-
-
[原创]安卓日记_android第一个程序编写与破解
-
2022-10-8 09:55
-
前言
希望可以结识对安卓安全及逆向破解感兴趣的朋友。此为学习笔记,参考于会飞的丑小鸭。他的博客地址为https://blog.csdn.net/ASSYIRAN
https://www.52pojie.cn/home.php?mod=space&uid=619334
正向程序设计
MainActivity.xml
最简化的一个登录activity
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | <?xml version="1.0" encoding="utf-8"?><LinearLayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:layout_width="match_parent" android:layout_height="match_parent" tools:context=".MainActivity" android:orientation="vertical"> <TextView android:id="@+id/Tv_login" android:layout_width="match_parent" android:layout_height="50dp" android:text="登录界面" android:gravity="center" android:layout_marginTop="300dp" /> <EditText android:id="@+id/Et_Username" android:layout_width="match_parent" android:layout_height="50dp" android:textSize="16sp" android:textColor="@color/black" android:hint="用户名" android:maxLines="1" android:padding="5sp" android:layout_marginTop="10dp"/> <EditText android:id="@+id/Et_Password" android:layout_width="match_parent" android:layout_height="50dp" android:textSize="16sp" android:textColor="@color/black" android:hint="密 码" android:maxLines="1" android:padding="5sp" android:inputType="textPassword" android:layout_marginTop="5dp" /> <Button android:id="@+id/Btn_Login" android:layout_width="100dp" android:layout_height="50dp" android:text="登录" android:layout_gravity="center"/></LinearLayout> |
效果是这样子
MainActivity.java
获取Edit控件中的用户名和密码,如果用户名为ymt 同时密码为123456 才能弹出登录成功。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | package com.example.ni0822;import android.support.v7.app.AppCompatActivity;import android.os.Bundle;import android.view.View;import android.widget.Button;import android.widget.EditText;import android.widget.Toast;public class MainActivity extends AppCompatActivity { //定义控件 EditText Username; EditText Password; Button Login; @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); //找到控件 Username = findViewById(R.id.Et_Username); Password = findViewById(R.id.Et_Password); Login = findViewById(R.id.Btn_Login); //对登录按钮设置监听事件 Login.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View view) { check(Username.getText().toString().trim(),Password.getText().toString().trim());//调用check函数 } }); } private void check(String username, String password) { if (username.equals("ymt") && password.equals("123456")){ Toast.makeText(MainActivity.this,"登录成功",Toast.LENGTH_SHORT).show(); }else{ Toast.makeText(MainActivity.this,"登录失败",Toast.LENGTH_SHORT).show(); } }} |
逆向程序破解
将编译生成的apk拖入Android Killer中。
反编译
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | 当前 Apktool 使用版本:Android Killer Default APKTOOL正在反编译 APK,请稍等...>I: Using Apktool 2.6.1 on app-debug.apk>I: Loading resource table...>I: Decoding AndroidManifest.xml with resources...>I: Loading resource table from file: C:\Users\yangmutou\AppData\Local\apktool\framework\1.apk>I: Regular manifest package...>I: Decoding file-resources...>I: Decoding values */* XMLs...>I: Baksmaling classes.dex...>I: Copying assets and libs...>I: Copying unknown files...>I: Copying original files...APK 反编译完成!正在反编译 APK 源码,请稍等...>dex2jar E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\app-debug\ProjectSrc\classes.dex -> .\classes-dex2jar.jar>Detail Error Information in File .\classes-error.zip>Please report this file to http://code.google.com/p/dex2jar/issues/entry if possible.APK 源码反编译完成!正在提取 APK 源码,请稍等...APK 源码提取完成!---------------------------APK 所有反编译工作全部完成!!!---------------------------正在对当前工程进行分析,这将有助于您更加方便快捷的了解当前工程的信息!正在分析中,请稍等...该 APK 未检测到其他信息分析完成! |
查看入口类中的MainActivity.smali代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 | .class public Lcom/example/ni0822/MainActivity; #对应于apk中的 MainActivity.java中的 public class MainActivity.super Landroid/support/v7/app/AppCompatActivity; #对应于apk中的 MainActivity.java中的 extends AppCompatActivity.source "MainActivity.java" #对应于apk中的 MainActivity.java# instance fields #定义控件.field Login:Landroid/widget/Button;.field Password:Landroid/widget/EditText;.field Username:Landroid/widget/EditText;# direct methods.method public constructor <init>()V .locals 0 .line 10 invoke-direct {p0}, Landroid/support/v7/app/AppCompatActivity;-><init>()V return-void.end method.method static synthetic access$000(Lcom/example/ni0822/MainActivity;Ljava/lang/String;Ljava/lang/String;)V .locals 0 #定义局部变量 .param p0, "x0" # Lcom/example/ni0822/MainActivity; .param p1, "x1" # Ljava/lang/String; .param p2, "x2" # Ljava/lang/String; .line 10 invoke-direct {p0, p1, p2}, Lcom/example/ni0822/MainActivity;->check(Ljava/lang/String;Ljava/lang/String;)V return-void.end method.method private check(Ljava/lang/String;Ljava/lang/String;)V #check函数 .locals 2 #check函数中的两个参数 .param p1, "username" # Ljava/lang/String; .param p2, "password" # Ljava/lang/String; .line 34 const-string v0, "ymt" invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z#函数equals,相等返回true即1,不相等返回flase即0 move-result v0 #返回的结果赋值给v0 const/4 v1, 0x0 if-eqz v0, :cond_0 #如果v0==0,(即不相等的话)就跳转到cond_0处执行代码, cond_0为弹出登录失败 const-string v0, "123456" invoke-virtual {p2, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z#函数equals,相等返回true即1,不相等返回flase即0 move-result v0 #返回的结果赋值给v0 if-eqz v0, :cond_0 #如果v0==0,(即不相等的话)就跳转到cond_0处执行代码, cond_0为弹出登录失败 .line 35 const-string v0, "\u767b\u5f55\u6210\u529f" #登录成功 invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; #调用带参数的静态方法 move-result-object v0 invoke-virtual {v0}, Landroid/widget/Toast;->show()V #Toast.makeText(MainActivity.this,"登录成功",Toast.LENGTH_SHORT).show(); goto :goto_0 #跳转到goto_0处执行代码, goto_0为函数返回 .line 37 :cond_0 const-string v0, "\u767b\u5f55\u5931\u8d25" invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; move-result-object v0 invoke-virtual {v0}, Landroid/widget/Toast;->show()V#Toast.makeText(MainActivity.this,"登录失败",Toast.LENGTH_SHORT).show(); .line 39 :goto_0 return-void.end method# virtual methods.method protected onCreate(Landroid/os/Bundle;)V #protected void onCreate(Bundle savedInstanceState) .locals 2 .param p1, "savedInstanceState" # Landroid/os/Bundle; .line 18 #super.onCreate(savedInstanceState); invoke-super {p0, p1}, Landroid/support/v7/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V .line 19 const v0, 0x7f09001c #setContentView(R.layout.activity_main); invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->setContentView(I)V .line 21 #Username = findViewById(R.id.Et_Username); const v0, 0x7f070004 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/EditText; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Username:Landroid/widget/EditText; .line 22 #Password = findViewById(R.id.Et_Password); const v0, 0x7f070003 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/EditText; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Password:Landroid/widget/EditText; .line 23 #Login = findViewById(R.id.Btn_Login); const v0, 0x7f070001 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/Button; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Login:Landroid/widget/Button; .line 25 #Login.setOnClickListener(new View.OnClickListener() new-instance v1, Lcom/example/ni0822/MainActivity$1; invoke-direct {v1, p0}, Lcom/example/ni0822/MainActivity$1;-><init>(Lcom/example/ni0822/MainActivity;)V invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V .line 31 return-void.end method |
大致的逻辑是获取Edit控件中的用户名和密码,如果用户名为ymt 同时密码为123456 才能弹出登录成功。
当然这个程序是写的一个最简化的demo,如何让程序不论输入什么都弹出登录成功呢。
Java equals() 方法 | 菜鸟教程 (runoob.com)
暂时有三种方案
- 将用户名比较以及密码比较的的if-eqz v0, :cond_0 的smali代码改为if-nez v0, :cond_0,让其不为0(即为1即为输入相等)的时候跳转到登录失败,反之不会进行跳转就会执行到登录成功的代码.
- 将用户名比较以及密码比较的的if-eqz v0, :cond_0 的smali代码直接删掉,这样就不会进行跳转了,便会执行到登录成功的代码,内行!!!
- 在check函数中添加goto代码,让其在比较用户名/密码之前直接跳转到登录成功的地方。
编译报错
1 2 3 4 5 6 7 8 9 | 当前 Apktool 使用版本:Android Killer Default APKTOOL正在编译 APK,请稍等...>I: Using Apktool 2.6.1>I: Smaling smali folder into classes.dex...>I: Building resources...>W: E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\app-debug\Project\res\layout-v26\abc_screen_toolbar.xml:5: error: No resource identifier found for attribute 'keyboardNavigationCluster' in package 'android'>W: >brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [C:\Users\yangmutou\AppData\Local\Temp\brut_util_Jar_16382895022893023606392608352829872330.tmp, p, --forced-package-id, 127, --min-sdk-version, 16, --target-sdk-version, 32, --version-code, 1, --version-name, 1.0, --no-version-vectors, -F, C:\Users\yangmutou\AppData\Local\Temp\APKTOOL3488050684730216472.tmp, -e, C:\Users\yangmutou\AppData\Local\Temp\APKTOOL9730365376095588790.tmp, -0, arsc, -I, C:\Users\yangmutou\AppData\Local\apktool\framework\1.apk, -S, E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\app-debug\Project\res, -M, E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\app-debug\Project\AndroidManifest.xml]APK 编译失败,无法继续下一步签名! |
成功解决
1 2 | \AndroidKiller_v1.3.1\bin\apktool\apktool>java -jar ShakaApktool.jar empty-framework-dirI: Removing 1.apk framework file... |
参考
编译成功
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | 当前 Apktool 使用版本:Android Killer Default APKTOOL正在编译 APK,请稍等...>I: Using Apktool 2.6.1>I: Smaling smali folder into classes.dex...>I: Building resources...>I: Building apk file...>I: Copying unknown files/dir...>I: Built apk...APK 编译完成!正在对 APK 进行签名,请稍等...>Exception in thread "main" java.lang.NoClassDefFoundError: sun/misc/BASE64Encoder> at com.android.signapk.SignApk.addDigestsToManifest(SignApk.java:169)> at com.android.signapk.SignApk.main(SignApk.java:325)>Caused by: java.lang.ClassNotFoundException: sun.misc.BASE64Encoder //高于jdk8后不在有这个方法了> at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)> at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)> at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)> ... 2 moreAPK 签名完成!---------------------------APK 所有编译工作全部完成!!!生成路径:file:E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\app-debug\Bin\app-debug_killer.apk |
但是安装不成功,报错如下
1 | Failed to parse /data/local/tmp/app-debug killer.apk |
解决办法,把AK的jdk11换成jkd8即可
然后就安装正常了。(奇奇怪怪,AS写apk的时候用的明明是jdk11)
这里只贴下方案3吧,一二很简单。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 | .class public Lcom/example/ni0822/MainActivity; #对应于apk中的 MainActivity.java中的 public class MainActivity.super Landroid/support/v7/app/AppCompatActivity; #对应于apk中的 MainActivity.java中的 extends AppCompatActivity.source "MainActivity.java" #对应于apk中的 MainActivity.java# instance fields #定义控件.field Login:Landroid/widget/Button;.field Password:Landroid/widget/EditText;.field Username:Landroid/widget/EditText;# direct methods.method public constructor <init>()V .locals 0 .line 10 invoke-direct {p0}, Landroid/support/v7/app/AppCompatActivity;-><init>()V return-void.end method.method static synthetic access$000(Lcom/example/ni0822/MainActivity;Ljava/lang/String;Ljava/lang/String;)V .locals 0 #定义局部变量 .param p0, "x0" # Lcom/example/ni0822/MainActivity; .param p1, "x1" # Ljava/lang/String; .param p2, "x2" # Ljava/lang/String; .line 10 invoke-direct {p0, p1, p2}, Lcom/example/ni0822/MainActivity;->check(Ljava/lang/String;Ljava/lang/String;)V return-void.end method.method private check(Ljava/lang/String;Ljava/lang/String;)V #check函数 .locals 2 #check函数中的两个参数 .param p1, "username" # Ljava/lang/String; .param p2, "password" # Ljava/lang/String; .line 34 const-string v0, "ymt" invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z #函数equals,相等返回true即1,不相等返回flase即0 move-result v0 #返回的结果赋值给v0 const/4 v1, 0x0 goto :goto_3 if-eqz v0, :cond_0 #如果v0==0,(即不相等的话)就跳转到cond_0处执行代码, cond_0为弹出登录失败 const-string v0, "123456" invoke-virtual {p2, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z #函数equals,相等返回true即1,不相等返回flase即0 move-result v0 #返回的结果赋值给v0 if-eqz v0, :cond_0 #如果v0==0,(即不相等的话)就跳转到cond_0处执行代码, cond_0为弹出登录失败 .line 35 :goto_3 const-string v0, "\u767b\u5f55\u6210\u529f" #登录成功 invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; #调用带参数的静态方法 move-result-object v0 invoke-virtual {v0}, Landroid/widget/Toast;->show()V #Toast.makeText(MainActivity.this,"登录成功",Toast.LENGTH_SHORT).show(); goto :goto_0 #跳转到goto_0处执行代码, goto_0为函数返回 .line 37 :cond_0 const-string v0, "\u767b\u5f55\u5931\u8d25" invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; move-result-object v0 invoke-virtual {v0}, Landroid/widget/Toast;->show()V #Toast.makeText(MainActivity.this,"登录失败",Toast.LENGTH_SHORT).show(); .line 39 :goto_0 return-void.end method# virtual methods.method protected onCreate(Landroid/os/Bundle;)V #protected void onCreate(Bundle savedInstanceState) .locals 2 .param p1, "savedInstanceState" # Landroid/os/Bundle; .line 18 #super.onCreate(savedInstanceState); invoke-super {p0, p1}, Landroid/support/v7/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V .line 19 const v0, 0x7f09001c #setContentView(R.layout.activity_main); invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->setContentView(I)V .line 21 #Username = findViewById(R.id.Et_Username); const v0, 0x7f070004 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/EditText; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Username:Landroid/widget/EditText; .line 22 #Password = findViewById(R.id.Et_Password); const v0, 0x7f070003 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/EditText; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Password:Landroid/widget/EditText; .line 23 #Login = findViewById(R.id.Btn_Login); const v0, 0x7f070001 invoke-virtual {p0, v0}, Lcom/example/ni0822/MainActivity;->findViewById(I)Landroid/view/View; move-result-object v0 check-cast v0, Landroid/widget/Button; iput-object v0, p0, Lcom/example/ni0822/MainActivity;->Login:Landroid/widget/Button; .line 25 #Login.setOnClickListener(new View.OnClickListener() new-instance v1, Lcom/example/ni0822/MainActivity$1; invoke-direct {v1, p0}, Lcom/example/ni0822/MainActivity$1;-><init>(Lcom/example/ni0822/MainActivity;)V invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V .line 31 return-void.end method |
成功.(这里我其实卡了挺长时间的,就是第一次我是把第49行的代码上面空了一行,在回编安装后发现没有起作用,奇奇怪怪,但删掉空行后就可以了,没有多次尝试,这里单纯记录一下)
参考
【 】《教我兄弟学Android逆向02 破解第一个Android程序 》 - 『移动安全区』 - 吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn
滚动的天空破解
刚开始15个小球
一局消耗一个
没有了之后点击获取
- 60秒恢复10个小球
花钱购买(想都别想)
反编译
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | 当前 Apktool 使用版本:Android Killer Default APKTOOL正在反编译 APK,请稍等...>I: Using Apktool 2.6.1 on 滚动的天空_1.1.0.140.apk>I: Loading resource table...>I: Decoding AndroidManifest.xml with resources...>I: Loading resource table from file: C:\Users\yangmutou\AppData\Local\apktool\framework\1.apk>I: Regular manifest package...>I: Decoding file-resources...>I: Decoding values */* XMLs...>I: Baksmaling classes.dex...>I: Copying assets and libs...>I: Copying unknown files...>I: Copying original files...APK 反编译完成!正在反编译 APK 源码,请稍等...>dex2jar E:\binary_safe\逆向\Android_Tools\AndroidKiller_v1.3.1\projects\滚动的天空_1.1.0.140\ProjectSrc\classes.dex -> .\classes-dex2jar.jarAPK 源码反编译完成!正在提取 APK 源码,请稍等...APK 源码提取完成!---------------------------APK 所有反编译工作全部完成!!!---------------------------正在对当前工程进行分析,这将有助于您更加方便快捷的了解当前工程的信息!正在分析中,请稍等...该 APK 基于 Unity3D分析完成! |
oppo的支付adk
把支付成功的函数复制一份然后把支付失败的函数给覆盖掉
(注意,这里不要把支付失败的函数名给替换掉)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 | .method public onSuccess(Ljava/lang/String;)V .locals 3 .prologue .line 101 const-string v0, "lx" new-instance v1, Ljava/lang/StringBuilder; invoke-direct {v1}, Ljava/lang/StringBuilder;-><init>()V const-string v2, "onSuccess--->\u652f\u4ed8\u6210\u529f---resultMsg:" #支付成功 invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v1 invoke-virtual {v1, p1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder; move-result-object v1 invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String; move-result-object v1 invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I .line 103 iget-object v0, p0, Lcom/turbochilli/rollingsky/pay/OppPay$2$1;->this$1:Lcom/turbochilli/rollingsky/pay/OppPay$2; iget-object v0, v0, Lcom/turbochilli/rollingsky/pay/OppPay$2;->val$mPayCallback:Lcom/turbochilli/rollingsky/pay/PayCallback; if-eqz v0, :cond_0 .line 104 invoke-static {}, Lcom/turbochilli/rollingsky/c;->a()Lcom/turbochilli/rollingsky/c; move-result-object v0 invoke-virtual {v0}, Lcom/turbochilli/rollingsky/c;->h()Lcom/turbochilli/rollingsky/c$b; move-result-object v0 iget-object v1, p0, Lcom/turbochilli/rollingsky/pay/OppPay$2$1;->this$1:Lcom/turbochilli/rollingsky/pay/OppPay$2; iget-object v1, v1, Lcom/turbochilli/rollingsky/pay/OppPay$2;->val$orderId:Ljava/lang/String; invoke-interface {v0, v1}, Lcom/turbochilli/rollingsky/c$b;->b(Ljava/lang/String;)V .line 105 iget-object v0, p0, Lcom/turbochilli/rollingsky/pay/OppPay$2$1;->this$1:Lcom/turbochilli/rollingsky/pay/OppPay$2; iget-object v0, v0, Lcom/turbochilli/rollingsky/pay/OppPay$2;->val$mPayCallback:Lcom/turbochilli/rollingsky/pay/PayCallback; iget-object v1, p0, Lcom/turbochilli/rollingsky/pay/OppPay$2$1;->this$1:Lcom/turbochilli/rollingsky/pay/OppPay$2; iget-object v1, v1, Lcom/turbochilli/rollingsky/pay/OppPay$2;->val$iProduct:Lcom/turbochilli/rollingsky/pay/IProduct; const/16 v2, 0xc invoke-interface {v0, v1, v2}, Lcom/turbochilli/rollingsky/pay/PayCallback;->onSendOrderInfo(Lcom/turbochilli/rollingsky/pay/IProduct;I)V .line 107 :cond_0 return-void.end method |
覆盖后长这个样子
参考:
【新提醒】安卓游戏内购破解之滚动的天空 - 『移动安全区』 - 吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn
这里看吾爱上的操作楼主是把函数名也给覆盖了,有些不明白了,我试了下,点击返回就游戏停止运行了,评论区里也有是这样的,感觉楼主的有些奇怪,不应该覆盖函数名啊,于是尝试不覆盖支付失败函数名成功了。不过不得不说,吾爱的评论区还是很值得去看的。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工 作,每周日13:00-18:00直播授课
安卓安全
(单选)
安卓安全
(3 票,100%)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
