Reverse engineering the obfuscated TikTok VM

Original Article ↗ Hacker News Discussion ↗

What “VM” Means in This Context

  • Debate over whether TikTok’s system is “just” a JS obfuscator or a true VM.
  • Pro‑VM side: it defines a custom bytecode, has scopes, nested functions, exception handling, and executes custom instructions–that’s a virtual machine, even if implemented in JS.
  • Skeptical side: since it runs on top of JS without special privileges or performance benefits, it’s “just” an obfuscation framework / interpreter, not a VM in the OS/hypervisor sense.
  • Clarifications:
    • Emulators and VMs are not mutually exclusive.
    • VM doesn’t imply speed or “closer to the metal”; Java, VMWare, etc. are VMs despite overhead.
    • “VM” vs “interpreter” is mostly historical/marketing; any made‑up instruction set executed by a program qualifies.

Why Use Such Heavy Obfuscation

  • Main argued purpose: anti‑bot and anti‑abuse.
    • Raising cost: if bots must run a full/real browser and execute opaque JS, each request becomes slower and more CPU‑intensive.
    • This shifts abuse economics: from ultra‑cheap HTTP scripts to costly headless‑browser farms.
  • Used to hide detailed environment checks and browser fingerprinting logic so that static analysis and cheap API clients are harder.
  • VM‑based obfuscation is described as common in malware, anti‑cheat, CAPTCHAs, and commercial protectors.

Effectiveness and Motivations

  • Supporters: similar systems (e.g., large‑scale anti‑bot VMs) reportedly wiped out major botnets by forcing bots to execute changing encrypted programs they couldn’t safely analyze.
  • Critics: TikTok still has visible spam; poor moderation suggests spam reduction may not be the real organizational priority.
  • Others note large companies are internally fragmented: engineering may aim at bots while moderation under‑invests.

Privacy, Scraping, and Legitimacy

  • Some see no legitimate reason for this level of obfuscation in a social app and suspect hidden or government‑aligned behavior.
  • Others counter that:
    • All major platforms face hostile botnets and state/commercial adversaries.
    • Obfuscation is standard “defense in depth,” separate from captchas.
  • Ethical split over scraping:
    • One side views scraping of public content as non‑malicious and corporate anti‑scraping as user‑hostile.
    • Others note measures also target write‑bots and mass spam, not just readers.

Reverse‑Engineering and Tooling

  • Commenters praise the write‑up and note similar reverse‑engineering efforts on TikTok’s VM and signatures.
  • Techniques mentioned: replacing the obfuscated JS via browser extensions or DevTools Local Overrides, or MITM proxies (Burp, mitmproxy, etc.) to rewrite responses.
  • On mobile, equivalent logic is compiled to native code rather than JS.

AI and Deobfuscation

  • Some report good results using LLMs to prettify, rename variables, and comment obfuscated JS, especially on small files.
  • Professional reverse‑engineers find LLMs unreliable for serious deobfuscation, especially with complex JS malware.
  • Hybrid tools exist that constrain LLM output to preserve the AST, using traditional Babel‑style deobfuscation plus AI for naming/explanations.