Follow us on Twitter!
Hacking isn't just Computers & Exploits. It's a Philosophy. - Mr_Cheese
Friday, April 18, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 17
Guests Online: 15
Members Online: 2

Registered Members: 82822
Newest Member: TheBunter
Latest Articles
View Thread

HellBound Hackers | Computer General | Increasing Security

Page 3 of 7 < 1 2 3 4 5 6 > >>
Author

RE: CAPTCHA Questions

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 06-09-08 19:59
I know the exact way to crack yours, It is theoretically simple. I just am too lazy to code the crack Wink Also note my time is worth about $50/hour (professionally) so if this took me 2 hours of thinking and coding to crack it would not be worth my while Wink

Mine is totally different and you cannot crack it with checking the time. You would need the bot to check all the characters and be able to read them.

Also note that yours has a lot of redundant code. you could tighten up those lines with a nice for loop to go through and make the 10 lines.

Remember, yours is strictly based off microtime and mktime so it is simple to crack.

If you take a character set and pick a random number of them (5-10 for example) it becomes 100% more difficult to get it all done correctly. I am just working on misplacing my characters into different locations in my spare time (which ATM is 0).

Please let me know what you all think of my code though. I was not looking for other peoples code. Thank you all for your input into MY CAPTCHA project though.

@SwartMumba: Let me know what you think of mine. I know you are a CAPTCHA cracking wiz!


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 20:05
AldarHawk wrote:
I know the exact way to crack yours, It is theoretically simple. I just am too lazy to code the crack ;) Also note my time is worth about $50/hour (professionally) so if this took me 2 hours of thinking and coding to crack it would not be worth my while ;)

Mine is totally different and you cannot crack it with checking the time. You would need the bot to check all the characters and be able to read them.

Also note that yours has a lot of redundant code. you could tighten up those lines with a nice for loop to go through and make the 10 lines.

Remember, yours is strictly based off microtime and mktime so it is simple to crack.

If you take a character set and pick a random number of them (5-10 for example) it becomes 100% more difficult to get it all done correctly. I am just working on misplacing my characters into different locations in my spare time (which ATM is 0).

Please let me know what you all think of my code though. I was not looking for other peoples code. Thank you all for your input into MY CAPTCHA project though.

@SwartMumba: Let me know what you think of mine. I know you are a CAPTCHA cracking wiz!


Ha, that's fine I don't expect people to hop on it to crack, but you're completely wrong. Take a look at the line again:

Code

$str1 = str_shuffle(md5(microtime() * mktime()));





Note the str_shuffle command used on the md5(microtime() * mktime())), after the md5'd microtime is multiplied by the mktime, then all the characters are shuffled and randomized even further :p. It can't be cracked with time :). And yeah I know a lot of it is redundant, it was the easiest way to produce it though with the randomized position of the lines (all you gotta do is copy and paste the first line of code and just add different values to rand() :p.) Here is my code:

Code

<?php
session_start();
$str1 = str_shuffle(md5(microtime() * mktime()));
$str = substr($str1,0,5);
$captcha = imagecreatefrompng("./captcha.png");
$color = imagecolorallocate($captcha,rand(0,50),rand(0,50),rand(0,50));
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$black);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imageline($captcha,rand(50,200),rand(0,100),rand(50,200),rand(80,200),$color);
imageline($captcha,rand(50,250),rand(0,100),rand(0,200),rand(50,200),$color);
imageline($captcha,rand(70,150),rand(0,100),rand(50,200),rand(0,200),$color);
imageline($captcha,rand(20,150),rand(0,100),rand(20,150),rand(35,200),$color);
imageline($captcha,rand(80,200),rand(0,100),rand(50,200),rand(85,200),$color);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$color);
imagestring($captcha,rand(1,5),rand(0,100),rand(0,50),$str,$color);
$_SESSION['str'] = md5($str);
header("Content-type: image/png");
imagepng($captcha);
?>





Of course it's not crackproof...2 people have already possibly cracked it (until I repatched it :p) It's not bad for 20 minutes of work.




Edited by on 06-09-08 20:07
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 20:22
Also, I wasn't calling you out on your code or anything like that, I simply think this is the way the community should be. When one person proposes a piece of code to do something, other people should try their solutions to and compare etc. It's how things get secure Pfft.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 20:24
slpctrl wrote:


updated version : http://pastebin.ca/1195821

This one handles the random text color and posts the result along with the session to your form.. yea sometimes it can take upwards of over 30 seconds to crack. It shouldn't output only a few of the characters*. If you get an error please post the exact error. It'll output the result of sending the request to your "code.php" .. somewhere in the output you should see "Correct!".. the last line contains the text in the image.

This one requires cURL.

I tried this on all transformations of all the characters (excluding ordering and colour.. as those are irrelevent to the way I am doing it)

Same short description.. same paypal..

edit: needed to clarify something

Edited by on 06-09-08 20:34
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 22:04
Alright, I'll paypal you something but it's not gonna be 100 bucks, because this wasn't at all what I was looking for. :angry: /dissapointment.

Now that I've started on this, like most things I do (B)) I decided to perfect it. Here is a new code. Yeah it's still really redundant, but I can't use a loop because of the different rand values and other values that are different for each variable. Hurr is the code for my new one:

Code

<?php
session_start();
$str1 = str_shuffle(md5(microtime() * mktime()));
sleep(.5);
$str2 = str_shuffle(md5(microtime() * mktime()));
$str = substr($str1,0,5);
$xtra1 = substr($str2,0,5);
$xtra2 = substr($str2,5,10);
$xtra3 = substr($str2,10,15);
$xtra4 = substr($str2,15,20);
$xtra5 = substr($str2,20,25);
$captcha = imagecreatefrompng("./captcha.png");
$color = imagecolorallocatealpha($captcha,255,0,0,40);
$linecolor = imagecolorallocatealpha($captcha,255,0,0,rand(0,100));
$textcolor = imagecolorallocatealpha($captcha,230,0,0,100);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imageline($captcha,rand(50,200),rand(0,100),rand(50,200),rand(80,200),$linecolor);
imageline($captcha,rand(50,250),rand(0,100),rand(0,200),rand(50,200),$linecolor);
imageline($captcha,rand(70,150),rand(0,100),rand(50,200),rand(0,200),$linecolor);
imageline($captcha,rand(20,150),rand(0,100),rand(20,150),rand(35,200),$linecolor);
imageline($captcha,rand(80,200),rand(0,100),rand(50,200),rand(85,200),$linecolor);
imageline($captcha,rand(0,50),rand(0,100),rand(0,200),rand(0,200),$linecolor);
imagestring($captcha,3,rand(0,100),rand(0,50),$str,$color);
imagestring($captcha,rand(1,5),rand(0,200),rand(0,70),$xtra1,$textcolor);
imagestring($captcha,rand(1,5),rand(0,200),rand(0,70),$xtra2,$textcolor);
imagestring($captcha,rand(1,5),rand(0,200),rand(0,70),$xtra3,$textcolor);
imagestring($captcha,rand(1,5),rand(0,200),rand(0,70),$xtra4,$textcolor);
imagestring($captcha,rand(1,5),rand(0,200),rand(0,70),$xtra5,$textcolor);
$_SESSION['str'] = md5($str);
header("Content-type: image/png");
imagepng($captcha);
?>





That's just to draw the image, I'm not gonna repost the form and validation as it's the same. Still crackable, but now it's a bit more difficult. Same URL if you'd like to see the captcha in action ( slpctrl.freehostia.com/code.php ) :p

Edit: slight adjustment to the line colors.




Edited by on 06-09-08 22:07
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:25
I havent given too much attention in writing a program that would crack the captcha, but did notice a few things, that I would look at if I were going to.

Code

$color = imagecolorallocatealpha($captcha,255,0,0,40);
$linecolor = imagecolorallocatealpha($captcha,255,0,0,rand(0,100));
$textcolor = imagecolorallocatealpha($captcha,230,0,0,100);





Here you are always using the same color for the lines/text.

Getting the image and replacing/filter out anything not equal to the text color of (230,0,0,100) would be fairly simple. For example just replace everything else with a white color and work on the image like that.

Im really new to image processing, captcha included, but I dont see whats wrong with my thought process here.

If I am way off, please enlighten me


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:35
stdio wrote:
I havent given too much attention in writing a program that would crack the captcha, but did notice a few things, that I would look at if I were going to.

Code

$color = imagecolorallocatealpha($captcha,255,0,0,40);
$linecolor = imagecolorallocatealpha($captcha,255,0,0,rand(0,100));
$textcolor = imagecolorallocatealpha($captcha,230,0,0,100);





Here you are always using the same color for the lines/text.

Getting the image and replacing/filter out anything not equal to the text color of (230,0,0,100) would be fairly simple. For example just replace everything else with a white color and work on the image like that.

Im really new to image processing, captcha included, but I dont see whats wrong with my thought process here.

If I am way off, please enlighten me


I donno what you're saying, does that change your thoughts?

Edit: oops, that image takes my sig out of the bottom layer :wow: Here's a link: take a look at it:

http://slpctrl.freehostia.com/captcha.php or
http://slpctrl.freehostia.com/code.php

Also, the differences are in the alpha value (transparency) in the colors.

Take a look at the image:

[img]http://slpctrl.freehostia.com/captcha.php[/img]





Edited by on 06-09-08 23:39
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:41
I did look at the image, the text is red, the lines are red, the backgroud letters are faded red, on a gradient black/white bg. Looking the same and being the same are two different things.. If the text color is ALWAYS the same (seemed that way through multiple refreshes). Then it is fairly safe to assume one could easily capture just those pixels and filter out / change anything not equal to them.

Clarification edit:

(255,0,0)
(255,0,0)
(230,0,0)

These are the RGB values for each thing in your captcha. The 230 is only there in the text for valid part to send back, anything with 230 = pass and any pixel != 230,*,* can be filtered out or changed to another static color, white for example. This would then produce an image with only a white backgroud, and the red (230,0,0) text pixels.




Edited by on 06-09-08 23:47
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:46
stdio wrote:
I did look at the image, the text is red, the lines are red, the backgroud letters are faded red, on a gradient black/white bg. Looking the same and being the same are two different things.. If the text color is ALWAYS the same (seemed that way through multiple refreshes). Then it is fairly safe to assume one could easily capture just those pixels and filter out / change anything not equal to them.


So then do it Pfft The text is slightly transparent so that the background, lines, and other background text will ever so slightly come through making trouble for the bot.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:48
slpctrl wrote:
I reread, and yeah I did assume (because every other community I go to actually has coders that have a fucking clue, and if I were to offer them money they would have produced beautiful code for me to be able to follow...in fact, webdeveloper.com did for free, I should have considered the source though) that some decent code would have been produced because of money being offered. But, given that only 2 attempted, I now know that very very few here have a fucking clue, and are more interested in the whole 'I'm a leet hacker I know what I'm talking about so I'll sit here and flame, be condescending little shitheads instead of lifting a finger to do an iota of anything that would be considered productive'. $100 bucks won't even knick my pockets; I guess it's a tiny price to pay to see what this community is really made of.

My choice to not bother coding for your CAPTCHA was based upon the facts that my time is worth more than you were offering, and the fact that I code PHP for a living for 60+ hours a week. THAT is why you don't see my code in the code banks; I take my off-time to relax. This is also why I did not bother to pick apart your code. I gave you the benefit of the doubt and did not speak up until I felt you were in the wrong.

I don't have to justify my productivity on this site to you... any number of other people can easily do so on my behalf. My contributions have been intellectual property of a different sort than your contributions to the code bank. Do not undervalue them because your emotions and your naivety do not enable you to focus. Here, I'll make it easier for you:

slpctrl wrote:
Alright, I'll paypal you something but it's not gonna be 100 bucks, because this wasn't at all what I was looking for. :angry: /dissapointment.

Address that, or shut up. Everything else you say is irrelevant.

Edit: Edited, didn't quote. Sue me.




Edited by on 07-09-08 02:22
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 06-09-08 23:51
I actually may just write something to try.

but you said your text is transparent not true.

$textcolor = imagecolorallocatealpha($captcha,230,0,0,100);

assuming I read this right. the 100 is the transparency of the text, and its set to 100% so always 100% filled with (230,0,0) only the lines/background have a transparency effect added to them, which is a different color to begin with.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:00
stdio wrote:
I actually may just write something to try.

but you said your text is transparent not true.

$textcolor = imagecolorallocatealpha($captcha,230,0,0,100);

assuming I read this right. the 100 is the transparency of the text, and its set to 100% so always 100% filled with (230,0,0) only the lines/background have a transparency effect added to them, which is a different color to begin with.


127 is completely transparent, 0 has no transparency.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:04
^^ Thank you for the clarification. Though I will probably still try to write something, not so much to crack the captcha entirely, but see if I cant get the text part seperated from the rest of the image.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:23
slpctrl wrote:
stuff


You actually never clarified what you wanted.. all you said was "whoever could crack this".. what I did was on par with packing a bank safe with explosives.. but it still blew the safe apart. My code - without any human interaction - requested an image and pasted the text in the image directly to your little form and got the result back "Correct!".. you didn't specify anything else that was required beyond that.

I would be happy if you gave me enough money to buy a domain name for a year and a couple months of hosting.. there's an idea I want to start up

stdio wrote:
filter


Yea you're right.. I wrote a simple filter.. it doesn't get rid of the lines.. but that could also be filtered out of there quite easily

http://pastebin.ca/1195990


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:27
Chinchilla3k wrote:
slpctrl wrote:
stuff


You actually never clarified what you wanted.. all you said was "whoever could crack this".. what I did was on par with packing a bank safe with explosives.. but it still blew the safe apart. My code - without any human interaction - requested an image and pasted the text in the image directly to your little form and got the result back "Correct!".. you didn't specify anything else that was required beyond that.

I would be happy if you gave me enough money to buy a domain name for a year and a couple months of hosting.. there's an idea I want to start up

stdio wrote:
filter


Yea you're right.. I wrote a simple filter.. it doesn't get rid of the lines.. but that could also be filtered out of there quite easily

http://pastebin.ca/1195990




Btw, I'll paypal you 50 bucks tomorrow I don't have a paypal hooked up to my bank account. The reason I decide to pay people to do things like this is so I can learn and I did, it just wasn't the end result of what I wanted but it was still good coding and I learned something quite useful :happy:.

Edit: 50 bucks is enough right? I might want to learn some more about this and it's capabilities, if you'd like to teach me some new shit some time in the future I'll pay you for your time too Pfft.




Edited by on 07-09-08 00:28
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:40
slpctrl wrote:
Not necessarily. I've got a CAPTCHA in the works right now, and I'm willing to bet nobody will be able to crack it, despite the whole 'theoretically able to crack'. In fact, I'll offer anyone 100 bucks to build a bot to crack it.

slpctrl wrote:
Btw, I'll paypal you 50 bucks tomorrow I don't have a paypal hooked up to my bank account. The reason I decide to pay people to do things like this is so I can learn and I did, it just wasn't the end result of what I wanted but it was still good coding and I learned something quite useful :happy:.

Edit: 50 bucks is enough right?


Oh, yeah, I'm sure 50 bucks is alright... as long as you don't mind people knowing that your word is officially worth about as much as yours31f's posts. Can't imagine anyone else taking your offer of money to help you learn when you revise the deal halfway through. That's a shitty move. If you don't plan to follow through, don't bother saying it.


Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:45
Zephyr_Pure wrote:
slpctrl wrote:
Not necessarily. I've got a CAPTCHA in the works right now, and I'm willing to bet nobody will be able to crack it, despite the whole 'theoretically able to crack'. In fact, I'll offer anyone 100 bucks to build a bot to crack it.

slpctrl wrote:
Btw, I'll paypal you 50 bucks tomorrow I don't have a paypal hooked up to my bank account. The reason I decide to pay people to do things like this is so I can learn and I did, it just wasn't the end result of what I wanted but it was still good coding and I learned something quite useful :happy:.

Edit: 50 bucks is enough right?


Oh, yeah, I'm sure 50 bucks is alright... as long as you don't mind people knowing that your word is officially worth about as much as yours31f's posts. Can't imagine anyone else taking your offer of money to help you learn when you revise the deal halfway through. That's a shitty move. If you don't plan to follow through, don't bother saying it.


Well let's keep it real, he made a shitty half assed admittedly attempt to make it. It worked about half the time on my server. So cracking it 50% of the time (because of how inefficient the code is) is worth 50% of the pay. In fact, I don't know anyone that would have paid him for it. Everyone else would have told him to fuck off to be completely real and honest about it.

For 100 bucks I'd expect someone to take the time to do a nice script, but then again I guess asking for quality code no matter how much I'm offering would be just too much, now wouldn't it. Go fuck yourself.

Let's look at the first comment in the code:


/*
not the best way to do it but a very straightforward PoC.
even for this approach of 'ocr' there are still many optimizations
that could be done.. like skipping whiteblocks or doing some
preprocessing to see which rows have the most pixels and test
rows adjacent to that first...etc
*/


There are many optimizations that could be done, I just didn't because I'm lazy and just needed to make the money. Fuck no I'm not going to pay him 100 bucks for a half assed, half working script.

I feel I'm being pretty fucking nice to be completely honest. I get errors from his script out the asshole. And not only the fatal error, took over the time alloted to process the PHP, I got quite a few errors that I guess I should have documented. I'll put everything back up though and list all the errors.




Edited by on 07-09-08 00:50
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:52
slpctrl wrote:
stuff


$50 is more than enough. The challenge was fun to do. I agree with you when you said that 'hacking' sites should be like this.. people paste code or w/e and challenge others to break it... that's probably one of the most entertaining ways to learn. I will help you for free if you keep your word.. as long as I have time.. and as long as it's something creative/interesting.. if you want we can continue this tit-for-tat learning.

(you develop something and I develop something to get past it).. it's fun and I'll do it for free.. although I can't guarantee a lot of time to this.

edit: I just read your reply.. I did it the way I did it because it was the quickest thing to do and the easiest to understand.. I asked you to document the errors.. the code I have - on my server, and for the "latest code" you had at the time - worked 100% of the time for me.

Edited by on 07-09-08 00:59
Author

RE: CAPTCHA Questions

clone4
Member



Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07
Rank:
Mad User
Posted on 07-09-08 00:52
@Chinchilla3k: Dude you are greedy as a bitch !

@slpctrl: I wouldn't say it's the most efficient way to learn, but I catch your drift,if some money is involved, more 'people' will be attracted... Still don't agree with that though, I mean paying someone to help you learn and improve your knowledge is against whole community thought



[img][/img]img164.imageshack.us/img164/5713/perlvl0.jpg

clone4.freehostia.com/ubuntu_3.png
spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl

clone_4@hotmail.com
Author

RE: CAPTCHA Questions


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-09-08 00:53
In fact, and for the purposes to bump this and tell you once again to go fuck yourself, I didn't ask for a script that worked 50% of the time, based first off of inefficiency, but that the script actually didn't work every time. It worked sometimes. I guess next time I'll be specific to say that if you can only produce a script that works 50% of the time, don't fucking bother even talking to me. I've got plenty of money; money isn't an issue so I'll give him the 100 bucks this time, for his shitty ass half assed script, and next time because of self righteous pricks like yourself I'll tell them if you can't produce something decent don't bother even posting.

Chinchilla3k wrote:
slpctrl wrote:
stuff


$50 is more than enough. The challenge was fun to do. I agree with you when you said that 'hacking' sites should be like this.. people paste code or w/e and challenge others to break it... that's probably one of the most entertaining ways to learn. I will help you for free if you keep your word.. as long as I have time.. and as long as it's something creative/interesting.. if you want we can continue this tit-for-tat learning.

(you develop something and I develop something to get past it).. it's fun and I'll do it for free.. although I can't guarantee a lot of time to this.


Nah, I'll pay you your 100 bucks. And next time, to keep self righteous assholes completely the fuck away from me, I'll specify that the script needs to be efficient enough to not time out, and it needs to be right every time.




Edited by on 07-09-08 00:55
Page 3 of 7 < 1 2 3 4 5 6 > >>