CaptchaTheFlag - Protect your game from bots

Depends on your definition of a spoof but point is, you cannot bypass a CAPTCHA by giving it wrong information because you cannot reasonably provide the information that would work in your benefit.
Neural networks are not that simple. If it was trained to detect someone trying that, it will detect it no matter what you do, especially if it logs other information like your account age, avatar, blurb, badges, favourites, etc. If you make a CAPTCHA on Roblox that includes all of those parameters as well as every variable you can get from the mouse, then you get into unsolvable territory.

1 Like

@WishingTie After trying a few captchas, got this error

That solution wouldn’t work at all. You have no control over the client so it could simply check for the box with the red color. There is no way around it, CaptchaTheFlag is only useful if most games aren’t using it, which is the case right now.

There's some issues but it's really great, love how clean it is as well as how simple it is while still doing the job

This is great! I love how it’s so simple to use. @WishingTie I would include in the readme that you need to move the captcha script into ServerScriptService to have it work with that example.

To all people who think that this is “to stop bots and not exploiters”.
Bots actually seem to be using some script injectors to fire Chat:Chat(). Here is a tutorial how to break all laws of reality:

  1. Go into a game, “Prison Life” during a bot attack (if bots are in other games, they’ll probably be there too).
  2. Right after joining, you are taken to team select screen. Notice that your team is “Neutral” and your chat GUI is disabled. Right after picking a team the chat GUI will be enabled.
  3. Wait for a bot to appear.
  4. Cover yourself in oil
  5. The bot will do its thing - send a scam link. See anything wrong? The bot chatted while being in the “Neutral” team! Reminder - your chat GUI is disabled when you are in that team. This means that they’ve chatted without needing the GUI. They’re doing that at ultrasonic speeds, which means that this is the way they always send links, and this makes this whole CAPTCHA kinda pointless.

There’s one trouble with this tutorial though - the game is slowly declining in popularity, and the chances of bots appearing are declining too.

7 Likes

I think there might be better ways of detecting bots and removing their chats and removing them from the game after being sure they are bots.

Many bots repeat the same message or a handful of messages repeatedly. We can simply log these messages and block them from reaching chat, if there are enough infractions we can kick and eventually ban the player.

It’s better to punish the bad actor and not all the legit players.
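A sketch of the repeat-message filter described in this post, as an added example that is not part of the original thread or of CaptchaTheFlag. It is plain Lua with no Roblox API calls; the function names, user id and thresholds are assumptions, and the game's server-side chat handler would call `check` and act on the result.

```lua
-- Added example; names and thresholds are hypothetical and need tuning per game.
local WINDOW = 60            -- seconds a message is remembered
local REPEAT_LIMIT = 3       -- identical messages allowed per window
local KICK_AT, BAN_AT = 3, 6 -- infractions before kick / ban
local history = {}           -- [userId] = { [normalized message] = { timestamps } }
local infractions = {}       -- [userId] = number of blocked messages so far

-- Fold case and drop everything except letters and digits, so that
-- "Free R0bux!!" and "free  r0bux" count as the same message.
local function normalize(msg)
	return (msg:lower():gsub("[^%l%d]", ""))
end

-- Returns "allow", "block", "kick" or "ban" for one chat message at time `now`.
local function check(userId, msg, now)
	local key = normalize(msg)
	if key == "" then return "allow" end
	local byMsg = history[userId] or {}
	history[userId] = byMsg
	-- Keep only timestamps still inside the window, then record this message.
	local recent = {}
	for _, t in ipairs(byMsg[key] or {}) do
		if now - t < WINDOW then recent[#recent + 1] = t end
	end
	recent[#recent + 1] = now
	byMsg[key] = recent
	if #recent <= REPEAT_LIMIT then return "allow" end
	-- Over the limit: the message is withheld and the sender escalates.
	local n = (infractions[userId] or 0) + 1
	infractions[userId] = n
	if n >= BAN_AT then return "ban" end
	if n >= KICK_AT then return "kick" end
	return "block"
end

-- Constructed sample: one sender repeating the same line once per second.
local function demo()
	local out = {}
	for i = 1, 7 do
		out[i] = check(1001, i % 2 == 0 and "Free R0bux!!" or "free  r0bux", i)
	end
	return table.concat(out, ",")
end
print(demo())
```

Tracking is per sender and per normalized message, so a bot rotating a handful of lines is counted on each of them separately. Ordinary short repeats from real players also hit the limit, which is why the first infractions only block the message.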

What is a better idea is blurry numbers or something similar

Maybe using runtime CSG to generate skewed letters in a way that it’s hard to analyze for client modifications. :thinking:

3 Likes

Does it display a puzzle based on account age or always?

Does this keep track of mouse movement (like google CAPTCHA)? If not then it’s simply a button click that can easily be simulated (or they could just destroy the GUI itself).

Does this mute the player in chat? If not, most bots just use a script injector to send chat messages afaik. You should mute the player in the chat, which isn’t too hard to do thankfully; it's built into the chat scripts, so you can just require the chat modules and call a quick function or two.

Also, you should implement a challenge where players select something based on their username, or one of their friend’s usernames. For example, you could have them do a click selection for any of these and generate a few random answers (you can bold the relevant character(s) in the name too):

  • Nth letter
  • Nth capital letter
  • Nth lowercase letter
  • Nth number
  • Nth number above x
  • Nth number below x
  • Number of capital letters
  • Number of lowercase letters
  • Number of letters
  • Number of numbers

The above questions are easy to generate, easy for the user to answer, and somewhat hard for a bot to potentially understand.

Additionally, I’m not sure if you do this already, but, you should make your script entirely server sided and have the client send their answer choice as a number meaning the nth answer. The server would then unmute them in the chat and hide the GUI, rather than client code.

The above would require a bot to parse your GUI, which, you could even completely randomize the structure of to make it impossible for bots to access the text directly via code. This would require bots to use OCR (optical character recognition) or try and find the text through other means which would be difficult and less effective.

On top of that, you could insert random colored or strikethrough key words into the text to make it hard for bots to process the text via OCR, and add garbage RichText to make it harder to process if they manage to get the text. For example, <s></s>How many <s>letters</s> <font size="0" color="rgb(255, 255, 255)">numbers</font><font size="14" color="rgb(0, 0, 0)">letters</font> are in <font color="rgb(255, 0, 0)">numbers</font> <s>RandomPlayerName's</s> your name?


2 Likes

Clever idea, the rich text part, but…

Yep, I’m aware. That’s why I suggested the inclusion of extra keywords that are visually distinct.
If you use the Content property, you get rid of the extra distinction and it's harder to filter out bad content.
That forces them to use the RichText property, so they have to process the content manually to decide what is and isn’t important.

1 Like

Hey everyone, I’ve noticed that this thread has gotten some attention again so I’ll respond to some replies.

This script isn’t dependent on the Chat Gui, so if bots use Chat:Chat() (which they most likely are), the Captcha will be prompted to them regardless, and their chat messages won't go through until they solve the Captcha (assuming the developer uses a ChatModule to invoke this script).

The reason this script isn’t using a blacklist for words is because it would be impossible to filter every single scam word. That’s what the old version of this script did, and it wasn’t very useful.

I’d also like to clarify that you shouldn’t totally depend on this script to keep bots out of your game. If this gains enough popularity, bots will start to be programmed to overcome this obstacle. This is simply just a roadblock to make bots struggle to scam players in smaller games.

Unfortunately, there are still some bugs in the script and I haven’t had any time recently to fix them. On top of that, v2 isn’t possible to solve if you can’t differentiate/identify colors, rendering it impossible to some groups such as those with colorblindness. Other people have made better suggestions such as text-based challenges, so I’m giving this up to the public domain. Feel free to do anything you want with the code and assets, no crediting required. Use this as your license: Creative Commons — CC0 1.0 Universal

I have requested this topic to be locked because it is a very old thread that is continuously brought to the front page of the Devforum every time it is interacted with.

I don’t see how this would help since bots don’t have to play the game they can just chat their message in chat and leave…

1 Like

Somehow no one on this thread has yet mentioned that no bots run Lua code or see UI. This does absolutely nothing to stop bots, period. It doesn’t matter if the bot is quickly thrown together.

Bots fire the remote event for chatting directly, they do not touch any Lua code in your game. This does nothing to stop bots, no matter how many times you prompt it.

Lots of people here are suggesting bots work out where to click on the screen when sending messages, this is not the case. Bots do not simulate clicks on the screen, they fire remotes directly.

2 Likes

ChatService is handled Server-side; this script alone provides no protection against firing remotes, however the developer could handle the chat message from a server-side script. For example:

  1. A bot fires a remote to send a chat message
  2. Using a ModuleScript in ChatService, the developer stops the message from being sent to the rest of the clients (handled server-side)
  3. Send Captcha to the bot for it to solve
  4. If solved, prevent the client from being asked to solve a Captcha again

Obviously this won’t stop every bot (especially the bots that are coded to specifically bypass this script) but it makes it much harder for a bot to send a scam message than just firing a remote.
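The four steps above, combined with the username-based question and the "client sends only the index of its choice" idea suggested earlier in the thread, as an added example that is not CaptchaTheFlag's code. It is plain Lua; `onChat`, `onAnswer` and the state table are hypothetical names that the game's own server-side chat hook and answer remote would call.

```lua
-- Added example; every name here is hypothetical, not CaptchaTheFlag's API.
local MAX_ATTEMPTS = 3
local state = {} -- [userId] = { verified, correct, attempts }; server memory only
local QUESTIONS = {
	{ text = "How many capital letters are in your name?", class = "%u" },
	{ text = "How many lowercase letters are in your name?", class = "%l" },
	{ text = "How many numbers are in your name?", class = "%d" },
}
-- Build a question with four shuffled options; the correct index stays here.
local function newChallenge(userId, name)
	local q = QUESTIONS[math.random(#QUESTIONS)]
	local _, answer = name:gsub(q.class, "") -- count of matching characters
	local options, seen = { answer }, { [answer] = true }
	while #options < 4 do
		local decoy = math.max(0, answer + math.random(-3, 3))
		if not seen[decoy] then
			seen[decoy] = true
			options[#options + 1] = decoy
		end
	end
	for i = #options, 2, -1 do -- Fisher-Yates shuffle
		local j = math.random(i)
		options[i], options[j] = options[j], options[i]
	end
	local s = state[userId] or { verified = false, attempts = 0 }
	for i, v in ipairs(options) do
		if v == answer then s.correct = i end
	end
	state[userId] = s
	return { text = q.text, options = options } -- all the client ever receives
end

-- Chat hook: true = broadcast; false = withhold and show the returned challenge.
local function onChat(userId, name)
	local s = state[userId]
	if s and s.verified then return true end
	return false, newChallenge(userId, name)
end

-- Answer hook: `choice` is the option index sent by the client.
local function onAnswer(userId, choice)
	local s = state[userId]
	if not s or not s.correct then return s and s.verified and "ok" or "retry" end
	local ok = choice == s.correct
	s.verified, s.correct = ok, nil -- a challenge is single-use either way
	if ok then return "ok" end
	s.attempts = s.attempts + 1
	return s.attempts >= MAX_ATTEMPTS and "kick" or "retry"
end
```

With four options and three attempts, blind guessing still passes about 58% of the time (1 - 0.75^3), so the option count and attempt limit decide how much this gate is worth against a client that fires remotes directly.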

You point out that bots with exploits can pass V1, however bots with exploits could also pass V2 with zero effort (just use a line or two of code to find which box matches whatever colour is labelled in the request. Not too hard to just string match and “if gui.button.color == green” or code to that extent)

I kinda see no point to using V2 over V1, because bots will either not have exploits and not pass either of them, or they will have exploits and can pass both of them several times over before you could blink.

I love the concept though however. It looks very professional, would be easy for any user to finish and would definitely stop 99% of bots. (Heck, I daresay 100% of bots even, since next to no bots have exploits or are designed to pass this)

1 Like

Locked at the request of the OP