代码收藏家技术教程 2022-07-18

【WEB逆向】关于tiktok参数msToken，X-Bogus，_signature生成

tiktok逆向

开始正题

算法介绍

算法生成研究

代码跟踪

代码编写

开发者测试

总结

福利

本文只是技术探讨，如果对tiktok造成影响请告知，本人及时删除。在线联系邮箱:57428397@qq.com

开始正题

从视频评论区下手，打开开发者工具，发送评论会出现一条包

https://www.tiktok.com/api/comment/publish/?aid=1988&app_language=zh-Hant-TW&app_name=tiktok_web&aweme_id=7034791620910451970&battery_info=0.97&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F94.0.4606.81%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&device_id=7062797146567869953&device_platform=web_pc&focus_state=true&from_page=video&history_len=6&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=US&referer=https%3A%2F%2Fwww.tiktok.com%2F&region=JP&root_referer=https%3A%2F%2Fwww.tiktok.com%2F&screen_height=823&screen_width=1463&text=123&text_extra=%5B%5D&tz_name=Asia%2FShanghai&verifyFp=verify_kzfyihmc_9MFy9BZO_vzrg_4eUB_BTQG_EeTWUe5uPwoi&webcast_language=zh-Hant-TW&msToken=IVYTTNbhk_pTgje2K7regs0KEEwVJfSinrz8snNUYRpKZE8Al5M6Z6_J0VwoJex1AACYzRkaU_MyOd_gmMZr2f8Y0IY6onC0Eu6tJXeoTm3_HPoJIAd3fY2mdLcjnrmWsOpCcg==&X-Bogus=DFSzswVLlnzANyacS-pUaM9WX7nK&_signature=_02B4Z6wo00001I-I6yQAAIDAD4oRZc.C5PSPiO-AAEHq03

msToken=IVYTTNbhk_pTgje2K7regs0KEEwVJfSinrz8snNUYRpKZE8Al5M6Z6_J0VwoJex1AACYzRkaU_MyOd_gmMZr2f8Y0IY6onC0Eu6tJXeoTm3_HPoJIAd3fY2mdLcjnrmWsOpCcg==&X-Bogus=DFSzswVLlnzANyacS-pUaM9WX7nK&_signature=_02B4Z6wo00001I-I6yQAAIDAD4oRZc.C5PSPiO-AAEHq03

算法介绍

根据js代码抽取和去除花指令需要大量时间，以及绕过检测，
本编文件根本写不完。所以这里简单讲解一下算法生成过程，
tiktok的此次算法生成是使用JSVMP虚拟机模式，
膨胀了大量代码，校验是否为浏览器环境，其中检测了document,window,location,navigator.cavas,symbol,tostring.html，body,script,prototype等等，

算法生成研究

msToken，X-Bogus，_signature是jsVmp生成。

参数	必选	备注
msToken	true	非对称算法生成，和_signature参数相辅相成
X-Bogus	false	发现了cookie参与了运算，但是发空值，服务器并未进行检验，后期算法更新估计就会更新这一块，
_signature	true	检验是否浏览器环境，如果非浏览器生成的算法则发包报错，其中关键点，_signature生成的时候，浏览器环境user-agent参与运算。

代码跟踪

代码太多贴入js文件。

    window.byted_acrawler.init({
        aid: 1988,
        dfp: !1,
        boe: !1,
        intercept: !0,
        enablePathList: ["/*"],
        region: "va-tiktok",
        mode: 513,
        isSDK: false
    });
//加上下面js
//https://sf16-secsdk.ttwstatic.com/obj/rc-web-sdk-gcs/webmssdk/1.0.0.195/webmssdk.js

代码编写

    var p = new XMLHttpRequest;
    p.open("GET", 'https://www.tiktok.com/api/comment/publish/?aid=1988&app_language=zh-Hant-TW&app_name=tiktok_web&aweme_id=7034791620910451970&battery_info=0.97&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F94.0.4606.81%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&device_id=7062797146567869953&device_platform=web_pc&focus_state=true&from_page=video&history_len=6&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=US&referer=https%3A%2F%2Fwww.tiktok.com%2F&region=JP&root_referer=https%3A%2F%2Fwww.tiktok.com%2F&screen_height=823&screen_width=1463&text=123&text_extra=%5B%5D&tz_name=Asia%2FShanghai&verifyFp=verify_kzfyihmc_9MFy9BZO_vzrg_4eUB_BTQG_EeTWUe5uPwoi&webcast_language=zh-Hant-TW', !0);
    p.timeout = 60000;
    p.setRequestHeader("Accept", "application/json, text/plain, */*");
    p.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    p.setRequestHeader("x-tt-passport-csrf-token", "89fedbd4e9c37c1d3d7af4c84664cb7f");
    var result = p.send();

开发者测试

生成成功

https://www.tiktok.com/api/comment/publish/?aid=1988&app_language=zh-Hant-TW&app_name=tiktok_web&aweme_id=7034791620910451970&battery_info=0.97&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F94.0.4606.81%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&device_id=7062797146567869953&device_platform=web_pc&focus_state=true&from_page=video&history_len=6&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=US&referer=https%3A%2F%2Fwww.tiktok.com%2F&region=JP&root_referer=https%3A%2F%2Fwww.tiktok.com%2F&screen_height=823&screen_width=1463&text=123&text_extra=%5B%5D&tz_name=Asia%2FShanghai&verifyFp=verify_kzfyihmc_9MFy9BZO_vzrg_4eUB_BTQG_EeTWUe5uPwoi&webcast_language=zh-Hant-TW&msToken=p-sf0P6Zvzb45o1IVUBI1B3oqhCHWqYlDw07TZcgR5KYeRkT8pXsv-iFtsQ9JfuDxHh2pTk0stg6mYP2E0JZDwmZ2tXWrC8tAdTdYSexHUCac1g9uQberA3ycXfsx46p7Iob-A==&X-Bogus=DFSzswVLvSGANyacS-pm8F9WX7nV&_signature=_02B4Z6wo00001HbypnQAAIDA9vBcNaVFL9x28qLAAH.A18

总结

如果直接用浏览器生成，难度就会变得非常低，但是由于浏览器是V8引擎，单线程使用，调用速度可能达不到理想范围

福利

本人尝试自己编译V8并从webkie源码抽离浏览器环境，构建虚拟浏览器环境，并成功执行，在此免费开放接口进行测试。

import requests

url = "http://120.24.75.121:8800/?platform=tiktok&type=0"

payload = "https://www.tiktok.com/api/comment/publish/?aid=1988&app_language=zh-Hant-TW&app_name=tiktok_web&aweme_id=7034791620910451970&battery_info=0.97&browser_language=zh-CN&browser_name=Mozilla&browser_online=true&browser_platform=Win32&browser_version=5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F94.0.4606.81%20Safari%2F537.36&channel=tiktok_web&cookie_enabled=true&device_id=7062797146567869953&device_platform=web_pc&focus_state=true&from_page=video&history_len=6&is_fullscreen=false&is_page_visible=true&os=windows&priority_region=US&referer=https%3A%2F%2Fwww.tiktok.com%2F&region=JP&root_referer=https%3A%2F%2Fwww.tiktok.com%2F&screen_height=823&screen_width=1463&text=123&text_extra=%5B%5D&tz_name=Asia%2FShanghai&verifyFp=verify_kzfyihmc_9MFy9BZO_vzrg_4eUB_BTQG_EeTWUe5uPwoi&webcast_language=zh-Hant-TW"
headers = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36',
  'Content-Type': 'text/plain'
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

来源：Hisen(斜飞)