本帖最后由 痞孑 于 2018-2-2 16:53 编辑
玩了一会需要付费解锁全部内容(心里咯噔了一下) 但不要紧,看了看不需要联网(那就是单机了) 接着我们用 Android Killer 来破了它 下方帖子里边下载 https://www.52pojie.cn/thread-319641-1-1.html
1. 把安装包下载到桌面
接着把安装包拖进Android Killer反编译
2. 点击:工程搜索
3. 搜索字符:Notifydelivergoods(单机通用)
(如果遇到加密或者加固的话是搜不到的) (只要是在4399下载的游戏都可以用和这个方法名来搜索) (当然如果是网游的话,就不要白费力气了)
4. 搜索完毕之后得到的结果
(如下图)
5. 点击:最下方的一个类
(如下图)
6. 之后我们拉到最下方眨眼一看有一个U码
7. 接着我们把U码解密一下看看是什么内容
解密结果为:支付失败
8. 那么关键来了
在NotifyDeliverGoods这个方法名下方有一个判断
.method public notifyDeliverGoods (ZLcn/m4399/recharge/RechargeOrder;)Z
.locals 7
.param p1, "b" # Z
.param p2, "rechargeOrder" # Lcn/m4399/recharge/RechargeOrder;
.prologue
const/4 v6, 0x3
const/4 v5, 0x2
const/4 v1, 0x0
const/4 v0, 0x1
.line 42
if-eqz p1, :cond_0(关键1)
.line 43
iget-object v2, p0, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy$1;->this$0:Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;
# getter for: Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->mObserver:Lcom/lilith/singlegame/observer/BaseObservable;
invoke-static {v2}, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->access$000(Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;)Lcom/lilith/singlegame/observer/BaseObservable;
9. 为什么说这个判断是关键
我们看这个判断调用了谁
.method public notifyDeliverGoods(ZLcn/m4399/recharge/RechargeOrder;)Z
.locals 7
.param p1, "b" # Z
.param p2, "rechargeOrder" # Lcn/m4399/recharge/RechargeOrder;
.prologue
const/4 v6, 0x3
const/4 v5, 0x2
const/4 v1, 0x0
const/4 v0, 0x1
.line 42
if-eqz p1, :cond_0(关键1)
(这里我们可以运用Smali语法)
(if-eqz vA, :cond_**)
(如果vA等于0则跳转到:_**)
.line 43
iget-object v2, p0, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy$1;->this$0:Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;
# getter for: Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->mObserver:Lcom/lilith/singlegame/observer/BaseObservable;
invoke-static {v2}, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->access$000(Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;)Lcom/lilith/singlegame/observer/BaseObservable;
move-result-object v2
new-array v3, v6, [Ljava/lang/Object;
.line 44
invoke-static {v0}, Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer;
move-result-object v4
aput-object v4, v3, v1
.line 45
invoke-static {v0}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;
move-result-object v4
aput-object v4, v3, v0
.line 46
invoke-static {v1}, Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer;
move-result-object v1
aput-object v1, v3, v5
.line 43
invoke-virtual {v2, v3}, Lcom/lilith/singlegame/observer/BaseObservable;->notifyObservers(Ljava/lang/Object;)V
.line 57
:goto_0
return v0
.line 50
:cond_0(关键2)
(如果vA等于0则跳转到关键2)
(而关键2就是支付失败)
iget-object v2, p0, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy$1;->this$0:Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;
# getter for: Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->mObserver:Lcom/lilith/singlegame/observer/BaseObservable;
invoke-static {v2}, Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;->access$100(Lcom/lilith/singlegame/sisan/SingleGameSisanProxy;)Lcom/lilith/singlegame/observer/BaseObservable;
move-result-object v2
const/4 v3, 0x4
new-array v3, v3, [Ljava/lang/Object;
.line 51
invoke-static {v0}, Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer;
move-result-object v4
aput-object v4, v3, v1
.line 52
invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;
move-result-object v4
aput-object v4, v3, v0
const/4 v0, -0x1
.line 53
invoke-static {v0}, Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer;
move-result-object v0
aput-object v0, v3, v5
const-string v0, "\u652f\u4ed8\u5931\u8d25=支付失败"
aput-object v0, v3, v6
.line 50
invoke-virtual {v2, v3}, Lcom/lilith/singlegame/observer/BaseObservable;->notifyObservers(Ljava/lang/Object;)V
move v0, v1
.line 57
goto :goto_0
1o. 那么这样一来思路就很清晰了
我们把 if-eqz p1, :cond_0(关键1)删掉就可以绕过关键2直接达到我们的目的
如下图为测试结果
支付成功之后就可以愉快的玩耍啦
本教程到此结束 有不会的小伙伴跟帖,抽时间回复 附成品:https://pan.baidu.com/s/1mj8ZA20 密码:bcr1
| 
[复制链接]
发表于 2018-2-2 16:47
发表于 2018-3-8 16:42
