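[Crack log] The process of cracking the game Triple Town (三重镇)
This post was last edited by 水波摇曳 on 2015-1-26 09:27
I cracked this game to help a friend.
The cracking process is as follows:
1. The in-game purchase flow is as follows:
Tap the small red X; after returning, the message "用户取消购买" ("User cancelled the purchase") appears at the bottom:
Search for the Unicode escape of "用户取消购买" and you get the following result:
The file tree at this point looks like this:
By browsing the smali classes in the file tree, I located the method that handles item purchases:
After modification, the smali looks like this: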
.......
invoke-virtual {p0, p2}, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->findItemByIdentifier(Ljava/lang/String;)Lcom/idreamsky/gamecenter/resource/Item;
move-result-object v4
.line 309
goto :cond_1    # always jump to :cond_1
.line 310
const-string v0, "\u672a\u53d1\u73b0\u9053\u5177"
invoke-virtual {v3, v0}, Lcom/idreamsky/gc/DGCInternal;->makeToast(Ljava/lang/String;)V
.line 353
:cond_0
:goto_0
return-void
.line 313
:cond_1
invoke-virtual {p0, p2}, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->isProductOwned(Ljava/lang/String;)Z
move-result v0
.line 314
#if-eqz v0, :cond_3    # this outward jump is commented out
.line 315
iget-object v0, v4, Lcom/idreamsky/gamecenter/resource/Item;->product:Lcom/idreamsky/gamecenter/resource/Product;
iget v0, v0, Lcom/idreamsky/gamecenter/resource/Product;->type:I
goto :cond_2    # always jump to :cond_2
iget-object v0, v4, Lcom/idreamsky/gamecenter/resource/Item;->product:Lcom/idreamsky/gamecenter/resource/Product;
iget v0, v0, Lcom/idreamsky/gamecenter/resource/Product;->type:I
const/4 v5, 0x2
if-ne v0, v5, :cond_3
.line 316
:cond_2
iget-object v0, p0, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->a:Lcom/idreamsky/gamecenter/payment/PaymentDelegate;
# the outward jump below is commented out
#if-eqz v0, :cond_0
.line 317
iget-object v0, p0, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->a:Lcom/idreamsky/gamecenter/payment/PaymentDelegate;
invoke-static {v4}, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->toPayableProduct(Lcom/idreamsky/gamecenter/resource/Item;)Lcom/idreamsky/gamecenter/payment/PayableProduct;
move-result-object v1
# always take this path
invoke-virtual {v0, v1}, Lcom/idreamsky/gamecenter/payment/PaymentDelegate;->onProductPurchased(Lcom/idreamsky/gamecenter/payment/PayableProduct;)V
.line 318
iget-object v0, p0, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->a:Lcom/idreamsky/gamecenter/payment/PaymentDelegate;
invoke-static {v4}, Lcom/idreamsky/gamecenter/payment/PaymentAPI;->toPayableProduct(Lcom/idreamsky/gamecenter/resource/Item;)Lcom/idreamsky/gamecenter/payment/PayableProduct;
move-result-object v1
.line 319
const-string v2, ""
.line 318
invoke-virtual {v0, v1, p3, p4, v2}, Lcom/idreamsky/gamecenter/payment/PaymentDelegate;->onProductPurchased(Lcom/idreamsky/gamecenter/payment/PayableProduct;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V
goto :goto_0
........
Once again we witness the greatness of owned..
Hidden for a few days, otherwise none of you will reply
Support the forum
Done
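
Seen from the defender's side, the patch in the post works because the client alone decides when onProductPurchased fires. The following is an added example (not part of the original post or the game's code) of a server granting an item only after it verifies a receipt signed by the payment backend; the receipt fields, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it exists only on the payment backend and game server.
SERVER_KEY = b"constructed-demo-key"


def sign_receipt(receipt: dict, key: bytes = SERVER_KEY) -> str:
    """Payment backend side: MAC over a canonical encoding of the receipt."""
    payload = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class EntitlementStore:
    """Game server side: the only place where an item is ever granted."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._seen_orders = set()   # order ids already redeemed (replay protection)
        self.owned = {}             # user_id -> set of item ids

    def redeem(self, user_id: str, item_id: str, receipt: dict, mac: str) -> str:
        expected = sign_receipt(receipt, self._key)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "rejected: bad signature"
        # A valid receipt must also be for this user and this item.
        if receipt.get("user_id") != user_id or receipt.get("item_id") != item_id:
            return "rejected: receipt mismatch"
        order = receipt.get("order_id")
        if not order or order in self._seen_orders:
            return "rejected: replayed order"
        self._seen_orders.add(order)
        self.owned.setdefault(user_id, set()).add(item_id)
        return "granted"


def demo():
    store = EntitlementStore()
    receipt = {"order_id": "ORD-0001", "user_id": "u1", "item_id": "coins_100"}  # constructed
    mac = sign_receipt(receipt)
    return [
        store.redeem("u1", "coins_100", {}, ""),        # client claims a purchase, no receipt
        store.redeem("u1", "coins_100", receipt, mac),  # genuine purchase
        store.redeem("u1", "coins_100", receipt, mac),  # same receipt replayed
        store.redeem("u2", "coins_100", receipt, mac),  # receipt issued to another user
    ]
```

With this design a client-side callback can at most change what the local UI shows; the server-held `owned` map only changes on a verified, unused receipt.
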
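Ah, I finally get it, I finally understand a little
3. Decompiling an APK, rebuilding it, and signing it
Put simply:
Decompile: apktool d test.apk outdir
Rebuild: apktool b outdir (a dist folder will appear inside outdir, and test.apk is in it)
Sign: signapk test.apk, which generates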
adb install text.apk
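4. Actually, you can also decompile like this, hehe, which lets you read Java directly instead of smali assembly
1. dex2jar.bat classes.dex generates classes-dex2jar.jar, which is the converted jar.
2. http://jd.benow.ca Open jd-gui.exe and open the jar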

Method 2: use this to open the APK directly; I do not recommend it
Smali2Java.1.0.0.558.zip
http://www.hensence.com/cn/smali2java/
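Thanks for sharing! Support
Supporting 淡然妹子's tutorial, I'll study it carefully
I'll study it carefully
So that's how it is, then I can only reply
Over and over
Thanks for sharing~ I'll study it~~
Studying hard, many thanks!
Taking a look at the tutorial, hehe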