-
-
[原创]某app广告太多,看不下去了,逆一波
-
发表于: 2021-6-17 11:07
-
本篇只供学习,本人未用作商业用途。他人若未经允许,也不得使用以及参考本篇中提到的源码以及附件进行谋利,违者必究
由于工作原因,很长时间没搞破解了。几个月前只是简单对某镖游戏dump了il2cpp与meta-data,昨天试玩了一下,竟然要更新,fuck! fuck! fuck!
然后随便在小米应用商店下载了个小游戏,广告太多,就以去广告为目标 练一下手吧。
dex文件查看工具
keytool
该cmd是为了生成keystore文件,重签名apk时需要。keytool命令在java安装目录/bin下面
jarsigner
该cmd是为了将apk进行重签名,重签名需要使用keystore文件。jarsigner命令也在java安装目录/bin下面
adb shell dumpsys activity activities top
打印手机上当前的未销毁的activity列表
adb shell dumpsys window windows
打印手机上当前的window,默认Z-order
dumpsys看看当前的广告栏属于哪个activity
activity为com.outfit7.mytalkingtomfree/com.jinke.Main
分析后,发现Main的父类中含有可疑的布局代码
上图中onCreate中调用了initContentLayout函数
这个函数中有一个Log.d,我们可通过查看程序运行日志确认该函数中的if语句是否执行了。
我这边在app冷启动时开始抓log,确实有这个日志
或者大家也可以通过打断点调试,确认这里是否执行了。
代码拆分说明:
LayoutInflater.inflate函数,代码加载布局,其函数声明为:
所以布局文件为layout.adjustable_banner_layout,这个布局的名字看起来就像是广告位。
xml中整个view的layout_height为fill_parent,这个高度值可能太大了,看起来应该不是主页上方广告的布局。
直接查看当前Activity的DecorView,查看其children,发现0,0 1080,206这个boundary就是广告显示的位置
jeb中查看交叉引用非常方便,选中函数a,然后按下快捷键x,发现只有一个地方调用了a
这个函数中使用了LayoutInflator。 YES!!!!!无疑了,这个调用链肯定初始化了主页上方的广告位。
继续查找a(c arg3)的调用者
这个函数中的字符很给力,showBanner, Failed to create view等
a(com.miui.zeus.mimo.sdk.server.api.c arg3, ViewGroup arg4, BannerInteractionListener arg5)的调用者
a(ViewGroup arg3, BannerInteractionListener arg4)的调用者
showAd(ViewGroup arg3, BannerInteractionListener arg4)的调用者
上述调用栈关系也可以使用动态调试的方式,一步到位。我没有使用调试的方法,因为这个广告在我的手机上出现的概率太低,想调试一次太难了,大家理解一下哈。
源头去除: onBannerAdLoadSuccess函数中,showAd调用移除。缺点:可能影响了app原本逻辑
尾部去除:设置view的visibility。优点:基本不影响app原本逻辑
昨天调试的时候保存了广告栏显示的代码源头。大家可以自行分析一下,看是否跟我找到的一样。
先挂断点查看startActivity调用栈, 我断在了instrumentation->execSartActivity方法
1.activity确实被拦截掉了,但是页面会卡在一个view中,显示加载中...
2.按返回键尝试将卡view的界面关掉,礼物盒没有正常开启奖励,肯定是影响了游戏逻辑。
奖励没拿到。。。。毛用都没有
广告加载完之后,右上角有一个X按钮,会显示出来。未加载完的时候隐藏。所以就在Activity中找找有没有相关的close或者onClick关键字
jeb中直接找到RewardVideoAdActivity, 确实搜索到了close与onclick关键字
void k()这个函数中使用了LayoutInflater,“mimo_reward_close_img”, setOnClickListener(this)。太明显了,毫无压力。
直接搜关键字setVisibility,该函数会将一个view显示出来
搜到了,就在RewardVideoAdActivity代码中,代码还是那么的明显,毫无压力。
this.g.setVisibility(0),这里的0是一个flag, 就是将view显示出来。
源头是通过onCompletion调过来的, com.miui.zeus.mimo.sdk.video.TextureVideoView$3实现了MediaPlayer.OnCompletionListener接口
原来广告是通过MediaPlayer播放的,然后播放是否完成 是 通过MediaPlayer的回掉接口掉过来的。
手有点疼了。。。。
主要是通过jeb,查看交叉引用关系
MediaPlayer是TextureVideoView的成员
TextureVideoView是VideoAdView的成员
VideoAdView是RewardVideoActivity的成员
结论: 可以通过拿到RewardVideoActivity实例,然后反射一步步拿到MediaPlayer实例
这可能是个老生常谈的问题。方式可能有好几种吧, 下面是我能想到的
1: ActivityThread中保存了当前进程的activity列表
2.拦截ActivityThread.H,这玩意是一个Handler,第一时间通过system_server将activity的生命周期,回掉过来。
3.通过frida或者其他hook工具,在activity->onCreate或者onResume这里下手
4.通过注入Instrumentation的方式,管控activity生命周期,可以拦截到onCreate以及onResume等
我使用了最后一种方案,用java写了点代码,最后编译为smali文件后,通过静态代码注入重打包了apk。
嗯,没看错,接口代码就是如此简单,注入的时候,直接调用PluginManager.init就行了。
这个smali文件中,只加入了最后一句, 目的就是初始化插件,实现Instrumentation注入
反编译/回编classes.dex
反编译/回编classes4.dex (反编译后将插件的smali放到out下面,然后再回编就行了)
Windows:我是通过zip工具打开的apk,然后直接将dex拖进去就行,比较方便
Mac:未尝试
4.删除apk中原本的签名文件夹(META-INF)重签名
1.广告页面会先弹出,80ms左右才会消失掉,所以视觉上还能看到广告activity
2.可能还有其他地方有广告。这个apk广告太多了。。。。不过目前来看应该好多了
带插件的apk如下:(法律原因,已删除)
原包apk:
链接: https://pan.baidu.com/s/1to64frG_x6DtqnrVAUZLfQ 密码: 7fwm
java -jar ~/env/apktool_2.5.0.jar d app-debug.apk
java -jar ~/env/apktool_2.5.0.jar d -r app-debug.apk //Do not decode resources. 不反编译资源文件
java -jar ~/env/apktool_2.5.0.jar d -s app-debug.apk //Do not decode sources. 不反编译源码文件
java -jar ~/env/apktool_2.5.0.jar d app-debug.apk
java -jar ~/env/apktool_2.5.0.jar d -r app-debug.apk //Do not decode resources. 不反编译资源文件
java -jar ~/env/apktool_2.5.0.jar d -s app-debug.apk //Do not decode sources. 不反编译源码文件
java -jar ~/env/baksmali-2.5.2.jar d classes4.dex //反编译dex文件,输出目录默认位out
java -jar ~/env/smali-2.5.2.jar a out //将out目录下面的smali源文件编译为dex文件,输出默认为out.dex
java -jar ~/env/baksmali-2.5.2.jar d classes4.dex //反编译dex文件,输出目录默认位out
java -jar ~/env/smali-2.5.2.jar a out //将out目录下面的smali源文件编译为dex文件,输出默认为out.dex
keytool -genkey -alias mine.keystore -keyalg RSA -validity 30000 -keystore mine.keystore
keytool -genkey -alias mine.keystore -keyalg RSA -validity 30000 -keystore mine.keystore
jarsigner -verbose -keystore mine.keystore -signedjar new.apk old.apk mine.keystore
-keystore:keystore 的名称
new.apk:签名后的apkold.apk:签名前的apkjarsigner -verbose -keystore mine.keystore -signedjar new.apk old.apk mine.keystore
-keystore:keystore 的名称
new.apk:签名后的apkold.apk:签名前的apkprivate void initContentLayout() { WeakReference v0 = this.banneContainerReference;
if(v0 == null || v0.get() == null) {
this.banneContainerReference = new WeakReference(LayoutInflater.from(this.activityWeakReference.get()).inflate(layout.adjustable_banner_layout, this.findViewById(0x1020002), true));
Log.d(MaoActivity.TAG, "setAdjustableBannerXY create view");
}
}private void initContentLayout() { WeakReference v0 = this.banneContainerReference;
if(v0 == null || v0.get() == null) {
this.banneContainerReference = new WeakReference(LayoutInflater.from(this.activityWeakReference.get()).inflate(layout.adjustable_banner_layout, this.findViewById(0x1020002), true));
Log.d(MaoActivity.TAG, "setAdjustableBannerXY create view");
}
}06-16 17:44:45.360 27784 27784 D com.outfit7.jinke.MaoActivity: setAdjustableBannerXY create view
06-16 17:44:45.360 27784 27784 D com.outfit7.jinke.MaoActivity: setAdjustableBannerXY create view
LayoutInflater.from(this.activityWeakReference.get()) 获取当前显示的activity,然后基于该activity对应的上下文创建一个LayoutInflater
LayoutInflater.from(this.activityWeakReference.get()) 获取当前显示的activity,然后基于该activity对应的上下文创建一个LayoutInflater
inflate(layout.adjustable_banner_layout, this.findViewById(0x1020002), true));
inflate(layout.adjustable_banner_layout, this.findViewById(0x1020002), true));
public View inflate(@LayoutRes int resource, @Nullable ViewGroup root, boolean attachToRoot)
public View inflate(@LayoutRes int resource, @Nullable ViewGroup root, boolean attachToRoot)
<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout android:orientation="vertical" android:id="@id/mao_adjustable_container_root" android:layout_width="fill_parent" android:layout_height="fill_parent"
xmlns:android="http://schemas.android.com/apk/res/android">
<FrameLayout android:id="@id/mao_adjustable_ad" android:layout_width="wrap_content" android:layout_height="wrap_content" />
</RelativeLayout>
<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout android:orientation="vertical" android:id="@id/mao_adjustable_container_root" android:layout_width="fill_parent" android:layout_height="fill_parent"
xmlns:android="http://schemas.android.com/apk/res/android">
<FrameLayout android:id="@id/mao_adjustable_ad" android:layout_width="wrap_content" android:layout_height="wrap_content" />
</RelativeLayout>
public class b extends FrameLayout {
public class com.miui.zeus.mimo.sdk.ad.banner.b$1 implements View$OnClickListener {
public com.miui.zeus.mimo.sdk.ad.banner.b$1(b arg1) {
this.a = arg1;
super();
}
public void onClick(View arg2) {
b v2 = this.a;
a v0 = v2.e;
if(v0 != null) {
v0.a(b.a(v2));
}
}
}
...
...
...
}public class b extends FrameLayout {
public class com.miui.zeus.mimo.sdk.ad.banner.b$1 implements View$OnClickListener {
public com.miui.zeus.mimo.sdk.ad.banner.b$1(b arg1) {
this.a = arg1;
super();
}
public void onClick(View arg2) {
b v2 = this.a;
a v0 = v2.e;
if(v0 != null) {
v0.a(b.a(v2));
}
}
}
...
...
...
}//com.miui.zeus.mimo.sdk.ad.banner.b
private void a(View arg3) { if(this.d()) {
this.b = arg3.findViewById(l.c("mimo_banner_view_summary"));
this.f = arg3.findViewById(l.c("mimo_banner_border"));
Glide.with(this.i).load(Integer.valueOf(l.b("mimo_banner_border"))).into(this.f);
this.k = arg3.findViewById(l.c("mimo_banner_view_flipper"));
}
else {
this.a = arg3.findViewById(l.c("mimo_banner_view_image"));
}
this.c = arg3.findViewById(l.c("mimo_banner_view_ad_mark"));
this.d = arg3.findViewById(l.c("mimo_banner_view_close"));
this.h = new d();
this.d.setOnClickListener(new View$OnClickListener() {
public void onClick(View arg1) {
a v1 = this.a.e;
if(v1 != null) {
v1.b();
}
}
});
((FrameLayout)this).setOnClickListener(this.g);
}
//com.miui.zeus.mimo.sdk.ad.banner.b
private void a(View arg3) { if(this.d()) {
this.b = arg3.findViewById(l.c("mimo_banner_view_summary"));
this.f = arg3.findViewById(l.c("mimo_banner_border"));
Glide.with(this.i).load(Integer.valueOf(l.b("mimo_banner_border"))).into(this.f);
this.k = arg3.findViewById(l.c("mimo_banner_view_flipper"));
}
else {
this.a = arg3.findViewById(l.c("mimo_banner_view_image"));
}
this.c = arg3.findViewById(l.c("mimo_banner_view_ad_mark"));
this.d = arg3.findViewById(l.c("mimo_banner_view_close"));
this.h = new d();
this.d.setOnClickListener(new View$OnClickListener() {
public void onClick(View arg1) {
a v1 = this.a.e;
if(v1 != null) {
v1.b();
}
}
});
((FrameLayout)this).setOnClickListener(this.g);
}
//com.miui.zeus.mimo.sdk.ad.banner.b
public void a(c arg3) { this.m = arg3;
int v0 = com.miui.zeus.mimo.sdk.utils.a.a(arg3.Y());
this.j = v0;
if(v0 == 0) {
this.j = l.a("mimo_banner_view_layout");
}
this.a(LayoutInflater.from(this.i).inflate(this.j, ((ViewGroup)this)));
String v3 = arg3.M();
if(TextUtils.isEmpty(((CharSequence)v3))) {
this.b();
return;
}
this.a(v3);
}
//com.miui.zeus.mimo.sdk.ad.banner.b
public void a(c arg3) { this.m = arg3;
int v0 = com.miui.zeus.mimo.sdk.utils.a.a(arg3.Y());
this.j = v0;
if(v0 == 0) {
this.j = l.a("mimo_banner_view_layout");
}
this.a(LayoutInflater.from(this.i).inflate(this.j, ((ViewGroup)this)));
String v3 = arg3.M();
if(TextUtils.isEmpty(((CharSequence)v3))) {
this.b();
return;
}
this.a(v3);
}
//com.miui.zeus.mimo.sdk.ad.banner
public void a(com.miui.zeus.mimo.sdk.server.api.c arg3, ViewGroup arg4, BannerInteractionListener arg5) { this.l = System.currentTimeMillis();
String v0 = "BannerUIController";
j.a(v0, "showBanner");
this.e = arg3;
this.h = arg5;
if(arg3 == null) {
this.a(com.miui.zeus.mimo.sdk.utils.error.a.e.au, com.miui.zeus.mimo.sdk.utils.error.a.e.av);
j.b(v0, "Empty splash ad info view arguments");
return;
}
this.f = arg4;
this.c.post(new Runnable(arg3) {
public void run() {
try {
c.a(this.b, new b(c.a(this.b)));
c.b(this.b).a(this.b);
c.b(this.b).a(this.a);
}
catch(Exception v0) {
j.b("BannerUIController", "Failed to create view", ((Throwable)v0));
this.b.a();
}
}
});
}
//com.miui.zeus.mimo.sdk.ad.banner
public void a(com.miui.zeus.mimo.sdk.server.api.c arg3, ViewGroup arg4, BannerInteractionListener arg5) { this.l = System.currentTimeMillis();
String v0 = "BannerUIController";
j.a(v0, "showBanner");
this.e = arg3;
this.h = arg5;
if(arg3 == null) {
this.a(com.miui.zeus.mimo.sdk.utils.error.a.e.au, com.miui.zeus.mimo.sdk.utils.error.a.e.av);
j.b(v0, "Empty splash ad info view arguments");
return;
}
this.f = arg4;
this.c.post(new Runnable(arg3) {
public void run() {
try {
c.a(this.b, new b(c.a(this.b)));
c.b(this.b).a(this.b);
c.b(this.b).a(this.a);
}
catch(Exception v0) {
j.b("BannerUIController", "Failed to create view", ((Throwable)v0));
this.b.a();
}
}
});
}
//com.miui.zeus.mimo.sdk.ad.banner
public void a(ViewGroup arg3, BannerInteractionListener arg4) { this.f = arg3;
b v3 = new b(this, arg4);
this.q = v3;
this.g.a(this.d, this.f, ((BannerInteractionListener)v3));
}//com.miui.zeus.mimo.sdk.ad.banner
public void a(ViewGroup arg3, BannerInteractionListener arg4) { this.f = arg3;
b v3 = new b(this, arg4);
this.q = v3;
this.g.a(this.d, this.f, ((BannerInteractionListener)v3));
}//com.miui.zeus.mimo.sdk.BannerAd
public void showAd(ViewGroup arg3, BannerInteractionListener arg4) { if(arg3 == null) {
j.b("BannerAd", "showAd failed, container can not be null");
}
this.mAdImpl.a(arg3, arg4);
}
//com.miui.zeus.mimo.sdk.BannerAd
public void showAd(ViewGroup arg3, BannerInteractionListener arg4) { if(arg3 == null) {
j.b("BannerAd", "showAd failed, container can not be null");
}
this.mAdImpl.a(arg3, arg4);
}
public void onBannerAdLoadSuccess() { String v0 = "MiMoAdBannerAdapter";
MLog.w(v0, "load banner ad success ,start render");
if(MiMoAdBannerAdapter.access$100(this.a) != null) {
MLog.w(v0, "start show banner ad");
MiMoAdBannerAdapter.access$100(this.a).showAd(MiMoAdBannerAdapter.access$200(this.a), MiMoAdBannerAdapter.access$300(this.a));
}
else {
MLog.w(v0, "load banner ad success,but banner ad is null");
this.a.notifyLoadError(new MMAdError(-2000));
this.a.trackDspLoad(String.valueOf(-2000), null);
}
}public void onBannerAdLoadSuccess() { String v0 = "MiMoAdBannerAdapter";
MLog.w(v0, "load banner ad success ,start render");
if(MiMoAdBannerAdapter.access$100(this.a) != null) {
MLog.w(v0, "start show banner ad");
MiMoAdBannerAdapter.access$100(this.a).showAd(MiMoAdBannerAdapter.access$200(this.a), MiMoAdBannerAdapter.access$300(this.a));
}
else {
MLog.w(v0, "load banner ad success,but banner ad is null");
this.a.notifyLoadError(new MMAdError(-2000));
this.a.trackDspLoad(String.valueOf(-2000), null);
}
}//com.xiaomi.ad.mediation.mimo.MiMoAdBannerAdapter
public void loadAndShow(AdInternalConfig arg1, AdLoadAndShowListener arg2, AdLoadAndShowInteractionListener arg3) { super.loadAndShow(arg1, arg2, arg3);
AndroidUtils.runOnMainThread(this.mMainHandler, new MiMoAdBannerAdapter$a(this, arg1));
}
//com.xiaomi.ad.mediation.mimo.MiMoAdBannerAdapter
public void loadAndShow(AdInternalConfig arg1, AdLoadAndShowListener arg2, AdLoadAndShowInteractionListener arg3) { super.loadAndShow(arg1, arg2, arg3);
AndroidUtils.runOnMainThread(this.mMainHandler, new MiMoAdBannerAdapter$a(this, arg1));
}
public class MiMoAdBannerAdapter$a implements Runnable {
public MiMoAdBannerAdapter$a(MiMoAdBannerAdapter arg1, AdInternalConfig arg2) {
this.b = arg1;
this.a = arg2;
super();
}
public void run() {
this.b.loadBannerAd(this.a);
}
}public class MiMoAdBannerAdapter$a implements Runnable {
public MiMoAdBannerAdapter$a(MiMoAdBannerAdapter arg1, AdInternalConfig arg2) {
this.b = arg1;
this.a = arg2;
super();
}
public void run() {
this.b.loadBannerAd(this.a);
}
}java -jar ~/env/baksmali-2.5.2.jar d classes2.dex
cd out/com/miui/zeus/mimo/sdk/ad/banner
vim a\$3.smali
//去掉invoke-virtual。相当于run()函数什么都没有做
java -jar ~/env/baksmali-2.5.2.jar d classes2.dex
cd out/com/miui/zeus/mimo/sdk/ad/banner
vim a\$3.smali
//去掉invoke-virtual。相当于run()函数什么都没有做
admin@C02D7132MD6R bin % adb shell dumpsys activity activities
ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)Display #0 (activities from top to bottom):
Stack #1:
...
...
* Hist #1: ActivityRecord{1f34e49 u0 com.outfit7.mytalkingtomfree/com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity t3}
packageName=com.outfit7.mytalkingtomfree processName=com.outfit7.mytalkingtomfree
launchedFromUid=10139 launchedFromPackage=com.outfit7.mytalkingtomfree userId=0
app=ProcessRecord{382ce36 4930:com.outfit7.mytalkingtomfree/u0a139}
Intent { cmp=com.outfit7.mytalkingtomfree/com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity (has extras) }
...
...
resizeMode=RESIZE_MODE_RESIZEABLE
* Hist #0: ActivityRecord{64ced92 u0 com.outfit7.mytalkingtomfree/com.jinke.Main t3}
packageName=com.outfit7.mytalkingtomfree processName=com.outfit7.mytalkingtomfree
launchedFromUid=10139 launchedFromPackage=com.outfit7.mytalkingtomfree userId=0
app=ProcessRecord{382ce36 4930:com.outfit7.mytalkingtomfree/u0a139}
Intent { flg=0x10000000 cmp=com.outfit7.mytalkingtomfree/com.jinke.Main (has extras) }
admin@C02D7132MD6R bin % adb shell dumpsys activity activities
ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)Display #0 (activities from top to bottom):
Stack #1:
...
...
* Hist #1: ActivityRecord{1f34e49 u0 com.outfit7.mytalkingtomfree/com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity t3}
packageName=com.outfit7.mytalkingtomfree processName=com.outfit7.mytalkingtomfree
launchedFromUid=10139 launchedFromPackage=com.outfit7.mytalkingtomfree userId=0
app=ProcessRecord{382ce36 4930:com.outfit7.mytalkingtomfree/u0a139}
Intent { cmp=com.outfit7.mytalkingtomfree/com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity (has extras) }
...
...
resizeMode=RESIZE_MODE_RESIZEABLE
* Hist #0: ActivityRecord{64ced92 u0 com.outfit7.mytalkingtomfree/com.jinke.Main t3}
packageName=com.outfit7.mytalkingtomfree processName=com.outfit7.mytalkingtomfree
launchedFromUid=10139 launchedFromPackage=com.outfit7.mytalkingtomfree userId=0
app=ProcessRecord{382ce36 4930:com.outfit7.mytalkingtomfree/u0a139}
Intent { flg=0x10000000 cmp=com.outfit7.mytalkingtomfree/com.jinke.Main (has extras) }
//com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity
private void k() { int v0 = com.miui.zeus.mimo.sdk.utils.a.c(this.i.Y());
if(v0 == 0) {
v0 = l.a("mimo_reward_view_end_page_landscape");
}
this.h = LayoutInflater.from(((Context)this)).inflate(v0, this.g, true);
String v0_1 = this.i.M();
String v1 = this.i.L();
Bitmap v0_2 = BitmapFactory.decodeFile(v0_1, this.o);
Bitmap v1_1 = BitmapFactory.decodeFile(v1, this.o);
this.h.findViewById(l.c("mimo_reward_flv_video")).setImageBitmap(v0_2);
this.h.findViewById(l.c("mimo_reward_icon")).setImageBitmap(v1_1);
this.h.findViewById(l.c("mimo_reward_title")).setText(this.i.h());
this.h.findViewById(l.c("mimo_reward_summary")).setText(this.i.g());
this.h.findViewById(l.c("mimo_reward_dsp")).setText(this.i.i());
View v0_3 = this.h.findViewById(l.c("mimo_reward_jump_btn"));
((TextView)v0_3).setText(this.i.O());
b v1_2 = new b();
this.y = v1_2;
((com.miui.zeus.mimo.sdk.anim.a)v1_2).b(v0_3).a(1200).a(-1).b(1).a(new AccelerateDecelerateInterpolator()).c();
this.h.findViewById(l.c("mimo_reward_close_img")).setOnClickListener(((View$OnClickListener)this));
this.g.setOnClickListener(((View$OnClickListener)this));
}//com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity
private void k() { int v0 = com.miui.zeus.mimo.sdk.utils.a.c(this.i.Y());
if(v0 == 0) {
v0 = l.a("mimo_reward_view_end_page_landscape");
}
this.h = LayoutInflater.from(((Context)this)).inflate(v0, this.g, true);
String v0_1 = this.i.M();
String v1 = this.i.L();
Bitmap v0_2 = BitmapFactory.decodeFile(v0_1, this.o);
Bitmap v1_1 = BitmapFactory.decodeFile(v1, this.o);
this.h.findViewById(l.c("mimo_reward_flv_video")).setImageBitmap(v0_2);
this.h.findViewById(l.c("mimo_reward_icon")).setImageBitmap(v1_1);
this.h.findViewById(l.c("mimo_reward_title")).setText(this.i.h());
this.h.findViewById(l.c("mimo_reward_summary")).setText(this.i.g());
this.h.findViewById(l.c("mimo_reward_dsp")).setText(this.i.i());
View v0_3 = this.h.findViewById(l.c("mimo_reward_jump_btn"));
((TextView)v0_3).setText(this.i.O());
b v1_2 = new b();
this.y = v1_2;
((com.miui.zeus.mimo.sdk.anim.a)v1_2).b(v0_3).a(1200).a(-1).b(1).a(new AccelerateDecelerateInterpolator()).c();
this.h.findViewById(l.c("mimo_reward_close_img")).setOnClickListener(((View$OnClickListener)this));
this.g.setOnClickListener(((View$OnClickListener)this));
}//com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity
private void p() { int v0;
if(this.i.c()) {
this.n();
if(!TextUtils.isEmpty(this.i.u())) {
v0 = 1;
}
else {
goto label_11;
}
}
else {
label_11:
v0 = 0;
}
if(v0 != 0) {
this.m();
}
else {
this.f.setVisibility(8);
this.k.setVisibility(8);
this.g.setVisibility(0);
b v0_1 = this.y;
if(v0_1 != null) {
((com.miui.zeus.mimo.sdk.anim.a)v0_1).c();
}
ViewFlipper v0_2 = this.u;
if(v0_2 != null) {
v0_2.stopFlipping();
}
com.miui.zeus.mimo.sdk.utils.analytics.b.a(this.i.m(), this.i, "END_PAGE_VIEW", "load_success", 0, "");
}
}//com.miui.zeus.mimo.sdk.ad.reward.RewardVideoAdActivity
private void p() { int v0;
if(this.i.c()) {
this.n();
if(!TextUtils.isEmpty(this.i.u())) {
v0 = 1;
}
else {
goto label_11;
}
}
else {
label_11:
v0 = 0;
}
if(v0 != 0) {
this.m();
}
else {
this.f.setVisibility(8);
this.k.setVisibility(8);
this.g.setVisibility(0);
b v0_1 = this.y;
if(v0_1 != null) {
((com.miui.zeus.mimo.sdk.anim.a)v0_1).c();
}
ViewFlipper v0_2 = this.u;
if(v0_2 != null) {
v0_2.stopFlipping();
}
com.miui.zeus.mimo.sdk.utils.analytics.b.a(this.i.m(), this.i, "END_PAGE_VIEW", "load_success", 0, "");
}
}public class com.miui.zeus.mimo.sdk.video.TextureVideoView$3 implements MediaPlayer$OnCompletionListener {
public com.miui.zeus.mimo.sdk.video.TextureVideoView$3(TextureVideoView arg1) {
this.a = arg1;
super();
}
public void onCompletion(MediaPlayer arg2) {
TextureVideoView.c(this.a, 5);
TextureVideoView.d(this.a, 5);
if(TextureVideoView.e(this.a) != null) {
TextureVideoView.e(this.a).hide();
}
if(TextureVideoView.h(this.a) != null) {
TextureVideoView.h(this.a).onCompletion(TextureVideoView.d(this.a));
}
}
}public class com.miui.zeus.mimo.sdk.video.TextureVideoView$3 implements MediaPlayer$OnCompletionListener {
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2021-6-17 12:32
被whulzz编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
谢谢大佬 |
|
|
|
|
|
|
|
|
 凭第一感觉逆,可能其他大佬还有骚手段
|
|
|
|
|
|
|
|
|
牛
|
|
|
|
|
|
|
|
|
|
|
|
跟着大佬学习一下,pretendCompleteMediaPlayer的定义在??
 TalkingTomHacker的定义在??@Override public void callActivityOnDestroy(Activity activity) { mOrigin.callActivityOnDestroy(activity); TalkingTomHacker.afterCreateActivity(activity); } 是不是贴错了?? 注入Instrumentation的代码结构是怎样的??只看到一些局部不知道整体注入代码是怎样的。  还望大佬赐教  
|
|
|
https://github.com/whulzz1993/AndroidDemo/blob/master/hack/src/main/java/com/hack/core/PluginManager.java |
|
|
|
