There is no commentSelect some text and then click Comment, or simply add a comment to this page from below to start a discussion.
HackMDzer0pts CTF forensicsWe're given an Android disk image. Our goal is to find the pattern lock.
Since this is an old version of Android (KitKat), we can recover the pattern from /data/system/gesture.key.
gesture.key uses SHA1 hash.
You can write a simple brute-force script.
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
#define MAX_LENGTH 9
void sha1(unsigned char *data, unsigned char *hash, int len) {
SHA_CTX c;
SHA1_Init(&c);
SHA1_Update(&c, data, len);
SHA1_Final(hash, &c);
}
long crack(unsigned char *target, int len, int depth, unsigned long code) {
int i;
long result;
unsigned long c = code;
unsigned char hash[SHA_DIGEST_LENGTH];
unsigned char data[MAX_LENGTH];
if (depth == len) {
for (i = 0; i < len; i++) {
data[i] = c % 10;
c /= 10;
}
sha1(data, hash, len);
if (strncmp(target, hash, SHA_DIGEST_LENGTH) == 0) {
return code;
} else {
return -1;
}
} else {
for (i = 0; i < 10; i++) {
result = crack(target, len, depth + 1, code * 10 + i);
if (result != -1) break;
}
}
return result;
}
int main(void) {
int l, i;
unsigned char target[SHA_DIGEST_LENGTH];
long result;
FILE *fp = fopen("./gesture.key", "rb");
if (fp == NULL) {
perror("gesture.key");
return 1;
}
l = fread(target, SHA_DIGEST_LENGTH, 1, fp);
for(l = 1; l <= MAX_LENGTH; l++) {
result = crack(target, l, 0, 0);
if (result == -1) {
printf("[-] Failed: len=%d\n", l);
} else {
printf("Code: ");
for(i = 0; i < l; i++) {
printf("%c", (char)(0x30 + (result % 10)));
result /= 10;
}
putchar('\n');
fclose(fp);
return 0;
}
}
puts("Solution not found :(");
fclose(fp);
return 1;
}
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up