(Android) how to crack the domob ad SDK (I)

Tool 1. The advertisement SDK of the network packet capture tool must communicate with the server. It is essential to crack the network packet capture. I used tcpdump and Wireshark. The former is responsible for capturing packets on the Android phone, and the latter is responsible for analyzing the package content. Tcpdump usage: A. Root mobile phone B. Download tcpdump and install it on the mobile phone

adb push c:\wherever_you_put\tcpdump /data/local/tcpdump

C. Modify file attributes

adb shellsuchmod 6755 /data/local/tcpdump

D. Command Line packet capture

/data/local/tcpdump -p -vv -s 0 -w/sdcard/capture.pcap

E. Copy the captured package data to the computer for analysis.

adb pull /sdcard/capture.pcap

It is best to work with the traffic control software on the Android phone (such as the LBE Security Master) to limit network traffic so that the traffic information generated by the target application is captured.

 
Wireshark usage: I will not go into details here. You have studied it yourself. 2. view the jar package using the tool JD-Gui to analyze the source code of the jar package after decompilation. Although the source code is obfuscated, it is not difficult to find out the logic. Analyze and analyze data packets to learn about the communication methods between the ad SDK and the server. Here, we only show some analysis results, because some private information is involved, and the details will not be published. The following figure shows the communication status between the domob ad SDK and the server. We need to record the content when simulating a click.

Final Static int ad_request = 1; Final Static int ad_click_report = 2; Final Static int ad_download_start_report = 3; Final Static int ad_download_finish_report = 4; Final Static int ad_install_success_report = 5; final Static int ad_head_request = 6; Final Static int ad_report_download = 7; Final Static int ad_download = 8; Final Static int ad_requested = 11; Final Static int ad_click_reported = 22; final Static int records = 44; Final Static int ad_install_success_reported = 55; Final Static int ad_downloaded = 88; Final Static int no_ad = 0; Final Static int get_task_list =-1; final Static int get_task_listed =-11;
    
Int status = no_ad; Boolean tohttps = true; // HTTPS communication may be used. At this time, domob can remotely control the ad SDK and let it do something insightful.

 public Request requestApkHead() {        return new Request(null, this.getDownloadUrl(), null, null, "HEAD", androidBuild.getUserAgent(), null, true, 20000);    }    public Request requestDownloadApk() {        String range = "bytes=0-" + (this.content_length - 1);        return new Request(null, this.getDownloadUrl(), null, range, "GET", androidBuild.getUserAgent(), null, false, 20000);    }    public Request reportEvent(String eventType) {        return new Request(null, this.getAdEvent_tracker(), reportEventContent(eventType), null, "POST", androidBuild.getUserAgent(), null, true, 20000);    }    public Request httpsGetTaskList() {        return new Request(null, "https://api.domob.cn/d", httpsContent("get_task_list", null, null), null, "DOMOB.HTTPS", androidBuild.getUserAgent(), null, true, 10000);    }    public Request reportClick() {        return new Request(null, this.getAdClick_tracker(), reportClickContent(), null, "POST", androidBuild.getUserAgent(), null, true, 20000);    }    Long lastRequestTs = null;    public Request requestAd() {        if (lastRequestTs == null || System.currentTimeMillis() - ControlParams.adRefreshSpan > lastRequestTs) {            lastRequestTs = System.currentTimeMillis();            return new Request(null, "http://r.domob.cn/a/", requestAdContent(), null, "POST", androidBuild.getUserAgent(), null, true, 20000);        }        return null;    }    public boolean apkHeadResponse(Response response) {        if (response.code != HttpURLConnection.HTTP_OK)            return false;        if (response.contentLength != null) {            this.setContent_length(Integer.parseInt(response.contentLength));            return true;        } else            return false;    }    public boolean clickReportResponse(Response response) {        if (response.code != HttpURLConnection.HTTP_OK)            return false;        return true;    }    public boolean eventReportResponse(Response response) {        if (response.code != HttpURLConnection.HTTP_OK)            return false;        return true;    }    public boolean apkDownloadResponse(Response response) {        if (response.code != HttpURLConnection.HTTP_OK)            return false;        return true;    }    public boolean adResponse(Response response) {        if (response.code == null || response.code != HttpURLConnection.HTTP_OK)            return false;        String jsonRes = response.getResponseContent();        try {            JSONObject responseContent = new JSONObject(new JSONTokener(jsonRes));            this.setSid(responseContent.optString("sid", null));            if (responseContent.optString("cid") != null)                this.setCid(responseContent.optString("cid"));            JSONObject adJSON = responseContent.optJSONObject("ad");            JSONObject errorJSON = responseContent.optJSONObject("error");            JSONObject controlJSON = responseContent.optJSONObject("control");             if (errorJSON != null)                return false;            if (adJSON != null) {                String pkg, click_tracker, content, event_tracker, tracker;                pkg = adJSON.optString("pkg", null);                click_tracker = adJSON.optString("click_tracker", null);                content = adJSON.optString("content", null);                event_tracker = adJSON.optString("event_tracker", null);                tracker = adJSON.optString("tracker", null);                if (pkg != null && click_tracker != null && content != null && event_tracker != null && tracker != null) {                    this.setAdApkName(pkg);                    this.setAdClick_tracker(click_tracker);                    this.setAdContent(content);                    String[] parts = content.split("\"");                    URI uri;                    for (String part : parts) {                        if (part.startsWith("domob")) {                            uri = URI.create(part);                            String schema = uri.getScheme();                            String host = uri.getHost();                            if (schema.equals("domob")) {                                if (host.equals("inapp")) {                                    ;                                } else if (host.equals("download")) {                                    Map<String, String> maps = Utils.UrlString2Map(uri.getQuery());                                    this.setVn(maps.remove("vn"));                                    this.setVc((maps.get("vc") == null) ? "1" : maps.remove("vc"));                                    this.setName(maps.remove("name"));                                    this.setAuto_run((maps.get("auto_run") == null) ? false : Boolean.valueOf(maps.remove("auto_run")).booleanValue());                                    this.setAdApkName(maps.remove("pkg"));                                    String url = maps.remove("url");                                    String odi = maps.remove("odi");                                    this.setDownloadUrl(url + Utils.map2UrlString(maps) + odi);                                } else if (host.equals("report")) {                                    String str2 = uri.getPath();                                    if ((str2 == null) || (str2.indexOf("/") == -1))                                        break;                                    str2 = str2.substring(1);                                    if (str2.equals("imp")) {                                        ;                                    } else if (str2.equals("clk")) {                                        ;                                    } else if (str2.equals("event")) {                                        ;                                    }                                }                            }                        }                    }                    this.setAdEvent_tracker(event_tracker);                    this.setTracker(tracker);                    return true;                } else                    return false;            }            return false;        } catch (Exception e) {            e.printStackTrace();        }        return false;    }    public boolean httpsResponse(Response response) {        if (response.code != HttpURLConnection.HTTP_OK)            return false;        if (response.responseContent != null) {            String[] pairs = response.getResponseContent().split("=");            if (pairs.length == 2) {                Long det = Long.parseLong(pairs[1]);                next_time_https = System.currentTimeMillis() + det;                logger.info(String.format("det:%s next_time:%s", det.toString(), next_time_https.toString()));            } else                return false;        }        return true;    }
Public list <request> getrequest () {}// the source code will not be pasted here, involving my ad click simulation behavior.