I hacked time to recover $3 million from a Bitcoin software wallet

14th Jun 2024 Gemini 1.5 Pro

This podcast details an extraordinary project undertaken by Joe Grand, a renowned hardware hacker, and Bruno, a brilliant software hacker, to help Michael, a man who lost access to a software wallet containing a significant amount of Bitcoin. The podcast narrates their journey, highlighting the technical challenges, emotional rollercoaster, and the innovative solutions employed in their quest to unlock the inaccessible cryptocurrency.

The Locked Fortune

Michael, an early adopter of Bitcoin, used a password generator called RoboForm to create a highly secure password for his software wallet back in 2013. However, a corrupted hard drive led to the loss of this password, locking him out of his own wallet. What was initially a minor financial setback transformed into a major predicament as the value of Bitcoin skyrocketed over the years. Michael was now staring at a locked fortune of 1.6 million dollars worth of Bitcoin, a tantalizing prize he had no way of accessing.

I have this fortune. I can see it, but yeah, I cannot use it because I don't have the password.

Despondent but hopeful, Michael reached out to Joe Grand, inspired by his previous work on hacking hardware wallets. While the sheer complexity of brute-forcing a 20-character password with multiple character types seemed insurmountable, the prospect of recovering such a significant sum fueled their determination.

A Glimmer of Hope: Exploiting RoboForm

Initially, Joe and Bruno were skeptical due to the immense computational power required to brute-force such a complex password.

Nobody would take on a brute forcing project of this scale, no matter how many computers they had, it just isn't feasible.

However, Bruno's prior experience with reverse engineering a different password generator offered a glimmer of hope. They shifted their focus from brute-forcing the password itself to analyzing RoboForm for potential vulnerabilities. Their hope lay in finding a weakness in the software that would allow them to circumvent the need for a brute-force attack altogether.

Reverse Engineering and the Quest for the Password Generator

The team initiated the painstaking process of reverse engineering RoboForm. This involved dissecting the software to understand its inner workings and locate the specific code responsible for password generation. Using tools like Cheat Engine and Ghidra, they meticulously examined the software's memory and code.

The RoboForm software is known as what's called closed source. This basically is a black box, like you don't know what's going on inside.

The process was akin to finding a needle in a haystack, requiring immense patience and meticulous attention to detail. Hours were spent sifting through lines of code, gradually piecing together the software's logic. Their efforts finally yielded a breakthrough when they identified the password generator function and, crucially, its reliance on the system time for generating random values.

Hacking Time: Manipulating Randomness

Delving deeper into the password generator, they discovered a critical flaw. RoboForm's randomness, the foundation of its password security, wasn't truly random. Instead, it depended on the system time for generating "random" values. This discovery was their Eureka moment, as it meant that controlling the system time could potentially allow them to predict and replicate the generated passwords.

With the older versions of this software, if we can control the time, we can control the password.

This realization marked a turning point in the project. By manipulating the system time, they could essentially "hack time" and force RoboForm to generate passwords corresponding to a specific time in the past – ideally, the time when Michael created his wallet.
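To make the flaw described above concrete, here is an added illustration (not RoboForm's code, and not the tools Joe and Bruno built) of a toy password generator that seeds a non-cryptographic PRNG with the clock. It shows why knowing the creation window collapses the candidate set from len(alphabet)**20 to the number of seconds in the window, and what the hardened form looks like. The alphabet, timestamps and window sizes are all constructed.

```python
import random
import secrets
import string
from typing import Optional

# Constructed mixed-type alphabet standing in for the policy described in the
# episode; RoboForm's real character set and algorithm are not modelled here.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
LENGTH = 20


def weak_generate(timestamp: int, length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Toy time-seeded generator: the only entropy is the clock value.

    Because the PRNG is seeded with the second of creation, the password is a
    pure function of *when* it was made, not of any secret."""
    rng = random.Random(timestamp)  # deterministic for a given seed
    return "".join(rng.choice(alphabet) for _ in range(length))


def recover_from_window(target: str, start_ts: int, end_ts: int,
                        length: int = LENGTH, alphabet: str = ALPHABET) -> Optional[int]:
    """Regenerate each candidate seed in [start_ts, end_ts] and return the one
    that reproduces `target`, or None. This is the "control the time" step:
    the work is one candidate per second in the window."""
    for ts in range(start_ts, end_ts + 1):
        if weak_generate(ts, length, alphabet) == target:
            return ts
    return None


def search_space_sizes(window_seconds: int, length: int = LENGTH,
                       alphabet: str = ALPHABET) -> tuple:
    """(candidates when the creation window is known, candidates for true brute force)."""
    return window_seconds, len(alphabet) ** length


def strong_generate(length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Hardened form: draw from the OS CSPRNG, so there is no seed to recover."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a password created at some second within a one-day window.
    day_start = 1_369_000_000           # arbitrary 2013-era timestamp, constructed
    created_at = day_start + 42_000
    lost_password = weak_generate(created_at)
    found = recover_from_window(lost_password, day_start, day_start + 86_400)
    print("recovered seed:", found, "matches:", found == created_at)
    print("candidates for one day vs brute force:", search_space_sizes(86_400))
    print("CSPRNG password (not reproducible from time):", strong_generate())
```

The second number printed by search_space_sizes is the brute-force space the episode calls infeasible; the first is what remains once the generator's clock dependence is known.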

The Final Sprint and Unexpected Twists

Excitement filled the air as they wrote a program to control the password generator, setting it to generate passwords corresponding to the date range Michael provided. They were effectively traveling back in time, generating millions of passwords from that period.

It's just so satisfying. It's like we're traveling through time. I know it's like, it sounds super cheesy, but it is really fun.

However, their initial attempts resulted in repeated crashes, forcing them back to the drawing board. After days of relentless debugging, they finally achieved a breakthrough, successfully generating a massive list of potential passwords. The anticipation was palpable as they ran this list through their password cracking tool, hoping for a match. Disappointment followed, as the initial attempt yielded no results.

Doubts began to creep in. Had they miscalculated the date range? Were Michael's recollections of the password parameters accurate? The pressure intensified, pushing them to re-evaluate their assumptions.

We then started questioning everything. Were we even hacking the right password generator?

In a stroke of luck, while reviewing Michael’s information, they noticed a discrepancy. A list of Michael’s past passwords hinted at a possible deviation from his initial recollection of the password complexity. Armed with this new insight, they generated a new set of passwords, hoping this time, luck would be on their side.

To their relief, Bruno received a notification - a match! After weeks of tireless effort, they had cracked the code, successfully recovering Michael's long-lost Bitcoin fortune.