 Show Posts
|
|
Pages: [1]
|
Pywallet requires ton of plugins, you dont want to be connecting to the internet while sandboxed just to get that script working properly, (just a millisecond can leak keys) to some hacker i suggest first just searching for the berkeley database file headers, you can then use some software to extract the files. but first make a disk image using a ubuntu live usb or something. go to gnome disks, (if using windows make sure the computer isnt hibernating and shut down correctly or not i dunno maybe that might overwrite some data if you do make 3 disk images i guess, do sudo gnome-disks if your noob and select disk and create an image of it on a m2ssd or something) #!/usr/bin/env python
"""
searchbin.py -t PATTERN [FILE [FILE...]]
searchbin.py -p PATTERN [FILE [FILE...]]
searchbin.py -f FILE [FILE [FILE...]]
examples:
./searchbin.py -t "hello" myfile.exe
Searches for the text "hello" in myfile.exe.
./searchbin.py -p "CCDDFF" myfile.exe
Searches for the hexidecimal pattern "CCDDFF" in myfile.exe.
./searchbin.py -f pattern.bin myfile.exe
Reads the file pattern.bin, and searches for a binary match within myfile.exe.
Many more capabilites, just run ./searchbin.py --help
+Features: no compiling, fast, small file, wild card matches, search multiple files of unlimited size, all operating systems
+Minimum Py2.7 required for argparse library
+keywords binary grep search seek find fast
license: BSD 2-Clause License, 2012, Sepero
license: http://www.opensource.org/licenses/BSD-2-Clause
"""
from __future__ import unicode_literals
import re
import signal
import sys
# Global variables.
CONTACT=("sepero 111 @ gmx . com\n"
"https://bitbucket.org/Sepero/searchbin/issues/new\n"
"http://seperohacker.blogspot.com/2012/04/binary-grep-program-searchbin.html")
VERSION="1.00"
DEBUG = False
STDOUT = sys.stdout
try: # Python 3 modifications.
STDIN = sys.stdin.buffer
except: # Python 2 modifications.
STDIN = sys.stdin
range = xrange
def _exit_error(code, option="", err=None):
"""
Error information is kept here for the purposes of easier management and possibly language tranlation.
Returns nothing. All calls exit the program, error status 128.
"""
error_codes = {
"Xpatterns":
"Cannot search for multiple patterns. '-t -p -f'",
"0patterns":
"No pattern to search for was supplied. '-t -p -f'",
"decode":
"The pattern string is invalid.\n" + str(option),
"bsize":
"The buffer size must be at least %s bytes." % str(option),
"sizes":
"Size parameters (-b -s -e -m) must be in decimal format.",
"fpattern":
"No pattern file found named: %s" % option,
"startend":
"The start of search must come before the end.",
"openfile":
"Failed opening file: %s" % option,
"logwrite":
"Could not write to the log file: %s" % option,
"read":
"Failed reading from file: %s" % option,
}
import traceback
sys.stderr.write(traceback.format_exc() + "\n")
if not DEBUG:
sys.stderr.write("version: %s\n" % VERSION)
sys.stderr.write("Please Report issues to: %s\n" % CONTACT)
if err: sys.stderr.write("%s\n" % str(err))
sys.stderr.write("Error <%s>: %s\n\n" % (code, error_codes[code]))
if __name__ == "__main__":
sys.exit(128) # Exit under normal operation.
raise # Raise error on unittest or other execution.
def get_args():
"""
Parse all arguments from the command line using ArgumentParser.
Returns an args object with attributes representing all arguments.
"""
from argparse import ArgumentParser
description = CONTACT + """
An argument -t or -p or -f is required. The -p argument accepts a
hexidecimal pattern string and allows for missing characters,
such as 'FF??FF'. When using -f argument, the pattern file will
be read as a binary file (not hex strings). If no search files are
specified, %prog will read from standard input. The minimum memory
required is about 3 times the size of the pattern byte length.
Increasing buffer-size will increase program search speed for
large search files. All size arguments (-b -s -e) are read in decimal
format, for example: '-s 1024' will start searching after 1kilobyte.
format, for example: '-s 1024' will start searching after 1kilobyte.
Reported finds are 0-based offset.
"""
p = ArgumentParser(description=description)
def add(s, **kwargs):
args = s.split(':')
value = args.pop(2) # Pop item at index 2 (argument type).
if value: kwargs['type'] = eval(value) #(type)(value) # str(value) or long(value).
value = args.pop(2) # Pop item at index 2 (argument metavar).
if value: kwargs['metavar'] = value
value = args.pop(2) # Pop item at index 2 (argument name/destination).
if value: kwargs['dest'] = value
p.add_argument(*args, **kwargs)
p.add_argument('-f', '--file', type=str,
metavar='FILE', dest='fpattern',
help='file to read search pattern from')
p.add_argument('-t', '--text', type=str,
metavar='PATTERN', dest='tpattern',
help='a (utf-8 case-sensitive) text string to search for')
p.add_argument('-p', '--pattern', type=str, # I would use -h for hex, but that's used for help output.
metavar='PATTERN', dest='ppattern',
help='a hexidecimal pattern to search for')
try: # Python 3.
p.add_argument('-b', '--buffer-size', type=int,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). 8MB default')
p.add_argument('-s', '--start', type=int,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=int,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=int,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
except: # Python 2.
p.add_argument('-b', '--buffer-size', type=long,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). default is 8388608 (8MB)')
p.add_argument('-s', '--start', type=long,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=long,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=long,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
p.add_argument('-l', '--log', type=str,
metavar='FILE', dest='log',
help='write matched offsets to FILE, instead of standard output')
p.add_argument(type=str,
metavar='FILE', dest='fsearch', nargs='*',
help='files to search within')
p.add_argument('-v', '--verbose',
dest='verbose', action='store_true',
help='verbose, output the number of bytes searched after each buffer read')
p.add_argument('-V', '--version',
action='version', version='%(prog)s ' + VERSION)
p.add_argument('-d', '--debug',
dest='debug', action='store_true',
help='debugging (don\'t use this)')
return p.parse_args()
"""
=Patterns=
A pattern is a list. It represents the division between known and unknown
bytes to search for. All hex/text/file input is converted to a pattern.
Examples of conversions:
hex "31??33" becomes ['A', 'C'] # Everything is converted internally to strings, even though they may not be printable characters.
text "A?C" becomes ['A', 'C']
text "A??C" becomes ['A', '', 'C']
"""
def hex_to_pattern(hex):
""" Converts a hex string into a pattern. """
ret = []
pattern = hex
if hex[:2] == "0x": # Remove "0x" from start if it exists.
pattern = hex[2:]
try:
ret = [ p for p in pattern.split("??") ]
try: # Python 3.
return [ bytes.fromhex(p) for p in ret ]
except AttributeError: # Python 2.
return [ p.decode("hex") for p in ret ]
except(TypeError, ValueError):
e = sys.exc_info()[1]
_exit_error("decode", hex, e)
def text_to_pattern(text):
""" Converts a text string into a pattern. """
try: # Python 3.
return [ t.encode('utf-8') for t in text.split("?") ]
except TypeError: # Python 2.
return [ t for t in text.split("?") ]
def file_to_pattern(fname):
""" Converts a file into a pattern. """
try: # If file specified, read it into memory.
with open(fname, "rb") as f:
return [f.read()]
except IOError:
e = sys.exc_info()[1]
_exit_error("fpattern", fname, e)
# We will be keeping the parsed args object and editing its attributes!
def verify_args(ar):
"""
Verify that all the parsed args are correct and work well together.
Returns the modified args object.
"""
DEBUG = ar.debug
# Make sure that exactly 1 pattern argument was given.
all_patterns = list(filter(None, [ar.fpattern, ar.ppattern, ar.tpattern]))
if len(all_patterns) > 1:
_exit_error("Xpatterns")
if len(all_patterns) == 0:
_exit_error("0patterns")
# Create a new variable ar.pattern, and fill it with
# whichever pattern we have -t -f -p. ar.pattern will be a list.
if ar.fpattern:
ar.pattern = file_to_pattern(ar.fpattern)
elif ar.tpattern:
ar.pattern = text_to_pattern(ar.tpattern)
else:
ar.pattern = hex_to_pattern(ar.ppattern)
# Convert all number args from strings into long integers.
try:
for attr in [ "bsize", "max_matches", "start", "end" ]:
if getattr(ar, attr):
setattr(ar, attr, long(getattr(ar, attr)))
except ValueError:
e = sys.exc_info()[1]
_exit_error("sizes", err=e)
# Buffer size must be at least double maximum pattern size.
if ar.bsize:
if ar.bsize < len("?".join(ar.pattern)) * 2:
_exit_error("bsize", len("?".join(ar.pattern)) * 2)
else:
ar.bsize = len(b"".join(ar.pattern)) * 2
ar.bsize = max(ar.bsize, 2**23) # If bsize is < default, set to default.
# Set start and end values to 0 if not set.
ar.start = ar.start or 0
ar.end = ar.end or 0
# End must be after start. :)
if ar.end and ar.start >= ar.end:
_exit_error("startend")
# If log file is True, open it and replace ar.log with the file handler.
if ar.log:
try:
ar.log = open(ar.log, "w")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", ar.log, e)
return ar
def search(ar, fh):
"""
This function is simply a wrapper to forward needed variables in a way
to make them all local variables. Accessing local variables is faster than
accessing object.attribute variables.
Returns nothing.
"""
if not DEBUG:
_search_loop(ar.start, ar.end, ar.bsize, ar.pattern,
ar.max_matches, ar.log, ar.verbose, fh.name,
fh.read, fh.seek)
else:
_debug_search(ar.pattern, fh.name, fh.read)
def _debug_search(pattern, fh_name, fh_read):
"""
Slower, less functional, but less error prone simple search.
For debugging purposes.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern))
read_size = 2**24 - len_pattern # Amount to read each loop.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
regex = re.compile(pattern, re.DOTALL+re.MULTILINE)
try:
buffer = fh_read(len_pattern + read_size)
offset = 0
match = regex.search(buffer)
while True:
if not match:
offset += read_size
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size)
match = regex.search(buffer)
else:
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
offset+match.start(), offset+match.start(), fh_name))
match = regex.search(buffer, match.start()+1)
if len(buffer) <= len_pattern:
return
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def _search_loop(start, end, bsize, pattern, max_matches,
log, verbose, fh_name, fh_read, fh_seek):
"""
Primary search function.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern)) # Byte length of pattern.
read_size = bsize - len_pattern # Amount to read each loop.
# Convert pattern into a regular expression for insane fast searching.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
# Grab regex search function directly to speed up function calls.
regex_search = re.compile(pattern, re.DOTALL+re.MULTILINE).search
offset = start or 0
# Set start reading position in file.
try:
if offset:
fh_seek(offset)
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, err=e)
try:
buffer = fh_read(len_pattern + read_size) # Get initial buffer amount.
match = regex_search(buffer) # Search for a match in the buffer.
# Set match to -1 if no match, else set it to the match position.
match = -1 if match == None else match.start()
while True: # Begin main loop for searching through a file.
if match == -1: # No match.
offset += read_size
# If end exists and we are beyond end, finish search.
if end and offset > end:
return
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size) # Read more into the buffer.
match = regex_search(buffer) # Search for next match in the buffer.
# If there is no match set match to -1, else the matching position.
match = -1 if match == None else match.start()
if verbose: # Print each loop offset if verbose is on.
STDOUT.write("Passing offset: %14d %12X\n" % (offset, offset))
else: # Else- there was a match.
# If end exists and we are beyond end, finish search.
if match == -1 and offset + match > end:
return
# Print matched offset.
find_offset = offset + match
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
find_offset, find_offset, fh_name))
if max_matches:
max_matches -= 1
if max_matches == 0: # If maximum matches are found, then end.
STDOUT.write("Found maximum number of matches.\n")
return
# Search for next match in the buffer.
match = regex_search(buffer, match+1)
match = -1 if match == None else match.start()
if len(buffer) <= len_pattern: # If finished reading input then end.
return
# Main loop closes here.
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def main():
args = get_args() # Get commandline arguments.
args = verify_args(args) # Check arguments for sanity, and edit them a bit.
if args.fsearch: # If filenames were given on the commandline, process them.
while args.fsearch: # List of files to search inside.
try: # Open a filehandler for the filename.
filehandler = open(args.fsearch[0], "rb")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", args.fsearch[0], e)
search(args, filehandler)
filehandler.close()
args.fsearch.pop(0) # Remove each file after search.
else: # If no files were given, search using stdin.
search(args, STDIN)
sys.exit(0)
if __name__ == "__main__":
# This allows the program to exit quickly when pressing ctrl+c.
signal.signal(signal.SIGINT, signal.SIG_DFL)
main() source: https://github.com/Sepero/SearchBin/blob/master/searchbin.pyis useful works out fo the box without dependencies, might need to chmod +x searchbin.py if it dont execute on terminal after changing into the directory with the searchbin.py file i cant explain how ot run this maybe pay someone to support you in person if you have no tech skills. searchbin -p 01010420 "path to disk image of .img" file,
searchbin -p 01010420 /dev/whicheverpath its on might work too if you want to go cowboy mode. it probably will miss it, so try if it doesnt work, some keys have this preseeding, i noticed half the old wallets i extracted keys from using raw extraction 10141f found mroe keys, they are just 31 bytes after instead of 32 but they start with 00 i think it will start outputting offsets of whereveer private keys are stored on the drive. and you can then run pywallet or if you want to be pressie locate the wallet file. also a bonus, searchbin.py -p 6231050009000000 "path to disk image" will output offsets to wallet files. i mean its not guaranteed to, but it should help you get closer to recovering it. if you get rich please ask me for my wallet address. thanks  also if you find any hits let me know i can give more advice, im learning the shit out of recovering wallets as i still cant recover mine.[/code] If I find 6231050009000000 and 10141f while looking for a deleted wallet.... how do I get a private key from that? Fell free to message me Is Usually 20 is hexadecimal. If you go to https://www.rapidtables.com/convert/number/hex-to-decimal.html?x=20 you can see the number is 32. 32 sort of represents the amount of characters to read to to get the private keynow when it says 1f instead of 20 it if we go to https://www.rapidtables.com/convert/number/hex-to-decimal.html?x=1f you can see the number is 31 so we only read 31 characters after. the private key is 31 characters long (in hex format). it could even be 1e, that will be 30 characters long. whatever the case, lets say you have a key that starts with 10141f, you read the 31 characters following for the private key. You can turn it into a private key with a tool such as https://brainwalletx.github.io/ and paste the hex into the "Secret Exponent" section, be sure to select compressed/uncompressed format or the right crypto network. not sure if that answers. Also don't use https://brainwalletx.github.io/ without downloading it first/inspecting the code if possible from Usually people just add padding with 0's on the key it all depends on how you use the key. Can I offline with you on this? I want to make sure I am going in the right order. |
|
|
|
wallet.dat is Bitcoin Core.
It depends on what data you have and how intact you think the data is. Is it a bunch of unnamed files and you're trying to figure out which may be a wallet? Or are you looking at raw data from the drive directly (e.g. in an image file)? Or something else?
I am using winhex. I have the drives and made images out of them. I had the file on a flash drive and probably in several time machine backups. I since deleted the backups. I figure scanning the drive images for those magic numbers I have been reading about might help me find those private keys. |
|
|
|
It depends on the software that you think you were using.
Also, that sequence is not specific enough. It's part of a larger standard called DER encoding which a lot of other software may be using. That sequence could show up in anything that's been DER encoded.
I am 99.99 % the name of the file is wallet.dat. That would make it bitcoin core right? Do you which numbers I would need to scrub my drive for? |
|
|
|
What makes you think that that string is relevant for a wallet?
From what I've understood reading through some posts, those are a set of magic numbers and the next 64 characters should have a bitcoin key. Is this wrong? I'm afraid I don't totally understand. |
|
|
|
|
Hello, I am looking for a wallet I think I had back a few years ago. Looking for those magic numbers and I found a couple of hundred. I am copying the 64 characters after these numbers I noticed that hundreds of them have code beginning with D03 and ending in 47. Is this normal for a wallet? Or is it a macbook thing?
|
|
|
|
Pywallet requires ton of plugins, you dont want to be connecting to the internet while sandboxed just to get that script working properly, (just a millisecond can leak keys) to some hacker i suggest first just searching for the berkeley database file headers, you can then use some software to extract the files. but first make a disk image using a ubuntu live usb or something. go to gnome disks, (if using windows make sure the computer isnt hibernating and shut down correctly or not i dunno maybe that might overwrite some data if you do make 3 disk images i guess, do sudo gnome-disks if your noob and select disk and create an image of it on a m2ssd or something) #!/usr/bin/env python
"""
searchbin.py -t PATTERN [FILE [FILE...]]
searchbin.py -p PATTERN [FILE [FILE...]]
searchbin.py -f FILE [FILE [FILE...]]
examples:
./searchbin.py -t "hello" myfile.exe
Searches for the text "hello" in myfile.exe.
./searchbin.py -p "CCDDFF" myfile.exe
Searches for the hexidecimal pattern "CCDDFF" in myfile.exe.
./searchbin.py -f pattern.bin myfile.exe
Reads the file pattern.bin, and searches for a binary match within myfile.exe.
Many more capabilites, just run ./searchbin.py --help
+Features: no compiling, fast, small file, wild card matches, search multiple files of unlimited size, all operating systems
+Minimum Py2.7 required for argparse library
+keywords binary grep search seek find fast
license: BSD 2-Clause License, 2012, Sepero
license: http://www.opensource.org/licenses/BSD-2-Clause
"""
from __future__ import unicode_literals
import re
import signal
import sys
# Global variables.
CONTACT=("sepero 111 @ gmx . com\n"
"https://bitbucket.org/Sepero/searchbin/issues/new\n"
"http://seperohacker.blogspot.com/2012/04/binary-grep-program-searchbin.html")
VERSION="1.00"
DEBUG = False
STDOUT = sys.stdout
try: # Python 3 modifications.
STDIN = sys.stdin.buffer
except: # Python 2 modifications.
STDIN = sys.stdin
range = xrange
def _exit_error(code, option="", err=None):
"""
Error information is kept here for the purposes of easier management and possibly language tranlation.
Returns nothing. All calls exit the program, error status 128.
"""
error_codes = {
"Xpatterns":
"Cannot search for multiple patterns. '-t -p -f'",
"0patterns":
"No pattern to search for was supplied. '-t -p -f'",
"decode":
"The pattern string is invalid.\n" + str(option),
"bsize":
"The buffer size must be at least %s bytes." % str(option),
"sizes":
"Size parameters (-b -s -e -m) must be in decimal format.",
"fpattern":
"No pattern file found named: %s" % option,
"startend":
"The start of search must come before the end.",
"openfile":
"Failed opening file: %s" % option,
"logwrite":
"Could not write to the log file: %s" % option,
"read":
"Failed reading from file: %s" % option,
}
import traceback
sys.stderr.write(traceback.format_exc() + "\n")
if not DEBUG:
sys.stderr.write("version: %s\n" % VERSION)
sys.stderr.write("Please Report issues to: %s\n" % CONTACT)
if err: sys.stderr.write("%s\n" % str(err))
sys.stderr.write("Error <%s>: %s\n\n" % (code, error_codes[code]))
if __name__ == "__main__":
sys.exit(128) # Exit under normal operation.
raise # Raise error on unittest or other execution.
def get_args():
"""
Parse all arguments from the command line using ArgumentParser.
Returns an args object with attributes representing all arguments.
"""
from argparse import ArgumentParser
description = CONTACT + """
An argument -t or -p or -f is required. The -p argument accepts a
hexidecimal pattern string and allows for missing characters,
such as 'FF??FF'. When using -f argument, the pattern file will
be read as a binary file (not hex strings). If no search files are
specified, %prog will read from standard input. The minimum memory
required is about 3 times the size of the pattern byte length.
Increasing buffer-size will increase program search speed for
large search files. All size arguments (-b -s -e) are read in decimal
format, for example: '-s 1024' will start searching after 1kilobyte.
format, for example: '-s 1024' will start searching after 1kilobyte.
Reported finds are 0-based offset.
"""
p = ArgumentParser(description=description)
def add(s, **kwargs):
args = s.split(':')
value = args.pop(2) # Pop item at index 2 (argument type).
if value: kwargs['type'] = eval(value) #(type)(value) # str(value) or long(value).
value = args.pop(2) # Pop item at index 2 (argument metavar).
if value: kwargs['metavar'] = value
value = args.pop(2) # Pop item at index 2 (argument name/destination).
if value: kwargs['dest'] = value
p.add_argument(*args, **kwargs)
p.add_argument('-f', '--file', type=str,
metavar='FILE', dest='fpattern',
help='file to read search pattern from')
p.add_argument('-t', '--text', type=str,
metavar='PATTERN', dest='tpattern',
help='a (utf-8 case-sensitive) text string to search for')
p.add_argument('-p', '--pattern', type=str, # I would use -h for hex, but that's used for help output.
metavar='PATTERN', dest='ppattern',
help='a hexidecimal pattern to search for')
try: # Python 3.
p.add_argument('-b', '--buffer-size', type=int,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). 8MB default')
p.add_argument('-s', '--start', type=int,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=int,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=int,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
except: # Python 2.
p.add_argument('-b', '--buffer-size', type=long,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). default is 8388608 (8MB)')
p.add_argument('-s', '--start', type=long,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=long,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=long,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
p.add_argument('-l', '--log', type=str,
metavar='FILE', dest='log',
help='write matched offsets to FILE, instead of standard output')
p.add_argument(type=str,
metavar='FILE', dest='fsearch', nargs='*',
help='files to search within')
p.add_argument('-v', '--verbose',
dest='verbose', action='store_true',
help='verbose, output the number of bytes searched after each buffer read')
p.add_argument('-V', '--version',
action='version', version='%(prog)s ' + VERSION)
p.add_argument('-d', '--debug',
dest='debug', action='store_true',
help='debugging (don\'t use this)')
return p.parse_args()
"""
=Patterns=
A pattern is a list. It represents the division between known and unknown
bytes to search for. All hex/text/file input is converted to a pattern.
Examples of conversions:
hex "31??33" becomes ['A', 'C'] # Everything is converted internally to strings, even though they may not be printable characters.
text "A?C" becomes ['A', 'C']
text "A??C" becomes ['A', '', 'C']
"""
def hex_to_pattern(hex):
""" Converts a hex string into a pattern. """
ret = []
pattern = hex
if hex[:2] == "0x": # Remove "0x" from start if it exists.
pattern = hex[2:]
try:
ret = [ p for p in pattern.split("??") ]
try: # Python 3.
return [ bytes.fromhex(p) for p in ret ]
except AttributeError: # Python 2.
return [ p.decode("hex") for p in ret ]
except(TypeError, ValueError):
e = sys.exc_info()[1]
_exit_error("decode", hex, e)
def text_to_pattern(text):
""" Converts a text string into a pattern. """
try: # Python 3.
return [ t.encode('utf-8') for t in text.split("?") ]
except TypeError: # Python 2.
return [ t for t in text.split("?") ]
def file_to_pattern(fname):
""" Converts a file into a pattern. """
try: # If file specified, read it into memory.
with open(fname, "rb") as f:
return [f.read()]
except IOError:
e = sys.exc_info()[1]
_exit_error("fpattern", fname, e)
# We will be keeping the parsed args object and editing its attributes!
def verify_args(ar):
"""
Verify that all the parsed args are correct and work well together.
Returns the modified args object.
"""
DEBUG = ar.debug
# Make sure that exactly 1 pattern argument was given.
all_patterns = list(filter(None, [ar.fpattern, ar.ppattern, ar.tpattern]))
if len(all_patterns) > 1:
_exit_error("Xpatterns")
if len(all_patterns) == 0:
_exit_error("0patterns")
# Create a new variable ar.pattern, and fill it with
# whichever pattern we have -t -f -p. ar.pattern will be a list.
if ar.fpattern:
ar.pattern = file_to_pattern(ar.fpattern)
elif ar.tpattern:
ar.pattern = text_to_pattern(ar.tpattern)
else:
ar.pattern = hex_to_pattern(ar.ppattern)
# Convert all number args from strings into long integers.
try:
for attr in [ "bsize", "max_matches", "start", "end" ]:
if getattr(ar, attr):
setattr(ar, attr, long(getattr(ar, attr)))
except ValueError:
e = sys.exc_info()[1]
_exit_error("sizes", err=e)
# Buffer size must be at least double maximum pattern size.
if ar.bsize:
if ar.bsize < len("?".join(ar.pattern)) * 2:
_exit_error("bsize", len("?".join(ar.pattern)) * 2)
else:
ar.bsize = len(b"".join(ar.pattern)) * 2
ar.bsize = max(ar.bsize, 2**23) # If bsize is < default, set to default.
# Set start and end values to 0 if not set.
ar.start = ar.start or 0
ar.end = ar.end or 0
# End must be after start. :)
if ar.end and ar.start >= ar.end:
_exit_error("startend")
# If log file is True, open it and replace ar.log with the file handler.
if ar.log:
try:
ar.log = open(ar.log, "w")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", ar.log, e)
return ar
def search(ar, fh):
"""
This function is simply a wrapper to forward needed variables in a way
to make them all local variables. Accessing local variables is faster than
accessing object.attribute variables.
Returns nothing.
"""
if not DEBUG:
_search_loop(ar.start, ar.end, ar.bsize, ar.pattern,
ar.max_matches, ar.log, ar.verbose, fh.name,
fh.read, fh.seek)
else:
_debug_search(ar.pattern, fh.name, fh.read)
def _debug_search(pattern, fh_name, fh_read):
"""
Slower, less functional, but less error prone simple search.
For debugging purposes.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern))
read_size = 2**24 - len_pattern # Amount to read each loop.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
regex = re.compile(pattern, re.DOTALL+re.MULTILINE)
try:
buffer = fh_read(len_pattern + read_size)
offset = 0
match = regex.search(buffer)
while True:
if not match:
offset += read_size
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size)
match = regex.search(buffer)
else:
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
offset+match.start(), offset+match.start(), fh_name))
match = regex.search(buffer, match.start()+1)
if len(buffer) <= len_pattern:
return
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def _search_loop(start, end, bsize, pattern, max_matches,
log, verbose, fh_name, fh_read, fh_seek):
"""
Primary search function.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern)) # Byte length of pattern.
read_size = bsize - len_pattern # Amount to read each loop.
# Convert pattern into a regular expression for insane fast searching.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
# Grab regex search function directly to speed up function calls.
regex_search = re.compile(pattern, re.DOTALL+re.MULTILINE).search
offset = start or 0
# Set start reading position in file.
try:
if offset:
fh_seek(offset)
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, err=e)
try:
buffer = fh_read(len_pattern + read_size) # Get initial buffer amount.
match = regex_search(buffer) # Search for a match in the buffer.
# Set match to -1 if no match, else set it to the match position.
match = -1 if match == None else match.start()
while True: # Begin main loop for searching through a file.
if match == -1: # No match.
offset += read_size
# If end exists and we are beyond end, finish search.
if end and offset > end:
return
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size) # Read more into the buffer.
match = regex_search(buffer) # Search for next match in the buffer.
# If there is no match set match to -1, else the matching position.
match = -1 if match == None else match.start()
if verbose: # Print each loop offset if verbose is on.
STDOUT.write("Passing offset: %14d %12X\n" % (offset, offset))
else: # Else- there was a match.
# If end exists and we are beyond end, finish search.
if match == -1 and offset + match > end:
return
# Print matched offset.
find_offset = offset + match
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
find_offset, find_offset, fh_name))
if max_matches:
max_matches -= 1
if max_matches == 0: # If maximum matches are found, then end.
STDOUT.write("Found maximum number of matches.\n")
return
# Search for next match in the buffer.
match = regex_search(buffer, match+1)
match = -1 if match == None else match.start()
if len(buffer) <= len_pattern: # If finished reading input then end.
return
# Main loop closes here.
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def main():
args = get_args() # Get commandline arguments.
args = verify_args(args) # Check arguments for sanity, and edit them a bit.
if args.fsearch: # If filenames were given on the commandline, process them.
while args.fsearch: # List of files to search inside.
try: # Open a filehandler for the filename.
filehandler = open(args.fsearch[0], "rb")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", args.fsearch[0], e)
search(args, filehandler)
filehandler.close()
args.fsearch.pop(0) # Remove each file after search.
else: # If no files were given, search using stdin.
search(args, STDIN)
sys.exit(0)
if __name__ == "__main__":
# This allows the program to exit quickly when pressing ctrl+c.
signal.signal(signal.SIGINT, signal.SIG_DFL)
main() source: https://github.com/Sepero/SearchBin/blob/master/searchbin.pyis useful works out fo the box without dependencies, might need to chmod +x searchbin.py if it dont execute on terminal after changing into the directory with the searchbin.py file i cant explain how ot run this maybe pay someone to support you in person if you have no tech skills. searchbin -p 01010420 "path to disk image of .img" file,
searchbin -p 01010420 /dev/whicheverpath its on might work too if you want to go cowboy mode. it probably will miss it, so try if it doesnt work, some keys have this preseeding, i noticed half the old wallets i extracted keys from using raw extraction 10141f found mroe keys, they are just 31 bytes after instead of 32 but they start with 00 i think it will start outputting offsets of whereveer private keys are stored on the drive. and you can then run pywallet or if you want to be pressie locate the wallet file. also a bonus, searchbin.py -p 6231050009000000 "path to disk image" will output offsets to wallet files. i mean its not guaranteed to, but it should help you get closer to recovering it. if you get rich please ask me for my wallet address. thanks also if you find any hits let me know i can give more advice, im learning the shit out of recovering wallets as i still cant recover mine.[/code] If I find 6231050009000000 and 10141f while looking for a deleted wallet.... how do I get a private key from that? Fell free to message me |
|
|
|
zsh: segmentation fault python2.7 pywallet.py --recover --recov_device='./thumb7.img'
If I'm not wrong, segmentation fault usually occurs when there are one or two missing libraries/not installed correctly. Some errors in the past also suggest this[1]. One of the users fixed it by installing pycrypto on his own. How do you install python and pywallet? Maybe experienced people can help you more if you also post the full logs and your installation steps. CMIIW. [1] https://github.com/jackjack-jj/pywallet/pull/13I will try this. Probably after I try looking for the magic numbers. Thank you |
|
|
|
(could not get pywallet to work for me) Have you read [GUIDE] Recover your deleted keys? It's in my bookmarks with the name "use pywallet to search entire partition". This should get you started. I tried the commands and get a segmentation fault like below: Found 0 possible wallets Found 0 possible encrypted keys Found 0 possible unencrypted keys zsh: segmentation fault python2.7 pywallet.py --recover --recov_device='./thumb7.img' |
|
|
|
It seems that 0000000062310500 matches to wallet.dat of Bitcoin Core. Next steps would be to extract and reconstruct that wallet file.
You can use WinHex to extract the data from the location. It may take some trys since it is not that easy to determine the length (atleast for me).
Save the data as a new .dat file and replace it with your wallet.dat on the Bitcoin Core data directory - before you do that: make sure to backup the file you are replacing (your current wallet)
If Bitcoin Core cannot read that new file you might want to start Bitcoin Core with the command line -salvagewallet which can fix the recovery attempt in a few cases.
How would I extract the data and how do I determine the length? |
|
|
|
|
Hello, I have about 6-7 hard drives to look for some bitcoin wallets I most likely deleted. I read through some posts and figured I could use winhex (could not get pywallet to work for me) and search for those magic numbers: magic = [
b'\x01\x30\x82\x01\x13\x02\x01\x01\x04\x20',
b'\x02\x42\x60\x8D\x10\x40\x01\x01\x00\x00',
b'\x00\x00\x00\x00\x62\x31\x05\x00', # Bitcoin Core wallet.dat
b'\x00\x00\x00\x00\x62\x32\x05\x00', # Bitcoin Core wallet.dat (testnet)
b'\x00\x00\x00\x00\x62\x33\x05\x00', # Bitcoin Core wallet.dat (regtest)
b'\x00\x00\x00\x00\x62\x34\x05\x00', # Bitcoin Core wallet.dat (signet)
b'ELECBUM', # Electrum wallet
b'BIE1\x00', # Bither wallet
b'Mini', # Mini private key format
b'passphrase', # Blockchain.info wallet (encrypted)
b'encpriv', # Blockchain.info wallet (encrypted)
b'pmtu', # MultiBit wallet
b'Extended Private Key', # Extended private key (xprv)
b'Extended Public Key', # Extended public key (xpub)
b'\x80', # WIF for mainnet
b'\xEF', # WIF for testnet
]
I am unsure as to what I am supposed to do if I find them. As an example, I found this "0000000062310500" on one hard drive but unsure of the next step. I am gathering information as I search each drive for any of these magic numbers. Any info is appreciated and will gladly share anything I find.
|
|
|
|
|
