好友
阅读权限20
听众
最后登录1970-1-1
|
本帖最后由 myoldid 于 2015-1-19 22:24 编辑
前言
游戏名称:奔跑吧 兄弟-跑男来了
游戏版本:1.0.1
游戏类型:跑酷类
这款游戏最开始是在移动妹子里下的,在购买时会提示兑换码支付。按安卓逆向圣经里所说的,根据错误提示找到判断后,修改了,但只提示兑换成功,东西没到账。多次尝试后,实在是找不到其他能改的地方后,放弃了兑换码方式。
那既然它跳兑换码支付,说明就是检测到我没SIM卡,那要是强制返回有卡呢??既然是移动妹子的游戏,那好,返回中国移动吧,一次尝试后,兑换码支付窗口没了,给我弹出大大的短信发送失败1105的提示,心里窃喜,搞定了。
然后下一步,找onbillingfinish方法,但是,找到onbillingfinish方法后,却没有任何判断,没发下手啊。然后又想到移动支付成功有个订购成功提示,那根据这个提示强制返回为0x3e9后,安装运行,购买提示短信发送成功,再窃喜,搞定了。但是,但是一点确定后,大爷的,退出了。logcat提示还是1105...
我不甘心啊,想到去爱游戏找找,爱游戏的同款同公司同版本安装包有60多MB,移动妹子的却只有36MB,感觉很奇怪啊,管它的,先看看效果。与预期中的一样,还是兑换码支付。但是再经过尝试,实现了不弹窗口支付成功。
好了,切入正题
1. 因为是爱游戏的游戏,所以直接找payfailed,将调用payfailed的地方调用成paysuccess,如图1.这时候安装,运行,在弹出兑换码支付时,点取消已经可以成功支付了,但这不是最终目的,最终目的是绕过兑换码窗口。
图1
2.既然是判断到我没sim卡,那试试直接返回为中国电信呢?那先搜索中国电信,找到错误位置后,返回为中国电信
[Java] 纯文本查看 复制代码 new-instance v0, Lcn/egame/terminal/sdk/log/ak;
#v0=(UninitRef,Lcn/egame/terminal/sdk/log/ak;);
const-string v1, "CHINA_TELECOM"
#v1=(Reference,Ljava/lang/String;);
const-string v4, "\u4e2d\u56fd\u7535\u4fe1"
#v4=(Reference,Ljava/lang/String;);
new-array v5, v14, [Ljava/lang/String;
#v5=(Reference,[Ljava/lang/String;);
const-string v6, "46003"
#v6=(Reference,Ljava/lang/String;);
aput-object v6, v5, v2
const-string v6, "46005"
aput-object v6, v5, v3
const-string v6, "46011"
aput-object v6, v5, v7
invoke-direct/range {v0 .. v5}, Lcn/egame/terminal/sdk/log/ak;-><init>(Ljava/lang/String;IILjava/lang/String;[Ljava/lang/String;)V
#v0=(Reference,Lcn/egame/terminal/sdk/log/ak;);
sput-object v0, Lcn/egame/terminal/sdk/log/ak;->a:Lcn/egame/terminal/sdk/log/ak;
new-instance v4, Lcn/egame/terminal/sdk/log/ak;
#v4=(UninitRef,Lcn/egame/terminal/sdk/log/ak;);
const-string v5, "CHINA_MOBILE"
const-string v8, "\u4e2d\u56fd\u79fb\u52a8"
#v8=(Reference,Ljava/lang/String;);
new-array v9, v11, [Ljava/lang/String;
#v9=(Reference,[Ljava/lang/String;);
const-string v0, "46020"
aput-object v0, v9, v2
const-string v0, "46000"
aput-object v0, v9, v3
const-string v0, "46002"
aput-object v0, v9, v7
const-string v0, "46007"
aput-object v0, v9, v14
move v6, v3
#v6=(One);
invoke-direct/range {v4 .. v9}, Lcn/egame/terminal/sdk/log/ak;-><init>(Ljava/lang/String;IILjava/lang/String;[Ljava/lang/String;)V
#v4=(Reference,Lcn/egame/terminal/sdk/log/ak;);
sput-object v4, Lcn/egame/terminal/sdk/log/ak;->b:Lcn/egame/terminal/sdk/log/ak;
new-instance v5, Lcn/egame/terminal/sdk/log/ak;
#v5=(UninitRef,Lcn/egame/terminal/sdk/log/ak;);
const-string v6, "CHINA_UNICOM"
#v6=(Reference,Ljava/lang/String;);
const-string v9, "\u4e2d\u56fd\u8054\u901a"
new-array v10, v7, [Ljava/lang/String;
#v10=(Reference,[Ljava/lang/String;);
const-string v0, "46001"
aput-object v0, v10, v2
const-string v0, "46006"
aput-object v0, v10, v3
move v8, v14
#v8=(PosByte);
invoke-direct/range {v5 .. v10}, Lcn/egame/terminal/sdk/log/ak;-><init>(Ljava/lang/String;IILjava/lang/String;[Ljava/lang/String;)V
#v5=(Reference,Lcn/egame/terminal/sdk/log/ak;);
sput-object v5, Lcn/egame/terminal/sdk/log/ak;->c:Lcn/egame/terminal/sdk/log/ak;
new-instance v8, Lcn/egame/terminal/sdk/log/ak;
#v8=(UninitRef,Lcn/egame/terminal/sdk/log/ak;);
const-string v9, "NOT_DEFINE"
const-string v12, "\u4e2d\u56fd\u7535\u4fe1" #这里本是未定义,将它返回为中国电信
#v12=(Reference,Ljava/lang/String;);
##################第二段########################
const-string v1, "46000"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
#v1=(Boolean);
if-nez v1, :cond_4
const-string v1, "46002"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
#v1=(Boolean);
if-nez v1, :cond_4
const-string v1, "46007"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
#v1=(Boolean);
if-eqz v1, :cond_5
.line 848
:cond_4
const-string v0, "\u4e2d\u56fd\u79fb\u52a8"
goto :goto_1
.line 849
:cond_5
const-string v1, "46001"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
#v1=(Boolean);
if-nez v1, :cond_6
const-string v1, "46006"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
#v1=(Boolean);
if-eqz v1, :cond_7
.line 850
:cond_6
const-string v0, "\u4e2d\u56fd\u8054\u901a"
goto :goto_1
.line 851
:cond_7
const-string v1, "46003"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v1
const v1, 0x1
#v1=(Boolean);
if-nez v1, :cond_8
const-string v1, "46005"
#v1=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v0
#v0=(Boolean);
if-eqz v0, :cond_9
.line 852
:cond_8
#v0=(Conflicted);v1=(Conflicted);
const-string v0, "\u4e2d\u56fd\u7535\u4fe1" #这里本来是未定义,改为中国电信
#v0=(Reference,Ljava/lang/String;);
goto :goto_1
.line 854
:cond_9
#v0=(Boolean);v1=(Reference,Ljava/lang/String;);
const-string v0, "\u4e2d\u56fd\u7535\u4fe1" #这里本来是未知,改为中国电信
#v0=(Reference,Ljava/lang/String;);
goto :goto_1
new-array v13, v2, [Ljava/lang/String;
3. 但还没完,我们再搜索46003,再根据提示,强制返回为电信卡
[Java] 纯文本查看 复制代码
:cond_7
#v0=(Reference,Ljava/lang/String;);
const-string v2, "46003"
#v2=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v2
#v2=(Boolean);
if-nez v2, :cond_8
const-string v2, "46005"
#v2=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v0
#v0=(Boolean);
if-eqz v0, :cond_9
.line 822
:cond_8
#v0=(Conflicted);v2=(Conflicted);
const/4 v0, 0x3 #这里看出电信卡的v0是3,那在本方法里的return v0前直接const/4 v0, 0x3
#v0=(PosByte);
goto :goto_1
##################第二段########################
#v2=(Boolean);
const-string v2, "46003"
#v2=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v2
#v2=(Boolean);
if-nez v2, :cond_7
const-string v2, "46005"
#v2=(Reference,Ljava/lang/String;);
invoke-virtual {v0, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
move-result v2
#v2=(Boolean);
if-eqz v2, :cond_8
.line 1116
:cond_7
const-string v2, "03" #这里看出电信卡的v2是"03",那在本方法里的return v0前直接const-string v2, "03"
#v2=(Reference,Ljava/lang/String;);
goto :goto_0
4. 根据搜索到的46003一个一个的改,改完后,编辑保存,一戳购买,哈哈,那个讨厌的兑换码窗口没了,也就是说现在游戏认定我们用的是电信卡了,那样又可以愉快的发帖了
以上方法可能有些繁琐,也许直接getSimState()返回sim状态就行了,但这方法也是一种新思路哦...
题外:这款游戏还有个技巧,就是淡然文章中说的skynetpay关键词,具体参见文章http://www.pd521.com/thread-232-1-1.html 这样在移动妹子游戏下,可以实现提示成功
原帖首发:http://www.pd521.com/thread-235-1-1.html
|
免费评分
-
查看全部评分
|
[复制链接]
发表于 2015-1-19 22:19
发表于 2015-1-19 23:25
|
发表于 2015-1-20 08:35
可以省钱了
下次发现你说的异常,我心里也有底了
