[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78217":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":14,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":13,"lastSyncTime":27,"discoverSource":28},78217,"recaptcha","elyelysiox\u002Frecaptcha","elyelysiox","Documentation and reverse engineering of reCAPTCHA",null,"JavaScript",184,29,2,1,0,17,133,9,61.93,false,"main",true,[],"2026-06-12 04:01:23","\n## Description\n\nThis repository contains a technical analysis of Google's antibot (reCAPTCHA) focusing on:\n\n- Payload Structure and Values\n- Fingerprinting Techniques\n- Obfuscation Techniques\n- Anti-debugging\u002FTampering Techniques\n- Virtual Machines\n\n## Contact\n\n- Discord: `@g_recaptcha`\n- Telegram: `@lyxlobyx`\n\n## Obfuscation Techniques\n\nreCAPTCHA is one of the anti-bot systems with the most sophisticated obfuscation techniques, employing a series of transformations that make the code less readable and more difficult to reverse engineer. Most obfuscations can be easily manipulated using the Abstract Syntax Tree (AST), but some are processed at runtime, rendering the AST useless in this case. Polymorphism is also applied to the code to change its structure in each version of the script. For example, the code doesn't perform the action directly. Instead, it uses objects or functions that change shape\n\n- ***Sequence Expressions***\n The code is flattened by converting each block statement into a continuous comma-separated expression, it can appear in if statements, function arguments, and even within objects\n ![seq](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F32418923412.png)\n\n\n- ***Mixed Boolean Arithmetic***\n Intertwines arithmetic operations (addition, subtraction, multiplication) with bitwise operations (AND, OR, XOR, NOT) to hide the original logic, for example `-2 * ~(h & H) + -2 + (h ^ H)`\n\n- ***Indirect Function Table***\n Each function is built within a table, and is called using its index, like `functions[index](args)`\n\n- ***Inline Constant Array***\n A local array literal is assigned inline, mid-expression, the array groups constants (numbers, strings) that are reused throughout the function body via index access\n ```javascript\n \u002F\u002F b = [14, 1, \"call\"] assigned inline inside a sequence expression\n function(Y, Q, c, l, G, X, W, J, b, P) {\n (Y & 94) == Y && (b = [14, 1, \"call\"], ...)\n W[b[2]](J, G) \u002F\u002F W.call(J, G)\n Y >> b[1] & b[0] \u002F\u002F Y >> 1 & 14\n }\n ```\n\n- ***Function Multiplexing***\n Multiple logically distinct functions are merged into one, using a numeric parameter as a block selector. The active block is determined by evaluating the parameter against bitwise conditions. Callers pass a numeric literal as the selector\n\n ```javascript\n function(N, y, U, Y, h, H, m, C, u) {\n C = [26, 47, 6];\n \n \u002F\u002F block 1\n if ((N - 2 ^ 14) \u003C N && (N - C[2] | 28) >= N) {\n \u002F\u002F convert value to string logic\n }\n \n \u002F\u002F block 2\n if ((N + 4 & 40) >= N && (N + 5 & C[0]) \u003C N) {\n Y = bB();\n throw Error(Y === void 0 ? \"unexpected value \" + U + y : Y);\n }\n \n return u;\n }\n ```\n\n- ***Logical Operator Branching***\n Replaces if statements and if\u002Felse blocks with logical operator short-circuit evaluation, converting control flow into expressions. combined with sequence expressions, multiple branches appear as a single continuous comma-separated expression\n ```javascript\n \u002F\u002F if (a) { block }\n a && (block)\n \n \u002F\u002F if (!a) { block }\n a || (block)\n \n \u002F\u002F if (a) { x } else { y }\n a ? x : y\n \n \u002F\u002F combined with CFF and sequence expressions:\n (Y | 1) & 14 || (c = Q.O, J = c.O.length + c.g.length),\n (Y ^ 59) >> 3 == 3 && (Q.classList\n ? Q.classList.add(c)\n : Z[31](31, Q, c) || (l = f[0](84, \"string\", \"\", Q), ...)),\n ```\n- ***Bind Native Methods Constants***\n Binds native browser methods to their original receivers, storing them as constants to prevent tampering\n\n ```javascript\n LO = (Tw = self) == null ? void 0 :\n (K9 = Tw.Math) == null ? void 0 :\n (v4 = K9.floor) == null ? void 0 :\n (mF = v4.bind) == null ? void 0 :\n mF.call(v4, Math) \u002F\u002F Math.floor.bind(Math)\n\n LO(x) \u002F\u002F Math.floor(x)\n U4() \u002F\u002F Math.random()\n Ge(obj, prop) \u002F\u002F Object.defineProperty(obj, prop)\n ```\n\n- ***Dead Code***\n Inaccessible or unused blocks of code are injected throughout the file, increasing its size to over 60,000 lines, this makes static analysis and LLM-based reverse engineering difficult\n\n- ***Control Flow Flattening***\n Transforms each part of the code (declarations and loops) into a flat state machine. It hides the original execution logic by routing all code blocks through a central \"dispatcher\" block\n \n Dispatchers can change shape; some have 2-3 state variables, and the loop\u002Fcondition type changes. They look like this\n\n ![cff1](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F2814721849.png)\n\n This is a CFF with 2 state variables, one handles the catch block and the other the try block.\n\n- ***Encrypted String Pool***\n All string literals (DOM APIs, browser properties, CSS values, error messages, etc) are encrypted into a single massive string pool. A decryption function uses a seed and an LCG-based XOR cipher to extract each string at runtime\n \n There are 1990+ call sites spread across the code, the decryption function uses a running key that accumulates decoded codepoints, making each character dependent on all previous ones\n\n ```javascript\n X = function(J, b, P, F, U) {\n U = [\"codePointAt\", 127, \"char encrypted pool\"];\n for (F = (P = 0, b = \"\", l); P \u003C Q; P++)\n J = (U[2][U[0]](c + P) ^ F) & U[1], \u002F\u002F XOR with running key\n b += String.fromCodePoint(J),\n F += J; \u002F\u002F accumulate key\n return G = b;\n }\n \n \u002F\u002F call sites pass a seed to locate and decrypt each string\n Z[23](64, 4, 54961, 103)() \u002F\u002F → \"lang\"\n Z[23](66, 4, 54961, 103)() \u002F\u002F → \"addEventListener\"\n Z[23](32, 12, 20287, 852)() \u002F\u002F → \"inline-block\"\n ```\n\n ![decstrings](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F128093828.png)\n\n- ***Stateful Value Iterator***\n reCAPTCHA uses stateful function that returns a sequence of runtime objects and values (like window, document.body, numeric constants) in a fixed order, each call advances an internal cursor, calling it out of sequence or too many times corrupts all subsequent reads. A timeout mechanism invalidates the state after a fixed interval, returning null for any late reads\n\n ```javascript\n \u002F\u002F sequential calls return different values:\n c() \u002F\u002F → window\n c() \u002F\u002F → document.body\n c() \u002F\u002F → 123\n c() \u002F\u002F → null (timeout expired)\n \n l(c(), G[2], G[W[1]], G[1]) + l(c(), G[2], G[W[1]], 12)\n \u002F\u002F ↑ window ↑ window\n\n 10 * l(c(), G[2], G[W[1]], G[1]) + l(c(), G[2], G[W[1]], 12))\n \n c().querySelectorAll(a[X[2]](98, X[1], X[1]))\n \u002F\u002F ↑ document.body \n \n ```\n\n- ***Computed Function Table***\n This is similar to `Indirect Function Table`, but here the index of the function to be obtained is calculated at runtime with a seed, using XOR and Modulus\n \n ```javascript\n c = ((Q ^ no | U[1]) >> 5) + no\n A = mN[(c % U[2] + U[2]) % U[2]] \u002F\u002F mN is the function table (50+ functions)\n ```\n ```javascript\n q[29](5, 6977) \u002F\u002F seed=6977 → index resolves to function at mN[X]\n q[29](53, 6187) \u002F\u002F seed=6187 → different index, different function\n ```\n \n ![computed](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F124898914221.png)\n\n- ***Runtime Value Encryption***\n Some values ​​(captcha configuration parameters, anchor parameters, etc) are never stored in plain text; they are encrypted immediately after collection and decrypted only at the time of use, have a prefix `B` at the beginning\n\n ![hiddenv](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F4214879218412.png)\n\n- ***Async Control Flow Obfuscation***\n Synchronous logic is converted into generator-based state machines wrapped in recursive Promise chains, tracing any value through the debugger forces stepping through multiple async handlers, losing the original execution context at each .then() boundary\n\n## Anchor Payload\u002FResponse\n\n### Payload Structure\n\nComponents to initialize reCAPTCHA\n```\nar: \u003CWidgetInit?>\nk: \u003CWebsite Key>\nco: \u003CWebsite URL Base64-Encoded>\nhl: \u003CBrowser Main Language>\nv: \u003CRecaptcha Version>\nsize: \u003CType>\nsa: \u003CSite Action>\nanchor-ms: \u003CWidget Load Timeout>\nexecute-ms: \u003CExecution Timeout>\ncb: \u003CCallBack ID>\n```\n\n### Response\n\nThe response contains:\n- CAPTCHA iframe window design\n- Anchor token used for payload validation (\u002Freload)\n- The main configuration for initialization, executed in the `recaptcha.anchor.Main.init` method to receive it in recaptcha_en.js\n\n### Structure:\n\nNote: Recaptcha BotGuard was removed `04\u002F01\u002F2026`, You can see some samples [here](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha-payload\u002Ftree\u002Fmain\u002Fbotguard_scripts)\n```javascript\n[\n \"ainput\",\n [\n \"bgdata\",\n \"\",\n \"LyogQW50aS1zcGFtLiBXYW50IHRvIHNheSBoZWxsbz8gQ29ud...\", \u002F\u002F BotGuard Script Base64-Encoded\n \"YWVtZ0h5MGNCWXJDQ2lidGh0RW13RmhWdlc3aU5yeVpzSmx6U...\", \u002F\u002F BotGuard VM Bytecode Double Base64-Encoded \n \"wrB8fsOVU8K0YAzDsyQpw7ZHw6jDnMK1AMO6SRcvw53CsGlQw6\u002FDuMO0wqr\" \u002F\u002F VM Config Bytecode Base64-Encoded\n ],\n null,\n [\n \"conf\",\n null,\n \"6LfTV4gkAAAAACDVrUvp9_DalxUPvFSU7M2HJDO-\", \u002F\u002F Website Key\n 0,\n null,\n null,\n null,\n 1,\n \u002F\u002F Indexes for fingerprinting or something else\n [16, 21, 125, 63, 73, 95, 87, 41, 43, 42, 83, 102, 105, 109, 121],\n [-7614991, 137],\n 0,\n null,\n null,\n null,\n null,\n 0,\n null,\n 0,\n null,\n 700, \u002F\u002F Time Start for Time Variances of Fingerprint Values\n 1,\n null,\n 0,\n \u002F\u002F Encoded metadata for the VM's main bytecode constructs\n \"CvsCEg8I8ajhFRgAOgZUOU5CNWISDwjmjuIVGAA6BlFCb29IYxIPCMfm1DgYADoGZHhkTmlkEg8Is4qgOBgBOgZMV0o1a2ISDwiB7OgVGAA6Bkh1dlBqZhIPCK6e6zcYADoGR2JpT1FkEg8I94jmNxgAOgZvaWxlRGQSDwjwzeMVGAE6BmZJVkloYhIPCOLKoDcYAToGZ0xOQ0hjEg8I3r+3NxgBOgZlYXp1NmQSDwjY0oEyGAA6BkFxNzd2ZhIOCLjllDIYAToFUUJPRDASDwio7784GAA6BkdGVU5jZhIPCLWzqzgYAToGb3JZVjZkEg8I0tuVNxgAOgZmZmFXQWUSDwiV2JQyGAE6BlBxNjBuZBIPCKuRyjgYADoGQVo0TmJiEg8IxfOINxgAOgZhWG9pYWMSDwiNyoYyGAE6Bk93TjR0ZhIOCIr9iDcYADoFTWZJSTQaJwgDEiMdJv3NgTUZp4oJGYQKGZzijAIZzPMRGa+VQBnqsCYZ5a8MGQ==\",\n 0,\n 1,\n null,\n null,\n 1,\n null,\n null,\n 0,\n null,\n null,\n 0,\n 0,\n \"cf5e3c3a6ab6c494c829a7932d9577c1e6de862dd4912e55dc7fe2e40a1f7604\"\n ],\n \"https:\u002F\u002Fwho.clickbait.team:443\", \u002F\u002F Website URL:Port\n null,\n [\n 3,\n 1,\n 1\n ],\n null,\n null,\n null,\n 1,\n 3600,\n [\n \"https:\u002F\u002Fwww.google.com\u002Fintl\u002Fes\u002Fpolicies\u002Fprivacy\u002F\",\n \"https:\u002F\u002Fwww.google.com\u002Fintl\u002Fes\u002Fpolicies\u002Fterms\u002F\"\n ],\n \"vQWNjTpMwdevQPWmE8akDzp8jsOZfa1VqTzVHaPiQ\u002Fc=\",\n 1,\n 0,\n null,\n 1,\n 1777669303203, \u002F\u002F Fingerprint Data Encryption Key\n 0,\n 0,\n [203], \u002F\u002F Config Bytecode Key\n null,\n [185], \u002F\u002F Config Bytecode Key\n \"RC--rg1OSRnOD0ayA\",\n null,\n null,\n null,\n null,\n null,\n \u002F\u002F Bft Signature, Used in reCAPTCHA V2\n \"0dAFcWeA4RepD9zDjeMQE73pAT27pXZ7Nz_419U2K36QNqzHaKtLIDkwZQLi-Ud8OvSZHbDEcxQxusBQnsF5QQErMRpJMcUplaFg\",\n 1777752103288 \n]\n```\n\n## Fingerprint\nThe values ​​are based on the decrypted values ​​from the first sample fingerprint, look [here](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha-payload\u002Fblob\u002Fmain\u002Ffingerprint\u002Fdecrypted_values.json)\n\nEach subfield of the fingerprint values ​​has a base format:\n\n`[value, key, elapsed]`\n\nWhere `key` is the encryption key, and `elapsed` is the time it took the collector to obtain and encrypt the value. This allows reCAPTCHA to detect:\n- Excessively fast execution\n- Hooks\n- Breakpoints and sandboxing\n\n### Collector Execution Order\nThe system uses an internal scheduler:\n\n```\n[42, 45, 53, 30, 28, 54, 29, 31, 32, 33, 34, 35, 37, 36, 38, 39, 43, 40, 41, 46, 48, 57, 58, 60, 61, 62, 63, 64, 66, 68, 69, 71, 72, 79, 55]\n```\n\nThis represents:\n\n- Execution Order\n- Collector Pipeline\n- Signal Generation Sequence\n\n### Fingerprint Signals Codes & Key Derivation\nTransforms fingerprint signals into deterministic encryption keys through a multi-stage derivation pipeline\n\nEach fingerprint value is:\n\n- Normalized\n- Encoded into a compact signal code\n- Converted into a numeric encryption key\n- Encrypted using the derived key\n\nThe process is deterministic, meaning the same input value always generates the same signal code and encryption key\n\n```\nRaw Value\n ↓\nSignal Code Derivation\n ↓\nCompact Signal Code\n ↓\nNumeric Key Derivation\n ↓\nEncryption Key\n ↓\nValue Encryption\n```\n\n### Example\n\n***Input Signal***\n```\n\"BUTTON,195a81c9\"\n```\n\n***Step 1 - Derive Signal Code***\n```javascript\nderiveSignalCode(\"BUTTON,195a81c9\")\n\u002F\u002F → \"wg\"\n```\n\nThe generated signal code is a compact deterministic identifier for the original value.\n\n***Step 2 - Derive Numeric Key***\n```javascript\nderiveKey(\"wg\")\n\u002F\u002F → 3792\n```\n\nThe signal code is transformed into a numeric encryption key.\n\n***Step 3 — Encrypt Value***\n\n```javascript\nencryptValueWithKey(3792, \"wgia1z9pwq\")\n\u002F\u002F → \"bYVbh6BUsE_5pLA\"\n```\n\nThe next value will be encrypted with the derived key, following the collector order.\n\n### Aggregate Fingerprint Structure\n\nAll generated signal codes are aggregated into a compact serialized structure\n\n**Process**\n```\nvalue -> \"BUTTON,195a81c9\" seed code -> wg key -> 3792\nvalue -> \"wgia1z9pwq\" seed code -> 21 key -> 1599\nvalue -> 1 seed code -> p1 key -> 3521\nvalue -> \"8cc68d83\" seed code -> ld key -> 3448\nvalue -> \"https:\u002F\u002Fnextcaptcha.com\u002Fdemo...\" seed code -> 9p key -> 1879\nvalue -> 4 seed code -> op key -> 3553\nvalue -> false seed code -> 1r key -> 1633\nvalue -> 7 seed code -> qf key -> 3605\nvalue -> \"jYAQSHAEAI\" seed code -> 1z key -> 1641\nvalue -> \"\" seed code -> 80 key -> 1784\nvalue -> 2 seed code -> jk key -> 3393\nvalue -> \"AAAAAAAAAA\" seed code -> 1z key -> 1641\nvalue -> \"h3\" seed code -> 9p key -> 1879\nvalue -> \"0,BUTTON,195a81c9\" seed code -> ia key -> 3352\nvalue -> -1 seed code -> 1u key -> 1636\nvalue -> 0 seed code -> wq key -> 3802\nvalue -> \"74,fbfbc5b3\" seed code -> 6z key -> 1796\nvalue -> 0 seed code -> wq key -> 3802\nvalue -> 0 seed code -> wq key -> 3802\nvalue -> 2 seed code -> jk key -> 3393\nvalue -> 0 seed code -> wq key -> 3802\nvalue -> \"-1,-1\" seed code -> 1m key -> 1628\nvalue -> \"static.cloudflareinsights.co,...\" seed code -> 1g key -> 1622\nvalue -> \"\" seed code -> 80 key -> 1784\nvalue -> \"https:\u002F\u002Fnextcaptcha.com,https....\" seed code -> pd key -> 3572\nvalue -> \"[4,\\\"CABIBQAggA\\\",\\\"BAgAAgAAgA\\\"]\" seed code -> 1n key -> 1629\nvalue -> \"Demostración empresarial de reCAPTCHA v3...\" seed code -> 1k key -> 1626\nvalue -> \"[2,76852,77850,77351]\" seed code -> 9b key -> 1865\nvalue -> \"sha384-TNm\" seed code -> 23 key -> 1601\nvalue -> \"[1680,1050,876,1166,844,876]\" seed code -> 13 key -> 1570\nvalue -> \"[300,null,1778502450481]\" seed code -> ex key -> 3251\nvalue -> \"[null,null,\\\"\\\",\\\"\\\"]\" seed code -> rx key -> 3654\nvalue -> \"[2147483648,70806416,65303240]\" seed code -> 2r key -> 1664\nvalue -> \"GA1.1.354395113.1778502448\" seed code -> 1g key -> 1622\nvalue -> false seed code -> 1r key -> 1633\nvalue -> \"[[[1,\\\"wg\\\"],...\" seed code -> 85 key -> 1789\n```\n\n**Final**\n\n```json\n[\n [\n [1, \"wg\"], [1, \"21\"], [1, \"p1\"],\n [1, \"ld\"], [1, \"9p\"], [1, \"op\"],\n [1, \"1r\"], [1, \"qf\"], [1, \"1z\"],\n [1, \"80\"], [1, \"jk\"], [1, \"1z\"],\n [1, \"9p\"], [1, \"ia\"], [1, \"1u\"],\n [1, \"wq\"], [1, \"6z\"], [1, \"wq\"],\n [1, \"wq\"], [1, \"jk\"], [1, \"wq\"],\n [1, \"1m\"], [1, \"1g\"], [1, \"80\"],\n [1, \"pd\"], [1, \"1n\"], [1, \"1k\"],\n [1, \"9b\"], [1, \"23\"], [1, \"13\"],\n [1, \"ex\"], [1, \"rx\"], [1, \"2r\"],\n [1, \"1g\"], [1, \"1r\"]\n ],\n \"54\"\n]\n```\n\n### Signals\n\n- **Idx 4** (`string`)\n - Value: `_website key_ + '6d'`\n - Hashed: `true`\n - Description: Website Key hashed with SHA-256 (truncated)\n\n- **Idx 5** (`integer`)\n - Value: `window.localStorage.length * 2`\n - Hashed: `false`\n - Description: `window.localStorage` length\n\n- **Idx 16** (`string`)\n - Value: `yM5Us\u002Fj\u002Ffn6EDgtmPlP4Pxj605nMJN9dRYHyy5Mn`\n - Hashed: `true`\n - Description: Hashed all `\u003CHEAD>` elements, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashHeadElements.js)\n\n- **Idx 27** (`string`)\n - Value: `location.origin`\n - Hashed: `false`\n - Description: Website URL\n\n- **Idx 28** (`boolean`)\n - Value: `false`\n - Hashed: `false`\n - Description: `window.parent != window` and `window.frameElement != null` checks\n\n- **Idx 29** (`string`)\n - Value: `e2a3cd70`\n - Hashed: `true`\n - Description: Hashed grecaptcha.execute function body with SHA-256\n\n- **Idx 30** (`integer`)\n - Value: `0`\n - Hashed: `false`\n - Description: The index script containing the load URL `https:\u002F\u002Fwww.gstatic.com\u002Frecaptcha\u002Freleases\u002F\u003Cversion>\u002F`, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FgetRecaptchaScriptIndex.js)\n\n- **Idx 31** (`string`)\n - Value: `AAgkAQI0SB`\n - Hashed: `true`\n - Description: Hashed `document.cookie` keys, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashCookies.js)\n\n- **Idx 32** (`string`)\n - Value: `\"\"`\n - Hashed: `false`\n - Description: Referrer URL `document.referrer`\n\n- **Idx 34** (`string`)\n - Value: `AAAAAAAAAA`\n - Hashed: `true`\n - Description: Hashed all `\u003CINPUT>` attribute names, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashInputElements.js)\n\n- **Idx 35** (`string`)\n - Value: `0,DIV,f0c7414e`\n - Hashed: `true`\n - Description: `document.activeElement`, parse if it matches with a regex `(?i)buy|pay|place|order|donate|purchase`, then hash tagName + element ID + classNames, `\u003CisMatched,TagName,Hashed>`\n\n- **Idx 36** (`string`)\n - Value: `h3`, `h2` or `http\u002F1.1`\n - Hashed: `false`\n - Description: `nextHopProtocol` of `PerformanceNavigationTiming`\n\n- **Idx 37** (`integer`)\n - Value: `-1`\n - Hashed: `false`\n - Description: `performance.timing.unloadEventStart`\n\n- **Idx 38** (`integer`)\n - Value: `96`\n - Hashed: `false`\n - Description: DNS lookup `performance.timing.domainLookupStart - performance.timing.domainLookupEnd`\n\n- **Idx 39** (`integer`)\n - Value: `0`\n - Hashed: `false`\n - Description: Navigation type `performance.navigation.type`\n\n- **Idx 40** (`integer`)\n - Value: `0`\n - Hashed: `false`\n - Description: Last scroll-Y position `window.scrollY`\n\n- **Idx 41** (`string`)\n - Value: `DIV,a08cd360`\n - Hashed: `true`\n - Description: The hovered element where the mouse is positioned, hashed target + all `\u003CINPUT>` elements + `location.url` + `window.scrollY`\n\n- **Idx 42** (`string`)\n - Value: `9,e3b0c442`\n - Hashed: `true`\n - Description: Hashed a random text script with SHA-256 plus the index, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashRandomScript.js)\n\n- **Idx 44** (`string`)\n - Value: `2v591z63wq`\n - Hashed: `true`\n - Description: Hovered element, `document.activeElement`, all `\u003CINPUT>` elements hashed, `location.url`, `window.scrollY`, Example:\n ```javascript\n [\n deriveSignalCode(hash(hoveredElement)),\n deriveSignalCode(hash(document.activeElement)),\n deriveSignalCode(hash(document.querySelectorAll('input'))),\n deriveSignalCode(location.url),\n deriveSignalCode(String(window.scrollY))\n ].join('')\n ```\n\n- **Idx 45** (`integer`)\n - Value: `4`\n - Hashed: `false`\n - Description: Length of `window.history`\n\n- **Idx 46** (`string`)\n - Value: `https:\u002F\u002Fstatic.kogstatic.com\u002F0000\u002F34c...`\n - Hashed: `false`\n - Description: An error occurred in a website script\n\n- **Idx 47** (`integer`)\n - Value: `0`\n - Hashed: `false`\n - Description: `window.length`\n\n- **Idx 49** (`string`)\n - Value: `h2-0`\n - Hashed: `false`\n - Description: `nextHopProtocol` of `PerformanceResourceTiming`\n\n- **Idx 50** (`array`)\n - Value: `[1,0,null,1,1,[\"805b1z63wq\"],\"MWc2MzZwMnR0ZHNkMw==\",0,null,[[1]]]`\n - Hashed: `true`\n - Description: Contains user behaviors, hashed hovered elements interactions, and timeout to capture another element\n\n- **Idx 51** (`array`)\n - Value: `[0]`\n - Hashed: `false`\n - Description: `document.innerText` text contains anything labeled `try again` | `incorrect` | `invalid` | `declined`\n\n- **Idx 52** (`integer`)\n - Value: `11`\n - Hashed: `false`\n - Description: `isActive * 10 + hasBeenActive` from `userActivation`\n\n- **Idx 53** (`integer`)\n - Value: `4`\n - Hashed: `false`\n - Description: `window.document.length % 2 == 0 ? 5 : 4`\n\n- **Idx 54** (`boolean`)\n - Value: `false`\n - Hashed: `false`\n - Description: `window.document.hidden`\n\n- **Idx 55** (`array`)\n - Value: `[[[1,\"2v\"],[1,\"9z\"],[1,\"z8\"],[1,\"us\"],[1,..`\n - Hashed: `false`\n - Description: Ordering of generated signals codes by fingerprint values\n\n- **Idx 56** (`string`)\n - Value: `-1,-1`\n - Hashed: `false`\n - Description: `window.opener` checks\n\n- **Idx 57** (`string`)\n - Value: `www.gstatic.com,_,static.kogstatic.com,www.google.com,www.googletagmanager.,...`\n - Hashed: `false`\n - Description: HTML links of `document.scripts`\n\n- **Idx 58** (`string`)\n - Value: `mapslitepromosdismissed1`\n - Hashed: `false`\n - Description: Sampled `window.localStorage` key\n\n- **Idx 59** (`string`)\n - Value: `\"\"`\n - Hashed: `false`\n - Description: `window.name`\n\n- **Idx 60** (`string`)\n - Value: `https:\u002F\u002Fwww.kogama.com,https:\u002F\u002Fwww.google.com,https:\u002F\u002Fjs.stripe.com`\n - Hashed: `false`\n - Description: URLs for open message events\n\n- **Idx 61** (`array`)\n - Value: `[0,\"AAAAAAAAAA\",\"AAAAAAAAAA\"]`\n - Hashed: `true`\n - Description: Hashes of attribute names and target element types recorded by `MutationObserver`, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FwriteMutationObservers.js)\n\n- **Idx 62** (`string`)\n - Value: `document.title`\n - Hashed: `false`\n - Description: Full website title\n\n- **Idx 63** (`array`)\n - Value: `[]`\n - Hashed: `true`\n - Description: Hashed long IDs of `document.cookie`, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FderirveCookies.js)\n\n- **Idx 64** (`integer`)\n - Value: `55557`\n - Hashed: `false`\n - Description: Time elapsed from the anchor to the reload\n\n- **Idx 65** (`string`)\n - Value: `sha384-3qc`\n - Hashed: `true`\n - Description: Integrity hash of render script (truncated)\n\n- **Idx 67** (`array`)\n - Value: `[width,height,outerHeight,innerWith,innerHeigh,availHeigh]`\n - Hashed: `false`\n - Description: Screen resolution and dimensions\n\n- **Idx 68** (`array`)\n - Value: `[300,null,1777685870223]`\n - Hashed: `false`\n - Description: Timezone offset and current Unix timestamp\n\n- **Idx 69** (`string`)\n - Value: `09AKhCRwjrDFiHsrRA--o23-HB-eWqOtk_XQ-rLE1...`\n - Hashed: `false`\n - Description: A session token used for human identification, stored in `window.sessionStorage` and increments the score if valid\n\n- **Idx 70** (`array`)\n - Value: `[null,null,\"\",\"\",null,\"1l0fl\"]`\n - Hashed: `false`\n - Description: Website Product Prices, Data, etc\n\n- **Idx 71** (`array`)\n - Value: `[jsHeapSizeLimit,usedJSHeapSize,totalJSHeapSize]`\n - Hashed: `false`\n - Description: Performance JavaScript heap memory\n\n- **Idx 72** (`array`)\n - Value: `[[[\"Google Chrome\",\"147\"],[\"Not.A\u002FBrand\",...`\n - Hashed: `false`\n - Description: `userAgentData`, browser version, name\n\n- **Idx 73** (`array`)\n - Value: `[[null,2,0,\"Mozilla\u002F5.0 (Windows NT 10.0;...`\n - Hashed: `false`\n - Description: VM Signals data\n\n- **Idx 77** (`string`)\n - Value: `null`\n - Hashed: `false`\n - Description: Google GA cookie, may appear if the website uses Google Tag Manager\n\n- **Idx 78** (`integer`)\n - Value: `\"\"`\n - Hashed: `false`\n - Description: Unix timestamp, sometimes it appears\n\n### VM Signals\nThe following are the browser values ​​obtained by the internal reCAPTCHA VM, along with the signal key. Some values ​​are not shown in the sample fingerprint because the VM only extracts certain values ​​from the configuration bytecode. Therefore, other values ​​will be displayed. For more details, see [here](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha-vm)\n\nBase Signal Format:\n\n```\n[\n null,\n collectorElapsed,\n encryptElapsed,\n value\n]\n```\n\nWhere `collectorElapsed` means how long (ms) it took the collector to obtain the value\nAnd `encryptElapsed` means how long (ms) it took to encrypt the value.\nThese times are measured during the VM's execution.\n\n### Structure\n\n```json\n[\n null,\n 7,\n 0,\n \"Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F144.0.0.0 Safari\u002F537.36\"\n],\nnull,\nnull,\n[ null, 0, 0, \"[]\" ],\nnull,\nnull,\n[\n null,\n 4,\n 0,\n \"[\\\"Join And Get Free Trial!\\\",\\\"\\\",\\\"Captcha Solving Service\\\",\\\"Products\\\",\\\"Docs\\\"]\"\n],\n[ null, 0, 0, \"false\" ],\nnull,\n[ null, 0, 0, \"0\" ],\n[ null, 1, 0, \"[null,null,null,null,\\\"false\\\"]\" ],\n[ null, 3, 4, \"[[[0,921],[1,2053]],[[235054,1,1,1],[164277,3,4,1]],2,39]\" ],\n[ null, 1, 4, \"[[[0,0,979]],1,0]\" ],\n[ null, 1, 1, \"[[[1,0]]]\" ],\n[\n null,\n 4,\n 1,\n \"[886,2300,262.2099999997952,392.7600000009595,2050.2399999993577]\"\n],\n[ null, 1, 1, \"[[[1123,0,0]]]\" ],\n[ null, 1, 2, \"[[[1123,0]]]\" ],\n[ null, 1, 3, \"[0,null,null,null,null,null,null]\" ],\n[\n null,\n 5,\n 9,\n \"[1,[[2050,125,633,266,[609,266,105,44],3,1,50,1,1]],[3,3,318],[28,777,858,28],0,0,25]\"\n],\n[ null, 0, 0, \"\" ],\n[ null, 0, 0, \"229.6\" ],\n[ null, 0, 0, \"false\" ],\n[ null, 1, 0, \"[1,0,0,Infinity]\" ],\n[ null, 1, 1, \"[\"0\",-1,-1,999]\" ],\n[ null, 1, 0, \"[\\\"undefined\\\",3]\" ],\n[ null, 1, 6, \"[2,4,53324367238]\" ],\n[\n null,\n 12,\n 0,\n \"[\\\"Google Inc. (Intel Inc.)\\\",\\\"ANGLE (Intel Inc., Intel(R) UHD Graphics 630, OpenGL 4.1)\\\",30]\"\n],\n[\n null,\n 28,\n 2,\n \"[1542343452,0,105002991,3556653,96784904,-731949068,-902263026,-1914850612,571474391,-1588406278,3443508,1967713171,-1249474914,-1588406278,0,918504841,-807058197]\"\n]\n```\n\n- **Key 417** (`string`)\n - Value: `Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36...`\n - Description: Full Browser User-Agent\n\n- **Key 727** (`array`)\n - Value: `[]`\n - Description: Product Prices Blocks, contains prices for commercial products on the website, these may appear on marketplace websites such as Amazon, eBay, AliExpress, etc, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FfindProductPricesBlock.js)\n\n- **Key 150** (`array`)\n - Value: `[\\\"Join And Get Free Trial!\\\",\\\"\\\",\\\"Captcha Solving Service\\\",\\\"Prod...`\n - Description: Links extracted from the `\u003Ca>` elements of the website, the VM rarely extracts these values\n\n- **Key 545** (`boolean`)\n - Value: `false`\n - Description: `navigator.webdriver`\n\n- **Key 370** (`integer`)\n - Value: `0`\n - Description: Max Device Touch Points `navigator.maxTouchPoints`\n\n- **Key 779** (`array`)\n - Value: `[null,null,null,null,\"false\"]`\n - Description: Extracts data from shipping\u002Fbilling fields, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FformFieldScrape.js)\n \n `postal|postalcode|postalcode|postal_code|zip` → searches for postal code field\n \n `ship|deliver` → shipping section\n \n `billing|payment|credit` → billing section\n \n `country` → country selector\n \n `addr.*(match|equal)|(match|equal).*address` → \"same address\" checkbox\n \n Reads name, id, autocomplete, className of each element\n Three phases: text inputs, SELECT statements, checkboxes\n\n- **Key 659** (`array`)\n - Value: `[[[0,921],[1,2053]],[[235054,1,1,1],[164277,3,4,1]],2,39]`\n - Description: Contains data of the pressed elements on the page in the format `[[[count,ts]],[[hashedElem,tagType,type,autoComplete]],pressedCount,behaviorChecksum]`\n\n- **Key 959** (`array`)\n - Value: `[[[0,0,979]],1,0]`\n - Description: Scroll movements, in the format `[[[scrollX,scrollY,ts]],count,behaviorChecksum]`\n\n- **Key 895** (`array`)\n - Value: `[[[1,0]]]`\n - Description: VisibilityStateEntry, check if the user left the page, in the format `[[[isVisible,startTime]]]`\n\n- **Key 1092** (`array`)\n - Value: `[886,2300,262.2099999997952,392.7600000009595,2050.2399999993577]`\n - Description: reCAPTCHA Performance, PerformanceNavigationTiming and PerformanceEventTiming, in format `[vmStart,vmEnd,domContentLoadedEventEnd,loadEventEnd,firstUserInteractionTime]`\n\n- **Key 41** (`array`)\n - Value: `[[[1123,0,0]]]`\n - Description: ClearTimeout\n\n- **Key 43** (`array`)\n - Value: `[[[1123,0]]]`\n - Description: ClearTimeout\n\n- **Key 549** (`array`)\n - Value: `[0,null,null,null,null,null,null]`\n - Description: KeyboardEvent, computed keys + timestamps\n\n- **Key 352** (`array`)\n - Value: `1,[[2050,125,633,266,[609,266,105,44],3,1,50,1,1]],[3,3,318],...`\n - Description: It contains mouse movements, time, dimensions, positions of pressed elements and biometrics\n\n *Base Format*:\n ```\n [\n eventsCount,\n mouseEvents,\n [\n unknownEntropy,\n averageInterEventDelay,\n timingVarianceScore\n ],\n [\n totalPoints,\n clickSequenceScore,\n totalCursorDistance,\n totalPoints\n ],\n 0,\n 0,\n behaviorChecksum\n ]\n ```\n *Mouse Event*:\n ```\n [\n timestamp,\n clickDuration,\n clientX,\n clientY,\n [\n elementLeft,\n elementTop,\n elementWidth,\n elementHeight\n ],\n elementTagType,\n pointerType,\n pressure,\n pointerTravelDistance,\n pointerArea\n ]\n ```\n\n- **Key 360** (`string`)\n - Value: `\"\"`\n - Description: Collected Website Prices Total $ parsing with a regex ``(?i)total[\\S\\s]{0,20}?(?:(?:(?:USD|\\$)\\s*)?[\\d\\.,]+\\s*(?:USD|\\$)|(?:USD|\\$)\\s*[\\d\\.,]+)``, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FwebsitePricesTotal.js)\n\n- **Key 1278** (`integer`)\n - Value: `229.6`\n - Description: Division by 10 of current runtime timing `Math.trunc(performance.now()) \u002F 10`\n \n- **Key 1422** (`boolean`)\n - Value: `false`\n - Description: Parse if there are OTP\u002F2FA fields on the website, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FparseOTPFields.js)\n\n- **Key 614** (`array`)\n - Value: `[1,0,0,Infinity]`\n - Description: Device battery information, in the format `[level,isCharging,chargingTime,dischargingTime]`\n\n- **Key 2033** (`array`)\n - Value: `[\"0\",-1,-1,999]`\n - Description: Some VM constant values ​​and VM runtime timing\n\n- **Key 1313** (`array`)\n - Value: `[\"undefined\",3]`\n - Description: Android, Chrome checks, `[typeof window.android, Object.keys(window.chrome).length]`\n\n- **Key 1994** (`array`)\n - Value: `[2,4,53324367238]`\n - Description: `[navigator.hardwareConcurrency, navigator.deviceMemory, navigator.storage.estimate().qouta]`\n\n- **Key 1310** (`array`)\n - Value: `[\"Google Inc. (Intel Inc.)\",\"ANGLE (Intel Inc.,...`\n - Description: WebGL Renderer, Vendor and Total Extensions, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FwebglSignals.js)\n\n\n- **Key 291** (`array`)\n - Value: `[1542343452,0,105002991,3556653,96784904,-731949068,-902263026,...`\n - Description: Hashed specific Prototypes key of browser objects, like `SpeechSynthesisEvent`, `NetworkInformation`, `HTMLElement`, etc, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashBrowserProtos.js)\n\n## Reload Request Payload\n\nThis data is serialized using protobuf (Protocol Buffers), an efficient, neutral method for serializing structured data, developed by Google.\n\n```javascript\n[\n \"rreq\",\n \"U5VsmTDhJM1iOJUyw4DEUTYv\",\n \"03AFcWeA5Els3SIQviW2OYCHYD4uDhKlFPG6A48z2nk74BC2vrXSRvtpP9uVkWW96kUKm7sHIr...\",\n null,\n null,\n \"-383788762\",\n \"q\",\n \"05APQrAobTCFGtbKVY3NwExv-K_G7oqmzGyUcTXi532CBKvSJUiT49tkRSgGD__OdfVRZtrI3i...\",\n \"submit\",\n null,\n null,\n null,\n null,\n null,\n \"6LcAbwIqAAAAAJvVAhSSJ8qzYsujc7kn1knmSgQX\",\n null,\n \"0XA4cHhALxgMF9_Kt6uze2ZTR08XAe2x8o3BrU1hbTouNf3o1cnRmYRxZW01IA0BCNC_qJykb...\",\n null,\n null,\n null,\n \"tbMywxNTQsODQ0XSxbMSwyOTksMTA4Nl1dLFtbMiw2MSwxMzIuNzM5OTk5OTk5ODQ2MzNdLF...\",\n \"0aAPQrAobqMEazjp9PGLYWTgxWGGcq9k5MJNI6LFBWfTh0UkDaVobdH-InwAYsTXtxs3rH_fI\",\n \"BDAAYAIAGEcAAUoYI4lDCKAsCJlcgB6AAJtgggoIEEOALSoQRZxSZyAJBHANCkAJQYhFJES...\",\n null,\n null,\n \"W1tbNTAwNiw0M10sWzY0NjA3LDFdLFs0NTQ2NCwxXSxbMzU4MzcsMV1dXQ==\",\n null,\n null,\n]\n```\n\n### Components\n\n- **Idx 1**\n reCAPTCHA Version\n\n- **Idx 2**\n Anchor Token for Validation\n\n- **Idx 5**\n Hashed the entire serialized fingerprint data, [Sample](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002FhashFingerprint.js)\n\n- **Idx 6**\n Type\n\n `q` → V3 Challenge\n \n `fi` → V2\u002FInvisible Challenge\n \n `a` → Audio Challenge\n \n `qr` → Quick Response Code (new)\n\n- **Idx 7**\n Usage patterns, contains patterns from previously solved captchas, can significantly increase the score if valid\n\n- **Idx 8**\n Action\n\n- **Idx 14**\n Website Key\n\n- **Idx 16**\n Encrypted the entire serialized fingerprint data with the encryption key from anchor \n \n- **Idx 20**\n VM Delta Timing, Telematry, Website Scripts Urls and Collected Browser Objects Length + Elapsed. It's Base64-Encoded, need to add \"W1\" at the beginning to decode it\n\n ```javascript\n atob(\"W1tbMywwLDgyOV0sWzEs...\")\n \u002F\u002F → [[[3,0,829],[1,42,863]],[[2,727,1341.300000011921]...\n ```\n\n *Base Format*:\n ```\n [\n [recaptchaResources],\n [tasksTiming],\n [\n null,\n null,\n null,\n idleTimeoutDelta,\n deltaTimming\n 0,\n 0,\n 0,\n ],\n websiteScriptsUrls,\n [collectionElapsed, browserObjectsLength]\n ]\n ```\n\n *TaskTimimg*:\n\n ```\n [\n PerformanceLongTaskTiming.name == \"self\" ? 2 : 4,\n PerformanceLongTaskTiming.duration,\n PerformanceLongTaskTiming.startTime\n ]\n ```\n\n *reCAPTCHA Resource*:\n\n ```\n [\n resourceType,\n duration,\n startTime\n ]\n ```\n\n | Resource | Type |\n |---|---|\n | `recaptcha\u002Fapi.js` | 3 |\n | `recaptcha\u002Freleases\u002F\u003Cversion>` | 1 |\n | `https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi2\u002Fanchor` | 2 |\n | `https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi2\u002Fbframe` | 4 |\n\n- **Idx 21**\n Token from the previous captcha solved\n\n- **Idx 22**\n Hashed all brower objects keys\n\n- **Idx 25**\n Count of `pointermove`, `pointerdown`, `pointerup`, `keydown`, `keyup`, `focusin` events in Base64-Encoded The values `​​5006`, `64607`, etc. are the hashed names of the event types\n\n | Hashed | Type |\n |---|---|\n | `5006` | pointermove |\n | `64607` | pointerdown |\n | `45464` | pointerup |\n | `31617` | keydown |\n | `37178` | keyup |\n | `35837` | focusin |\n\n *Base Format*:\n ```\n [[\n [eventType, Count],\n ]]\n ```\n\n\n## Anti-debugging\u002FTampering\n- ***Symbol-based Integrity Tag***\n reCAPTCHA set a Symbol key `Symbol(jas)` to every array and object with a numeric value used as an integrity check. Since Symbols are non-enumerable and invisible to standard cloning operations (like JSON.stringify), any attempt to replace or clone these structures loses the tag, which reCAPTCHA detects as tampering\n\n ![tamp](https:\u002F\u002Fgithub.com\u002Felyelysiox\u002Frecaptcha\u002Fblob\u002Fmain\u002Fphotos\u002F849230834092888898.png)\n\n- ***Closure Variable Capture***\n Some values ​​are intentionally scoped in an outer function and consumed only inside nested callbacks or closures, the variable never exists in the same scope where it is used\n\n- ***Crash Source Tab***\n I'm not sure how this can be achieved, but basically when a timeout occurs (in this case due to a setInterval), for about 10-15 seconds, the source tab of devtools will crash\n\n https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F4ae3bf68-5ae7-4adc-a0b9-36cc11b64998\n\n## reCAPTCHA Botguard\n\nAlthough BotGuard was removed by Google, I will explain a little about how it works internally for those who are interested in how it is, and how different it is from other types of botguard\n\nFirst, the token generation process: the VM generates tokens for persistent errors during execution. These errors can be due to bytecode offset deviations, missing VM registers, incorrect VM state, and poor control flow integrity. These errors are captured by the dispatcher, which calls a function that writes bytes for the token.\n\nThe VM uses ARX Cipher, an algorithm created by the NSA in 2013, similar to Speck for encrypting data. It is also used in all Google BotGuard. The algorithm changes with each version, as do the constant (3990), the order of operations and rounds. It looks like this:\n\n```javascript\n\u002F*\nD -> cipher state array\nP -> seed\nE -> byte index\n*\u002F\nVl = function(D, P, E, F, v) {\n F = D[3] | 0;\n D = D[2] | 0;\n for (v = 0; v \u003C 14; v++) {\n E = E >>> 8 | E \u003C\u003C 24;\n E += P | 0;\n E ^= D + 3990;\n P = P \u003C\u003C 3 | P >>> 29;\n P ^= E;\n F = F >>> 8 | F \u003C\u003C 24;\n F += D | 0;\n F ^= v + 3990;\n D = D \u003C\u003C 3 | D >>> 29;\n D ^= F;\n }\n return [P >>> 24 & 255, P >>> 16 & 255, P >>> 8 & 255, P >>> 0 & 255, E >>> 24 & 255, E >>> 16 & 255, E >>> 8 & 255, E >>> 0 & 255];\n}\n```\n\n### Byte Writer & Encryption\n\nThe main encryption function has two modes: encryption and no encryption.\nThe encryption mode uses ARX Cipher, Bitwise + XOR to encrypt the data and set it in a buffer. There are 4 types of buffers: \n\n- Main buffer `180`\n- Entropy Pad buffer `353` \n- Error Buffer `304`\n- PoE (Proof of Execution) buffer `243` (not used in this type of botguard).\n\nThe no-encryption mode just set already encrypted bytes to the buffer\n\n```javascript\n\u002F\u002F (The sequence flatten messed up the statements a bit)\n\u002F*\nQ -> cipher state array\nFQ(v, c) -> derive a seed\nc = (z \u003C\u003C 3) - 4 -> index\nFQ(v, (c | 0) + 4) -> position\n*\u002F\nt = function(D, P, E, F, v, Q) {\n if (E.O == E) {\n P = function(h, A, c, x, z) {\n A = v.length; \u002F\u002F buffer length\n z = (A | 0) - 4 >> 3;\n if (v.Jw != z) { \u002F\u002F vm.block_index != index\n v.Jw = z; \u002F\u002F set new block index\n c = (z \u003C\u003C 3) - 4;\n x = [0, 0, Q[1], Q[2]];\n try {\n v.zB = Vl(x, FQ(v, c), FQ(v, (c | 0) + 4)); \u002F\u002F call ARX Cipher to generate keyStream\n } catch (V) {\n throw V;\n }\n }\n v.push(v.zB[A & 7] ^ h); \u002F\u002F sets A to bits 0-7, and obtains a byte from the keystream and applies xor with a byte of the data to be encrypted\n };\n v = Z(P, E); \u002F\u002F get buffer\n if (P == 180 || P == 243 || P == 353) { \n Q = Z(189, E);\n } else { \u002F\u002F set encripted bytes to buffer\n P = function(h) {\n v.push(h);\n };\n }\n F && P(F & 255);\n E = D.length;\n for (F = 0; F \u003C E; F++) {\n P(D[F]);\n }\n }\n}\n```\n\nAnd this is the function that handles errors and calls the byte writer\n\n```javascript\n\u002F\u002F (The sequence flatten messed up the statements a bit)\n\np = function(D, P, E, F, v, Q, h, A) {\n D = E[1];\n A = E[2];\n Q = Z(465, P) >> 3; \n h.push(D, Q >> 8 & 255, Q & 255); \u002F\u002F error code\u002Fheader bytes\n E.message && (D += E.message);\n A = void 0;\n E && E[0] === U && (E = void 0);\n h = Z(244, P);\n h.length == 0 && (A != void 0 && h.push(A & 255));\n D = \"\";\n E && (E.stack && (D += \":\" + E.stack));\n E = Z(0, P); \u002F\u002F buffer size limit (2048)\n if (!P.TB && E[0] > 3) {\n D = D.slice(0, (E[0] | 0) - 3); \n E[0] -= (D.length | 0) + 3; \u002F\u002F reduce size limit\n D = Pv(D);\n E = P.O;\n P.O = P;\n try {\n v = (v = Z(304, P)) && v[v.length - 1] || 95;\n if (P.n3) {\n \u002F\u002F this path is never executed\n (F = Z(123, P)) && F[F.length - 1] == v || t([v & 255], 123, P);\n } else {\n t([95], 304, P); \u002F\u002F set byte to error buffer\n }\n t(O(2, D.length).concat(D), 180, P, 9); \u002F\u002F set bytes to main buffer\n } finally {\n P.O = E;\n }\n }\n}\n```\n\n\nAt the end of the execution, the VM calls the main function that prepares the payload with these buffers and generates the token, which is a signature.\nUnlike other BotGuard VM, this VM does not have a fingerprinting system, Google Botguard nor does it perform these error-emitting + writing bytes, and is much simpler and easier to reverse engineer.\n\n## Disclaimer\n\nThis repository is exclusively for educational and research purposes. The code, techniques, and concepts presented here are intended for the academic study and understanding of the topics covered.\n","该项目是对Google的reCAPTCHA反机器人系统进行文档记录和技术逆向分析。核心功能包括解析reCAPTCHA的载荷结构、指纹识别技术、混淆技术、反调试\u002F篡改技术和虚拟机检测方法。项目详细探讨了多种高级混淆技术,如序列表达式、混合布尔算术、间接函数表、内联常量数组、函数多路复用和逻辑运算符分支等,这些技术使得代码难以阅读和逆向工程。适合安全研究人员、开发人员以及对反爬虫机制感兴趣的用户深入理解reCAPTCHA的工作原理及其防护手段。","2026-06-11 03:56:36","CREATED_QUERY"]