Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!! - page 3.

OpenYourEyes

full member

Activity: 238

Merit: 100

Quote from: vampire on December 28, 2012, 12:44:26 AM

I think the password is 1Cpu

But since the logic of generating the hash isn't clear, it's hard to figure out the hash.

From his post above:

Quote

that address was just a complete fluke

Hmm, seems to be more of a challenge aimed at programmers with the highest spec machinery, which I am not, than a riddle.
I'll keep at it any way in case I get lucky.

vampire

hero member

Activity: 574

Merit: 500

I think the password is 1Cpu

But since the logic of generating the hash isn't clear, it's hard to figure out the hash. And even if we know the password, without the clear logic of generating this hash its hard to crack the gpg priv key.

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: OpenYourEyes on December 27, 2012, 11:09:57 PM

Why would he deliberately generate 1Cpu?

Actually I didn't - that address was just a complete fluke (used ./vanitygen 1) - but good try - final hint not far off.

OpenYourEyes

full member

Activity: 238

Merit: 100

Ah, ok. I thought guesses would be the amount of attempts it has made.

The fact the OP generated the bitcoin address with vanity gen seems a bit odd to me, so maybe the address has something to do with it.
Seeing as generating address past the 6 character mark is rather time consuming, I've been looking at the first few characters.
Why would he deliberately generate 1Cpu?

I've tried that with various salts but nothing yet.

K1773R

legendary

Activity: 1792

Merit: 1008

/dev/null

Quote from: OpenYourEyes on December 27, 2012, 07:52:07 PM

Quote from: K1773R on December 27, 2012, 07:36:06 PM

Quote from: OpenYourEyes on December 27, 2012, 07:08:22 PM

Quote from: CIYAM on December 27, 2012, 06:58:55 PM

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

I know I've read your post. I don't have a GPU, just a laptop.
Everytime I try JTR, I just stays at: "Guesses 0"

currently trying nasty on a budget server I'm renting out.

EDIT: nasty fails also. Oh well.

With your first clue "at least" I was taking a stab that it might be >=
as in "greater than or equal to" "at least"

Guesses 0 means 0 valid passwords found, as soon u see Guesses 1 u cracked it!

OpenYourEyes

full member

Activity: 238

Merit: 100

Quote from: K1773R on December 27, 2012, 07:36:06 PM

Quote from: OpenYourEyes on December 27, 2012, 07:08:22 PM

Quote from: CIYAM on December 27, 2012, 06:58:55 PM

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

I know I've read your post. I don't have a GPU, just a laptop.
Everytime I try JTR, I just stays at: "Guesses 0"

currently trying nasty on a budget server I'm renting out.

EDIT: nasty fails also. Oh well.

With your first clue "at least" I was taking a stab that it might be >=
as in "greater than or equal to" "at least"

K1773R

legendary

Activity: 1792

Merit: 1008

/dev/null

Quote from: OpenYourEyes on December 27, 2012, 07:08:22 PM

Quote from: CIYAM on December 27, 2012, 06:58:55 PM

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

OpenYourEyes

full member

Activity: 238

Merit: 100

Quote from: CIYAM on December 27, 2012, 06:58:55 PM

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

OpenYourEyes

full member

Activity: 238

Merit: 100

I've pretty much worked on this for 2 days straight since I've had a pretty lonely Christmas with a lot of time on my hands, but I think I'm going to throw in the towel as I think I must be doing something wrong. I'm very computer literate, but I think it's just a bit too much for me (I'm no crypto/gpg expert).
Thanks for your posting guys, I've learnt a thing or two.

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Well - we are not far off 350 confirmations and so well before we get to 400 I will just check whether those competing would rather:

1) I give a hint that will finish this in the next 10 hours or,

2) I add another 10 BTC and make the hint a little more vague.

dooglus

legendary

Activity: 2940

Merit: 1330

Quote from: CIYAM on December 27, 2012, 11:29:22 AM

EDIT: Oops I thought that would add to the bounty but apparently it didn't (I guess Bitcoin sent the output to the input)

Yes, the client chose the best-fitting output for your new payment and it just so happened that the same 10 BTC you sent the first time was the best fit for the second payment, so it re-sent the same 10 BTC output again.

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Just to check I didn't fuck up I have recovered the private key (using the exact script posted along with my changed line) and sent 10 BTC.

EDIT: Oops I thought that would add to the bounty but apparently it didn't (I guess Bitcoin sent the output to the input) - will look at that tomorrow (have to sleep now).

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: phr33 on December 27, 2012, 10:04:11 AM

I'm really trying to explain why this is not such a good idea as it might seem at first sight. But it's difficult

I really do *get* your point - but when you see how little I changed (and not randomly at all) I do think you might be forced to change your mind (after people have been hacking at it for days and have so far been unable to guess basically just a couple of minor changes to a very simple equation).

BTW - I am up for at least a 50 BTC challenge (open ended with no clues but you will be giving the GPG encrypted private key and the message that contains the Bitcoin private key out) with a new bash script (which I will publish) based upon the same idea (but I will use a 6 character initial password for that challenge - it's my money after all).

This is the Bitcoin way to build open source after all!

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: btctalk on December 27, 2012, 04:42:34 AM

after reading 10 pages, I guess I'll keep on reading instead of trying to solve the "riddle"... :-"

Actually believe or not that is the only thing that has prevented such a weak password from being cracked already (am almost tempted to release the weak password but won't do that until after the last hint).

phr33

full member

Activity: 226

Merit: 100

Quote from: CIYAM on December 27, 2012, 09:20:29 AM

Whist waiting for someone to solve this (IMO not so hard to solve) problem I have come up with an even better idea (more on this to come) and I have now added a "bcrypt" call to the script that I will be publishing in the distro I am creating for the purposes of doing the same thing I have done here (if starting with a 4 char password and a very simple math equation has proven so difficult the you can imagine how much harder the *real thing* will be).

The security still relies on the secrecy of your script. The script that will add most entropy relative to the script size is one that just XOR the silly 4 char password with some true random number. This random number could be selected to be of any size, but there would of course not be any point in selecting longer than the strength of the crypto it will be used in later (e.g. 256 bits).

You have just split the key in two. A small part that you choose to remember, and a longer part that you store on your computer. The drawback of your custom code is that it always will add less entropy than a simple true random number. The fact that you peraps easily can remember the "algorithm" is a sign that it does not add much entropy.

I'm really trying to explain why this is not such a good idea as it might seem at first sight. But it's difficult

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: cedivad on December 27, 2012, 09:15:25 AM

Can we know the exact length of the string and how many times was the password repeated?

The next hint should definitely help with this (but please remember that the point is that it is a riddle/puzzle - I will only give out the information you have requested in the *last* hint as I think it should be cracked within minutes after that).

Whist waiting for someone to solve this (IMO not so hard to solve) problem I have come up with an even better idea (more on this to come) and I have now added a "bcrypt" call to the script that I will be publishing in the distro I am creating for the purposes of doing the same thing I have done here (if starting with a 4 char password and a very simple math equation has proven so difficult the you can imagine how much harder the *real thing* will be).

cedivad

legendary

Activity: 1176

Merit: 1001

Quote from: CIYAM on December 27, 2012, 09:08:55 AM

Well the next hint isn't due for a while so you probably still have time.

Can we know the exact length of the string and how many times was the password repeated?

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Well the next hint isn't due for a while so you probably still have time.

Red Emerald

hero member

Activity: 742

Merit: 500

Well no luck so far. Here's the basics of my script for generating the dictionary.

Code:

#!/usr/bin/env python
import itertools
import hashlib
import string

dict_name = 'dict.txt'

with open(dict_name, 'a') as f:
    for pw in itertools.product(string.ascii_letters + string.digits, repeat=4):
        pw = ''.join(pw)
        for p in [
            '+'.join([pw]*2) + '=' + pw * 2,
            # you can put a bunch of different patterns here
        ]:
            hashed = hashlib.sha256(p).hexdigest()
            f.write(hashed+'\n')

print '~/src/JohnTheRipper/run/john --wordlist=%s hash' % dict_name

At first I was printing the hashes and then piping it to john, but it wasn't using all of my cores. I need to get CUDA running on this, or maybe play with it for a few minutes on my GPU miner.

Topic: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!! - page 3. (Read 13586 times)