Hacking C # CAPTCHA on C # - It's Easy!

    In this topic I want to tell you about hacking the so-called "Matan-captcha", an example of which was presented in a recent topic Matan captcha in PHP - it's easy! .
    After reading the author’s article about this wonderful captcha, I wanted to write a program to recognize it, as they say just for fun;)


    Let's start with the standard preparatory procedure, namely: search for vulnerabilities. Vulnerabilities marked in italics are not used in recognition.

    Weaknesses:
    1. Black characters on a white background.
    2. No noise and other artifacts (such as lines).
    3. Symbols never intersect.
    4. Always the same font.
    5. There are always 4 terms under the integral.
    6. Degrees and factors consist of one digit.
    7. Degrees and factors range from 2 to 5.
    Strengths include:
    1. The presence of nonlinear distortion.
    2. Possible absence of degree or factor x.
    3. Sometimes, dx stick together in one character.
    4. The width of the captcha changes.
    We compose a recognition algorithm:
    1. Get a captcha bitmap.
    2. Number all characters.
    3. Find the coordinates of the upper and lower limits.
    4. Recognize the constituent characters using a neural network.
    5. Find the first character of the integrand.
    6. Recognizing the characters alternately, move right to the last character.
    7. Solve the resulting integral.

    Original captcha




    Bitmap


    For a unit, we consider a pixel whose brightness according to the HSB color model <0.8, for zero, respectively> = = 0.8. After that, captcha will take the following form:


    Character numbering


    In order to number all the characters, we use the simplest recursive Flood fill algorithm to select connected areas in 8 directions.
    public int FloodFill(ref int[,] source, int num, int x, int y)
    {
        if (source[x, y] == -1)
        {
            source[x, y] = num;
            FloodFill(ref source, num, x - 1, y - 1);
            FloodFill(ref source, num, x - 1, y);
            FloodFill(ref source, num, x - 1, y + 1);
            FloodFill(ref source, num, x, y - 1);
            FloodFill(ref source, num, x, y + 1);
            FloodFill(ref source, num, x + 1, y - 1);
            FloodFill(ref source, num, x + 1, y);
            FloodFill(ref source, num, x + 1, y + 1);
            return ++num;
        }
        return num;
    }
    ...
    int num = 1;
    for (int x = 0; x < CaptchaWidth; x++)
        for (int y = 0; y < CaptchaHeight; y++)
            num = FloodFill(ref bit, num, x, y);
    

    Character recognition


    Given the non-linear distortions and the different size of the characters, the best option for recognizing them is an artificial neural network. To make the task a little easier, I used the free Fast Artificial Neural Network Library . It is written in C ++, and is good because it has interfaces for almost all popular programming languages, including C # .

    All characters are reduced to the same size before recognition: in this case 16px x 21px.
    Thus, an array of 336 elements (16 * 21) will be fed to the input of the neural network. Each element sets the color of the corresponding pixel as an integer: 0 or 1.
    The middle layer consists of 130 neurons. And at the output, an array of 14 elements with real values ​​from 0 to 1, corresponding to numbers from 0 to 9, the sign +, d, x, and stuck dx.

    The training took place on 3090 samples, among which the most characters are “x” and least “d”. Despite this, the training process on my C2D e6750 took only 40 seconds.
    Code for training NA:
    static void Main(string[] args)
    {
        NeuralNet net = new NeuralNet();
        //Указываем слои нейронной сети
        uint[] layers = { 336, 130, 14 };
        net.CreateStandardArray(layers);
        //Устанавливаем случайные веса
        net.RandomizeWeights(-0.1, 0.1);
        net.SetLearningRate(0.7f);
        //Загружаем данные для обучения НС
        TrainingData data = new TrainingData();
        data.ReadTrainFromFile("train.tr");
        //Обучаем сеть
        net.TrainOnData(data, 1000, 0, 0.001f);
        //Сохраняем готовую НС в файл
        net.Save("skynet.ann");
    }
    

    The structure of the text file train.tr:
    num_train_data num_input num_output
    inputdata seperated by space
    outputdata seperated by space
    ...
    inputdata seperated by space
    outputdata seperated by space
    

    Examples of characters transmitted for recognition:


    Integral Recognition


    First we find and recognize the limits. The upper one can consist of 1-2 digits, with a maximum value of 10. The lower one is in the range from 0 to -10.
    Facilitate the task of a neural network:
    • If the upper limit consists of two digits, then this is 10 (the lower of three).
    • We recognize the minus algorithmically by the threshold value of the symbol height.
    • In recognition, we will not take into account the NS outputs that do not match the numbers.
    Find the sign of the integral, simply moving to the right of the left border, indented from the upper border at half the height of the captcha. Everything to the right is an integrand.
    Knowing the number of the integral, the number of objects on the captcha, and the fact that these objects are numbered from left to right, with further sequential recognition of characters, we get approximately the following line “5x5 + x5-4x2 + 4x5dx”. First we simplify the work of the expression parser - we will bring it to the form "+ 5x5 + x5-4x2 + 4x5".
    Some patterns make it easy to get the final data to solve the integral:
    • The signs "+" and "-" separate the terms.
    • The numbers after the "x" are the degree.
    • Etc.
    At the output, we get 2 arrays with factors and powers of x. Further solution of the integral of difficulties no longer presents.

    Instead of a conclusion


    The recognition quality of the entire captcha is impressive: 93.8% in a sample of 500 pieces!



    Download the finished program that demonstrates the solution of the integral here . Or along with the source code (+ a program for training a neural network and a training sample) here .
    I hope that neither my server nor the server of the grishkaa habrayuzer will fall under the habraeffect;)

    Also popular now: