Enter the realm of regular expressions

We all have a love-hate relationship with regular expressions, but the only way to get through 8 million lines of RAM with any sort of efficiency was to search for patterns rather than literally looking for random strings. To do this I found an app called SlickEditPro and used their 14-day trial. I would recommend it to anyone in a similar situation; it has its learning curve and peculiarities, but it handled the job so well I can’t complain.

The first regular expression I used was simply S[A-Z0-9]{55}, which looks for a 56-character string of capital letters and digits starting with S. This gave me most of my test keys, but not the ones most closely resembling the process described by the user.

It also gave me something in the order of 800,000 matches, which is far too many. I tried several other regular expressions: lowercase matches, partial matches, keys enclosed in HTML tags, you name it… I tried it.

Mandatory strip: https://xkcd.com/208/

After many tries I started noticing something. Sometimes the private and public keys were present, but not in an obvious way: they were there, mixed with other characters, separated by what seemed to be spaces, taunting us with “We are here, we are here” chants. Instead of appearing like SBO7RIMY3RDQGBDONNSO6KE37FY6GXXDDYGN5CE467AYCP2NOHLHYCQY

It appeared like:

S<NUL>B<NUL>O<NUL>7<NUL>R<NUL>I<NUL>M<NUL>Y<NUL>3<NUL>R<NUL>D<NUL>Q<NUL>G<NUL>B<NUL>D<NUL>O<NUL>N<NUL>N<NUL>S<NUL>O<NUL>6<NUL>K<NUL>E<NUL>3<NUL>7<NUL>F<NUL>Y<NUL>6<NUL>G<NUL>X<NUL>X<NUL>D<NUL>D<NUL>Y<NUL>G<NUL>N<NUL>5<NUL>C<NUL>E<NUL>4<NUL>6<NUL>7<NUL>A<NUL>Y<NUL>C<NUL>P<NUL>2<NUL>N<NUL>O<NUL>H<NUL>L<NUL>H<NUL>Y<NUL>C<NUL>Q<NUL>Y<NUL>

I later learnt from a comment on reddit that it was NUL-separated because the string is stored in UTF-16 (little-endian, so each ASCII character is stored as its own byte followed by 0x00), which also probably means it comes from the JavaScript section of the RAM instead of the HTML.

There is a great read called What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text that explains the difference between encodings and what is happening in the apparently gibberish-laden private key sample above.
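To make the two search shapes concrete, here is an added Python example (my own, not the author’s regular expression and not code from the original post) that scans raw dump bytes for both the plain 8-bit form and the UTF-16LE “S<NUL>B<NUL>O<NUL>…” form. Two things in it are assumptions: the dump is a constructed stand-in rather than real memory, and the key alphabet is restricted to base32 (A-Z and 2-7), which is what the sample key on the page uses and is much tighter than [A-Z0-9]. It also uses a lookahead so matches may overlap, because a key that sits right after another ‘S’ would otherwise be swallowed by the earlier match and missed entirely.

```python
from __future__ import annotations
import re

# A candidate key is 56 characters: 'S' followed by 55 characters.
# ASSUMPTION: base32 alphabet (A-Z, 2-7), taken from the sample key on the
# page. This rejects strings containing 0, 1, 8 or 9 that [A-Z0-9] accepts.
BODY = rb"[A-Z2-7]{55}"

# The page's first attempt, kept for comparison (also with a lookahead).
LOOSE_ASCII_KEY = re.compile(rb"(?=(S[A-Z0-9]{55}))")

# Plain 8-bit text (ASCII, UTF-8 and Latin-1 are byte-identical here).
# The lookahead makes finditer report overlapping candidates, so a key that
# starts one byte after another valid start character is not lost.
ASCII_KEY = re.compile(rb"(?=(S" + BODY + rb"))")

# UTF-16 little-endian: every character is followed by a 0x00 byte, which is
# exactly the "S<NUL>B<NUL>O<NUL>..." shape seen in the dump.
UTF16LE_KEY = re.compile(rb"(?=(S\x00(?:[A-Z2-7]\x00){55}))")

# Sample key as printed on the page.
SAMPLE_KEY = "SBO7RIMY3RDQGBDONNSO6KE37FY6GXXDDYGN5CE467AYCP2NOHLHYCQY"


def build_sample_dump() -> bytes:
    """CONSTRUCTED stand-in for a RAM dump (not real captured memory). Contains:
    - the key as plain text inside an HTML attribute,
    - the key as UTF-16LE inside a JavaScript-looking string literal,
    - a 56-character decoy that [A-Z0-9]{55} accepts but base32 rejects,
    - the key immediately preceded by other 'S' bytes (overlap case),
    all separated by arbitrary binary filler."""
    html = b'<input type="text" value="' + SAMPLE_KEY.encode("ascii") + b'">'
    js = ('var secret = "' + SAMPLE_KEY + '";').encode("utf-16-le")
    decoy = b"S0" + b"A" * 54                    # '0' is not valid base32
    adjacent = b"PASS" + SAMPLE_KEY.encode("ascii")
    junk = bytes(range(256))                     # every byte value once
    return junk + html + junk + js + junk + decoy + junk + adjacent + junk


def find_keys(dump: bytes) -> dict[str, set[str]]:
    """Scan raw bytes (never a decoded string: decoding a dump as UTF-8
    fails or mangles it). Returns {candidate: {encodings it appeared in}}."""
    found: dict[str, set[str]] = {}
    for m in ASCII_KEY.finditer(dump):
        found.setdefault(m.group(1).decode("ascii"), set()).add("ascii")
    for m in UTF16LE_KEY.finditer(dump):
        found.setdefault(m.group(1).decode("utf-16-le"), set()).add("utf-16le")
    return found


def loose_candidates(dump: bytes) -> set[str]:
    """Candidates under the page's original [A-Z0-9] alphabet, for comparison."""
    return {m.group(1).decode("ascii") for m in LOOSE_ASCII_KEY.finditer(dump)}


if __name__ == "__main__":
    dump = build_sample_dump()
    print("loose alphabet candidates:", len(loose_candidates(dump)))
    for key, encodings in sorted(find_keys(dump).items()):
        print(key, sorted(encodings))
```

Running it on the constructed dump shows the real key found in both encodings, the decoy rejected by the base32 alphabet, and two spurious overlap candidates (“SS…” and “S…”) reported alongside the real one. Those extras are the price of not missing a key embedded in a longer run of valid characters; on a real dump, anything seen in both encodings is the first thing to try.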

That was the epiphany moment, the “Wait a minute here”. I wrote a quick regular expression which turned out to be the winner. Keep in mind that all these tests were performed initially by me but had to be repeated on the actual RAM dump by the user, so I had to patiently wait until he tested each one before rejecting or insisting on that approach. I didn’t want to have access to someone else’s RAM dump; I’m too curious not to snoop around, so this was the only way.

There it is in all its glory

I think it can be simplified a lot; it could be written more succinctly and probably perform better, but the fact of the matter is that it saved the day and helped the user recover his wallet. It also resulted in me getting the reward, and some people even tipped me on reddit! But that’s not the point.

Cue the excitement, the “Oh my f***ing god we did it”, the praising, the adrenaline rush that must come from recovering what is not a small amount of money, the smiles on both sides of the screen, and then, just like that, it was over.

Conclusions

If you are in a similar situation and were lucky enough to make a RAM dump, or are still in a position to make one (you haven’t rebooted the computer, for example), give it a try. Don’t let the Internet replies bring you down; perhaps there is still a light to pursue.

I’m also left without my after-work hobby so I’ll need to find something else.

If you are like /u/badusernam and feel you want to move out of your exchange, please first do your research, and if you are convinced you want to be in charge of your keys, I would suggest you get one of those fancy Ledger Nano S hardware wallets, which have proven to work astoundingly well.

I wrote a story about the hardware wallets here