I hacked time to recover $3 million from a crypto wallet (video, 22m)
What if I told you that we could hack time to recover over $3 million of Bitcoin from a software wallet that has been locked since 2013? It may sound crazy, but it is true. Joe Grand, after a long absence, has finally returned with a new project unlike anything he has done before. The main aim of this video is to understand the complexity of the hacked wallet and of the man who entrusted it with his cryptocurrency hopes and dreams. Joe reveals that he has been busy with many projects, including Zoom calls with various people, but the time has come to get back into action. Finding interesting projects that they can fix is his passion, and people's stories around cryptocurrency are fascinating.
Joe Grand describes the experience, opening the story with Bruno, a friend and hacker who joined him on this exciting venture. With Joe's help in recent videos, Bruno has brought out a variety of cryptocurrency stories, and their bond rests on shared technical passions. Joe not only analyses the tasks in depth but also takes us on a journey through the emotions of people who have to cope with losing access to their crypto assets. Through these stories, Joe shows how important it is to understand not only the technical aspects but also the emotional ones tied to these projects.
As the project progresses, Joe and Bruno face the complex task of hacking RoboForm's code to recover the lost password. Conducting a detailed analysis of the software, they discover that by manipulating certain values in the system they can regain access to a password previously considered unreachable. As the project develops, the tension grows, and Joe proves that with the right tools and techniques such challenges can be overcome. Using reverse engineering tools, they carry out a detailed analysis that leads them to surprising discoveries.
In the end, after many attempts and experiments, Joe Grand and Bruno managed to unlock the wallet, regaining access to Bitcoin worth $1.6 million. Joe describes this moment as progress that not only brings satisfaction but also fulfils the dreams of people who felt hopelessly locked out. Pushing the boundaries of what can be achieved in technology, and looking for solutions in seemingly impossible circumstances, is Joe's passion. His video, in his words, is a good example of how technology can help in human stories, and the projects he works on become not just technical challenges but emotional adventures as well.
At the time of writing, the video had over 1.18 million views and 65,588 likes. Joe Grand uses his skills not only to learn about forgotten projects but also to give people hope by restoring assets that had been locked away for years. Joe Grand's vision is to help others in difficult times, and his passion for learning and sharing experience becomes an inspiration for many.
Timeline summary
- Introduction to recovering Bitcoin from a locked wallet.
- The speaker shares his excitement about a new video project.
- Response to audience questions about his recent absence.
- Discussion of various interactions and assessing the legitimacy of projects.
- A personal story about a family losing Bitcoin because of a deceased member.
- Introduction to a major project involving a software wallet worth $1.6 million.
- Email from Michael about a password lost since 2013.
- Discussion of complex password generation to increase security.
- The challenges of cracking an impossible password.
- Comparing the password search to the unmeasured depths of the ocean.
- Bruno suggests attacking the software instead of brute forcing.
- Creating a method to control password generation.
- Discovering flaws in older versions of the software.
- Success in generating the same password repeatedly.
- Starting the real-time password generation process.
- Unexpected success in recovering the password.
- Final confirmation of access to Michael's Bitcoin.
- Reflections on the project and future plans.
- Mention of future considerations regarding software vulnerabilities.
Transcription
What if I told you that we could hack time to recover over $3 million of Bitcoin from a software wallet that's been locked since 2013? I know it sounds crazy, but it's true. I just landed in Frankfurt and finally am able to create another video. This is a project unlike anything I've worked on before, and I can't wait to share it. A lot of people have been asking, is Joe Grand still alive? Yes, I'm still alive. It's been a really busy year with a lot of projects, and I just haven't really had a lot of time to interact online. I've been on Zoom calls for hours, talking to people, trying to figure out if their projects are real. A lot of times they're not. Sometimes the value's not there. This is the money shot. Point 003. The bar. A lot of times we run into really interesting projects that we can help with. There was one guy that actually threw his Ledger wallet into the water for some reason, and it sat submerged for seven months. He had to hire a dive crew to go down and pick it up, and they sent it to me, opened it up. Nastiness. Removed all of the corrosion, ended up repairing the device. Your pin, oh, that's a good sign. And could access his funds. There was a family who unfortunately had a son who passed away. Right before he died, he told his brother that he thought the password for his software wallet was the name of his grandmother. We were able to do some brute forcing and try some different combinations of passwords, and we were able to get it. On rare occasions, I'll even leave the safety of my lab to meet with people in person. The stories that we feel have some interesting element, we feel like those are cool to show to the world. A lot of them have a personal story connected to their cryptocurrency. This project is a software wallet with $1.6 million, and the story begins with my friend Bruno. Hey, I made it. How are you? Good to see you. I'm really excited. Good, yeah. 
I first met Bruno when he saw one of my earlier videos, and he reached out to me for help with the project. It turns out that Bruno is also a hacker and has a lot of experience with the software side of things. But first, we should get caffeine. We became good friends and worked on a lot of really interesting stuff together. Bruno's one of these guys where he's just really low-key, but he's probably the smartest person in the room. He grew up as a hacker and has some really fun stories to tell. He's also a hacker. There are some funny stories about what he did when he was growing up. I think it was when I was 12, 13, I found out about cryptocurrency and back then with my school friends, we already started mining on the computers in the school, so we had like a mining operation there. We hacked into the school system, so we had access to the servers, stored all the mining software. We didn't earn much coins but we just liked the concept of earning like digital money just by running a PC. It's not often to find somebody that you actually can work well with together and when you do, it can be really great. I can't wait to see his reaction. Michael had emailed me a little over a year ago and he basically said, I have a password that I had set on a software wallet back in 2013, created a password for that wallet with a password generator called RoboForm. I used a program called RoboForm for managing all my passwords. I wanted to make it very secure, 20 signs with special characters. Password generators are commonly used to create complex passwords because humans are very predictable and they'll use the same passwords over and over again and that's just not secure. He said he used a 20 character password with uppercase and lowercase letters, numbers, special characters.
Then he generated the password, I copied it, put it in the passphrase of the wallet and also in a text file that I then encrypted. The way he saved the password back then was by saving it in a TrueCrypt container. An encrypted partition on his computer. That partition, basically a holder of data, got corrupted, which caused him to lose his password. And at this time I was like, okay, crap, a couple of thousand euros, which was painful, but okay. But then... That's when we found out what's the price tag involved. The Bitcoin price, right. This crazy amount of money where it's 43 Bitcoin. 1.6 million. I have this fortune. I can see it, but yeah, I can't use it because I don't have the password. He had only seen the actual password for about 10 seconds. So he really has no recollection at all of what that password could actually be. Then I saw Joe's video, how he hacked the hard wallet and that gave me confidence. Maybe these guys have a clue how to help. I remember my response to him was, this is not going to work unless there's a bug in RoboForm that we can take advantage of. So we turned down the project. It's a really hard problem to have because like from brute forcing, it's not possible. Brute forcing a password is basically where you generate a huge list of every possible password based on your assumed parameters and try those one by one to see if you can access the system that's being protected by that password. Usually when you're brute forcing a password, somebody has some idea of what the password was. But if you don't have any prior information, you're doing an exhaustive search of the entire key space. And that's a massive problem. If we had to try every possible password combination, that's more than 100 trillion times the number of water drops in the entire world. 
If we think of one password being one water drop and we have to find that, it might be flowing under the river, it might be falling from the sky, it could be in any ocean, anywhere in the world. If we're able to reduce that somehow, then we can turn this insurmountable problem into maybe something that we can succeed with. The reason we turned down Michael's project is we thought we would have to brute force this massive amount of possible passwords because he used such a huge password. Nobody would take on a brute forcing project of this scale, no matter how many computers they had, it just isn't feasible. I already thought also that I can give it further to my child. One day he can use it and take it. I think there's no real way right now to solve this problem. So a year later, just a couple months ago, Michael reached back out and said, hey, do you want to reconsider doing this project? And within that timeframe, Bruno had actually done some work reverse engineering a different type of password generator for a different project. Sometimes it's possible when the software isn't written in a secure way, even though it's 20 characters, you find a way around it. Bruno was like, well, maybe we can actually try to attack the RoboForm program itself instead of needing to brute force the actual password. If you find a way, there's still a possibility. So we decided now to take on the project, start exploring that avenue. And that's when we started doing some of this preliminary analysis to see if that was possible. There was a new approach, hacking RoboForm. Now maybe we're back in the game. In the world of software, and actually the world at large, creating random numbers is very, very hard. Some people might even say, well, a coin flip is random. If you know the velocity of the flip, what side of the coin you're starting on, and airflow and other parameters, you might be able to actually reduce the randomness. 
That's kind of what we're doing to identify how RoboForm creates the password. If we can manipulate that randomness, we might be able to create a predictable output that we could use to try to crack Michael's wallet. They asked me now about which version I used, when I created the password. He created his wallet in 2013, after the first payments into the wallet. So we went through on the RoboForm website, looking for what version of that software was available in 2013. Get all the versions I could find. It was pretty cool, where he basically was like, here are the potential versions. Then we found the changelog of RoboForm. On the RoboForm website, they basically have a changelog, which lists out the different changes they have as they change their software over time. This is the changelog, currently at version 9.5.6, the version that he used June 26, 2013. There was something interesting that we found in that changelog, where a couple years later, a small comment increased randomness. Why should they increase the randomness if the generator is generating secure passwords? Does that mean that earlier versions of this program were vulnerable to something? Maybe they fixed the problem later on, but it just so happens that Michael was using this earlier version, where randomness of the password had not been fixed yet. It's a pretty complicated thing to explain. This is not a normal process. This is really crazy. Okay. Yeah, I can't believe that we're actually going to do this. It's so ridiculous. The RoboForm password generator is a pretty big piece of software. But within this large program, we want to try to find the one piece of code where the password generation is happening, see if we can kind of create some code to communicate directly to that to generate the passwords that we want. The RoboForm software is known as what's called closed source. This basically is a black box. You don't know what's going on inside. 
That's why we need to use a lot of these software reverse engineering tools to even peek inside. We started to reverse engineer the software. The first step was to understand if the generated password from the graphical user interface was stored somewhere in memory. We use a tool called Cheat Engine. What this does is let you search through different areas of memory while a program is running. We could at least narrow down which pieces of that program were being used. That's going to prove to us that we've attached to the correct piece of the RoboForm program. Now I can search through system memory to actually try to find that generated password. Then I'll click on scan. Yes, now we actually see there's two results for that password stored in system memory. And that gave us really good confidence that the password generator was happening within that program. So untypical. Do you think it's going to fit on the plane? Then we used a tool called Ghidra, a reverse engineering tool created actually by the United States National Security Agency. You can use the software to look at the machine code. To let you basically reverse engineer and disassemble pieces of code. The process of using Ghidra is to help us search for that needle in a haystack. Try to figure out where in this piece of code is the password generator function. This piece of software was really like Russian dolls. Our target was like the little doll in the middle that was generating the password. Then you have these different pieces of code on top of that. Kind of have to break through these different layers until we get to the one that we want. It helps you to reverse the machine code to humanly readable code. Ghidra luckily gives you what's called a decompilation view of a higher level human readable view. But it's still really difficult, especially if you have a really complex software. This is a massive amount of code. Hours and hours and hours of work. We're definitely on the right track now. 
We're seeing references to a password generator within this code. We were able to actually narrow down where the password generator function was, number of characters for your password length, the minimum number of digits. Sounds like a password generator to me. This seems to be the candidate for the actual password generator routine that we're targeting. One of the pieces of the code that we found was really interesting is this reference to calling the system time. A reference in the assembly language, we can actually see that after it calls the time, it does some manipulation to that time value. And then it calls the function that initializes the pseudo random number generator with some seed value. That's when we really got excited because we knew, okay, we were on the right track. That's what we were looking for. That's the key to this whole thing. If we can change the system time, that might mean that we can actually control what the output passwords are. We moved to something called dynamic analysis. In a perfect world, when you generate a password with a password generator, you expect to get a unique random output each time that no one else has. In this version of RoboForm, that's not the case. While RoboForm passwords appear to be randomly generated, they're not. With the older versions of this software, if we can control the time, we can control the password. Imagine that these cars represent my password, and every time I snap my fingers, I can generate a new password. If I wanted to control what my password would be, I could control the cars to give a predictable result. We can do the same thing to control RoboForm to get a predictable password. Good luck. Bruno, look, I'm controlling my password. We wanted to understand if we could control the input parameters, would that let us control the output? What we really wanted to know is, can we generate the same password twice? 
We want to see if we can actually change the value of time to generate a known, expected password. Dynamic analysis is sort of like controlling time, where you can freeze and then go in slow motion to get a better sense of how things are operating. Halt the execution at the right point, and then start changing the time values and seeing if that gives us the result that we want. We use a tool called x64dbg. That basically loads in the program and then lets us control every single step. I have my breakpoint set at the location right before the generator gets initialized. Every time I click the generate new button, we're going to stop execution at that spot. The time value is stored in a register, EAX. We can actually see EAX right now, basically a text representation of a binary number. So we can rerun the program over and over again, and we'll see that value increment because it's time incrementing, because time has increased since we last generated a password. This is where hacking time comes into play. We can go ahead and actually try to change that time value to go back in time and make it match a password that we've already generated. What I'm going to do is note the current EAX value, which is the last one that we just ran. That EAX value ends up generating a password of the 03 blah, blah, blah ZBM. Let's generate a new password on the screen. Now the EAX value has changed because time has increased since the last time I generated the password. But this is where I can actually patch the memory and hack the time. Double click on EAX and change that value to the one that we've recorded previously. The EAX register has been updated. The RoboForm software is going to think the date is in the past, regenerate the same password that we already know. So here we go. Three, two, one, and here it is. So we basically proved that we can generate the same password multiple times in a row.
With a password generator that generates random passwords, we shouldn't be able to do something like that. This was the first moment we knew that there's a good chance that we can generate his password. So we can actually go and trick the system into thinking that we're back in 2013 and generate all the possible passwords within that timeframe where we thought Michael had generated his password. We thought we were good to go. We thought the rest of it was going to be smooth sailing. All we had to do is write some code to control that password generator. But yeah, we were wrong. Be on the lookout for frankfurters. Oh, I bet you that place sells them. We're going to see if they have a vegan one. Do you have any vegan frankfurters? No. No visit to Frankfurt would be complete without a frankfurter. So the next step was to write this wrapper code. Build a code around a certain function. To basically let us control the password generator function. Take this frankfurter for example. If this is the entire RoboForm program, the password generator is just a small portion of that. So we wrote some code to wrap around that function to control it. Kind of like how this bun wraps around the frankfurter. That's stupid. This is the code that does it all. Changes the system time and saves the output every single second. Michael gave us a date range of when he thought he generated his password. These are the dates of the range that we generated the password. And that ends up being like millions of potential passwords. There's always the possibility that this whole thing isn't possible. We're going to need to generate way more passwords to effectively check the entire time frame. This is the wrapper. Like this assembly language really is the wrapper code. But then things started crashing. We were just getting crash after crash. The system wasn't working. Crashing and crashing again. We were working on the wrapper code all day. We had this late night session. 
Now it's like two in the morning. It was killing me to know that we were that close. My notes from last night and today. We continued working on it. Things that were crashing and trying to figure out why it was crashing. Hours and hours and hours of debugging. We were so close, but it just wasn't working. But I just couldn't, I couldn't help myself. I just had to keep going. Then the next day he sent me a message that, guys, I did it. I cracked the code. We eventually realized that we had to set certain memory locations to other values before we called that function. We can now generate the whole time span of passwords. Now we can actually run this code and let it start generating passwords. Here we go. Generating about 100 passwords per second. And we can actually see down at the bottom of the screen, our time is increasing. It's just so satisfying. It's like we're traveling through time. I know it's like, it sounds super cheesy, but it is really fun. So we basically generated the millions of passwords for that date range. He sent those over. He put it into his password cracking tool and we got nothing. It didn't work. So. Oh man. You know, the date range could have been wrong. Michael did say that he set up his software wallet to buy some Bitcoin, but didn't actually set a password until later on. So we could be off with the date range and we could be off with the parameters. Was he using uppercase and lowercase? Was he using numbers? Was he using special characters? We then started questioning everything. Were we even hacking the right password generator? I've learned that people's memories can be incorrect. This is from 2016. I thought it was 13, 14. This got us really, really nervous. Right when we thought we were so close. Now the number of possibilities is just completely open. So we started talking with Michael about the password configuration. A couple of days ago, I got a call. 
Bruno asked me about some parameters and I think like, oh, come on, guys, I gave you all the parameters. He said to us, he's like 90% sure that this is the configuration he has used, which made us even more worried. It's 10 years ago. About what are you sure that you did 10 years ago? And Michael had even sent us a message saying, you know, I'm thinking of going to a hypnotist. Maybe the password is still stored in my subconscious brain. And I was like, oh, this can't be happening. Michael had sent us a list of passwords that he had generated with RoboForm for other things. But there was just one that was 20 characters in length that was just numbers and letters, no special characters. But he had told us that he had used 20 signs with special characters. So we decided, well, hey, let's just try this new range of passwords using these different parameters, generated those, sent them to Bruno. I started the script. I looked at the screen and I wasn't really sure, like it was showing something. And then I looked closer. And it was actually showing the password. I wouldn't have suspected this. Oh my God. Within like 20 minutes, Bruno sent me a message. Just got this message from Bruno, success, 20 characters long, but no special characters. Oh, finally, after all of this work and the ups and downs of it, now we can go free these coins. He's going to be very surprised. We were finally able to access Michael's Bitcoin. Joe had this crazy idea, really excited. This is completely ridiculous. Like, I can't actually believe that we're doing this. I don't even know if it's going to fit on the airplane. Wait, hold on. Okay. Nice. What would I do with the assets if they could hack it? This might be a little big for your car. Pay debts from apartment. Oh my God. Founding a new company. That's not going anywhere. That's a nice view. Securing the future life of my son, right? We're off. I don't know. There are plenty of ideas that you can have. We have an hour and 10 minutes. 
So this size is okay. It's good enough. We did it. Checked. I hope it's doing okay down there. If I want to make fun of myself, I tell this story. Everyone in my family, every close friend knows it. We're on La Rambla, the most famous street in Barcelona. In the end, it's a fun story and still, I mean, there's still hope one day I can solve it. $1.6 billion. Just joking. We did it. Your parameters were wrong. No, guys, come on. For real. That is so cool. Well, it's not official until we sign the check. This project was really special to be able to work with Bruno and have so much fun achieving this goal together. I'm going to keep on working on different hacking projects. Thank you, guys. I run. And continue to help people recover cryptocurrency that they've been locked out of. We know RoboForm has fixed this problem in future versions of their software. So really, it's only a problem if you're using passwords that were generated prior to that fix in 2015. Looking forward to working with Joe together on hacking more software wallets in the future. If this project required hacking time, what dimension are we going to have to hack next?
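The weakness the transcript describes (a password generator whose only randomness is the system time fed as a seed into a pseudo random number generator) is modelled below in Python as an added illustration; this is not RoboForm's code and not from the video. The hypothetical generator, the two charsets and the 2013 timestamps are constructed assumptions. It shows why a 20-character password then has an effective keyspace equal to the number of seconds in the suspected window, gives a defender's reproducibility check for such a generator, and contrasts it with a generator drawing from the OS CSPRNG.

```python
import random
import secrets
import string
from datetime import datetime, timezone

# Two charsets mirroring the configurations discussed in the video:
# letters+digits only, and letters+digits+special characters (constructed set).
ALNUM = string.ascii_letters + string.digits
ALNUM_SPECIAL = ALNUM + "!@#$%^&*()-_=+"


def weak_generate(seed_time: int, length: int = 20, charset: str = ALNUM) -> str:
    """Hypothetical time-seeded generator (NOT RoboForm's real routine).

    The only entropy is the Unix timestamp used to seed a Mersenne Twister,
    so two calls made in the same second return the same password.
    """
    rng = random.Random(seed_time)
    return "".join(rng.choice(charset) for _ in range(length))


def strong_generate(length: int = 20, charset: str = ALNUM) -> str:
    """Defensive alternative: draw every character from the OS CSPRNG.

    Nothing an observer can know (time, version, process id) reproduces it.
    """
    return "".join(secrets.choice(charset) for _ in range(length))


def nominal_space(length: int, charset: str) -> int:
    """Keyspace a password of this length and charset *appears* to have."""
    return len(charset) ** length


def effective_space(start_ts: int, end_ts: int) -> int:
    """Keyspace the weak generator actually has over a date window: one
    candidate per second of the window, independent of length or charset."""
    return end_ts - start_ts + 1


def seed_is_recoverable(password: str, start_ts: int, end_ts: int,
                        length: int = 20, charset: str = ALNUM):
    """Reproducibility check for a generator under review: if a password it
    produced can be regenerated from some timestamp in the window, its output
    depends on the clock rather than on entropy. Returns that timestamp or None."""
    for t in range(start_ts, end_ts + 1):
        if weak_generate(t, length, charset) == password:
            return t
    return None


if __name__ == "__main__":
    # Constructed window: one hour on 26 June 2013 (the RoboForm version date
    # mentioned in the video), expressed as Unix timestamps.
    start = int(datetime(2013, 6, 26, tzinfo=timezone.utc).timestamp())
    end = start + 3600

    print("nominal keyspace, 20 chars, alnum:    %e" % nominal_space(20, ALNUM))
    print("nominal keyspace, 20 chars, +special: %e" % nominal_space(20, ALNUM_SPECIAL))
    print("effective keyspace, one-hour window:  %d" % effective_space(start, end))

    # Same second -> same password, however large the charset is.
    print("same seed twice gives same password:",
          weak_generate(start, 20, ALNUM_SPECIAL) == weak_generate(start, 20, ALNUM_SPECIAL))

    weak_pw = weak_generate(start + 1234)
    print("weak password regenerated from t =", seed_is_recoverable(weak_pw, start, end))

    strong_pw = strong_generate()
    print("CSPRNG password regenerated from t =", seed_is_recoverable(strong_pw, start, end))
```

The effective-space line is the point: once the seed is the clock, password length and charset no longer add security, which is why a generator must be seeded from the OS CSPRNG rather than the time.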