Follow the ghost brother learn so modify, four, example first

Follow the ghost brother learn so modify, four, example first

Picture/Text Listen to Ghost Brother tell a story

---------------------------------------------Split Line--------------------------------------------

This article is an article of the previous period, the recent so analysis of this series just can be done as an example tutorial, so the supplement took back.

The first three did not read, please continue to pay attention to the blog, read the previous three articles.

When the strike is over and the analysis of so is deepened, the article is supplemented

In addition, this article needs to have a certain base on the reverse of Android anti-compilation, a simple understanding of the role of So, have any doubts, can go to the Group and forum or Google search by itself to solve.

Article by www.pd521.com Webmaster invitation, starting in its forum, we can focus on the past, a lot of basic information, convenient for beginners to learn.

Please practice!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! yourself.

---------------------------------------------Split Line--------------------------------------------

Today we are to analyze the small yellow people run, the image of the yellow people from the film has been good, and now all photographed the second part, so we find this game to analyze.

First-level analysis:

To get the game, first we have to install to see where it is worth cracking.

Through observation, we found that the main way of consumption in the game on bananas and coins above, in this case, then we first look at whether the payment above can directly crack inside the purchase. Purchase as shown:

And the way the game is paid, then query the relevant information, such as the previous changes to the Onpayfailed method in my tutorial , changes to the onbillingfinish method, where the mobile payment may be upgraded, You can't do that directly. in that case, let's look at the Logcatand see if there is any valuable information.

With multiple tests, we found that there was this line of output when we clicked into the game to pay, so we followed up on the line of code, which was definitely the code that started the payment process.

For those unfamiliar with Smali code, open the jar file directly using Jd-gui to view it, as follows:

The search found the characteristic characters we found, as follows:

The search found the characteristic characters we found, as follows:

We can find that thedobilling method, according to the name, we also feel that is used when the purchase, so we pursue it. Full-Text search dobilling effect is not ideal, so we can directly find gameinterface This class of related call way.

Well, to this class, according to the interface name, we can guess, this is the callback function of the payment. The meaning of the callback function, that is, to determine whether to pay, and then return the relevant data, by other algorithms to increase the number of bananas or coins.

Game.nativebillingdone, see this native method, we need to do analysis of so file, we find Game class to see which of the calls is So files, searching system.loadlibrary :

Know the name of so, then we hang ida,java can be called directly using the export function is definitely exported, So we search for Nativebillingdone in export :

Then see this method:

B is called the meaning of the method, here call Addcash method, so we know more clearly, this is to increase the gold, the name is so easy to understand, and then guess I'm sorry for the author.

Let's take a glance at what the method does:

Well, after a rough look at the first piece of code, let's turn it down:

Through the text in the picture, we can also simply understand, we need to do is to test first, the Addcash (int) method to set the incoming parameter to 8 will be what, will not increase the gold. So when we go back to the initial analysis, look here:

Through the text in the picture, we can also simply understand, we need to do is to test first, the Addcash (int) method to set the incoming parameter to 8 will be what, will not increase the gold. So when we go back to the initial analysis, look here:

Amen, thank the author, see this line of output, this is our click on the payment interface of the return button generated, because the payment process will be the game to pause the sound, so it will produce this situation, so that developers can observe the data.

up, we can find other places by ourselves in the main class Game.smali, can see the log is just more convenient for our analysis speed, we can manually find code is also possible. So no logis found, but it costs a little more in time, and the other effects are small. OK, so we'll just find out where this line of log is printed, and call the nativebillingdone method above it:

The first line, set v1=8, the second line, call my own method to print the int data to see if the assignment is successful, students can ignore it, the third line calls Natvebillingdone method.

and then go back to compiling, packing the test ... ... .....Discover initialize gold coins really for 18888, then click on Store, Pay page, press back key:

Well, when we get here, our first level of purpose is done.

need to explain is, the use ofIDA , the students themselves check the data,ARM Grammar, their own data can be, there are many tutorials on the web, their hands-on, master more deeply.



Second Level analysis:

After the first level analysis, we know that the position has been analyzed. So The algorithm in the file also found the right, then, we initialize a lot more gold coins how good, so we continue to start analysis

The key is in the Addcash method of this line on the R1 Copy of the code above, we open the system to take a look at:

only four bytes, through these 4 byte implementations to assign 18888 to r1,4 bytes The largest number is 0xffff to see if the function receives an unsigned or signed type. Int16 , the maximum value is now probably 0xFFFF the corresponding conversion to decimal is 65535 . OK, so let's see how to modify the data, immediately, we can directly manipulate the change byte. C8 E3 , this line of code originally for MOV R1, #0x49C8 I'm not familiar with command commands, so just try to change them slowly .

Because of the immediate number of that itself, by observing that the original instruction was just in reverse for E3 C8, then the control 0x49c8, I directly modified as shown:

found that the direct modification of the success, well, this is more to force, we directly use 010Editor or UE, operating so file

The blue part of the front is the memory address, we use the CTRL + G command to jump address, directly corresponding to modify the four byte code. then repackage, test: The result itself can be seen, everything is normal, initialize 65535. Payment page, return, add gold coins.


We are testing the increase of bananas, so there is the increase in gold coins Oh, this is for interested students to try their own, hands-on, a lot of practice ~ ~ ~ This article is for communication only, do not do other commercial use.
Layout look uncomfortable, directly read the document, the relevant attachment address:

Link: Http://pan.baidu.com/s/1eQILJkI Password: 7kyr

In fact, this game has a lot of ways to crack, here is just about one or two kinds of it, we can add their own ~

Reprint please specify the source ~~~~~~~~~~

Follow the ghost brother learn so modify, four, example first