本帖最后由 淡然出尘 于 2015-2-7 17:37 编辑
以后我每分析一个程序会尽量在论坛分析一下思路和一些独特的方法
希望大家多多支持论坛哈
适合的游戏有:
<神庙逃亡><地铁酷跑><水果忍者><果宝三国> 甚至那个厂商...
下面是教程,提提人气,就隐藏了,莫怪哈~
适合的特征:
反编译之后的结构中有以下文件树
处理的方法:
1.全局搜索“already_owned”会有两个结果:
点击第二个smali里面的,会定位到Lcom/skynetpay/android/payment/frame/PaymentPlugin;类中;
2.修改的方法是让程序始终走“already_owned”所在_cond流程,修改后代码如下:
[Java] 纯文本查看 复制代码
....
....
....
invoke-static {v1, v2}, Lcom/skynetpay/lib/e/g;->b(Ljava/lang/String;Ljava/lang/CharSequence;)V
.line 329
iget-boolean v1, p0, Lcom/skynetpay/android/payment/frame/PaymentPlugin;->r:Z
goto :cond_0 /////////始终走:cond_0
.line 330
const-string v1, "PaymentPlugin"
const-string v2, "\u4e0a\u4e00\u7b14\u4ea4\u6613\u672a\u5b8c\u6210\uff0c\u4e0d\u80fd\u8fdb\u884c\u4e0b\u4e00\u7b14\u4ea4\u6613!"
invoke-static {v1, v2}, Landroid/util/Log;->w(Ljava/lang/String;Ljava/lang/String;)I
.line 479
:goto_0
return-void
....
....
....
invoke-direct {p0, p2, v0}, Lcom/skynetpay/android/payment/frame/PaymentPlugin;->enqueuePurchase(Ljava/lang/String;Lcom/skynetpay/lib/plugin/PluginResultHandler;)I
move-result v5
.line 339
sget-boolean v1, Lcom/skynetpay/lib/config/a;->c:Z
goto :cond_1 //始终走:cond_1
.line 340
const-string v1, "PaymentPlugin"
new-instance v2, Ljava/lang/StringBuilder;
....
....
....
invoke-virtual {v2, p2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v2
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
.line 344
:cond_1 //让程序走:cond_1
invoke-virtual {p0, p2}, Lcom/skynetpay/android/payment/frame/PaymentPlugin;->findItemByIdentifier(Ljava/lang/String;)Lcom/skynetpay/android/payment/frame/bean/Item;
move-result-object v6
.line 345
goto :cond_3 //////goto
.line 346
new-instance v1, Lcom/skynetpay/lib/plugin/PluginResult;
sget-object v2, Lcom/skynetpay/lib/plugin/PluginResult$Status;->ERROR:Lcom/skynetpay/lib/plugin/PluginResult$Status;
const-string v3, "payment_item_not_found"
....
....
....
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Lcom/skynetpay/lib/e/g;->b(Ljava/lang/String;Ljava/lang/CharSequence;)V
goto/16 :goto_0
.line 356
:cond_3 ///////////////让程序始终走:cond_3流程
iget-boolean v1, v6, Lcom/skynetpay/android/payment/frame/bean/Item;->isOwned:Z
/////////////////这里的那句跳转代码删除
new-instance v1, Lcom/skynetpay/lib/plugin/PluginResult;
sget-object v2, Lcom/skynetpay/lib/plugin/PluginResult$Status;->OK:Lcom/skynetpay/lib/plugin/PluginResult$Status;
const-string v3, "product_already_owned"
.line 358
invoke-virtual {p0, v3}, Lcom/skynetpay/android/payment/frame/PaymentPlugin;->getString(Ljava/lang/String;)Ljava/lang/String;
move-result-object v3
invoke-direct {v1, v2, v3}, Lcom/skynetpay/lib/plugin/PluginResult;-><init>(Lcom/skynetpay/lib/plugin/PluginResult$Status;Ljava/lang/String;)V
.line 359
invoke-virtual {v1}, Lcom/skynetpay/lib/plugin/PluginResult;->getMessage()Ljava/lang/String;
move-result-object v2
////////////////////注释这句不让toast弹出
#invoke-virtual {p0, v2}, Lcom/skynetpay/android/payment/frame/PaymentPlugin;->makeToast(Ljava/lang/CharSequence;)V
这样达到的结果如下:
A、支持离线;
B、支持三网;
C、无支付限制;
D、点击获得型破解内购;
整个程序可能还会有“盗版”验证的字样,如下图:
为了防止它提示出来,修改的关键地址在:Lcom/s1/lib/internal/ax;->q()Landroid/app/Activity;
让它始终返回为0即可,修改后的代码为:
[Java] 纯文本查看 复制代码 .method public final q()Landroid/app/Activity;
.locals 1
.prologue
const/4 v0, 0x0
return-object v0
.end method
好了。
希望大家都自己试试,
出现什么问题,及时提问解决..
|