安卓端某音乐类 APP 逆向分享（二）协议分析

以歌曲搜索协议为例，查看charles中歌曲搜索协议详情

拷贝出搜索协议的Curl形式

curl -H 'Host: interface3.music.xxx.com' -H 'Cookie: EVNSM=1.0.0; NMCID=oufhty.1667355455436.01.4; versioncode=8008050; buildver=221010200836; resolution=2392x1440; deviceIdYD=wXaFrap7x7ZBWAURUBfBNAopTRcMc1%2Fy%0A; ntes_kaola_ad=1; mobilename=Nexus6P; __csrf=bc87126a6e2c5bc1dc13f7a4fa7fb778; osver=8.1.0; deviceIdZX=%7B%22aids%22%3A%22%7B%5C%22appAid%5C%22%3A%5C%22A01-6S9ZfZ7LMPtbOkDBD%2BFfTamoXzwyjGEJ%5C%22%2C%5C%22venderAid%5C%22%3A%5C%22A01-PqsfZ2rfR6KV8rvlwLGkZBEsuquepT9g%5C%22%7D%22%2C%22value%22%3A%22Z01-1669950551-USe4BwCrTIsqYCHf-1391%22%7D; os=android; channel=huawei1; MUSIC_A=a23f763a90a6919afc6057778b9afcdc569fd258186e6fd1bf855317ba0d9adda5b6bfc7288fa31698f2ac0d17d8913ec8dd202061f1d462b072135bf1e89dbcf0bd7354569c6e0509f224412056dc1625c09b866a57b69ffc49e31475acc5340edf70a74334194ee3f818419820dd2c5956e2d30fe4acf2993166e004087dd3d62e78f0fc05b8fb1b6ca03ab633f3e8bba9d8290cc8af8f478d6e9baa1bff7d06248ec4b32bc0d7a9ace7cd2bcac6d9; deviceId=ODY3OTc5MDIxNjY1OTg2CWRjOmVlOjA2OmZlOjhlOjkzCTlkMjQzYzU0M2E1MmZlOWMJMDFhMjg5MzUwNDg1MWNjMA%3D%3D; appver=8.8.50; NMDI=Q1NKTQkBDABJS5RM3paF7woBVGJrAAAAvWyTiVt%2FAcOpNRzxMTtj0J5oprczJrhgeBAUaNVRv9S0D78sABS4HgbI8oLFnYZtfIYQVuh5d5dlbiKE2nz%2FB8ByJinncNLCkfE%2BIueQioG1t3eqcD0Pbdyl%2FYt%2B1GPwbmRYBGMbOVmktvI%3D; NMTID=00O9ZJM3lTmq-FilktnmIzFLNbbgNgAAAGENiEz0g; packageType=release' -H 'user-agent: NeteaseMusic/8.8.50.221010200836(8008050);Dalvik/2.1.0 (Linux; U; Android 8.1.0; Nexus 6P Build/OPM7.181205.001)' -H 'cmpageid: SearchActivity' -H 'mconfig-info: {"IuRPVVmc3WWul9fT":{"version":"2893824","appver":"8.8.50"},"tPJJnts2H31BZXmp":{"version":"1153024","appver":"3.25.00"},"c0Ve6C0uNl2Am0Rl":{"version":"266240","appver":"1.4.30"},"zr4bw6pKFDIZScpo":{"version":"217088","appver":"1.4.0"}}' -H 'x-mam-custommark: cronet' -H 'content-type: application/x-www-form-urlencoded' --data-binary "params=74A595527B7A1647174ADDB4F261E92FF2AFA5F42E4694960F9C5A3746841C9BA4DFA4F09AC5266109659469E031F06AE91ECFE7DB48EB4E9EFC1ECCD7562F7836FF6A0218FA861FA3B69A37A27D61C2D60AB011FF10E2DFD68262EE9744A31640FB1FC650D5679D5B2350FB9EC4B73249F33DAD34FA177056C73768AF0885D281D29C1A7519F3F5FA30E932136FD659CF6C47F01040B9BA4A618B78F47A196998F46DEC37FD735ED312A237A9E9AE6FDD6C48905EEB6CAC4690856B227F3F6D32CCCE962363AFD520809E0202581A878AD53FFE77994AAA5B043C443BDA8A8859275765D439349776109D0BA76F0A4BDEF80553627B556F57AD602BD9483FD84CB00F0495A2BE73564891F12AB7C087F7EF25FFE170B5C832E020AEB68C0E97778A6DBDDF0771DB716644226BFAC2D842A987E3464540E1DE6E4B3B414165F2F5BFB6CF486C2D85D1D1B115DB0ECF7E228483C122E70CAA64587D68B73CCFA258115A0008A19D0A7521A57FB4A803BC" --compressed 'https://interface3.music.163.com/eapi/search/song/page'

可以看到歌曲搜索协议的链接是： 

https://interface3.music.xxx.com/eapi/search/song/page

请求方法为post，提交的表单数据是（只有一个加密参数params需要破解）：

params=74A595527B7A1647174ADDB4F261E92FF2AFA5F42E4694960F9C5A3746841C9BA4DFA4F09AC5266109659469E031F06AE91ECFE7DB48EB4E9EFC1ECCD7562F7836FF6A0218FA861FA3B69A37A27D61C2D60AB011FF10E2DFD68262EE9744A31640FB1FC650D5679D5B2350FB9EC4B73249F33DAD34FA177056C73768AF0885D281D29C1A7519F3F5FA30E932136FD659CF6C47F01040B9BA4A618B78F47A196998F46DEC37FD735ED312A237A9E9AE6FDD6C48905EEB6CAC4690856B227F3F6D32CCCE962363AFD520809E0202581A878AD53FFE77994AAA5B043C443BDA8A8859275765D439349776109D0BA76F0A4BDEF80553627B556F57AD602BD9483FD84CB00F0495A2BE73564891F12AB7C087F7EF25FFE170B5C832E020AEB68C0E97778A6DBDDF0771DB716644226BFAC2D842A987E3464540E1DE6E4B3B414165F2F5BFB6CF486C2D85D1D1B115DB0ECF7E228483C122E70CAA64587D68B73CCFA258115A0008A19D0A7521A57FB4A803BC

请求头中内容较多，主要的参数在Cookie中：

Cookie: EVNSM=1.0.0; NMCID=oufhty.1667355455436.01.4; versioncode=8008050; buildver=221010200836; resolution=2392x1440; deviceIdYD=wXaFrap7x7ZBWAURUBfBNAopTRcMc1%2Fy%0A; ntes_kaola_ad=1; mobilename=Nexus6P; __csrf=bc87126a6e2c5bc1dc13f7a4fa7fb778; osver=8.1.0; deviceIdZX=%7B%22aids%22%3A%22%7B%5C%22appAid%5C%22%3A%5C%22A01-6S9ZfZ7LMPtbOkDBD%2BFfTamoXzwyjGEJ%5C%22%2C%5C%22venderAid%5C%22%3A%5C%22A01-PqsfZ2rfR6KV8rvlwLGkZBEsuquepT9g%5C%22%7D%22%2C%22value%22%3A%22Z01-1669950551-USe4BwCrTIsqYCHf-1391%22%7D; os=android; channel=huawei1; MUSIC_A=a23f763a90a6919afc6057778b9afcdc569fd258186e6fd1bf855317ba0d9adda5b6bfc7288fa31698f2ac0d17d8913ec8dd202061f1d462b072135bf1e89dbcf0bd7354569c6e0509f224412056dc1625c09b866a57b69ffc49e31475acc5340edf70a74334194ee3f818419820dd2c5956e2d30fe4acf2993166e004087dd3d62e78f0fc05b8fb1b6ca03ab633f3e8bba9d8290cc8af8f478d6e9baa1bff7d06248ec4b32bc0d7a9ace7cd2bcac6d9; deviceId=ODY3OTc5MDIxNjY1OTg2CWRjOmVlOjA2OmZlOjhlOjkzCTlkMjQzYzU0M2E1MmZlOWMJMDFhMjg5MzUwNDg1MWNjMA%3D%3D; appver=8.8.50; NMDI=Q1NKTQkBDABJS5RM3paF7woBVGJrAAAAvWyTiVt%2FAcOpNRzxMTtj0J5oprczJrhgeBAUaNVRv9S0D78sABS4HgbI8oLFnYZtfIYQVuh5d5dlbiKE2nz%2FB8ByJinncNLCkfE%2BIueQioG1t3eqcD0Pbdyl%2FYt%2B1GPwbmRYBGMbOVmktvI%3D; NMTID=00O9ZJM3lTmq-FilktnmIzFLNbbgNgAAAGENiEz0g; packageType=release

拆解下Cookie中的参数：

• EVNSM=1.0.0，固定参数
• NMCID=oufhty.1667355455436.01.4，猜测oufhty是随机产生的6位字符串，1667355455436是13位的时间戳，最后的01.4是固定的
• versioncode=8008050，客户端版本信息，固定参数
• buildver=221010200836，客户端构建版本信息，固定参数
• resolution=2392x1440，终端设备的分辨率
• deviceIdYD=wXaFrap7x7ZBWAURUBfBNAopTRcMc1%2Fy%0A，某个设备ID信息，采用base64编码，暂时不知道是如何生成的
• ntes_kaola_ad=1，固定参数
• mobilename=Nexus6P，终端的设备型号
• __csrf=bc87126a6e2c5bc1dc13f7a4fa7fb778，猜测是某个认证信息，暂时不知道是如何生成的
• osver=8.1.0，终端的安卓系统版本
• os=android，操作系统，固定参数
• channel=huawei1，一般channel是客户端应用的下载渠道，这里暂不确定含义，可以作为固定参数传入
• MUSIC_A=a23f763a90a6919afc6057778b9afcdc569fd258186e6fd1bf855317ba0d9adda5b6bfc7288fa31698f2ac0d17d8913ec8dd202061f1d462b072135bf1e89dbcf0bd7354569c6e0509f224412056dc1625c09b866a57b69ffc49e31475acc5340edf70a74334194ee3f818419820dd2c5956e2d30fe4acf2993166e004087dd3d62e78f0fc05b8fb1b6ca03ab633f3e8bba9d8290cc8af8f478d6e9baa1bff7d06248ec4b32bc0d7a9ace7cd2bcac6d9，猜测是某个认证信息，暂时不知道是如何生成的
• deviceId=ODY3OTc5MDIxNjY1OTg2CWRjOmVlOjA2OmZlOjhlOjkzCTlkMjQzYzU0M2E1MmZlOWMJMDFhMjg5MzUwNDg1MWNjMA%3D%3D，设备ID信息，采用base64编码，解码明文是867979021665986 dc:ee:06:fe:8e:93 9d243c543a52fe9c 01a2893504851cc0，其中867979021665986是终端设备的imei串号，dc:ee:06:fe:8e:93是设备的mac地址，9d243c543a52fe9c是设备的android_id，01a2893504851cc0是云音乐生产的一个id，生成位置在这个native函数中com.netease.is.deviceid.factory.JNIFactory.w1c2724538080aa1b，跟踪反编译代码该id也可置为空字符串或null，后面需要可再深入分析
• appver=8.8.50，客户端版本信息，固定参数
• NMDI=Q1NKTQkBDABJS5RM3paF7woBVGJrAAAAvWyTiVt%2FAcOpNRzxMTtj0J5oprczJrhgeBAUaNVRv9S0D78sABS4HgbI8oLFnYZtfIYQVuh5d5dlbiKE2nz%2FB8ByJinncNLCkfE%2BIueQioG1t3eqcD0Pbdyl%2FYt%2B1GPwbmRYBGMbOVmktvI%3D，暂时不知道如何生成的
• NMTID=00O9ZJM3lTmq-FilktnmIzFLNbbgNgAAAGENiEz0g，暂时不知道如何生成的

最后，响应的数据也是加密的。所以本次逆向的工作还是很多的，总结一下接下来要做的事情：

1. 请求参数params加密破解，params由什么内容组成，是怎么加密的
2. 请求Cookie中的加密参数破解及生产，其中包含deviceIdYD、__csrf、deviceIdZX、MUSIC_A、deviceId、NMDI、NMTID
3. 响应数据解密破解