Use zjdroid to shell and crack <fishing talents 3>

<Fishing talents 3> just as soon as they came out, they were dumped out of DEX by the ghost Brother, which made it easy to crack. At first, I tried it with the zjdroid artifact, but I had never been worried about the success of the dump operation. One day, a reverse attack not only extracted the smali file, but also fixed the problem, you can also crack the payment interface and support offline mode. Record it.
The program is downloaded from the mobile mm Mall.

I. shelling.
The keyword of this shell is chaosvmp, which is said to have been developed by the company where the Yixue moderator is located. Install and run the program on your mobile phone. According to the tutorial, the shelling steps are as follows:
1. Open the command line and enter to view logcat:
ADB shell logcat-s zjdroid-shell-org.cocos2d.fishingjoy3
As shown in:

Write down the hook pid = 13108
2. Open another command line to send the command to the mobile phone. First, you need to obtain the information of the DEX file currently loaded by the APK in the ADB shell. Enter the command:
AM broadcast-a com. zjdroid. Invoke -- EI target 13108 -- es cmd '{"action": "dump_dexinfo "}'

There will be two paths. The first dump may not know which one to use. I use the APK suffix. In my opinion, if there is a **. classes. Dex path in the path, it is preferred; otherwise, you can try the path with the APK suffix. Let's start dump DEX:
AM broadcast-a com. zjdroid. Invoke -- EI target 13108 -- es cmd' {"action": "backsmali", "dexpath": "/data/APP/org.cocos2d.fishingjoy3-1.apk "}'

Run for several minutes, prompting that there is no error dumpdex finished.

Check the DEX file in the specified folder. If the size is 0 bytes, does it mean that we failed to dump the file? In fact,/file/smali can be proposed to be completely usable.

 

2. Repair.
The above smali file has been extracted and the original program is decompiled with ide. Replace the smali file with the dump file to check whether the compilation is successful. Indeed, an error occurred. For example,

Try to fix the problem and find the error:

Delete the two rows and fix the following error message. Then the compilation is successful.
Can I enable the installation and try again? I will return O (╯ □╰) O in seconds.
Why? Let's just get rid of the shell. Is it because the Code related to the shell is still called during the program running, causing crash? Finally, the androidmanifest. xml file contains the following information:

Delete the name attribute of the application. Then the repair is completed perfectly.

 

Iii. cracking.
According to the old ideas of the past, the mobile mm mall's text message payment is almost a matter of seconds, but today we use another way of thinking to find a more perfect means of cracking-do not let it play the payment interface and directly buy it successfully. (Or did the tutorial of tiange give me motivation to worship...) How can I think of it? You still have to analyze the key. methodonbillingfinish and locate the code for successfully calling the SMS:

(In fact, this code shows a payment interface that only shows "successful sending".) the following code can easily be used to identify the success of a transaction: "didcompletetransaction" "didcancelledtransaction"
You can directly search for keywords and find them. The org/cocos2dx/IAP/iapwrapper class contains the following methods:

Depending on the method name, we guess addpayment is suspected of adding a payment pop-up window. Then we try to copy all the code in. Method didcompletetransaction to. Method addpayment. Installation test. The result is as follows:

The didcompletetransaction method has another judgment. You only need to modify the judgment to view the code.

Then save and the test is successful.