(android)如何破解多盟广告sdk (一)
16lz
2022-03-24
工具
1.网络抓包工具
广告sdk要和服务器通讯,想破解网络抓包自然少不了。我使用的tcpdump和wireshark。前者负责在android手机上抓包,后者负责分析包的内容。tcpdump的使用:
a.root手机 b.下载tcpdump,安装到手机adb push c:\wherever_you_put\tcpdump /data/local/tcpdump
c.修改文件属性 adb shellsuchmod 6755 /data/local/tcpdumpd.命令行抓包
/data/local/tcpdump -p -vv -s 0 -w/sdcard/capture.pcape.将抓到的包数据copy到电脑上分析
adb pull /sdcard/capture.pcap最好配合android手机上的流量控制软件(比如Lbe安全大师)一起使用,这样限制好网络流量,使抓的包是目标应用产生的流量信息。
wireshark的使用:
这里我就不赘叙了,大家自己研究啦2.jar包查看工具
本人使用jd-gui来分析经过反编译之后jar包的源码。源码尽管是经过混淆的,但是想找出其中的逻辑还没有蜀道难。分析
分析数据包,了解广告sdk与服务器的通讯方式,这里仅仅展示一部分分析结果,因为涉及一些私人信息,具体的就不公布了。 以下是多盟广告sdk与服务器通讯的状态,我们模拟点击的时候,需要记录这些内容。final static int ad_Request = 1; final static int ad_Click_Report = 2; final static int ad_Download_Start_Report = 3; final static int ad_Download_finish_Report = 4; final static int ad_Install_Success_Report = 5; final static int ad_Head_Request = 6; final static int ad_Report_Download = 7; final static int ad_Download = 8; final static int ad_Requested = 11; final static int ad_Click_Reported = 22; final static int ad_Download_finish_Reported = 44; final static int ad_Install_Success_Reported = 55; final static int ad_Downloaded = 88; final static int no_Ad = 0; final static int get_task_list = -1; final static int get_task_listed = -11;int status = no_Ad; boolean toHttps=true;//有可能使用https通讯,这时候多盟可以遥控广告sdk,让它做一些见不得人的事情。
public Request requestApkHead() { return new Request(null, this.getDownloadUrl(), null, null, "HEAD", androidBuild.getUserAgent(), null, true, 20000); } public Request requestDownloadApk() { String range = "bytes=0-" + (this.content_length - 1); return new Request(null, this.getDownloadUrl(), null, range, "GET", androidBuild.getUserAgent(), null, false, 20000); } public Request reportEvent(String eventType) { return new Request(null, this.getAdEvent_tracker(), reportEventContent(eventType), null, "POST", androidBuild.getUserAgent(), null, true, 20000); } public Request httpsGetTaskList() { return new Request(null, "https://api.domob.cn/d", httpsContent("get_task_list", null, null), null, "DOMOB.HTTPS", androidBuild.getUserAgent(), null, true, 10000); } public Request reportClick() { return new Request(null, this.getAdClick_tracker(), reportClickContent(), null, "POST", androidBuild.getUserAgent(), null, true, 20000); } Long lastRequestTs = null; public Request requestAd() { if (lastRequestTs == null || System.currentTimeMillis() - ControlParams.adRefreshSpan > lastRequestTs) { lastRequestTs = System.currentTimeMillis(); return new Request(null, "http://r.domob.cn/a/", requestAdContent(), null, "POST", androidBuild.getUserAgent(), null, true, 20000); } return null; } public boolean apkHeadResponse(Response response) { if (response.code != HttpURLConnection.HTTP_OK) return false; if (response.contentLength != null) { this.setContent_length(Integer.parseInt(response.contentLength)); return true; } else return false; } public boolean clickReportResponse(Response response) { if (response.code != HttpURLConnection.HTTP_OK) return false; return true; } public boolean eventReportResponse(Response response) { if (response.code != HttpURLConnection.HTTP_OK) return false; return true; } public boolean apkDownloadResponse(Response response) { if (response.code != HttpURLConnection.HTTP_OK) return false; return true; } public boolean adResponse(Response response) { if (response.code == null || response.code != HttpURLConnection.HTTP_OK) return false; String jsonRes = response.getResponseContent(); try { JSONObject responseContent = new JSONObject(new JSONTokener(jsonRes)); this.setSid(responseContent.optString("sid", null)); if (responseContent.optString("cid") != null) this.setCid(responseContent.optString("cid")); JSONObject adJSON = responseContent.optJSONObject("ad"); JSONObject errorJSON = responseContent.optJSONObject("error"); JSONObject controlJSON = responseContent.optJSONObject("control"); if (errorJSON != null) return false; if (adJSON != null) { String pkg, click_tracker, content, event_tracker, tracker; pkg = adJSON.optString("pkg", null); click_tracker = adJSON.optString("click_tracker", null); content = adJSON.optString("content", null); event_tracker = adJSON.optString("event_tracker", null); tracker = adJSON.optString("tracker", null); if (pkg != null && click_tracker != null && content != null && event_tracker != null && tracker != null) { this.setAdApkName(pkg); this.setAdClick_tracker(click_tracker); this.setAdContent(content); String[] parts = content.split("\""); URI uri; for (String part : parts) { if (part.startsWith("domob")) { uri = URI.create(part); String schema = uri.getScheme(); String host = uri.getHost(); if (schema.equals("domob")) { if (host.equals("inapp")) { ; } else if (host.equals("download")) { Map<String, String> maps = Utils.UrlString2Map(uri.getQuery()); this.setVn(maps.remove("vn")); this.setVc((maps.get("vc") == null) ? "1" : maps.remove("vc")); this.setName(maps.remove("name")); this.setAuto_run((maps.get("auto_run") == null) ? false : Boolean.valueOf(maps.remove("auto_run")).booleanValue()); this.setAdApkName(maps.remove("pkg")); String url = maps.remove("url"); String odi = maps.remove("odi"); this.setDownloadUrl(url + Utils.map2UrlString(maps) + odi); } else if (host.equals("report")) { String str2 = uri.getPath(); if ((str2 == null) || (str2.indexOf("/") == -1)) break; str2 = str2.substring(1); if (str2.equals("imp")) { ; } else if (str2.equals("clk")) { ; } else if (str2.equals("event")) { ; } } } } } this.setAdEvent_tracker(event_tracker); this.setTracker(tracker); return true; } else return false; } return false; } catch (Exception e) { e.printStackTrace(); } return false; } public boolean httpsResponse(Response response) { if (response.code != HttpURLConnection.HTTP_OK) return false; if (response.responseContent != null) { String[] pairs = response.getResponseContent().split("="); if (pairs.length == 2) { Long det = Long.parseLong(pairs[1]); next_time_https = System.currentTimeMillis() + det; logger.info(String.format("det:%s next_time:%s", det.toString(), next_time_https.toString())); } else return false; } return true; }public List<Request> getRequest() {} //这里就不黏贴源码了,涉及我的模拟广告点击行为。
更多相关文章
- android内存分析工具- MAT的初识(1)
- Android(安卓)EditText的使用
- Android(安卓)Sqlite 数据库—基础篇
- android学习五(android中基本控件的使用)
- Android(安卓)下使用 JSON 实现 HTTP 请求,外加几个示例!
- 一个用于Android的Web服务器
- 箭头函数的基础使用
- NPM 和webpack 的基础使用
- Python list sort方法的具体使用