Lock screen cipher algorithm parsing and decoding scheme in Android

First, preface

Recently played King Glory, downloaded an auxiliary sample, the result was locked machine, of course, crack it is very simple, this later will be detailed analysis of this sample, but because this sample triggered by the desire is to parse the Android lock screen cipher algorithm, and then use an efficient way to make the lock machine malicious samples. Now the lock machine sample principle is too complex, meaningless. So this article first introduces the lock screen cipher algorithm principle in Android.

Second, lock screen password mode

We know that there are two main types of lock screen passwords supported in Android:

One is the gesture password , which is our common nine Gongge cipher map.

one is to enter a password , which is also divided into pin password and complex character password, and pin password is four-bit digital password is relatively simple.

Of course, there is also a high-level fingerprint password, this is not the scope of this study. We only look at gesture password and input password algorithm parsing.

Analysis of cryptographic algorithms

How we find the breakthrough, in fact, is very simple, in the setting of the lock Screen password interface, tool analysis to get the current view class, and then step by step into, Finally back to a lock screen password tool class: Lockpatternutils.java, because each version may be implemented logically different, here I use 5.1 of the source for analysis, after finding this class, direct analysis can.

first, the Input cipher algorithm analysis

First, let's analyze the input cipher algorithm analysis:

Here there is a method: Passwordtohash method, the parameters for the user input password and the current user corresponding ID, the general device will not have multiple users, so here the general UserID default is 0, the following is the most core encryption algorithm: original password + The salt value of the device, then respectively MD5 and SHA-1 operation, converted to hex value again splicing is finally saved to the local encryption password . And now the most important thing is how to get the salt value of the device, this can be step-by-step tracking code:

To view the GetSalt method, he first takes the salt value from one place according to the field key: Lockscreen.password_salt, and if it finds that the value is 0, randomly generates one and saves it to that place. Finally, the salt is converted to a hex value. Now you need to find this place and continue to follow the code:

Here the conjecture should be saved in a database, continue to follow the code:

This is done through the SM to get a service to operate, we have already played the SM all rotten, such as the acquisition of services, the final implementation of the logic is in the Xxxservice class , So here should be the Locksettingsservice.java class, find this class and see his Getlong method:

In fact, it is very certain that the database is saved, continue to follow the code:

Here it is. Save to a database, we continue to view the Locksettingstorage.java class:

Here you see, the database name is:locksettings.db, then where is he saved? Keep looking at this class:

See there are two key files, then this is used to save the encrypted gesture password and enter the password information to the local, the next time the power-on unlock will need to read this file content for password comparison. Here you see a directory is the system, so the database and the two key files are likely to be saved to the directory:/data/system/, but to ensure that we directly use the Find command to the root directory to search the database file is also possible. The final confirmation is the directory:

You may be prompted for the Find command, and you need to install the BusyBox tool to use this command. Find this database file is good to do, take it out directly, and then use the SQLite tool to view it, of course, can also be viewed directly on the phone. For convenience or to come out:

Here we see this table field, and get to this value, then the following will use this value to verify that our analysis is correct, we first set a simple input password for the device, here directly enter the simple "1234", and then in the/data/ The system directory generates a password encryption key file:/data/system/password.key, this time we will change the file guide:

Below I use the simple Java code to implement this algorithm manually, to see if the analysis is correct, the encryption algorithm does not have to write their own, directly from the above source code copied out can be:

Then the salt value here is what we get from the database, but remember to do a hex conversion:

Then we use the "1234" password to generate the information after the encryption:

Run a direct look at the result:

Here found the content and the above Password.key content exactly the same, also verified that our analysis is completely in line with, here we analyzed the input password encryption algorithm, summed up is: MD5 (input plaintext password + device salt). HEX+SHA1 (enter plaintext password + device's salt). Hex; is the final encrypted content. And here the most important thing is how to get the salt value of the device, this is actually simple, we can use the reflection mechanism to obtain, create a simple Android project:

So we don't have to look at the database to get the salt, so it's quick and easy:

This is the value after the Long value in the database is converted to hex.

second, gesture cipher algorithm analysis

The following continues to parse the gesture password, the code is still in Lockpatternutils.java:

This algorithm is relatively simple, that is, nine lattice pattern into a byte array, and then SHA1 encryption, about nine Gongge no longer say, starting from 0 clockwise count to 8, similar to the following:

Here to see the code, there are rows and columns of the points, so for example, L shape gesture password should be: 00 03 06 07 08, such a composition of five length of bytes. Here to verify that the gesture password is correct, we set a simple gesture password:

Then in the/data/system directory to generate a password file:/data/system/gesture.key, get out with binary tools to view, otherwise you may see is garbled, here is the 010Editor tool to view:

In order to maximize the reduction algorithm, we still copy the source code, and then define a gesture nine Gongge class, constructs the point data of this gesture:

This is the source code encryption algorithm, the following constructs the gesture point data:

The gesture point should be: 00 01 02 05 08, Print to see the results:

Very excited to find, exactly the same, so the perfect analysis, Android system lock screen password encryption algorithm. Here again to summarize the two ways to lock screen password algorithm:

The first type: input cipher algorithm

Enter the plaintext password + The salt value of the device, then manipulate MD5 and SHA1 after the conversion to hex value for stitching, the final encryption information is saved to the local directory:/data/system/password.key

The second type: gesture cipher algorithm

Convert the point data in the nine Gongge gesture password into the corresponding byte array, and then directly SHA1 the encryption. The final encrypted information is saved to the local directory:/data/system/gesture.key

Four, lock screen password cracking

The above analysis of the Android lock screen password encryption algorithm principle, the following simple analysis, how to hack the lock screen password in Android.

The first type: input cipher algorithm

If this is for the pin type password, just a simple four-digit password, then all the combination is 10,000, this time we only need to encrypt the 10,000 password through the encryption algorithm to generate a password vault can be easily cracked. If it is a complex input password then it is not so simple, this may require a very nasty brute force, as the length of the password increases, the crack time will be very large. However, the general user password will not be very long.

The second type: gesture cipher algorithm

In fact, someone on the net has given a password library, because the nine Gongge pattern can be all calculated, and then convert it into byte data, in the encryption algorithm encryption can generate a gesture cipher library. Specific information can be self-search online.

Here, some students will have some bad ideas, such as picking up a mobile phone or to check the password of the wife's mobile phone, whether it can be directly cracked its password? The general idea should be very simple, first put the device root, because we see above analysis will find that if you want to read the key file, must have root permission, of course, the root operation in the corresponding system version still have method operation. If Root succeeds, then get his salt value, then use the password vault to start brute force. Of course this is silent will not be found to crack, but you root has actually been found Haha, if you are picking up a cell phone, in fact, not so laborious, directly delete the key file, this time you enter a password can be unlocked, this because the system in check password when found key file does not exist , I think this device does not have a password lock, so you can enter anything to unlock.

Unfortunately, the above is said to be nonsense, because you in this series of operations before you must have a recognition, that is the device connection allow box, we will be the first time the phone connected to the computer will be a license box, if you do not authorize, then nothing can be done. Unless this is the time to exploit the great loophole, it is generally impossible. So now the problem is that you picked up a cell phone, of course, happy to insert into the computer hack will find that the first unlock, and then to see the authorization box, so it is tragic. You can't do anything. It is honest to return the cell phone to others, to be a great citizen is the right path.

Attention:

For this encryption algorithm system will not change in a system version, because you want to if the encryption algorithm changed, add 4.4 users to upgrade to 5.0, the results found that the encryption algorithm changed, the phone unlock failed, the user will be crazy, I page view 2.3 of the code, the algorithm is identical. So the algorithm is compiled a Java project on GitHub, interested students can download view or directly use the operation. Changes may be the salt value of the device, or the database file. But the encryption algorithm is not changed.

Encryption algorithm Source: HTTPS://GITHUB.COM/FOURBROTHER/ANDROIDSCREENOFFPWD

V. Summary

I believe that everyone reading this article is eager to try it manually, before the operation must remember to get your device's salt value, this way there are two, one is to view the/data/system/locksetting.db file, one is to use reflection to obtain . Then pay attention to the source version, this article is about the 5.1 version and 5.1 devices to operate, so you must pay attention to the version of the operation, but the version is different, such an algorithm will not change.

Lock screen cipher algorithm parsing and decoding scheme in Android