PDD App搜索请求加密参数anti-token逆向分析教学文档<\/h1>

1. 分析背景与目标<\/h2>
分析PDD(拼多多)App搜索请求中的加密参数`anti-token<\/code>，目标是通过逆向工程技术定位并获取该参数，实现搜索请求的复现。<\/p>`

2. 工具准备<\/h2>

jadx<\/strong>: Java反编译工具，用于分析APK代码<\/li>
Charles<\/strong>: 网络抓包工具，用于捕获和分析HTTP请求<\/li>
frida<\/strong>: 动态分析工具，用于运行时Hook和RPC调用<\/li>
IDA Pro<\/strong>: 反汇编工具，用于分析native层代码<\/li>
<\/ul>
3. 请求分析流程<\/h2>
3.1 抓包分析<\/h3>

使用Charles抓取PDD App的搜索请求<\/li>
观察请求参数，发现存在加密参数anti-token<\/code><\/li>
确认anti-token<\/code>为必要参数，缺失时无法获得正确响应<\/li>
<\/ol>
3.2 Java层分析<\/h3>
3.2.1 定位参数生成位置<\/h4>

Hook HashMap.put方法<\/strong>:

由于header构造通常使用HashMap，可以Hook其put方法<\/li>
当参数为anti-token<\/code>时打印调用堆栈<\/li>
<\/ul>
<\/li>
<\/ol>
\/\/ frida hook代码示例
<\/span><\/span><\/span><\/span>Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>    var<\/span> HashMap<\/span> =<\/span> Java<\/span>.use<\/span>('java.util.HashMap'<\/span>);
<\/span><\/span>    HashMap<\/span>.put<\/span>.implementation<\/span> =<\/span> function<\/span>(key<\/span>, value<\/span>) {
<\/span><\/span>        if<\/span> (key<\/span> ===<\/span> 'anti-token'<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>('anti-token:'<\/span>, value<\/span>);
<\/span><\/span>            console<\/span>.log<\/span>(Java<\/span>.use<\/span>("android.util.Log"<\/span>).getStackTraceString<\/span>(
<\/span><\/span>                Java<\/span>.use<\/span>("java.lang.Throwable"<\/span>).$new<\/span>()));
<\/span><\/span>        }
<\/span><\/span>        return<\/span> this<\/span>.put<\/span>.call<\/span>(this<\/span>, key<\/span>, value<\/span>);
<\/span><\/span>    };
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
通过堆栈定位关键类<\/strong>:

对比抓包结果和堆栈信息，定位到com.xunmeng.pinduoduo.secure.DeviceNative<\/code>类<\/li>
<\/ul>
<\/li>
<\/ol>
3.2.2 反编译分析<\/h4>

使用jadx打开APK，搜索anti-token<\/code>相关信息<\/li>
定位到关键方法getAntiToken()<\/code>，发现其调用了native方法deviceInfo2()<\/code><\/li>
<\/ol>
\/\/ 伪代码
<\/span><\/span><\/span><\/span>public<\/span> String getAntiToken<\/span>()<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        return<\/span> deviceInfo2(<\/span>context,<\/span> System.<\/span>currentTimeMillis<\/span>());<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Throwable unused)<\/span> {<\/span>
<\/span><\/span>        return<\/span> ""<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
查找实现类<\/strong>:

由于直接跟进会跳转到接口定义，需要搜索方法名f<\/code>(需重命名后搜索)<\/li>
最终定位到实现类com.xunmeng.pinduoduo.secure.DeviceNative<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
4. RPC调用方案<\/h2>
4.1 RPC原理<\/h3>
无需了解具体生成逻辑，直接动态调用内部函数获取返回值作为请求参数。<\/p>
4.2 实现代码<\/h3>
\/\/ frida RPC代码
<\/span><\/span><\/span><\/span>rpc<\/span>.exports<\/span> =<\/span> {
<\/span><\/span>    getAntiToken<\/span>:<\/span> function<\/span>() {
<\/span><\/span>        var<\/span> result<\/span> =<\/span> ""<\/span>;
<\/span><\/span>        Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>            var<\/span> DeviceNative<\/span> =<\/span> Java<\/span>.use<\/span>("com.xunmeng.pinduoduo.secure.DeviceNative"<\/span>);
<\/span><\/span>            var<\/span> currentApplication<\/span> =<\/span> Java<\/span>.use<\/span>("android.app.ActivityThread"<\/span>).currentApplication<\/span>();
<\/span><\/span>            var<\/span> context<\/span> =<\/span> currentApplication<\/span>.getApplicationContext<\/span>();
<\/span><\/span>            var<\/span> timestamp<\/span> =<\/span> Java<\/span>.use<\/span>("java.lang.System"<\/span>).currentTimeMillis<\/span>();
<\/span><\/span>            result<\/span> =<\/span> DeviceNative<\/span>.deviceInfo2<\/span>(context<\/span>, timestamp<\/span>);
<\/span><\/span>        });
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>4.3 Python调用示例<\/h3>
import<\/span> frida
<\/span><\/span>
<\/span><\/span>def<\/span> get_anti_token<\/span>():
<\/span><\/span>    session =<\/span> frida.<\/span>get_usb_device().<\/span>attach("com.xunmeng.pinduoduo"<\/span>)
<\/span><\/span>    script =<\/span> session.<\/span>create_script(open("rpc.js"<\/span>).<\/span>read())
<\/span><\/span>    script.<\/span>load()
<\/span><\/span>    return<\/span> script.<\/span>exports.<\/span>getantitoken()
<\/span><\/span><\/code><\/pre>5. Native层分析<\/h2>
5.1 定位动态加载的so文件<\/h3>

Hook JNI注册过程<\/strong>:

拦截RegisterNatives<\/code>函数调用<\/li>
获取native方法注册时的so模块信息<\/li>
<\/ul>
<\/li>
<\/ol>
\/\/ frida hook RegisterNatives代码
<\/span><\/span><\/span><\/span>Interceptor<\/span>.attach<\/span>(addrRegisterNatives<\/span>, {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        var<\/span> java_class<\/span> =<\/span> args<\/span>[1<\/span>];
<\/span><\/span>        var<\/span> class_name<\/span> =<\/span> Java<\/span>.vm<\/span>.tryGetEnv<\/span>().getClassName<\/span>(java_class<\/span>);
<\/span><\/span>        if<\/span> (class_name<\/span>.indexOf<\/span>("com.xunmeng.pinduoduo.secure.DeviceNative"<\/span>) !==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>            var<\/span> methods_ptr<\/span> =<\/span> args<\/span>[2<\/span>];
<\/span><\/span>            var<\/span> method_count<\/span> =<\/span> args<\/span>[3<\/span>].toInt32<\/span>();
<\/span><\/span>            for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> method_count<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>                var<\/span> name_ptr<\/span> =<\/span> Memory<\/span>.readPointer<\/span>(methods_ptr<\/span>.add<\/span>(i<\/span> *<\/span> Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span>));
<\/span><\/span>                var<\/span> sig_ptr<\/span> =<\/span> Memory<\/span>.readPointer<\/span>(methods_ptr<\/span>.add<\/span>(i<\/span> *<\/span> Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span> +<\/span> Process<\/span>.pointerSize<\/span>));
<\/span><\/span>                var<\/span> fnPtr_ptr<\/span> =<\/span> Memory<\/span>.readPointer<\/span>(methods_ptr<\/span>.add<\/span>(i<\/span> *<\/span> Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span> +<\/span> Process<\/span>.pointerSize<\/span> *<\/span> 2<\/span>));
<\/span><\/span>                var<\/span> name<\/span> =<\/span> Memory<\/span>.readCString<\/span>(name_ptr<\/span>);
<\/span><\/span>                var<\/span> sig<\/span> =<\/span> Memory<\/span>.readCString<\/span>(sig_ptr<\/span>);
<\/span><\/span>                var<\/span> mod<\/span> =<\/span> Process<\/span>.findModuleByAddress<\/span>(fnPtr_ptr<\/span>);
<\/span><\/span>                console<\/span>.log<\/span>("name:"<\/span>, name<\/span>, "sig:"<\/span>, sig<\/span>, "module:"<\/span>, mod<\/span>.name<\/span>, "offset:"<\/span>, fnPtr_ptr<\/span>.sub<\/span>(mod<\/span>.base<\/span>));
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
运行结果<\/strong>:

定位到deviceInfo2<\/code>函数位于libpddsecure.so<\/code>中<\/li>
<\/ul>
<\/li>
<\/ol>
5.2 IDA静态分析<\/h3>

使用IDA打开libpddsecure.so<\/code><\/li>
定位到deviceInfo2<\/code>函数<\/li>
发现使用了OLLVM混淆，反混淆难度大<\/li>
<\/ol>
5.3 函数逻辑分析<\/h3>
初步分析表明：<\/p>

函数会读取大量设备信息<\/li>
结合时间戳生成一个与设备和时间相关的值<\/li>
该值作为anti-token<\/code>用于请求验证<\/li>
<\/ol>
6. 总结与建议<\/h2>
6.1 技术总结<\/h3>


参数定位<\/strong>:<\/p>

通过Hook常用类方法定位关键代码<\/li>
结合堆栈分析和字符串搜索缩小范围<\/li>
<\/ul>
<\/li>

RPC方案<\/strong>:<\/p>

适用于快速获取参数值而不关心生成逻辑<\/li>
需要保持运行环境一致性<\/li>
<\/ul>
<\/li>

Native分析<\/strong>:<\/p>

动态注册的native方法需要通过Hook JNI注册过程定位<\/li>
混淆代码增加了静态分析难度<\/li>
<\/ul>
<\/li>
<\/ol>
6.2 实践建议<\/h3>

对于数据爬取需求，优先考虑RPC方案<\/li>
对于安全研究，可深入分析so文件的反混淆<\/li>
注意法律合规性，仅用于授权研究<\/li>
<\/ol>
7. 扩展知识<\/h2>


JNI动态注册<\/strong>:<\/p>

通过JNI_OnLoad<\/code>和RegisterNatives<\/code>实现<\/li>
比静态注册更灵活且更安全<\/li>
<\/ul>
<\/li>

OLLVM混淆<\/strong>:<\/p>

常见的代码保护技术<\/li>
包括控制流平坦化、指令替换、虚假分支等<\/li>
<\/ul>
<\/li>

Frida高级用法<\/strong>:<\/p>

内存搜索和修改<\/li>
主动调用与RPC<\/li>
多线程处理<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资料<\/h2>

Frida官方文档<\/li>
Android JNI编程指南<\/li>
OLLVM反混淆技术研究<\/li>
移动安全逆向分析实战<\/li>
<\/ol>

PDD App搜索请求加密参数anti-token逆向分析教学文档<\/h1>

1. 分析背景与目标<\/h2> 分析PDD(拼多多)App搜索请求中的加密参数anti-token<\/code>，目标是通过逆向工程技术定位并获取该参数，实现搜索请求的复现。<\/p>

3. 请求分析流程<\/h2>

3.2 Java层分析<\/h3>

4. RPC调用方案<\/h2>

4.1 RPC原理<\/h3> 无需了解具体生成逻辑，直接动态调用内部函数获取返回值作为请求参数。<\/p>

5. Native层分析<\/h2>

6. 总结与建议<\/h2>

8. 参考资料<\/h2> Frida官方文档<\/li> Android JNI编程指南<\/li> OLLVM反混淆技术研究<\/li> 移动安全逆向分析实战<\/li> <\/ol>

1. 分析背景与目标<\/h2>
分析PDD(拼多多)App搜索请求中的加密参数`anti-token<\/code>，目标是通过逆向工程技术定位并获取该参数，实现搜索请求的复现。<\/p>`

4.1 RPC原理<\/h3>
无需了解具体生成逻辑，直接动态调用内部函数获取返回值作为请求参数。<\/p>

8. 参考资料<\/h2>

Frida官方文档<\/li>
Android JNI编程指南<\/li>
OLLVM反混淆技术研究<\/li>
移动安全逆向分析实战<\/li> <\/ol>