
TikTok Login Tool | PoC


TikTok Brute Force Tool

This is a Proof of Concept (PoC) Python script that tests account credential combinations against TikTok's mobile API. The code has not worked since 2023, but it still documents how TikTok's API architecture and algorithms were put together at the time.

This code is the basis of 99% of the TikTok brute-force tools sold today, because it was leaked while it was still functioning.

Analysis

Device registration

When interfacing with TikTok's API, you will notice two query-string parameters whose values are large numbers: iid and did. These are abbreviations for Install-Device-Id and Device-Id, respectively.

?iid=xxx&did=xxx

These device IDs are obtained by sending an HTTP POST request to /service/2/device_register together with encrypted device data. Here is the algorithm to encrypt the device data.

The server responds with a JSON object containing the device IDs, both as integers and as strings:

{
    "device_id": 7280600177604888325,
    "install_id": 7280600177604888325,
    "device_id_str": "7280600177604888325",
    "install_id_str": "7280600177604888325",
    "new_user": true
}

To make the registered device look more trustworthy to the server, send another HTTP POST request to https://xlog-va.byteoversea.com/v2/s? with additional device data.

Device registration workflow

The following diagram provides an overview of the device registration flow:

Device registration workflow

... soon


All code except ttencrypt.py, xlog.py and gorgon.py was written by me, @xtekky