Analysis updated 2026-05-18
Study a real-world example of heavy JavaScript obfuscation used in a production anti-bot system
Look up an explanation of a specific obfuscation technique, such as control flow flattening or encrypted string pools
Reference the documented technique catalog when researching how anti-bot fingerprinting scripts are built
| elyelysiox/recaptcha | 863401402/image-provenance | fastify/fastify-schedule | |
|---|---|---|---|
| Stars | 122 | 124 | 119 |
| Language | JavaScript | JavaScript | JavaScript |
| Last pushed | — | — | 2026-07-01 |
| Maintenance | — | — | Active |
| Setup difficulty | easy | easy | easy |
| Complexity | 5/5 | 1/5 | 2/5 |
| Audience | researcher | general | developer |
Figures from each repo's GitHub metadata at analysis time.
This is a documentation repository with no software to install or run.
This repository is a written technical analysis of Google's reCAPTCHA anti-bot system. It is documentation, not a working tool: there is no software here that a person installs or runs. Instead, the author has studied how reCAPTCHA's client-side code is built and written up what they found. The write-up focuses on a handful of areas. It covers the structure of the data reCAPTCHA sends and receives, the fingerprinting signals the system collects from a browser to help decide whether a visitor is human, and the ways the code defends itself against being read or modified, including anti-debugging and anti-tampering checks. It also touches on the use of virtual machine style execution inside the script itself. A large part of the document catalogs the specific obfuscation tricks reCAPTCHA's code uses to make itself hard to reverse engineer, such as rewriting normal control flow as chained comma expressions, mixing arithmetic and bitwise operations to disguise simple logic, routing function calls through lookup tables addressed by shifting numeric indexes, flattening code into a central dispatcher loop, encrypting all the text strings in the script into one block that gets decoded piece by piece at runtime, and padding the file with large amounts of dead code that never actually runs. Each technique is illustrated with a short annotated code snippet and, in several cases, a screenshot of the original obfuscated code. The README is explicit that this is research and documentation of an existing public system's defensive engineering, not a redistribution of Google's code or a ready-made bypass. Contact details for the author are given for Discord and Telegram. No license file or license section is mentioned in the README, and the project has no listed dependencies or install steps since it is not a runnable program. The full README is longer than what was shown.
A written technical breakdown of the obfuscation and anti-bot techniques used inside Google's reCAPTCHA client-side script, aimed at people studying how the system defends itself.
Mainly JavaScript. The stack also includes JavaScript.
No license is stated in the README, so no explicit reuse rights are granted.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.