强xx奸oo Android程序开机启动杀手Autorun Manager

于2012-08-16,02:03:15 更新。


Autorun Manager是个不错的应用。可以用来禁止某些不老实的android应用开机启动和push 一些垃圾信息(如sina weibo就喜欢时不时push一些垃圾信息)。

虽然网上有捐赠版的下载,不过,还是喜欢自己折腾一下。折腾,是生活的一部分。

软件名:Autorun Manager
软件版本: 3.5

官方介绍:

PRO key app is available on the market!

Donators and PRO users receive additional features:
- no ads
- basic mode's prevent restart feature is selectable
- can block more than 4 receivers in advanced mode
- Chuck Norris mode enabled

也就是说:
免费版的有广告、不能启用阻止应用重启、不能修改超过4个receiver、不能启用Chuck Norris模式。
其它3条还算可以接受,唯一不可接受的就是不能修改超过4个receiver这一条。
android应用在AndroidManifest.xml中注册它要使用的receiver,如:

1
2
3
4
5
6
7
8
9
10
11
12
       <receiver android:name="com.rs.autorun.AutorunStartupIntentReceiver" android:enabled="false">
            <intent-filter android:priority="-1000">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
                <category android:name="android.intent.category.HOME" />
            </intent-filter>
        </receiver>

        <receiver android:name="com.rs.autorun.misc.InstallReferrerReceiver" android:exported="true">
            <intent-filter>
                <action android:name="com.android.vending.INSTALL_REFERRER" />
            </intent-filter>
        </receiver>

如android.intent.action.BOOT_COMPLETED 这个receiver就是用于接收开机启动广播的。
而Autorun Manager的禁止程序开机启动的机制正是将相应程序的receiver给禁用,这样,这个程序便不会开机即启动了。android.intent.action.GET_PUSH_VALUE 即是用于推送的,我很果断地把sina weibo的这个receiver给disable了。

关于android broadcast receiver的原理,有兴趣的童鞋可以自行Google.这里不述。


2012-08-17 :今天重新把思路整理了一下,并更新了这篇文章。

修改过4个receiver的设置后,这个应用(免费版的)便会提示你使用的免费版,最多只能修改4个receiver.
用apktool反编译出smali文件后,打开res/values/strings.xmlres/values/public.xml查得提示语You need to have PRO key to change more than %1$d receivers的id为0x7f0b0025.

搜索0x7f0b0025,在smali/f/d.smali 文件第341行找到。我这里把相关代码帖出并做些许解释:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
# virtual methods
.method public final onCheckedChanged(Landroid/widget/CompoundButton;Z)V
    .locals 6
    .parameter
    .parameter

    .prologue
#寄存器v4用来保存最大可禁用的reciever数量(4个)
    const/4 v4, 0x4

    const/4 v1, 0x0

    const/4 v0, 0x1

    .line 206
    iget-object v2, p0, Lf/d;->jy:Lf/g;

    .line 207
#取  h.c.ka的值给v2 (布尔类型)
    sget-object v2, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

#如果h.c.ka的值为真,则跳转到:cond_0
    if-nez v2, :cond_0

    invoke-static {}, Lcom/rs/autorun/receiver/l;->bJ()I

    move-result v2

#如果已经禁用的reciever数量(v2寄存器)小于 4 个(v4寄存器),则跳转到 :cond_0 .
    if-lt v2, v4, :cond_0

 
#Lcom/rs/autorun/receiver/l;->jp 是一个ArrayList
#将jp给v2
    sget-object v2, Lcom/rs/autorun/receiver/l;->jp:Ljava/util/ArrayList;
#取得p0对象实例的jy属性丢给v3寄存器
    iget-object v3, p0, Lf/d;->jy:Lf/g;

    iget-object v3, v3, Lf/g;->jE:Ljava/lang/String;

检查v2对象中是否包含v3对象.(v2 is the "this" instance,v3为参数)
    invoke-virtual {v2, v3}, Ljava/util/ArrayList;->contains(Ljava/lang/Object;)Z

    move-result v2
#如果不在的话,就跳转到:cond_9
    if-eqz v2, :cond_9

    .line 209
    :cond_0
    sget-object v2, Lcom/rs/autorun/receiver/l;->jq:Ljava/util/ArrayList;

    iget-object v3, p0, Lf/d;->jz:Lf/a;

    iget-object v3, v3, Lf/a;->packageName:Ljava/lang/String;

    invoke-virtual {v2, v3}, Ljava/util/ArrayList;->contains(Ljava/lang/Object;)Z

    move-result v2

    if-eqz v2, :cond_3

    iget-object v2, p0, Lf/d;->jy:Lf/g;

    iget-object v2, v2, Lf/g;->jE:Ljava/lang/String;

    const-string v3, "com.crittercism."

    invoke-virtual {v2, v3}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z

    move-result v2

    if-nez v2, :cond_3

    .line 210
    sget-object v2, Lh/l;->LOG_TAG:Ljava/lang/String;

    new-instance v3, Ljava/lang/StringBuilder;

    const-string v4, "app disable not allowed: "

    invoke-direct {v3, v4}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v4, p0, Lf/d;->jz:Lf/a;

    iget-object v4, v4, Lf/a;->packageName:Ljava/lang/String;

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v2, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    .line 212
    iget-object v2, p0, Lf/d;->jw:Landroid/content/Context;

    const v3, 0x7f0b0031

    invoke-virtual {v2, v3}, Landroid/content/Context;->getText(I)Ljava/lang/CharSequence;

    move-result-object v2

    iget-object v3, p0, Lf/d;->jw:Landroid/content/Context;

    invoke-static {v2, v3}, Lh/m;->a(Ljava/lang/CharSequence;Landroid/content/Context;)V

    .line 214
    iget-object v2, p0, Lf/d;->jA:Landroid/widget/CheckBox;

    if-nez p2, :cond_2

    :goto_0
    invoke-virtual {v2, v0}, Landroid/widget/CheckBox;->setChecked(Z)V

    .line 247
    :cond_1
    :goto_1
    return-void

    :cond_2
    move v0, v1

    .line 214
    goto :goto_0

    .line 215
    :cond_3
    iget-object v2, p0, Lf/d;->jw:Landroid/content/Context;

    invoke-static {v2}, Lcom/rs/autorun/misc/s;->x(Landroid/content/Context;)Lcom/rs/autorun/misc/s;

    move-result-object v2

    iget-boolean v2, v2, Lcom/rs/autorun/misc/s;->iC:Z

    if-nez v2, :cond_5

    iget-object v2, p0, Lf/d;->jz:Lf/a;

    iget-object v2, v2, Lf/a;->jt:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

    if-eqz v2, :cond_5

    .line 216
    sget-object v2, Lh/l;->LOG_TAG:Ljava/lang/String;

    const-string v3, "system disable is not enabled"

    invoke-static {v2, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    .line 218
    iget-object v2, p0, Lf/d;->jA:Landroid/widget/CheckBox;

    if-nez p2, :cond_4

    :goto_2
    invoke-virtual {v2, v0}, Landroid/widget/CheckBox;->setChecked(Z)V

    .line 219
    iget-object v0, p0, Lf/d;->jw:Landroid/content/Context;

    const v1, 0x7f0b0023

    invoke-virtual {v0, v1}, Landroid/content/Context;->getString(I)Ljava/lang/String;

    move-result-object v0

    iget-object v1, p0, Lf/d;->jw:Landroid/content/Context;

    invoke-static {v0, v1}, Lh/m;->a(Ljava/lang/CharSequence;Landroid/content/Context;)V

    goto :goto_1

    :cond_4
    move v0, v1

    .line 218
    goto :goto_2

    .line 225
    :cond_5
    sget-object v2, Lh/l;->LOG_TAG:Ljava/lang/String;

    new-instance v3, Ljava/lang/StringBuilder;

    const-string v4, "disable item: "

    invoke-direct {v3, v4}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v4, p0, Lf/d;->jy:Lf/g;

    iget-object v4, v4, Lf/g;->packageName:Ljava/lang/String;

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    const-string v4, " - "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    iget-object v4, p0, Lf/d;->jy:Lf/g;

    iget-object v4, v4, Lf/g;->jE:Ljava/lang/String;

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {v2, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    .line 226
    iget-object v2, p0, Lf/d;->jy:Lf/g;

    iget-object v2, v2, Lf/g;->jE:Ljava/lang/String;

    const-string v3, "com.crittercism."

    invoke-virtual {v2, v3}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z

    move-result v2

    if-eqz v2, :cond_6

    .line 227
    const-string v2, "crittercism is disabled"

    invoke-static {v2}, Lcom/flurry/android/f;->c(Ljava/lang/String;)V

    .line 230
    :cond_6
    iget-object v2, p0, Lf/d;->jw:Landroid/content/Context;

    invoke-static {v2}, Lh/m;->H(Landroid/content/Context;)Z

    move-result v2

    if-nez v2, :cond_8

    move v2, v0

    .line 231
    :goto_3
    if-eqz v2, :cond_7

    .line 232
    invoke-static {v0}, Lh/m;->j(Z)V

    .line 234
    :cond_7
    iget-object v3, p0, Lf/d;->jA:Landroid/widget/CheckBox;

    iget-object v4, p0, Lf/d;->jy:Lf/g;

    invoke-static {p2}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v5

    invoke-virtual {v4, v5, v0}, Lf/g;->a(Ljava/lang/Boolean;Z)Z

    move-result v0

    invoke-virtual {v3, v0}, Landroid/widget/CheckBox;->setChecked(Z)V

    .line 235
    if-eqz v2, :cond_1

    .line 236
    invoke-static {v1}, Lh/m;->j(Z)V

    goto/16 :goto_1

    :cond_8
    move v2, v1

    .line 230
    goto :goto_3

    .line 240
    :cond_9
    sget-object v2, Lh/l;->LOG_TAG:Ljava/lang/String;

    const-string v3, "not donated"

    invoke-static {v2, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

    .line 243
    iget-object v2, p0, Lf/d;->jw:Landroid/content/Context;

#  id 0x7f0b0025
对应:  You need to have PRO key to change more than %1$d receivers
    const v3, 0x7f0b0025

    invoke-virtual {v2, v3}, Landroid/content/Context;->getText(I)Ljava/lang/CharSequence;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/Object;->toString()Ljava/lang/String;

    move-result-object v2

    new-array v3, v0, [Ljava/lang/Object;

    invoke-static {v4}, Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer;

    move-result-object v4

    aput-object v4, v3, v1

    invoke-static {v2, v3}, Ljava/lang/String;->format(Ljava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v2

    iget-object v3, p0, Lf/d;->jw:Landroid/content/Context;

    invoke-static {v2, v3}, Lh/m;->a(Ljava/lang/CharSequence;Landroid/content/Context;)V

    .line 245
#取得p0对象的jA给v2寄存器
    iget-object v2, p0, Lf/d;->jA:Landroid/widget/CheckBox;

    if-nez p2, :cond_a

    :goto_4
#设置为已选中状态
    invoke-virtual {v2, v0}, Landroid/widget/CheckBox;->setChecked(Z)V

    goto/16 :goto_1

    :cond_a
    move v0, v1

    goto :goto_4
.end method

不难看出,:cond_9 处的那小段代码就是显示你不是捐赠用户,不能改变过超过4个receiver.
因为这里的跳转实际上是根据3个条件相与的结果来进行的(要(!c.ka.booleanValue() && l.bJ() >= 4 && !l.jp.contains(jy.jE)) 这个表达式为真才会跳转到执行弹出not donated提示框的代码)。
条件1:如果h.c.ka的值为真,则跳转到:cond_0
条件2:如果已经禁用的reciever数量(v2寄存器)小于 4 个(v4寄存器),则跳转到 :cond_0
if-lt v2, v4, :cond_0
条件3: if-eqz v2, :cond_9

也就是说,代码逻辑是:

1
2
3
4
if( !condition_1 && !condition_2 && !condition_3 )
执行提醒捐赠的代码
else
执行正常的保存设置代码

最初我采用的破解方法是把 if-eqz v2, :cond_9 这个跳转修改为了 if-nez v2, :cond_9,这样当然是可以的,因为改变任意一个条件都是可以成功的。
现在我采用的破解方法是让“h.c.ka的值为真”,怎么让它为真呢?等下往下看时我会说到。因为这个h.c.ka的值不单单是影响可以修改的receiver的数量,还影响到free版的应用的另外两个选项:阻止应用重启、启用Chuck Norris模式,如果只修改一处地方就能影响到两外以上的跳转(这些跳转正是我们需要的),何乐而不为呢?因此,这里我不再按老方法去修改跳转了。

==================================================

然后再看com\rs\autorun\misc\AutorunPreferencesActivity.smali
因为这个AutorunPreferences是修改配置时的Activity,所以看下它的代码。看它是怎么处理复选框被点击事件的。根据编程经验加上反编译出来的smali代码,可以知道,这个应用只是把pro版的功能给隐匿了,相应的操作代码还是有的。因此,只需要让程序自己觉得是pro版就行了。
这里它对于AutorunPreferencesActivity的事件响应逻辑是这样的:当pro版才能使用的复选框被点击时,判断是否满足相应的条件,不满足的话就弹出提示框,提示此功能只有pro版才能使用。并把复选框的值设置为false.

com\rs\autorun\misc\AutorunPreferencesActivity.smali相关代码:
代码比较多,我这里只帖出关键的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
# interfaces
.implements Landroid/content/SharedPreferences$OnSharedPreferenceChangeListener;


# instance fields
.field private hY:Lcom/rs/autorun/misc/AutorunPreferencesActivity;

.field private hZ:Landroid/preference/CheckBoxPreference;

.field private ia:Landroid/preference/CheckBoxPreference;

.field private ib:Landroid/preference/CheckBoxPreference;

.field private ic:Landroid/preference/CheckBoxPreference;

.field private ie:Landroid/preference/CheckBoxPreference;

.field private if:Landroid/preference/Preference;

.field private ig:Landroid/preference/Preference;

.field private ih:Landroid/preference/Preference;

.field private ii:Landroid/preference/Preference;

.field private ij:Landroid/preference/Preference;

.field private ik:Landroid/preference/Preference;

.field private final il:Lcom/rs/autorun/misc/q;

#
弹出需要pro版才能使用此功能的对话框(调出com/rs/autorun/ui/BuyProVersionActivity)
.method static synthetic a(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)V
    .locals 2
    .parameter

    .prologue
    .line 32
    new-instance v0, Landroid/content/Intent;

    const-class v1, Lcom/rs/autorun/ui/BuyProVersionActivity;

    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    const/high16 v1, 0x4000

    invoke-virtual {v0, v1}, Landroid/content/Intent;->addFlags(I)Landroid/content/Intent;

    move-result-object v0

    const/high16 v1, 0x400

    invoke-virtual {v0, v1}, Landroid/content/Intent;->addFlags(I)Landroid/content/Intent;

    move-result-object v0

    invoke-virtual {p0, v0}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->startActivity(Landroid/content/Intent;)V

    return-void
.end method

#ia (prevent选项) 之getter
.method static synthetic b(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)Landroid/preference/CheckBoxPreference;
    .locals 1
    .parameter

    .prologue
    .line 32
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ia:Landroid/preference/CheckBoxPreference;

    return-object v0
.end method

#hZ (cnmodeEnabled选项) 之getter
.method static synthetic e(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)Landroid/preference/CheckBoxPreference;
    .locals 1
    .parameter

    .prologue
    .line 32
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    return-object v0
.end method

.method protected onCreate(Landroid/os/Bundle;)V 方法这里省略不帖出,它的作用时做一些初始化的操作,如获取应用配置信息prefs,并将结果保存到当前对象的成员变量中。在这个方法的中会执行bC()方法。bC()方法的作用是什么呢?就是设置OnPreferenceClick事件的监听器。我们继续看下面的代码就会知道详细的程序逻辑。

#bC() 方法是关键

.method private bC()V
    .locals 7

    .prologue
    const/4 v4, 0x0

    const/4 v0, 0x1

    const/4 v1, 0x0

#如果h.c.ka的值为假,就跳转到 :cond_3 , :cond_3 处的代码是干什么用的呢?往下面看,找:cond_3 .
    .line 90
    sget-object v2, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

    if-eqz v2, :cond_3 #这个跳转是我们所不希望的

#把ia对象的值给v2
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ia:Landroid/preference/CheckBoxPreference;

#设置v2对象的OnPreferenceClick事件监听器为v4( null ) ,这里的代码是我们需要它执行的
    invoke-virtual {v2, v4}, Landroid/preference/CheckBoxPreference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    .line 91
    :cond_0
    :goto_0
    sget-object v2, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

    iget-object v3, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hY:Lcom/rs/autorun/misc/AutorunPreferencesActivity;

#m.c() 方法用于判断设置是否已经root和安**usybox
    invoke-static {v3, v1}, Lh/m;->c(Landroid/content/Context;Z)Ljava/lang/Boolean;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v3

#如果没有root和安**usybox,跳转到:cond_5
    if-eqz v3, :cond_5

#如果v2为0 ,也就是说h.c.ka的值为假,直接跳转到 :cond_4
    if-eqz v2, :cond_4
#否则,设置com/rs/autorun/misc/AutorunPreferencesActivity;->hZ对象(也就是cnmodeenabled复选框对象)的OnPreferenceClickListener为 v4 (null)
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v2, v4}, Landroid/preference/CheckBoxPreference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    .line 92
    :cond_1
    :goto_1
    sget-object v2, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2
#又是判断h.c.ka ,如果为假,跳转到:cond_7
    if-eqz v2, :cond_7
#否则,是pro版了,禁用pro 选项 ( AutorunPreferencesActivity;->ik 为 pro选项对象),使之处于灰色不可点击状态。

    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ik:Landroid/preference/Preference;

    invoke-virtual {v2, v1}, Landroid/preference/Preference;->setEnabled(Z)V

    sget-object v2, Lh/c;->kb:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

#如果没有安装pro key app ,跳转到 :cond_2
    if-eqz v2, :cond_2
#否则,启用hidePro checkbox,使之可点击
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ie:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v2, v0}, Landroid/preference/CheckBoxPreference;->setEnabled(Z)V

    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ie:Landroid/preference/CheckBoxPreference;

    iget-object v3, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hY:Lcom/rs/autorun/misc/AutorunPreferencesActivity;

    new-instance v4, Ljava/lang/StringBuilder;

    invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

    sget-object v5, Lh/l;->PACKAGE_NAME:Ljava/lang/String;

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    const-string v5, ".pro"

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

#v4 的值现在为 com.rs.autorun.pro
    move-result-object v4

    new-instance v5, Ljava/lang/StringBuilder;

    invoke-direct {v5}, Ljava/lang/StringBuilder;-><init>()V

    sget-object v6, Lh/l;->PACKAGE_NAME:Ljava/lang/String;

    invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    const-string v6, ".pro.MainActivity"

    invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

#v5 的值现在为 com.rs.autorun.pro.MainActivity
    move-result-object v5

#m->a() 方法检测  com.rs.autorun.pro包的MainActivity组件是否已经启用。
    invoke-static {v3, v4, v5, v0}, Lh/m;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Z)Z

    move-result v3
#如果启用了,跳转到:cond_6
    if-nez v3, :cond_6

    :goto_2
    invoke-virtual {v2, v0}, Landroid/preference/CheckBoxPreference;->setChecked(Z)V

    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ie:Landroid/preference/CheckBoxPreference;

    new-instance v1, Lcom/rs/autorun/misc/j;

    invoke-direct {v1, p0}, Lcom/rs/autorun/misc/j;-><init>(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)V

    invoke-virtual {v0, v1}, Landroid/preference/CheckBoxPreference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    .line 93
    :cond_2
    :goto_3
    return-void

#弹出"需要donate版才能使用此功能"对话框
#ia为prevent checkbox对象
    .line 90
    :cond_3
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ia:Landroid/preference/CheckBoxPreference;

    new-instance v3, Lcom/rs/autorun/misc/c;

    invoke-direct {v3, p0}, Lcom/rs/autorun/misc/c;-><init>(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)V
#设置prevent checkbox对象(v2)的OnPreferenceClick事件的listener为v3 ( com/rs/autorun/misc/c)
#关于com/rs/autorun/misc/c 类的详细代码,稍后再分析。现在你只需要知道com/rs/autorun/misc/c类的功能就是执行AutorunPreferencesActivity的a()方法,这个a()方法就是我上面帖出来的那个,其功能为调用com/rs/autorun/ui/BuyProVersionActivity
#然后调用android的setChecked方法将被点击的复选框设置为没有选中状态。
    invoke-virtual {v2, v3}, Landroid/preference/CheckBoxPreference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    sget-object v2, Lh/c;->kd:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

    if-eqz v2, :cond_0

    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ia:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v2, v1}, Landroid/preference/CheckBoxPreference;->setChecked(Z)V

    goto/16 :goto_0

    .line 91
    :cond_4
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    new-instance v3, Lcom/rs/autorun/misc/e;

    invoke-direct {v3, p0}, Lcom/rs/autorun/misc/e;-><init>(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)V

    invoke-virtual {v2, v3}, Landroid/preference/CheckBoxPreference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    sget-object v2, Lh/c;->kd:Ljava/lang/Boolean;

    invoke-virtual {v2}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v2

    if-eqz v2, :cond_1

    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v2, v1}, Landroid/preference/CheckBoxPreference;->setChecked(Z)V

    goto/16 :goto_1

    :cond_5
    iget-object v2, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v2, v1}, Landroid/preference/CheckBoxPreference;->setEnabled(Z)V

    goto/16 :goto_1

    :cond_6
    move v0, v1 #设置v0值为0x0 (false)

    .line 92
    goto :goto_2

    :cond_7
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ik:Landroid/preference/Preference;

    new-instance v1, Lcom/rs/autorun/misc/k;

    invoke-direct {v1, p0}, Lcom/rs/autorun/misc/k;-><init>(Lcom/rs/autorun/misc/AutorunPreferencesActivity;)V

    invoke-virtual {v0, v1}, Landroid/preference/Preference;->setOnPreferenceClickListener(Landroid/preference/Preference$OnPreferenceClickListener;)V

    goto :goto_3
.end method


#最后看 onSharedPreferenceChanged方法,这是配置被改变时要触发的事件方法:

.method public onSharedPreferenceChanged(Landroid/content/SharedPreferences;Ljava/lang/String;)V
    .locals 4
    .parameter
    .parameter

    .prologue
    const/4 v3, 0x0

    .line 307
    const-string v0, "donator"

    invoke-virtual {p2, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-eqz v0, :cond_0

    .line 308
    const-string v0, "donator"

    invoke-virtual {p0, v0}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->findPreference(Ljava/lang/CharSequence;)Landroid/preference/Preference;

    move-result-object v0

    check-cast v0, Landroid/preference/EditTextPreference;

    .line 309
    invoke-virtual {p0}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->getApplicationContext()Landroid/content/Context;

    move-result-object v1

    invoke-static {v3}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v2

    invoke-static {v1, v2}, Lh/m;->a(Landroid/content/Context;Ljava/lang/Boolean;)Ljava/lang/Boolean;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v1

    if-eqz v1, :cond_0

    .line 310
    invoke-virtual {v0}, Landroid/preference/EditTextPreference;->getText()Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v0

    .line 314
    invoke-static {v0, v3}, Lh/c;->a(Ljava/lang/String;Z)Z

    .line 317
    :cond_0
    const-string v0, "cnmodeEnabled"

    invoke-virtual {p2, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-eqz v0, :cond_2

    .line 319
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0}, Landroid/preference/CheckBoxPreference;->isChecked()Z

    move-result v0

    if-eqz v0, :cond_2

    .line 320
    invoke-static {}, Lh/j;->bP()Lh/j;

    move-result-object v0

    const-string v1, "exit"

    invoke-virtual {v0, v1}, Lh/j;->A(Ljava/lang/String;)V

    .line 321
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ib:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0}, Landroid/preference/CheckBoxPreference;->isChecked()Z

    move-result v0

    if-eqz v0, :cond_1

    .line 322
    invoke-virtual {p0, v3}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->showDialog(I)V

    .line 324
    :cond_1
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ib:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0, v3}, Landroid/preference/CheckBoxPreference;->setChecked(Z)V

    .line 327
    :cond_2
    const-string v0, "enableSystem"

    invoke-virtual {p2, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-eqz v0, :cond_4

    .line 328
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ib:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0}, Landroid/preference/CheckBoxPreference;->isChecked()Z

    move-result v0

    if-eqz v0, :cond_4

    .line 329
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0}, Landroid/preference/CheckBoxPreference;->isChecked()Z

    move-result v0

    if-eqz v0, :cond_3

    .line 330
    invoke-virtual {p0, v3}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->showDialog(I)V

    .line 332
    :cond_3
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hZ:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0, v3}, Landroid/preference/CheckBoxPreference;->setChecked(Z)V

    .line 335
    :cond_4
    const-string v0, "enableAdvanced"

    invoke-virtual {p2, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-eqz v0, :cond_6

    .line 336
    iget-object v0, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->ic:Landroid/preference/CheckBoxPreference;

    invoke-virtual {v0}, Landroid/preference/CheckBoxPreference;->isChecked()Z

    move-result v0

    if-eqz v0, :cond_5

    .line 337
    const v0, 0x7f0b005d

    invoke-virtual {p0, v0}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->getText(I)Ljava/lang/CharSequence;

    move-result-object v0

    iget-object v1, p0, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->hY:Lcom/rs/autorun/misc/AutorunPreferencesActivity;

    invoke-static {v0, v1}, Lh/m;->a(Ljava/lang/CharSequence;Landroid/content/Context;)V

    .line 339
    :cond_5
    const/4 v0, 0x1

    invoke-virtual {p0, v0}, Lcom/rs/autorun/misc/AutorunPreferencesActivity;->showDialog(I)V

    .line 341
    :cond_6
    return-void
.end method

从上面的代码分析得出,要使用pro版的功能,就要改变其中的某些跳转。而这些跳转的关键flag就是h.c.ka 和 h.c.kb 的值。这两个值起到开关的作用。

打开com.rs.autorun-1\smali\h\c.smali ,由其源码名字Donate.java也可以再次看出这个文件是用于标志此程序是否要启用pro功能的。再次验证了我上面的分析的正确性。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
.class public final Lh/c;
.super Ljava/lang/Object;
.source "Donate.java"


# static fields
.field public static ka:Ljava/lang/Boolean;

.field public static kb:Ljava/lang/Boolean;

.field public static kc:Ljava/lang/Boolean;

.field public static kd:Ljava/lang/Boolean;

.field public static ke:Ljava/lang/String;

.field public static kf:I

.field private static kg:Landroid/app/Application;

.field private static final kh:Lh/e;

.field private static ki:Ljava/util/ArrayList;


# direct methods
.method static constructor <clinit>()V
    .locals 2

    .prologue
#这个就是ka和kb成员变量的默认值了。。。只需要将它修改为 0x1 ,即可达到目的~~
    const/4 v1, 0x0

    .line 22
    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    .line 23
    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->kb:Ljava/lang/Boolean;

    .line 24
    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->kc:Ljava/lang/Boolean;

    .line 25
    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->kd:Ljava/lang/Boolean;

    .line 26
    const-string v0, ""

    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    .line 172
    new-instance v0, Lh/e;

    invoke-direct {v0, v1}, Lh/e;-><init>(B)V

    sput-object v0, Lh/c;->kh:Lh/e;

    .line 185
    new-instance v0, Ljava/util/ArrayList;

    invoke-direct {v0}, Ljava/util/ArrayList;-><init>()V

    sput-object v0, Lh/c;->ki:Ljava/util/ArrayList;

    return-void
.end method

.method private static C(Landroid/content/Context;)Z
    .locals 3
    .parameter

    .prologue
    .line 199
    invoke-static {p0}, Landroid/preference/PreferenceManager;->getDefaultSharedPreferences(Landroid/content/Context;)Landroid/content/SharedPreferences;

    move-result-object v0

    const-string v1, "lcn132"

    const-string v2, "" #这里默认是空,修改为pl9812

    invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    .line 200
    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    const-string v1, ""

    invoke-virtual {v0, v1}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-nez v0, :cond_0

    const/4 v0, 0x1

    :goto_0
    return v0

    :cond_0
    const/4 v0, 0x0

    goto :goto_0
.end method

.method public static a(Landroid/app/Application;)V
    .locals 0
    .parameter

    .prologue
    .line 36
    sput-object p0, Lh/c;->kg:Landroid/app/Application;

    .line 37
    return-void
.end method

.method public static a(Landroid/os/Handler;)V
    .locals 1
    .parameter

    .prologue
    .line 188
    sget-object v0, Lh/c;->ki:Ljava/util/ArrayList;

    invoke-virtual {v0, p0}, Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z

    .line 189
    return-void
.end method

.method public static a(Ljava/lang/String;Z)Z
    .locals 6
    .parameter
    .parameter

    .prologue
    const/4 v2, 0x0

    const/4 v1, 0x1

    .line 46
    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    invoke-virtual {v0}, Landroid/app/Application;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v0

    sget-object v3, Lh/c;->kg:Landroid/app/Application;

    invoke-virtual {v3}, Landroid/app/Application;->getPackageName()Ljava/lang/String;

    move-result-object v3

    new-instance v4, Ljava/lang/StringBuilder;

    invoke-direct {v4}, Ljava/lang/StringBuilder;-><init>()V

    sget-object v5, Lh/c;->kg:Landroid/app/Application;

    invoke-virtual {v5}, Landroid/app/Application;->getPackageName()Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

#这里是检验com.rs.autorun.pro 包的签名是否和 com.rs.autorun 包一样,由于我们并没有安装com.rs.autorun.pro,因此,这里用一个小技巧,让它和自己比吧
    const-string v5, ".pro" #这里由原来的.pro修改为空

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v0, v3, v4}, Landroid/content/pm/PackageManager;->checkSignatures(Ljava/lang/String;Ljava/lang/String;)I

    move-result v0

#比较签名时,如果结果小于0表示两个包没有相同的签名。这里的意思是,没有相同的签名就跳转到:cond_2
    if-ltz v0, :cond_2 #自己的签名肯定是相同的,因此,这里  v0 值为 0 ,不满足条件,不会跳转。这正是我们需要的。

    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    invoke-virtual {v0}, Landroid/app/Application;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v0

    new-instance v3, Ljava/lang/StringBuilder;

    invoke-direct {v3}, Ljava/lang/StringBuilder;-><init>()V

    sget-object v4, Lh/c;->kg:Landroid/app/Application;

    invoke-virtual {v4}, Landroid/app/Application;->getPackageName()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

#下面是判断com.rs.autorun.pro的版本号是否 >= kf ,同样,由于这个包我们并没有安装(这个包就是key app的包),我们再次故技重演。

    const-string v4, ".pro" #修改为空字符串

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3


    invoke-static {v0, v3}, Lh/m;->a(Landroid/content/pm/PackageManager;Ljava/lang/String;)I

    move-result v0

    sget v3, Lh/c;->kf:I

#将 com.rs.autorun.pro的版本号与 h.c.kf 比较
#如果 v0 (com.rs.autorun.pro的版本号) 小于 v3 (h.c.kf),跳转到 :cond_1 ,这个跳转是我们最不想要的。这里我们可以改变跳转或者改变跳转后的代码。由于其代码修改也比较方便,因此,这里我们不修改跳转。
#由于 这里, kf为静态成员变量,初值应该为0 ,相当于把其版本号与0相比较。
    if-lt v0, v3, :cond_1 #如果 .pro 包的版本号 小于0,则跳转到 :cond_1

    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    const-string v0, ""

    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->kb:Ljava/lang/Boolean;

    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v0}, Lh/f;->b(Landroid/app/Application;)Lh/f;

    move-result-object v0

    sget-object v3, Lh/c;->kh:Lh/e;

    invoke-virtual {v0, v3}, Lh/f;->b(Landroid/os/Handler;)V

    :goto_0
    sget-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v0}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v0

    if-nez v0, :cond_0

    sget-object v0, Lh/m;->lf:Ljava/lang/String;

    sget-object v3, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v0, v1, v3}, Lh/m;->a(Ljava/lang/CharSequence;ILandroid/content/Context;)V

    :cond_0
    invoke-static {v1}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    :goto_1
    invoke-virtual {v0}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v0

    if-eqz v0, :cond_4

    move v0, v1

    .line 54
    :goto_2
    return v0

    .line 46
    :cond_1
    invoke-static {v2}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean; #v2 为0 ,v1 为 1 ,这里我们修改v2为v1,即使它跳转到这里,也干的是同样的事情~~

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    const-string v0, ""

    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    invoke-static {v2}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean; #这里同样修改v2为v1

    move-result-object v0

    sput-object v0, Lh/c;->kb:Ljava/lang/Boolean;

    goto :goto_0

    :cond_2
    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v0}, Landroid/preference/PreferenceManager;->getDefaultSharedPreferences(Landroid/content/Context;)Landroid/content/SharedPreferences;

    move-result-object v0

    const-string v3, "lcn132"

    const-string v4, ""

    invoke-interface {v0, v3, v4}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    const-string v3, "pl9812"

    invoke-virtual {v0, v3}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-eqz v0, :cond_3

    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    const-string v3, ""

    invoke-static {v0, v3}, Lh/c;->j(Landroid/content/Context;Ljava/lang/String;)V

    :cond_3
    invoke-static {v2}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    goto :goto_1

    .line 49
    :cond_4
    const-string v0, ""

    invoke-virtual {p0, v0}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v0

    if-nez v0, :cond_5

    .line 51
    new-instance v0, Lh/d;

    invoke-direct {v0, p1}, Lh/d;-><init>(Z)V

    new-array v3, v1, [Ljava/lang/String;

    aput-object p0, v3, v2

    invoke-virtual {v0, v3}, Lh/d;->execute([Ljava/lang/Object;)Landroid/os/AsyncTask;

    move v0, v1

    .line 52
    goto :goto_2

    :cond_5
    move v0, v2

    .line 54
    goto :goto_2
.end method

.method static synthetic b(Ljava/lang/String;Z)Ljava/lang/Boolean;
    .locals 6
    .parameter
    .parameter

    .prologue
    const/4 v5, 0x1

    const/4 v0, 0x0

    .line 17
    sget-object v1, Lh/l;->kQ:Ljava/lang/Boolean;

    invoke-virtual {v1}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v1

    if-nez v1, :cond_0

    move p1, v0

    :cond_0
    invoke-static {v0}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v1

    sput-object v1, Lh/c;->kd:Ljava/lang/Boolean;

    if-eqz p1, :cond_2

    sget-object v1, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v1}, Lh/c;->C(Landroid/content/Context;)Z

    move-result v1

    if-eqz v1, :cond_2

    invoke-static {}, Ljava/lang/Math;->random()D

    move-result-wide v1

    const-wide v3, 0x3feccccccccccccdL

    cmpg-double v1, v1, v3

    if-gez v1, :cond_2

    invoke-static {v5}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    :cond_1
    :goto_0
    sget-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    return-object v0

    :cond_2
    sget-object v1, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v0}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v2

    invoke-static {v1, v2}, Lh/m;->a(Landroid/content/Context;Ljava/lang/Boolean;)Ljava/lang/Boolean;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/Boolean;->booleanValue()Z

    move-result v1

    if-eqz v1, :cond_4

    invoke-static {v5}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v1

    sput-object v1, Lh/c;->kd:Ljava/lang/Boolean;

    new-instance v1, Ljava/util/ArrayList;

    const/4 v2, 0x2

    invoke-direct {v1, v2}, Ljava/util/ArrayList;-><init>(I)V

    new-instance v2, Lorg/apache/http/message/BasicNameValuePair;

    const-string v3, "email"

    invoke-direct {v2, v3, p0}, Lorg/apache/http/message/BasicNameValuePair;-><init>(Ljava/lang/String;Ljava/lang/String;)V

    invoke-interface {v1, v2}, Ljava/util/List;->add(Ljava/lang/Object;)Z

    sget-object v2, Lh/l;->lb:Ljava/lang/String;

    invoke-static {v2, v1}, Lh/m;->a(Ljava/lang/String;Ljava/util/List;)Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v2

    const-string v3, ""

    invoke-virtual {v2, v3}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z

    move-result v2

    if-nez v2, :cond_3

    sget-object v2, Lh/l;->lb:Ljava/lang/String;

    const-string v3, "http://andrs.w3pla.net/"

    invoke-virtual {v2, v3}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z

    move-result v2

    if-eqz v2, :cond_3

    const-string v2, "#!name#!="

    invoke-virtual {v1, v2}, Ljava/lang/String;->startsWith(Ljava/lang/String;)Z

    move-result v2

    if-eqz v2, :cond_3

    invoke-static {v5}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    invoke-virtual {v1}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v0

    const-string v1, "#!name#!="

    const-string v2, ""

    invoke-virtual {v0, v1, v2}, Ljava/lang/String;->replaceFirst(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    :goto_1
    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    sget-object v1, Lh/c;->ke:Ljava/lang/String;

    invoke-static {v0, v1}, Lh/c;->j(Landroid/content/Context;Ljava/lang/String;)V

    goto :goto_0

    :cond_3
    invoke-static {v0}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean; #这里改用v5

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    const-string v0, "" #这里应该是注册者的email,随便填写吧

    sput-object v0, Lh/c;->ke:Ljava/lang/String;

    goto :goto_1

    :cond_4
    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    invoke-static {v0}, Lh/c;->C(Landroid/content/Context;)Z

    move-result v0

    if-eqz v0, :cond_1 #这个跳转也可以改一下的

    invoke-static {v5}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v0

    sput-object v0, Lh/c;->ka:Ljava/lang/Boolean;

    goto/16 :goto_0
.end method

.method static synthetic bL()V
    .locals 6

    .prologue
    .line 17
    sget-object v0, Lh/c;->ki:Ljava/util/ArrayList;

    invoke-virtual {v0}, Ljava/util/ArrayList;->iterator()Ljava/util/Iterator;

    move-result-object v1

    :goto_0
    invoke-interface {v1}, Ljava/util/Iterator;->hasNext()Z

    move-result v0

    if-eqz v0, :cond_0

    invoke-interface {v1}, Ljava/util/Iterator;->next()Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Landroid/os/Handler;

    const/4 v2, 0x0

    const/4 v3, 0x0

    const/16 v4, 0x52c

    const/4 v5, 0x2

    invoke-static {v2, v3, v4, v5}, Landroid/os/Message;->obtain(Landroid/os/Handler;III)Landroid/os/Message;

    move-result-object v2

    invoke-virtual {v0, v2}, Landroid/os/Handler;->sendMessage(Landroid/os/Message;)Z

    goto :goto_0

    :cond_0
    return-void
.end method

.method static synthetic bM()Landroid/app/Application;
    .locals 1

    .prologue
    .line 17
    sget-object v0, Lh/c;->kg:Landroid/app/Application;

    return-object v0
.end method

.method public static j(Landroid/content/Context;Ljava/lang/String;)V
    .locals 2
    .parameter
    .parameter

    .prologue
    .line 210
    invoke-static {p0}, Landroid/preference/PreferenceManager;->getDefaultSharedPreferences(Landroid/content/Context;)Landroid/content/SharedPreferences;

    move-result-object v0

    invoke-interface {v0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;

    move-result-object v0

    .line 211
    const-string v1, "lcn132"

    invoke-interface {v0, v1, p1}, Landroid/content/SharedPreferences$Editor;->putString(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;

    .line 212
    invoke-interface {v0}, Landroid/content/SharedPreferences$Editor;->commit()Z

    .line 213
    return-void
.end method

到此,4个receiver的限制就算解除了。阻止应用重启、启用Chuck Norris模式也可以启用了。

重新打包,签名,安装。

可以看到“Get Pro"按钮已经是灰色的了。

"防止重启"复选框也可以选择了。

下载
com.rs.autorun-cracked-by-hywd.apk

更多
4 Responses Post a comment
  1. 权子

    网站打开速度嗖嗖的,期待开源。

  2. yetone

    省人民币的教程都是好教程!

Leave a Reply

Note: You may use basic HTML in your comments. Your email address will not be published.

Subscribe to this comment feed via RSS