Main discussion about vulnerability #12
Replies: 7 comments 7 replies
-
More about mwc1616: I found a blog post about how to predict Math.random(): https://ifsec.blogspot.com/2012/05/cross-domain-mathrandom-prediction.html
-
Btw, I am in the process of building a lab and testing whether the old Math.random() is actually working (Windows 7 VM).
-
I got this working to predict all the next values of Math.random: https://github.com/PwnFunction/v8-randomness-predictor/tree/main
-
I looked at Brainwallet's code. Even the really old versions gathered entropy from mouse movements when you load the page. I found many projects from 2010 - 2014 like this that generate the paper wallet using the Math.random implementation: https://github.com/CryptoStories/storiespaperwallet/blob/master/generate-wallet.html Although new versions use this for additional entropy:
There are other ways to predict Math.random values based on different browsers. Even if you could predict every future and past value, I am still not sure how to take this.seedTime() and figure out the BTC public / private key. Then you have to take the output from Math.random and use seedTime(), in this case 1294200190000 for example, and run it through the Arcfour PRNG. If the same seedTime() is used, the PRNG always returns the same value. But the Math.random values are usually always different.
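Added example (not part of any comment in this thread and not code from the linked projects): why a pool filled from a non-cryptographic generator plus a timestamp gives a fully deterministic Arcfour output, next to a pool filled from the OS CSPRNG. The LCG standing in for Math.random, the pool layout, the 6-byte timestamp mix and all function names are assumptions made for illustration; only the timestamp value comes from the comment above.

```javascript
// Added illustration; every name below is hypothetical, not taken from any wallet project.
const crypto = require('crypto');

// Arcfour (RC4): key schedule over the pool, then n keystream bytes as hex.
function arcfourBytes(key, n) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = [];
  for (let i = 0, j = 0, k = 0; k < n; k++) {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
    out.push(S[(S[i] + S[j]) & 255]);
  }
  return Buffer.from(out).toString('hex');
}

// Deterministic stand-in for a non-cryptographic Math.random (a plain LCG,
// NOT any browser's real algorithm), so the run is reproducible.
function weakRandom(state) {
  let s = state >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32;
}

// Assumed pool layout: 16-bit values from the weak generator fill 256 bytes,
// then a millisecond timestamp is XORed into the first six bytes.
function weakPool(rand, seedTimeMs) {
  const pool = new Uint8Array(256);
  for (let p = 0; p < 256; p += 2) {
    const t = Math.floor(65536 * rand());
    pool[p] = t >>> 8;
    pool[p + 1] = t & 255;
  }
  for (let b = 0, t = seedTimeMs; b < 6; b++, t = Math.floor(t / 256)) pool[b] ^= t % 256;
  return pool;
}

// Hardened pool: every byte comes from the OS CSPRNG.
const strongPool = () => crypto.randomBytes(256);

const SEED_TIME = 1294200190000; // example value quoted in the comment above
const a = arcfourBytes(weakPool(weakRandom(42), SEED_TIME), 32);
const b = arcfourBytes(weakPool(weakRandom(42), SEED_TIME), 32);
const c = arcfourBytes(weakPool(weakRandom(43), SEED_TIME), 32);
console.log(a === b, a === c, arcfourBytes(strongPool(), 32) === a); // true false false
```

The output is only as unpredictable as the pool: with the same generator state and timestamp the bytes repeat exactly, which is why key material should be drawn from `crypto.randomBytes` or `crypto.getRandomValues` instead.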
-
Hi Karl, thanks for the ongoing support on this project; lots of positive advances have been made. I've created a Randstorm group on Telegram if you and anyone else involved in this project want to join. I think we can share information and have discussions more easily on there.
-
Sure, we could use all the people we can get. I added some debugging output to the function to get a better idea of what's happening: https://github.com/RandstormBTC/randstorm/blob/main/debug.txt
-
I have been playing around with this and it's working very well: https://github.com/d0nutptr/v8_rand_buster/tree/master. With about 20 inputs it can find all future values of the 16-bit integers generated in Math.random.
-
Hi, sorry for not opening a discussion here the first time.
This is for discussing the vulnerability.