Cracked next Captcha

Ok, when Micha saw my tiny hack he changed his implementation (as promised) and told me I’m not able to hack it again… Micha, your captcha failed again :P

Lets have another look to his code:

<p>
	Lösen Sie bitte die folgende Aufgabe (ggf. <em>x</em> bestimmen) <br />

		<img src="http://mathtran.open.ac.uk/cgi-bin/mathtran?D=1;tex=2%5E%7B%202%20%7D" alt="2^{ 2 }" title="2^{ 2 }"/>
	</p>
	<p><input name="captvalue" id="captvalue" value="" size="40" tabindex="4" type="text"/></p>
	<input name="captcha" value="kwCci5YUFw27oJWwxYc6JuuDuvhMd+K95V1TYf3vwJrZqZf2fJCdABUx/4pxMb08kkV/" type="hidden"/>

First of all he renamed the fields, so of course my last attack will fail :P The next problem is, that the hash for a 7 isn’t the hash for another 7 of a different calculation. Maybe he’s using the arithmetic problem or the time or other things for his hash calculation. So if we don’t know how his calculation for the hash is, the last attack is senseless… Btw he told me that he’s using encryption. If you’re bored, try to break it, it’s to much for me. But Micha bets three beer that I’m not able. So no chance to quit!

In my last post I had another idea to crack the captcha: Parse the formula. Ok, I wrote about parsing the URI to the external server that produces the picture, of course it’s much easier to parse the title - or alt -tag of the image! These fields are human readable to get the site handicapped accessible. Of course worthy that he provides this fields! So, after some reloads I had a small idea with what kind of problems I have to deal with:

Simple calculations
something like: , just calculate the solution
Convertings
like , first convert the formula before calculating the solution
Sums
for example , first rewrite the sum-symbol, than calculate the solution

That’s the theory, the code is this time a little bit longer:

// ==UserScript==
// @name           micha-captcha-hack-v2
// @namespace      binfalse
// @description    solve michas captchas without human thinking ;)
// @include        http://0rpheus.net/*
// ==/UserScript==

var capt_field = document.getElementsByName ("captvalue");
if (capt_field)
{
	//search for the image
	var imgs = document.getElementsByTagName ("img");
	var img = 0;
	for (var i = 0; i < imgs.length; i++)
	{
		if (imgs[i].src && imgs[i].src.indexOf ("mathtran.open.ac.uk") >= 0)
		{
			img = imgs[i];
			break;
		}
	}
	
	if (img != 0)
	{
		var problem = img.title;
		// parse simple math operations
		problem = problem.replace (/\\cos\s*0/, " 1 ");
		problem = problem.replace ("\\div", " / ");
		problem = problem.replace ("\\cdot", " * ");
		problem = problem.replace (/\\sin\s*\\frac\s*{\s*\\pi\s*}\s*{\s*2\s*}/, " 1 ");
		problem = problem.replace (/\\frac\s*{(.+?)}{(.+?)}/, "($1) / ($2)");
		problem = problem.replace (/\\sqrt\s*{(.+?)}/, " Math.sqrt ($1) ");
		problem = problem.replace (/([^m ]+)\s*\^\s*{(.+?)}/, " Math.pow ($1, $2) ");
		
		if (problem.indexOf ("=") < 0)
		{
			//simpel problem, just calc..
			capt_field[0].value = eval (problem);
		}
		else if (problem.indexOf ("sum") < 0)
		{
			//converting -> very simple scripted ;)
			var tmp = problem.indexOf ("=");
			var left = problem.substr (0, tmp);
			var right = problem.substr (tmp + 1);
			if (right.indexOf ('x') >= 0)
			{
				tmp = right;
				right = left;
				left = tmp;
			}
			// lhs is x -> convert every other shit to rhs ;)
			
			// kill adds
			var leftpieces = left.split ('+');
			for (var i = 0; i < leftpieces.length; i++)
				if (leftpieces[i].indexOf ('x') < 0)
					right = right + " - " + leftpieces[i];
				else
					left = leftpieces[i];
			
			// kill subs
			var leftpieces = left.split ('-');
			for (var i = 0; i < leftpieces.length; i++)
				if (leftpieces[i].indexOf ('x') < 0)
					right = right + " + " + leftpieces[i];
				else
					left = leftpieces[i];
			
			// kill mults
			var leftpieces = left.split ('*');
			for (var i = 0; i < leftpieces.length; i++)
				if (leftpieces[i].indexOf ('x') < 0)
					right = "(" + right + ") / " + leftpieces[i];
				else
					left = leftpieces[i];
			
			// kill divs
			var leftpieces = left.split ('/');
			for (var i = 0; i < leftpieces.length; i++)
				if (leftpieces[i].indexOf ('x') < 0)
					right = "(" + right + ") * " + leftpieces[i];
				else
					left = leftpieces[i];
			
			capt_field[0] = eval (right);
		}
		else
		{
			//sumproblem
			eval (problem.replace (/^.+sum.+?{(.+?)}.+{(.+?)}(.+)$/, "$2;to=$1;s='$3';"));
			var longprob = "";
			for (var i = n; i < to; i++)
				longprob = longprob + " " + s.replace ('n', i) + " +";
			longprob += 0;
			capt_field[0].value = eval (longprob);
		}
		
	}
	else
	{
		capt_field[0].value = "uuups, no img found!?";
		capt_field[0].style.background = "red";
	}
}

As you can see, it’s a little bit tricky and just works for some mathematical formulas that are of interest. If he combines the converting problem with brackets or something like that, this code fails.. But the algorithm is easy to modify for such changes ;)

But respect, to crack my captcha you don’t need that intelligence, it’s feasible in much less code. I hope he doesn’t rewrite his plugin again, don’t want to calculate that stuff by brain…

Cracked a captcha

Micha just implemented an own Captcha-Plugin for wordpress, I just cracked it some minutes later ;)

This version is deprecated, see Cracked next Captcha…

Micha was annoyed of his previous Captcha-Plugin, neither valid nor beautiful, so he decided to write his own tool for killing bots.

When I saw his new captchas I was wondering wheter he will get further comments. His captchas ask for solution of mathematical problems like or or .. Who the hell wants to calculate that stuff!? Me not! ;)

So I developed a little userscript that solves this problem. When you take a look to the source code of his website you’ll find something like this:

Lösen Sie bitte die folgende Aufgabe (ggf. <em>x</em> bestimmen) <br />

		<img src="http://mathtran.open.ac.uk/cgi-bin/mathtran?D=1;tex=228%20%5Cdiv%2019" alt="228 \div 19" title="228 \div 19"/>
	
	<p><input name="captvalue" id="captvalue" value="" size="40" tabindex="4" type="text"/></p>
	<input name="sercret" value="c9679a3b8ab5151bdf143c43091e59a757cb15ce" type="hidden"/>

So you see, there is an image created by an external server, an input field where you can put the solution and an input field of the type hidden with a crypt value (seems like a hash^^). The most of you will see several ways to hack this:

  1. Parse the string of the image like the external server does to create the -image. So you’ll get an arithmetic problem, easy to solve.
  2. Find out what kind of hash is in the value of the secret hidden input-field and try to find a number that matches that hash, maybe via brute force.
  3. Solve one captcha and fake the rest ;)

Of course the last solution is the easiest one. So I solved on captcha, solution was 7 and the secret key was 9ee4251f80923e6239ae66ab50a357daa6039f04 , hack done!

The development of the userscript was more than simple:

// ==UserScript==
// @name           micha-captcha-hack
// @namespace      binfalse
// @description    solve michas captchas without thinking ;)
// @include        http://0rpheus.net/*
// ==/UserScript==

var hidden_field = document.getElementsByName ("sercret");
var capt_field = document.getElementsByName ("captvalue");
if (hidden_field && capt_field)
{
	capt_field[0].value = 7;
	hidden_field[0].value = '9ee4251f80923e6239ae66ab50a357daa6039f04';
}

I think that this script won’t work for a long time, so there is no download available ;) If you want to use it, copy&paste, you know.

Ähm, before anybody starts to blame me, a similar workaround kills also my captcha-solution… :P

New logo for Iceweasel

Actually iceweasel is searching for a new logo.

When I updated a PC of our work group I recognized that iceweasel, iceape and icedove are searching for new logos. Micha just created one for iceweasel with xfig, here is a similar one with tikz:

\begin{tikzpicture}
\draw (-1,0) circle (1cm);
\draw (-1.2,0.3) circle (0.15cm);
\draw (-0.11,-0.4) -- (1,-1);
\draw (1,-1) -- (3,-1);
\draw (2,-1) -- (2.5,-2);
\draw (2,-1) -- (1.5,-2);
\draw (4,-1) -- (6,-1);
\draw (6,-1) -- (6.5,-2);
\draw (6,-1) -- (5.5,-2);
\draw (6,-1) -- (8,0.5);
\draw (-1.9,-0.4) .. controls +(190:1.8cm) and +(180:1.2cm) .. (-2,0);
\draw (-0.7,0.95) .. controls +(90:0.2cm) and +(60:1.8cm) .. (-1.1, 1);
\draw (-1.5,0.85) .. controls +(60:1.6cm) and +(60:0.2cm) .. (-0.85, 1.4);
\draw (3.5,-3) -- (2.5,1);
\draw (3.5,-3) -- (4.5,1);
\draw (3.5,2.5) circle (1cm);
\filldraw [white, draw=black] (2.8,1.7) circle (1cm);
\filldraw [white, draw=black] (4,1.5) circle (1cm);
\end{tikzpicture}

If the maintainer understand something about art they will use one of our creations! ;)

Tweet-button for website

Yeah, completely in twitter-fever! Just developed a tweet-button.

You can see the button at the end of every post. The button itself of course isn’t my work, I just copied it from twitter, but when you click the link around it you can tweet the actual post directly to twitter! Feel free to try it! ;)

It’s more than easy. All the code you need is (replace […]):

<a href="http://twitter.com/share?url=[URL_TO_THIS_SITE]&amp;lang=[en|de|..]&amp;via=[NAME_OF_YOUR_TWITTER_ACCOUNT_FOR_@_LINK]&amp;text=[TEXT_FOR_TWITTERMSG]" >
      Tweet it <img src="[TWITTER_IMAGE]"/>
</a>

So the code that I wrote in my theme is:

if ( is_singular() )
{
	$tweet = '<span id="tweetit"><a href="http://twitter.com/share?url=https%3A%2F%2F'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"].'&amp;lang=en&amp;via=binfalse&amp;text='.the_title('', '', false).'" >
	<span id="tweetittext">Tweet it</span>
	<img src="/wp-content/uploads/2010/08/btn_tweet_mini.png"/>
	</a></span>';
	$tweet .= "<br />";
}

After that just using the $tweet variable at any position I like ;)

Here you can find a documentation.

Journey to Usedom

The last two weeks I took a time out. The first week I visited my sister living on Usedom, Rumpel came with me.

Those of you who are following me on Twitter may have noticed the one or other story, it was one of the best trips I made! Very funny and of course much too short ;)

We cycled a lot of km’s, climbed on trees, swum in the Baltic Sea, took sunbathes on the beach, went to Poland and so on. Detailed reports would blow up the framework of this website, but I’ll provide some pictures at Picasa, here is also a YouTube video from Poland.

And I’ve prepared a funny animated gif of an interesting evening ;)

So, if you ever have the chance to go to Usedom: Do it!!

Usedom - Aug 2010
Usedom - Aug 2010


Martin Scharm

stuff. just for the records.