美女薄情馆7.0.0破解VIP

设置限制

原图浏览限制

下方广告条

破解过程：
1、用APKTOOL反编译该APK程序，并用dex2jar工具将classes文件转化成jar文件。

2、用JR-GUI来查看JAR文件，可以发现一个VIP类

4、展开VIP，里面有一个VipMgr类，很明显是对VIP的管理类，展开之:

6、getVipType的返回值决定了VIP的类型。

  public static int getVipType(Activity paramActivity)
  {
    a = paramActivity;
    if (a == null);
    for (int i = -2; ; i = (int)a.getApplication().getSharedPreferences("360meinv", 3).getLong("state", -2L))
      return i;
  }

7、而在VipMgr类中的成员变量里有对VIP类型的定义：

  public static final int VIP_NEED_LOGIN = -2;
  public static final int VIP_NOAD = 100;
  public static final int VIP_NOAD_1YUAN = 130;
  public static final int VIP_NOAD_MONEY = 200;
  public static final int VIP_NOAD_SMS_10YUAN = 135;
  public static final int VIP_OUTDATE = -1;
  public static final int VIP_VIP = 300;

其中VIP_VIP是最高级别的VIP，是没有任何限制的。

8、所以我们只要将getVipType的返回值强制为300，程序就认为我们是VIP_VIP的类型了。对应到smali文件，修改如下：

.method public static getVipType(Landroid/app/Activity;)I
    .locals 6
    .parameter "a1"

    .prologue
    .line 325
    sput-object p0, Lpicview/meitui/vip/vipMgr;->a:Landroid/app/Activity;

    .line 326
    const/4 v0, -0x2

    .line 328
    .local v0, ret:I
    sget-object v3, Lpicview/meitui/vip/vipMgr;->a:Landroid/app/Activity;

    if-nez v3, :cond_0

    move v1, v0

    .line 336
    .end local v0           #ret:I
    .local v1, ret:I
    :goto_0
  #添加这一句，强制返回值为300(0x12c)
  const/16 v1, 0x12C
    return v1

    .line 331
    .end local v1           #ret:I
    .restart local v0       #ret:I
    :cond_0
    sget-object v3, Lpicview/meitui/vip/vipMgr;->a:Landroid/app/Activity;

    invoke-virtual {v3}, Landroid/app/Activity;->getApplication()Landroid/app/Application;

    move-result-object v3

    const-string v4, "360meinv"

    const/4 v5, 0x3

    invoke-virtual {v3, v4, v5}, Landroid/app/Application;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;

    move-result-object v2

    .line 335
    .local v2, set:Landroid/content/SharedPreferences;
    const-string v3, "state"

    const-wide/16 v4, -0x2

    invoke-interface {v2, v3, v4, v5}, Landroid/content/SharedPreferences;->getLong(Ljava/lang/String;J)J

    move-result-wide v3

    long-to-int v0, v3

    move v1, v0

    .line 336
    .end local v0           #ret:I
    .restart local v1       #ret:I
    goto :goto_0
.end method

9、保存修改，重建APK,签名，破解完毕。

附上破解后的APK：

http://download.csdn.net/detail/heixiaowu/6008377