-
Table of contents
tiktok reverse
This article is just a technical discussion. If it affects tiktok, please let me know and I will delete it in time. Contact VV online: HH19991111LV
Find the title from the video homepage, as shown below:
You will find the encryption parameters of msToken, X-Bogus, and _signature, and then
start algorithm research
Algorithm Introduction
It takes a lot of time to extract and remove the spent instructions according to the js code, and to bypass the detection,
this document cannot be finished at all. So here is a brief explanation of the algorithm generation process.
The algorithm generation of tiktok uses the JSVMP virtual machine mode, which
expands a lot of code and verifies whether it is a browser environment. Document, window, location, navigator.cavas, symbol, tostring.html, body, script, prototype, etc.,
Algorithm Generation Research
msToken, X-Bogus, _signature are generated by jsVmp.
parameter | required | Remark |
---|---|---|
msToken | true | Asymmetric algorithm generation, complementing the _signature parameter |
X-Bogus | false | It was found that the cookie was involved in the calculation, but the server did not check it when it sent a null value. It is estimated that this piece will be updated in the later algorithm update. |
_signature | true | Check whether it is in the browser environment. If the algorithm is not generated by the browser, it will send a packet and report an error. The key point is that when _signature is generated, the browser environment user-agent participates in the operation. |
code tracking
Too much code is pasted into the js file.
window.byted_acrawler.init({
aid: 1988,
dfp: !1,
boe: !1,
intercept: !0,
enablePathList: ["/*"],
region: "va-tiktok",
mode: 513,
isSDK: false
});
//加上下面js
//https://sf16-secsdk.ttwstatic.com/obj/rc-web-sdk-gcs/webmssdk/1.0.0.195/webmssdk.js
code writing
var p = new XMLHttpRequest;
p.open("GET", 'https://www.tiktok.com/api/comment/publish/?aid=1988&app_language=zh-Hant-TW&app_name=tiktok_web&aweme_id=7034791620910451970&battery_info=0.97&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F94.0.4606.81%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&device_id=7062797146567869953&device_platform=web_pc&focus_state=true&from_page=video&history_len=6&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=US&referer=https%3A%2F%2Fwww.tiktok.com%2F®ion=JP&root_referer=https%3A%2F%2Fwww.tiktok.com%2F&screen_height=823&screen_width=1463&text=123&text_extra=%5B%5D&tz_name=Asia%2FShanghai&verifyFp=verify_kzfyihmc_9MFy9BZO_vzrg_4eUB_BTQG_EeTWUe5uPwoi&webcast_language=zh-Hant-TW', !0);
p.timeout = 60000;
p.setRequestHeader("Accept", "application/json, text/plain, */*");
p.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
p.setRequestHeader("x-tt-passport-csrf-token", "89fedbd4e9c37c1d3d7af4c84664cb7f");
var result = p.send();
developer test
https://www.tiktok.com/api/comment/list/?aid=1988&app_language=ja-JP&app_name=tiktok_web&aweme_id=7228801069831179527&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F113.0.0.0%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&count=20¤t_region=JP&cursor=0&device_id=7231761221069440513&device_platform=web_pc&focus_state=true&fromWeb=1&from_page=video&history_len=9&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=&referer=®ion=JP&screen_height=1412&screen_width=2510&tz_name=Asia%2FShanghai&webcast_language=zh-Hans&msToken=g9DUJp7Zp2PoJZdfKNwFrli2niA1VrMhIR7v-uZy5SRLwgVqOMws0EawtMDrwFqaCsVWjqncIB0Oo41U8x4PuH3JOqwDBJdNj3jC9_qgGzfVxwjlGheCWF0IQyJQep_MgTzcQmjmGz8WnG0MRQ==&X-Bogus=DFSzswVOmCxANxKftt7nPYXAIQRM&_signature=_02B4Z6wo00001rlxQvQAAIDD2nuCn8zE5o65cUZAAMo897
Tested separately in the v8 environment and nodejs environment, the effect is OK.
The reason is that fastapi has built the basic interface of tiktok
The basic interface of tiktok
Comment screenshot
Here is a screenshot of part of the comment
If it involves researching technical issues, the code will not be published. If you think the article is better, please give me some attention
Source: H~