该样本是从 豌豆荚 下载的，是 64 位的，我放一个在百度网盘，下载。

最近在学习研究 拼夕夕app 里面的一个参数，是和设备指纹相关的，在请求中的参数是 etag，这个参数是通过以下接口返回的。

pdd_id 就是 etag，接口中的 Post 参数 “key” 和 “data” 是通过 nativeGenerate2 函数返回的，这个函数在 libpdd_secure.so 里。

调用 nativeGenerate2 函数时，第 6 个参数是关键参数，就是 i.c(context, remove3, map)。

public static String generate(Context context, Map<String, String> map) {
	String str = null;
	if (b.p(32953, null, context, map)) {
		return b.w();
	}
	if (!isLibraryLoaded) {
		return "";
	}
	tryInitEagle();
	String remove = map.remove("uid");
	String remove2 = map.remove("cookie");
	String remove3 = map.remove("pddid");
	File a2 = StorageApi.a("com.xunmeng.pinduoduo.secure.SecureNative");
	if (a2 != null) {
		str = i.H(a2);
	}
	return nativeGenerate2(context, remove, remove2, remove3, str, i.c(context, remove3, map), System.currentTimeMillis());
}

接下来，hook 一下这个函数，frida 脚本如下：

var i = Java.use("com.xunmeng.pinduoduo.secure.i");
console.log("发现需要的类: " + i);
i.c.overload('android.content.Context', 'java.lang.String', 'java.util.Map').implementation = function (p1, p2, p3) {
    var ret = this.c(p1, p2, p3);
    console.log(ret);
    printJavaStackTrace()
    return ret;
}

输出的结果和堆栈信息

version=134&info=g6iUSuzNlWeDi%2FxPng%2FN%2B8ZyQEP%2FnQuHC42hki6euDbZ%2BMcoUltc%2BPXrz5kpyhIznPNfKi81PeEP%0A%2B%2F114shsXHgn%2FRfPwVaGrVl%2BCyVTEt%2BcjQuGcA4pbWF5hCrAXyIdrKmtEVnOO4kg%2F5hLLOeUuVSp%0ApefmUSdyOsTKe8xoianqRGIWuJKcR0bvgq5VaiEvyp64nr%2Be01EuHdZFY6E2bqXlo9ZsB7uXpmwO%0A5lW7k%2BqW7YfwaTXUqn7boPIkppf0JsvMY1Bgt67CptIyBv8VVXUiL0kOaTk0Di0FOFGTSnZVKuEW%0AucAlHBlC%2BNvWEnp1AS9HuEv7eJez8VQzOP%2BFNld53wEmsgxun8EtyzVykOGV4cQsD3Rx8Bjt0KZX%0AyJxoz6ATG82Mt6bNiGz9MJiJB5FJrlOviH3mhJmbywUjnOch5QcvQQdLp6ys7cuqVqqEN3oVH9r8%0A0UN%2F90MYe96Ie8df9I7PK2eQlfPJC%2FgceKOtdujZjly9FrmBTuCmT69eXOINy3mtBw4DM2v92SJI%0Az1BENgOIvA2gfN6OcARSN4B9zF9rUaIwQgVK47W9dtlgepergWoHCgaOifqscadlxjAZR5Dd8STd%0AawI3fUd%2B0PjfTGf1yHXuk4PLqkiEJ0j8L4KF0XnqEAwnBcRsGeIl9KVWYKFF9lUH1LFmmaRQ01ZS%0AIik4gWPKcYBEw68oeB%2FzWCUFQDsUKClafPcvF3j45vD3jl7lUiVqMbyvgp1ELwRO0%2Fh68f3p1qmd%0AKq2sziLTUSbSlVyZ51eidVPPuZ9aEgg51sizyhyUPhKxslmtb7J8PKBhRRvFSO5u9RkgF7hQw%2FlL%0AVmEJE2UBkJjXpAWPHmZv6aQAD3euNGqBE0GAXOm%2Fy5Km9Os1s1sVF8%2FoBKc0HZpXUh2J%2FCVc6S1t%0ANmaFouBolOGVcZ%2Fpa243%2Fngpr2WAfjc8OSo2Lux5MKfIcgMGXy%2BBjlUE4yCofJV5thIqMoyAXH2n%0Anl3bWcXiq8WWTMIGzaKXSUQmJClgV4B89phzZacnKCK4MA9RJpuRfpNCV46CYHM%2Fm9FEQtgZHKVV%0AQ09Oi9riVqJux3va1fWGzfRGcMNi9f%2FVqRbWSoR9m8bGVJXj4EkeQtKQX2XuUgdhBZQFSo3%2Fi1XQ%0AiAfn07fBSrk29OMM42GEzKyCEfXLPrW9lDjSsUtaY0KiKIgLKUryVkTl3CurKAohAFZVr8eo2duV%0AO1aNxuFkb0ksoqGMSs%2FkRn523b%2FQR4KLqFihzRbezgu%2BFPMCZtAX1PHvhCx%2FjN4gCzeavSAmVaF%2F%0AX69s%2FzqZDdJyxMuyrpDgdEC9zSth08nZGF21lHEWDhdawE%2Br%2F99Y1ai6YgG4XsucAd0%2BkO0ztIjr%0AaJpA7XR%2FFeewH%2B%2FxEgt9WW0xQT2O%2FLYdWc5honIRfIxk%2FLmfh8WxkX4%2BI9l%2F2kqq7GVkSlHpJd1F%0AILLWcUImINbzAzPU154TlhN9XrbgtHrRBT3GZ4gV7Aos6RyrlR5ycu9U%2BPfaB4fzESqIasaU4Umk%0A1OnTdcjRbFQAL4T%2FZHM5UeiLAfrnLRk2RpzWICKnVjDzB9UB77HsZ9N1BvrW6TtfYMovvNf%2B%2FHcW%0Aci%2Ff5x%2BPFjxzrjow%2BmzmYuCqy6AmMGBRVkFP7GqeBQY3fIJ44e9ZuQieXsJPbrd9KBZp0XZwOYnN%0AQqZMkAPfM0v989K%2BWf8NsTPFYfgr90TiK30OUdqOb5Qg9rEyNOTy0XRTXoiM%2BRxKQtJOtIcvq8wQ%0AEeTpdu1lNRudCpX0de%2FczyBnUsmgF%2F9zY%2BZR9aaaWSTdHMe6PEIIEG2A3Q6Xb9eA4jgItRdw2ajA%0Acd52jRunrFjX3zci%2FXQlXFqRqclWeP51hhGBaC%2FAvGp1Z0Nn5w9EDge3cpHVtE%2FePkU7zi29Iqeu%0Ad0FQrMgwNZTvPGLpsq3rYBuuoE3N8PkmLhilAcjxqe1aJh7%2Ff5e7usSOJSbv9ExGJmdKlUnAFhvz%0A4Ynd9APdMVbisK4jP82j9PH%2Bw8GXmqlD6w%2BbixZ66bIMmwSWDF2NVxtfyJvxfkZ4ioSWHI2FBauw%0ANLSbjLGnwbAeFJLkaU8xkTFQk5wCRu4Pf8l7F7Imh1z%2B1ckJxeJ%2BUNXhW6JDtxSViY9NvMna08f%2B%0ATbMNwEhjk5BJX9KiWa%2FSeXx1NjfZqPhVDTLZNAlHAhWiMZ87AD%2BGReBiLb3qTMczcf93LVmftetg%0AmSXB5wsDG9o5u9BYGHDr0yk2KzI1%2F1MFO%2BFnfY2AZWAoj5TK85u%2FYf1B5ZD2Lxl4pP930xXN7NDV%0ATTjCnKvPX8sifhinkCB%2FWpyxwEJf3yhIANzMFhArjaA28q1f8Wj45rTBd9Kb%2Bz40RQMBuWJlkg39%0AqRjfYXeYRYb4rRe7Wm8kl798RuGxX7MrBw6eOcYUpAztH52ResWurqjk9s14H5n%2FiLzXeUFUSsvN%0AE7rB4LC3M7csqQeBrgFSKlfatiuwYP4tNEWRP%2Fyts4wNHxlE3fjHsP%2F4eNuWQbGjAS37URzaBHB3%0A1X4DviUlZnVs11%2FKNDc8EJ2gJM4gtDTU97r0f2TfhRXk27wWKv3fEFQsHS3ZsLtNyNdOh4eWUxsK%0AFNbxFdYnm5MQfHZpP7o8emhIrqUHNm%2BGOVPMa4OTkHmbcd86aOcrPrQtFMAwvJ3TDbluPuASCtuC%0AXlajUpZyFQQic1gc6Flluq%2B90hIIkFsQq%2BoaDoWZaVlY1PrIzjSeEYokXvfGYMUIx4QYZJBPafKA%0A3ejmiyysr8XXd8Tb9uTwq99QR%2FyMcVGiWuzGoAbMrgs%2BjTUAywaawJGze779OA0YNUJAbL4se7WG%0Ab%2BV9JLCICnFAg2GKGn3kbh7tLv3TUsLd1XbMWPPbLtS3HPMVW7MOHLWdbU6BiRueMbfArtStT0Ao%0A2Ctpn9ZXZm74zA23jugrAiUCP58lr8PMdHKOs0QLEsZEJRtKnqoH2q3ZBfl5QqixP%2BpPp6Yy%2F2n9%0AExjp36UeHqHW01rdAPhD3tmLz%2Fx2eAXiLGbRHHWJtbwsU2pQJbmW6r3Mbx%2B%2FUeG4cNrNDV9DCYK0%0AykH9jY1B%2FytA7EnIQx%2FGiAmt5H5RYMA6dW8927KuJOSONiXEhTGNvBteRBgaFz2SB8qktoax%2BzOh%0AenWCPVtOPvvBzf6qLZzRSGAB8KqpJoPhGm6YoDrvxHYVTmuINP3ljyyg%2BJd332u9PLDyRQsv%2BHBm%0AKDSwXNTrnzI%2BS7aeMltGeDZHRWit1TRphiF9qhRBacPSMsG6itWJ39p8ekJrd3kODBqJYQ7osvps%0AUjdmObjdwRwGr595VRIspQHf%2Fks3llhbMay4QmVo8Sa6nVsmGin9BRMZdfaR2nb8cq1pY3DdVMiv%0ABVXjw7gIa8gAAvjmQEEjOPSln5mAj00Hm6HB7U2Vpup0pe9iTAOGiybmZKPw8hDV0ip7nfLR0Mwy%0A2kPZcc%2B8fgmkLSM%2F0263lhBOLuyDwJezHbHgGvn2bwM36rDph20ETFXJ5qepWXPUzd35pJF7kTPd%0ASkQRAcVLnkok4NKe%2FKSGPHh5d3H%2F7Lba7enYSH%2BYWRuCtM1TGnzGGYKa0Ftu3aUckhFg%2Fe%2B%2BclqF%0AVUUPuNr4geYqPnheRzzbd%2F%2FN%2FTMzBgV772ieXncr9TdEBCInm8mHKO20epFSBw%3D%3D%0A
java.lang.Exception
	at com.xunmeng.pinduoduo.secure.i.c(Native Method)
	at com.xunmeng.pinduoduo.secure.SecureNative.generate(Unknown Source:65)
	at com.aimi.android.common.b.a.d(Unknown Source:14)
	at com.xunmeng.pinduoduo.appstartup.app.e.m(Unknown Source:132)
	at com.xunmeng.pinduoduo.appstartup.app.f.run(Unknown Source:17)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
	at java.lang.Thread.run(Thread.java:764)

可以看到 info 很长，是个关键参数，里面应该是加密了设备的相关信息。

在继续往下调查的过程中，这个函数的返回值是从 map 里面取的，hook 这个函数 com.xunmeng.pinduoduo.a.i.h 的时候，app 一直崩溃。

public static synchronized String c(Context context, String str, Map<String, String> map) {
	synchronized (i.class) {
		if (b.q(32918, null, context, str, map)) {
			return b.w();
		}
		Logger.i("Pdd.InfoCollectMgr", "getCollectInfo");
		if (!a()) {
			return e.c(context, str, map);
		}
		HashMap hashMap = new HashMap();
		hashMap.put("context", context);
		hashMap.put("pddid", str);
		hashMap.put("userData", map);
		hashMap.put("InfoCollectVmp_METHOD_KEY", 1);
		System.putThreadLocalParams(hashMap);
		h().run();
		return (String) com.xunmeng.pinduoduo.a.i.h(System.getThreadLocalParams(), j.c);
	}
}

无意中竟然在 Java 层发现了 vm 代码，还有 HELLO.java，继续分析，分析。。我不装了，我分析不下去了。

[培训]《安卓高级研修班(网课)》月薪三万计划，掌 握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法