[Android Original] 仨笨贼 1.0 in-app purchase cracking tutorial

小试锋芒 posted on 2013-12-27 08:52
This post was last edited by 小试锋芒 on 2014-9-3 08:27

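1. Decompile the APK.

2. In AndroidManifest, find the main Activity: com.mm.cm.sbz.ApplicationDemo
[Image: 截图00.png]

3. Open ApplicationDemo.class; it is easy to spot three member variables related to payment:
[Image: 截图01.png]

4. Looking further down, you can see the member methods for payment failure and payment success:
[Image: 截图02.png]

In the startGame1() method you can see the app's APPID and APPKEY:
[Image: 截图03.png]

5. It is easy to think of replacing the body of the payment-failure method with the body of the payment-success method, so that whether or not the purchase succeeds, the success action is always executed in the end. We therefore replace the smali code of the payment-failure method with the success code.
Code before modification: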
.method private billingFailed(I)V
    .locals 1
    .parameter "sbillingIndex"

    .prologue
    .line 224
    const/4 v0, 0x0

    invoke-static {p1, v0}, Lcom/mm/cm/sbz/ApplicationDemo;->nativeBillingSuccess(II)V

    .line 225
    return-void
.end method


Code after modification:
.method private billingFailed(I)V
    .locals 2
    .parameter "sbillingIndex"

    .prologue
    .line 229
    const/4 v0, 0x1

    invoke-static {p1, v0}, Lcom/mm/cm/sbz/ApplicationDemo;->nativeBillingSuccess(II)V

    .line 231
    packed-switch p1, :pswitch_data_0

    .line 256
    :goto_0
    return-void

    .line 234
    :pswitch_0
    const-string v0, "30000283477701"

    const-string v1, "6"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 237
    :pswitch_1
    const-string v0, "30000283477703"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 240
    :pswitch_2
    const-string v0, "30000283477705"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 243
    :pswitch_3
    const-string v0, "30000283477702"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 246
    :pswitch_4
    const-string v0, "30000283477704"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 249
    :pswitch_5
    const-string v0, "30000283477706"

    const-string v1, "2"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 252
    :pswitch_6
    const-string v0, "30000283477707"

    const-string v1, "2"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 231
    :pswitch_data_0
    .packed-switch 0x0
        :pswitch_0
        :pswitch_1
        :pswitch_2
        :pswitch_3
        :pswitch_4
        :pswitch_5
        :pswitch_6
    .end packed-switch
.end method


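6. Save the changes, recompile and re-sign. Testing shows that when we tap an item to buy it, the corresponding purchase screen pops up; at that point we only need to tap the back button and the purchase succeeds!
[Image: 图4.png]

7. At this point we have achieved the goal of cracking the in-app purchase, but it is not perfect, because the purchase screen still pops up; we want the purchase to succeed when we tap buy, without any screen popping up. Continuing the analysis, in the method public void addAdvertisement2(int paramInt) we find the words "网络连接失败" ("network connection failed"), along with the listener events for the purchase of each item, so this is where we make our move and swap things out. Replace the smali code of addAdvertisement2 with the payment-success code.

[Image: 图5.png]

Before modification: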
.method public addAdvertisement2(I)V
    .locals 5
    .parameter "billingIndex"

    .prologue
    .line 283
    const-string v1, "tag"

    new-instance v2, Ljava/lang/StringBuilder;

    invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V

    invoke-virtual {v2, p1}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-static {v1, v2}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    .line 286
    packed-switch p1, :pswitch_data_0

    .line 318
    :goto_0
    return-void

    .line 289
    :pswitch_0
    :try_start_0
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477701"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    goto :goto_0

    .line 313
    :catch_0
    move-exception v0

    .line 315
    .local v0, e:Ljava/lang/Exception;
    invoke-virtual {v0}, Ljava/lang/Exception;->printStackTrace()V

    .line 316
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v2, "\u7f51\u7edc\u8fde\u63a5\u5931\u8d25"

    const/4 v3, 0x0

    invoke-static {v1, v2, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v1

    invoke-virtual {v1}, Landroid/widget/Toast;->show()V

    goto :goto_0

    .line 292
    .end local v0           #e:Ljava/lang/Exception;
    :pswitch_1
    :try_start_1
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477703"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;

    goto :goto_0

    .line 295
    :pswitch_2
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477705"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;

    goto :goto_0

    .line 298
    :pswitch_3
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477702"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;

    goto :goto_0

    .line 301
    :pswitch_4
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477704"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;

    goto :goto_0

    .line 304
    :pswitch_5
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477706"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;

    goto :goto_0

    .line 307
    :pswitch_6
    sget-object v1, Lcom/mm/cm/sbz/ApplicationDemo;->purchase:Lmm/purchasesdk/Purchase;

    sget-object v2, Lcom/mm/cm/sbz/ApplicationDemo;->context:Landroid/content/Context;

    const-string v3, "30000283477707"

    iget-object v4, p0, Lcom/mm/cm/sbz/ApplicationDemo;->mListener:Lcom/mm/cm/sbz/IAPListener;

    invoke-virtual {v1, v2, v3, v4}, Lmm/purchasesdk/Purchase;->order(Landroid/content/Context;Ljava/lang/String;Lmm/purchasesdk/OnPurchaseListener;)Ljava/lang/String;
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_0

    goto :goto_0

    .line 286
    nop

    :pswitch_data_0
    .packed-switch 0x0
        :pswitch_0
        :pswitch_1
        :pswitch_2
        :pswitch_3
        :pswitch_4
        :pswitch_5
        :pswitch_6
    .end packed-switch
.end method


After modification:
.method public addAdvertisement2(I)V
    .locals 2
    .parameter "sbillingIndex"

    .prologue
    .line 229
    const/4 v0, 0x1

    invoke-static {p1, v0}, Lcom/mm/cm/sbz/ApplicationDemo;->nativeBillingSuccess(II)V

    .line 231
    packed-switch p1, :pswitch_data_0

    .line 256
    :goto_0
    return-void

    .line 234
    :pswitch_0
    const-string v0, "30000283477701"

    const-string v1, "6"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 237
    :pswitch_1
    const-string v0, "30000283477703"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 240
    :pswitch_2
    const-string v0, "30000283477705"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 243
    :pswitch_3
    const-string v0, "30000283477702"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 246
    :pswitch_4
    const-string v0, "30000283477704"

    const-string v1, "1"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 249
    :pswitch_5
    const-string v0, "30000283477706"

    const-string v1, "2"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 252
    :pswitch_6
    const-string v0, "30000283477707"

    const-string v1, "2"

    invoke-static {p0, v0, v1}, Lcom/cm/tools/Tool;->startGamePay(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V

    goto :goto_0

    .line 231
    :pswitch_data_0
    .packed-switch 0x0
        :pswitch_0
        :pswitch_1
        :pswitch_2
        :pswitch_3
        :pswitch_4
        :pswitch_5
        :pswitch_6
    .end packed-switch
.end method


8. Save the changes, recompile, sign and test: the purchase screen no longer pops up, and the purchase succeeds directly.







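Ratings

Participants: 6, Enthusiasm: +6. Reasons:
lsyAndroid + 1 Thanks!
死神眯路 + 1 Analysis, discussion and exchange are welcome; the 52pojie forum is better with you.
YUEN + 1 I strongly agree!
疯萧萧 + 1 I strongly agree!
淡然出尘 + 1 I strongly agree!
无名L + 1 Supporting original work, thanks to the original poster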
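
The post above works because the APK itself decides that a purchase succeeded (a local call to nativeBillingSuccess), so editing the client is enough. The sketch below is an added example, not part of the original post or the game's code: it shows entitlement granted only from a signed server-to-server payment notice. The secret, the notice layout and the class and function names are assumptions; only the pay codes and their switch indexes come from the smali shown in the post.

```python
import hashlib
import hmac
import json

# Constructed values: the secret and the notice layout are assumptions, not the
# payment SDK's real format. Pay codes and indexes mirror the packed-switch above.
PROVIDER_SECRET = b"constructed-demo-secret"
PAYCODE_TO_INDEX = {
    "30000283477701": 0, "30000283477703": 1, "30000283477705": 2,
    "30000283477702": 3, "30000283477704": 4, "30000283477706": 5,
    "30000283477707": 6,
}


def sign(order_id: str, paycode: str, status: str) -> str:
    """HMAC a payment provider would attach to its server-to-server notice."""
    msg = json.dumps([order_id, paycode, status]).encode()  # unambiguous framing
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()


class EntitlementServer:
    """Grants items only from verified provider notices, never from the client."""

    def __init__(self):
        self.seen_orders = set()
        self.granted = {}  # user -> list of billing indexes

    def client_claims_success(self, user: str, billing_index: int) -> bool:
        # All a modified client can do is assert "paid"; that claim is ignored.
        # Only on_provider_notice can grant an item.
        return False

    def on_provider_notice(self, user, order_id, paycode, status, signature) -> bool:
        expected = sign(order_id, paycode, status)
        if not hmac.compare_digest(expected, signature):
            return False                      # forged or altered notice
        if status != "paid" or paycode not in PAYCODE_TO_INDEX:
            return False                      # failed payment or unknown item
        if order_id in self.seen_orders:
            return False                      # replayed order
        self.seen_orders.add(order_id)
        self.granted.setdefault(user, []).append(PAYCODE_TO_INDEX[paycode])
        return True
```

With this split, a repackaged client can still change what it displays locally, but items that live in server-side state are only credited for orders the provider actually confirmed.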

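wangdongdexin posted on 2013-12-27 09:01
Looks very tempting. OP, give me one so I can try it too
GGLHY posted on 2013-12-27 08:58
小淫仙 posted on 2013-12-27 09:03
御剑 posted on 2013-12-27 09:12
Learned something... thanks for sharing
sunset920 posted on 2013-12-27 09:21
Ho ho... so cracking Android is actually pretty easy
1354669803 posted on 2013-12-27 09:32
I can't make sense of it no matter what
九零-鑫鑫 posted on 2013-12-27 09:36
Android looks fairly simple... after all, I've studied Java... thanks for sharing, OP
xxjgdzz posted on 2013-12-27 09:50
Learned something... thanks for sharing
凌宵 posted on 2013-12-27 10:16 from mobile
There's an even simpler method! Go ask 度娘 (Baidu) yourself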