The Arcive of Official vBulletin Modifications Site.

Harmor's Bot Protection · **Released**: 04-12-2007

Here is a demo

Let me explain how this works.

On the registration page a potiental user has to enter a random character of a word.
I have done something different though. It randomly selects a username from the database to be used as the word.

Some of you may be asking "Can you explain how it does the checking"?
On the registration page I have a hidden form that contains a hashed version of the correct character. After the form is submitted it checks if the the hashed version of the character you typed against the correct hash.

If you installed this hack you can enable it by going to
vBulletin Options --> User Registration Options
The option to enable/disable the feature and to add your own hash are at the bottom.

If you are upgrading this hack you'll need to edit the "register" template.

Go to your ACP >> Styles & Templates >> Style Manager
Expand the template you want to edit.
Expand the Registration Templates category

Open: register
Find:

HTML Code:

What is the first character of <b>$ahbot[username]</b>?

Replace with:

HTML Code:

What is the $char_loc character of the word <b>$ahbot[username]</b>?

Pyrix · #12 04-13-2007, 12:12 PM

Just thinking, you may be able to secure it a little more by appending the vbulletin license number (or a random string stored in vb options) to the character before you hash it (both times). This is known as 'salting', and would make the 'MD5 hash table' bypass much, much harder. You might want to Google that and read up on it

Don't know what you can do about the other thing though - you could turn it into an image but then what advantage does it give over vb's default captcha?

harmor19 · #13 04-13-2007, 01:19 PM

Can bots read the source code?

DiSpy · #14 04-13-2007, 01:41 PM

Pyrix is right, salting the hash would work wonders... may I suggest letting the admins choose their own salt in the admin CP. That way each board has it's own salt.

The second issue about the bot automatically "looking at the webpage" for a value, can also be solved using the admin CP. Just let users customize the question in thier own words, and customize the title (where it says "Harmor's Bot Protection" and "What is the first character of" in the screen shot).

Also, I was thinking... how hard would it be to allow the admin to choose EITHER the 1st, 2nd, 3rd character the users should enter (set via admin cp). This would make is at least not exactly the same on all boards, and since vB has min usernames set at more than 3, it should always work.

Just my $0.02 cents.

harmor19 · #15 04-13-2007, 02:22 PM

Hopefully I increased the security of this hack. It now selects a random character instead of asking the user to enter the first character.

Here is a snippet of code I added.

PHP Code:


			
if(empty($vbulletin->options['harmor_bot_protection_hash']))
{
  $vbulletin->options['harmor_bot_protection_hash'] = "gwetg7gaswegty7sawfrtq2w6t";
}

$word = $ahbot['username']{$ah_rand - 1};
$hash = md5(md5($word).$vbulletin->options['harmor_bot_protection_hash']);

The screenshot has been updated as well. Attachment 63065

Mr Chad · #16 04-13-2007, 04:20 PM

Quote:

Originally Posted by harmor19

Can bots read the source code?

of course they can...

they filter through the source to find hash's so they can do things (and the hashs were made to stop them).

harmor19 · #17 04-13-2007, 04:29 PM

Quote:

Originally Posted by Mr Chad

of course they can...

they filter through the source to find hash's so they can do things (and the hashs were made to stop them).

Thanks for answering my question.

smess · #18 04-13-2007, 09:53 PM

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??

harmor19 · #19 04-13-2007, 10:06 PM

Quote:

Originally Posted by smess

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??

I didn't take that into account. I'll update the hack soon. Thank you for pointing that out.

harmor19 · #20 04-14-2007, 07:14 AM

Quote:

Originally Posted by smess

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??

I have updated the hack to remove spaces in usernames. "no gas" becomes "nogas".

TeamDevotion · #21 04-16-2007, 04:12 AM

Isn't this the point of image verification?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05309 seconds Memory Usage 2,317KB Queries Executed 25 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (2)bbcode_html (1)bbcode_php (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (11)post_thanks_box (11)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (11)post_thanks_postbit_info (10)postbit (11)postbit_onlinestatus (11)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!