Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!!

[K1773R]

after reading 10 pages, I guess I'll keep on reading instead of trying to solve the "riddle"... :-"

just in case ur interested:

For those who dont have enough hashing power, u can send me patterns per PM and il test em, if they match u get a portion of the 10BTC (going to distribute it fair to all who helped, including me).

[franky1]

i bet the 4 digit code will end up being

xmas or XM45

[btctalk]

after reading 10 pages, I guess I'll keep on reading instead of trying to solve the "riddle"... :-"

just in case ur interested:

For those who dont have enough hashing power, u can send me patterns per PM and il test em, if they match u get a portion of the 10BTC (going to distribute it fair to all who helped, including me).

lol, I have to sleep on it first

[Red Emerald]

Well no luck so far.  Here's the basics of my script for generating the dictionary.

Code:

#!/usr/bin/env python
import itertools
import hashlib
import string

dict_name = 'dict.txt'

with open(dict_name, 'a') as f:
    for pw in itertools.product(string.ascii_letters + string.digits, repeat=4):
        pw = ''.join(pw)
        for p in [
            '+'.join([pw]*2) + '=' + pw * 2,
            # you can put a bunch of different patterns here
        ]:
            hashed = hashlib.sha256(p).hexdigest()
            f.write(hashed+'\n')

print '~/src/JohnTheRipper/run/john --wordlist=%s hash' % dict_name

At first I was printing the hashes and then piping it to john, but it wasn't using all of my cores.  I need to get CUDA running on this, or maybe play with it for a few minutes on my GPU miner.

[CIYAM]

Well the next hint isn't due for a while so you probably still have time.

[cedivad]

Well the next hint isn't due for a while so you probably still have time.

Can we know the exact length of the string and how many times was the password repeated?

[CIYAM]

Can we know the exact length of the string and how many times was the password repeated?

The next hint should definitely help with this (but please remember that the point is that it is a riddle/puzzle - I will only give out the information you have requested in the *last* hint as I think it should be cracked within minutes after that).

Whist waiting for someone to solve this (IMO not so hard to solve) problem I have come up with an even better idea (more on this to come) and I have now added a "bcrypt" call to the script that I will be publishing in the distro I am creating for the purposes of doing the same thing I have done here (if starting with a 4 char password and a very simple math equation has proven so difficult the you can imagine how much harder the *real thing* will be).

[phr33]

Whist waiting for someone to solve this (IMO not so hard to solve) problem I have come up with an even better idea (more on this to come) and I have now added a "bcrypt" call to the script that I will be publishing in the distro I am creating for the purposes of doing the same thing I have done here (if starting with a 4 char password and a very simple math equation has proven so difficult the you can imagine how much harder the *real thing* will be).

The security still relies on the secrecy of your script. The script that will add most entropy relative to the script size is one that just XOR the silly 4 char password with some true random number. This random number could be selected to be of any size, but there would of course not be any point in selecting longer than the strength of the crypto it will be used in later (e.g. 256 bits).

You have just split the key in two. A small part that you choose to remember, and a longer part that you store on your computer. The drawback of your custom code is that it always will add less entropy than a simple true random number. The fact that you peraps easily can remember the "algorithm" is a sign that it does not add much entropy.

I'm really trying to explain why this is not such a good idea as it might seem at first sight. But it's difficult

[CIYAM]

after reading 10 pages, I guess I'll keep on reading instead of trying to solve the "riddle"... :-"

Actually believe or not that is the only thing that has prevented such a weak password from being cracked already (am almost tempted to release the weak password but won't do that until after the last hint).

[CIYAM]

I'm really trying to explain why this is not such a good idea as it might seem at first sight. But it's difficult

I really do *get* your point - but when you see how little I changed (and not randomly at all) I do think you might be forced to change your mind (after people have been hacking at it for days and have so far been unable to guess basically just a couple of minor changes to a very simple equation).



BTW - I am up for at least a 50 BTC challenge (open ended with no clues but you will be giving the GPG encrypted private key and the message that contains the Bitcoin private key out) with a new bash script (which I will publish) based upon the same idea (but I will use a 6 character initial password for that challenge - it's my money after all).

This is the Bitcoin way to build open source after all!

[CIYAM]

Just to check I didn't fuck up I have recovered the private key (using the exact script posted along with my changed line) and sent 10 BTC.

EDIT: Oops I thought that would add to the bounty but apparently it didn't (I guess Bitcoin sent the output to the input) - will look at that tomorrow (have to sleep now).

[dooglus]

EDIT: Oops I thought that would add to the bounty but apparently it didn't (I guess Bitcoin sent the output to the input)

Yes, the client chose the best-fitting output for your new payment and it just so happened that the same 10 BTC you sent the first time was the best fit for the second payment, so it re-sent the same 10 BTC output again.

[CIYAM]

Well - we are not far off 350 confirmations and so well before we get to 400 I will just check whether those competing would rather:

1) I give a hint that will finish this in the next 10 hours or,

2) I add another 10 BTC and make the hint a little more vague.

[OpenYourEyes]

I've pretty much worked on this for 2 days straight since I've had a pretty lonely Christmas with a lot of time on my hands, but I think I'm going to throw in the towel as I think I must be doing something wrong. I'm very computer literate, but I think it's just a bit too much for me (I'm no crypto/gpg expert).
Thanks for your posting guys, I've learnt a thing or two.

[CIYAM]

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

[OpenYourEyes]

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

[K1773R]

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

[OpenYourEyes]

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

I know I've read your post. I don't have a GPU, just a laptop.
Everytime I try JTR, I just stays at: "Guesses 0"

currently trying nasty on a budget server I'm renting out.

EDIT: nasty fails also. Oh well.

With your first clue "at least" I was taking a stab that it might be >=
as in "greater than or equal to" "at least"

[K1773R]

Well it seems like option (1) is going to be what we'll go with so if you can hang in there for another few hours you could still get lucky!

Ok, I'll try.

Unlike others, I've been trying each key manually as I've not been able to get any of the bruteforce programs working. (Arch Linux/CPU issue maybe)
I think I've managed to solve your first clue though.

JohnTheRipper works everywhere, i even explained how to use JohnTheRipper with ur GPU!

I know I've read your post. I don't have a GPU, just a laptop.
Everytime I try JTR, I just stays at: "Guesses 0"

currently trying nasty on a budget server I'm renting out.

EDIT: nasty fails also. Oh well.

With your first clue "at least" I was taking a stab that it might be >=
as in "greater than or equal to" "at least"

Guesses 0 means 0 valid passwords found, as soon u see Guesses 1 u cracked it!

[OpenYourEyes]

Ah, ok. I thought guesses would be the amount of attempts it has made.

The fact the OP generated the bitcoin address with vanity gen seems a bit odd to me, so maybe the address has something to do with it.
Seeing as generating address past the 6 character mark is rather time consuming, I've been looking at the first few characters.
Why would he deliberately generate 1Cpu?

I've tried that with various salts but nothing yet.