Parse KCaptcha, reassemble ... under .NET
KCaptcha is a fairly common PHP library for generating captcha. I have been familiar with this project for quite a long time, and just the same thought doesn’t leave me: “how does everything work inside, how does it all work”? Yes, it happens: the brain allocates something, at first glance, extremely inconspicuous and unassuming, but then for a long time does not miss this something from the head. So it was with programming, when I first saw a piece of JavaScript code, so it became with the library from Sergey Kruglov, which I decided to study.
But first things first. I will not hide, disassemble and understand KCaptcha I tried many times. My attempts ended in failure. This was facilitated by a minimum of free time, a very small number of comments in the code, and problems with motivation (she kept only on interest), but mainly, of course, the absence of at least some experience behind them.
As time went on, I then took up KCaptcha, then again threw. But time after time, in small steps, the understanding of the code came. The overall picture gradually loomed. Perhaps someone will find this ridiculous: think about it, generating a random key plus outputting to an image! I did not think so. Now I look at these algorithms a bit down, but the memory of trying to understand, would be confusing and sometimes not amenable to code, does not make it possible to laugh at myself.
')
Why bother with code? Connect, and use your health! Fortunately, the library makes it easy to abstract from unnecessary details. I asked this question myself, until I had to work on a single ASP.NET project. Then there was a need to protect some pages from spammers. I think no need to explain that the easiest and most common way to protect against bots is a captcha.
Before, I didn’t use anything other than PHP in my work , and, of course, I have never seen CAPTCHA solutions for .NET. A quick search in Google did not give anything except ReCaptcha wrappers in C #. Deeper analysis of hosting for opensource projects led to some results, but these were long-abandoned, unfinished crafts. They did not even remotely resembled the familiar and already partially studied KCaptcha.
For all the previous time I gained a little bit of experience, and now there was complete order with motivation. Resolved! I have to transfer KCaptcha from PHP to .NET.
The very first part of our program. It is from her that everything else will be repelled. The algorithm is quite simple and maybe even typical for its scope. There is an alphabetic array consisting of the letters used to generate the key. From it n elements are randomly extracted, where n is the key length. Everything is elementary.
However, even in such a simple place we go further! First, we discard all similar symbols: Have you ever had to solve a captcha where 0 (digit) or O (letter) is present? Do you have to? Then you can easily understand why this is done. Secondly, during the generation we follow the combinations of letters / numbers: some symbols, when partially overlaid, form difficult-to-read combinations. For example, the letters r and n. It is easy to understand that together they can be interpreted as m.
And so, we have a string key. It is time to transfer it to the image .
Here KCaptcha is original. Instead of vector fonts that have become the de facto standard, a set of bitmap images containing alphabet symbols is used. Images are marked up in a special way. This is done in order to recognize the surroundings on which the significant pixels (simply speaking - the letters) are located.
Here, the one pixel wide bar at the top of the image is the markup, the black pixels are meaningful areas, the white ones are spaces between characters.
In fact, bitmap fonts have some advantages: we can more accurately position the result, providing better gluing the letters together. In addition, the raster should give an increase in performance compared to the vector and ensure independence from the installed fonts, thereby making the library cross-platform. However, there are also disadvantages: weak scalability (severe loss of quality when resizing) and a predisposition to recognition (see below).
The whole idea is to draw a mark-up scale before drawing, which will be a pointer to the starting and ending position of each character. Then, guided by this scale, transfer the entire line to the image, slightly adjusting the coordinates along the y axis randomly and at the same time replacing the gray gradation with the alpha channel.
From this point on, we have a completely usable library. However, there is one thing! The result can filter only very very weak bots. A targeted attack of such a captcha will give a very decent percentage of recognized images. The fact is that if an attacker has used the fonts, the hacking will turn into just a pixel-by-pixel search of the entire captcha and compare it with the original font files.
But there is a solution - a distorting filter . KCaptcha uses sine distortion for this, or rather even the imposition of several sinusoids on each other. This gives a much more resistant to recovery result. The results of a single wave can be negated by indirect signs, but with two or more - it will be more difficult.
To smooth the filter, linear interpolation is applied.
I have not applied in practice the result of my work due to a failed site on ASP.NET. But after completion, everything turned into a small opensource project. The internal structure, the algorithms, and the code itself are quite different from the original in order to now have their own name (over which, however, I did not think for long). Please do not kick much - NCaptcha .
But first things first. I will not hide, disassemble and understand KCaptcha I tried many times. My attempts ended in failure. This was facilitated by a minimum of free time, a very small number of comments in the code, and problems with motivation (she kept only on interest), but mainly, of course, the absence of at least some experience behind them.
As time went on, I then took up KCaptcha, then again threw. But time after time, in small steps, the understanding of the code came. The overall picture gradually loomed. Perhaps someone will find this ridiculous: think about it, generating a random key plus outputting to an image! I did not think so. Now I look at these algorithms a bit down, but the memory of trying to understand, would be confusing and sometimes not amenable to code, does not make it possible to laugh at myself.
')
Why bother with code? Connect, and use your health! Fortunately, the library makes it easy to abstract from unnecessary details. I asked this question myself, until I had to work on a single ASP.NET project. Then there was a need to protect some pages from spammers. I think no need to explain that the easiest and most common way to protect against bots is a captcha.
Before, I didn’t use anything other than PHP in my work , and, of course, I have never seen CAPTCHA solutions for .NET. A quick search in Google did not give anything except ReCaptcha wrappers in C #. Deeper analysis of hosting for opensource projects led to some results, but these were long-abandoned, unfinished crafts. They did not even remotely resembled the familiar and already partially studied KCaptcha.
For all the previous time I gained a little bit of experience, and now there was complete order with motivation. Resolved! I have to transfer KCaptcha from PHP to .NET.
Key generation
The very first part of our program. It is from her that everything else will be repelled. The algorithm is quite simple and maybe even typical for its scope. There is an alphabetic array consisting of the letters used to generate the key. From it n elements are randomly extracted, where n is the key length. Everything is elementary.
However, even in such a simple place we go further! First, we discard all similar symbols: Have you ever had to solve a captcha where 0 (digit) or O (letter) is present? Do you have to? Then you can easily understand why this is done. Secondly, during the generation we follow the combinations of letters / numbers: some symbols, when partially overlaid, form difficult-to-read combinations. For example, the letters r and n. It is easy to understand that together they can be interpreted as m.
Drawing
And so, we have a string key. It is time to transfer it to the image .
Here KCaptcha is original. Instead of vector fonts that have become the de facto standard, a set of bitmap images containing alphabet symbols is used. Images are marked up in a special way. This is done in order to recognize the surroundings on which the significant pixels (simply speaking - the letters) are located.
Here, the one pixel wide bar at the top of the image is the markup, the black pixels are meaningful areas, the white ones are spaces between characters.
In fact, bitmap fonts have some advantages: we can more accurately position the result, providing better gluing the letters together. In addition, the raster should give an increase in performance compared to the vector and ensure independence from the installed fonts, thereby making the library cross-platform. However, there are also disadvantages: weak scalability (severe loss of quality when resizing) and a predisposition to recognition (see below).
The whole idea is to draw a mark-up scale before drawing, which will be a pointer to the starting and ending position of each character. Then, guided by this scale, transfer the entire line to the image, slightly adjusting the coordinates along the y axis randomly and at the same time replacing the gray gradation with the alpha channel.
Distortion
From this point on, we have a completely usable library. However, there is one thing! The result can filter only very very weak bots. A targeted attack of such a captcha will give a very decent percentage of recognized images. The fact is that if an attacker has used the fonts, the hacking will turn into just a pixel-by-pixel search of the entire captcha and compare it with the original font files.
But there is a solution - a distorting filter . KCaptcha uses sine distortion for this, or rather even the imposition of several sinusoids on each other. This gives a much more resistant to recovery result. The results of a single wave can be negated by indirect signs, but with two or more - it will be more difficult.
To smooth the filter, linear interpolation is applied.
Total
I have not applied in practice the result of my work due to a failed site on ASP.NET. But after completion, everything turned into a small opensource project. The internal structure, the algorithms, and the code itself are quite different from the original in order to now have their own name (over which, however, I did not think for long). Please do not kick much - NCaptcha .
Source: https://habr.com/ru/post/135900/
All Articles