Author

Topic: Hex pattern for electrum wallet (Read 198 times)

legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
April 03, 2020, 12:31:53 AM
#6
One thing that I've noticed is every fully encrypted wallet mostly starts with "QklFMQ" when opened using a text editor.
Starts with "42 49 45 31" when converted the full base64 string into hex.

But it starts with "51 6B 6C 46 4D 51" if you directly convert the wallet file into HEX, not the contents.

Those are varying in length so it will be hard to pin-point what you're looking for if you just have a hex dump of your disk.
legendary
Activity: 3472
Merit: 10611
April 02, 2020, 10:45:26 PM
#5
with only the = its very common pattern

you are talking about base-64 encoding of an arbitrary length data (wallet file that has transactions inside that can be any size), so there really is no way to say which padding is the most common. most probably all 3 possibilities (2 pads, 1 pad, and no pad) are equally possible.
member
Activity: 74
Merit: 10
April 02, 2020, 03:27:58 PM
#4
That depends on whether or not a password was used and/or whether or not full file encryption was used.

Electrum supports THREE different options:

1. Unencrypted (wallet is stored in plaintext)
  - No password required

2. "Secrets only" encrypted (wallet is still plaintext, but the "secrets" (private keys/seeds etc) are encrypted)
  - Wallet will open without the password, but password required to send transactions/view seed and private keys etc

3. Full file encryption
  - Wallet will not even open without password


In any case, the file itself is just a simple text file... not sure you'll find a "standard" hex pattern that will guarantee identification of an Electrum wallet file.

In cases #1 & #2, a plaintext file search for: "wallet_type" should find those...

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that
In case #3, I've some that end in == and some that end in = and some that don't... Undecided







with only the = its very common pattern
HCP
legendary
Activity: 2086
Merit: 4361
April 02, 2020, 03:04:18 PM
#3
That depends on whether or not a password was used and/or whether or not full file encryption was used.

Electrum supports THREE different options:

1. Unencrypted (wallet is stored in plaintext)
  - No password required

2. "Secrets only" encrypted (wallet is still plaintext, but the "secrets" (private keys/seeds etc) are encrypted)
  - Wallet will open without the password, but password required to send transactions/view seed and private keys etc

3. Full file encryption
  - Wallet will not even open without password


In any case, the file itself is just a simple text file... not sure you'll find a "standard" hex pattern that will guarantee identification of an Electrum wallet file.

In cases #1 & #2, a plaintext file search for: "wallet_type" should find those...

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that
In case #3, I've some that end in == and some that end in = and some that don't... Undecided






member
Activity: 378
Merit: 53
Telegram @keychainX
April 02, 2020, 11:56:17 AM
#2
I'm trying to find an electrum wallet on a disk, it was saved without an extension - can anyone tell me what hex pattern I could search for to find the file?

Thanks a mill. Smiley

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that
sr. member
Activity: 348
Merit: 251
April 02, 2020, 11:35:58 AM
#1
I'm trying to find an electrum wallet on a disk, it was saved without an extension - can anyone tell me what hex pattern I could search for to find the file?

Thanks a mill. Smiley
Jump to: