Posts: 202
Points: 99,498
Joined: 2011-07-05
Board: Android Discussion
[Tutorial] A worked example of cracking an Android APK's score restriction
Posted 2012-12-29 16:44:00
Views: 408
Replies: 4
#1 Original poster
Assume the APK to be cracked is named mytest.apk. The steps are as follows:

Step 1: Obtain the resources and the smali files.
1) Get apktool. Download it from http://code.google.com/p/android-apktool/; both packages, apktool-1.0.0.tar.bz2 and apktool-install-windows-2.1_r01-1.zip, are needed. Extract both. The apktool-install-windows-2.1_r01-1.zip package contains aapt.exe and apktool.bat (note: copy the .jar file extracted from apktool-1.0.0.tar.bz2 into the same folder).
2) In a DOS command window, change into the folder containing apktool.bat and run:

    D:\android\tool\apktool\apktool d C:\mytest.apk C:\out

Command-line explanation: apktool d <file to decompile> <output folder>. Special note: the file to be decompiled must be placed in the root directory of drive C.
3) Open the C:\out folder and you will find all the resources there.

Step 2: Obtain the Java files.
Method a:
1) Rename the apk file to .zip, then extract the classes.dex file from it.
2) Install dex2jar, the tool that decompiles a dex file into a jar: http://code.google.com/p/dex2jar/downloads/list
3) Copy classes.dex into the directory containing dex2jar.bat.
4) Generate the jar file classes.dex.dex2jar.jar:

    dex2jar.bat classes.dex

5) Install JD-GUI, the tool that decompiles a jar into Java: http://java.decompiler.free.fr/?q=jdgui
6) Run JD-GUI and open the jar file produced above.
7) File -> Save All Sources writes the Java source files to c:\out.
Method b (TBV):
1) Obtain dexdump from the out directory.
2) adb shell dexdump -d -f h /data/dalvik-cache/data@app@mytest.apk@classes.dex > twitpic.text

Step 3: Crack the source code.
1) Locate the check. Since this app requires a score above 1500 before downloads are allowed, open the Java files and search for 1500. It is defined in three files: PlayActivity$12.java, Cfg.java and ScoreDialog$5.java.

PlayActivity$12.java:

    final class PlayActivity$12 implements Runnable {
        public void run() {
            ...
            int i = 1500;
            int j;
            Cfg.IS_WITHAD = j;
            if (j != 0) {
                if (this.val$arg1 >= i) // appears to be the threshold controlling whether ads are shown
                    break label91;
                boolean bool2 = Cfg.HIDDEN_GUANGGAO;
                label35: boolean bool3; // ???
                Cfg.HIDDEN_GUANGGAO = bool3;
                Cfg.SaveBool("hiddenguanggao", bool3);
            }

ScoreDialog$5.java:

    final class ScoreDialog$5 implements Runnable {
        public void run() {
            Object localObject1 = null;
            int i = 17301659;
            int j = 1500; // Score
            ...
            if (localProgressDialog != null)
                if (this.val$arg1 < j) // one can guess this is one of the defined scores; if it is not met, the dialog pops up
                {
                    ScoreDialog localScoreDialog1 = this.this$0;

Cfg.java:

    public class Cfg {
        ...
        public static final int HIDDEN_GUANGGAO_NEED_SCORE = 1500; // appears to be the score threshold for whether ads are shown

PlayActivity$12.java:

    final class PlayActivity$12 implements Runnable {
        public void run() {
            boolean bool1 = true;
            DialogInterface.OnClickListener localOnClickListener1 = null;
            int i = 1500;

HIDDEN_GUANGGAO_NEED_SCORE is not referenced by any other file, but to be safe its value is changed anyway.

2) Modify the smali files. A smali file is simply the Java file with its extension changed to .smali, so the smali files corresponding to the three files above are easy to find.

Cfg.smali:

    .field public static final HIDDEN_GUANGGAO_NEED_SCORE:I = 0x5DC   # change this to 0x0

PlayActivity$12.smali:

    .method public run()V
        .locals 6
        .prologue
        const/4 v2, 0x1
        const/4 v4, 0x0
        const/16 v3, 0x5DC   # change this to 0x0

ScoreDialog$5.smali:

    .method public run()V
        .locals 10
        .prologue
        const/4 v7, 0x0
        const v5, 0x108009b   # corresponds to 17301659
        const/16 v6, 0x5DC   # change this to 0x0

Step 4: Repackage the decompiled files into an apk, out.apk:

    apktool b c:\out out_raw.apk

Step 5: Sign the generated apk.
1) Prepare the tools. If the JDK is not installed, download it from Sun's official site: http://www.java.net/download/jdk6/6u10/promoted/b32/binaries/jdk-6u10-rc2-bin-b32-windows-i586-p-12_sep_2008.exe. Only keytool and jarsigner from it are actually needed.
2) Prepare the signing keystore:

    "C:\Program Files\Java\jdk1.6.0_24\bin\keytool" -genkey -alias wendy.keystore -keyalg RSA -validity 20000 -keystore wendy.keystore

Note the password is 6 characters, e.g. 123456.
3) Sign:

    "C:\Program Files\Java\jdk1.6.0_24\bin\jarsigner" -verbose -keystore wendy.keystore -signedjar out.apk out_raw.apk wendy.keystore

Enter the password 123456 from step 2 here; when it finishes, the signed apk file out.apk is produced. The crack is complete!
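Added example (not part of the poster's tutorial, and not code from the app being cracked): step 3 boils down to rewriting the 0x5DC (1500) immediates in three smali files, and doing that with a blind search-and-replace across the whole decompiled tree is how unrelated constants (a 1500 ms timeout, say) get clobbered. The Python script below patches only the files named in the post, reports every other file where the literal appears so it can be reviewed by hand, and refuses a replacement value that would not fit the opcode's operand width (const/4 encodes 4 signed bits, const/16 16, const 32), an error that would otherwise surface only when apktool b fails to assemble. The class names, field names and smali bodies are constructed samples modelled on the listings above.

```python
"""Patch score-threshold constants in smali produced by apktool.

Added example for this post; it is not the poster's code. It assumes the three
smali files named in the post (Cfg.smali, PlayActivity$12.smali,
ScoreDialog$5.smali) and the 0x5DC (= 1500) literals they contain.
"""
import re
import tempfile
from pathlib import Path

TARGET_FILES = ("Cfg.smali", "PlayActivity$12.smali", "ScoreDialog$5.smali")

# .field <modifiers> NAME:I = <literal>   (static int field with an initial value)
FIELD_RE = re.compile(r"^(\s*\.field\b[^=]*:I\s*=\s*)(-?0x[0-9A-Fa-f]+|-?\d+)(\s*)$")
# const/4 vN, lit | const/16 vN, lit | const vN, lit  (int loads; const/high16 is
# deliberately not matched because its operand is shifted left by 16)
CONST_RE = re.compile(
    r"^(\s*(const(?:/4|/16)?)\s+[vp]\d+,\s*)(-?0x[0-9A-Fa-f]+|-?\d+)(\s*(?:#.*)?)$"
)

# Signed range each opcode can encode; a new value outside it would not assemble.
WIDTH = {"const/4": (-8, 7), "const/16": (-32768, 32767), "const": (-2**31, 2**31 - 1)}


def fits(opcode, value):
    lo, hi = WIDTH[opcode]
    return lo <= value <= hi


def patch_smali(text, old, new):
    """Rewrite every int literal equal to `old` in field initialisers and const
    loads to `new`. Returns (patched_text, hits); hits is a list of
    (line_number, original_line) so the operator can review each change."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = FIELD_RE.match(line)
        if m and int(m.group(2), 0) == old:
            hits.append((n, line.strip()))
            line = f"{m.group(1)}{new:#x}{m.group(3)}"
        else:
            m = CONST_RE.match(line)
            if m and int(m.group(3), 0) == old:
                if not fits(m.group(2), new):
                    raise ValueError(f"line {n}: {new:#x} does not fit {m.group(2)}")
                hits.append((n, line.strip()))
                line = f"{m.group(1)}{new:#x}{m.group(4)}"
        out.append(line)
    tail = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + tail, hits


def patch_tree(root, old=0x5DC, new=0x0, only=TARGET_FILES):
    """Walk an apktool output tree. Files named in `only` are rewritten in place;
    any other file containing the literal is only reported, because 1500 may be
    an unrelated value (a timeout, a pixel size) that must not be touched."""
    report = {}
    for path in sorted(Path(root).rglob("*.smali")):
        patched, hits = patch_smali(path.read_text(encoding="utf-8"), old, new)
        if not hits:
            continue
        if path.name in only:
            path.write_text(patched, encoding="utf-8")
        report[path.name] = {"written": path.name in only, "hits": hits}
    return report


# Constructed sample files modelled on the listings in the post (not the real app).
SAMPLES = {
    "com/example/Cfg.smali": """\
.class public Lcom/example/Cfg;
.super Ljava/lang/Object;

.field public static final HIDDEN_GUANGGAO_NEED_SCORE:I = 0x5DC
""",
    "com/example/ScoreDialog$5.smali": """\
.class final Lcom/example/ScoreDialog$5;
.super Ljava/lang/Object;

.method public run()V
    .locals 10
    .prologue
    const/4 v7, 0x0
    const v5, 0x108009b
    const/16 v6, 0x5DC
    return-void
.end method
""",
    # Unrelated class that also happens to use 1500: must be reported, not patched.
    "com/example/Net.smali": """\
.class public Lcom/example/Net;
.super Ljava/lang/Object;

.field public static final TIMEOUT_MS:I = 0x5DC
""",
}


def demo():
    """Materialise the samples in a temp dir, run the patcher, and return the
    report plus the patched text of ScoreDialog$5.smali."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            p = Path(tmp, "smali", rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        report = patch_tree(Path(tmp, "smali"))
        dialog = Path(tmp, "smali", "com/example/ScoreDialog$5.smali").read_text(encoding="utf-8")
    return report, dialog


if __name__ == "__main__":
    rep, txt = demo()
    for name, r in rep.items():
        print(f"{name}: {'patched' if r['written'] else 'REPORT ONLY'}")
        for lineno, orig in r["hits"]:
            print(f"  line {lineno}: {orig}")
    print(txt)
```

Run it against a real tree with patch_tree("C:/out/smali") before apktool b. Two caveats the post leaves out: because the threshold is a compiled-in immediate, the whole gate runs on the client and is only as strong as the APK's integrity, which is why this patch works at all; and step 5 signs the rebuilt package with a freshly generated key, so it no longer carries the original publisher's signature, store updates will not install over it, and an app that compares its own signing certificate at runtime will notice the repack.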
All replies (4)
2012-12-29 16:53:00
#2
You're awesome, bumped!
2013-01-01 01:18:00
#3
[disk=79]表
2013-01-01 11:54:00
#4
[disk=83]
2013-01-01 14:42:00
#5
[disk=87]针