Reverse Engineering TikTok's VM Obfuscation

This is really awesome work.<p>I spent a lot of time in the early 2000s coming up with nasty obfuscation techniques to protect certain IP that inherently needed to be run client-side in casino games. Up to and including inserting bytecode that was custom crafted to intentionally crash off-the-shelf decompilers that had to run the code to disassemble it (and forcing them to phone home in the process where possible!)<p>My view on obfuscation is that since it&#x27;s never a valid security practice, it&#x27;s only admissible for hiding machinery from the general public. For instance, if you have IP you want to protect from average script kiddies. Any serious IP can be replicated by someone with deep pockets anyway. Most other uses of code obfuscation are nefarious, and obfuscated code should always be assumed to be malicious until proven otherwise. I&#x27;m not a reputable large company, but no reputable large company should be going to these lengths to hide their process from the user, because doing so serves no valid security purpose.

It is interesting, that while technologies like canvas, WebGL or WebRTC were intented for other purposes, their main usage became fingerprinting. For example, WebGL provides valuable information about GPU model and its drivers.<p>This shows how browser developers race to provide new features ignoring privacy impact.<p>I don&#x27;t understand why features that allow fingerprinting (reading back canvas pixels or GPU buffers) are not hidden behind a permission.

TikTok changes this algorithm about once every three months. I&#x27;ve reverse-engineered it about two times, and have since given up and decided to run a headless browser to do it for me. I&#x27;d love to see some tool developed to automate solving this so I can sign requests in a more limited context (ala Cloudflare Workers &#x2F; C@E)

I&#x27;ve seen some of these techniques elsewhere; e.g. javascript-obfuscator supports replacing variable names with hex values [1] or transforming call structure into something more complex [2]. Bytecode generation is new to me; is there an existing JS obfuscation tool, preferably open source, that supports it?<p>[1]: <a href="https:&#x2F;&#x2F;github.com&#x2F;javascript-obfuscator&#x2F;javascript-obfuscator#identifiernamesgenerator">https:&#x2F;&#x2F;github.com&#x2F;javascript-obfuscator&#x2F;javascript-obfuscat...</a><p>[2]: <a href="https:&#x2F;&#x2F;github.com&#x2F;javascript-obfuscator&#x2F;javascript-obfuscator#stringarraycallstransform">https:&#x2F;&#x2F;github.com&#x2F;javascript-obfuscator&#x2F;javascript-obfuscat...</a>

FYI, most CAPTCHA and anti-DDoS services (e.g. Cloudflare) do something very similar, sending the user an obfuscated program implemented on top of an obfuscated JS VM, that they effectively have to execute as-is, in a real browser, to get back the correct results the gateway is looking for. This is done to prevent simple scraping scripts (the ScraPy type) from being able to be used to scrape the site. If you want to do scraping, you have to spend the extra overhead of doing it by driving a real browser to do it. (And not even a headless one; they have tricks to detect that, too.)

This is excellent work.<p>It also shows how Tiktok <i>may</i> be in violation of several US&#x2F;EU privacy laws. I really wonder now who this data is shared with. Perhaps someone should bring this article to the FTC’s attention for further review.

Awesome, really awesome work. However:<p>&gt; If that is something you are interested in, keep an eye out for the second part of this series :)<p>Your site is missing an RSS&#x2F;Atom feed, so I can&#x27;t do that. ::sad face::

Given that the beginning of the &quot;weird string&quot; has a magic number and a version field, I wonder if the point of this is not so much obfuscation as transpilation? The magic number corresponds to ASCII &quot;HNOJ&quot; &quot;@?RC&quot;, or perhaps &quot;JONH&quot; &quot;CR?@&quot;, which doesn&#x27;t turn anything up on Google but it seems odd to include that redundant header if your main goal is minification or obfuscation.

Can someone explain what VM they are talking about, and where that VM is running on, and what is running in it?

Isn&#x27;t the same concept also used in Youtube? I believe a python mock of the equivalent VM exist in youtube-dl.

I never knew that Tiktok was shipped with its own virtual machine!<p>But that explains the obvious subdomain vm.tiktok.com

Something hit me when reading this, you know how zknark is touted as tech which in future allow to create app that can work on user private data while preserving user&#x27;s privacy, could it be used as (opposite) an obfuscation technique to, u encrypt users data inside and zk oracle in user side and send to server. You could reverse engineer what are the inputs to the oracle, but not further what exactly it sends to the server?

Deobfuscated script without the vm part: <a href="https:&#x2F;&#x2F;gist.github.com&#x2F;mhasbini&#x2F;f9269d230ed8eb6dfdbb1bd1be9114b9" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;mhasbini&#x2F;f9269d230ed8eb6dfdbb1bd1be9...</a>

There needs to be a publicly funded charity that pays people to work fulltime de-obsfucating all the major apps. This should be a well-resourced ongoing operation.

That HTTP request is kind of hideous. All those extra parameters that have nothing to do with what the response will end up being, and which change often. Seems like a great way to toss out all your API-response edge-cache-ability.

Can I conclude that TikTok implemented a custom VM in Javascript ? Any idea what its used for and how many instructions it can process and are there other comparable implementations ?

This article is 2 hours old and his Twitter is already changed?

Solid case! Thanks for taking the time to write it up.<p>Those who care and have to use TikTok can probably add their own virtualization layer (and tolerate the hit in cost&#x2F;performance).

The hunt begins.

&gt; void 0 (a fancy obfuscated way of saying undefined)<p>Kind of. But it was possible at one point, maybe still is, to rebind `undefined` to some other value, causing trouble. `void` is an operator, a language keyword; it’s guaranteed to give you the true undefined value. (In other words, the value whose type is `undefined`.)<p>If you’re coding against an environment as adversarial as these people clearly believe they are, you’d go with `void` as well.

Nice use of low altitude satellites to track individuals and sniff telecoms all over the world<p>This decompiled object class also spy on the grid network, that&#x27;s quite interesting and very clever<p>I never knew we could also lobby governments to push for some office and cloud software full of spyware, even France had to ban them! [1]<p>This TikTok app is very dangerous!<p>Of course &#x2F;s<p>[1] - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33686599" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33686599</a>