网站 › 『移动安全区』 › 某水印软件本地会员解锁流程

Forgo7ten2020 发表于 2021-11-6 12:52

某水印软件本地会员解锁流程

首先查看提示是"开通VIP立享无限保存"
然后将APK使用apktool反编译后
搜索该字符串

发现在xml布局文件中出现了
然后去查找文件名，找到ID值

根据ID值找到相应的类

查看是哪调用了该对话框


.method private downloadAll()V
    .locals 3

    .line 397
    iget-object v0, p0, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->urlInfoList:Ljava/util/List;

    invoke-interface {v0}, Ljava/util/List;->isEmpty()Z

    move-result v0

    if-eqz v0, :cond_0

    .line 398
    invoke-virtual {p0}, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->requireActivity()Landroidx/fragment/app/FragmentActivity;

    move-result-object v0

    const-string v1, "\u8bf7\u5148\u53bb\u89c6\u9891\u53f7\u64ad\u653e\u89c6\u9891"

    invoke-static {v0, v1}, Lcom/shuiyinyu/dashen/utils/ToastUtil;->shortBottomToast(Landroid/content/Context;Ljava/lang/CharSequence;)V

    return-void

    .line 403
    :cond_0
    invoke-static {}, Lcom/shuiyinyu/dashen/MainApplication;->SharedInstance()Lcom/shuiyinyu/dashen/MainApplication;

    move-result-object v0

    invoke-virtual {v0}, Lcom/shuiyinyu/dashen/MainApplication;->isVip()Z

    move-result v0

    if-nez v0, :cond_1

    .line 404
    new-instance v0, Lcom/shuiyinyu/dashen/customview/PromptPaymentDialog;

    const v1, 0x7f11014c

    invoke-virtual {p0, v1}, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->getString(I)Ljava/lang/String;

    move-result-object v1

    invoke-direct {v0, p0, v1}, Lcom/shuiyinyu/dashen/customview/PromptPaymentDialog;-><init>(Lcom/reactnative/hybridnavigation/HybridFragment;Ljava/lang/String;)V

    invoke-virtual {p0}, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->getParentFragmentManager()Landroidx/fragment/app/FragmentManager;

    move-result-object v1

    const/4 v2, 0x0

    invoke-virtual {v0, v1, v2}, Lcom/shuiyinyu/dashen/customview/PromptPaymentDialog;->show(Landroidx/fragment/app/FragmentManager;Ljava/lang/String;)V

    return-void

    .line 409
    :cond_1
    iget-object v0, p0, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->btnDownloadAll:Landroid/widget/TextView;

    const/4 v1, 0x0

    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setEnabled(Z)V

    .line 410
    new-instance v0, Lcom/shuiyinyu/dashen/customview/ProgressDialog;

    invoke-virtual {p0}, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->getActivity()Landroidx/fragment/app/FragmentActivity;

    move-result-object v1

    const-string v2, "\u6b63\u5728\u6279\u91cf\u4fdd\u5b58..."

    invoke-direct {v0, v1, v2}, Lcom/shuiyinyu/dashen/customview/ProgressDialog;-><init>(Landroidx/fragment/app/FragmentActivity;Ljava/lang/String;)V

    new-instance v1, Lcom/shuiyinyu/dashen/editingtools/-$$Lambda$WxDownloadFragment$5uJcb7Mz6cuUK79gfVlOpB-9Gaw;

    invoke-direct {v1, p0}, Lcom/shuiyinyu/dashen/editingtools/-$$Lambda$WxDownloadFragment$5uJcb7Mz6cuUK79gfVlOpB-9Gaw;-><init>(Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;)V

    const-string v2, "\u53d6\u6d88\u4fdd\u5b58"

    .line 411
    invoke-virtual {v0, v2, v1}, Lcom/shuiyinyu/dashen/customview/ProgressDialog;->setProgressButton(Ljava/lang/String;Landroid/view/View$OnClickListener;)Lcom/shuiyinyu/dashen/customview/ProgressDialog;

    move-result-object v0

    .line 418
    invoke-virtual {v0}, Lcom/shuiyinyu/dashen/customview/ProgressDialog;->show()Lcom/shuiyinyu/dashen/customview/ProgressDialog;

    move-result-object v0

    iput-object v0, p0, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->progressDialog:Lcom/shuiyinyu/dashen/customview/ProgressDialog;

    .line 420
    new-instance v0, Ljava/lang/Thread;

    new-instance v1, Lcom/shuiyinyu/dashen/editingtools/-$$Lambda$WxDownloadFragment$2DriiF8FzArwGDZWSmzuA1ngKMo;

    invoke-direct {v1, p0}, Lcom/shuiyinyu/dashen/editingtools/-$$Lambda$WxDownloadFragment$2DriiF8FzArwGDZWSmzuA1ngKMo;-><init>(Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;)V

    invoke-direct {v0, v1}, Ljava/lang/Thread;-><init>(Ljava/lang/Runnable;)V

    iput-object v0, p0, Lcom/shuiyinyu/dashen/editingtools/WxDownloadFragment;->downloadAllThread:Ljava/lang/Thread;

    .line 465
    invoke-virtual {v0}, Ljava/lang/Thread;->start()V

    return-void
.end method
前往isVip()方法


.method public isVip()Z
    .locals 6

    const/4 v0, 0x0

    .line 114
    :try_start_0
    invoke-virtual {p0}, Lcom/shuiyinyu/dashen/MainApplication;->getApplicationContext()Landroid/content/Context;

    move-result-object v1

    invoke-static {v1}, Lcom/reactnativecommunity/asyncstorage/ReactDatabaseSupplier;->getInstance(Landroid/content/Context;)Lcom/reactnativecommunity/asyncstorage/ReactDatabaseSupplier;

    move-result-object v1

    invoke-virtual {v1}, Lcom/reactnativecommunity/asyncstorage/ReactDatabaseSupplier;->get()Landroid/database/sqlite/SQLiteDatabase;

    move-result-object v1

    const-string v2, "user"

    invoke-static {v1, v2}, Lcom/reactnativecommunity/asyncstorage/AsyncLocalStorageUtil;->getItemImpl(Landroid/database/sqlite/SQLiteDatabase;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v1

    .line 118
    new-instance v2, Lcom/google/gson/Gson;

    invoke-direct {v2}, Lcom/google/gson/Gson;-><init>()V

    const-class v3, Lcom/google/gson/JsonObject;

    invoke-virtual {v2, v1, v3}, Lcom/google/gson/Gson;->fromJson(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;

    move-result-object v1

    check-cast v1, Lcom/google/gson/JsonObject;

    const-string v2, "rawData"

    .line 120
    invoke-virtual {v1, v2}, Lcom/google/gson/JsonObject;->get(Ljava/lang/String;)Lcom/google/gson/JsonElement;

    move-result-object v1

    invoke-virtual {v1}, Lcom/google/gson/JsonElement;->getAsJsonObject()Lcom/google/gson/JsonObject;

    move-result-object v1

    const-string v2, "vip_expire_time"

    invoke-virtual {v1, v2}, Lcom/google/gson/JsonObject;->get(Ljava/lang/String;)Lcom/google/gson/JsonElement;

    move-result-object v1

    .line 122
    invoke-virtual {v1}, Lcom/google/gson/JsonElement;->isJsonNull()Z

    move-result v2

    if-nez v2, :cond_0

    invoke-virtual {v1}, Lcom/google/gson/JsonElement;->getAsLong()J

    move-result-wide v1

    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J

    move-result-wide v3
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    cmp-long v5, v1, v3

    if-lez v5, :cond_0

    const/4 v0, 0x1

    :cond_0
    return v0

    :catch_0
    move-exception v1

    .line 124
    invoke-virtual {v1}, Ljava/lang/Exception;->printStackTrace()V

    return v0
.end method

.method public limited()Z
    .locals 6

    .line 136
    invoke-virtual {p0}, Lcom/shuiyinyu/dashen/MainApplication;->isVip()Z

    move-result v0

    const/4 v1, 0x0

    if-eqz v0, :cond_0

    return v1

    :cond_0
    const-string v0, "localstorage"

    .line 138
    invoke-virtual {p0, v0, v1}, Lcom/shuiyinyu/dashen/MainApplication;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;

    move-result-object v0

    .line 140
    new-instance v2, Ljava/text/SimpleDateFormat;

    const-string v3, "yyyyMMdd"

    invoke-direct {v2, v3}, Ljava/text/SimpleDateFormat;-><init>(Ljava/lang/String;)V

    new-instance v3, Ljava/util/Date;

    invoke-direct {v3}, Ljava/util/Date;-><init>()V

    invoke-virtual {v2, v3}, Ljava/text/SimpleDateFormat;->format(Ljava/util/Date;)Ljava/lang/String;

    move-result-object v2

    .line 142
    new-instance v3, Ljava/util/HashSet;

    invoke-direct {v3}, Ljava/util/HashSet;-><init>()V

    invoke-interface {v0, v2, v3}, Landroid/content/SharedPreferences;->getStringSet(Ljava/lang/String;Ljava/util/Set;)Ljava/util/Set;

    move-result-object v3

    .line 144
    invoke-interface {v3}, Ljava/util/Set;->size()I

    move-result v4

    iget v5, p0, Lcom/shuiyinyu/dashen/MainApplication;->LIMIT:I

    if-lt v4, v5, :cond_1

    const/4 v0, 0x1

    return v0

    .line 146
    :cond_1
    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J

    move-result-wide v4

    invoke-static {v4, v5}, Ljava/lang/Long;->toString(J)Ljava/lang/String;

    move-result-object v4

    invoke-interface {v3, v4}, Ljava/util/Set;->add(Ljava/lang/Object;)Z

    .line 148
    invoke-interface {v0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;

    move-result-object v0

    invoke-interface {v0, v2, v3}, Landroid/content/SharedPreferences$Editor;->putStringSet(Ljava/lang/String;Ljava/util/Set;)Landroid/content/SharedPreferences$Editor;

    move-result-object v0

    invoke-interface {v0}, Landroid/content/SharedPreferences$Editor;->apply()V

    return v1
.end method

isVip查询数据库，如果查到了vip到期时间，那就代表是VIP

limited()判断是否限制，如果是会员则不限制，如果当天次数小于LIMIT，也不限制（普通用户每日免费一次）


.method public isVip()Z
    .locals 6

    const/4 v0, 0x1

    return v0
.end method
直接将isVip()修改为如上，则解除限制成功。同时也可以在LIMIT初始化之前插入赋值

赋值为1000次

之后打包，签名。安装就ok了


经过测试，除了提取视频未解除限制之外，其余的都解除了。
提取视频是联网功能将链接上传到服务器，服务器解析视频地址后传过来。所以没办法搞

花好s月圆 发表于 2021-11-10 20:34

Forgo7ten2020 发表于 2021-11-7 23:11
它是个jar包，是需要java环境的，而java环境需要配置jdk

就没有一个安卓逆向软件不用安装jdk的吗 ？

Forgo7ten2020 发表于 2021-11-7 23:11

花好s月圆 发表于 2021-11-7 18:17
apktook需要java环境吗 ？也得配置jdk吧 ？

它是个jar包，是需要java环境的，而java环境需要配置jdk

Noth1ng 发表于 2021-11-6 13:06

有些小程序可以直接转存

adhaha2 发表于 2021-11-6 13:38

啥都没干咋的就违规了

zhukun1980 发表于 2021-11-6 13:39

感谢大神分享谢谢

猫个懒 发表于 2021-11-6 13:42

感谢大神分享:victory:

m-10306 发表于 2021-11-6 14:05

思路不错谢谢分享

L5712580 发表于 2021-11-6 14:21

思路不错谢谢分享

m0216 发表于 2021-11-6 14:24

感谢分享这个太好了

blindcat 发表于 2021-11-6 15:07

学习了，感谢分享

andylove 发表于 2021-11-6 16:36

思路不错，感谢分享

查看完整版本: 某水印软件本地会员解锁流程