Topic: Brute-forceable puzzle - free crypto for whoever manages to crack it [SOLVED] - page 3. (Read 941 times)
August 02, 2021, 08:10:11 AM
It means it could be BTC or ETH or both.
August 02, 2021, 08:02:36 AM
Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.
Does it mean that award is not on the first address (from first account)?
August 02, 2021, 06:29:21 AM
Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.
August 02, 2021, 05:25:12 AM
Field day 2, so to get a list of addresses that could've been OP's challenge address, I went to the "outputs" database dumps of Blockchair and downloaded the spreadsheets for August 1 and July 31 (the former was not available until today hence the wait). It is a little slow, but the download speed is a manageable 10 minutes on a high-speed ethernet network.
The next step is to (1) filter out all the coinbase outputs, (2) filter all the non- pubkeyhash outputs and (3) filter out all outputs <= $10.
Then we filter outputs that are less than $100 because let's be honest, a challenge worth less than $100 are not worth solving
when I applied this filter on the website it eliminated a surprisingly large number of transactions.
I am expecting to be left with some 10 thousand addresses which can then be placed in a bloom filter.
All spreadsheet software are either lagging or outright crash when I open the DB dump so I have to resort to dirty Python tricks again to apply the above.
I'm sure even most developers have trouble doing that.
The next step is to (1) filter out all the coinbase outputs, (2) filter all the non- pubkeyhash outputs and (3) filter out all outputs <= $10.
Then we filter outputs that are less than $100 because let's be honest, a challenge worth less than $100 are not worth solving
when I applied this filter on the website it eliminated a surprisingly large number of transactions.I am expecting to be left with some 10 thousand addresses which can then be placed in a bloom filter.
All spreadsheet software are either lagging or outright crash when I open the DB dump so I have to resort to dirty Python tricks again to apply the above.
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?
I'm sure even most developers have trouble doing that.
August 02, 2021, 01:26:46 AM
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?
Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.
Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.
August 02, 2021, 01:03:37 AM
What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words?
Encryption using a cryptographic strong encryption algorithm such as AES using a proper passphrase then creating proper backups from the encrypted result and the passphrase used and storing them separately.Quote
Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
Even though this is called "passphrase" but it is not encrypting anything, it is "extending" the seed phrase and should not be considered a proper security measure.P.S. https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
August 02, 2021, 12:59:01 AM
Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
Is it safer than storing it in plain-text? Yes. Does it give you a lot of more time to react and move your coins in case someone breaks in and steals your written down seed words? Yes.Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words? Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
August 02, 2021, 12:01:56 AM
Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
August 01, 2021, 01:09:39 PM
Oh it does 
it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call.
Hey, that's cheating! it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call.
August 01, 2021, 12:58:02 PM
Timezone/country doesn't matter
Oh it does
it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call. This assumes you made the transaction today though, where "today" begins at midnight, your timzeone.But if you don't tell us we can always assume it was made in Hawaii timezone (UTC-10) which isn't going to add too many extra addresses if we use its midnight as the starting point.
A few gems I'll post here; they are the basis for a client-server implementation I'm writing that'll let everyone share the load on their systems:
Server:
Code:
!/usr/bin/env python
# Python Network Programming Cookbook,
Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12
and Python 3.5.2.
# It may run on any other version with/without
modifications.
import socket
import sys
import argparse
host = 'localhost'
data_payload = 2048
def echo_server(port):
""" A simple echo server """
# Create a UDP socket
sock = socket.socket(socket.AF_INET,
socket.SOCK_DGRAM)
# Bind the socket to the port
server_address = (host, port)
print ("Starting up echo server
on %s port %s" % server_address)
sock.bind(server_address)
while True:
print ("Waiting to receive message
from client")
data, address = sock.
recvfrom(data_payload)
print ("received %s bytes
from %s" % (len(data), address))
print ("Data: %s" %data)
if data == "PROOFOFWORK":
pass
# validates via block explorer
elif data == "GETWORK":
# generate work and send it to client
else:
# unrecognized command
if proof_of_work == true:
message = "MATCH {} {} {}".format(address, pubkey, prvkey)
# send this to all clients:
for address in addressess:
sent = sock.sendto(message, address)
else:
# Normally this would be whether the work is
# the correct address or not but here we just
# insert a dummy
message = "NOTMATCH {} {} {}" .format(address, pubkey, prvkey);
sent = sock.sendto(data, address)
if __name__ == '__main__':
parser = argparse.ArgumentParser
(description='Seedshifter Cracker Server')
parser.add_argument('--port', action="store", dest="port", type=int, required=True)
given_args = parser.parse_args()
port = given_args.port
echo_server(port)
Client:
Code:
#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.
import socket
import sys
import argparse
host = 'localhost'
data_payload = 2048
def echo_client(port):
""" A simple echo client """
# Create a UDP socket
sock = socket.socket(socket.AF_INET,
socket.SOCK_DGRAM)
server_address = (host, port)
while true:
try:
# Send data
message = "GETWORK"
sent = sock.sendto(message.encode
('utf-8'), server_address)
# Receive response
message, server = sock.recvfrom(data_payload)
# get head of message
if message == "WORK"
# perform work on GPU
elif message == "FOUND"
# record private key, public key and address and break
break
else:
# ignore all unrecognized commands
except Exception as e:
break
print ("Closing connection to the server")
sock.close()
if __name__ == '__main__':
parser = argparse.ArgumentParser
(description='Seedshifter Cracker Client')
parser.add_argument('--port', action="store", dest="port", type=int, required=True)
given_args = parser.parse_args()
port = given_args.port
echo_client(port)
It won't run as is though because this is just a skeleton I found in a book and slightly adapted to act as a PoW server, similar to the stratum servers used in mining.
EDIT:
I just tried querying Blockchair's API, it limits me to 10 records per call, ironically I went to buy an API key but their only payment processor is PayPal (!) I mean, not even CC, much less crypto.
So this means unless someone already has an API key it is technically infeasible to gather a large number of addresses.
I think this highlights one of the big problems with the current state of APIs, namely, there is no easy way to [pay to] query them in bulk, if you can even query them at all - and Blockchair is pretty much the only one with this feature (blockchain.info has a very very limited set of endpoints).
August 01, 2021, 12:53:14 PM
I have a working solution - knowing address would make it much easier (faster), now I am stuck on creating list of addresses and checking them against addresses with balance (I must transfer file between machines etc.).
August 01, 2021, 12:27:51 PM
748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.
OP, which timezone/country are you in?
Did you move the coins in the address before or after you posted this challenge?
Timezone/country doesn't matter and I put the coins there before the challenge. The 2 dates I used are in 1900-2021 range, shifted in YYYY-MM-DD format from oldest to youngest date, so knowing that, the number of possible combinations lowers, because the 1st date you shift should always be older than the second. OP, which timezone/country are you in?
Did you move the coins in the address before or after you posted this challenge?
August 01, 2021, 11:54:36 AM
Doable...
Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.
OP, which timezone/country are you in?
Did you move the coins in the address before or after you posted this challenge?
UPDATE:
using python datetime() + timedelta of 693595 gives 1900-01-01 and + 738154 gives 2021-21-31, so that is our range, and the difficulty is:
Code:
minv=693595
maxv=738154
print(maxv-minv)
print(pow(maxv-minv,3))
import math
print(math.log(pow(maxv-minv,3),2))
44559
88472094168879
46.330287706213426
i.e. unless you have hundreds of CPUs then it's not doable on CPU. However 2^46 can be tackled by one GPU.
August 01, 2021, 11:23:48 AM
BIP44, and some more clues from Reddit: I used 2 dates from 1900-2021.
August 01, 2021, 10:28:32 AM
Doable...
Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
August 01, 2021, 10:09:01 AM
you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.
It's not a shitcoin wallet, and you wouldn't know how much (and of what) an encrypted wallet you found/stole contained either until you cracked it.I'll just say it has more than $10.
August 01, 2021, 10:00:42 AM
Put 0,5 btc to adders, send from this adress 0.0000000001 btc to any address, wait and you see result.
August 01, 2021, 09:44:12 AM
Quote
x amount of crypto
you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.
August 01, 2021, 09:01:11 AM
I saw this thread of "don't do's" on Reddit and decided to do the opposite; I will write down and post my mnemonic seed words for everyone to see:
There is an x amount of crypto I put there as an award for whomever manages to get ahold of it. It is encrypted with a date shift cipher using this script I wrote: Seedshift. I basically used 1-4 dates in YYYY-MM-DD format to shift the mnemonic words (modulo 2048 to wrap around the wordlist, you can do it manually without the script).
Basically you can brute-force my encrypted seed words by trying date combinations until you find the correct x ones I used and get the crypto prize.
This in itself could also be considered a real-time simulation of how long it would take for a potential thief (with programming background and who also magically knows it is encrypted with a date shift cipher) to steal my crypto before I manage to transfer it somewhere safe (and also to validate how safe and secure my method of storing my mnemonic seed words is).
So anyway, good luck to everyone and get crackin'!
Edit:
The puzzle got solved. See the write-up here: https://www.reddit.com/r/CryptoCurrency/comments/p2jkh3/how_i_solved_utoshiromiballzas_puzzle_in_just/
Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic
There is an x amount of crypto I put there as an award for whomever manages to get ahold of it. It is encrypted with a date shift cipher using this script I wrote: Seedshift. I basically used 1-4 dates in YYYY-MM-DD format to shift the mnemonic words (modulo 2048 to wrap around the wordlist, you can do it manually without the script).
Basically you can brute-force my encrypted seed words by trying date combinations until you find the correct x ones I used and get the crypto prize.
This in itself could also be considered a real-time simulation of how long it would take for a potential thief (with programming background and who also magically knows it is encrypted with a date shift cipher) to steal my crypto before I manage to transfer it somewhere safe (and also to validate how safe and secure my method of storing my mnemonic seed words is).
So anyway, good luck to everyone and get crackin'!
Edit:
The puzzle got solved. See the write-up here: https://www.reddit.com/r/CryptoCurrency/comments/p2jkh3/how_i_solved_utoshiromiballzas_puzzle_in_just/
Jump to: