Share this page!

Brendan Dolan-Gavitt Profile picture
Twitter logo
1 Sep, 4 tweets, 1 min read
TFW you're happy that your GPU-accelerated hash finder gets 24 million hashes/sec but then you remember hashcat can do ~65 BILLION MD5 hashes/sec on the same device...
If anyone would like to tell me how hashcat manages to pull off this feat I'd be super curious, 3000X faster is a LOT (and MD5 is more complex than the function I'm trying to compute!)
Current code if anyone wants to take a look gist.github.com/moyix/f78e0b0d…
It's trying to cover the space [a-z]{11} so each thread gets a slice of that space, converts the start index into a base-26 number, and then increments the base-26 number and checks its hash (assuming I did it right :p).

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Brendan Dolan-Gavitt

Brendan Dolan-Gavitt Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @moyix

Brendan Dolan-Gavitt Profile picture
2 Sep
While I wait for the GPU to churn through 2*26^11 possibilities, a brief recap of how we got here. It started when I noticed this bit of code in the @GitHubCopilot Visual Studio Code extension that detects naughty words in either the prompt or the suggestions. Screenshot of the Github Co...
Because the words are hashed, we have to guess what words might be in the list, compute the hash of each, and then check to see if it's in the list (just like cracking password hashes).
This managed to decode about 75% of the list right off the bat, and turned up some weird entries, like "israel" and "communist"
Read 21 tweets
Brendan Dolan-Gavitt Profile picture
2 Sep
After scoring the 854,653 solutions found by the CUDA hash cracker using GPT-2, I believe we have solved another two of the remaining slurs - the highlighted word and its plural! (The scores here are log-probabilities) whartinkala -38.659 jfraskeride -38.49 actnopathik
Only two hashes are left uncracked:

272617466 and 867567715

Good thing I have two GPUs 😎
(To be scrupulously fair I suspect a couple of the "decoded" entries on the list, like "w00se" and "jui ch", are collisions. But I have to draw the line somewhere.)
Read 5 tweets
Brendan Dolan-Gavitt Profile picture
1 Sep
I feel like I always get tripped up on silly things with CUDA – like: I can compute all these results very fast, but actually saving and reporting them somewhere is a huge pain.
Either I just call printf() device-side and tank performance or I have to manage parallel host and device buffers, synchronize between GPU threads for adding things to the result list and lose the ability to see results as they come in.
Here's what I'm trying to implement now but it seems more complex than it ought to be... stackoverflow.com/questions/2034…
Read 5 tweets
Brendan Dolan-Gavitt Profile picture
30 Aug
Question for Z3Py experts: my model has an Array assignment like this:

[word0 = Store(Store(Store(Store(Store(K(BitVec(32), 107), 3, 110), 6, 0), 0, 115), 2, 97), 4, 99)]

How can I add its negation (Or(word0[i] != model[word0[i]]) for i in range(arraylen)) to the constraints?
Unfortunately since the constraints were loaded in from an SMT file I don't have the original Array, nor do I know how to retrieve it from the constraint object or model...
Ok this just feels cheeky: I asked Z3 for an array word0 where word0 != FirstSolution. It happily provided me with such an array: FirstSolution but with array index 1073741824 set to 64. This is how I learned Z3 has no concept of array length.
Read 7 tweets
Brendan Dolan-Gavitt Profile picture
30 Aug
Copilot's slur detector uses the following "hash" function:

function obfuscateWord(e) {
let t = 0x17ed2e7f1ccbb000;
for (let n = 0; n < e.length; n++) t = 33 * t ^ e.charCodeAt(n);
return t
}

What can we learn about a word from its hash?
One thing I noticed is that if two words differ only in their last letter, we have:

hash(w1) ^ hash(w2) =
(t1*33 ^ w1[-1]) ^ (t2*33 ^ w2[-1]) =
w1[-1] ^ w2[-1]

So by looking at XOR of two hashes we can learn what the XOR of the last two letters to narrow down the possibilities.
Can you figure out the length of the string? Maybe... the multiplication by 33 dominates, but for longer strings the amount of error in your guess gets bigger and bigger.
Read 9 tweets
Brendan Dolan-Gavitt Profile picture
5 Aug
A VQGAN+CLIP interpretation of Kubla Khan (Or, a vision in a dream. A Fragment.) by Coleridge, style by @GurneyJourney [inspired by @moultano's Sacred Library]
________
In Xanadu did Kubla Khan
A stately pleasure-dome decree:
Where Alph, the sacred river, ran
Through caverns measureless to man
Down to a sunless sea.
Read 31 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @moyix has new unrolls!

Check out other threads from @moyix!

Read all threads by @moyix

:(