Do you need a human verification system for your Roblox project?
Feel free to use this one!
Features:
Difficult to reverse engineer/crack/bot
Stand alone and secure. No web services, or modules required by ID.
Players can refresh the text if they don’t like the one they’re given
(Adjustable cooldown included)
Players can not chat while on the Human verification screen. Chat is disabled.
(If the player enables the chat CoreGui using hax and then chats, they get kicked)
The randomly generated text is filtered using ChatService FilterStringAsync before being shown to the player
Using the module is very simple.
Here’s a script from the test place.
-- dispeller
-- Example Captcha script
-- 07/02/2020
Captcha = require(script.Captcha)
--game.Players.PlayerAdded:Connect(function(addedPlayer)
-- Captcha(addedPlayer)
--end)
workspace.RedButton.Red.ClickDetector.MouseClick:Connect(function(ClickerPlayer)
local inCaptcha = Captcha(ClickerPlayer)
if inCaptcha then
inCaptcha:Connect(function()
print(ClickerPlayer.Name,'did the captcha!')
end)
end
end)
You can adjust the length of the captcha and the refresh debounce delay inside the module.
-- Captcha by dispeller
-- dispeller
-- 07/01/2020
refreshDebounceDelay = 1
-- The player can refresh the code 1 time every refreshDebounceDelay seconds
CaptchaLength = 5
-- I DON'T RECCOMEND PUTTING THIS ANY HIGHER THAN 6.
-- Built in Roblox limit on TextSize will make the text really small.
-- Even with TextScaled, TextSize can not be a decimal.
-- As a result, anything higher than 7 makes the text really small
-- At default CaptchaLength of 5 there are 7,893,600 possible combinations
-- No real need to go over 7
-- Formula to find how many possible combinations:
-- (26!)/(26-CaptchaLength)!
-- a little less than this because of filtering to make sure random string is safe to show players
Looks like just stretching the letters was not enough. Thank you to @sircfenner for informing me of this. Added random obstruction. Sacrifices a little readability for better protection. Also redid the text art for the letters.
This is actually a nice resource, and I’m interested in how you crates it, I hope it’s frame based instead of just modified text labels or it would be easy to crack, but I know your a good programmer so I’ll truest you on the reliability side.
What I’m actually interested in is what potential use cases you see for this in games?
Thanks for sharing this, I believe that you could use this as as a requirement to use the ChatBox in your game and stop those scamBots joining your server and advertising scam sites.
You could use it to prevent the scamBots joining your game and advertising their scam sites in the chat, by making it so that if you do not pass that verification the chat will not allow you to type messages, or it will be disabled completely.
This is a good Idea and I have been trying to make something like this for some time now. But I suggest for the source code to have it do something where they cannot interact with the environment or teleport them to a side game so that exploiters don’t find a bypass that the scam bots can use. But its a good Idea none the less. Great work.
It looks like this is reasonably easy to bypass (having the source code helps a lot).
In the video below, I have some Lua code running on the client that solves it and inputs the answer into the textbox. It would be simple to make this fire a remote with the answer instead.
It works by extracting the characters out of the image-text and comparing them against the stretched versions of characters a-z. This works because the characters are very often separated by a blank column so it’s trivial to extract them.
It uses a TextLabel. It’s not that easy to crack. I’ve thought about a system that uses vector based frame characters but using a bunch of box frames wouldn’t be any more secure than using a TextLabel.
My only problem is with any half decent engineering effort could a bot just find the text labels text values and compare positions to crack the verification system?
The TextLabel’s text is full of text art, not the actual strings of letters.
The text art is warped and also obstructed with extra pixels.
If you want an extra layer of security, you can edit the characters used to generate the text art yourself under the Text Art Letters module.
With enough effort, any Captcha can be bypassed.
Even Google’s Captcha has been bypassed.
The point of a Captcha is to make it difficult.
It’s very good but easy for someone to bypass. Since it prints the code to output, someone could easily press F9 or fn + F9 and they could get the code.
It only prints it on the server side.
The code is never visible like that on the client side.
Normal users do not have access to the server side console.
It looks like this is reasonably easy to bypass (having the source code helps a lot).
In the video below, I have some Lua code running on the client that solves it and inputs the answer into the textbox. It would be simple to make this fire a remote with the answer instead.
Well. You could always encrypt the event and then decrypt it after. I have done it a few times before as I have had to deal with exploiters trying to get by it.
It’s better to have server side checks and better obstruction.
I have a debounce cooldown on the RemoteFunction, and I’ve added more obstruction to the text to make it harder to solve the code’s text art algorithmically.
By default, the player can only try 1 code every 1 second.
With the default Captcha length of 5, there are more than 7 million possible combinations.
If someone wanted to brute force it, it would take around 1944 hours or 81 days to try every possible combination.
You could change the settings to be once every 2 seconds, and it would go to roughly 162 days.
(This is not factoring in the fact that the randomly generated codes are filtered with Chat Service to make sure they don’t say anything inappropriate)
Not to mention, if the user gets the code wrong once then they get a new captcha.
Brute force is basically impossible.
As I see in open source. Correct answer is being generated by server and dots for captcha will be sent from server too, so I think exploiter can’t bypass this
