Decrypt private key by passphrase alone, possible?

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: morbius55 on March 29, 2021, 02:44:17 PM

I have already used dumpwallet with pywallet on the recovered wallets I found with a full drive scan. This is a wallet.dat I found in a lost partition by using recovery software. The file won't dump like the other wallets, as I think it is corrupted, and shows as 96kb before using pywallets dumpwallet command. The resulting dumped wallet is only 32kb and says "wallet is encrypted passphrase is correct" but unlike the others it shows only one encrypted private key and nothing else apart from salt and a number. The one encrypted key is a different alphanumeric number to any of the other encrypted private keys I have recovered, so obviously it could be the one I'm after. None of the wallets are usable in the normal way in bitcoin core no matter what command you use as they are corrupted. I have used the passphrase on the other recovered wallet.dats and it shows all the addresses, private keys, mkey etc ie it decrypts the wallets.

Using the --dumpwallet command with PyWallet should simply output straight plaintext that shows addresses, public and private keys etc...

So the file sizes of the actual recovered wallet.dat and the Pywallet "dumpwallet" output may not necessarily be related. So, I would not get hung up on the 96kb vs 32 kb thing.

If however, after you use --dumpwallet and give it the --passphrase parameter and it outputs garbage (ie. the "sec" or "secret" fields are not valid WIF private keys), then there is a very good chance that either the wallet.dat is not a BTC wallet.dat... or that the file contents is indeed corrupted beyond repair. Undecided

rterwedo

newbie

Activity: 11

Merit: 2

Quote from: morbius55 on March 29, 2021, 02:44:17 PM

Quote from: Chikito on March 28, 2021, 08:56:24 PM

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

I have a wallet.dat file that I recovered from a hard drive using recovery software. I ran pywallet through it, and all it showed was one encrypted private key and a salt and I knew the correct passphrase, which I used . I have also used pywallet on the full 400G drive, and all those recovered files found by that method have included address, public key, master key etc. The lone encrypted private key is different to any of the ones found by doing the full drive search.

why make it so hard?, you have a wallet.dat file, if you have that password, you can easily get the private key by dumpwallet command on the console. You also don't need to sync network or download the full blockchain for that.

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

The lone encrypted private key is different to any of the ones found by doing the full drive search.

I guess it's not bitcoin's private key.

I have already used dumpwallet with pywallet on the recovered wallets I found with a full drive scan. This is a wallet.dat I found in a lost partition by using recovery software. The file won't dump like the other wallets, as I think it is corrupted, and shows as 96kb before using pywallets dumpwallet command. The resulting dumped wallet is only 32kb and says "wallet is encrypted passphrase is correct" but unlike the others it shows only one encrypted private key and nothing else apart from salt and a number. The one encrypted key is a different alphanumeric number to any of the other encrypted private keys I have recovered, so obviously it could be the one I'm after. None of the wallets are usable in the normal way in bitcoin core no matter what command you use as they are corrupted. I have used the passphrase on the other recovered wallet.dats and it shows all the addresses, private keys, mkey etc ie it decrypts the wallets.

The old encryption actually consists of 2 parts. A master key is hardened and encrypted with your passphrase. This is what you lock/unlock when entering it. The private key is then encrypted with the plaintext of the master key + 2xSHA256(public_key) as the IV. In order to decrypt a private key you need the plaintext of the master key + public key (which is typically stored in plaintext in the wallet).

If I had to guess - you either have an unencrypted private key already, just in a different format OR the tools errored when trying to process the wallet file because its corrupted.

Since you are dealing with corrupt data you need to do byte by byte computations/comparisons and work through the file. Assume X bytes are the public key, sha256 this twice, assume X bytes are the encrypted master key (you only need the first part as the IV is XOR with first block). Take the outputs and covert to addresses and see if there is a balance (or compare to a known address with a balance).

FYI there are byte sequences to look for for pub and private keys.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

If you have Ruby programming language on your system you can try installing this https://github.com/Gurpartap/aescrypt and then in its command prompt run something like:

Code:

message = AESCrypt.decrypt("the encrypted private key" + "salt", "password")
puts message

It may not work but it's worth a shot.

Similar library for PHP, that may or may not work depending on whether Bitcoin Core uses a fixed IV (a third string that's used in encryption): https://github.com/shetabit/AES

Code:

require "AES.php";

$aes = new AES(
# This argument will be a problem because Bitcoin Core uses a random cipher
# and not this, it may also be in the wallet.dat file
	'WR7rLKlVvJdEAIzHUMpt4dcEKsXPinIU2KiWzm++bhg=',
	'AES-256-CBC',
);

$encrypted = "encrypted key followed by salt"

$decrypted = $aes->decrypt($encrypted);

echo "Decrypted : {$decrypted}
";

There's no field for password though and I'm not sure where you'd put that.
This can also be ran in a local command line.

BitMaxz

legendary

Activity: 3374

Merit: 3095

BTC price road to $80k

Quote from: morbius55 on March 29, 2021, 02:44:17 PM

I have already used dumpwallet with pywallet on the recovered wallets I found with a full drive scan. This is a wallet.dat I found in a lost partition by using recovery software. The file won't dump like the other wallets, as I think it is corrupted, and shows as 96kb before using pywallets dumpwallet command. The resulting dumped wallet is only 32kb and says "wallet is encrypted passphrase is correct" but unlike the others it shows only one encrypted private key and nothing else apart from salt and a number. The one encrypted key is a different alphanumeric number to any of the other encrypted private keys I have recovered, so obviously it could be the one I'm after. None of the wallets are usable in the normal way in bitcoin core no matter what command you use as they are corrupted. I have used the passphrase on the other recovered wallet.dats and it shows all the addresses, private keys, mkey etc ie it decrypts the wallets.

Do you get error when importing it with bitcoin core? something like "Your wallet file may be corrupt"

Can you try the method from the link below?

- How to recover your corrupt or deleted Bitcoin Core wallet

Check the 2nd method under "Corrupt wallets" it's the other way to decrypt the wallet.dat file using OpenSSL and BitcoinJ and try it and maybe it can decrypt the wallet file and shows the decrypted private key.

morbius55

full member

Activity: 217

Merit: 109

Quote from: Chikito on March 28, 2021, 08:56:24 PM

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

I have a wallet.dat file that I recovered from a hard drive using recovery software. I ran pywallet through it, and all it showed was one encrypted private key and a salt and I knew the correct passphrase, which I used . I have also used pywallet on the full 400G drive, and all those recovered files found by that method have included address, public key, master key etc. The lone encrypted private key is different to any of the ones found by doing the full drive search.

why make it so hard?, you have a wallet.dat file, if you have that password, you can easily get the private key by dumpwallet command on the console. You also don't need to sync network or download the full blockchain for that.

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

The lone encrypted private key is different to any of the ones found by doing the full drive search.

I guess it's not bitcoin's private key.

I have already used dumpwallet with pywallet on the recovered wallets I found with a full drive scan. This is a wallet.dat I found in a lost partition by using recovery software. The file won't dump like the other wallets, as I think it is corrupted, and shows as 96kb before using pywallets dumpwallet command. The resulting dumped wallet is only 32kb and says "wallet is encrypted passphrase is correct" but unlike the others it shows only one encrypted private key and nothing else apart from salt and a number. The one encrypted key is a different alphanumeric number to any of the other encrypted private keys I have recovered, so obviously it could be the one I'm after. None of the wallets are usable in the normal way in bitcoin core no matter what command you use as they are corrupted. I have used the passphrase on the other recovered wallet.dats and it shows all the addresses, private keys, mkey etc ie it decrypts the wallets.

PawGo

legendary

Activity: 952

Merit: 1385

What about https://bitcointalksearch.org/topic/m.55565382 ?

Chikito

legendary

Activity: 2366

Merit: 2054

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

I have a wallet.dat file that I recovered from a hard drive using recovery software. I ran pywallet through it, and all it showed was one encrypted private key and a salt and I knew the correct passphrase, which I used . I have also used pywallet on the full 400G drive, and all those recovered files found by that method have included address, public key, master key etc. The lone encrypted private key is different to any of the ones found by doing the full drive search.

why make it so hard?, you have a wallet.dat file, if you have that password, you can easily get the private key by dumpwallet command on the console. You also don't need to sync network or download the full blockchain for that.

Quote from: morbius55 on March 28, 2021, 03:29:26 PM

The lone encrypted private key is different to any of the ones found by doing the full drive search.

I guess it's not bitcoin's private key.

morbius55

full member

Activity: 217

Merit: 109

Quote from: math09183 on March 28, 2021, 03:09:22 PM

Quote from: morbius55 on March 28, 2021, 01:51:25 PM

I have an encrypted private key and I know the passphrase, plus I have a salt. Is It possible to get the private key? It is from an old Bitcoin core wallet. Thanks for any help.

I do not understand. What do you have? Wallet file? Or private key exported?
Usually when you export from Bitcoin Core (dumpprivkey) it exports key to WIF format, which is not encrypted. (starting with 5.... 51 characters or starting with K or L... 52 characters).

I have a wallet.dat file that I recovered from a hard drive using recovery software. I ran pywallet through it, and all it showed was one encrypted private key and a salt and I knew the correct passphrase, which I used . I have also used pywallet on the full 400G drive, and all those recovered files found by that method have included address, public key, master key etc. The lone encrypted private key is different to any of the ones found by doing the full drive search.

math09183

member

Activity: 170

Merit: 58

Quote from: morbius55 on March 28, 2021, 01:51:25 PM

I have an encrypted private key and I know the passphrase, plus I have a salt. Is It possible to get the private key? It is from an old Bitcoin core wallet. Thanks for any help.

I do not understand. What do you have? Wallet file? Or private key exported?
Usually when you export from Bitcoin Core (dumpprivkey) it exports key to WIF format, which is not encrypted. (starting with 5.... 51 characters or starting with K or L... 52 characters).

morbius55

full member

Activity: 217

Merit: 109

I have an encrypted private key and I know the passphrase, plus I have a salt. Is It possible to get the private key? It is from an old Bitcoin core wallet. Thanks for any help.

Topic: Decrypt private key by passphrase alone, possible? (Read 232 times)