pantaloons / 4charm

4chan client for Windows Phone
MIT License

Captcha Data is Corrupt #12

Open ghost opened 8 years ago

ghost commented 8 years ago

Lurking still works like a charm, however captcha does not work at all. Any idea how to update that? I am just a leecher myself but maybe someone has an idea.

snoozbuster commented 8 years ago

As mentioned in #10, ever since 4chan fully switched to noCAPTCHA (photo captcha) it doesn't work at all anymore. I looked into this a bit and found the following things.

  1. 4chan's official public API is read-only. Any third-party app allowing you to post is doing so by mimicking the way the browser makes a post.
  2. Because of this, any solution is naturally prone to suddenly breaking, as it relies on a non-public API.

That being said, I think that a good solution would be replacing the image captcha with a WebView (preferred) or WebBrowser control that would navigate to the noscript fallback URL (https://www.google.com/recaptcha/api/fallback?k=6Ldp2bsSAAAAAAJ5uyx_lx34lJeEpTLVkP5k04qc) and once success was detected, automatically copy the response token and submit it in the g-recaptcha-response field. WebView can expose fields in the HTML with a bit of JavaScript; another option instead of navigating to the captcha URL directly would be to create a local HTML file that just contains some boilerplate JavaScript and an iframe to the captcha fallback URL.

The downside would be that the interface is a little more clunky; when I was tinkering with it using the developer tools to inject and replace HTML you have to actually click a checkbox overlaid on the image instead of the image itself. This might be able to be remedied with some boilerplate JavaScript (after all, we just need the simplicity of the fallback noCAPTCHA, we don't actually need to use no JS) but it would be a bit of work and prone to breaking.

RailsRoyale commented 8 years ago

This was the solution I was also thinking about.

Do you know if the checkbox captcha is the only type of captcha to deal with? Does 4chan also use the 3x3 grid of images as a captcha? I mainly lurk so I don't know.

snoozbuster commented 8 years ago

The checkbox captcha is the 3x3 grid of images but the UI isn't quite as nice because it doesn't use JavaScript. I'll try and take a look at this today after I fix the problem with images that I introduced.

snoozbuster commented 8 years ago

So, I've hit a bit of a snag. I forgot that reCAPTCHA only allows requests from domains that are attached to the particular site key (presumably to prevent exactly the thing we're doing). My new theory is to load a legitimate 4chan page in an iframe (probably the main page for the current board) and then with either CSS or JavaScript, strip out everything we don't want. I think that will work.

EDIT: You aren't allowed to manipulate the contents of an iframe if it's a cross-site request. I have a new, extremely far-fetched theory. reCAPTCHA will always work if the Referer: (yes, that's the correct spelling) header is from localhost or 127.0.0.1. So, what I'm going to try to do is make a request to the fallback URL with a forged referer header, then either display the response or inject it into a local page or something like that. The thing is, I really, really doubt that the end result (if Google even lets us get that far, since each submission of a response goes to Google and they will presumably check the headers at that point and say "hey, you aren't who you say you are"), but even if we can forge all the headers correctly and get the response string, I really don't think that it will be valid when used on the production site.

I'll give it a try tomorrow, but I can't see any other workaround for this. Now, what might be possible is adding support for posting if users have a 4chan pass. It should be as simple as pointing a WebBrowser at sys.4chan.org/auth and then storing the cookie and submitting it with future requests; then we can avoid the whole captcha thing in the first place. I'm not really too keen on spending $20 or whatever it is to try it, though.

I'm going to take a look at other 4chan apps if I can and see if they have reply functionality and how they do it.

EDIT2: Clover, an open-source Android 4chan app, has posting support, so it is possible. I emailed Floens, hopefully he can shed some light on their solution.

snoozbuster commented 8 years ago

Floens replied to me and the code he pointed out was helpful, but it simply doesn't work on Windows Phone. If I use Python's SimpleHTTPServer on my machine to host the page and then browse to it through http://localhost/... it works, however. I'm thinking that the implementation of the web browser on Android either sends a referrer of localhost for local pages or hosts a secret web server internally or something like that. I tried using NavigateToString to navigate to a constructed piece of HTML that contained reCAPTCHA JS hoping that using dynamic instead of static content would work, but it didn't help. What I'm going to try next is replacing the image display with a web browser and hooking its Navigating event to a custom function that intercepts the target destination, makes a request with forged headers, and then displays the response with NavigateToString. If I use the noJS version of the captcha it should work, crossing fingers. It's going to take a little bit of retooling though and I want to see if Floens has any more insight on the topic before I go through with it.

M0ti0n commented 8 years ago

I don't know Clover, but ImageBoard Browser is a WP 8.1 4chan client that supports posting. And it works OK (posting). Maybe you could implement posting in 4charm in a similar way?

snoozbuster commented 8 years ago

That's a good question. Do you know if that app is open source?

M0ti0n commented 8 years ago

Don't know, but you can contact him here http://imageboard.uservoice.com/

M0ti0n commented 8 years ago

Did you have any luck finding out how captcha is done in ImageBoard Browser?

snoozbuster commented 8 years ago

I haven't, I've been pretty busy and haven't been working on this much (mainly because there's been mostly radio silence from pantaloons). It looks like you can only email him from the app; I assume you have it? Do you want to send him an email explaining the situation and sending him a link to this thread?

M0ti0n commented 8 years ago

I had no luck making contact through mail. Maybe you could try Twitter if you have it? I don't have it.

M0ti0n commented 8 years ago

Since we can't fix the captcha issue in the 4charm app itself, how hard would it be to implement posting via the Edge browser? So when I click reply it opens the thread in Edge with the reply window ready?

kevingosse commented 7 years ago

Did you have any luck finding out how captcha is done in ImageBoard Browser?

@M0ti0n

ImageBoard Browser is now open-source, so feel free to pick the bits you need: https://github.com/kevingosse/Imageboard-Browser

Cheers.