What difference does it make that the challenge.jar code (client side) originates the string to be matched?
The difference is that a CAPTCHA is used to assure the server that the visitor is not a robot, so at some point the server must know the security code.
In your sample this is a randomly generated string (client side) of 2 characters, but now how would you tell the server that the client is not a robot?
You will probably send a boolean flag to the server saying the client is OK, but this network packet can simply be reproduced (using a proxy, Wireshark or equivalent software).
Another possible hack would be to grab your applet jar file and then disassemble, modify & recompile it.
1 - the security code must not be transmitted over the network in a readable format: it must be sent to the client as an image / a video
2 - the code entered by the visitor must be sent to the server: the server has to validate or invalidate it (not the client)
This way the client never really receives/knows the security code, and the algorithm to decode the security code is not present on the user's computer (transferred in an image with some noise, your client application must NOT be able to decode the security code).
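The two designs contrasted in this answer, as an added example that is not part of the original post: a server that trusts a client-sent "I passed" flag (replayable), beside a server that generates the code itself, keeps it server-side, and checks each challenge once. `render_challenge` is an assumed stand-in for the real image renderer; it only has to return something that does not carry the answer text.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def insecure_server_accepts(packet: dict) -> bool:
    """Flawed design from the question: the client tells the server it
    passed. One captured packet can be resent indefinitely."""
    return packet.get("captcha_ok") is True


def render_challenge(answer: str) -> bytes:
    """Assumed stand-in for drawing the code as a noisy image. A real
    deployment rasterises `answer` here; this placeholder only returns an
    opaque handle so that the answer text never appears in the response."""
    return b"image/png;handle=" + secrets.token_hex(8).encode()


class CaptchaServer:
    """Server-originated CAPTCHA: the code is generated, stored and
    validated only on the server. The client sees just the rendering."""

    def __init__(self, length: int = 6) -> None:
        self.length = length
        self._pending: dict[str, str] = {}  # challenge id -> expected code

    def issue_challenge(self) -> tuple[str, bytes]:
        # secrets, not random: the code must be unpredictable
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = answer
        return cid, render_challenge(answer)

    def verify(self, cid: str, submitted: str) -> bool:
        # pop() makes every challenge single-use: a wrong guess burns it,
        # and a captured correct submission cannot be replayed
        expected = self._pending.pop(cid, None)
        if expected is None:
            return False
        # constant-time compare so timing does not leak the expected code
        return hmac.compare_digest(expected, submitted.strip().upper())
```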