之前僅僅介紹了工具的使用����,本文將實(shí)踐一下如何利用 cycript 結(jié)合 class-dump 結(jié)果 hack,還要犧牲一下支付寶 App ���。
首先�����,老套路�,取到手勢(shì)解鎖界面的 View Controller:
cy# var app = [UIApplication sharedApplication]
@"<DFApplication: 0x1666c960>"
cy# var keyWindow = app.keyWindow
@"<UIWindow: 0x16591bd0; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x1b047000>; layer = <UIWindowLayer: 0x165d0650>>"
cy# var root = keyWindow.rootViewController
@"<UINavigationController: 0x179779a0>"
cy# var visible = root.visibleViewController
@"<GestureUnlockViewController: 0x165de090>"
然后����,對(duì)照 class-dump-z 結(jié)果,來(lái)分析 GestureUnlockViewController 有什么利用價(jià)值 :
@interface GestureUnlockViewController : DTViewController <UIAlertViewDelegate, GestureHeadImageViewDelegate> {
@private
GestureHeadImageView* _headImageView;
GestureTipLabel* _tipLabel;
GestureInputView* _inputView;
DTButton* _forgetButton;
DTButton* _changeAccountButton;
int _retryCount;
UIView* _guideView;
id<GestrueViewControllerDelegate> _delegate;
}
@property(assign, nonatomic) __weak id<GestrueViewControllerDelegate> delegate;
-(void).cxx_destruct;
-(BOOL)shouldAutorotateToInterfaceOrientation:(int)interfaceOrientation;
-(void)headClicked;
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
-(void)gestureInputViewFirstEffectiveTouch:(id)touch;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)actionChangeAccountToLogin;
-(void)actionResetPswBtnClick;
-(void)resetCurrentUser;
-(void)resetPsw;
-(void)viewWillDisappear:(BOOL)view;
-(void)notifyFaceToFacePayReceivedData:(id)facePayReceivedData;
-(void)viewWillAppear:(BOOL)view;
-(void)breakFirstRun;
-(BOOL)isFirstRun;
-(void)guideViewClicked:(id)clicked;
-(void)viewDidLoad;
-(void)viewWillLayoutSubviews;
@end
目測(cè) _tipLabel 是寫(xiě)賬戶(hù)名和提示操作的 label ���,上篇文章我提到過(guò):@private 限制不了 keyPath ����,現(xiàn)在我們來(lái)修改一下支付寶登錄頁(yè)的用戶(hù)名信息:
cy# [visible setValue:@"Test By yiyaaixuexi" forKeyPath:@"_tipLabel.text"]
http://wiki.jikexueyuan.com/project/ios-security-defense/images/hack-practice.png" alt="hack-practice" />
支付寶手勢(shì)密碼解鎖有嘗試次數(shù)限制�,連續(xù)錯(cuò) 5 次就要重新登錄��。
我想解除重試解鎖次數(shù)的限制����,發(fā)現(xiàn)了記錄解鎖次數(shù)的類(lèi)型是 int �����,int _retryCount �,這一點(diǎn)讓我很不開(kāi)心���,因?yàn)槲覠o(wú)法通過(guò) KVC 來(lái)修改其值了����。
但是沒(méi)有關(guān)系�����,我可以通過(guò)指針訪(fǎng)問(wèn):
cy# visible->_retryCount = 0
0
這樣我就能無(wú)限制的用程序暴力破解手勢(shì)密碼了�,來(lái)計(jì)算一下有多少種可能呢?
http://wiki.jikexueyuan.com/project/ios-security-defense/images/hack-practice2.png" alt="hack-practice2" />
這個(gè)數(shù)字對(duì)我來(lái)說(shuō)有點(diǎn)大�����,可是對(duì) iPhone5 的 CPU 來(lái)說(shuō)就是小菜一碟了~
等一下,密碼格式是什么呢��?
-(void)gestureInputView:(id)view
didFinishWithPassword:(id)password;
id 類(lèi)型的密碼���,很?chē)?yán)謹(jǐn)��,又給 hack 帶來(lái)不少麻煩呀~
不過(guò)沒(méi)關(guān)系�����,我們可以利用 Method Swizzling 來(lái)打出 password 到底是什么���,不過(guò)呢,貌似可以再寫(xiě)一篇新文章去介紹了……
