Yuanrenxue problem 20
2022-07-28 23:43:00 【consult one's pillow】
# Yuanrenxue problem 20
First, inspecting the request shows that it has only two parameters: t and sign.
Here t is a timestamp and sign is an encrypted string of length 32.
Then we continue the analysis ......
We step into the window.sign function, because this is where sign is encrypted.
After stepping through it several times, we find the call getStringFromWasm0(r0, r1);, where r0 and r1 are fixed. This function reads the encrypted parameter from a fixed location in memory.
We then find the passed-in parameter content, that is, the string “2|1658741542000”. It is referenced in only one place, which I know because I have already analyzed it.
```javascript
// The parameter is written into WASM memory here.
var ptr0 = passStringToWasm0(content, _index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["__wbindgen_malloc"], _index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["__wbindgen_realloc"]);
// content is encrypted here. The function reads the parameter directly from memory, so the memory address is what gets passed in.
_index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["sign"](retptr, ptr0, len0);
```
Testing with getStringFromWasm0(r0, r1); shows that ptr0 is the memory address.
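How the pointer/length hand-off described above works, as an added JavaScript model that is not the site's or the author's code. `memory`, `malloc`, `fakeSign` and `callSign` are stand-ins assumed for illustration, and `fakeSign` only tags its input instead of hashing it; the point is that r0 and r1 are just an address and a length in linear memory.

```javascript
// JS-only model of the wasm-bindgen string ABI (illustration, not the site's bundle).
// `memory`, `malloc` and `fakeSign` are hypothetical stand-ins for the real wasm module.
const memory = new WebAssembly.Memory({ initial: 1 }); // one 64 KiB page
const encoder = new TextEncoder();
const decoder = new TextDecoder('utf-8');

let heapTop = 16;        // bump allocator; bytes 0..15 are reserved for retptr
let WASM_VECTOR_LEN = 0; // wasm-bindgen keeps the last string length in a global

function malloc(size) {
  const ptr = heapTop;
  heapTop += (size + 3) & ~3; // keep allocations 4-byte aligned
  return ptr;
}

// JS -> wasm: copy the UTF-8 bytes into linear memory and return the pointer.
function passStringToWasm0(str, mallocFn) {
  const bytes = encoder.encode(str);
  const ptr = mallocFn(bytes.length);
  new Uint8Array(memory.buffer).set(bytes, ptr);
  WASM_VECTOR_LEN = bytes.length;
  return ptr;
}

// wasm -> JS: decode `len` bytes starting at address `ptr`.
function getStringFromWasm0(ptr, len) {
  return decoder.decode(new Uint8Array(memory.buffer).subarray(ptr, ptr + len));
}

// Stand-in for the exported sign(retptr, ptr, len): it only receives addresses,
// writes its output string into memory and stores (ptr, len) at retptr.
function fakeSign(retptr, ptr, len) {
  const input = getStringFromWasm0(ptr, len);
  const outPtr = passStringToWasm0('signed(' + input + ')', malloc);
  const i32 = new Int32Array(memory.buffer);
  i32[retptr / 4] = outPtr;
  i32[retptr / 4 + 1] = WASM_VECTOR_LEN;
}

// The wrapper pattern seen on the page: pass in, call, read r0/r1 back out.
function callSign(content) {
  const retptr = 0;
  const ptr0 = passStringToWasm0(content, malloc);
  const len0 = WASM_VECTOR_LEN;
  fakeSign(retptr, ptr0, len0);
  const i32 = new Int32Array(memory.buffer);
  const r0 = i32[retptr / 4], r1 = i32[retptr / 4 + 1];
  return { ptr0, len0, r0, r1, result: getStringFromWasm0(r0, r1) };
}
```

Calling `getStringFromWasm0(ptr0, len0)` on the returned values gives back the original input, which is the same check the post uses to confirm that ptr0 is the address of content.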
Finally, step into the encryption function:
```javascript
// Encryption function
_index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["sign"]
```
Check which function operates on this address.
call $match_twenty::sign::MD5::hash::hd3cc2e6ebf304f6f
This is where the parameter is encrypted.
The analysis is done, so here is the code.
```python
import requests
import time
import hashlib

headers = {
    'authority': 'match.yuanrenxue.com',
    'accept': 'application/json, text/javascript, */*; q=0.01',
    'accept-language': 'zh-CN,zh;q=0.9,en;q=0.8',
    'cache-control': 'no-cache',
    'cookie': 'Hm_lvt_0362c7a08a9a04ccf3a8463c590e1e2f=1656481755,1656661058,1656985288,1658457383; Hm_lvt_c99546cf032aaa5a679230de9a95c7db=1658368336,1658454438,1658713011,1658720402; no-alert3=true; Hm_lvt_9bcbda9cbf86757998a2339a0437208e=1658368358,1658454446,1658713020,1658720406; tk=-111657350385238811; sessionid=dfl6r164x63xtt6tgv4r53im8bm075u1; Hm_lpvt_9bcbda9cbf86757998a2339a0437208e=1658736978; Hm_lpvt_c99546cf032aaa5a679230de9a95c7db=1658738427',
    'pragma': 'no-cache',
    'referer': 'https://match.yuanrenxue.com/match/20',
    'sec-ch-ua': '^\\^.Not/A)Brand^\\^;v=^\\^99^\\^, ^\\^Google',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '^\\^Windows^\\^',
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'same-origin',
    'user-agent': 'yuanrenxue.project',
    'x-requested-with': 'XMLHttpRequest',
}

count = 0
for page in range(1, 6):
    # Get the timestamp: seconds since the epoch with "000" appended
    t = time.time()
    t = str(int(t)) + "000"
    # Build the sign parameter: MD5 of "page|t" followed by the suffix string
    # (the suffix literal is left exactly as posted)
    sign = hashlib.md5((str(page) + "|" + t + 'D# Add encryption parameters ').encode()).hexdigest()
    params = (
        ('page', page),
        ('sign', sign),
        ('t', t),
    )
    response = requests.get('https://match.yuanrenxue.com/api/match/20', headers=headers, params=params)
    data = response.json().get('data')
    # Sum the value field of every item on this page
    for i in data:
        count += i.get('value')
print(count)
```