一、准备工作
- 下载切水果大战原版.apk.
- 链接:https://pan.baidu.com/s/18N_Lg8C4O5D1J7cbt99W6Q?pwd=p625
提取码:p625
开始游戏
- 找找有什么比游戏还好玩的东西
看到有个礼包,点进去
- 果不其然让你掏钱
点购买,弹出确认支付
不能充值??!!
直接把这个apk拖到android killer进行逆向
二、开始整活
- 打开android killer,运行切水果大战.apk
- 因为刚才出现了“支付失败,请稍后重试”,所以我们选择搜索“失败”试试
输入失败后,点击Aa,选择将文本转化为Unicode选项,就会出现“\u5931\u8d25”
有几个感觉像是支付的东西,我这里瞅mymmpay就像,打开
android killer就是厉害,能直接查看源码
点击就会转化为java源码,我们看看有什么
找到一个关于支付的
可以看出 payResultFalse应该就是我们要找的
上面还有一个payResultCancel。下面还有payResultSuccess,越来越有趣了
再回到初始界面,打开字符串,发现有“购买失败”“购买成功”几个方法
双击进入,找到左面相应的代码
.method public payResultCancel()V
.locals 2
.prologue
.line 1407
iget-object v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->psif:Lcom/mydefinemmpay/mypay/PaySuccessInterface;
sget v1, Lcom/mydefinemmpay/tool/MymmPay;->payId:I
invoke-interface {v0, v1}, Lcom/mydefinemmpay/mypay/PaySuccessInterface;->doPayCancel(I)V
.line 1408
const-string v0, "\u8d2d\u4e70\u53d6\u6d88"
invoke-virtual {p0, v0}, Lcom/mydefinemmpay/tool/MymmPay;->showDebug(Ljava/lang/String;)V
.line 1411
return-void
.end method
-------------------------------------取消购买的代码-----------------------------------------------------
.method public payResultFalse()V
.locals 3
.prologue
const/4 v2, 0x2
.line 1378
iget-object v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->psif:Lcom/mydefinemmpay/mypay/PaySuccessInterface;
sget v1, Lcom/mydefinemmpay/tool/MymmPay;->payId:I
invoke-interface {v0, v1}, Lcom/mydefinemmpay/mypay/PaySuccessInterface;->doPayFalse(I)V
.line 1379
const/4 v0, 0x0
iput-boolean v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->paysuss:Z
.line 1380
const-string v0, "zhifu false"
invoke-virtual {p0, v0}, Lcom/mydefinemmpay/tool/MymmPay;->Printlog(Ljava/lang/String;)V
.line 1381
iget v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->falseTime:I
add-int/lit8 v0, v0, 0x1
iput v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->falseTime:I
.line 1384
const-string v0, "\u8d2d\u4e70\u5931\u8d25"
invoke-virtual {p0, v0}, Lcom/mydefinemmpay/tool/MymmPay;->showDebug(Ljava/lang/String;)V
.line 1385
iget v0, p0, Lcom/mydefinemmpay/tool/MymmPay;->falseTime:I
if-ne v0, v2, :cond_0
.line 1386
invoke-static {}, Lcom/mydefinemmpay/tool/MessageUtil;->getInstance()Lcom/mydefinemmpay/tool/MessageUtil;
move-result-object v0
iget v0, v0, Lcom/mydefinemmpay/tool/MessageUtil;->ADOpen:I
if-ne v0, v2, :cond_0
.line 1387
sget-object v0, Lcom/mydefinemmpay/tool/MymmPay;->adf:Lcom/mydefinemmpay/mypay/UUADSDKPayInterface;
if-eqz v0, :cond_0
.line 1388
sget-object v0, Lcom/mydefinemmpay/tool/MymmPay;->adf:Lcom/mydefinemmpay/mypay/UUADSDKPayInterface;
iget-object v1, p0, Lcom/mydefinemmpay/tool/MymmPay;->context:Landroid/content/Context;
invoke-interface {v0, v1, p0}, Lcom/mydefinemmpay/mypay/UUADSDKPayInterface;->init(Landroid/content/Context;Lcom/mydefinemmpay/mypay/MymmPayInterFace;)V
.line 1389
const-string v0, "\u8d2d\u4e70\u5931\u8d25\u4e24\u6b21\u5f00\u542f\u5e7f\u544a"
invoke-virtual {p0, v0}, Lcom/mydefinemmpay/tool/MymmPay;->showDebug(Ljava/lang/String;)V
.line 1396
:cond_0
invoke-virtual {p0}, Lcom/mydefinemmpay/tool/MymmPay;->getLibKind()I
move-result v0
const/4 v1, 0x1
if-ne v0, v1, :cond_1
.line 1397
invoke-static {}, Lcom/mydefinemmpay/tool/MessageUtil;->getInstance()Lcom/mydefinemmpay/tool/MessageUtil;
move-result-object v0
iget-object v0, v0, Lcom/mydefinemmpay/tool/MessageUtil;->sdkKind:Ljava/lang/String;
const-string v1, "0"
invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v0
if-eqz v0, :cond_1
.line 1398
invoke-virtual {p0}, Lcom/mydefinemmpay/tool/MymmPay;->getPayT()I
move-result v0
if-nez v0, :cond_1
.line 1399
sget-object v0, Lcom/mydefinemmpay/tool/MymmPay;->osif:Lcom/mydefinemmpay/mypay/OtherSDKPayInterface;
invoke-interface {v0}, Lcom/mydefinemmpay/mypay/OtherSDKPayInterface;->pay()V
.line 1404
:cond_1
return-void
.end method
-------------------------------------------购买失败的代码-----------------------------------------------
.method public payResultSuccess()V
.locals 8
.prologue
const/4 v7, 0x1
const/4 v6, 0x0
.line 1344
invoke-static {}, Lcom/mydefinemmpay/tool/RecordOpreate;->getInstance()Lcom/mydefinemmpay/tool/RecordOpreate;
move-result-object v3
.line 1345
sget-object v4, Lcom/mydefinemmpay/tool/RecordOpreate;->totalMoey:Ljava/lang/String;
.line 1344
invoke-virtual {v3, v4}, Lcom/mydefinemmpay/tool/RecordOpreate;->getData(Ljava/lang/String;)Ljava/lang/String;
move-result-object v3
invoke-static {v3}, Ljava/lang/Float;->valueOf(Ljava/lang/String;)Ljava/lang/Float;
move-result-object v3
invoke-virtual {v3}, Ljava/lang/Float;->floatValue()F
move-result v2
.line 1346
.local v2, "totalMoney":F
invoke-static {}, Lcom/mydefinemmpay/tool/MessageUtil;->getInstance()Lcom/mydefinemmpay/tool/MessageUtil;
move-result-object v3
iget v3, v3, Lcom/mydefinemmpay/tool/MessageUtil;->limitMoney:F
cmpg-float v3, v2, v3
if-gez v3, :cond_0
iget v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->payCodeMoney:F
add-float/2addr v3, v2
invoke-static {}, Lcom/mydefinemmpay/tool/MessageUtil;->getInstance()Lcom/mydefinemmpay/tool/MessageUtil;
move-result-object v4
iget v4, v4, Lcom/mydefinemmpay/tool/MessageUtil;->limitMoney:F
cmpl-float v3, v3, v4
if-ltz v3, :cond_0
.line 1347
const-string v3, "\u606d\u559c\u60a8\u8fbe\u5230\u6d88\u8d39\u4e0a\u9650\uff0c\u81ea\u52a8\u5f00\u901a\u5c0a\u4eabVIP\uff0c\u60a8\u53ef\u4ee5\u514d\u8d39\u8d2d\u4e70\u4efb\u4f55\u9053\u5177"
invoke-virtual {p0, v3}, Lcom/mydefinemmpay/tool/MymmPay;->toastShow(Ljava/lang/String;)V
.line 1350
:cond_0
iget v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->payCodeMoney:F
add-float/2addr v2, v3
.line 1351
invoke-static {}, Lcom/mydefinemmpay/tool/RecordOpreate;->getInstance()Lcom/mydefinemmpay/tool/RecordOpreate;
move-result-object v3
sget-object v4, Lcom/mydefinemmpay/tool/RecordOpreate;->totalMoey:Ljava/lang/String;
.line 1352
new-instance v5, Ljava/lang/StringBuilder;
invoke-direct {v5}, Ljava/lang/StringBuilder;-><init>()V
invoke-virtual {v5, v2}, Ljava/lang/StringBuilder;->append(F)Ljava/lang/StringBuilder;
move-result-object v5
invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v5
.line 1351
invoke-virtual {v3, v4, v5}, Lcom/mydefinemmpay/tool/RecordOpreate;->saveData(Ljava/lang/String;Ljava/lang/String;)V
.line 1353
iget-object v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->psif:Lcom/mydefinemmpay/mypay/PaySuccessInterface;
sget v4, Lcom/mydefinemmpay/tool/MymmPay;->payId:I
invoke-interface {v3, v4}, Lcom/mydefinemmpay/mypay/PaySuccessInterface;->doPaySuccess(I)V
.line 1354
iput-boolean v7, p0, Lcom/mydefinemmpay/tool/MymmPay;->paysuss:Z
.line 1355
invoke-static {}, Ljava/lang/System;->currentTimeMillis()J
move-result-wide v4
iput-wide v4, p0, Lcom/mydefinemmpay/tool/MymmPay;->statPtime:J
.line 1356
sget-object v3, Ljava/lang/System;->out:Ljava/io/PrintStream;
new-instance v4, Ljava/lang/StringBuilder;
const-string v5, "dpv111111111"
invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
iget-object v5, p0, Lcom/mydefinemmpay/tool/MymmPay;->dpv:Ljava/util/Vector;
invoke-virtual {v5}, Ljava/util/Vector;->size()I
move-result v5
invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;
move-result-object v4
invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v4
invoke-virtual {v3, v4}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
.line 1357
const/4 v1, 0x0
.local v1, "i":I
:goto_0
iget-object v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->dpv:Ljava/util/Vector;
invoke-virtual {v3}, Ljava/util/Vector;->size()I
move-result v3
if-lt v1, v3, :cond_2
.line 1363
sget-object v3, Ljava/lang/System;->out:Ljava/io/PrintStream;
new-instance v4, Ljava/lang/StringBuilder;
const-string v5, "dpv2222222222222"
invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
iget-object v5, p0, Lcom/mydefinemmpay/tool/MymmPay;->dpv:Ljava/util/Vector;
invoke-virtual {v5}, Ljava/util/Vector;->size()I
move-result v5
invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;
move-result-object v4
invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v4
invoke-virtual {v3, v4}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
.line 1364
iput v6, p0, Lcom/mydefinemmpay/tool/MymmPay;->falseTime:I
.line 1365
invoke-virtual {p0}, Lcom/mydefinemmpay/tool/MymmPay;->getLibKind()I
move-result v3
if-ne v3, v7, :cond_1
.line 1366
invoke-static {}, Lcom/mydefinemmpay/tool/MessageUtil;->getInstance()Lcom/mydefinemmpay/tool/MessageUtil;
move-result-object v3
iget-object v3, v3, Lcom/mydefinemmpay/tool/MessageUtil;->sdkKind:Ljava/lang/String;
const-string v4, "0"
invoke-virtual {v3, v4}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v3
if-eqz v3, :cond_1
.line 1367
iput v6, p0, Lcom/mydefinemmpay/tool/MymmPay;->migfalseTime:I
.line 1372
:cond_1
const-string v3, "\u8d2d\u4e70\u6210\u529f"
invoke-virtual {p0, v3}, Lcom/mydefinemmpay/tool/MymmPay;->showDebug(Ljava/lang/String;)V
.line 1373
return-void
.line 1358
:cond_2
iget-object v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->dpv:Ljava/util/Vector;
invoke-virtual {v3, v1}, Ljava/util/Vector;->get(I)Ljava/lang/Object;
move-result-object v0
check-cast v0, Lcom/mydefinemmpay/tool/DialogPay;
.line 1359
.local v0, "dp":Lcom/mydefinemmpay/tool/DialogPay;
invoke-virtual {v0}, Lcom/mydefinemmpay/tool/DialogPay;->dismiss()V
.line 1360
iget-object v3, p0, Lcom/mydefinemmpay/tool/MymmPay;->dpv:Ljava/util/Vector;
invoke-virtual {v3, v0}, Ljava/util/Vector;->remove(Ljava/lang/Object;)Z
.line 1357
add-int/lit8 v1, v1, 0x1
goto :goto_0
.end method
-----------------------------------------------购买成功的代码-------------------------------------------
- 然后把购买成功的代码复制到购买失败的代码里。简单粗暴!
- 保存再看看右面字符串的内容,发现之前的取消,失败,成功都变成了成功,成功,成功
再最后删除可能会产生费用的危险权限:
在AndroidManifest.xml里搜索(或者可以直接搜索下面的这个)
android.permission.SEND_SMS
删掉<uses-permission android:name="android.permission.SEND_SMS"/>
然后打包编译
再次运行
三、结语
- 这次安卓逆向原理简单粗暴,但也算是自己入门的第一次破解了,有纪念意义。以后常玩切水果!
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
