Android应用逆向分析：关键请求参数生成机制解析<\/h1>

概述<\/h2>
本文档基于对某Android应用的Java层逆向分析，详细解析其关键请求参数（x-bili-trace-id<\/code>、Authorization<\/code>和key<\/code>）的生成逻辑与算法实现。适用于移动安全研究人员、逆向工程师及对API安全机制感兴趣的技术人员。<\/p>

一、x-bili-trace-id<\/code>参数生成分析<\/h2>
1. 定位与代码追踪<\/h3>

在JADX中搜索x-bili-trace-id<\/code>可定位到相关代码逻辑。<\/li>
核心生成逻辑位于j()<\/code>函数，最终跳转到h()<\/code>函数，与RpcExtra<\/code>类关联。<\/li>
<\/ul>
2. 生成逻辑详解<\/h3>
步骤1：生成随机字节数组<\/h4>

定义一个16位的字节数组（byte[16]<\/code>）。<\/li>
使用Random<\/code>类填充随机数（熵源）。<\/li>
<\/ul>
步骤2：处理时间戳<\/h4>
long<\/span> currentTimeMillis =<\/span> System.<\/span>currentTimeMillis<\/span>()<\/span> \/<\/span> 1000<\/span>;<\/span> \/\/ 毫秒转秒
<\/span><\/span><\/span><\/span>int<\/span> timestamp =<\/span> (<\/span>int<\/span>)<\/span> currentTimeMillis;<\/span>
<\/span><\/span><\/code><\/pre>步骤3：字节数组后4位填充时间戳<\/h4>

从数组最后一个元素（索引15）向前遍历至索引12（共4字节）。<\/li>
每次循环将timestamp<\/code>右移8位，取低8位写入数组：
for<\/span> (<\/span>int<\/span> i =<\/span> 15<\/span>;<\/span> i >=<\/span> 12<\/span>;<\/span> i--)<\/span> {<\/span>
<\/span><\/span>    array[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)<\/span> (<\/span>timestamp &<\/span> 0xFF<\/span>);<\/span>
<\/span><\/span>    timestamp >>=<\/span> 8<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
步骤4：转换为十六进制字符串<\/h4>

调用XTraceKt.a()<\/code>方法（Kotlin实现），将字节数组转换为16进制字符串。<\/li>
示例：[0x1A, 0x3F]<\/code> → "1A3F"<\/code>。<\/li>
<\/ul>
步骤5：拼接最终格式<\/h4>

取完整字符串的前半部分（substring(0, length\/2)<\/code>）。<\/li>
拼接格式：{原字符串}:{前半部分}:0:0<\/code>。<\/li>
<\/ul>

二、Authorization<\/code>参数生成分析<\/h2>
1. 定位与确认<\/h3>

搜索Authorization<\/code>定位到生成方法，通过Frida Hook确认其有效性。<\/li>
<\/ul>
2. 核心方法调用链<\/h3>
d() → c() → apiSign() → getMapParamsSign()
<\/code><\/pre>
3. 签名算法关键点<\/h3>

getSignHash()<\/code>方法调用gs()<\/code>，后者通过反射初始化KeyInfo<\/code>类。<\/li>
gs()<\/code>为native<\/code>方法，实际逻辑在SO库中（本文暂不展开）。<\/li>
<\/ul>

三、key<\/code>参数生成分析<\/h2>
1. 代码位置<\/h3>

位于com.kugou.android.app.common.comment.b.i<\/code>的b()<\/code>方法。<\/li>
<\/ul>
2. 参数组成<\/h3>
调用形式：br.a(param1, param2, param3, param4)<\/code><\/p>

param1<\/strong>: 定值（通过Frida Hook确认）。<\/li>
param2<\/strong>: 定值（同上）。<\/li>
param3<\/strong>: 由F()<\/code>函数生成，结果为定值。<\/li>
param4<\/strong>: 时间戳（毫秒级，需转换为秒级）。<\/li>
<\/ol>
3. 最终处理：MD5与十六进制转换<\/h3>

br.a()<\/code>对拼接后的参数进行MD5哈希。<\/li>
将MD5结果（字节数组）传入c()<\/code>方法处理。<\/li>
c()<\/code>遍历数组，对每个字节调用a()<\/code>方法转换为十六进制字符串：
String a<\/span>(<\/span>byte<\/span> b)<\/span> {<\/span>
<\/span><\/span>    char<\/span>[]<\/span> hexChars =<\/span> {<\/span>'0'<\/span>,<\/span>'1'<\/span>,<\/span>'2'<\/span>,<\/span>'3'<\/span>,<\/span>'4'<\/span>,<\/span>'5'<\/span>,<\/span>'6'<\/span>,<\/span>'7'<\/span>,<\/span>'8'<\/span>,<\/span>'9'<\/span>,<\/span>'A'<\/span>,<\/span>'B'<\/span>,<\/span>'C'<\/span>,<\/span>'D'<\/span>,<\/span>'E'<\/span>,<\/span>'F'<\/span>};<\/span>
<\/span><\/span>    return<\/span> String.<\/span>valueOf<\/span>(<\/span>hexChars[(<\/span>b >><\/span> 4<\/span>)<\/span> &<\/span> 0xF<\/span>])<\/span> +<\/span> hexChars[<\/span>b &<\/span> 0xF<\/span>];<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>

关键工具与技术<\/h2>

JADX<\/strong>: 用于反编译APK，定位关键代码。<\/li>
Frida<\/strong>:

Hook关键函数，动态验证参数值。<\/li>
打印中间变量，确认定值或动态值。<\/li>
<\/ul>
<\/li>
代码分析<\/strong>: 结合静态阅读与动态调试，厘清调用链。<\/li>
<\/ol>

总结与改进方向<\/h2>
已解析内容<\/h3>

x-bili-trace-id<\/code>: 基于时间戳+随机数的可逆生成机制。<\/li>
key<\/code>: 多定值+时间戳的MD5哈希机制。<\/li>
Authorization<\/code>: 依赖Native层签名，Java层为反射调用。<\/li>
<\/ul>
未解析内容<\/h3>

Authorization<\/code>的Native层逻辑（gs()<\/code>方法）。<\/li>
部分定值的来源（如key<\/code>的param1\/param2）。<\/li>
<\/ul>
后续建议<\/h3>

对SO库进行逆向分析，完整还原Authorization<\/code>生成逻辑。<\/li>
使用Frida批量Hook相关函数，自动化参数生成。<\/li>
结合抓包工具（如Charles）验证参数有效性。<\/li>
<\/ol>

附录：代码片段示例<\/h2>
x-bili-trace-id<\/code>生成伪代码<\/h3>
byte<\/span>[]<\/span> array =<\/span> new<\/span> byte<\/span>[<\/span>16<\/span>];<\/span>
<\/span><\/span>new<\/span> Random().<\/span>nextBytes<\/span>(<\/span>array);<\/span> \/\/ 填充随机数
<\/span><\/span><\/span><\/span>long<\/span> timestamp =<\/span> System.<\/span>currentTimeMillis<\/span>()<\/span> \/<\/span> 1000<\/span>;<\/span>
<\/span><\/span>for<\/span> (<\/span>int<\/span> i =<\/span> 15<\/span>;<\/span> i >=<\/span> 12<\/span>;<\/span> i--)<\/span> {<\/span>
<\/span><\/span>    array[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)<\/span> (<\/span>timestamp &<\/span> 0xFF<\/span>);<\/span>
<\/span><\/span>    timestamp >>=<\/span> 8<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>String hex =<\/span> XTraceKt.<\/span>a<\/span>(<\/span>array);<\/span> \/\/ 字节数组转Hex
<\/span><\/span><\/span><\/span>String result =<\/span> hex +<\/span> ":"<\/span> +<\/span> hex.<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> hex.<\/span>length<\/span>()\/<\/span>2<\/span>)<\/span> +<\/span> ":0:0"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>key<\/code>的MD5处理伪代码<\/h3>
String input =<\/span> param1 +<\/span> param2 +<\/span> param3 +<\/span> param4;<\/span>
<\/span><\/span>byte<\/span>[]<\/span> md5Bytes =<\/span> MD5(<\/span>input);<\/span>
<\/span><\/span>StringBuilder sb =<\/span> new<\/span> StringBuilder();<\/span>
<\/span><\/span>for<\/span> (<\/span>byte<\/span> b :<\/span> md5Bytes)<\/span> {<\/span>
<\/span><\/span>    sb.<\/span>append<\/span>(<\/span>a(<\/span>b));<\/span> \/\/ 单字节转Hex
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>return<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>
注意<\/strong>：本文仅用于技术研究，请勿用于非法用途。<\/p>