Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: pateyway on September 27, 2022, 05:15:52 PM



Title: decryption of wallet
Post by: pateyway on September 27, 2022, 05:15:52 PM
Hi,
So I have a paper wallet with an encrypted private key with 54 entries starting with for example rgHM7 or wTdev, so it doesn't seem to be a bip38 encryption. What kind of encryption can it be and how can I go about to decrypt it. The paper wallet was generated at bitaddress.org. And oh how I regret encrypting it :)
Could someone please help?


Title: Re: decryption of wallet
Post by: BitMaxz on September 27, 2022, 11:36:04 PM
If it was generated from bitaddress.org why not try to decrypt it there if you still know the passphrase?

If not, and if you forgot some parts of the passphrase you can use the bitcoin recovery tool from FinderOuter (https://bitcointalk.org/index.php?topic=5214021.0)
or if you totally forgot them then you can try to brute force your encrypted private key you can use this https://github.com/3rdIteration/btcrecover
I'm sure brute-forcing your encrypted private key to decrypt it would be a long journey if you have a long passphrase.


Title: Re: decryption of wallet
Post by: nc50lc on September 28, 2022, 05:20:22 AM
The paper wallet was generated at bitaddress.org. And oh how I regret encrypting it :)
The characters resemble the Base64 format, but the number of characters doesn't match.
I tried the earliest release (v2.8.1), the earliest tag (v1.6) and the latest version (web) of bitaddress and all don't output any 54-character string.


Title: Re: decryption of wallet
Post by: LoyceV on September 28, 2022, 07:19:26 AM
So I have a paper wallet with an encrypted private key with 54 entries starting with for example rgHM7 or wTdev, so it doesn't seem to be a bip38 encryption. What kind of encryption can it be and how can I go about to decrypt it. The paper wallet was generated at bitaddress.org.
When did you create this paper wallet? You may be able to find a version of Bitaddress from around that time. See if you can create a similar wallet, it might help determine what happened.
Also: did you print the wallet, or did you write it down? I've seen people make mistakes writing down keys.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on September 28, 2022, 09:16:19 AM
So I have a paper wallet with an encrypted private key with 54 entries starting with for example rgHM7 or wTdev
Do you mean the strings have 54 characters each, or you have 54 strings? Can you elaborate on what character set the strings are using? Do they end with a "=" symbol?

The only thing which bitaddress generates which fits that character set are private keys in Base64 format. These should be 44 characters long.

Are you sure you used bitaddress? Did you download and verify the latest release and run it offline?


Title: Re: decryption of wallet
Post by: NotATether on September 28, 2022, 01:14:50 PM
It could be AES encryption encoded in Base58. Check the paper wallet to see if there is any design identifying where it came from.


Title: Re: decryption of wallet
Post by: pateyway on September 29, 2022, 02:19:47 PM
I have printed the wallet and I am all sure it is from bitaddress.org from May 2020.
I would put in a photo here but it looks like I am not able to. The encrypted key of a similar address is

rgHM7eKVe37vCGtGQRVNRcN6pfa2gRAzaxdsG86RSmKdnMAEkPZnHJ

This wallet is 100% empty so no worries  8)
Anyone any clue how to decrypt this shit?


Title: Re: decryption of wallet
Post by: LoyceV on September 29, 2022, 03:33:46 PM
I have printed the wallet and I am all sure it is from bitaddress.org from May 2020.
I would put in a photo here but it looks like I am not able to. The encrypted key of a similar address is

rgHM7eKVe37vCGtGQRVNRcN6pfa2gRAzaxdsG86RSmKdnMAEkPZnHJ
I haven't seen this format on Bitaddress.org.
Feel free to email (LoyceVswitzerland@protonmail.com) me the picture (the one that isn't funded, obviously), I'll post it here.


Title: Re: decryption of wallet
Post by: pateyway on September 29, 2022, 03:38:24 PM

I haven't seen this format on Bitaddress.org.
Feel free to email (LoyceVswitzerland@protonmail.com) me the picture (the one that isn't funded, obviously), I'll post it here.

Thanks, I just sent it.


Title: Re: decryption of wallet
Post by: LoyceV on September 29, 2022, 04:45:31 PM
Thanks, I just sent it.
This is the picture I received:
https://loyce.club/other/pateyway.jpg

This indeed looks like Bitaddress.org's Paper Wallet with "Hide Art?" ticked. And it shows what I've seen myself too: the printer (driver) messed up the page. It looks like a few characters are missing, you're supposed to have 58 characters, and the first 2 are supposed to be "6P" That still leaves a lot of options, and BIP38 is heavy encryption, but it should be possible to brute-force the missing characters.
Or, since you have a QR-code, you can try that. It's partially covered with text, but it might still work. Be careful though: several QR-decoders steal any Bitcoin they can.
Mycelium (on Android) supports BIP38. Be careful what you're using, especially if a large amount is at risk.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on September 29, 2022, 06:42:39 PM
The BIP38 encrypted private key will be right aligned with the line of text above it which should say "Encrypted Private Key (Password required)". If you can read all of that line (I can't quite make out whether you can see "required)" under the QR code from the small image you have attached), then you should also therefore have the end of the private key.

This would mean that OP's printer has cut off the first 4 characters, the first 2 of which will be "6P", meaning he just has to brute force 2 characters in a known position, which will be relatively easy to do provided he knows the decryption password.

Edit: Actually, I've been able to recreate this by trying to print my own page of paper wallets from bitaddress and messing with the scaling factor up to around ~150%. It does indeed only cut characters off from the start. And actually, bitaddress only generates EC multiplied compressed keys, meaning all the keys will have the prefix "6Pn". So OP is only missing a single character from each key, in the 4th position, which will be between the characters "M" and "Z". Given that "O" isn't used in Base58Check, then that only leaves 13 possibilities for each key.


Title: Re: decryption of wallet
Post by: pateyway on September 30, 2022, 08:41:47 AM
Wow! Thank you so much guys. I now see that the first ones are cut off. I didn't realize it before ok. I will try to use bitaddress now to decrypt the key. Thanks so much for your brightness.


Title: Re: decryption of wallet
Post by: pateyway on September 30, 2022, 10:25:54 AM


Edit: Actually, I've been able to recreate this by trying to print my own page of paper wallets from bitaddress and messing with the scaling factor up to around ~150%. It does indeed only cut characters off from the start. And actually, bitaddress only generates EC multiplied compressed keys, meaning all the keys will have the prefix "6Pn". So OP is only missing a single character from each key, in the 4th position, which will be between the characters "M" and "Z". Given that "O" isn't used in Base58Check, then that only leaves 13 possibilities for each key.

Hey so I still have problems with the private key. I've tried to start with 6Pn(A-Z) but it says that all of those are invalid keys. It is the key and not the pass phrase because I made a new wallet and put in the wrong phrase and I got a different message. Could it be that the third digit "n" could be different as well. I made the wallet in 2020 if that has any meaning. Any bright ideas :) ?


Title: Re: decryption of wallet
Post by: LoyceV on September 30, 2022, 11:18:54 AM
Any bright ideas :) ?
Have you tried the QR-code?

Otherwise, The FinderOuter (https://bitcointalk.org/index.php?topic=5214021.0) may work for brute-forcing, although I'm not sure if it can brute-force missing characters in a BIP-38 key with known password. If it can't, @Coding Enthusiast may be willing to add this feature.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on September 30, 2022, 12:43:55 PM
Could it be that the third digit "n" could be different as well. I made the wallet in 2020 if that has any meaning. Any bright ideas :) ?
It could be, but it's unlikely. bitaddress's source code hasn't changed for 6 years. Are you 100% sure all the other characters are correct?

although I'm not sure if it can brute-force missing characters in a BIP-38 key with known password.
It can, and indeed, knowledge of the password is unnecessary. BIP38 keys use Base58Check, so it can brute force a few missing characters until it finds those that match with the checksum.

Edit:

I've tested the string you shared above: rgHM7eKVe37vCGtGQRVNRcN6pfa2gRAzaxdsG86RSmKdnMAEkPZnHJ

I'm unable to find any combination of 6P** (or 6P*string* or 6Pstring**) which creates a valid key. Again, are you sure you have the right characters?
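The checksum search described in this reply, as an added example that is not part of the original post and not FinderOuter's code: unknown characters at known positions are marked `?`, every Base58 combination is tried, and a candidate is kept only if it decodes to a 43-byte BIP38 record whose 4-byte double-SHA-256 checksum matches. `SAMPLE_KEY` is a constructed, unfunded record built from filler bytes, and the function names are assumptions of this sketch.

```python
import hashlib
from itertools import product

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def checksum(payload):
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as a leading "1".
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError for 0, O, I, l and other non-Base58 chars
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def is_valid_bip38(text):
    """True if text is a 58-character Base58Check string holding a BIP38 record."""
    if len(text) != 58:
        return False
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return (
        len(raw) == 43                               # 39-byte record + 4-byte checksum
        and raw[:2] in (b"\x01\x42", b"\x01\x43")    # non-EC / EC-multiplied prefix
        and checksum(raw[:-4]) == raw[-4:]
    )


def recover(template, candidates=B58):
    """Fill every '?' in template and return the strings that pass the checksum.

    No passphrase is involved: only the Base58Check checksum is tested.
    Pass a narrower `candidates` string to limit the search to a known range.
    """
    slots = [i for i, ch in enumerate(template) if ch == "?"]
    chars = list(template)
    hits = []
    for combo in product(candidates, repeat=len(slots)):
        for pos, ch in zip(slots, combo):
            chars[pos] = ch
        candidate = "".join(chars)
        if is_valid_bip38(candidate):
            hits.append(candidate)
    return hits


# Constructed sample: EC-multiplied prefix 0x01 0x43, flag byte 0x20 (compressed,
# no lot/sequence), then 36 filler bytes standing in for the address hash,
# owner entropy and ciphertext. It is not a real key and cannot be decrypted.
_payload = b"\x01\x43\x20" + bytes(range(1, 37))
SAMPLE_KEY = b58encode(_payload + checksum(_payload))

if __name__ == "__main__":
    damaged = SAMPLE_KEY[:3] + "?" + SAMPLE_KEY[4:]   # 4th character lost
    print("damaged  :", damaged)
    print("recovered:", recover(damaged))
    # A transcription error elsewhere in the string leaves no valid candidate,
    # which is the outcome reported for the string posted in the thread.
    typo = damaged[:-1] + ("2" if damaged[-1] != "2" else "3")
    print("with typo:", recover(typo))
```

An empty result means at least one of the characters assumed to be known is wrong, or the string is not a BIP38 record.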


Title: Re: decryption of wallet
Post by: pateyway on September 30, 2022, 07:07:17 PM
Oh so you tested one of the other private keys and were not able to get a private key either? If they are correct? Well I double checked if I wrote down the other characters correctly, if they are not correct then why would they not be?


Title: Re: decryption of wallet
Post by: larry_vw_1955 on September 30, 2022, 11:30:33 PM
Thanks, I just sent it.
This is the picture I received:
https://loyce.club/other/pateyway.jpg

This indeed looks like Bitaddress.org's Paper Wallet with "Hide Art?" ticked. And it shows what I've seen myself too: the printer (driver) messed up the page.

bitaddress really should be more careful about how it prints things out. either print it out correctly and fully or don't print anything


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 01, 2022, 06:46:39 AM
Oh so you tested one of the other private keys and were not able to get a private key either?
Correct. Hence me asking if you are sure the characters you have posted here are accurate. If I go to bitaddress and create a page of encrypted paper wallets, I can brute force missing characters with 100% accuracy. So either the string you have shared above has incorrect characters or is not a BIP38 key at all.

Are you able to share a high resolution picture of the key you have shared above (the one you said has no funds on it)? You can crop out the other keys. And you can share it privately if you prefer.

bitaddress really should be more careful about how it prints things out. either print it out correctly and fully or don't print anything
There is nothing it can do to stop people from locally scaling the page it produces, so much that it is too large for a single piece of paper, which is what has happened here.


Title: Re: decryption of wallet
Post by: LoyceV on October 01, 2022, 09:30:08 AM
if they are not correct then why would they not be?
Have you tried the QR-code?

bitaddress really should be more careful about how it prints things out. either print it out correctly and fully or don't print anything
I don't think they can help it much when printing from a browser. This is one of the many reasons I test my backup before funding it. By manually typing the key and decrypting it with different software than you used to create it, you know you can decrypt it later. If your test fails, you know not to fund it. (of course, all this should be done off-line, running a Live Linux from RAM).


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 01, 2022, 11:24:06 PM

I don't think they can help it much when printing from a browser. This is one of the many reasons I test my backup before funding it. By manually typing the key and decrypting it with different software than you used to create it, you know you can decrypt it later. If your test fails, you know not to fund it. (of course, all this should be done off-line, running a Live Linux from RAM).

that's a pretty good idea but why does it need to be different software than you used to create it? you can generate a private key in bitaddress and then go and verify it within bitaddress too.  so u don't need another different software.



Title: Re: decryption of wallet
Post by: LoyceV on October 02, 2022, 07:37:02 AM
why does it need to be different software than you used to create it?
I like being thorough :) What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
I've already seen many people who had a hard time recovering their old storage format. I even created [overview] Recover Bitcoin from any old storage format (https://bitcointalk.org/index.php?topic=4959742.0) for it, but it's far from complete.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 02, 2022, 08:29:03 AM
What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
There is already precedence for this. Blockchain.com, for example, used to give out recovery phrases which were not BIP39 phrases, but rather simply to recover access to wallet files on their platform if users had forgotten their passwords. Now, many years later, although they claim to still support these phrases many users find themselves unable to recover their wallets. Another example is Coinbase, which used to run multi-sig vaults, have discontinued their support of them, and users can no longer recover access to their funds (https://bitcointalk.org/index.php?topic=5381583.0) despite possessing the necessary back ups. Even something as simple as a wallet using a non-standard derivation path is enough to cause huge amounts of problems (https://bitcointalk.org/index.php?topic=5391541.msg59661227#msg59661227) trying to recover your coins. And that's without even mentioning bugged, flawed, or malicious software, which might not derive the correct keys like you think it is doing.

It is always smart to test your back up or private keys with different software.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 03, 2022, 01:19:56 AM
What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
There is already precedence for this.
The examples you give below of blockchain.com and coinbase are poor examples since they are not software, rather they are services. To really make the point, we should be sticking to software that one runs on one's computer to generate bitcoin addresses not services they log into and use. There is a distinction between the two things which should not be overlooked or glossed over.

Quote
Blockchain.com, for example, used to give out recovery phrases which were not BIP39 phrases, but rather simply to recover access to wallet files on their platform if users had forgotten their passwords. Now, many years later, although they claim to still support these phrases many users find themselves unable to recover their wallets. Another example is Coinbase, which used to run multi-sig vaults, have discontinued their support of them, and users can no longer recover access to their funds (https://bitcointalk.org/index.php?topic=5381583.0) despite possessing the necessary back ups.
they were relying upon a black box. when the black box went out of service or had bugs or whatnot there was no way to fix it. different situation than software you were supposed to be able to run on your own independently of anyone.

Quote
Even something as simple as a wallet using a non-standard derivation path is enough to cause huge amounts of problems (https://bitcointalk.org/index.php?topic=5391541.msg59661227#msg59661227) trying to recover your coins.
well, the link you provided has to do with the breadwallet to coinbase migration situation. if someone doesn't keep track of the derivation path their funds are on then that is a big mistake on their part. but it doesn't mean the software doesn't work.

Quote
And that's without even mentioning bugged, flawed, or malicious software, which might not derive the correct keys like you think it is doing.
well yeah that can happen but with bitaddress? how about some links.

Quote
It is always smart to test your back up or private keys with different software.
but once you tested it once, you don't need to test it again right? as long as nothing changes like upgrading the software.

Quote from: LoyceV
I've already seen many people who had a hard time recovering their old storage format. I even created [overview] Recover Bitcoin from any old storage format for it, but it's far from complete.
hopefully these days people are only using standard bitcoin formats not proprietary. there's really no reason for using proprietary formats otherwise they might end up being an avid reader of your thread there. :o


Title: Re: decryption of wallet
Post by: LoyceV on October 03, 2022, 07:27:36 AM
It is always smart to test your back up or private keys with different software.
but once you tested it once, you don't need to test it again right?
Correct. One of the reasons for testing in the first place is peace of mind: I know I can decrypt it.

Quote
hopefully these days people are only using standard bitcoin formats
I'm not as optimistic as you are ;)


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 03, 2022, 07:39:21 AM
The examples you give below of blockchain.com and coinbase are poor examples since they are not software, rather they are services.
The example I gave of Bread wallet is absolutely software which runs on your own device. Another example would maybe be Schildbach's bitcoin wallet, which does not use seed phrases but its own unique encrypted back ups which can only be recovered using the same software.

well, the link you provided has to do with the breadwallet to coinbase migration situation. if someone doesn't keep track of the derivation path their funds are on then that is a big mistake on their part. but it doesn't mean the software doesn't work.
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.

hopefully these days people are only using standard bitcoin formats not proprietary. there's really no reason for using proprietary formats otherwise they might end up being an avid reader of your thread there. :o
Not only are plenty of people still using non-standard formats, but there are plenty more still in development, such as Block's new hardware device (https://wallet.build/), which will not use seed phrases and be completely dependent on Block for recovery.


Title: Re: decryption of wallet
Post by: LoyceV on October 03, 2022, 07:51:16 AM
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.
I even tested recovering my hardware wallet before funding it: I used Ian Coleman's site (https://iancoleman.io/bip39/) (obviously on an air-gapped system, running live Linux from RAM) to see if I could reproduce the same addresses as my hardware wallet showed.
For what it's worth: so far, all my testing always confirmed what I was hoping to see. But without testing, I wouldn't know that for sure.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 04, 2022, 02:07:07 AM

The example I gave of Bread wallet is absolutely software which runs on your own device. Another example would maybe be Schildbach's bitcoin wallet, which does not use seed phrases but its own unique encrypted back ups which can only be recovered using the same software.
Surely there are android bitcoin wallets that adhere to standards like bip39. and are open source but the best bet is dont use android wallets period. you can't really trust them.

Quote
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.

what kind of person puts their money into some wallet without knowing what derivation path is being used though?


Quote
Not only are plenty of people still using non-standard formats, but there are plenty more still in development, such as Block's new hardware device (https://wallet.build/), which will not use seed phrases and be completely dependent on Block for recovery.
you have to ask yourself why you would use something other than a trezor or nano though. as far as I have seen most of these new hardware wallets that come out are overpriced and not nearly as well tested as trezor or nano, how could they be ? they are new! only way i would use one of these things is if they gave it to me for free but no way am i buying one.  8)

Quote from: LoyceV
Correct. One of the reasons for testing in the first place is peace of mind: I know I can decrypt it.
So if you tested it with a particular address and it worked, then you can generate new addresses and not need to test those right? because you trust the software works since it worked with that one particular address that one time. just trying to clarify.

Quote
For what it's worth: so far, all my testing always confirmed what I was hoping to see. But without testing, I wouldn't know that for sure.
So you test every single address or just one address and if that one works, you consider it "good to go" for any further addresses without checking them.


Title: Re: decryption of wallet
Post by: LoyceV on October 04, 2022, 07:54:29 AM
what kind of person puts their money into some wallet without knowing what derivation path is being used though?
If I have to guess: 98% of all Bitcoin users who don't keep their coins on an exchange.

Quote
So if you tested it with a particular address and it worked, then you can generate new addresses and not need to test those right? because you trust the software works since it worked with that one particular address that one time. just trying to clarify.
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 04, 2022, 08:51:08 AM
Surely there are android bitcoin wallets that adhere to standards like bip39. and are open source but the best bet is dont use android wallets period. you can't really trust them.
Of course, but the point we are making is that some people don't do that. And even if you do only use reputable, open source wallets, have you scanned every single line of code to make sure it is doing what you think it is doing? Doubtful. And even if you do, you cannot be 100% sure that you have not made a mistake when writing down your seed phrase or similar unless you test your back ups. There is literally no reason to not test your back ups before you fund the wallet.

what kind of person puts their money into some wallet without knowing what derivation path is being used though?
I would wager that the majority of people don't even know what a derivation path is.

you have to ask yourself why you would use something other than a trezor or nano though.
Again, I won't, but lots of people do.

So you test every single address or just one address and if that one works, you consider it "good to go" for any further addresses without checking them.
Checking the first address matches is sufficient. The chance of a different seed phrase or incorrect back up generating the same first address is essentially zero.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 05, 2022, 01:38:37 AM
Quote from: o_e_l_e_o
I would wager that the majority of people don't even know what a derivation path is.
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds. Then they would realize that knowing their derivation path is just as important as knowing their seed phrase - well almost. Just like you need an ID to make a withdrawal at your bank, you need your derivation path...well you MIGHT need it sometime. If you ever go to the bank that is!

Quote from: LoyceV
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.

If you really feel you need to check the first 100 then I would humbly suggest you have a trust issue with whatever software you are using and probably should ask yourself why you distrust it so much. Software that works shouldn't need to be doublechecked all the time. Unless you wrote it yourself, then you might want to run more extensive tests. But not every time you generate an address. There should be some level of trust in the functionality that you say " i know it worked because i did unit tests with 100 different addresses so I'll trust what it generates for me going forward". otherwise it's not software, it is just a crutch. using it as a crutch with something else. >:(


Title: Re: decryption of wallet
Post by: LoyceV on October 05, 2022, 07:27:35 AM
Quote from: o_e_l_e_o
I would wager that the majority of people don't even know what a derivation path is.
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds. Then they would realize that knowing their derivation path is just as important
No. They would realize letting larry_vw_1955 touch their wallet was a big mistake :D
I've seen problems caused by weird derivation paths, but as long as it's created by known software, you can probably find the derivation path by searching the internet.
If you use Electrum, you can be pretty sure you can recover the funds from your seed words without understanding anything else.

Quote
Quote from: LoyceV
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.
If you really feel you need to check the first 100 then I would humbly suggest you have a trust issue with whatever software you are using and probably should ask yourself why you distrust it so much.
Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 05, 2022, 07:54:20 AM
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds.
Absolutely. Which goes back to the original point of testing your back up with different software. What if you accidentally, either through user error or bugged software, created a wallet using some crazy derivation path with 200+ levels, did not test your recovery, and then loaded it with funds? You now have a useless seed phrase back up securing coins in a derivation path you would never find again, all while being completely unaware of that fact.

Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.
This is a slightly different issue. When I check my back ups, I only ever check the first addresses. That is enough for me to be sure that I am using the right seed phrase at the right derivation path with the right script type to reproduce the wallet again in the future. When I check each new Electrum address on the screen of my hardware wallet, I am checking that my computer or my Electrum install has not been infected with malware or subjected to some other malicious attack which results in it displaying an incorrect address.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 06, 2022, 03:04:58 AM

No. They would realize letting larry_vw_1955 touch their wallet was a big mistake :D
letting anyone touch their wallet might be a big mistake  ;D

Quote
Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.
yeah that's a different usage scenario but consider this: i got a cheap hardware wallet long time ago (or rather, a hardware wallet that was on sale for very cheap, how about that?) but never trusted it enough to actually want to use it. i'd rather use software or paper wallets than use something that I don't fully understand. i tried to understand it but it seemed very confusing and i wasn't sure what it relied on like what company's servers to send and receive transactions and what software would need to be installed on my computer,etc etc not really worth the time and effort to try and figure it out.


Quote from: o_e_l_e_o
Absolutely. Which goes back to the original point of testing your back up with different software. What if you accidentally, either through user error or bugged software, created a wallet using some crazy derivation path with 200+ levels, did not test your recovery, and then loaded it with funds? You now have a useless seed phrase back up securing coins in a derivation path you would never find again, all while being completely unaware of that fact.

Well, maybe my initial question was misunderstood. What I'm talking about is someone that generates paper wallets using something like bitaddress. Do they need to check every single address or just a few of them and then as long as those check out, they can assume bitaddress works correctly so there is no further need to keep checking newly generated addresses. I would think "yes" with a few caveats but in general "yes".


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 06, 2022, 09:16:26 AM
What I'm talking about is someone that generates paper wallets using something like bitaddress. Do they need to check every single address or just a few of them and then as long as those check out, they can assume bitaddress works correctly so there is no further need to keep checking newly generated addresses. I would think "yes" with a few caveats but in general "yes".
Up to the individual, probably. You need to differentiate between whether you are checking for accuracy or checking for maliciousness. If your copy of bitaddress generates one address accurately, then you can be pretty sure if it is non-malicious then it will generate all addresses accurately. However, a malicious piece of software may generate one or two addresses accurately and then start generating fake addresses.

However, given that any malicious software could generate addresses from predetermined seed phrases or private keys which are known to an attacker, then testing them in this manner does not protect against attack. That can only be done by reviewing the source code.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 08, 2022, 02:39:42 AM
Up to the individual, probably. You need to differentiate between whether you are checking for accuracy or checking for maliciousness. If your copy of bitaddress generates one address accurately, then you can be pretty sure if it is non-malicious then it will generate all addresses accurately. However, a malicious piece of software may generate one or two addresses accurately and then start generating fake addresses.
Yeah I think we were talking about the former situation, not the latter. Detecting maliciousness is a whole different thing that you can't do by just comparing outputs.

Quote
However, given that any malicious software could generate addresses from predetermined seed phrases or private keys which are known to an attacker, then testing them in this manner does not protect against attack. That can only be done by reviewing the source code.

or maybe there's a software that you could run on a piece of other software to detect if it was malicious or not. it seems plausible that this would be a reasonable thing to want to do. because reviewing by hand not everyone has that type of expertise.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 08, 2022, 08:51:43 AM
or maybe there's a software that you could run on a piece of other software to detect if it was malicious or not.
There would be no way to write a piece of software which could detect every possible way a wallet could be malicious, and even if someone attempted such a piece of software, then an attacker could also download it and find a work around.

If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
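
The checksum step mentioned in the post above, as an added example that is not part of the original thread: under the BIP39 scheme, 128 recorded coin flips get the first 4 bits of their SHA-256 hash appended, and the resulting 132 bits are split into twelve 11-bit word indices. The function names, the H/T notation, the sample flips and the word list path are assumptions made for this illustration.

```python
import hashlib

# Constructed sample input: a repeating pattern, NOT real entropy. Never reuse it.
SAMPLE_FLIPS = "HTTHHHTH " * 16


def flips_to_entropy(flips):
    """Turn 128 recorded coin flips (H = 1, T = 0) into 16 bytes of entropy."""
    cleaned = "".join(flips.split()).upper()
    bad = set(cleaned) - {"H", "T"}
    if bad:
        raise ValueError("unexpected characters in flips: %s" % sorted(bad))
    if len(cleaned) != 128:
        # A miscounted or skipped flip is the easy mistake when doing this by hand.
        raise ValueError("need exactly 128 flips, got %d" % len(cleaned))
    bits = cleaned.replace("H", "1").replace("T", "0")
    return int(bits, 2).to_bytes(16, "big")


def entropy_to_indices(entropy):
    """Append the 4-bit checksum and split the 132 bits into 12 indices (0..2047)."""
    if len(entropy) != 16:
        raise ValueError("this example handles 128-bit entropy only")
    checksum = hashlib.sha256(entropy).digest()[0] >> 4  # first 4 bits of the hash
    combined = (int.from_bytes(entropy, "big") << 4) | checksum
    return [(combined >> (11 * i)) & 0x7FF for i in range(11, -1, -1)]


def indices_valid(indices):
    """Recompute the checksum from the first 128 bits and compare with the last 4."""
    if len(indices) != 12 or any(not 0 <= i < 2048 for i in indices):
        return False
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> 4).to_bytes(16, "big")
    return entropy_to_indices(entropy) == list(indices)


def to_words(indices, wordlist_path):
    """Map indices to words using a local copy of the BIP39 English word list.

    wordlist_path is an assumption: a file with the 2048 words in order,
    copied to the offline machine beforehand.
    """
    with open(wordlist_path, encoding="utf-8") as fh:
        words = fh.read().split()
    if len(words) != 2048:
        raise ValueError("word list must contain exactly 2048 words")
    return [words[i] for i in indices]


if __name__ == "__main__":
    idx = entropy_to_indices(flips_to_entropy(SAMPLE_FLIPS))
    print("word indices (0-based):", idx)
    print("checksum verifies:", indices_valid(idx))
```

Comparing the resulting indices or words against a second, independent tool on the same offline machine catches a transcription or implementation error before any coins are sent.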


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 09, 2022, 01:21:07 AM
There would be no way to write a piece of software which could detect every possible way a wallet could be malicious,
what you do is make a list of all the possible ways. then you have to have subroutines that check each way. the program will run the software through each subroutine.



Quote
and even if someone attempted such a piece of software, then an attacker could also download it and find a work around.
if someone did that and somehow found a loophole, then you patch it by adding their workaround as another item in your list. but at some point they would have to really be clever to find more workarounds. at some point there might not be anymore.

Quote
If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
that's better than using the random number generator on your computer?  :o




Title: Re: decryption of wallet
Post by: LoyceV on October 09, 2022, 08:24:59 AM
if someone did that and somehow found a loophole, then you patch it by adding their workaround as another item in your list. but at some point they would have to really be clever to find more workarounds.
That sounds a lot like virus scanners, where companies make a living off selling updates for dozens of new viruses per day. It will never be secure.

Quote
If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
that's better than using the random number generator on your computer?  :o
Yes! It's very difficult to verify the randomness of your computer, but it's very easy to verify that a coin flip is random. It's not perfect, but it's not something anyone else can reproduce.

I've seen people lose their Bitcoins because a once trusted paper wallet website got sold and turned into a scam. Even offline, it creates compromised paper wallets because it doesn't create random private keys. That won't happen with coin flips. You should still make sure the software you use to create a private key out of it isn't compromised.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 09, 2022, 11:48:29 AM
but at some point they would have to really be clever to find more workarounds. at some point there might not be anymore.
If this were true, then malware would no longer exist because every possible workaround had been patched. There will also be a new workaround.

that's better than using the random number generator on your computer?  :o
Depends on the random number generator on your computer. Is it better than some javascript RNG? Yes. Is it better than /dev/urandom? Probably not. However, it is also harder to do, easier to make a mistake, and easier to do in an insecure manner, so I wouldn't generally recommend it to most people.


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 10, 2022, 01:41:31 AM
That sounds a lot like virus scanners, where companies make a living off selling updates for dozens of new viruses per day. It will never be secure.
well viruses are different since computers have to connect to the internet and be forced to interact with all different types of software that a user might decide to install. you can't just lock them down too much or else the user wouldn't be able to do anything.

I've seen people lose their Bitcoins because a once trusted paper wallet website got sold and turned into a scam. Even offline, it creates compromised paper wallets because it doesn't create random private keys.
so they took the website offline then once it became a scam right? they can't allow a provable scam to continue operating and stealing peoples' money.
imagine that website still existing on the internet and someone downloaded it before it became a scam and used it with no ill effects but then they decided to "upgrade" by downloading the latest version and then got scammed. that would really throw them for a loop  :o and it would be their fault though for not monitoring the situation.


Quote
If this were true, then malware would no longer exist because every possible workaround had been patched. There will also be a new workaround.

the validity checker could publish a list of methods that were allowed and then inside each method it would inspect to make sure that the only things that were happening were the standard bitcoin address generation process. anything that was there that did not belong would mean "invalid program". simple as that. a seed phrase inside the random number generator? invalid. some unknown decimal or hex number just being defined somewhere? invalid. an attempt to connect to the internet? invalid. anything unknown? need to write better code. invalid!

Quote
Depends on the random number generator on your computer. Is it better than some javascript RNG? Yes. Is it better than /dev/urandom? Probably not. However, it is also harder to do, easier to make a mistake, and easier to do in an insecure manner, so I wouldn't generally recommend it to most people.

i would think rolling dice or flipping coins is better than any algorithm that produces pseudo random numbers. now if you're talking about true random like linux /dev/random maybe that's different. windows doesn't have that though.



Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 10, 2022, 08:08:28 AM
Your quotes are all messed up.

so they took the website offline then once it became a scam right? they can't allow a provable scam to continue operating and stealing peoples' money.
No, it is still running today. The original owner (who was honest) sold the site, and the new owner turned it into a malicious scam, which people continued (and continue) to use without realizing it due to the original site's good reputation.

the validity checker could publish a list of methods that were allowed and then inside each method it would inspect to make sure that the only things that were happening were the standard bitcoin address generation process. anything that was there that did not belong would mean "invalid program". simple as that. a seed phrase inside the random number generator? invalid. some unknown decimal or hex number just being defined somewhere? invalid. an attempt to connect to the internet? invalid. anything unknown? need to write better code. invalid!
There is no way your validity checker could be accurate enough to guarantee safety without also declaring a lot of perfectly safe code invalid. If you are going to write a program that locks down your wallet software to only doing the absolute minimum with no deviation allowed, then better to just write minimalist wallet software in the first place, which even someone with a low amount of coding knowledge could verify themselves.

i would think rolling dice or flipping coins is better than any algorithm that produces pseudo random numbers.
Not necessarily. There are a lot of things to consider when trying to extract entropy from a physical process, things which most people don't even know exist and so make the mistake of thinking it is a straightforward process. I've spoken about this before: https://bitcointalk.org/index.php?topic=5395587.msg59983088#msg59983088


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 11, 2022, 01:19:06 AM
Your quotes are all messed up.
sorry about that. but i fixed it, they should make it easier to quote people without having to type in "quote" blocks manually.

Quote
No, it is still running today. The original owner (who was honest) sold the site, and the new owner turned it into a malicious scam, which people continued (and continue) to use without realizing it due to the original site's good reputation.

i know it's still running today. the question is how and why? can i prove to myself somehow that the site is a scam? maybe that's why it never got took offline because they can't prove it 100%.


Quote
There is no way your validity checker could be accurate enough to guarantee safety without also declaring a lot of perfectly safe code invalid. If you are going to write a program that locks down your wallet software to only doing the absolute minimum with no deviation allowed, then better to just write minimalist wallet software in the first place, which even someone with a low amount of coding knowledge could verify themselves.
which is why i like simple code minimal code. code that i can understand. code that isn't thousands of lines long when it doesn't need to be.


Quote
I've spoken about this before: https://bitcointalk.org/index.php?topic=5395587.msg59983088#msg59983088
i replied on that thread.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 11, 2022, 10:30:40 AM
the question is how and why? can i prove to myself somehow that the site is a scam? maybe that's why it never got took offline because they can't prove it 100%.
I mean, it is a well known scam based on how many reports we have of people losing money on it, and reports of it generating addresses which have already been used. I suppose you could try to examine the back end (although since being sold and turning into a scam then obviously the source code is no longer available on Github), or use it to generate some addresses to fund and watch your coins being stolen.

Being a scam is rarely enough to get a site taken down altogether, though.

which is why i like simple code minimal code. code that i can understand. code that isn't thousands of lines long when it doesn't need to be.
The thousands of lines of extra code are to program additional functions like a GUI, coin control, being able to choose a fee, different address types, multi-sig, Lightning support, and so on. The code usually isn't there for no good reason. Perhaps there is a market for a bare bones wallet which can only generate segwit addresses, sign transactions, and nothing else, but I can't imagine it would be a very big market.


Title: Re: decryption of wallet
Post by: LoyceV on October 11, 2022, 10:41:38 AM
i know it's still running today. the question is how and why? can i prove to myself somehow that the site is a scam? maybe that's why it never got took offline because they can't prove it 100%.
Scammers make a living by scamming people, of course they don't take their site offline.
What might work, is going through their registrar (https://bitcointalk.org/index.php?topic=4469056.msg40875827#msg40875827) or web host, but in the latter case they'll just move somewhere else.

Perhaps there is a market for a bare bones wallet which can only generate segwit addresses, sign transactions, and nothing else, but I can't imagine it would be a very big market.
Hard-core CLI transaction creation? I think you're right, there's not much of a market for that.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 11, 2022, 01:24:48 PM
Hard-core CLI transaction creation? I think you're right, there's not much of a market for that.
I was picturing a very minimal GUI, as presumably most people who are able to navigate CLI transaction creation from scratch would also be able to read code well enough to vet a wallet like Electrum.


Title: Re: decryption of wallet
Post by: LoyceV on October 11, 2022, 01:27:27 PM
presumably most people who are able to navigate CLI transaction creation from scratch would also be able to read code well enough to vet a wallet like Electrum.
I love CLI, but I can't read Electrum's code. I would guess that applies to more people, thoroughly checking a lot of code is much more work (and more complicated) than following CLI-instructions.


Title: Re: decryption of wallet
Post by: HCP on October 12, 2022, 12:50:11 AM
 
they can't allow a provable scam to continue operating and stealing peoples' money.
You must be new to the internet :P

Seriously tho, it's actually really difficult to get scam sites taken down a lot of the time... even 100% proven scams. Based on personal experience, about the only recourse you have is to complain to the DNS provider and/or webhost and hope that their complaints/abuse team care enough to do something about it :-\


Title: Re: decryption of wallet
Post by: larry_vw_1955 on October 12, 2022, 01:21:42 AM

Seriously tho, it's actually really difficult to get scam sites taken down a lot of the time... even 100% proven scams. Based on personal experience, about the only recourse you have is to complain to the DNS provider and/or webhost and hope that their complaints/abuse team care enough to do something about it :-\

maybe but maybe it just means it's not a proven scam. not 100%. you can't just go taking sites off line because you THINK they are a scam. and if you can't prove it then all you really got is anecdotal stories. not saying there isn't something to them but i think almost every software for bitcoin has some people that lose funds due to something they can't explain. some things have more complaints than others but does that mean some of them are scam and some aren't?

now with that said, would i use some software to generate addresses that was not open source that had complaints about people saying they lost their funds? probably not.


Title: Re: decryption of wallet
Post by: n0nce on October 14, 2022, 12:42:48 AM
Hard-core CLI transaction creation? I think you're right, there's not much of a market for that.
I was picturing a very minimal GUI, as presumably most people who are able to navigate CLI transaction creation from scratch would also be able to read code well enough to vet a wallet like Electrum.
I do like and support this idea! My main question would be how to handle the cryptography. Use existing ('tried & tested') crypto-libraries that have been around forever and avoid relatively hard to verify (the whole purpose of the project) code segments completely or attempt rewriting just the parts of the cryptography that are required, but make the code less trivial to understand and verify, thus allowing to verify the whole, compact, codebase, but making it a bit larger and a bit harder to understand in the process?


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 15, 2022, 07:38:42 AM
maybe but maybe it just means its not a proven scam. not 100%.
There are literally millions of sites out there which are 100% scams. Not just in bitcoin, but in general. Malicious clones of exchanges, platforms, mixers, wallets, shops, etc. MLM schemes. Fake charities, casinos, lotteries, marketplaces, etc. Fake investment companies. Fake employment companies. Fake companies in general. The list is endless.

You can report these sites if you want, but what incentive do web hosts have to take down these sites? Scammers pay them, and they don't take a hit to their reputation by continuing to host scammers because almost nobody even bothers to find out who is hosting these scams in the first place. Register themselves to the Seychelles or similar and they can pretty much do what they like. And even if you succeed in taking down a scam site, it will be re-hosted at a different address within hours.


Title: Re: decryption of wallet
Post by: To.Nick on October 21, 2022, 07:16:05 PM
Hello guys, I'm a newbie. I'd love to know if it can be possible to rewrite the program of a Bitcoin wallet application software that has bitcoins in it?
Thanks


Title: Re: decryption of wallet
Post by: Stalker22 on October 21, 2022, 08:16:48 PM
Hello guys, I'm a newbie. I'd love to know if it can be possible to rewrite the program of a Bitcoin wallet application software that has bitcoins in it?
Thanks

Please explain. What do you mean by "rewrite the program"?

If you have some programming skill, then it is possible to "rewrite" Bitcoin Core source code and make a clone of the program that can do everything that original program does and more. But there is no real benefit to doing so, because nobody will care about your clone. What exactly do you want to achieve?

By the way, bitcoins are not in the program but on the blockchain.


Title: Re: decryption of wallet
Post by: To.Nick on October 21, 2022, 08:33:50 PM
Hello guys, I'm a newbie. I'd love to know if it can be possible to rewrite the program of a Bitcoin wallet application software that has bitcoins in it?
Thanks

Please explain. What do you mean by "rewrite the program"?

If you have some programming skill, then it is possible to "rewrite" Bitcoin Core source code and make a clone of the program that can do everything that original program does and more. But there is no real benefit to doing so, because nobody will care about your clone. What exactly do you want to achieve?

By the way, bitcoins are not in the program but on the blockchain.


Thank you stalker22, that's the answer I needed. I thought the cloning could have an effect on the Bitcoins. There's no telling what hackers and scammers are capable of.


Title: Re: decryption of wallet
Post by: o_e_l_e_o on October 22, 2022, 08:33:16 AM
I thought the cloning could have an effect on the Bitcoins.
It doesn't work like this.

The bitcoin themselves are never "in" your wallet or "on" your computer. The bitcoin never leave the blockchain. All that your wallet stores are the private keys necessary to allow you to tell the network how you want to spend or move those bitcoin. If you copy your wallet file, then you will have two wallet files containing the same private keys which will both have access to the same bitcoin on the blockchain, but the bitcoin themselves are not cloned.

Think of it like if an attacker cloned your bank card. Both the original and the clone can spend the same money from the same account, but the actual money in your account is not cloned.