elyelysiox/recaptcha-vm — explained in plain English
Analysis updated 2026-05-18
Decrypt and read the configuration and main bytecode reCAPTCHA loads into the browser
Disassemble reCAPTCHA's bytecode into a human-readable list of instructions
Study the 42 documented opcodes covering arithmetic, property access, and event handling
Analyze the control flow graph of reCAPTCHA's fingerprint collection logic
| elyelysiox/recaptcha-vm | adindazu/ultimatevocal | applicative-systems/gcan | |
|---|---|---|---|
| Stars | 18 | 18 | 18 |
| Language | Rust | Rust | Rust |
| Setup difficulty | hard | moderate | easy |
| Complexity | 5/5 | 2/5 | 2/5 |
| Audience | researcher | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires strong familiarity with Rust, bytecode interpreters, and XOR-based obfuscation, the decompiler module is still incomplete.
This is a Rust-based research project that reverse-engineers the virtual machine Google embeds inside reCAPTCHA. reCAPTCHA runs a custom bytecode interpreter inside your browser to collect fingerprinting signals (mouse movement, timing, browser properties, and so on) before deciding whether to show a challenge. This project documents and implements the tools to read and analyze that bytecode. The repository contains four components. The bytecode module handles decoding and decrypting the two forms of bytecode the VM uses. The configuration bytecode is loaded first, carrying encrypted strings and encryption keys, it is decrypted by XOR-folding two separate keys to produce a seed, then running a linear congruential generator over the encrypted bytes. The main bytecode is dynamically constructed inside reCAPTCHA's JavaScript and contains the fingerprint collection logic, it is encrypted separately during execution and decrypted at VM boot. The disassembler module reads the decrypted bytecode and translates it into a human-readable list of instructions. The project documents all 42 opcodes in the VM's instruction set, covering arithmetic, string operations, property access on JavaScript objects and the window, conditional jumps, function calls, event handling, and several specialized operations like obtaining the current performance timestamp or decrypting an encrypted string from the character set. The VM runs with 2048 registers. The instruction pointer and register indices are encoded as variable-length 7-bit continuation integers. The decompiler module is partially complete. The control flow graph analyzer (which maps the branching structure of the bytecode) and the instruction lifter (which converts raw instructions into a higher-level representation) are done, but the full decompiler output is still a work in progress. The encryption module handles the payload encryption functions the VM uses when sending signals back out of the browser context. This project is aimed at security researchers, bot-detection analysts, and developers who need to understand what reCAPTCHA is measuring inside their users' browsers. Reading the code requires comfort with Rust and with concepts like bytecode interpreters and XOR-based obfuscation.
A Rust research project that decodes and disassembles the custom bytecode virtual machine reCAPTCHA runs in the browser to collect fingerprinting signals.
Mainly Rust. The stack also includes Rust.
License is not stated in the provided text.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.