "123456789":
            for d in "123456789":
                for e in "123456789":
                    for f in "123456789":
                        for g in "123456789":
                            for h in "123456789":
                                for i in "123456789":
                                    if a != b and a != c and a != d and a != e and a != f and a!= g  and a != h  and a !=i\
                                            and b != c and b!= d and  b != e and b != f and b!= g  and b != h  and b !=i\
                                            and c != d and c != e and c != f and c!= g  and c != h and c !=i\
                                            and d != e and d != f and d!= g and d != h and d !=i\
                                            and e != f and e!= g  and e != h and e !=i\
                                            and f != g  and f != h and f !=i\
                                            and g != h and g !=i\
                                            and h != i:
                                        password = a + b + c + d + e + f + g + h + i
                                        file1.write(password+'\n')
file1.close()

运行结果如下(python2)

make_4

从而知道锁屏密码为124578963

对应到图案为

make_5

  • 本文标题:破解Android镜像锁屏密码
  • 本文作者:煤矿路口西
  • 创建时间:2021-09-21 11:06:50
  • 本文链接:http://www.mklkx.xyz/2021/09/21/破解Android镜像锁屏密码/
  • 版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!