作品列表接口 /api/post/item_list/? 有一段 x-tt-params
观察后发现主要是由device_id、secUid、browser等信息组合成的字符串经过AES加密后生成。
调试可知:AES 加密,128 位密钥,CBC 模式,PKCS7 填充。密钥与 IV 使用同一个值,且硬编码在前端脚本里(见下方代码),所以该参数只是对请求参数的混淆,并不提供保密性或完整性保护。
在线测试
https://tool.lmeee.com/jiami/aes
本地模拟
var CryptoJS = require("crypto-js");
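/**
 * Rebuilds the plaintext behind the `x-tt-params` header and encrypts it.
 *
 * The plaintext is a `key=value` list joined with `&`, built from a fixed
 * set of device/browser fields plus the caller's `secUid`. It is encrypted
 * with AES in CBC mode and PKCS7 padding through CryptoJS.
 *
 * Security notes for readers of this scheme:
 * - The key is derived from a constant string in client-side code, so
 *   anyone holding the script holds the key; the header is obfuscation,
 *   not a secret.
 * - The IV is the same bytes as the key and never changes, so identical
 *   plaintexts always produce identical ciphertexts.
 * - CBC without a MAC gives no integrity protection.
 *
 * @param {string} secUid - Value placed in the `secUid` field.
 * @returns {string} CryptoJS's default string form of the ciphertext (Base64).
 */
function aes(secUid) {
  // Declared with `const`: the original bare assignment `e = {...}` created
  // an implicit global and throws a ReferenceError in strict mode / ES modules.
  const params = {
    "aid": "1988",
    "app_name": "tiktok_web",
    "channel": "tiktok_web",
    "device_platform": "web_pc",
    "device_id": "7202509366032811522",
    "region": "TW",
    "priority_region": "",
    "os": "windows",
    "referer": "",
    "root_referer": "undefined",
    "cookie_enabled": "true",
    "screen_width": "1920",
    "screen_height": "1080",
    "browser_language": "zh-CN",
    "browser_platform": "Win32",
    "browser_name": "Mozilla",
    "browser_version": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    "browser_online": "true",
    "verifyFp": "undefined",
    "app_language": "zh-Hans",
    "webcast_language": "zh-Hans",
    "tz_name": "Asia/Shanghai",
    "is_page_visible": "true",
    "focus_state": "true",
    "is_fullscreen": "false",
    "history_len": "3",
    "battery_info": "1",
    "from_page": "user",
    "secUid": secUid,
    "count": "30",
    "cursor": "",
    "language": "zh-Hans",
    "userId": "undefined",
    "is_encryption": "1"
  };

  // Serialise in insertion order; values are not URL-encoded, as in the original.
  const pairs = Object.keys(params).map((name) => `${name}=${params[name]}`);

  // `is_encryption=1` is already a key of `params`, so it ends up in the
  // plaintext twice. Kept as-is so the output matches the original code.
  // NOTE(review): whether the duplicate is required cannot be confirmed from this page.
  pairs.push("is_encryption=1");

  // Force the seed to exactly 16 characters (AES-128): left-pad with "0"
  // when shorter, truncate when longer. The 18-character seed is truncated.
  const seed = "webapp1.0+20210628".toString();
  let keyText = seed;
  if (seed.length < 16) {
    keyText = "0".repeat(16 - seed.length) + seed;
  } else if (seed.length > 16) {
    keyText = seed.slice(0, 16);
  }

  // The same 16 bytes serve as both key and IV.
  const keyBytes = CryptoJS.enc.Utf8.parse(keyText);
  const encrypted = CryptoJS.AES.encrypt(pairs.join("&"), keyBytes, {
    iv: keyBytes,
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7
  });
  return encrypted.toString();
}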
// Demo run: print the encrypted parameter string for the sample secUid from the page.
const sampleSecUid = "MS4wLjABAAAA6aI0jkpA6X5yzejGmhzXFtd6vKbLKkJV1bQ4cATqZUmPGVenv3R0cJTsHdrI2NBG";
console.log(aes(sampleSecUid));