Brainflayer is a Proof-of-Concept brainwallet cracking tool that uses libsecp256k1 for pubkey generation. It was originally released as part of my DEFCON talk about cracking brainwallets (slides, video, why).
The name is a reference to Mind Flayers, a race of monsters from the Dungeons & Dragons role-playing game. They eat brains, psionically enslave people and look like Lovecraftian horrors.
The current release is more than four times faster than the DEFCON release, and many features have been added.
If brainflayer is useful to you, please get in touch to let me know. I'm very interested in any research it's being used for, and I'm generally happy to collaborate with academic groups.
Just because you can steal someone's money doesn't mean you should. Stealing would make you a jerk. Don't be a jerk.
No support will be provided at this time, and I may ignore or close issues requesting support without responding.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Precompute the bloom filter:
hex2blf example.hex example.blf
Run Brainflayer against it:
brainflayer -v -b example.blf -i phraselist.txt
or
your_generator | brainflayer -v -b example.blf
Brainflayer's design is heavily influenced by Unix philosophy. It (mostly) does one thing: hunt for tasty brainwallets. A major feature it does not have is generating candidate passwords/passphrases. There are plenty of other great tools that do that, and brainflayer is happy to have you pipe their output to it.
Unfortunately, brainflayer is not currently multithreaded. If you want to have it keep multiple cores busy, you'll have to come up with a way to distribute the work yourself (brainflayer's -n and -k options may help). In my testing, brainflayer benefits significantly from hyperthreading, so you may want to run two copies per physical core. Also worth noting is that brainflayer mmaps its data files in shared memory, so additional brainflayer processes do not use up that much additional RAM.
While not strictly required, it is highly recommended to use the following options:
-m FILE
Load the ecmult table from FILE (generated with ecmtabgen) rather than computing it on startup. This will allow multiple brainflayer processes to share the same table in memory, and significantly reduce startup time when using a large table.
-f FILE
Verify bloom filter matches against FILE, a list of all hash160s generated with
sort -u example.hex | xxd -r -p > example.bin
Enough addresses exist on the Bitcoin network to cause false positives in the bloom filter; this option will suppress them.
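Why the -f check matters, as an added example (not Brainflayer's code, and not its .blf format): a generic Bloom filter over constructed 20-byte stand-ins for hash160s reports false positives, and a binary search over sorted fixed-width 20-byte records, the layout that the sort -u / xxd -r -p step produces, rejects them. The filter size, hash count and sample values are assumptions chosen to make false positives visible.

```python
import hashlib

RECORD = 20  # a hash160 is 20 bytes

class Bloom:
    """Generic Bloom filter (illustrative; not Brainflayer's .blf layout)."""
    def __init__(self, bits, k):
        self.bits, self.k, self.arr = bits, k, bytearray(bits // 8)

    def _positions(self, item):
        d = hashlib.sha256(item).digest()  # 32 bytes -> up to 8 indexes
        return [int.from_bytes(d[4*i:4*i+4], "big") % self.bits
                for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.arr[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.arr[p >> 3] >> (p & 7) & 1
                   for p in self._positions(item))

def in_sorted_records(blob, h):
    """Binary search over sorted, fixed-width 20-byte records."""
    lo, hi = 0, len(blob) // RECORD
    while lo < hi:
        mid = (lo + hi) // 2
        if blob[mid*RECORD:(mid+1)*RECORD] < h:
            lo = mid + 1
        else:
            hi = mid
    return blob[lo*RECORD:(lo+1)*RECORD] == h

def demo(n_members=2000, n_probes=20000, bits=16384, k=4):
    # Constructed sample data: SHA-1 digests stand in for 20-byte hash160s.
    members = sorted({hashlib.sha1(b"member-%d" % i).digest()
                      for i in range(n_members)})
    blob = b"".join(members)  # same layout as a sorted binary record file
    bloom = Bloom(bits, k)
    for m in members:
        bloom.add(m)
    probes = [hashlib.sha1(b"probe-%d" % i).digest() for i in range(n_probes)]
    bloom_hits = [p for p in probes if p in bloom]  # all are false positives
    confirmed = [p for p in bloom_hits if in_sorted_records(blob, p)]
    members_ok = all(m in bloom and in_sorted_records(blob, m) for m in members)
    return len(bloom_hits), len(confirmed), members_ok

if __name__ == "__main__":
    print(demo())  # (bloom false positives, survivors of exact check, members ok)
```

With these parameters roughly 2% of non-member probes pass the filter, and none survive the exact lookup.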
Brainflayer supports a few other types of input via the -t option:
-t keccak
passphrases to be hashed with keccak256 (some ethereum tools)
-t priv
raw private keys - this can be used to support arbitrary deterministic wallet schemes via an external program. Any trailing data after the hex encoded private key will be included in brainflayer's output as well, for reference. See also the -I option if you want to crack a bunch of sequential keys, which has special speed optimizations.
-t warp
salts or passwords/passphrases for WarpWallet
-t bwio
salts or passwords/passphrases for brainwallet.io
-t bv2
salts or passwords/passphrases for brainv2 - this one is very slow on CPU, however the parameter choices make it a great target for GPUs and FPGAs.
-t rush
passwords for password-protected rushwallets - pass the fragment (the part of the url after the #) using -r. Almost all wrong passwords will be rejected even without a bloom filter.
Address types can be specified with the -c option:
-c u
uncompressed addresses
-c c
compressed addresses
-c e
ethereum addresses
-c x
most significant bits of public point's x coordinate
It's possible to combine two or more of these, e.g. the default is -c uc.
An incremental private key brute force mode is available for fans of directory.io, try
brainflayer -v -I 0000000000000000000000000000000000000000000000000000000000000001 -b example.blf
See the output of brainflayer -h for more detailed usage info.
Also included is blfchk - you can pipe it hex encoded hash160 to check a bloom filter file for. It's very fast - it can easily check millions of hash160s per second. Not entirely sure what this is good for but I'm sure you'll come up with something.
Should compile on Linux with make provided you have the required devel libs installed (at least openssl and gmp are required along with libsecp256k1's build dependencies). I really need to learn autotools. If you file an issue about a build failure in libsecp256k1 I will close it.
Dependencies should install with
apt install build-essential libgmp-dev libssl-dev
Supported build target is currently Ubuntu 20.04 on amd64/x86_64. Issues with building for other platforms probably won’t be fixed. In particular, Kali Linux is not supported. Support for operating systems other than Linux would require extensive refactoring of Brainflayer's memory optimizations and is not happening.
Redistribution of compiled brainflayer binaries is prohibited, and unauthorized binaries probably contain malware.
The bulk of Brainflayer was written by Ryan Castellucci. Nicolas Courtois and Guangyan Song contributed the code in ec_pubkey_fast.c which more than doubles the speed of public key computations compared with the stock secp256k1 library from Bitcoin. This code uses a much larger table for ec multiplication and optimized routines for ec addition and doubling.
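Introduction: Today I skimmed this short paper: 2016 The Bitcoin Brain Drain - A Short Paper on the Use and Abuse of Bitcoin Brain Wallets. It gave me a general understanding of the downsides of using BrainWallets on the Bitcoin network; the author recommends not using BrainWallets, which is probably also why the official brain wallet website shut down. Principle: The user picks some strings that are meaningful to them and that they can remember, and then through a simple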