Plants vs. Zombies 2 payment analysis
I am continuing to sort out my previous articles, to give new users some ideas. I just posted this to my blog...
---------------------------- Split line ---------------------------------
In the past two days, someone posted a tutorial online about in-app purchases made with a China Mobile SIM card: they unpacked the app directly and, in the file ChinaMobilePurchase$PurchaseCallBack.smali, changed the content of onUserOperCancel to the content of onBillingSuccess, so that tapping Cancel in the mobile payment dialog is treated as a completed payment. The test SIM card I have at hand happens to be China Unicom, so let's analyze the Unicom payment process as well.
Step 1: Test the game
First, install the software on your phone; the apk can be found by searching on Baidu. After the game reaches the second level, open DDMS in Eclipse to view the log output.
In the second level, tap the acceleration button, then tap Start again, then tap the acceleration button once more. A prompt is displayed.
Now look at the log in DDMS and find the relevant entries. They carry the tag xyf, so add a filter and set its tag to xyf.
Next, switch the phone to airplane mode first to see what a failed payment looks like. The log is as follows:
Step 2: Start thinking
After the first step of analysis, we have a general direction.
① Find the relevant code according to the log prompts.
② The purchase is made by SMS, so modify the SMS directly.
③ If ② works out, we can remove the SMS sending step.
Step 3: Start analysis
Search for 's31:' to view the context where s31 appears. In zhiwudazhanjiangshi2gaoqing_1\smali\com\multimode_billing_sms\ui\iiliiiliiliill.smali we find where s31 is located:
After UTF-8 decoding, this reads: "S31: the user confirmed the selection, preparing to send the text message". Then, in this class, look further up:
S31 sits inside this if statement, which is the click-event check, that is, OK or Cancel. In other words, we have found the handler that runs after tapping OK. Knowing this, we start looking for the entry point for sending the text message. First, look at the code below s31, because s31 means a text message is about to be sent, and there we find the following class: Lcom/multimode_billing_sms/ui/MultiModePay;
Because we are looking for the entry point that sends the text message, we can search this class for the keyword sendTextMessage. If it is there, the rest of the work is very simple.
After finding this, we were delighted and ready to test. We changed the destination phone number to that of another SIM card to see whether the text message arrived; if it did, the modification was successful. This code is the payment code. Recompile, sign, install, and test, as follows:
The phone shows that the purchase was successful. OK, now we understand the payment process for the Unicom card. Next, let's go back to the ideas in Step 2.
Idea ②: the simplest way is to modify the phone number and the text message content here, that is, change v1 (SMS number) and v2 (SMS content) passed to sendTextMessage, so that a query text message is sent to 10010.
--------------------------------- Split line ----------------------------
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
--------------------------------- Split line ------------------------
Write const-string v1, "10010" and const-string v3, "10010" above this code.
Idea ③: delete the text message sending code, that is, the sendTextMessage call mentioned above, and check whether the result is feasible. Delete, recompile, sign, test, and view the log:
Here, from the log feedback, we can also see that the purchase succeeded. Then we check whether the game behaves normally, as shown:
Step 4: Test complete
Now we have finished the test and completed payment for the CCN card. You can play the game happily ~ At this point we can think a little further: if another game is also charged by text message, we can directly search for the keyword sendTextMessage, view the context, modify it for testing, and finally test with it deleted.
Original software: Link: http://pan.baidu.com/share/link? Required id = 711418096 & uk = 3659465571 password: 1shi
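Seen from the developer's side, every step above works because the game treats its own local code path (the OK handler followed by sendTextMessage) as proof of payment. The following is an added example, not code from the original post or the game: a server grants the item only for a receipt it signed after the carrier confirmed the charge. The key, field names, function names and sample values are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; it never ships inside the APK.
SERVER_KEY = secrets.token_bytes(32)
_redeemed = set()  # order ids already turned into an entitlement


def _mac(order_id, product, device_id):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                   for f in (order_id, product, device_id))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_receipt(order_id, product, device_id, carrier_confirmed):
    """Billing backend: sign only after the carrier reports the charge."""
    if not carrier_confirmed:
        return None  # cancelled dialog or SMS never sent: nothing to sign
    return {"order_id": order_id, "product": product,
            "mac": _mac(order_id, product, device_id)}


def grant_item(receipt, device_id):
    """Game server: the client's success callback carries no authority here."""
    try:
        order_id = receipt["order_id"]
        expected = _mac(order_id, receipt["product"], device_id).encode()
        claimed = receipt["mac"].encode()
    except (TypeError, KeyError, AttributeError, UnicodeError):
        return False  # missing or malformed receipt
    if not hmac.compare_digest(expected, claimed):
        return False  # forged MAC, or receipt issued for another device
    if order_id in _redeemed:
        return False  # replay of an already redeemed order
    _redeemed.add(order_id)
    return True


def demo():
    # Constructed sample values, not taken from the game.
    paid = issue_receipt("ord-1", "speedup", "dev-A", carrier_confirmed=True)
    cancelled = issue_receipt("ord-2", "speedup", "dev-A", carrier_confirmed=False)
    forged = {"order_id": "ord-3", "product": "speedup", "mac": "0" * 64}
    return [grant_item(paid, "dev-A"), grant_item(paid, "dev-A"),
            grant_item(cancelled, "dev-A"), grant_item(forged, "dev-A")]
```

For a game that runs entirely offline, the grant decision still executes in code the player can repackage, so this design only helps when the purchased content or state is held by the server.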