Education in Futility: WarpWallet Brute Forcing

So, WarpWallet is a so-called brain wallet for Bitcoin. That is, you only have to remember a relatively short password and it generates the corresponding private key for use. It uses a memory- and CPU-hard set of cryptographic algorithms to ensure that brute-forcing is slowed way down. That is, when generating the private key, it takes considerable time. Their JavaScript implementation takes over 10 seconds on my machine.

So the makers of it had challenges set up. By the time I stumbled on it, only the last challenge was left, with 6 months remaining. For that challenge, the reward for cracking an 8-character alphanumeric password was 20 BTC (and BCH and BTG!), which was worth over $100,000 USD at the time of the challenge end date.

Since their JavaScript implementation is terribly slow, I wondered if anyone had ported it to any other language, and found a Go version, but it was outdated and would not compile. So, as my first exercise in Go, I updated it and got it compiling. Instead of 10+ seconds per keypair generated, it took about 1 second. But it took input from the command line, so I decided to make a brute forcer that used this newly updated generator. It would feed it the passphrase and salt and store the result (the private key and public key) and then I could parse these results later.

So the basic design was this:
My WarpWallet Brute Forcer (using Go WarpWallet implementation) -> SQL Database

The brute-forcer underwent many revisions. First it checked the history of passphrases to ensure no duplicates were stored, but this eventually took longer than the time to generate private keys, slowing the whole process down. So it was eliminated (and there was virtually no chance of generating the same passphrase twice, the same odds as finding the correct passphrase).

It also did not store anything at first besides the date and the passphrase. The client checked each public key against the target one and discarded the result. This meant if the client was killed before I could check the output, I was out of luck! Later improvements added the private key, public key, and the hostname of the computer that generated it (as I used all available idle personal computers to do so).

Another misstep was having the Go pipeline switch sleep. First it slept 100 ms if no channel had data or their buffers were full, then I increased it to 250 ms inexplicably, then realized it waits by default. So this was leaving processing power on the table. Removing the sleep command on my main desktop gave a ~20% improvement in performance (from 5.12 to 6.14 keypairs/s on an i7). Below are the contributions from various machines. The IPs at the end are AWS servers, the largest chunk of which was from a c4.xlarge machine over a single day!
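The blocking behaviour described above, as an added example that is not the code from this project: a generator, worker and collector pipeline in which channel operations and a `select` without a `default` case do all the waiting, so no sleep is needed. The `derive` function is a hypothetical SHA-256 stand-in for the real WarpWallet derivation, and all names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
)

// derive stands in for the slow WarpWallet derivation (assumption: the real one
// needs scrypt and PBKDF2, which are outside the standard library).
func derive(pass string) [32]byte { return sha256.Sum256([]byte(pass)) }

type row struct{ pass string; key [32]byte } // what the database stage stores

// runPipeline pushes candidates through `workers` (>= 1) goroutines and collects
// every row. Nothing polls or sleeps: channel operations and a select with no
// default case park the goroutine until a channel is ready.
func runPipeline(candidates []string, workers int) []row {
	in, out, done := make(chan string), make(chan row), make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range in { // blocks until a candidate arrives or in closes
				out <- row{p, derive(p)} // blocks until the collector takes it
			}
		}()
	}
	go func() { // generator stage
		for _, c := range candidates {
			in <- c
		}
		close(in)
		wg.Wait() // every worker has handed over its last row
		close(done)
	}()
	var rows []row
	for {
		select { // no default case: waits for a row or for the end of the run
		case r := <-out:
			rows = append(rows, r)
		case <-done:
			return rows
		}
	}
}

func main() { fmt.Println(len(runPipeline([]string{"a", "b", "c", "d"}, 3)), "rows stored") }
```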

 

And then on January 1st, 2018 the challenge expired. There’re just over 24 million rows, 4.5GB data. It takes a few seconds to test any result. I investigated testing each public address to see if they had a balance but on my local Bitcoin node it takes minutes to scan the blockchain for transactions for newly added addresses. And web APIs rate limit you to where it would take a year or so to test each one. Less if I spread requests out across API providers. So, in the end, I just deleted all the results. It was fun, I learned a lot about Go, cryptocurrency nodes, and I’m ready for the next, hopefully more fruitful, project.
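The numbers behind the "futility", as an added worked example that is not part of the original post: the size of the passphrase space, the chance that the stored rows contained the target, the expected number of repeated guesses, and the time one machine would need to try everything. It assumes a 62-symbol alphabet (a-z, A-Z, 0-9), uniformly random guesses, exactly 24,000,000 tries, and the 6.14 keypairs/s rate quoted above.

```go
package main

import (
	"fmt"
	"math"
)

// Figures from the post; the 62-symbol alphabet is an assumption.
const (
	alphabet = 62
	length   = 8
	tries    = 24_000_000 // "just over 24 million rows"
	rate     = 6.14       // keypairs/s on the i7 after removing the sleep
)

// keyspace returns alphabet^length, the number of possible passphrases.
func keyspace(alphabet, length int) float64 {
	return math.Pow(float64(alphabet), float64(length))
}

// hitProbability is the chance that n uniformly random guesses (drawn with
// replacement) include one fixed target: 1 - (1 - 1/space)^n.
func hitProbability(n, space float64) float64 {
	return -math.Expm1(n * math.Log1p(-1/space))
}

// expectedDuplicatePairs is the birthday estimate n(n-1)/(2*space): the number
// of repeated guesses a duplicate check could have saved.
func expectedDuplicatePairs(n, space float64) float64 {
	return n * (n - 1) / (2 * space)
}

// yearsToExhaust is the time to try every passphrase once at perSecond.
func yearsToExhaust(space, perSecond float64) float64 {
	return space / perSecond / (365.25 * 24 * 3600)
}

func main() {
	s := keyspace(alphabet, length)
	fmt.Printf("keyspace:                 %.0f\n", s)
	fmt.Printf("P(target among tries):    %.3e\n", hitProbability(tries, s))
	fmt.Printf("expected duplicate pairs: %.2f\n", expectedDuplicatePairs(tries, s))
	fmt.Printf("years to exhaust at rate: %.0f\n", yearsToExhaust(s, rate))
}
```

Under these assumptions the whole run covers roughly one ten-millionth of the space, which is the protection a slow key derivation buys even for an 8-character passphrase.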

 

Sync login/lock screen wallpaper to current desktop background

For Windows 7, this turned out to be pretty easy to do via PowerShell. I just had to look for a native image resizing library since the lock screen, for some odd reason, only supports JPEGs up to 256KB in size. Probably one of those legacy items left over from NT, like the file system permissions dialogs, and the built-in environment variables editor…

I ended up using WIA’s ImageProcess COM library which worked surprisingly well. It just resizes whatever you give it to the primary desktop resolution, so that’s not guaranteed to be less than 256KB, but it works more often than not so it was good enough for my purposes.

https://github.com/nearwood/wallsync

Windmill – Windows Window unclobberer

I noticed during the (many) meetings I attend that disconnecting and reconnecting my laptop from the dock reorganizes all my windows to the laptop’s display. This got annoying to have to drag and resize everything when returning to my desk, which has a 3 monitor setup. So, I wrote this small Win32 application to allow you to save the positioning and size of all windows and then restore them at a later time.

https://github.com/nearwood/windmill

There are binaries in the releases tab.

There doesn’t seem to be an API to detect when removed or added from a dock, so a further enhancement I’d like to do is to detect when (the same) monitors are re-connected and then automatically move all the windows back. But, it works really well as it is.

Msqur 1.0 update

I added an update to msqur today. Just a small update to the landing page since it was kind of blank. Moved the settings icon to the view page instead of every page. Also fixed the readme and license files for formatting.

I get a lot of hits from Russia on that site. Actually, I get a lot of hits from Russia on all my sites. I imagine most of them are bots probing for weaknesses. A bunch are trying to manipulate GET requests, but there’s not much you can do. Surprisingly little abuse to the upload function, which I thought would have been the first thing to be attacked. Msqur receives quite a few more hits than my other sites. Nothing’s happened so far, but I make backups so I’m not too worried.

Anyway, some thoughts for future updates are browse filters (by engine size, compression, etc.), a search function (not sure how to distinguish it from browsing since there isn’t much plain text to search for at the moment), and pagination to the browse index. But again, it’s on the back burner so not a huge priority for me.

Find videos by FPS

I produced some videos in 60 FPS, but couldn’t remember which ones. Since, of course, I didn’t label their FPS at the time, I needed to find them in a vast sea of 30 FPS videos. Rather than just use a simple grep with ffmpeg to find which ones, I thought it might be more useful to find all videos that have a certain FPS threshold.

Usage: ./60fps.sh [directory]

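#!/bin/bash

SAVEIFS=$IFS
IFS=$'\n'

# Print "<fps>: <file>" for files whose first reported frame rate is above 50.
function fpscheck
{
  # ffmpeg writes stream info to stderr; keep only the first "NN fps" match so
  # files with several video streams don't produce a multi-line value
  FPS=$(ffmpeg -i "$1" 2>&1 | grep -Eo '([0-9]*[.])?[0-9]+ fps' | head -n 1 | grep -Eo '([0-9]*[.])?[0-9]+')
  if [ $? -eq 0 ]
  then
    TEST=$(echo "$FPS"'>'50 | bc -l)

    if [ "$TEST" -eq 1 ]
    then
      echo "$FPS: $1"
#    else
#      echo "$FPS: $1"
    fi
#  else
#    echo "Could not get fps from: $1" >&2
  fi
}

# Default to the current directory when no argument is given
for FILE in $(find "${1:-.}" -type f)
do
#  echo "trying: $FILE..."
  fpscheck "$FILE"
done

IFS=$SAVEIFS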

If I thought I’d use it more, I’d move the hardcoded FPS test value to an optional argument for the script. Instead, I’ll leave that as an exercise for the reader.

Msqur 1.0 released

As mentioned previously, I wanted to open the source to msqur up and put development on the backburner. I have added an appropriate license for it (although I do need to add library licenses/notices in there as well). It is now GPL licensed, and I have made the repository public.

Some things I added:

  • Added basic charts for the 2D tables
  • Added table header text to tables
  • Added reingest script to allow for easier MSQ cache updates
  • Fixed some of the documentation up

Known issues, mostly the same as before:

  • MS3 file support is poor
  • Constants are just blurted out without any organization
  • INI Parsing of formulas and directives not implemented yet
  • API documentation is still in infancy

I want to move on to other projects, but I may come back from time to time to update things. I intend for the near future, at least, to leave msqur.com up and keep it updated.

Msqur Update v0.72b

I dug in this past weekend and updated a few things:

  • INI Parsing revamp. Support for more tables and curves.
  • UI Update so that all this new information is somewhat organized
  • A few minor bug fixes and enhancements

Known issues:

  • MS3 file support is poor
  • Constants are just blurted out without any organization
  • INI Parsing of formulas and directives not implemented yet

I plan on opening the source code up under some kind of OSS license, after fixing a few more issues and updating the documentation.

Msqur Update v0.60b

A little while ago I updated msqur.com to 0.60b. Changes include:

  • Added engine make/code fields for uploads
  • Added view count and increment

And less visibly:

  • Finished OO refactor
  • Update API documentation (not public yet)
  • Added deployment scripts

I still haven’t finished INI file parsing 100%. There’s a bit more to do, but I’ve been busy with work and other projects. I’m thinking of releasing the project under an appropriate open-source license once I finish that, so hopefully others can join in on the fun.

Msqur Update v0.53b

I’ve rolled out the update 0.53b to msqur.com. This includes:

  • INI Parsing (i.e. better MSQ support)
  • Bug fixes and better error handling

So now it is a bit more usable. The INI Parsing turns out to be a bit more complex than I anticipated, but I rolled out a decent intermediate update in the meantime.

Before completing the INI parsing (or anything else for that matter), I’ve decided to overhaul the entire codebase. This is because I wrote the first version off the cuff, but I’ve been receiving a few feature requests and it’s turned into something that merits proper design considerations. So, I’ll be adding a much needed OO and configuration revamp to it.