【WP】猿人学_15_备周则意怠_常见则不疑

https://match.yuanrenxue.cn/match/15

抓包分析

抓包分析有一个m参数，三个数字组成

追栈/扣代码

根据启动器顺序追栈，一般优先跳过 jQuery

直接能找到加密函数

每次获取的数字都不一样

window.m = function() {
t1 = parseInt(Date.parse(new Date()) / 1000 / 2);
t2 = parseInt(Date.parse(new Date()) / 1000 / 2 - Math.floor(Math.random() * (50) + 1));
return window.q(t1, t2).toString() + '|' + t1 + '|' + t2;
};

找到加密函数，本地运行，需要补环境window = global;需要用到window.q函数，这个函数是二进制wasm导出的。

在控制台输出函数点击则可以跳转函数位置

wasm文件可以直接使用python调用。刷新页面找到wasm文件双击即可下载到本地。

构建Python代码

• 安装pywasm

pip install pywasm

把上面的JS转化成Python代码

import random
import time

import pywasm

# 加载WASM模块
vm = pywasm.load('main.wasm')


# 定义encode函数
def encode(t1, t2):
    return vm.exec('encode', [t1, t2])


# 定义m函数
def m():
    t1 = int(time.time() // 2)
    t2 = int(time.time() // 2 - random.randint(1, 50))
    encoded_result = encode(t1, t2)
    return f'{encoded_result}|{t1}|{t2}'


# 执行m函数并打印结果
print(m())

11846484|858829793|858829743

构建爬虫代码尝试。

完整代码

import random
import time

import pywasm
import requests

# 加载WASM模块
vm = pywasm.load('main.wasm')


# 定义encode函数
def encode(t1, t2):
    return vm.exec('encode', [t1, t2])


# 定义m函数
def m():
    t1 = int(time.time() // 2)
    t2 = int(time.time() // 2 - random.randint(1, 50))
    encoded_result = encode(t1, t2)
    return f'{encoded_result}|{t1}|{t2}'


headers = {
    "authority": "match.yuanrenxue.cn",
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-language": "zh-CN,zh;q=0.9",
    "referer": "https://match.yuanrenxue.cn/match/15",
    "sec-ch-ua": "\"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Google Chrome\";v=\"122\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36",
    "x-requested-with": "XMLHttpRequest"
}
cookies = {
    "sessionid": "zwy0uz1vd0ge1e42310i34b37584m1lj",
    "Hm_lvt_c99546cf032aaa5a679230de9a95c7db": "1717578931,1717603706,1717646819,1717658072",
    "Hm_lvt_9bcbda9cbf86757998a2339a0437208e": "1717578942,1717639423,1717658081",
    "qpfccr": "true",
    "no-alert3": "true",
    "Hm_lpvt_9bcbda9cbf86757998a2339a0437208e": "1717658404",
    "m": "a4bc4a41fac1af0f16d90557df669d6f|1717659407000",
    "Hm_lpvt_c99546cf032aaa5a679230de9a95c7db": "1717659649"
}
url = "https://match.yuanrenxue.cn/api/match/15"

ret = 0
for pageIndex in range(1, 6):
    params = {
        "m": m(),
        "page": pageIndex
    }
    response = requests.get(url, headers=headers, cookies=cookies, params=params)
    print(response.text)
    data = response.json()["data"]
    for item in data:
        ret += item['value']
print(ret)

使用代码请自行修改cookie

{"status": "1", "state": "success", "data": [{"value": 2086}, {"value": 9613}, {"value": 8563}, {"value": 9659}, {"value": 7656}, {"value": 4363}, {"value": 8892}, {"value": 3371}, {"value": 1335}, {"value": 3312}]}
{"status": "1", "state": "success", "data": [{"value": 8992}, {"value": 678}, {"value": 3708}, {"value": 8387}, {"value": 2657}, {"value": 1345}, {"value": 9763}, {"value": 800}, {"value": 4328}, {"value": 104}]}
{"status": "1", "state": "success", "data": [{"value": 2795}, {"value": 2594}, {"value": 9150}, {"value": 6656}, {"value": 5834}, {"value": 476}, {"value": 1968}, {"value": 1218}, {"value": 5901}, {"value": 1851}]}
{"status": "1", "state": "success", "data": [{"value": 1317}, {"value": 6556}, {"value": 2163}, {"value": 1628}, {"value": 930}, {"value": 2919}, {"value": 9012}, {"value": 8671}, {"value": 1232}, {"value": 4586}]}
{"status": "1", "state": "success", "data": [{"value": 492}, {"value": 7595}, {"value": 3262}, {"value": 9299}, {"value": 7287}, {"value": 4316}, {"value": 3091}, {"value": 1926}, {"value": 2803}, {"value": 2248}]}
219388

实际上cookie里面还有一个m，最开始我没有注意到，不过好在这个不应该操作