Dlan
Posted 2014-6-9 19:50
This post was last edited by Dlan on 2014-6-9 21:21
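【Title】: Cracking 机智的卷纸
【Author】: dlan
【Author e-mail】: a@lcx.cc
【Author homepage】: None
【Author QQ】: None
【Software name】: 机智的卷纸
【Packer】: None
【Language】: Java
【Tools】: ApkIDE
【About the software】: Nothing much to say...
【Author's statement】: This is for technical exchange only, with no other purpose. Please point out any mistakes!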
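机智的卷纸 is a real "goodies" app; search Baidu for what it actually does.
The only paid feature is enabling remote browsing, which costs points. After decompiling 机智的卷纸, the code turns out to be obfuscated.
Open the app's remote browsing and it prompts: 赚取积分(剩下0积分) ("Earn points (0 points left)").
Then, in ApkIDE, search for the Unicode form of 剩下 ("left"), which leads to the pointChanged() method:
D:\ApkIDE3.1\ApkIDE\Work\com.lumu.bdy\smali\fragment\Fragment_WebServer.smali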
    # The method name gives it away: "point changed"
    .method private pointChanged()V
        .locals 3
        .prologue
        .line 58
        iget-object v0, p0, Lfragment/Fragment_WebServer;->wall:Landroid/widget/Button;
        new-instance v1, Ljava/lang/StringBuilder;
        const-string v2, "赚取"
        invoke-direct {v1, v2}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
        iget-object v2, p0, Lfragment/Fragment_WebServer;->name:Ljava/lang/String;
        invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v1
        const-string v2, "(剩下"
        invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v1
        iget-object v2, p0, Lfragment/Fragment_WebServer;->context:Landroid/content/Context;
        # Right after "剩下": calls the static method getPoints of OffersManager with
        # context as its argument. Judging by the name it fetches the points, which
        # then go into the text of wall, a Button.
        invoke-static {v2}, Lcom/baidu/mobads/appoffers/OffersManager;->getPoints(Landroid/content/Context;)I
        move-result v2
        invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;
        move-result-object v1
        .line 59
        iget-object v2, p0, Lfragment/Fragment_WebServer;->name:Ljava/lang/String;
        invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v1
        const-string v2, ")"
        invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v1
        invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
        move-result-object v1
        .line 58
        invoke-virtual {v0, v1}, Landroid/widget/Button;->setText(Ljava/lang/CharSequence;)V
        .line 60
        return-void
    .end method
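The corresponding Java:

    private void pointChanged()
    {
        // Builds the button text: "赚取" = "Earn", "(剩下" = "(remaining"
        this.wall.setText("赚取" + this.name + "(剩下" + OffersManager.getPoints(this.context) + this.name + ")");
    }

It looks like this only fetches the points, so I won't follow it for now. Keep looking for the check that enables remote access; scrolling down leads to the onClick method: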
    .method public onClick(Landroid/view/View;)V
        .locals 6
        .param p1, "v" # Landroid/view/View;
        .prologue
        const/4 v5, 0x5
        const/4 v4, 0x0
        .line 90
        invoke-virtual {p1}, Landroid/view/View;->getId()I
        move-result v2    # store the result of getId() in v2
        packed-switch v2, :pswitch_data_0    # switch statement
        # ....... omitted .......
        const/4 v5, 0x5    # v5 = 5
        # ....... omitted .......
        invoke-static {v2}, Lcom/baidu/mobads/appoffers/OffersManager;->getPoints(Landroid/content/Context;)I
        move-result v1    # the return value of getPoints goes into v1
        .line 116
        .local v1, "point":I
        if-ge v1, v5, :cond_3    # conditional: jump to cond_3 if v1 >= v5; we follow cond_3
        .line 117
        new-instance v2, Ljava/lang/StringBuilder;
        iget-object v3, p0, Lfragment/Fragment_WebServer;->name:Ljava/lang/String;
        invoke-static {v3}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
        move-result-object v3
        invoke-direct {v2, v3}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
        const-string v3, "不足,无法启动"
        invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v2
        invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
        move-result-object v2
        invoke-static {v2}, Lbase/BaseApplication;->toast(Ljava/lang/String;)V
        goto :goto_1
        .line 120
        :cond_3    # we land here; judging by the strings, this is the right place
        iget-object v2, p0, Lfragment/Fragment_WebServer;->context:Landroid/content/Context;
        invoke-static {v2, v5}, Lcom/baidu/mobads/appoffers/OffersManager;->subPoints(Landroid/content/Context;I)Z
        .line 121
        new-instance v2, Ljava/lang/StringBuilder;
        const-string v3, "启动成功,5"
        invoke-direct {v2, v3}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
        iget-object v3, p0, Lfragment/Fragment_WebServer;->name:Ljava/lang/String;
        invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v2
        const-string v3, "离你而去~"
        invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
        move-result-object v2
        invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
        move-result-object v2
        invoke-static {v2}, Lbase/BaseApplication;->toast(Ljava/lang/String;)V
        .line 122
        iget-object v2, p0, Lfragment/Fragment_WebServer;->server:Lserver/Server;
        const/4 v3, 0x1
        invoke-virtual {v2, v3}, Lserver/Server;->allowAccess(Z)V
        goto/16 :goto_0
        .line 90
        nop
        :pswitch_data_0
        .packed-switch 0x7f07002e
            :pswitch_0
        .end packed-switch
    .end method
The corresponding Java:

    public void onClick(View paramView)
    {
        switch (paramView.getId())
        // ........ omitted ........
        if (OffersManager.getPoints(this.context) < 5)
        {
            // "不足,无法启动" = "insufficient, cannot start"
            BaseApplication.toast(this.name + "不足,无法启动");
            return;
        }
        OffersManager.subPoints(this.context, 5);
        // "启动成功,5 ... 离你而去~" = "Started successfully, 5 ... have left you~"
        BaseApplication.toast("启动成功,5" + this.name + "离你而去~");
        this.server.allowAccess(true);
        // ........ omitted ........
    }

So all we need to do is make v1 greater than v5, or change the logic.
After the modification:

    .line 116
    .local v1, "point":I
    const v1, 0x6
    if-ge v1, v5, :cond_3

Or:

    .line 116
    .local v1, "point":I
    if-le v1, v5, :cond_3

APK attached:
Link: http://pan.baidu.com/s/1c0w4TQ4 Password: 6vqw
Opcode reference table attached:
http://www.blogjava.net/midea0978/archive/2012/01/04/367847.html
Writing this up took effort, and rating the post does not cost you any CB! Thanks!
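
For the defender's side of the same change, here is a small triage script (an added example, not part of the original post) that compares the points gate of a reference build with a suspect repackaged build and reports both modifications shown above. The smali samples are constructed from the post's listing, and the function names `instructions`, `gates` and `compare` are hypothetical.

```python
import re

# Constructed sample: the points gate from onClick() as listed in the post.
ORIGINAL = """
    const/4 v5, 0x5
    invoke-static {v2}, Lcom/baidu/mobads/appoffers/OffersManager;->getPoints(Landroid/content/Context;)I
    move-result v1
    .line 116
    .local v1, "point":I
    if-ge v1, v5, :cond_3
"""
# The two modified variants shown in the post.
PATCH_A = ORIGINAL.replace("if-ge", "const v1, 0x6\n    if-ge")
PATCH_B = ORIGINAL.replace("if-ge", "if-le")

BRANCH = re.compile(r"^(if-\w+)\s+(\w+),\s*(\w+),\s*(:\w+)$")
CONST = re.compile(r"^const\S*\s+(\w+),")

def instructions(smali):
    """Strip trailing '#' comments; drop blank lines, directives and comment lines."""
    lines = (line.split(" #", 1)[0].strip() for line in smali.splitlines())
    return [l for l in lines if l and not l.startswith((".", "#"))]

def gates(smali):
    """For each two-register branch, record its opcode, target and whether each
    compared register was last written by a constant load or by a call result."""
    last_writer, found = {}, []
    for ins in instructions(smali):
        if m := CONST.match(ins):
            last_writer[m.group(1)] = "const"
        elif ins.startswith("move-result"):
            last_writer[ins.split()[1]] = "call"
        elif m := BRANCH.match(ins):
            op, a, b, target = m.groups()
            found.append((op, target, last_writer.get(a), last_writer.get(b)))
    return found

def compare(reference, suspect):
    """List the differences between the gates of a reference and a suspect method."""
    ref_gates, sus_gates = gates(reference), gates(suspect)
    findings = []
    if len(ref_gates) != len(sus_gates):
        findings.append("number of conditional branches changed")
    for ref, got in zip(ref_gates, sus_gates):
        if ref[0] != got[0]:
            findings.append(f"{ref[1]}: branch opcode changed {ref[0]} -> {got[0]}")
        if ref[2:] != got[2:]:
            findings.append(f"{ref[1]}: operand sources changed {ref[2:]} -> {got[2:]}")
    return findings
```

Any check that runs only on the device can be edited this way, so the decision to grant a paid feature is better enforced on a server the client cannot modify, with signature verification of the installed package as a secondary control.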