This is a fantastic guest post by Harry over at DarkSEO Programming. His blog has some AWESOME code examples and tutorials along with an even deeper explanation of this post so definitely check it out and subscribe so he’ll continue blogging.

This post is a practical explanation of how to crack phpBB2 easily. You need to know some basic programming but 90% of the code is written for you in free software.

Programs you Need

C++/Visual C++ express edition - On Linux everything should compile simply. On windows everything should compile simply, but it doesn’t always (normally?). Anyway the best tool I found to compile on windows is Visual C++ express edition. Download

GOCR - this program takes care of the character recognition. Also splits the characters up for us ;) . It’s pretty easy to do that manually but hey. Download

ImageMagick - this comes with Linux. ImageMagick lets us edit images very easily from C++, php etc. Install this with the development headers and libraries. Download from here

A (modified) phpbb2 install - phpBB2 will lock you out after a number of registration attempts so we need to change a line in it for testing purposes. After you have it all working you should have a good success rate and it will be unlikely to lock you out. Find this section of code: (it’s in includes/usercp_register.php)

if ($row = $db->sql_fetchrow($result))
{
if ($row['attempts'] > 3)
{
message_die(GENERAL_MESSAGE, $lang['Too_many_registers']);
}
}
$db->sql_freeresult($result);

Make it this:

if ($row = $db->sql_fetchrow($result))
{
//if ($row[’attempts’] > 3)
//{
// message_die(GENERAL_MESSAGE, $lang[’Too_many_registers’]);
//}
}
$db->sql_freeresult($result);

Possibly a version of php and maybe apache web server on your desktop PC. I used php to automate the downloading of the captcha because it’s very good at interpreting strings and downloading static web pages.

Getting C++ Working First

The problem on windows is there is a vast number of C++ compilers, and they all need setting up differently. However I wrote the programs in C++ because it seemed the easiest language to quickly edit images with ImageMagick. I wanted to use ImageMagick because it allows us to apply a lot of effects to the image if we need to remove different types of backgrounds from the captcha.

Once you’ve installed Visual C++ 2008 express (not C#, I honestly don’t know if C# will work) you need to create a Win32 Application. In the project properties set the include path to something like (depending on your imagemagick installation) C:\Program Files\ImageMagick-6.3.7-Q16\include and the library path to C:\Program Files\ImageMagick-6.3.7-Q16\lib. Then add these to your additional library dependencies CORE_RL_magick_.lib CORE_RL_Magick++_.lib CORE_RL_wand_.lib. You can now begin typing the programs below.

If that all sounds complicated don’t worry about it. This post covers the theory of cracking phpBB2 as well. I just try to include as much code as possible so that you can see it in action. As long as you understand the theory you can code this in php, perl, C or any other language. I’ve compiled a working program at the bottom of this post so you don’t need to get it all working straight away to play with things.

Getting started

Ok this is a phpBB2 captcha:

It won’t immediately be interpreted by GOCR because GOCR can’t work out where the letters start and end. Here’s the weakness though. The background is lighter than the text so we can exclude it by getting rid of the lighter colors. With ImageMagick we can do this in a few lines of C++. Type the program below and compile/run it and it will remove the background. I’ll explain it below.


using namespace Magick;

int main( int /*argc*/, char ** argv)
{

// Initialize ImageMagick install location for Windows
InitializeMagick(*argv);

// load in the unedited image
Image phpBB("test.png");

// remove noise
phpBB.threshold(34000);

// save image
phpBB.write("convert.pnm");

return(1);
}

All this does is loads in the image, and then calls the function threshold attached to the image. Threshold filters out any pixels below a certain darkness. On linux you have to save the image as a .png however on windows GOCR will only read .pnm files so on linux we have to put the line instead:


// save image
phpBB.write("convert.png");


The background removed.

Ok that’s one part sorted. Problem 2. We now have another image that GOCR won’t be able to tell where letters start and end. It’s too grainy. What we notice though is that each unjoined dot in a letter that is surrounded by dots 3 pixels away should probably be connected together. So I add a piece of code onto the above program that looks 3 pixels to the right and 3 pixels below. If it finds any black dots it fills in the gaps. We now have chunky letters. GOCR can now identify where each letter starts and ends :D . We’re pretty much nearly done.


using namespace Magick;

void fill_holes(PixelPacket * pixels, int cur_pixel, int size_x, int size_y)
{
int max_pixel, found;

///////////// pixels to right /////////////////////
found = 0;
max_pixel = cur_pixel+3; // the furthest we want to search
// set a limit so that we can't go over the end of the picture and crash
if(max_pixel>=size_x*size_y)
max_pixel = size_x*size_y-1;

// first of all are we a black pixel, no point if we are not
if(*(pixels+cur_pixel)==Color("black"))
{
// start searching from the right backwards
for(int index=max_pixel; index>cur_pixel; index--)
{
// should we be coloring?
if(found)
*(pixels+index)=Color("black");

if(*(pixels+index)==Color("black"))
found=1;
}
}

///////////// pixels to bottom /////////////////////
found = 0;
max_pixel = cur_pixel+(size_x*3);
if(max_pixel>=size_x*size_y)
max_pixel = size_x*size_y-1;

if(*(pixels+cur_pixel)==Color("black"))
{
for(int index=max_pixel; index>cur_pixel; index-=size_x)
{
// should we be coloring?
if(found)
*(pixels+index)=Color("black");

if(*(pixels+index)==Color("black"))
found=1;
}
}

}

int main( int /*argc*/, char ** argv)
{

// Initialize ImageMagick install location for Windows
InitializeMagick(*argv);

// load in the unedited image
Image phpBB("test.png");

// remove noise
phpBB.threshold(34000);

/////////////////////////////////////////////////////////////////////////////////////////////////////
// Beef up "holey" parts
/////////////////////////////////////////////////////////////////////////////////////////////////////
phpBB.modifyImage(); // Ensure that there is only one reference to
// underlying image; if this is not done, then the
// image pixels *may* remain unmodified. [???]
Pixels my_pixel_cache(phpBB); // allocate an image pixel cache associated with my_image
PixelPacket* pixels; // 'pixels' is a pointer to a PixelPacket array

// define the view area that will be accessed via the image pixel cache
// literally below we are selecting the entire picture
int start_x = 0;
int start_y = 0;
int size_x = phpBB.columns();
int size_y = phpBB.rows();

// return a pointer to the pixels of the defined pixel cache
pixels = my_pixel_cache.get(start_x, start_y, size_x, size_y);

// go through each pixel and if it is black and has black neighbors fill in the gaps
// this calls the function fill_holes from above
for(int index=0; index fill_holes(pixels, index, size_x, size_y);

// now that the operations on my_pixel_cache have been finalized
// ensure that the pixel cache is transferred back to my_image
my_pixel_cache.sync();

// save image
phpBB.write("convert.pnm");

return(1);
}

I admit this looks complicated on first view. However you definitely don’t have to do this in C++ though if you can find an easier way to perform the same task. All it does is remove the background and join close dots together.

I’ve given the C++ source code because that’s what was easier for me, however the syntax can be quite confusing if you’re new to C++. Especially the code that accesses blocks of memory to edit the pixels. This is more a study of how to crack the captcha, but in case you want to code it in another language here’s the general idea of the algorithm that fills in the holes in the letters:

1. Go through each pixel in the picture. Remember where we are in a variable called cur_pixel
2. Start three pixels to the right of cur_pixel. If it’s black color the pixels between this position and cur_pixel black.
3. Work backwards one by one until we reach cur_pixel again. If any pixels we land on are black then color the space in between them and cur_pixel black.
4. Go back to step 1 until we’ve been through every pixel in the picture

NOTE: Just make sure you don’t let any variables go over the edge of the image otherwise you might crash your program.

I used the same algorithm but modified it slightly so that it also looked 3 pixels below, however the steps were exactly the same.

Training GOCR

The font we’re left with is not recognized natively by GOCR so we have to train it. It’s not recognized partly because it’s a bit jagged.

Assuming our cleaned up picture is called convert.pnm and our training data is going to be stored in a directory call data/ we’d type this.

gocr -p ./data/ -m 256 -m 130 convert.pnm

Just make sure the directory data/ exists (and is empty). I should point out that you need to open up a command prompt to do this from. It doesn’t have nice windows. Which is good because it makes it easier to integrate into php at a later date.

Any letters it doesn’t recognize it will ask you what they are. Just make sure you type the right answer. -m 256 means use a user defined database for character recognition. -m 130 means learn new letters.

You can find my data/ directory in the zip at the end of this post. It just saves you the time of going through checking each letter and makes it all work instantly.

Speeding it up

Downloading, converting, and training for each phpbb2 captcha takes a little while. It can be sped up with a simple bit of php code but I don’t want to make this post much longer. You’ll find my script at the end in my code package. The php code runs from the command prompt though by typing “php filename.php”. It’s sort of conceptual in the sense that it works, but it’s not perfect.

Done

Ok once GOCR starts getting 90% of the letters right we can reduce the required accuracy so that it guesses the letters it doesn’t know.

Below I’ve reduced the accuracy requirement to 25% using -a 25. Otherwise GOCR prints the default underscore character even for slightly different looking characters that have already been entered. -m 2 means don’t use the default letter database. I probably could have used this earlier but didn’t. Ah well, it doesn’t do a whole lot.

gocr -p ./data/ -m 256 -m 2 -a 25 convert.pnm

We can get the output of gocr in php using:

echo exec(”/full/path/gocr -p ./data/ -m 256 -m 2 -a 25 convert.pnm”);

Alternatives

In some instances you may not have access to GOCR or you don’t want to use it. Although it should be usable if you have access to a dedicated server. In this case I would separate the letters out manually and resize them all to the same size. I would then put them through a php neural network which can be downloaded from here FANN download

It would take a bit of work but it should hopefully be as good as using GOCR. I don’t know how well each one reacts to letters which are rotated though. Neural networks simply memorize patterns. I haven’t checked the inner workings of GOCR. It looks complicated.

My code

All the code can be found here to crack phpBB2 captcha.

Zip Download

In conclusion to this tutorial it’s a nightmare trying to port over all my code from linux to windows unless it’s written in Java :D . If only Java was small and quick as well.

It’s worth stating that phpbb2 was easy to crack because the letters didn’t touch or overlap. If they had touched or overlapped it would probably have been very hard to crack.

I plan to look at that line and square captcha that comes with phpBB3 over on my site and document how secure it is.

Thanks for the awesome guest post Harry.