Author

Topic: wallet.dat (hex code) in 2009 (Read 1424 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
May 11, 2022, 06:09:26 AM
#21
I was wondering if it's possible to find the wallet with keys if that wallet was an encrpted?
I have the old drive and forensics shows data but i can't find the wallet with hex and the mentioned sequence. is there a differenet sig for an encrpted wallet? or is it truely lost?

It's possible, tools such as pywallet can do it even if the file is marked as deleted. Most magic bytes applicable for both unencrypted and encrypted wallet. You might want to check few magic bytes/signature at https://bitcoin.stackexchange.com/a/41450.

I may have been decieved or scammed? but this was a first year wallet with the first qt client and had what i think I rememeber was 1000 coins?

By any chance, did you buy wallet.dat file online?
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
May 11, 2022, 03:25:22 AM
#20
I know this is a very old thread but i'm coming up short on all my google searches.
I was wondering if it's possible to find the wallet with keys if that wallet was an encrpted?
I have the old drive and forensics shows data but i can't find the wallet with hex and the mentioned sequence. is there a differenet sig for an encrpted wallet? or is it truely lost?
I may have been decieved or scammed? but this was a first year wallet with the first qt client and had what i think I rememeber was 1000 coins?

 Huh

Imho your best choice is to make your own separate topic explaining (much) more clearly your situation and asking for help.
Asking in such old topics will get no answers from the original user(s) anyway, since those people are usually inactive for years already.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
May 11, 2022, 03:17:07 AM
#19
I was wondering if it's possible to find the wallet with keys if that wallet was an encrpted?
I have the old drive and forensics shows data but i can't find the wallet with hex and the mentioned sequence. is there a differenet sig for an encrpted wallet? or is it truely lost?

I believe it uses the same signature bytes. According to my memory, I saw berkeley db entries for "key" and "ckey" (unencrypted and encrypted it stands for, I believe), having a common byte sequence like that one.

Quote
I may have been decieved or scammed? but this was a first year wallet with the first qt client and had what i think I rememeber was 1000 coins?

 Huh

Please explain your situation more, because we have no idea how you would've been scammed like this.
newbie
Activity: 1
Merit: 0
May 11, 2022, 03:02:49 AM
#18
 I know this is a very old thread but i'm coming up short on all my google searches.
I was wondering if it's possible to find the wallet with keys if that wallet was an encrpted?
I have the old drive and forensics shows data but i can't find the wallet with hex and the mentioned sequence. is there a differenet sig for an encrpted wallet? or is it truely lost?
I may have been decieved or scammed? but this was a first year wallet with the first qt client and had what i think I rememeber was 1000 coins?

 Huh
jr. member
Activity: 184
Merit: 3
June 10, 2018, 03:20:48 AM
#17
Nothing works, it's dull. some kind of sadomasochism (linux). pywallet < this just install the whole attraction. Assembler with dos is no longer relevant?..))
legendary
Activity: 2128
Merit: 1073
June 09, 2018, 09:17:11 PM
#16
Linux: ./keyhunter.py /dev/sdc

/dev/sdc is a "device" like a harddisk... unfortunately, you can't do this in Windows. It doesn't work that way.
It does work just fine on Windows. The syntax is something like keyhunter.py \\.\PhysicalDisk2 . Of course one does have to use "elevated command prompt" a.k.a. "run as administrator".
HCP
legendary
Activity: 2086
Merit: 4361
June 09, 2018, 09:08:52 PM
#15
It will only scan the entire disk if you're using Linux... as you can pass a "device" name to the keyhunter.py script in Linux and keyhunter.py will attempt to treat it like a "file" and start reading through it.

Linux: ./keyhunter.py /dev/sdc

/dev/sdc is a "device" like a harddisk... EDIT: unfortunately, you can't do this in Windows. It doesn't work that way. So, you'd need to create an image file of your disk using some sort of disk imaging tool and then pass that image file to the script.

For windows you need to use \\.\PhysicalDiskN where N is the number of the disk you are trying to read (Credit to 2112):
Code:
C:\Python27\python.exe C:\Python27\keyhunter.py \\.\PhysicalDisk2

Otherwise, your best bet is to forget about keyhunter... and use pywallet. It has a recover mode for scanning whole disks/images.
jr. member
Activity: 184
Merit: 3
June 09, 2018, 01:02:53 AM
#14
As if he quickly works out if he ran all the hard and did not write anything and then immediately gives out. For the test set, core 0.4.0., v0.1 Well, how do I check the CDs for them?

Created wallet.dat in v0.1 version the same. ./C: \ Python27\keyhunter.py

It should scan the entire disk, and not on the way to watch AppData\Roaming\Bitcoin
HCP
legendary
Activity: 2086
Merit: 4361
June 08, 2018, 08:14:55 PM
#13
Looking at the code for keyhunter.py, it only prints output if it finds keys in the file. If you are getting no output, then the script was unable to find any keys.

It basically just opens the file and starts reading bytes looking for the sequence: '\x01\x30\x82\x01\x13\x02\x01\x01\x04\x20'

So, if that sequence of bytes is not detected anywhere in the file, it will return empty.

Have you tried testing it with a known good file? Ie. A new empty wallet.dat to make sure that the script actually works? I'd suggest using an encrypted and an unencrypted wallet.dat

Once you have confirmed that the script works on a known good wallet file, you can try it on the old file.
jr. member
Activity: 184
Merit: 3
June 08, 2018, 11:42:16 AM
#12
Quote
Are you trying to run the script from the command line? Or are you simply double clicking it? Huh
Edit with IDLE \ Run \ Run module

Quote
C:\Python27\python.exe C:\Python27\keyhunter.py
I get it ./C:\Python27\keyhunter.py


If you add a filename C:\Python27\python.exe C:\Python27\keyhunter.py aaa.txt nothing happens.



HCP
legendary
Activity: 2086
Merit: 4361
June 08, 2018, 10:02:10 AM
#11
Are you trying to run the script from the command line? Or are you simply double clicking it? Huh

Python and Python scripts run OK when using Windows 10... I write and run them all the time.

However, you cannot just double click on the file,a you need to run it from a "command" window...

Code:
C:\Python27\python.exe path\to\keyhunter.py

So, if keyhunter.py is in the C:\Python27 directory like your post suggests... Try opening a command prompt (WINDOWS+R, type cmd and press enter):
Code:
C:\Python27\python.exe C:\Python27\keyhunter.py
jr. member
Activity: 184
Merit: 3
June 07, 2018, 11:26:03 PM
#10
Quote
if you don't find a key, maybe at some point you zipped the file to move from machine to machine. a zipped file will not have the same signature.
you can use recovery tools to find all old zip files ( this is really tedious, and a external drive will shine here ) unzip them, and search using keyhunter.py
And if wallet.dat was renamed for disguise in something.rar? How does this keyhunter.py run under windows 10? To me write this and proposes to kill the program

Quote
Python 2.7.15 (v2.7.15:ca079a3ea3, Apr 30 2018, 16:30:26) [MSC v.1500 64 bit (AMD64)] on win32
Type "copyright", "credits" or "license()" for more information.
>>>
===================== RESTART: C:\Python27\keyhunter.py =====================
./C:\Python27\keyhunter.py
>>>
HCP
legendary
Activity: 2086
Merit: 4361
February 18, 2018, 09:24:43 PM
#9
Will the WINHEX method work with the encrypted Litecoin qt wallet?
Honestly no idea... I'd probably use Pywallet... it can be made to work with coins other than Bitcoin by using the appropriate "--otherversion" parameter.

It has a "recover" mode which scans disks looking for wallets/keys etc.

refer: https://bitcointalksearch.org/topic/guide-recover-your-deleted-keys-38004
newbie
Activity: 2
Merit: 0
February 17, 2018, 01:48:55 PM
#8
Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?
MultiBit Classic doesn't use "wallet.dat"... it uses a completely different wallet file format... and defaulted to calling those files "multibit.wallet".

You will NOT be able to use the WINHEX method outlined above due to the different wallet formats.

Ok thanks, I'm looking to recover two different wallets. The first one being a Multibit Classic Bitcoin wallet and the second being a Litecoin-qt core Litecoin Wallet.

Will the WINHEX method work with the encrypted Litecoin qt wallet?
HCP
legendary
Activity: 2086
Merit: 4361
February 17, 2018, 03:57:18 AM
#7
Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?
MultiBit Classic doesn't use "wallet.dat"... it uses a completely different wallet file format... and defaulted to calling those files "multibit.wallet".

You will NOT be able to use the WINHEX method outlined above due to the different wallet formats.
newbie
Activity: 2
Merit: 0
February 16, 2018, 10:58:04 PM
#6
Hi,

Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?

Many thanks,
legendary
Activity: 1624
Merit: 2481
February 10, 2018, 06:35:35 AM
#5
I just recover my old HDD to find wallet.dat but many files are corrupted.
Also, I cannot recognize name and date of most of files.
~snip~

joel.from.minnesota pretty much gave you a good 'tutorial' on how to recover (or at least try to recover) those files.

But i want to say one ahead:
Do not access/use this hard drive until you have made an (forensic) image of it!
Every access to your hard drive can damage those files you are looking for.

Additionally, if you have larger amounts on your hard drive (which you really cant afford to lose), then you should consider
using a writeblocker [1] (to be on the sure side).

If you need help with the tutorial from joel feel free to PM here / awnser in this thread.


[1] http://www.forensicswiki.org/wiki/Write_Blockers
newbie
Activity: 2
Merit: 0
February 09, 2018, 08:36:56 PM
#4
I am going through this now. I mined coins in Feb 2009 and am either mourning or recovering them, not sure which.

I have confirmed this approach using a 2009 0.1.3 bitcoin client which I recently downloaded.
I ran the client in a windows VM, and deleted the VM.
this method found the private key.

stop using all media until you image them.

you can image the media from any system.

back up all media to a large external drive, you really want to do this
I use a western digital 6tb my book ($140) , its very fast for going through multiple images.
when you search images you don't have to worry about overwriting the file in deleted sectors when you are installing search tools..
do this to all your media, especially any thumb drives you have.

buy some thumb drives.

search your trash for things you might have thrown away ( I threw away a floppy disk containing my 2009 wallet.dat )

If media is broken, including hard drives, Kroll Ontrack is the best in the world, and can usually recover them, hard drives are about $1500

back up with the unix tools
dd or ddrescue

or install ddrescue with OS X homebrew
this program will image corrupt media, save the image to the external drive, I
brew install ddrescue

or make a disk image using OS X disk utility
or use a tool like "disk drill" on the Mac, which can create images as well.

bitcoin wallets do not show in traditional file recovery software, they don't have definite boundaries in the file, so the tools don't like them.
A signature based recover works best, signature meaning it searches for hex code immediately preceding the private key. some recovery software can retrieve them if they were JUST deleted.

my solution is to use the python program keyhunter.py

https://github.com/pierce403/keyhunter

download the repo from GitHub, using either git or just download it.
make the keyhunter.py executable
install python
move the .py executable to the directory whose images you want to search.
run it.

if you're on a Mac,

diskutil list

 to find the hard disk to attack

usually /dev/disk0

if it's file vault encrypted its
/dev/rdisk1

if your on linux

lsblk

copy the device path



run the program thusly
./keyhunter.py /dev/disk0

if is searching an image.
./keyhunter.py IMAGENAME

if your searching a whole directory of images

for x in *.img; do ./keyhunter.py $x;done;


then wait a really really long time, it searches the entire drive, 10 megs at a time for the offending hex keys. it searches deleted sections, it searches old vm's in deleted sections as well as current vm's, it's good. when it finds a match it returns the private key in base58 format.

if you find a key, GREAT.

if you don't find a key, maybe at some point you zipped the file to move from machine to machine. a zipped file will not have the same signature.
you can use recovery tools to find all old zip files ( this is really tedious, and a external drive will shine here ) unzip them, and search using keyhunter.py


now download an run the tool pycoin. Use the python program pip to install it.
https://github.com/richardkiss/pycoin


pycoin installs the tool 'ku'

run

ku YOUR_PRIVATE_KEY


if the key starts with a  5 this indicates whether the base58 key is uncompressed , it will correspond only to a uncompressed address.
see
https://en.bitcoin.it/wiki/Private_key

it will return a bunch of info about it.
look for the compressed and uncompressed address.
each key corresponds to exactly one address, either uncompressed address or compressed address, but not both.

check blockchain.info for the address. DO NOT ENTER YOUR PRIVATE KEY IN THE SEARCH FIELD ON WEBPAGES.


if you find a hit, run ku again, get the either compressed or uncompressed wif key, import that to a modern electrum wallet.


If you want to see how many coins you might have.
https://www.reddit.com/r/Bitcoin/comments/2twrs7/all_42400_dormant_bitcoin_addresses_with_a/

The minimum in 2009 was 50 coins. it initially took about 20 minutes on a fast machine to generate this many. Mine was 10 years old, and really slow.


newbie
Activity: 5
Merit: 0
January 31, 2018, 06:31:39 PM
#3
Are you on Windows? Or Mac?
I'm going to assume Windows.
Download WinHex: https://www.x-ways.net/winhex/
Unzip it. (If you don't know how to do this, tell us which version of Windows you're running. It could be Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP... The process changes slightly depending.)
Right Click WinHex.exe. (It may just be called WinHex. The icon will look like this:
https://i.imgur.com/RdWDVSZ.png
Run it as administrator. (Needed to do a raw byte search of the disk.)
https://i.imgur.com/HuEkazY.png
You then may have to allow it which again will vary slightly depending on which Windows you're running.
Go to tools, open disk.
https://i.imgur.com/OPTT0mG.png
Select your recovered drive and click OK.
It will begin traversing the drive:
https://i.imgur.com/G1BZjLG.png
You can click the x. It will ask if you want to abort. Click yes.
Go to search, find hex values. You will get a window that looks like this:
https://i.imgur.com/xPhKBf9.png
Type 0420 into it exactly as shown.
Click OK. After some amount of time, the window should find an instance of it. There will be a blinking cursor highlighting it on the window.
https://i.imgur.com/bKMkS8N.png
This is (probably) not the start of your private key. It's just to make sure your hard drive isn't totally messed up. (It's pretty unlikely any given two bytes would not be found on a used hard drive. If it's really not found as you claim, you're probably out of luck.)
If it found something, go to search, find hex values again. Enter this value:
308201130201010420
https://i.imgur.com/nKojITh.png
Click OK. This search could take a LONG time depending on the size of the harddrive. Expect to wait at least a few hours.

If it finds a result, just as before, the cursor will be blinking at the start of the result. Your private key is (probably) after the 0420 after the cursor. Write down the 64 digits following 0420 (including the letters) and show no one anything related to these 64 digits. It will allow them to steal your money.

Edit: After you have written down the digits, go to search, continue search. If another result is found, once again, write down the 64 digits after the 0420 again. Then go to search, continue search again. (Unless the digits are identical.)

If you see this instead:
https://i.imgur.com/GNh1Xmd.png
You're probably out of luck. But I could write similar step by step instructions for PyWallet. (I probably should have done that in the first place that you mentioned searching for 0420 locked my mind into this hex search method.)
newbie
Activity: 20
Merit: 0
January 31, 2018, 01:24:00 PM
#2
 Roll Eyes So you lost your keys and now you're having trouble finding 420?
newbie
Activity: 3
Merit: 0
January 31, 2018, 12:54:19 PM
#1
I just recover my old HDD to find wallet.dat but many files are corrupted.
Also, I cannot recognize name and date of most of files.
I was try to find binary(hex code?) there is too many files with "6b 65 79" but I could not find with "04 20".
Actually, I am not computer expert and I have no idea how to recover those corrupted files.
If there was not "04 20" in 2009, please help me how to find private key.
Appreciate.
Jump to: