某音乐APP逆向分析详细教学文档<\/strong><\/h1>
1. 前置准备<\/strong><\/h2>
1.1 工具清单<\/strong><\/h3>

夜神模拟器（Android 9）<\/strong>：用于运行目标APP（照顾无真机用户）。<\/li>
Pixel 1 真机<\/strong>：用于后续SO层分析（Unidbg仅支持ARM架构）。<\/li>
Frida<\/strong>：动态Hook工具，用于代码注入。<\/li>
Jadx<\/strong>：APK反编译工具，用于静态分析。<\/li>
Charles\/Burp Suite<\/strong>：抓包工具，用于分析网络请求。<\/li>
SocksDroid\/Postern<\/strong>：代理工具，用于模拟器抓包。<\/li>
目标APP（版本11.7.0）<\/strong>：待分析的某音乐APP。<\/li> <\/ul>
1.2 注意事项<\/strong><\/h3>

本文仅用于学习，若侵犯公司利益，请联系删除。<\/li>
抓包时需配置代理（IP+端口），确保流量经过Charles\/Burp。<\/li> <\/ul>

2. 抓包分析<\/strong><\/h2>
2.1 抓包配置<\/strong><\/h3>

获取本机IP（ipconfig<\/code>或Charles帮助菜单）。<\/li>
在SocksDroid\/Postern中配置代理（IP+端口）。<\/li>
启动目标APP，进行登录操作（账号密码登录）。<\/li>
观察抓包结果，重点关注signature<\/code>等关键参数。<\/li> <\/ol> 2.2 关键发现<\/strong><\/h3> 登录时即使不验证图片验证码，仍可抓包成功。<\/li> signature<\/code>参数出现在登录请求中，是后续分析重点。<\/li> <\/ul> 3. 绕过Root检测<\/strong><\/h2> 3.1 检测逻辑分析<\/strong><\/h3> 反编译APK，搜索字符串"当前处于root环境,请注意账号安全"<\/code>。<\/li> 定位到br.bu()<\/code>函数，其返回值决定是否弹窗： if<\/span> (<\/span>br.<\/span>bu<\/span>())<\/span> {<\/span> <\/span><\/span> showToast(<\/span>"当前处于root环境,请注意账号安全"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> bu()<\/code>函数内部逻辑： return<\/span> bF()<\/span> ||<\/span> bG();<\/span> \/\/ 任意一个为true即触发检测 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 3.2 绕过方案<\/strong><\/h3> 方案1：Hook bu()<\/code>函数<\/strong><\/h4> function<\/span> kugousign<\/span>() { <\/span><\/span> Java<\/span>.perform<\/span>(function<\/span> () { <\/span><\/span> let<\/span> br<\/span> =<\/span> Java<\/span>.use<\/span>("com.kugou.common.utils.br"<\/span>); <\/span><\/span> br<\/span>["bu"<\/span>].implementation<\/span> =<\/span> function<\/span> () { <\/span><\/span> console<\/span>.log<\/span>('bu is called'<\/span>); <\/span><\/span> return<\/span> false<\/span>; \/\/ 强制返回false <\/span><\/span><\/span><\/span> }; <\/span><\/span> }); <\/span><\/span>} <\/span><\/span>setImmediate<\/span>(kugousign<\/span>); <\/span><\/span><\/code><\/pre>方案2：Hook bF()<\/code>和bG()<\/code>函数<\/strong><\/h4> br<\/span>["bF"<\/span>].implementation<\/span> =<\/span> function<\/span> () { <\/span><\/span> console<\/span>.log<\/span>('bF is called'<\/span>); <\/span><\/span> return<\/span> false<\/span>; <\/span><\/span>}; <\/span><\/span>br<\/span>["bG"<\/span>].implementation<\/span> =<\/span> function<\/span> () { <\/span><\/span> console<\/span>.log<\/span>('bG is called'<\/span>); <\/span><\/span> return<\/span> false<\/span>; <\/span><\/span>}; <\/span><\/span><\/code><\/pre> 4. 绕过Frida检测<\/strong><\/h2> 4.1 检测原理<\/strong><\/h3> APP通过ptrace<\/code>占坑检测Frida（Frida附加进程时会占用ptrace<\/code>）。<\/li> APP启动子进程提前附加父进程，导致Frida无法附加。<\/li> <\/ul> 4.2 绕过方法<\/strong><\/h3> 先启动Frida<\/strong>，但不附加进程： frida -U -f com.kugou.android -l sign.js <\/span><\/span><\/code><\/pre><\/li> 手动输入%resume<\/code><\/strong>，恢复进程执行。<\/li> <\/ol> 5. Signature算法分析<\/strong><\/h2> 5.1 定位关键函数<\/strong><\/h3> 通过抓包和反编译，定位到com.kugou.common.useraccount.b.u<\/code>类。<\/li> signature<\/code>由a()<\/code>方法生成： public<\/span> String a<\/span>(<\/span>String str,<\/span> Map map,<\/span> String str2)<\/span> {<\/span> <\/span><\/span> \/\/ 生成signature的逻辑 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 5.2 Frida验证<\/strong><\/h3> let<\/span> w<\/span> =<\/span> Java<\/span>.use<\/span>("com.kugou.common.network.w"<\/span>); <\/span><\/span>w<\/span>["a"<\/span>].overload<\/span>('java.lang.String'<\/span>, 'java.util.Map'<\/span>, 'java.lang.String'<\/span>).implementation<\/span> =<\/span> function<\/span> (str<\/span>, map<\/span>, str2<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('a is called: str='<\/span> +<\/span> str<\/span> +<\/span> ', map='<\/span> +<\/span> map<\/span> +<\/span> ', str2='<\/span> +<\/span> str2<\/span>); <\/span><\/span> let<\/span> ret<\/span> =<\/span> this<\/span>.a<\/span>(str<\/span>, map<\/span>, str2<\/span>); <\/span><\/span> console<\/span>.log<\/span>('a ret value is '<\/span> +<\/span> ret<\/span>); <\/span><\/span> return<\/span> ret<\/span>; <\/span><\/span>}; <\/span><\/span><\/code><\/pre> 对比Frida输出和Charles抓包结果，确认signature<\/code>生成逻辑正确。<\/li> <\/ul> 5.3 参数分析<\/strong><\/h3> 固定参数<\/strong>： support_third<\/code>、dev<\/code>（设备型号）、plat<\/code>、support_multi<\/code>、support_verify<\/code>、gitversion<\/code>、t3<\/code>。<\/li> <\/ul> <\/li> 可变参数<\/strong>： params<\/code>、clienttime_ms<\/code>（时间戳）、dfid<\/code>、pk<\/code>、t1<\/code>、t2<\/code>、key<\/code>、username<\/code>。<\/li> <\/ul> <\/li> <\/ul> 6. 关键参数生成逻辑<\/strong><\/h2> 6.1 pk<\/code>参数<\/strong><\/h3> 生成逻辑： String pk =<\/span> new<\/span> ba().<\/span>a<\/span>(<\/span>br.<\/span>a<\/span>(<\/span>Long.<\/span>valueOf<\/span>(<\/span>br.<\/span>as<\/span>()),<\/span> com.<\/span>kugou<\/span>.<\/span>common<\/span>.<\/span>config<\/span>.<\/span>c<\/span>.<\/span>a<\/span>().<\/span>b<\/span>(<\/span>com.<\/span>kugou<\/span>.<\/span>android<\/span>.<\/span>app<\/span>.<\/span>a<\/span>.<\/span>a<\/span>.<\/span>lp<\/span>),<\/span> Integer.<\/span>valueOf<\/span>(<\/span>br.<\/span>F<\/span>(<\/span>KGCommonApplication.<\/span>getContext<\/span>())),<\/span> Long.<\/span>valueOf<\/span>(<\/span>currentTimeMillis)));<\/span> <\/span><\/span><\/code><\/pre><\/li> 分步解析<\/strong>： br.as()<\/code>：返回固定值1005<\/code>。<\/li> com.kugou.android.app.a.a.lp<\/code>：固定字符串"OIlwieks28dk2k092lksi2UIkp"<\/code>。<\/li> br.F()<\/code>：返回设备相关定值11709<\/code>。<\/li> currentTimeMillis<\/code>：当前时间戳（秒级）。<\/li> <\/ol> <\/li> 最终拼接<\/strong>： String keyRaw =<\/span> "1005"<\/span> +<\/span> "OIlwieks28dk2k092lksi2UIkp"<\/span> +<\/span> "11709"<\/span> +<\/span> timestamp;<\/span> <\/span><\/span><\/code><\/pre><\/li> MD5加密<\/strong>： String pk =<\/span> MD5(<\/span>keyRaw).<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> 16<\/span>);<\/span> \/\/ 取前16位 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.2 dfid<\/code>参数<\/strong><\/h3> 生成逻辑： String dfid =<\/span> c.<\/span>o<\/span>.<\/span>k<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> 实际来源于com.kugou.common.preferences.a.c(5, "")<\/code>，可写死。<\/li> <\/ul> 6.3 t1<\/code>和t2<\/code>参数<\/strong><\/h3> 来源<\/strong>： t1<\/code>：NativeParams.getToken()<\/code><\/li> t2<\/code>：NativeParams.getMachineIdCode()<\/code><\/li> <\/ul> <\/li> SO层分析<\/strong>：使用Frida定位到libj.so<\/code>中的_d()<\/code>和_e()<\/code>方法。<\/li> 使用Unidbg模拟执行： public<\/span> class<\/span> videos<\/span> extends<\/span> AbstractJni {<\/span> <\/span><\/span> public<\/span> String calls<\/span>()<\/span> {<\/span> <\/span><\/span> String ret =<\/span> NativeApi.<\/span>callJniMethodObject<\/span>(<\/span>emulator,<\/span> "_d(Ljava\/lang\/Object;)Ljava\/lang\/String;"<\/span>,<\/span> arg1).<\/span>getValue<\/span>().<\/span>toString<\/span>();<\/span> <\/span><\/span> return<\/span> ret;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 补环境<\/strong>：需实现SecretAccess.getAndroidId()<\/code>和SecretAccess.getSafeDeviceId()<\/code>： @Override<\/span> <\/span><\/span>public<\/span> DvmObject<?><\/span> callStaticObjectMethodV(<\/span>BaseVM vm,<\/span> DvmClass dvmClass,<\/span> String signature,<\/span> VaList vaList)<\/span> {<\/span> <\/span><\/span> switch<\/span> (<\/span>signature)<\/span> {<\/span> <\/span><\/span> case<\/span> "com\/kugou\/common\/utils\/SecretAccess->getAndroidId()Ljava\/lang\/String;"<\/span>:<\/span> <\/span><\/span> return<\/span> new<\/span> StringObject(<\/span>vm,<\/span> "5c083d1045985cf2"<\/span>);<\/span> <\/span><\/span> case<\/span> "com\/kugou\/common\/utils\/SecretAccess->getSafeDeviceId()Ljava\/lang\/String;"<\/span>:<\/span> <\/span><\/span> return<\/span> new<\/span> StringObject(<\/span>vm,<\/span> "null"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> super<\/span>.<\/span>callStaticObjectMethodV<\/span>(<\/span>vm,<\/span> dvmClass,<\/span> signature,<\/span> vaList);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ul> 6.4 params<\/code>参数<\/strong><\/h3> 生成逻辑： String params =<\/span> a.<\/span>b<\/span>(<\/span>str,<\/span> str2);<\/span> <\/span><\/span><\/code><\/pre><\/li> 内部为AES加密： SecretKeySpec keySpec =<\/span> new<\/span> SecretKeySpec(<\/span>str3.<\/span>getBytes<\/span>(<\/span>"UTF-8"<\/span>),<\/span> "AES"<\/span>);<\/span> <\/span><\/span>IvParameterSpec ivSpec =<\/span> new<\/span> IvParameterSpec(<\/span>str4.<\/span>getBytes<\/span>());<\/span> <\/span><\/span>Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"AES\/CBC\/PKCS5Padding"<\/span>);<\/span> <\/span><\/span>cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>ENCRYPT_MODE<\/span>,<\/span> keySpec,<\/span> ivSpec);<\/span> <\/span><\/span>byte<\/span>[]<\/span> encrypted =<\/span> cipher.<\/span>doFinal<\/span>(<\/span>str.<\/span>getBytes<\/span>());<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 7. 最终Signature生成<\/strong><\/h2> 步骤<\/strong>：将所有参数按key=value<\/code>形式拼接。<\/li> 按key<\/code>升序排序。<\/li> 拼接为字符串并MD5加密。<\/li> <\/ol> <\/li> 示例<\/strong>： String raw =<\/span> "clienttime_ms=123456789&dfid=xxx&key=xxx&pk=xxx&t1=xxx&t2=xxx"<\/span>;<\/span> <\/span><\/span>String signature =<\/span> MD5(<\/span>raw);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 8. 总结<\/strong><\/h2> 抓包<\/strong>：确认关键参数（signature<\/code>、pk<\/code>、dfid<\/code>等）。<\/li> 反编译<\/strong>：定位核心逻辑（com.kugou.common.useraccount.b.u<\/code>）。<\/li> Frida Hook<\/strong>：动态验证参数生成逻辑。<\/li> Unidbg<\/strong>：模拟执行SO层代码（libj.so<\/code>）。<\/li> 补环境<\/strong>：处理缺失的JNI方法（如getAndroidId<\/code>）。<\/li> 算法还原<\/strong>：拼接参数 + MD5\/AES加密。<\/li> <\/ol> 通过以上步骤，可完整还原某音乐APP的签名算法，实现自动化请求。<\/p>