PDA

View Full Version : How does captcha work?Can it be beaten?



Kirin
20th March 2005, 04:34 AM
There was lot of talk going on of autobuyers which could recognize and defeat the captcha system which basically means that few understand how they work.SO here is how captcha works.

The turing.image.php is passed a 32 char string everytime a page loads.
eg:c89e46b36b51fee8b4b316ab2f511f41
This it converts int a 3/4 letter string such as say'4u56'.

SO to make an autobuyer we just have to figure out the algorithm of converting a 4 letter word into a 32 letter string.
But there are actually 35^32 :eek: 32 letterstrings so its almost impossible unless the guy who made the turing.image.php and the one who knows the encryption algorithm makes an autobuyer.

I hope people who know about the captcha system contribute more to this thread and those who didnt atleast learn now.

Zap
20th March 2005, 04:36 AM
some claims they have beaten it, and it I think it is possible but I don't want to tell why, because 1. don't want to help those who makes autobuyers 2. I can't program so what do I know?

Kirin
20th March 2005, 04:52 AM
Speak it out,if there is a vulnerability ,there will be a solution.
(But I think you are most probably mistaken)

Jedi
20th March 2005, 11:35 PM
To be frank, if not because of cheaters creating auto scripts, captcha system won't exist in the first place and it would be more convinient for honest players to enjoy the game. Pages load faster and everyone would be happier, including the admins.

Sorry, even if I know how to decypher captcha, I won't support cheaters. You're playing with other human beings for goodness sake, not against AI. It's stupid to cheat in a game played with friends, which would signify your character in real life.

Kirin
21st March 2005, 03:53 AM
I am trying to get more info , prove that the guys who talk about autobuyers in Age 4 are stark raving mad and not trying to decrypt captcha(which is impossible anyway)
If I had done so,then zap would have deleted the thread without replying.

Unfortunately there seem to be none with an interest in knowing why things are the way there are.
Repeat=> Dont complain about captcha here!!!!!

Lord_Seregon
21st March 2005, 06:46 AM
Just the fact that you would openly suggest that this be beaten shows too much to players that respect fair play.

Cheating and accusations of cheating seems to be the only way that some poeple can survive.

Kirin
21st March 2005, 06:58 AM
Can't anybody understand English! :smileysto .
I am saying that whatever people say it cant be beaten.
I was trying to collect more info about the captcha system.

EworTam
21st March 2005, 08:45 AM
So if I get this right, you're not asking "How does captcha work?Can it be beaten?" but you're telling us how it works, and telling us that it is almost impossible to be beaten??

That is good news I guess, I hope nobody figures out how to beat it. It would ruin a good age.

However Im guessing you want to create an autobuyer, judging buy this sentence:

SO to make an autobuyer we just have to figure out the algorithm of converting a 4 letter word into a 32 letter string.
I think if you read GuA more often you would find the majority of the KoC community are against autobuyers. I doubt if should be planning how to beat the captcha, or informing others how to do so, on the game forums considering as it is against the rules and all.

Lord_Seregon
21st March 2005, 08:50 AM
Appolpgies, I also thought this was more a how you will eventually beat it not that it can't be beaten.

Maybe you can find a better way to WRITE ENGLISH, and if your not trying to beat it why do you need info in it. Just type the info and play, posts like this make you look like a cheat even if your not.

Kirin
21st March 2005, 10:59 AM
However Im guessing you want to create an autobuyer, judging buy this sentence:
.
DUH! I was saying that that was kind of impossible for eg:
35^2=1225
35^35=1.01e54 that is approximately a number which has 55 digits!!!!

Have you all never felt the need to understand what is going on ??

It appears that there are no GEEKS here :icon_poli :icon_mad:

MysteryQuest
21st March 2005, 03:10 PM
The Captcha is beaten, recently a few people were suspended (only for 1 day) for using an autobuyer. So don't try to abuse the broken CAPTCHAs.. Now they have hard rules for it I hope the admins will ban faster. :)

Flare
21st March 2005, 03:26 PM
not that i was trying to make an autobuyer or anything, but i did look a littl einto how it works. I can tell you there is no point in trying to "decypher" the 32 bit argument passed to captcha, because it is NOT an encrypted version of the captcha text. it is most likely a session ID used to look up the captcha tet on the server.

try it yourself: open an armoury window, get the page source and find the turing.image.php?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx part. copy this and open a new browser and go to the url www.kingsofchaos.com/turing.image.php?xxxxxxxxxxxxxxxxxxxxxx (copy the 32 bits from the page source).

You will notice that the captcha image displayed is the same as the one you saw in the armory. now go back to your armory page and refresh, then go back and refresh the captcha image. it will update to the new captcha string from the refreshed armory page even though the 32 character argument has not changed. obviously the server keeps a track of what 32 character session codes relate to the current captcha string.


SO DONT BOTHER TRYING TO DECRYPT THE 32 CHARACTER ARGUMENT.

AND DONT TRY MAKE/USE AUTOBUYERS THATS CHEATING.

Baloo-DM
21st March 2005, 04:35 PM
To be frank, if not because of cheaters creating auto scripts, captcha system won't exist in the first place and it would be more convinient for honest players to enjoy the game. Pages load faster and everyone would be happier, including the admins.

Sorry, even if I know how to decypher captcha, I won't support cheaters. You're playing with other human beings for goodness sake, not against AI. It's stupid to cheat in a game played with friends, which would signify your character in real life.

dude. why do you even bother wasting your time typing that post. cheaters will always exist and they just fuck up the game for us people who wanna play fairly. there is seriously no point

arkanoid
21st March 2005, 11:51 PM
The Captcha is beaten, recently a few people were suspended (only for 1 day) for using an autobuyer. So don't try to abuse the broken CAPTCHAs.. Now they have hard rules for it I hope the admins will ban faster. :)

If that is the case then its very worrying that system is used on alot of secure transactions net wide, and IF they did beat it why are they wasting there time using it on a game ? lol.

cash register's going kerchingggggggggggggggggg springs to mind.

Jedi
22nd March 2005, 12:32 AM
dude. why do you even bother wasting your time typing that post. cheaters will always exist and they just fuck up the game for us people who wanna play fairly. there is seriously no point

No point? dude. why not? that's what this forum is for, to express one's opinion on the subject. I know I can't stop cheaters but at least I did emphasize my stance on this issue. I've been playing KOC for a while now, and this captcha business is not a pleasant addition to the game. The game is free, there's no more prize, and yet, people will always cheat which I find personally is mind boggling.

It is an interesting discovery made here, no doubt, but I would not go to an extent of making a discussion out of it. I prefer for the admins working on something new to the gameplay, rather than spending time trying to mitigate security breaches won't you agree?

And if you analyze the threads and posts made in GUA alone, I find it ridiculous that people actually flaming each other over a game which in principle should be entertaining. Some of them even lost their touch in reality. I believe GUA would make a good case study to those studying psychology on impact of human behavorial over Internet-based game. Zap should get a PhD for introducing the ways to know you're KOC-addicted thread. There you go, you got me rambling off topic...

People should play KOC for fun.

Thanks for reading this. Cheers and have a nice nightmare.

ps: I sincerely apologize in advance if I have offended anyone for my statement above. No hard feelings I hope.

elvsking
22nd March 2005, 07:28 AM
I start to be bored by this, I already see a lot of post on a lot of different forum on auto buyers, in GUA this discussion is old even from the first time this system was introduces. Kirin makes some calculation maybe this is a way to brake the system but they are other, some player are already using AB (I donít know them and I donít chare). Any imagine system is easy to brake because you only need to compare some imagine this solution is not good it will take a lot of HDD space to keep all the imagines and the program will need a lot of time to compare the imagines, but he have 30 minutes to do this and is possible with a fast computer, if not he can buy every 90 minutes and is not a problem. Of course I think of a more easy way at the first I think you could only store imagine and the corresponding code (a big alliance can break the cod in a week or so). But I donít like this solution so I think of another a program able to do all the work automatically, at first this was stupid, he need a lot of time to brake the imagines and this will not work (this is ridicules as the method describe by Kirin it will be easy to brake a bank account and from their you can get money, this is only for fun). After that I figure how to reduce the number to a more realistic level easy for a computer to use this. You could understand I will not reveal my method because is like given the code to a programmer is a public forum and in the game are a lot of good programmers and they can make an AB easy.

The main idea of this is the system is easy to brake if I will reveal to you my method you will understand my point but I will never do this. I hate AB and I will not help in making one. I donít make an AB and I will never make one, but maybe I will use my method if the admins will continue to make the imagine more hard to reed or stuff like this (I hate when I have a lot of gold and write the wrong cod) to make me a program to ďtranslateĒ the imagine in a language I will understand.

And to answer Baloo-dm: The cheaters will be until the admins will make a system more hard to brake this system is still easy to brake but they are more gold in the game and from this I understand some AB are history. Make a system even harder to brake, changed him every age and you get more cheaters to play nice, or quit playing. Or is the second way PM them and convinced them to stop cheating.

To prevent AB you most understand this: humans are smart and computers are stupid. Even if you will make a ďsmart programĒ (an auto program capable of auto processing the imagines) he will work on a very easy concept: he will need to have a data base of situation to choose from. Make a system without a data base, algorithms or staff like this, forgot all the mats you know donít use this because computers are best in math use a system in what you need to use your imagination or abstract thinking because a computer donít have this function. Let say some animation, never give a computer a code because he will brake it, donít use algorithms a programmer will tray to brake them, use random function, random coordinates, this is the only way to make a security system he can be brake and the player will be more happy. I will.


I hope some player will make the time to reed all this. All this is my personal opinions.



P.S. Iím a student at computer science.

Simius
22nd March 2005, 08:19 AM
But there are actually 35^32 :eek: 32 letterstrings so its almost impossible unless the guy who made the turing.image.php and the one who knows the encryption algorithm makes an autobuyer.
It's a bit less ;) 16^32, cause only 0-9 and a-f are used. But this would still mean it's impossible to find a relation between the text in the image and the hash (unless you are very lucky and there is a very easy relation between those). And according to Flare's post there isn't even any relation between the code and the text in the image (I didn't check that though).

Flare
22nd March 2005, 04:18 PM
And according to Flare's post there isn't even any relation between the code and the text in the image (I didn't check that though).


in fact I have since found that you dont even need the 32 character string at all! it must be completely session based, with the server remembering which is the currect captcha string for your session. go to w w w. kingsofchaos. com/turing .image. php (no 32 char string in URL) and it will display the current captcha for your session. ie. no 32 char argument passed from your web browser to the server.

seems that the only way you could make an autobuyer is to make an image recognition one, and given how hard it is for even humans to recognise some of those characters it seems unlikely that it is do-able.

Kirin
23rd March 2005, 05:58 AM
a big alliance can break the cod in a week or so.
What has alliances have to do with this?


never give a computer a code because he will break it, donít use algorithms a programmer will try to break them

:worship2:
So in short make somebody sit in the serverside and type in the letters.:rofl:

I tried Flares method but it doesnt work for me.
w w w. kingsofchaos. com/turing .image. php.
and
w w w. kingsofchaos. com/turing .image. php?1asd12312swdfwe341231..
All I get is a vertical blank bar.
Can anybody else check it out ?

Simus:it is 32^32 as I have seen V,Q,Y,frequently.See jedis sig.

Jedi & Baloo-DM this is not the place for your discussion.

pitagora
23rd March 2005, 07:03 AM
I start to be bored by this, I already see a lot of post on a lot of different forum on auto buyers, in GUA this discussion is old even from the first time this system was introduces. Kirin makes some calculation maybe this is a way to brake the system but they are other, some player are already using AB (I donít know them and I donít chare). Any imagine system is easy to brake because you only need to compare some imagine this solution is not good it will take a lot of HDD space to keep all the imagines and the program will need a lot of time to compare the imagines, but he have 30 minutes to do this and is possible with a fast computer, if not he can buy every 90 minutes and is not a problem. Of course I think of a more easy way at the first I think you could only store imagine and the corresponding code (a big alliance can break the cod in a week or so). But I donít like this solution so I think of another a program able to do all the work automatically, at first this was stupid, he need a lot of time to brake the imagines and this will not work (this is ridicules as the method describe by Kirin it will be easy to brake a bank account and from their you can get money, this is only for fun). After that I figure how to reduce the number to a more realistic level easy for a computer to use this. You could understand I will not reveal my method because is like given the code to a programmer is a public forum and in the game are a lot of good programmers and they can make an AB easy.

The main idea of this is the system is easy to brake if I will reveal to you my method you will understand my point but I will never do this. I hate AB and I will not help in making one. I donít make an AB and I will never make one, but maybe I will use my method if the admins will continue to make the imagine more hard to reed or stuff like this (I hate when I have a lot of gold and write the wrong cod) to make me a program to ďtranslateĒ the imagine in a language I will understand.

And to answer Baloo-dm: The cheaters will be until the admins will make a system more hard to brake this system is still easy to brake but they are more gold in the game and from this I understand some AB are history. Make a system even harder to brake, changed him every age and you get more cheaters to play nice, or quit playing. Or is the second way PM them and convinced them to stop cheating.

To prevent AB you most understand this: humans are smart and computers are stupid. Even if you will make a ďsmart programĒ (an auto program capable of auto processing the imagines) he will work on a very easy concept: he will need to have a data base of situation to choose from. Make a system without a data base, algorithms or staff like this, forgot all the mats you know donít use this because computers are best in math use a system in what you need to use your imagination or abstract thinking because a computer donít have this function. Let say some animation, never give a computer a code because he will brake it, donít use algorithms a programmer will tray to brake them, use random function, random coordinates, this is the only way to make a security system he can be brake and the player will be more happy. I will.


I hope some player will make the time to reed all this. All this is my personal opinions.



P.S. Iím a student at computer science.

i'm surprized by the diffrence on how much u think you know and how little you know. You are probably in the first year and think you are so good. Your solution implies a titanic work from the programmer...and also uselss. The capcha in koc has allready been defeted and the program is only 200Kb. No huge databases are required. Perhaps they didn't teach you in school about image regonition algoritms. Each character is individualy recognized so it woun't matter how many letters&numbers combination are out there. And by the way...that text in capcha in random generated...they don't use 1Tb to store images :))

elvsking
23rd March 2005, 12:01 PM
What has alliances have to do with this?


Is easy if you get more computers the program will be faster at the beginning. I will give you an example: 1 computer will need 100 days to do this, 100 computers will need a day. If you donít have 100 computers at your place you can find help from your alliances.




So in short make somebody sit in the serverside and type in the letters.:rofl:


And way you think is a man? A computer can do this.



i'm surprized by the diffrence on how much u think you know and how little you know. You are probably in the first year and think you are so good. Your solution implies a titanic work from the programmer...and also uselss. The capcha in koc has allready been defeted and the program is only 200Kb. No huge databases are required. Perhaps they didn't teach you in school about image regonition algoritms. Each character is individualy recognized so it woun't matter how many letters&numbers combination are out there. And by the way...that text in capcha in random generated...they don't use 1Tb to store images :))

About my program I will not need a 1 TB data base, I think 1 mb will be more then enough. The programmer work will be like 1 week (at my level). What are the benefit is simple. If you want to get rid of AB just change the letters with some object first letter of the object will be the letter you need. Try to use your AB then. My program will self adapt to the changes in 30 minutes or so, without any support from me, he will be able to solve any imagine in a very short time. He can be use without any major changes even like an AC. And the best part is ho long the KOC admins will use imagine system my program will work. What I post on the forum are some stupid ways to make an AB, my solution will not be post on this forum or others. Because some player can use this to create an AB. I donít know what you want maybe to post the code on GUA, so you can see it work. I will not do this if you want an AB you can make one with the information I give you in my last post, but like I say is easy to break a useful code then this one, but the principle is there and on GUA players are interesting in ho to stop AB not to create more. And for this you need to know ho it work not to have one.

Simius
24th March 2005, 02:00 AM
Simus:it is 32^32 as I have seen V,Q,Y,frequently.See jedis sig.

No it's not, if your talking about ^32 then your not talking about the image, since the image has only 4 characters anyways, so that would mean a power of 4. So you must be talking about the 32 character string in the image name, and that one only consits of 0-9 and a-f like I said before.


I tried Flares method but it doesnt work for me.
I tried it as well, and it does work, so there is no relation between the 32 character string and the characters on the image, like he said. I did notice that when you refresh the image it may look slightly different (different type of characters, but still the same characters), so it must only be storing the characters on the server.

orioncainm2
27th March 2005, 02:37 AM
seems that the only way you could make an autobuyer is to make an image recognition one, and given how hard it is for even humans to recognise some of those characters it seems unlikely that it is do-able.[/QUOTE]

I was really curious about this, so I made some experiments on my own. I think all this codebraking stuff is just pitting one's intelligence against the programmer's and I think it is quite fun like chess. With that said, I have no intention of cheating whatsoever plus I couldn't anyway with my knowledge of programming.

However, I found a way to "clear up the image" in the verification screens and I am just posting it here so that the admins can improve their system. I am a graphics designer not a programmer so I decided to work with what I have. I took a random verification image and converted it to vector graphics form (.svg) and then took out all the lines thinner than 7 pixels. I did this by hand but it shouldn't be too hard to write something like a macro for this with the transformation options available in vector editing programs. Then I enlarged the image about 4 times and used fills for enclosed spaces. Since I know nothing about image recognition I simply printed the image and scanned it back using OCR. I made 7 trials got 100% correct on 3 and got two letters right in 2 the other two was just nonsense. Perhaps this could be improved with better OCR methods, I don't know. But until the time of printing the process take 10-15 seconds for one image.

Just thought I should warn you guys. BTW, the way to make sure that vector graphics mess up completely is to add shades of gray and something other than straight lines in the background. Curves or dots of different sizes would work fine.

Thanks for making this great game, have been at it for only a week now and can't stop. Thanks for all the effort you spend about making it cheater free as well.

dmc
27th March 2005, 03:35 AM
seems that the only way you could make an autobuyer is to make an image recognition one, and given how hard it is for even humans to recognise some of those characters it seems unlikely that it is do-able

1. Decrypting
I dont know the exact way on koc but this is a guess.
When someone enters a page koc makes a random number between 1 and 15. Now the page makes somehow a md5 hash from the number combined with a timestamp and or other things. The hash that has been generated is set as session. So koc remembers the time and the other things and you have the hash as session.
Now when you click a number koc combines that number again with the timestamp and otherthings and generates the hash again and compares it with your session hash. When its the same you pressed the right number.

In this way it is impossible to decrypt the hash.

2. OCR, Optical Character Recognition
All ocr software out there is based on standard fonts an languages.
When you try to get the text from the koc captha system it can't be recognised because its not a default font. If it does recognise it would giving problems cause the proffesional ocr software tries to find a word regarding the text.
An other way is to copy all captha system characters and make a font of it. Then u could use it in your own build ocr program but this whole process is big. So i dont think people would really put time in this. But programmers who have expierience with this could do this.

Conclusion decrypting the code would be almost impossible. Using ocr software would not recognise the captha system. Making your own ocr software with the koc fonts would recognise it but you would be stupid putting al that time in such thing.

So koc can do 2 things and that is, changing the captcha system fonts once in a while. And capture the users event (check if it really was a click from a mouse that clicked te button and not software that just does a script submit)

Kerberos
27th March 2005, 04:28 PM
The simple fact is that the webpage needs to know some matching between images(or some related property of that image) and the correct string. If an algorithm can determine if the string is correct, there can be an algorithm to determine what the correct string is. I'm sure KOC uses some kind of encryption, but every encryption has a decryption. I'm sure the decryption is very difficult to figure out, but we are talking possible, not practical.

Chaos NOW!!!
27th March 2005, 10:16 PM
It is not necessary to build a program that does it all. The key component is simply a good OCR application. The OCR application then simply need to be trained to recoqnize all the weird characters correctly. This would probably take some effort, but I believe it will get it right more often than I do...

Second step is easy: Make a script that logs onto KoC using your browser, goes to the right page and so on, prints the page (or partial screenshot) and sends it to the OCR appliction that recognizes a preset area, copies the output and goes back to the browser to paste it and voila. Almost anyone could pull this off...

I don't know if anyone has a system working already. I have, however, noticed that I am starting to get a lot of impersonal recruiting messages again...

I don't want an autobuyer, but as someone said, it is tempting to make an automated system that can recognize and enter the correct code. I would love it on the attack page.

The most annoying thing about the capcha system is that you cannot work with many windows open, since the captcha is not unique to a window. Really pisses me off... If you could at least enter the codes in advance, and then spy, sabotage, attack, and buy as fast as you used to be able to do.

Chaos NOW!!!

Kirin
29th March 2005, 06:43 AM
It is not necessary to build a program that does it all. The key component is simply a good OCR application. The OCR application then simply need to be trained to recoqnize all the weird characters correctly. This would probably take some effort

Till now all OCR apps only work for a particular font with a particular background.So someone has to develop an OCR just for KoC.Effeciency of OCR apps are also very low.
Why would anyone waste that much time for a game?

Chaos NOW!!!
29th March 2005, 08:05 AM
There are OCR applications that can learn to read any font, however childish...

You can even teach them to read your own scribbles. It works just fine. I use it all the time. I also have experience using OCR with scans of old manuscripts with wierd old lettering. Tricky, but it can be made to work. It makes my work as a translator easier sometimes...

The time waste is exactly why I wouldn't do it for KoC. As I said, I don't want an autobuyer. It is the captchas on the attack page that piss me off, and an automated system for the attack page would never be fast enough to make it worth while...

No captchas are good captchas.

Captcha later,
Chaos NOW!!!

Lord_Seregon
29th March 2005, 08:17 AM
There are OCR applications that can learn to read any font, however childish...



But are they capable of reading fonts in an image.

EworTam
29th March 2005, 08:26 AM
No captchas are good captchas.

Captcha later,
Chaos NOW!!!

If 'chaos' is everyone autobanked upto their eyeballs, automessaging your inbox or even autosabbing and autoattacking you then I want none of it. Captchas are a slight inconvenience, they are far from perfect, but they keep the game fair.

As you said, you personally wouldn't use such programs, but every needs to be captcha-ed to ensure the game is kept fair.

I agree with you about the windows when attacking though. I knw nothing about coding, but last age their was the same problem with trying to click all of your officers at the same time on different pages, so I don't know if the admins can find any way to solve this problem. The only thing I can think of is you only need to type in the code to get to the attack page from the stats page, so only needing one captcha for sabbing or attacking.

elvsking
29th March 2005, 11:25 AM
But are they capable of reading fonts in an image.

Yes this is what they are creating to do. You have a text from a magazine or something and you scan him, the programs recognize the characters. Some programs are very good at this, the one I use recognize with a 99% accuracy and this is more then you need for koc. But you will need to make some manually recognizes of the characters he donít know. If you donít have this programs and you have some programming skills you could make one of your one, is not to hard.