1.最近支出有点多,看了一下记账软件,没想到这也收费,而且好贵,这下没有米寸步难行了。
2.还是和之前一样,我们上算法助手,不会用的兄弟,看前面几个破解教程。
3.这个也是用的360加固,脱壳方法还是和之前一样,可以使用frida-dexdump或者Fundex,脱完壳直接搜索这个方法,只有一个。
4.点进去看看,我们看到了这个类下面的关键参数,当getVipType为2时,是已解锁状态,当等于0和1的时候是还没有解锁的状态
5.再往上看看,这里有个alreadyBuy类里面有个if判断是否开通会员。
6.我们点进isVip里去看看,寄!反编译失败了,这咋整??
7.别急,我们还有其他反编译工具,拿出我的JEB来,没有JEB的小伙伴也不用担心,一个boolean参数而已,无非是false或者true罢了。
8.我们直接frida hook它一下,看看是啥?
Java.perform(function () {console.log("启动");let BaseActivity = Java.use("com.luyun.simpleaccout.ui.BaseActivity");BaseActivity["isVip"].implementation = function () {console.log(`BaseActivity.isVip is called`);let result = this["isVip"]();console.log(`BaseActivity.isVip result=${result}`);return result;};});
9.发现成功调用了,而且返回值是false,那我们还是和之前一样,把返回值设置成true,还有在之前第四步的时候有个getVipType参数,当它设置为2时,为已解锁状态,所以我们要在上面代码的基础上,再把这块加上,然后重新注入。(对了注入之前先找个账号随便登录一下,他的登录没有去验证邮箱)
Java.perform(function () {console.log("启动");let BaseActivity = Java.use("com.luyun.simpleaccout.ui.BaseActivity");BaseActivity["isVip"].implementation = function () {console.log(`BaseActivity.isVip is called`);let result = this["isVip"]();console.log(`BaseActivity.isVip result=${result}`);return true;};BaseActivity["getVipType"].implementation = function () {console.log(`BaseActivity.getVipType is called`);let result = this["getVipType"]();console.log(`BaseActivity.getVipType result=${result}`);return 2;};});
10.注入之后显示已解锁,会员状态也变成了永久会员,但是用一些功能的时候,还是不行,提示开通会员。
11.md,急了!既然这样直接全局搜索isVip和getVipType,全都给你hook一遍,看你小子还狂不狂。废话我就不多说了,直接上hook代码。
function main() {Java.perform(function () {console.log("启动");let BaseActivity = Java.use("com.luyun.simpleaccout.ui.BaseActivity");BaseActivity["isVip"].implementation = function () {console.log(`BaseActivity.isVip is called`);let result = this["isVip"]();console.log(`BaseActivity.isVip result=${result}`);return true;};let SplashActivity = Java.use("com.luyun.simpleaccout.ui.SplashActivity");SplashActivity["isVip"].implementation = function () {console.log(`SplashActivity.isVip is called`);let result = this["isVip"]();console.log(`SplashActivity.isVip result=${result}`);return true;};let BaseFragment = Java.use("com.luyun.simpleaccout.ui.fragment.BaseFragment");BaseFragment["isVip"].implementation = function () {console.log(`BaseFragment.isVip is called`);let result = this["isVip"]();console.log(`BaseFragment.isVip result=${result}`);return true;};BaseActivity["getVipType"].implementation = function () {console.log(`BaseActivity.getVipType is called`);let result = this["getVipType"]();console.log(`BaseActivity.getVipType result=${result}`);return 2;};BaseFragment["getVipType"].implementation = function () {console.log(`BaseFragment.getVipType is called`);let result = this["getVipType"]();console.log(`BaseFragment.getVipType result=${result}`);return 2;};});}setTimeout(main, 500)
12.然后我们看一下hook之后的效果,已经成功解锁了vip,且所有功能都可以正常使用。
13.那又到了我们使用Lsposed插件进行持久化的时间了,还是和之前一样,我们开始写xposed插件,主要代码如下:
if (loadPackageParam.packageName.equals("com.luyun.simpleaccout")) {Log.d(tag, "极简记账已選中");Class ActivityThread = XposedHelpers.findClass("android.app.ActivityThread", loadPackageParam.classLoader);XposedBridge.hookAllMethods(ActivityThread, "performLaunchActivity", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {super.afterHookedMethod(param);XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.AccountApplication", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.provider.AccountWidgetProvider", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.ui.BaseActivity", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.ui.SplashActivity", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.ui.fragment.BaseFragment", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.ui.BaseActivity", loadPackageParam.classLoader, "getVipType", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(2);}});XposedHelpers.findAndHookMethod("com.luyun.simpleaccout.ui.fragment.BaseFragment", loadPackageParam.classLoader, "getVipType", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(2);}});}});}
原文始发于微信公众号(Flower Sec):极简记账永久VIP破解
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论