Full-process cracking analysis of Fishing Talents 1.01, Fishing 1.01
Preface
In the first version I did a simple analysis of Fishing Talents; for details see http://blog.sina.com.cn/s/blog_92b6d74d0102uyz1.html. I expected the second version to be similar, but I still ran into various problems when I worked on it. With guidance from my friend @Sunday I worked through it step by step and recorded the process, adding some new material in this post.
Dump dex
The problem encountered in this step: when the process finishes, the dump is decompiled into .smali files. Even if the dumped smali folder is incomplete, it can still be used. In fact, many of the smali files we normally get from decompilation are unused and dispensable; some exist only as fallbacks, and some are redundant third-party SDK code. So when you notice that the dumped smali files are incomplete, extract them and try anyway. If the build succeeds, you are halfway there.
Repair
During the rebuild, the same errors as in the first version occur, and they can be fixed the same way. After installing and running, the app crashes. At first I did not think to check the program's log and assumed the crash was caused by an incomplete dump. With @Sunday's reminder, one glance at LogCat made it clear.
The keyword "fuck exit1" appeared in the log, but I did not know which file it came from, so I used Notepad++ whole-word search across the entire folder. It is found in libfishingjoy3.so in two folders, armeabi and armeabi-v7a, which correspond to different CPU instruction sets. Ghost brother's approach is to delete the -v7a folder and modify only the armeabi one. Here we will not be lazy. Launch IDA:
00200C30 00D0 // change to 00EA
Next, modify libfishingjoy3.so under armeabi-v7a:
00200150 40F07281 // change to 90909090
After this modification the game launches, but once loading reaches 100% it still exits. The following log pops up on the Xiaomi:
From this it can be inferred that the CMGCIAP initialization in org.cocos2dx.Controller.ChinaMobileIAPSwitch$1 failed.
Cracking internal purchases
The method for cracking in-app purchases is the same as for the first version. Since many people ask me how to bypass the payment interface, I will cover a few common cases here in general terms and write a dedicated post in the future:
1. If the game has a quota, you can directly modify the method that shows the quota prompt so that it performs the "purchased" operation;
2. In the onBillingFinish method, find the branch taken on success, modify it slightly or assign the value, or change the jump, then copy that into the method on the payment interface; the common identifiers are addpayment, pay, and dopay.
Postscript
1. It would be hard for the author to erase the obviously printed LogCat output, so I should have paid attention to it. I also recall the code that exits from the native layer:
loc_50AC20
MOV R0, #0
BL nativeExit
BL getpid
MOV R1, #2 ; sig
BL kill
2. Always check the program's log output carefully; once you understand it, you will know where to start the fix.