Breaking LostFilm Captcha (php)

Deciding to download another series of House, I looked at LostFilm and found that now on the site to download you need to register.
Only I decided to register, as I caught sight of their newfangled captcha:


Captcha seemed to me quite simple (although it is not devoid of slices of originality).

So, captcha is an image with three figures and an inscription.
The figures are displayed in a random order, without any distortion or position changes along the axes (only the type of the figure and the order changes). There are four figures in total: a circle (circle), a square (square), a triangle (triangle) and a cross (x).


Under the figures the inscription is displayed, which indicates which of the figures you want to choose.
')
All this "miracle" is located in the file login.bogi.ru/captcha.php , displayed by the standard phpGD library, file size 170x95px, type PNG.

Registration takes place by sending a GET HTTP request (in this case, XHR, but this does not matter, because there is no check for substitution):
bogi.ru/auth/registration?first=FIRST_NAME
&last=LAST_NAME
&nick=NICK
&email=EMAIL
&password=PASSWORD
&sex=1
&captcha=1
&sid=
&ajax=1
&target=http%3A%2F%2Flostfilm.tv%2F
We are most interested in the fields email, password, captcha and sid.

The sap identifier for captcha is transmitted via sid.
The captcha parameter indicates the number of the figure 1, 2 or 3.

The full path to the captcha picture will look like this:
login.bogi.ru/captcha.php?sid=a0vxd4rgs0gsz5gh38gan903sac



Get the picture from the source code of the registration page, for example, from the hidden sid field:

 $reg = "/name=\"sid\" value=\"([^\/]+)\"/";//<input type="hidden" name="sid" value="7cf6e89e9ee5dd19cdae1328208198" /> preg_match($reg, $site_html, $sid); $sid = $sid[1]; 

After receiving the image, you can proceed to parse it.
To begin with, I divided the entire image into two areas:
1) Figures
2) Inscription



Since neither the figures nor the inscription are distorted and do not change their position, it is easy to compose their matrices for each case (4 * 2 = 8 matrices).
For example:

 for($x=0; $x<$width; $x++) { for($y=0; $y<$height; $y++) { $color[$x][$y] = imagecolorat($img, $x, $y); //sign if($y > 70) { $sign[$x1][$y1] .= ($color[$x][$y]==2147483647?0:1); $y1++; } //FIGURE 1 if($y > 10 && $y < 40 && $x > 20 && $x < 50) { $figures[0][$f0x] .= ($color[$x][$y]==16777215?0:1); } //FIGURE 2 if($y > 10 && $y < 40 && $x > 70 && $x < 100) { $figures[1][$f1x] .= ($color[$x][$y]==16777215?0:1); } //FIGURE 3 if($y > 10 && $y < 40 && $x > 120 && $x < 150) { $figures[2][$f2x] .= ($color[$x][$y]==16777215?0:1); } } if(count($sign)){$x1++; $y1=0;} if($x > 20 && $x < 50) $f0x++; if($x > 70 && $x < 100) $f1x++; if($x > 120 && $x < 150) $f2x++; } 

Here I make the matrix for 3 figures ($ figures) and the matrix for the inscription ($ sign). The background colors (in the figures are white, in the inscription is transparent) I replace with 0, the rest - 1.
The result is a matrix like this:


It remains the case for small, you need to make a bank of matrices for all figures and inscriptions, and then comparing the disassembled images with previously saved matrices you can set the number of the figure, and therefore - to solve the captcha.

The reconciliation code is quite simple:

 if($sign == $signs['x']) { if($figures[0] == $drawings['x']){$result = 1;} elseif($figures[1] == $drawings['x']){$result = 2;} elseif($figures[2] == $drawings['x']){$result = 3;} else{$result = 0;} } elseif($sign == $signs['circle']) { if($figures[0] == $drawings['circle']){$result = 1;} elseif($figures[1] == $drawings['circle']){$result = 2;} elseif($figures[2] == $drawings['circle']){$result = 3;} else{$result = 0;} } elseif($sign == $signs['square']) { if($figures[0] == $drawings['square']){$result = 1;} elseif($figures[1] == $drawings['square']){$result = 2;} elseif($figures[2] == $drawings['square']){$result = 3;} else{$result = 0;} } elseif($sign == $signs['triangle']) { if($figures[0] == $drawings['triangle']){$result = 1;} elseif($figures[1] == $drawings['triangle']){$result = 2;} elseif($figures[2] == $drawings['triangle']){$result = 3;} else{$result = 0;} } 

Here, $ signs are matrixes of inscriptions, $ drawings is a set of matrixes of figures, $ sign is the current inscription, $ figures is a set of current figures.

As a result, we get the number of the picture (or 0 if it could not be disassembled).

All that remains is to send a registration request:

 $regURL = "http://bogi.ru/auth/registration?first=TestBot&last=Bot1a&nick=bot".substr(uniqid(), 0, 5)."&email=bot".substr(uniqid(), 0, 5)."@gmail.com&password=qwerty123&sex=1&captcha=".$result."&sid=".$sid."&ajax=1&target=http%3A%2F%2Flostfilm.tv%2F"; $data = file_get_contents($regURL); 

In response, we get
callback({"error":0,"text":""});
What does it mean "Hooray! Registration is successful . ”

I would like to note that this captcha is extremely unreliable, it can be easily cracked even by an inexperienced programmer in a short time, and of course you should not use it if you want to protect your site from bots and spammers.

PS In general, it took about an hour to “break” this captcha; it takes about 5 seconds to parse one picture (along with parsing and registration). Just in case, I sent a report on the work done to those. support LostFilm, and then went to watch the 10 series of Haus.