Mist Wallet 08.10 bruteforce
#15
(05-14-2021, 08:56 AM)philsmd Wrote: answer 1: I guess that many users already tried to reproduce problems with certain specific versions of mist+geth, but realized that when installing the software versions freshly (even on a new PC etc), they didn't see any wrong or strange behaviour and everything was working as expected. (no automatic account creation, no locked up accounts, password was working etc etc etc).
So I guess many affected users tried to reproduce a bug (I don't have any exact number or stats, you could even ask the mist team, they even collected some "affected users" anonymized data on google forms back then), but always failed to make any clear conclusion about what could have gone wrong or at least weren't able to prove that there is/was some obvious bug. Could just be many users that don't remember the password (and some even don't remember that they had to insert a password!). Again, all this can also turn out to be a wrong conclusion or a false statement, but only when a software bug was detected and the facts about the bug are sorted out.

answer 2: you stated above that you gave the private key to somebody. My guess/hope is that you only gave the encrypted keystore to a professional and trusted wallet recovery service... So please make sure first that your ethereum address still has some funds in it etc... otherwise all your work you put in to unlock the account is wasted if there are no more funds.
We have already stated a couple of times here, that it depends a lot on the wallet version and hash type, whether the GPU cracking should be done or if it would be better to crack the hashes with CPU only (scrypt based algorithms are better suited for CPU cracking, no GPU needed, because the scrypt algorithm itself is GPU-resistant). Just try to convince yourself by testing the speeds of different device/hardware types with --opencl-device-types (short -D, uppercase D).

I can't really remember if there were users that were able to unlock the account after some rule-based attacks (or in general mangled passwords) against an scrypt-based ethereum wallet, but I'm pretty sure these cases exist (not everybody posts their success story after a successful cracking attack). In general, rule-based attacks are very efficient and crack a lot of hashes... but of course this hash algorithm is very heavy compared to other (non-slow i.e. *fast*) hash types that hashcat supports and therefore it's much more difficult to run a huge amount of rules against a large dictionary file.
That said, the rule-based attack (or any non-brute-force attack or any non-mask attack), as you probably already guessed, could still be much more efficient and with a much better success rate than other attacks. This of course depends on the randomness of the password itself, but in general even if for some fast hash types mask attacks are much faster, the efficiency and success rate of rule-based attacks (or combinator, hybrid attacks etc) is often much better and the only clever approach.

Yeah, think about the possible password candidates and patterns, create a middle to huge password list of several megabytes of candidates... try to learn rule-based attacks (and other non-brute-force attacks, https://hashcat.net/wiki/#core_attack_modes) and create your own specific rule file and run your CPU-based rig against the scrypt-based ethereum hash. Good luck

I think what's missing is some sort of wiki dedicated to the issue. As it stands, you have to wade through many pages of heated arguments to extract some information. Would anyone be interested in contributing to something like that? Gather evidence, contact original developers, describe various theories and their pros/cons, maybe even set up some bounty scheme...

The service has both the key and the password, and the funds are still there. The password is 20 chars random upper/lowercase and digits and I think I didn't provide them with other passwords, so I think they gave up rather quickly. Their website still exists and looking around they seem to have a good reputation.

I think it was scrypt, so maybe they just don't have a lot of CPU resources, and cases where users provide a lot of password fragments + the wallet is GPU-friendly are probably more profitable. Which I'm hoping, because that means I can take your advice and then try some attacks and run it for longer.
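An added illustration, not part of either post and not hashcat or Mist code: it reads the scrypt parameters from a V3 keystore's `kdfparams` and shows why each guess is memory-bound, then sizes the keyspace of a 20-character random upper/lowercase/digit password like the one described above. The keystore fragment, its salt and its `n`/`r`/`p` values are constructed samples, and the 8 GiB device and 1000 guesses per second are assumed figures.

```python
import hashlib
import json
import math

# Constructed sample: only the KDF section of a V3 keystore, with a made-up salt.
KEYSTORE_JSON = """
{"version": 3,
 "crypto": {"kdf": "scrypt",
            "kdfparams": {"n": 262144, "r": 8, "p": 1, "dklen": 32,
                          "salt": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"}}}
"""

def kdf_params(keystore_json):
    """Return the scrypt parameters, or raise if the keystore uses another KDF."""
    crypto = json.loads(keystore_json)["crypto"]
    if crypto["kdf"] != "scrypt":
        raise ValueError("not an scrypt keystore: " + crypto["kdf"])
    return crypto["kdfparams"]

def scrypt_memory_bytes(params):
    """Approximate working memory per guess: the 128 * N * r byte scrypt V array."""
    return 128 * params["n"] * params["r"]

def parallel_guesses(params, device_memory_bytes):
    """How many guesses fit in device memory at once (the limit on GPU parallelism)."""
    return device_memory_bytes // scrypt_memory_bytes(params)

def derive_key(password, params):
    """Run the KDF once; every single password guess has to repeat this work."""
    need = scrypt_memory_bytes(params)
    return hashlib.scrypt(password, salt=bytes.fromhex(params["salt"]),
                          n=params["n"], r=params["r"], p=params["p"],
                          dklen=params["dklen"], maxmem=2 * need)

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every candidate at a constant guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    p = kdf_params(KEYSTORE_JSON)
    print("memory per guess (MiB):", scrypt_memory_bytes(p) // 2**20)
    print("guesses in flight on an 8 GiB device:", parallel_guesses(p, 8 * 2**30))
    print("bits in 20 random [A-Za-z0-9] chars:", round(keyspace_bits(62, 20), 1))
    print("years at 1000 guesses/s: %.1e" % years_to_exhaust(62, 20, 1000))
```

With these sample parameters each guess needs about 256 MiB, so device memory rather than core count caps the parallelism, and a fully random 20-character password carries roughly 119 bits, which is out of reach of exhaustive search at any realistic rate.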

