Human Verification Captcha by dispeller (AKA ToldFable)

Patched previous bypass

Do you need a human verification system for your Roblox project?

Feel free to use this one!

Features:

  • Difficult to reverse engineer/crack/bot

  • Stand alone and secure. No web services or modules required by ID.

  • Players can refresh the text if they don’t like the one they’re given
    (Adjustable cooldown included)

  • Players cannot chat while on the Human verification screen. Chat is disabled.
    (If the player enables the chat CoreGui using hax and then chats, they get kicked)

  • The randomly generated text is filtered using ChatService FilterStringAsync before being shown to the player

  • Mobile friendly


Using the module is very simple.
Here’s a script from the test place.

-- dispeller
-- Example Captcha script
-- 07/02/2020

local Captcha = require(script.Captcha)

-- Uncomment to show the captcha to every player as soon as they join:
--game.Players.PlayerAdded:Connect(function(addedPlayer)
--	Captcha(addedPlayer)
--end)

-- Show the captcha when a player clicks the red button. Captcha() returns a
-- connectable signal that fires once the captcha is solved; the nil check
-- guards the case where it returns nothing.
workspace.RedButton.Red.ClickDetector.MouseClick:Connect(function(ClickerPlayer)
	local inCaptcha = Captcha(ClickerPlayer)
	if inCaptcha then
		inCaptcha:Connect(function()
			print(ClickerPlayer.Name, 'did the captcha!')
		end)
	end
end)

You can adjust the length of the captcha and the refresh debounce delay inside the module.

-- Captcha by dispeller
-- dispeller
-- 07/01/2020

local refreshDebounceDelay = 1
-- The player can refresh the code 1 time every refreshDebounceDelay seconds

local CaptchaLength = 5
-- I DON'T RECOMMEND PUTTING THIS ANY HIGHER THAN 6.
-- Built in Roblox limit on TextSize will make the text really small.
-- Even with TextScaled, TextSize can not be a decimal.
-- As a result, anything higher than 7 makes the text really small
-- At default CaptchaLength of 5 there are 7,893,600 possible combinations
-- No real need to go over 7

-- Formula to find how many possible combinations (letters are not repeated):
-- (26!)/(26-CaptchaLength)!
-- a little less than this because of filtering to make sure random string is safe to show players

Get the model here:

Check out the test place here: (uncopylocked too)

Main Module:
https://pastebin.com/raw/Ja5JTCZK

Text Art Letters module :
https://pastebin.com/raw/eEYBWgCr

Ui LocalScript:
https://pastebin.com/raw/Zw89nGAh


Improvements log:

  • Looks like just stretching the letters was not enough. Thank you to @sircfenner for informing me of this. Added random obstruction. Sacrifices a little readability for better protection. Also redid the text art for the letters.
79 Likes

Hi @dispeller!

Thank you for sharing this resource, it is very interesting and useful.

Would you kindly create a link to the source code (preferably GitHub and/or Pastebin) for people who want to read the source but don’t have any access to a PC, or maybe want to contribute to the source?

7 Likes

This is actually a nice resource, and I’m interested in how you created it. I hope it’s frame based instead of just modified text labels, or it would be easy to crack, but I know you’re a good programmer so I’ll trust you on the reliability side.

What I’m actually interested in is what potential use cases you see for this in games?

4 Likes

Can’t wait to see how many games uses this for their verification system!
Keep up the great work!
Thank you for your contribution!

5 Likes

Thanks for sharing this. I believe that you could use this as a requirement to use the ChatBox in your game and stop those scamBots joining your server and advertising scam sites.

3 Likes

You could use it to prevent the scamBots joining your game and advertising their scam sites in the chat, by making it so that if you do not pass that verification the chat will not allow you to type messages, or it will be disabled completely.

2 Likes

This is a good idea and I have been trying to make something like this for some time now. But I suggest for the source code to have it do something where they cannot interact with the environment, or teleport them to a side game, so that exploiters don’t find a bypass that the scam bots can use. But it’s a good idea nonetheless. Great work. :+1:

1 Like

It looks like this is reasonably easy to bypass (having the source code helps a lot).

In the video below, I have some Lua code running on the client that solves it and inputs the answer into the textbox. It would be simple to make this fire a remote with the answer instead.

It works by extracting the characters out of the image-text and comparing them against the stretched versions of characters a-z. This works because the characters are very often separated by a blank column so it’s trivial to extract them.

15 Likes

@sircfenner
Thanks for telling me this.
I’ve updated the module.
This update should hopefully patch this bypass.


@RuizuKun_Dev
Sure thing. I’ll update the OP with a pastebin.


@LuaBearyGood

It uses a TextLabel. It’s not that easy to crack. I’ve thought about a system that uses vector based frame characters but using a bunch of box frames wouldn’t be any more secure than using a TextLabel.


@ReaperNexcon
That’s a good idea.

1 Like

My only problem is: with any half-decent engineering effort, could a bot just find the text labels’ text values and compare positions to crack the verification system?

1 Like

The TextLabel’s text is full of text art, not the actual strings of letters.
The text art is warped and also obstructed with extra pixels.

If you want an extra layer of security, you can edit the characters used to generate the text art yourself under the Text Art Letters module.
With enough effort, any Captcha can be bypassed.
Even Google’s Captcha has been bypassed.
The point of a Captcha is to make it difficult.

2 Likes

It’s very good but easy for someone to bypass. Since it prints the code to output, someone could easily press F9 or fn + F9 and they could get the code.

1 Like

It only prints it on the server side.
The code is never visible like that on the client side.
Normal users do not have access to the server side console.

5 Likes

Thank you for this convenient tool! Looking forward to seeing this being used in games.

2 Likes

It looks like this is reasonably easy to bypass (having the source code helps a lot).

In the video below, I have some Lua code running on the client that solves it and inputs the answer into the textbox. It would be simple to make this fire a remote with the answer instead.

Well. You could always encrypt the event and then decrypt it after. I have done it a few times before as I have had to deal with exploiters trying to get by it.

It’s better to have server side checks and better obstruction.
I have a debounce cooldown on the RemoteFunction, and I’ve added more obstruction to the text to make it harder to solve the code’s text art algorithmically.

By default, the player can only try 1 code every 1 second.
With the default Captcha length of 5, there are more than 7 million possible combinations.
If someone wanted to brute force it, it would take around 1944 hours or 81 days to try every possible combination.
You could change the settings to be once every 2 seconds, and it would go to roughly 162 days.
(This is not factoring in the fact that the randomly generated codes are filtered with Chat Service to make sure they don’t say anything inappropriate)

Not to mention, if the user gets the code wrong once then they get a new captcha.
Brute force is basically impossible.

3 Likes
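Added example (not the module's or the author's code) of the server-side checks dispeller describes above: the answer is generated and kept on the server, refreshes and answer attempts are rate-limited, a solved code is single-use, and any wrong answer discards the code and issues a new one. It assumes a RemoteFunction named CaptchaRemote in ReplicatedStorage and a renderTextArt(code) function standing in for the page's Text Art Letters module, whose real API is not shown in the thread.

```lua
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
-- Assumed names: a RemoteFunction "CaptchaRemote" in ReplicatedStorage, and a
-- renderTextArt(code) function standing in for the page's Text Art Letters module.
local remote = ReplicatedStorage:WaitForChild("CaptchaRemote")
local renderTextArt = require(script:WaitForChild("TextArtLetters"))
local CaptchaLength = 5        -- same defaults as the module
local refreshDebounceDelay = 1 -- seconds between refreshes
local attemptDelay = 1         -- seconds between answers (the "1 code every 1 second" above)
local sessions = {}            -- [player] = { code, lastRefresh, lastAttempt }
-- CaptchaLength distinct letters with no repeats, so the code space is
-- 26! / (26 - CaptchaLength)!, matching the module's comment.
local function generateCode()
	local pool = {}
	for i = 1, 26 do pool[i] = string.char(96 + i) end
	local out = {}
	for i = 1, CaptchaLength do
		local j = math.random(i, 26)
		pool[i], pool[j] = pool[j], pool[i]
		out[i] = pool[i]
	end
	return table.concat(out)
end
-- Issue (or re-issue) a code; only its text-art rendering ever leaves the server.
local function issue(player)
	local s = sessions[player] or { lastRefresh = 0, lastAttempt = 0 }
	s.code = generateCode() -- the real module also runs this through FilterStringAsync
	sessions[player] = s
	return renderTextArt(s.code)
end
remote.OnServerInvoke = function(player, action, answer)
	local now = os.clock()
	local s = sessions[player]
	if action == "refresh" then
		if s and now - s.lastRefresh < refreshDebounceDelay then return "cooldown" end
		local art = issue(player)
		sessions[player].lastRefresh = now
		return "ok", art
	elseif action == "answer" and s then
		if now - s.lastAttempt < attemptDelay then return "cooldown" end
		s.lastAttempt = now
		if type(answer) == "string" and string.lower(answer) == s.code then
			sessions[player] = nil -- single use: a solved code cannot be replayed
			return "passed"
		end
		return "wrong", issue(player) -- any miss discards the code and issues a new one
	end
	return "invalid"
end
Players.PlayerRemoving:Connect(function(player) sessions[player] = nil end)
```

The client only ever receives the rendering and a status string, so the per-player cooldowns, not the secrecy of the transport, are what bound a guessing attack.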

As I see in the open source, the correct answer is generated by the server and the dots for the captcha are sent from the server too, so I think an exploiter can’t bypass this.

5 Likes