Pages:
Author

Topic: Wallet recovery (contains over 250 BTC), reward offered (Read 3474 times)

brand new
Activity: 0
Merit: 0

I can provide recovery services. Please provide a copy. I will charge 20% after success. Please provide your old address in the email and the new address used to accept Bitcoins that can be successfully repaired. My email address is hdd202110@ gmail.com
donator
Activity: 826
Merit: 1060
Did the keys get recovered, or whats the status ?
There's nothing in the wallet.dat file that even remotely resembles the contents of a Bitcoin wallet. Presumably there has been filesystem corruption.

I told the owner I couldn't do any more with the wallet. I recommended to the owner that he uses low-level tools to scan his hard disk for the sequence of bytes that could indicate the presence of Bitcoin keys. I don't know whether this has been done. I didn't offer to do it myself because (a) I'm not in the same country, and (b) he uses Windows, with which I'm not familiar.
full member
Activity: 121
Merit: 100
Did the keys get recovered, or whats the status ?
legendary
Activity: 1288
Merit: 1227
Away on an extended break
Ask casacius. He has a long and proven track record of recovering stuff from a damaged wallet.
People trust him a lot as he sells those physical bitcoins, which he could screw people by keeping a copy of the private key.
sr. member
Activity: 476
Merit: 250
moOo
send me a copy, i'll fix it.
Thanks for the offer joulesbeef, but I prefer to wait a little while to see if I get an offer from someone with a visible track record of wallet support or troubleshooting. If no-one responds, I'll take you up on it in a day or two.


I actually do have such a record.. you might have to dig a bit in my comment history, but i have repaired several, including my own.

Anyways, I dont care either way.. right now it doesnt sound so good.

Even if you get it fixed and move the coin somewhere safe, i wouldnt mind a crack at the wallet. I enjoy fixing them and it is a good ability to have.
legendary
Activity: 1022
Merit: 1000
Freelance videographer
Can you send me a copy? I want to see if simple tools in my client (non standard bitcoin client) can recover wallet.
sr. member
Activity: 286
Merit: 251
No, its not (not simple, that is.) . And doing this type of thing there are in fact many traps for the unwary. This is why it actually could be more practical (though I HATE to say it) for him to take the disk out and mail it to someone. Its very important though that any normal activity on the computer is stopped right now, and it should be left in a corner switched off until this disk image has been made. A half-competant local computer shop could also probably do this, allowing him to use the computer *and* mail it off to someone. He could also take them the disk, since removing it is a purely mechanical thing.

donator
Activity: 826
Merit: 1060
Thanks mintymark, that makes sense.

It's not going to be easy to talk him through this remotely, when he has never used unix, dd, format, etc but I think it's the best way forwards.
sr. member
Activity: 286
Merit: 251
Here is what I would do:

1)  Prepare
     a) A usb key containing a live unix instalation boot image, for example, ubuntu would do.
     b) A new harddrive of similar size or bigger to the ones in the machine.

2)  Boot the machine being sure to use the keydrive.

3) Format the new disk, making sure not to accidentally format the windows drive(s).
    and mount it.

4) Use dd or its ofspring to make an image of the old disk(s) on the newly formatted disk.
   
5) Search for the byte patterns as described on this or another computer.

6) If unsuccessful consider sending a compressed version of the disk images to selected people here
    to see if more can be done. It will take time but a disk image can be sent, or it can be mailed as a dvd image.

Alternative is to have him mail the harddisk to some one you both trust to try to perform this. Perhaps yourself.
legendary
Activity: 1072
Merit: 1181
The 279-byte pattern for private keys is not used when the wallet is encrypted, so that could cause the problem. However, you would still expect to find certain strings inside...
donator
Activity: 826
Merit: 1060

What you need to do at this point is run pattern a finder directly on
his hard drive to look for private keys directly at the disk sector level.

Yes. This is what the "--recover" option of jackjack's version of pywallet does. It scans the disk at the sector level, looking for keys.

But the owner of the wallet runs Windows, which I haven't used since 1998. I have no idea how to install python on it, or even how to name the raw drive (as opposed to the formatted volume). Nor do I have physical access to the machine, or I'd just boot up a Linux rescue disk and scan from there.

If anyone does know how to do this on Windows, and is willing to patiently talk the guy through it by skype, I'll pay for their time in BTC whether successful or not.

Or maybe there's a simpler tool with fewer dependencies that will just scan the disk for a magic bitcoin pattern such as "30 82 01 13 02 01 01 04 20" (as posted by dayfall). If that's not present, I guess all hope of recovery is gone.
sr. member
Activity: 312
Merit: 250
It seems the only remaining possibility is to run the "--recover" option of jackjack's pywallet tool on the original hard disk.

I'd forget pywallet until you can find the 279 byte key.  Unless you don't actually have a copy of the wallet, I think the only hope is that the file size was truncated and the key is on unused space on the disk.  In which case he will have to run low level disk tools.

I say there needs to be a print wallet option in the client, that prints qrcodes of the private keys (encripted or not).  At least a "backup" menu option.  In your friend's defense, I can't find anywhere official that says "copy your wallet.dat to a usb key and store it securely.  The data in this file IS the access to your money!"
donator
Activity: 826
Merit: 1060
Byte        Length  Data
0 - 8       9       Always the same (see CONST 1).
...
CONST 1:
30 82 01 13 02 01 01 04 20
Thanks, but I searched with a hex editor, and that string (i.e. CONST 1) does not occur anywhere in the wallet file, nor does CONST 2. So it looks like wallet.dat is completely corrupt.

It seems the only remaining possibility is to run the "--recover" option of jackjack's pywallet tool on the original hard disk. However, the guy who lost the wallet runs Windows, which I haven't used since about 1998, so I wouldn't know where to begin.

Is there a trusted member who is familiar with pywallet's "--recover" option AND is prepared to talk the wallet owner through the process of installing python and scanning his hard disk (probably by skype)?

I'm prepared to pay a reasonable reward for the successful recovery of the wallet, based on time taken.
sr. member
Activity: 312
Merit: 250
214 - 279   65      Public key


Yes, I tried this and it works.  Input the 65 bytes into the second box on http://gobittest.appspot.com/Address and it should give you the corresponding public key hash (address).

I suppose there are python scripts to import those bytes into another wallet, but I remember having to modify them a while back so I could import the format I wanted.  I wanted to import the hex version and I think it only accepted base58 at the time.  What I have is really messy but you can have it if nothing else works.  Obviously you have to have the hex of the public key first.
sr. member
Activity: 312
Merit: 250
I don't know where I got this, but here is an explanation of the HEX data.  You should be able to get the private keys out easily.

"The 279-byte "private key" is a DER key which actually contains both the
private and public keys.
The private key on its own is 32 bytes. The public key is 65 bytes.

Both keys are contained in a fixed location in the DER key.
Let's break the DER key down:

Byte        Length  Data
0 - 8       9       Always the same (see CONST 1).
9 - 40      32      PEM private key
41 - 213    173     Always the same (see CONST 2).
214 - 279   65      Public key

CONST 1:
30 82 01 13 02 01 01 04 20

CONST 2:
a081a53081a2020101302c06072a8648ce3d0101022100ffffffffffffffffffffffffffffffff
fffffffffffffffffffffffefffffc2f300604010004010704410479be667ef9dcbbac55a06295
ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b4
48a68554199c47d08ffb10d4b8022100fffffffffffffffffffffffffffffffebaaedce6af48a0
3bbfd25e8cd0364141020101a144034200

Note that the first byte of the public key is always 04. This is apparently
followed by a 32-byte X coordinate and a 32-byte Y coordinate.

The above constants are also identical when simply calling EC_KEY_generate_key
without any configuration (so they must be the default values for OpenSSL)."
donator
Activity: 826
Merit: 1060
send me a copy, i'll fix it.
Thanks for the offer joulesbeef, but I prefer to wait a little while to see if I get an offer from someone with a visible track record of wallet support or troubleshooting. If no-one responds, I'll take you up on it in a day or two.
donator
Activity: 826
Merit: 1060
Maybe he has enabled wallet encryption by mistake?
My own encrypted wallet still has lots of NUL characters at the beginning. It's the database content that is encrypted, rather than the database file, so I don't think accidental wallet encryption would produce the observed symptoms (unless it works differently under Windows).
sr. member
Activity: 476
Merit: 250
moOo
send me a copy, i'll fix it.
hero member
Activity: 910
Merit: 1005
Maybe he has enabled wallet encryption by mistake?
legendary
Activity: 1896
Merit: 1353
[...] an influential blogger [...] he does know he should have had a backup system in place

I hope that he will be able to recover his coins.
if he is an influential blogger, perhaps he could use his power to educate people about deterministic wallets?
you know, those wallets that can be recovered by a seed, and that you do not need to backup more than once.
Pages:
Jump to: