acheong08 / ChatGPT

Reverse engineered ChatGPT API
GNU General Public License v2.0
[BUG] infinite loop while init a chatbot #385

Closed iaston closed 1 year ago

iaston commented 1 year ago

Describe the bug

When initializing a chatbot, it got stuck in an infinite loop, even though I have cleared all cookies in Chrome.

To Reproduce

Steps to reproduce the behavior:

  1. Run the sample code in Python 3.9 as shown in the screenshot.
  2. Wait, and the error will show.

Expected behavior

Output

In the correct directory, run python3 -m revChatGPT --debug

Environment (please complete the following information):

Please update your packages before reporting! pip3 install --upgrade OpenAIAuth revChatGPT

Additional context

Add any other context about the problem here.

acheong08 commented 1 year ago

A few possibilities:

  1. Expired session token
  2. Using proxy (which sometimes leads to Cloudflare issues)

Svenskithesource commented 1 year ago

A few possibilities:

  1. Expired session token
  2. Using proxy (which sometimes leads to Cloudflare issues)

I'm facing the same issue and it's definitely neither of the possibilities you mentioned. I'm not using a proxy and I double-checked my session token.

acheong08 commented 1 year ago

That is very strange. Does it say "failed to refresh session" or repeated "Browser spawned"?

acheong08 commented 1 year ago

It's a bit difficult to resolve when I can't replicate it, so as much detail as possible would be appreciated.

OS version:
Python version:
Chrome version:
Country:
Selenium version:
Undetected Chromedriver version:
Full error logs and output:

Put output in code block

Svenskithesource commented 1 year ago

acheong08 commented 1 year ago

Cookie is found but it doesn't pass cloudflare. It could be a bug with some form of fingerprinting. Any way for me to replicate this?

On another note, does this also happen with Microsoft login or email/password? If you don't have 2captcha, you can find some leaked on GitHub: https://github.com/search?o=desc&q=config+%3D+%7B+++++++++++++%27server%27%3A+++++++++++%272captcha.com%27%2C+++++++++++++%27apiKey%27%3A+++++++++++%27&s=indexed&type=Code (lol)

Svenskithesource commented 1 year ago

I don't have access to an OpenAI account with email/password or Microsoft. This is the webpage that gets returned which causes the clearance refreshing to happen.

<!DOCTYPE html>
<html lang="en-US">
<head>
    <title>Just a moment...</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge">
    <meta name="robots" content="noindex,nofollow">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <link href="/cdn-cgi/styles/challenges.css" rel="stylesheet">

</head>
<body class="no-js">
    <div class="main-wrapper" role="main">
    <div class="main-content">
        <h1 class="zone-name-title h1">
            <img class="heading-favicon" src="/favicon.ico"
                 onerror="this.onerror=null;this.parentNode.removeChild(this)">
            chat.openai.com
        </h1>
        <h2 class="h2" id="challenge-running">
            Checking if the site connection is secure
        </h2>
        <noscript>
            <div id="challenge-error-title">
                <div class="h2">
                    <span class="icon-wrapper">
                        <div class="heading-icon warning-icon"></div>
                    </span>
                    <span id="challenge-error-text">
                        Enable JavaScript and cookies to continue
                    </span>
                </div>
            </div>
        </noscript>
        <div id="trk_jschal_js" style="display:none;background-image:url('/cdn-cgi/images/trace/managed/nojs/transparent.gif?ray=781bfefe58cbd484')"></div>
        <div id="challenge-body-text" class="core-msg spacer">
            chat.openai.com needs to review the security of your connection before proceeding.
        </div>
        <form id="challenge-form" action="/api/auth/session?__cf_chl_f_tk=blurred" method="POST" enctype="application/x-www-form-urlencoded">
            <input type="hidden" name="md" value="8vuXGXcnYikblurredH7bI8-1672416107-0-Ae3RBkp4Fc7pMdMRIt_HxITjyK_K5Dgx-rTE1MzQyRU71xgISXui8HY5L2peGUS_8PozC0bZ_abm9Bfi5fsYblurredzfxpbm7t_fg6qn-UIp2JNtwypAW3IDSblurrediOukqLo0qgnR64OI_0a0BG1WR2c6w7c2U2SNeLmUxaZiixW03G0phb90WTWJJnPUlgqlwVsXGbYQqoHcERryM3vB8HWrIWcucJ1uRytQqOozU3M_XWJEnnbJcC01rgLwVA8yiY2cKWaQucoMrWJgGrQuIOwUsaOykDwYlxNHG-8Pe49i_8mQ_QDzpoWuyvqjovwej6OPM5y6WblurrediucWvqs7L">
            <input type="hidden" name="r" value="lGOkOaOy_jSUfLN46ESIPoWhCCEq1.H08Pfk8eptYZw-1672416107-0-AQT3jHXdkhBn3X890Ev7nBq9V0rZ5dglenaXHJcDp3oigcDmYEsYE/xwmFJGuWp8+2JZo5k2uzgf1BdoPo7Cvl2lO4ko25tYal6iluxlNjjlgQF6b+grEENgYrmbnpVCNCVf+eJIF1uJg9EK588S5BsIN0ItntmfJ8IvcgzGeSiYzM4tAX1J5MQUQU4LYzyllnHz++gyu/Nn0ANU6m91L5wiyjZZtFy/elpblurredWo+I5ts8TIFEGIwYJj7ACPllA8Z1+bXKK6w/79Z1HVpGNIz2Zo3kdrK1jMBnMxsjQAI9+c64R19NOQReUW3KuFlx63dJK8TOBFKTAEwFkQBtPTwTKW7/rj7cP1RzCbXVtqcW5KffgqG269qmRr8ZarEHCiONV9Mv165AsGrj3tonuu4H+stuNQRO2oDmQ4M7AvlDhk8lWOrAAOK0NsLHv/q6UNmeumghGH1liEuu7XKop9irdHjRtlJS0Vh5PcYqVPbRtXEYUx791tf8UTJoWOPRhbgf4Thzfxe4OHDPf/WW6g/25N/SYICb/5doDcw37+DEtoDITMWsBymiYIZ11ZS9+0TmpUjBd4Igt8C1Hhg2KReIIYkaZJmRnJg9c+Bo/mIBcoCNgNoYbBOTSnyI+vOOInH+MT5U1oNQBKYtuobOzg0JXQ3NSjwluu3w/M401TrLORZbclblfE9S3ya+UgV0FAE/Lo1icXj3Uz4H3Z5UD1VaIfWGrm4/pNQfHDFxAIJuZGkJxB3ZHoQAsiyB7aM8ynnebzMgL12QOx1Y2TnKMW8+lYxXko2HnGTLwlwEaFQaX5OH0LL+X98ysSk33Z53CwBAxlCkvEou2Uy8NmzUQjZhAVbLtehuwyisLVM1Ob5JxmnxHvOiQ7P7W5lZc206udcH3VFCgO/7Sek92C+snhEFont8Uzpu5OwCM5RwRF0mnSqZjO2AFdR1JrnyKe+cxZ1B7h+UZyFXCamabVVHnkUsQH/DBSzRBtdlTXeu5kSGmKQtTQYjhGOvYjm3EFOqr9QR2Yk+QVlblurredGu6+uxsLOXRWGl2sTftbdy1rXgXj0ucBmHhKj+VefW07r1Q9Go7BK8hl2r6w41ivAKFt4FHmPALyAu6Ttqvd9FwkAPJNoHLfod5p3EwwBFxeB7ywPzM2nA+Fjh1/RP86BHrsY6XE07Ci8vALGM27636YD32WCz6ST84RY9cqiCiAPsmequXXXhauMst+D8xOgCXxOlEgSXEWw819fCnXwyFGb7NK9oS0k94QWYZg3dznrQihmVTjZMXL4B1Bo3FQ5DX7AalyWF8HvP/XWukymotGMvEGKtrBpU8dksIeaTWz/3xWJq6FhZ7gbQ2tv11yef7Hs0ALvzurZ41kDcGyCx8T9eM98ZTANDtY44+H61r8BoLowbjA0zEW6l/4T1KjHCMNTIGEKR/FepQCZJN13IvXEYpCkgG5YpZSo4tFXU4gttp8yIDMcWxb/N45HrXeNc3xMgjrzoeGV6a3SfcQCVFQp4vRG3mipHTnDJby63LzSgPHxrbpX8QU59Eyq+5BBwowA4KergO4ZWES85ToRMCC1mvFRDNPC4R2pxVSyU5hX4wgkAASDD5yQofX8uynXaFw8dhJN00I4vh+7d+6qpZvAZGfk+pAuqdxj5LyL13AlV0f9oxexkTkKh2nxtQJaAi6L8N1/BVAigF3SseNDlFgoTDixFeZXYNJixdateaeXSpsiSpb4JZ+xoep3easNP2p1qdTb0XFXKnK+TqpPnyTbeEC3xIIjgrgvdcpJpwNaYtpT+zy+tuQi6mS3XvIYNLMPGBspm6yTA0ZP1m2Z6u3v6WRim73FjSSG7cYTo1E8s">
        </form>
    </div>
</div>
<script>
    (function(){
        window._cf_chl_opt={
            cvId: '2',
            cType: 'managed',
            cNounce: '69909',
            cRay: 'blurred',
            cHash: 'blurred',
            cUPMDTk: "\/api\/auth\/session?__cf_chl_tk=blurred",
            cFPWv: 'g',
            cTTimeMs: '1000',
            cTplV: 4,
            cTplB: 'cf',
            cRq: {
                ru: 'blurred',
                ra: 'blurred',
                rm: 'R0VU',
                d: 'blurred',
                t: 'blurred=',
                m: 'blurred=',
                i1: 'blurred+Q==',
                i2: 'OF0++blurred==',
                zh: 'blurred+blurred=',
                uh: 'blurred+ejtUZNcz6o7wFM=',
                hh: 'blurred=',
            }
        };
        var trkjs = document.createElement('img');
        trkjs.setAttribute('src', '/cdn-cgi/images/trace/managed/js/transparent.gif?ray=blurred');
        trkjs.setAttribute('style', 'display: none');
        document.body.appendChild(trkjs);
        var cpo = document.createElement('script');
        cpo.src = '/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=blurred';
        window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;
        window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, -window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;
        if (window.history && window.history.replaceState) {
            var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;
            history.replaceState(null, null, "\/api\/auth\/session?__cf_chl_rt_tk=blurred" + window._cf_chl_opt.cOgUHash);
            cpo.onload = function() {
                history.replaceState(null, null, ogU);
            };
        }
        document.getElementsByTagName('head')[0].appendChild(cpo);
    }());
</script>

    <div class="footer" role="contentinfo">
        <div class="footer-inner">
            <div class="clearfix diagnostic-wrapper">
                <div class="ray-id">Ray ID: <code>blurred</code></div>
            </div>
            <div class="text-center">Performance &amp; security by <a rel="noopener noreferrer" href="https://www.cloudflare.com?utm_source=challenge&utm_campaign=m" target="_blank">Cloudflare</a></div>
        </div>
    </div>
</body>
</html>

So I think there's something wrong with bypassing cloudflare rather than the session token. Maybe the tls package is detected. I checked if it sends the correct cf_clearance cookie and the user agent and the session token and all are sent correctly.

acheong08 commented 1 year ago

I don't have access to an OpenAI account with email/password or Microsoft. This is the webpage that gets returned which causes the clearance refreshing to happen.

That is confusing. Then how are you getting a session token?

So I think there's something wrong with bypassing cloudflare rather than the session token. Maybe the tls package is detected.

It is either that or the IP address or user agent from which you got the cf_clearance differs from the Chrome browser.

It's unlikely that the TLS package is getting detected as that should be universal and it seems to be working for most people. Still a possibility though

Svenskithesource commented 1 year ago

That is confusing. Then how are you getting a session token?

I'm using a Google account for my openai account.

It is either that or the IP address or user agent from which you got the cf_clearance differs from the Chrome browser.

Both user agent and cf_clearance are grabbed by the program from the browser so those don't differ. I also don't have any kind of proxy or VPN enabled so the IP should be the same.

acheong08 commented 1 year ago

I suppose it is probably a TLS fingerprint issue then. Do you know how to find the JA3 fingerprint in wireshark?

acheong08 commented 1 year ago

Another possibility: Cloudflare is now tracking the JA3 fingerprint across sessions. I might need to update the default JA3 fingerprint. The default right now is chrome_105 but you have chrome_108.

Svenskithesource commented 1 year ago

I suppose it is probably a TLS fingerprint issue then. Do you know how to find the JA3 fingerprint in wireshark?

JA3: 9e316a9ca82900f98871744be5d2e7e9

JA3 Full-String: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,11-5-18-35-43-45-0-13-10-17513-27-23-16-65281-51-21,29-23-24,0

Another possibility: Cloudflare is now tracking the JA3 fingerprint across sessions. I might need to update the default JA3 fingerprint. The default right now is chrome_105 but you have chrome_108.

I changed it to chrome_108 but it's still behaving the same.

Svenskithesource commented 1 year ago

Just tried to manually specify the ja3 but still the same behaviour

acheong08 commented 1 year ago

I'm getting completely different JA3 fingerprints.

JA3: bc43e9c6f0fcbca8d1b85b102df4c7cf

Svenskithesource commented 1 year ago

I'm getting completely different JA3 fingerprints.

What's your chrome version?

acheong08 commented 1 year ago

108

acheong08 commented 1 year ago

It might not be JA3 fingerprints though. Might be another mechanism I'm unaware of

Svenskithesource commented 1 year ago

Can you share your ja3 fingerprint and full chrome version

acheong08 commented 1 year ago

Chromium 108.0.5359.124 snap

Frame 265: 569 bytes on wire (4552 bits), 569 bytes captured (4552 bits) on interface wg1, id 0
Raw packet data
Internet Protocol Version 4, Src: 10.66.66.2, Dst: 93.184.216.34
Transmission Control Protocol, Src Port: 55230, Dst Port: 443, Seq: 1, Ack: 1, Len: 517
Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random: a13b1696150a22356632c207f7b41a9e79a06bc89003e5907bef85d093c170f4
            Session ID Length: 32
            Session ID: 012c4b3e7f280eb7f9dd1d759a191b95ca3121d4c9f24f912b64693ce8b71507
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 403
            Extension: Reserved (GREASE) (len=0)
            Extension: server_name (len=16)
            Extension: extended_master_secret (len=0)
            Extension: renegotiation_info (len=1)
            Extension: supported_groups (len=10)
            Extension: ec_point_formats (len=2)
            Extension: session_ticket (len=0)
            Extension: application_layer_protocol_negotiation (len=14)
            Extension: status_request (len=5)
            Extension: signature_algorithms (len=18)
            Extension: signed_certificate_timestamp (len=0)
            Extension: key_share (len=43)
            Extension: psk_key_exchange_modes (len=2)
            Extension: supported_versions (len=7)
            Extension: compress_certificate (len=3)
            Extension: application_settings (len=5)
            Extension: Reserved (GREASE) (len=1)
            Extension: padding (len=204)
            [JA3 Fullstring: 771,51914-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,27242-0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-56026-21,51914-29-23-24,0]
            [JA3: bc43e9c6f0fcbca8d1b85b102df4c7cf]
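
An added example (not part of the original thread and not the project's code): it parses the two JA3 full strings quoted in this thread, drops RFC 8701 GREASE values as the JA3 specification says to, and reports per field whether the two captures are the same, reordered, or different. All function names are illustrative.

```python
import hashlib

# JA3 full strings quoted in this thread (A: posted as text, B: from the Wireshark dump).
JA3_A = ("771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,"
         "11-5-18-35-43-45-0-13-10-17513-27-23-16-65281-51-21,29-23-24,0")
JA3_B = ("771,51914-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,"
         "27242-0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-56026-21,51914-29-23-24,0")

FIELDS = ("ciphers", "extensions", "curves", "point_formats")


def is_grease(value):
    """RFC 8701 GREASE code points: 0x0A0A, 0x1A1A, ... 0xFAFA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def parse_ja3(full_string):
    """Split 'version,ciphers,extensions,curves,point_formats' into integers."""
    parts = full_string.strip().split(",")
    if len(parts) != 5:
        raise ValueError("JA3 full string must have exactly 5 comma-separated fields")
    parsed = {"version": int(parts[0])}
    for name, raw in zip(FIELDS, parts[1:]):
        parsed[name] = [int(x) for x in raw.split("-") if x]  # empty field -> []
    return parsed


def strip_grease(parsed):
    """Return a copy with GREASE values removed from every list field."""
    out = {"version": parsed["version"]}
    for name in FIELDS:
        out[name] = [v for v in parsed[name] if not is_grease(v)]
    return out


def to_full_string(parsed):
    return ",".join([str(parsed["version"])] + ["-".join(map(str, parsed[n])) for n in FIELDS])


def ja3_hash(full_string):
    """JA3 is the MD5 hex digest of the full string."""
    return hashlib.md5(full_string.encode("ascii")).hexdigest()


def compare(a, b):
    """Per field: 'same', 'reordered' (same values, other order) or 'different'."""
    result = {"version": "same" if a["version"] == b["version"] else "different"}
    for name in FIELDS:
        if a[name] == b[name]:
            result[name] = "same"
        elif sorted(a[name]) == sorted(b[name]):
            result[name] = "reordered"
        else:
            result[name] = "different"
    return result


def analyze(first, second):
    a, b = strip_grease(parse_ja3(first)), strip_grease(parse_ja3(second))
    return {"diff": compare(a, b),
            "hashes_match": ja3_hash(to_full_string(a)) == ja3_hash(to_full_string(b))}


if __name__ == "__main__":
    print(analyze(JA3_A, JA3_B))
```

For the two strings in this thread, the only difference left after GREASE removal is the order of the extension list, and because JA3 hashes the list in order, that alone yields a different MD5.
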

Svenskithesource commented 1 year ago

Can you try to use the same version as me?

acheong08 commented 1 year ago

My internet is shit and Chrome will probably take an hour to download (and it's 1AM). Maybe tomorrow

Svenskithesource commented 1 year ago

I'm noticing a difference that I'm using ipv6 and you're using ipv4 in Google Chrome. Maybe that is something that will cause problems if the tls package uses ipv4.

acheong08 commented 1 year ago

The TLS client is very rudimentary so I doubt there is intentional / well thought out ipv6 support. I forked it with minor changes and didn't read the full source code. Can you try using it with ipv4?

Svenskithesource commented 1 year ago

Looks like it does use ipv6 when I checked with wireshark. I also noticed the browser spawned by selenium has a different ja3 than the normal browser. I will try to force it to use ipv4 but I'm not sure how to do that.

acheong08 commented 1 year ago

Not sure on Windows but there should be a network setting for that. https://superuser.com/questions/436574/ipv4-vs-ipv6-priority-in-windows-7

Svenskithesource commented 1 year ago

Yup, using ipv4 still has the same issue. Interestingly the ja3 of the normal browser changed. Maybe that one is randomized? For some reason Wireshark also doesn't pick up the openai requests from the selenium browser but only the normal browser. Also just for information, when the program starts the browser is it supposed to be logged in?

acheong08 commented 1 year ago

Also just for information, when the program starts the browser is it supposed to be logged in?

Not if you're using session token

acheong08 commented 1 year ago

Maybe that one is randomized?

Possibly. It may be specific parts of the JA3 string it picks up on

acheong08 commented 1 year ago

selenium browser

Rather than opening up selenium, mine spawns my default browser. Is that not the case for you?

Svenskithesource commented 1 year ago

selenium browser

Rather than opening up selenium, mine spawns my default browser. Is that not the case for you?

Mine also spawns my default browser, I assumed it was slightly different because they had different ja3 but now that I noticed that the normal browser randomizes them I'm not sure that they're different. I can't check if the ja3 of the browser spawned by selenium is different because wireshark doesn't pick those requests up anymore.

acheong08 commented 1 year ago

I have no idea what is going on and can't fix it. Need help from others experiencing this issue

AprilNEA commented 1 year ago

I have the same problem in Windows

acheong08 commented 1 year ago

Bug in TLS-client could be contributing factor: https://github.com/FlorianREGAZ/Python-Tls-Client/issues/25

Session cookies not getting updated

acheong08 commented 1 year ago

Check out acheong08/ChatGPT-lite. It solves all the annoying browser problems at the cost of your privacy

AprilNEA commented 1 year ago

Check out acheong08/ChatGPT-lite. It solves all the annoying browser problems at the cost of your privacy

It does not appear to be able to authenticate as an email and password.

acheong08 commented 1 year ago

Yeah. No email/password support there yet

AprilNEA commented 1 year ago

Yeah. No email/password support there yet

Is this session fixed, or will it expire?

acheong08 commented 1 year ago

It automatically refreshes on the server side

AprilNEA commented 1 year ago

It automatically refreshes on the server side

Wow that's cool

acheong08 commented 1 year ago

@PawanOsman's work

xLolom commented 1 year ago

I am facing a similar issue. However, by switching from sessiontoken to email+password+2captcha authentication (not sure it's related tho) I am now able to pass the login phase on the ChatGPT website. But after that I am back again stuck in the infinite loop.

I ran in debug mode and the functions that spawn a browser are executed in this order: email_login -> get_cf_cookies -> get_cf_cookies -> get_cf_cookies -> ...

I'm thinking that the function refresh_session() might be calling get_cf_cookies() again and again.

acheong08 commented 1 year ago

The reason here is that refresh session is returning a cloudflare page rather than the intended data. Might be due to new cloudflare protections put in place. I haven't been able to replicate this though.

xLolom commented 1 year ago

Would you need any data about my setup to compare the difference with yours? Or could you provide somewhere an example (screenshot, gif, video,...) of the expected behavior? I'm intrigued to know what it is like.

acheong08 commented 1 year ago

Screencast from 01-07-2023 12:36:10 AM.webm

^

xLolom commented 1 year ago

Well I am not sure why, but everything is now working perfectly for me without having to do anything 🙃 It's a good thing, I guess

moonmengmeng commented 1 year ago

chongfu I got the same problem, and can not solve it.....