Pywallet requires ton of plugins, you dont want to be connecting to the internet while sandboxed just to get that script working properly, (just a millisecond can leak keys) to some hacker i suggest first just searching for the berkeley database file headers, you can then use some software to extract the files. but first make a disk image using a ubuntu live usb or something. go to gnome disks, (if using windows make sure the computer isnt hibernating and shut down correctly or not i dunno maybe that might overwrite some data if you do make 3 disk images i guess, do sudo gnome-disks if your noob and select disk and create an image of it on a m2ssd or something) #!/usr/bin/env python
"""
searchbin.py -t PATTERN [FILE [FILE...]]
searchbin.py -p PATTERN [FILE [FILE...]]
searchbin.py -f FILE [FILE [FILE...]]
examples:
./searchbin.py -t "hello" myfile.exe
Searches for the text "hello" in myfile.exe.
./searchbin.py -p "CCDDFF" myfile.exe
Searches for the hexidecimal pattern "CCDDFF" in myfile.exe.
./searchbin.py -f pattern.bin myfile.exe
Reads the file pattern.bin, and searches for a binary match within myfile.exe.
Many more capabilites, just run ./searchbin.py --help
+Features: no compiling, fast, small file, wild card matches, search multiple files of unlimited size, all operating systems
+Minimum Py2.7 required for argparse library
+keywords binary grep search seek find fast
license: BSD 2-Clause License, 2012, Sepero
license: http://www.opensource.org/licenses/BSD-2-Clause
"""
from __future__ import unicode_literals
import re
import signal
import sys
# Global variables.
CONTACT=("sepero 111 @ gmx . com\n"
"https://bitbucket.org/Sepero/searchbin/issues/new\n"
"http://seperohacker.blogspot.com/2012/04/binary-grep-program-searchbin.html")
VERSION="1.00"
DEBUG = False
STDOUT = sys.stdout
try: # Python 3 modifications.
STDIN = sys.stdin.buffer
except: # Python 2 modifications.
STDIN = sys.stdin
range = xrange
def _exit_error(code, option="", err=None):
"""
Error information is kept here for the purposes of easier management and possibly language tranlation.
Returns nothing. All calls exit the program, error status 128.
"""
error_codes = {
"Xpatterns":
"Cannot search for multiple patterns. '-t -p -f'",
"0patterns":
"No pattern to search for was supplied. '-t -p -f'",
"decode":
"The pattern string is invalid.\n" + str(option),
"bsize":
"The buffer size must be at least %s bytes." % str(option),
"sizes":
"Size parameters (-b -s -e -m) must be in decimal format.",
"fpattern":
"No pattern file found named: %s" % option,
"startend":
"The start of search must come before the end.",
"openfile":
"Failed opening file: %s" % option,
"logwrite":
"Could not write to the log file: %s" % option,
"read":
"Failed reading from file: %s" % option,
}
import traceback
sys.stderr.write(traceback.format_exc() + "\n")
if not DEBUG:
sys.stderr.write("version: %s\n" % VERSION)
sys.stderr.write("Please Report issues to: %s\n" % CONTACT)
if err: sys.stderr.write("%s\n" % str(err))
sys.stderr.write("Error <%s>: %s\n\n" % (code, error_codes[code]))
if __name__ == "__main__":
sys.exit(128) # Exit under normal operation.
raise # Raise error on unittest or other execution.
def get_args():
"""
Parse all arguments from the command line using ArgumentParser.
Returns an args object with attributes representing all arguments.
"""
from argparse import ArgumentParser
description = CONTACT + """
An argument -t or -p or -f is required. The -p argument accepts a
hexidecimal pattern string and allows for missing characters,
such as 'FF??FF'. When using -f argument, the pattern file will
be read as a binary file (not hex strings). If no search files are
specified, %prog will read from standard input. The minimum memory
required is about 3 times the size of the pattern byte length.
Increasing buffer-size will increase program search speed for
large search files. All size arguments (-b -s -e) are read in decimal
format, for example: '-s 1024' will start searching after 1kilobyte.
format, for example: '-s 1024' will start searching after 1kilobyte.
Reported finds are 0-based offset.
"""
p = ArgumentParser(description=description)
def add(s, **kwargs):
args = s.split(':')
value = args.pop(2) # Pop item at index 2 (argument type).
if value: kwargs['type'] = eval(value) #(type)(value) # str(value) or long(value).
value = args.pop(2) # Pop item at index 2 (argument metavar).
if value: kwargs['metavar'] = value
value = args.pop(2) # Pop item at index 2 (argument name/destination).
if value: kwargs['dest'] = value
p.add_argument(*args, **kwargs)
p.add_argument('-f', '--file', type=str,
metavar='FILE', dest='fpattern',
help='file to read search pattern from')
p.add_argument('-t', '--text', type=str,
metavar='PATTERN', dest='tpattern',
help='a (utf-8 case-sensitive) text string to search for')
p.add_argument('-p', '--pattern', type=str, # I would use -h for hex, but that's used for help output.
metavar='PATTERN', dest='ppattern',
help='a hexidecimal pattern to search for')
try: # Python 3.
p.add_argument('-b', '--buffer-size', type=int,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). 8MB default')
p.add_argument('-s', '--start', type=int,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=int,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=int,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
except: # Python 2.
p.add_argument('-b', '--buffer-size', type=long,
metavar='NUM', dest='bsize',
help='read buffer size (in bytes). default is 8388608 (8MB)')
p.add_argument('-s', '--start', type=long,
metavar='NUM', dest='start',
help='starting position in file to begin searching, as bytes')
p.add_argument('-e', '--end', type=long,
metavar='NUM', dest='end',
help='end search at this position, measuring from beginning of file')
p.add_argument('-m', '--max-matches', type=long,
metavar='NUM', dest='max_matches',
help='maximum number of matches to find (0=infinite)')
p.add_argument('-l', '--log', type=str,
metavar='FILE', dest='log',
help='write matched offsets to FILE, instead of standard output')
p.add_argument(type=str,
metavar='FILE', dest='fsearch', nargs='*',
help='files to search within')
p.add_argument('-v', '--verbose',
dest='verbose', action='store_true',
help='verbose, output the number of bytes searched after each buffer read')
p.add_argument('-V', '--version',
action='version', version='%(prog)s ' + VERSION)
p.add_argument('-d', '--debug',
dest='debug', action='store_true',
help='debugging (don\'t use this)')
return p.parse_args()
"""
=Patterns=
A pattern is a list. It represents the division between known and unknown
bytes to search for. All hex/text/file input is converted to a pattern.
Examples of conversions:
hex "31??33" becomes ['A', 'C'] # Everything is converted internally to strings, even though they may not be printable characters.
text "A?C" becomes ['A', 'C']
text "A??C" becomes ['A', '', 'C']
"""
def hex_to_pattern(hex):
""" Converts a hex string into a pattern. """
ret = []
pattern = hex
if hex[:2] == "0x": # Remove "0x" from start if it exists.
pattern = hex[2:]
try:
ret = [ p for p in pattern.split("??") ]
try: # Python 3.
return [ bytes.fromhex(p) for p in ret ]
except AttributeError: # Python 2.
return [ p.decode("hex") for p in ret ]
except(TypeError, ValueError):
e = sys.exc_info()[1]
_exit_error("decode", hex, e)
def text_to_pattern(text):
""" Converts a text string into a pattern. """
try: # Python 3.
return [ t.encode('utf-8') for t in text.split("?") ]
except TypeError: # Python 2.
return [ t for t in text.split("?") ]
def file_to_pattern(fname):
""" Converts a file into a pattern. """
try: # If file specified, read it into memory.
with open(fname, "rb") as f:
return [f.read()]
except IOError:
e = sys.exc_info()[1]
_exit_error("fpattern", fname, e)
# We will be keeping the parsed args object and editing its attributes!
def verify_args(ar):
"""
Verify that all the parsed args are correct and work well together.
Returns the modified args object.
"""
DEBUG = ar.debug
# Make sure that exactly 1 pattern argument was given.
all_patterns = list(filter(None, [ar.fpattern, ar.ppattern, ar.tpattern]))
if len(all_patterns) > 1:
_exit_error("Xpatterns")
if len(all_patterns) == 0:
_exit_error("0patterns")
# Create a new variable ar.pattern, and fill it with
# whichever pattern we have -t -f -p. ar.pattern will be a list.
if ar.fpattern:
ar.pattern = file_to_pattern(ar.fpattern)
elif ar.tpattern:
ar.pattern = text_to_pattern(ar.tpattern)
else:
ar.pattern = hex_to_pattern(ar.ppattern)
# Convert all number args from strings into long integers.
try:
for attr in [ "bsize", "max_matches", "start", "end" ]:
if getattr(ar, attr):
setattr(ar, attr, long(getattr(ar, attr)))
except ValueError:
e = sys.exc_info()[1]
_exit_error("sizes", err=e)
# Buffer size must be at least double maximum pattern size.
if ar.bsize:
if ar.bsize < len("?".join(ar.pattern)) * 2:
_exit_error("bsize", len("?".join(ar.pattern)) * 2)
else:
ar.bsize = len(b"".join(ar.pattern)) * 2
ar.bsize = max(ar.bsize, 2**23) # If bsize is < default, set to default.
# Set start and end values to 0 if not set.
ar.start = ar.start or 0
ar.end = ar.end or 0
# End must be after start. :)
if ar.end and ar.start >= ar.end:
_exit_error("startend")
# If log file is True, open it and replace ar.log with the file handler.
if ar.log:
try:
ar.log = open(ar.log, "w")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", ar.log, e)
return ar
def search(ar, fh):
"""
This function is simply a wrapper to forward needed variables in a way
to make them all local variables. Accessing local variables is faster than
accessing object.attribute variables.
Returns nothing.
"""
if not DEBUG:
_search_loop(ar.start, ar.end, ar.bsize, ar.pattern,
ar.max_matches, ar.log, ar.verbose, fh.name,
fh.read, fh.seek)
else:
_debug_search(ar.pattern, fh.name, fh.read)
def _debug_search(pattern, fh_name, fh_read):
"""
Slower, less functional, but less error prone simple search.
For debugging purposes.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern))
read_size = 2**24 - len_pattern # Amount to read each loop.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
regex = re.compile(pattern, re.DOTALL+re.MULTILINE)
try:
buffer = fh_read(len_pattern + read_size)
offset = 0
match = regex.search(buffer)
while True:
if not match:
offset += read_size
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size)
match = regex.search(buffer)
else:
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
offset+match.start(), offset+match.start(), fh_name))
match = regex.search(buffer, match.start()+1)
if len(buffer) <= len_pattern:
return
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def _search_loop(start, end, bsize, pattern, max_matches,
log, verbose, fh_name, fh_read, fh_seek):
"""
Primary search function.
Returns nothing.
"""
len_pattern = len(b"?".join(pattern)) # Byte length of pattern.
read_size = bsize - len_pattern # Amount to read each loop.
# Convert pattern into a regular expression for insane fast searching.
pattern = [ re.escape(p) for p in pattern ]
pattern = b".".join(pattern)
# Grab regex search function directly to speed up function calls.
regex_search = re.compile(pattern, re.DOTALL+re.MULTILINE).search
offset = start or 0
# Set start reading position in file.
try:
if offset:
fh_seek(offset)
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, err=e)
try:
buffer = fh_read(len_pattern + read_size) # Get initial buffer amount.
match = regex_search(buffer) # Search for a match in the buffer.
# Set match to -1 if no match, else set it to the match position.
match = -1 if match == None else match.start()
while True: # Begin main loop for searching through a file.
if match == -1: # No match.
offset += read_size
# If end exists and we are beyond end, finish search.
if end and offset > end:
return
buffer = buffer[read_size:] # Erase front portion of buffer.
buffer += fh_read(read_size) # Read more into the buffer.
match = regex_search(buffer) # Search for next match in the buffer.
# If there is no match set match to -1, else the matching position.
match = -1 if match == None else match.start()
if verbose: # Print each loop offset if verbose is on.
STDOUT.write("Passing offset: %14d %12X\n" % (offset, offset))
else: # Else- there was a match.
# If end exists and we are beyond end, finish search.
if match == -1 and offset + match > end:
return
# Print matched offset.
find_offset = offset + match
STDOUT.write("Match at offset: %14d %12X in %s\n" % (
find_offset, find_offset, fh_name))
if max_matches:
max_matches -= 1
if max_matches == 0: # If maximum matches are found, then end.
STDOUT.write("Found maximum number of matches.\n")
return
# Search for next match in the buffer.
match = regex_search(buffer, match+1)
match = -1 if match == None else match.start()
if len(buffer) <= len_pattern: # If finished reading input then end.
return
# Main loop closes here.
except IOError:
e = sys.exc_info()[1]
_exit_error("read", fh_name, e)
def main():
args = get_args() # Get commandline arguments.
args = verify_args(args) # Check arguments for sanity, and edit them a bit.
if args.fsearch: # If filenames were given on the commandline, process them.
while args.fsearch: # List of files to search inside.
try: # Open a filehandler for the filename.
filehandler = open(args.fsearch[0], "rb")
except IOError:
e = sys.exc_info()[1]
_exit_error("openfile", args.fsearch[0], e)
search(args, filehandler)
filehandler.close()
args.fsearch.pop(0) # Remove each file after search.
else: # If no files were given, search using stdin.
search(args, STDIN)
sys.exit(0)
if __name__ == "__main__":
# This allows the program to exit quickly when pressing ctrl+c.
signal.signal(signal.SIGINT, signal.SIG_DFL)
main() source: https://github.com/Sepero/SearchBin/blob/master/searchbin.pyis useful works out fo the box without dependencies, might need to chmod +x searchbin.py if it dont execute on terminal after changing into the directory with the searchbin.py file i cant explain how ot run this maybe pay someone to support you in person if you have no tech skills. searchbin -p 01010420 "path to disk image of .img" file,
searchbin -p 01010420 /dev/whicheverpath its on might work too if you want to go cowboy mode. it probably will miss it, so try if it doesnt work, some keys have this preseeding, i noticed half the old wallets i extracted keys from using raw extraction 10141f found mroe keys, they are just 31 bytes after instead of 32 but they start with 00 i think it will start outputting offsets of whereveer private keys are stored on the drive. and you can then run pywallet or if you want to be pressie locate the wallet file. also a bonus, searchbin.py -p 6231050009000000 "path to disk image" will output offsets to wallet files. i mean its not guaranteed to, but it should help you get closer to recovering it. if you get rich please ask me for my wallet address. thanks  also if you find any hits let me know i can give more advice, im learning the shit out of recovering wallets as i still cant recover mine.[/code] If I find 6231050009000000 and 10141f while looking for a deleted wallet.... how do I get a private key from that? Fell free to message me Is Usually 20 is hexadecimal. If you go to https://www.rapidtables.com/convert/number/hex-to-decimal.html?x=20 you can see the number is 32. 32 sort of represents the amount of characters to read to to get the private keynow when it says 1f instead of 20 it if we go to https://www.rapidtables.com/convert/number/hex-to-decimal.html?x=1f you can see the number is 31 so we only read 31 characters after. the private key is 31 characters long (in hex format). it could even be 1e, that will be 30 characters long. whatever the case, lets say you have a key that starts with 10141f, you read the 31 characters following for the private key. You can turn it into a private key with a tool such as https://brainwalletx.github.io/ and paste the hex into the "Secret Exponent" section, be sure to select compressed/uncompressed format or the right crypto network. not sure if that answers. Also don't use https://brainwalletx.github.io/ without downloading it first/inspecting the code if possible from Usually people just add padding with 0's on the key it all depends on how you use the key. |
|
|
|
found this in my old notes, <?xml version="1.0" encoding="UTF-8"?>
<FileTypeList version="2.0">
<FileType id="50001" group="Other files" description="bitcoin wallets" features="" extension="dat">
<Begin combine="OR">
<Signature>\x61\x15\x06\x00</Signature>
<Signature>\x00\x06\x15\x61</Signature>
<Signature>\x62\x31\x05\x00</Signature>
<Signature>\x00\x05\x31\x62</Signature>
<Signature offset="12">\x61\x15\x06\x00</Signature>
<Signature offset="12">\x00\x06\x15\x61</Signature>
<Signature offset="12">\x62\x31\x05\x00</Signature>
<Signature offset="12">\x00\x05\x31\x62</Signature>
<Signature offset="12">\x53\x22\x04\x00</Signature>
<Signature offset="12">\x00\x04\x22\x53</Signature>
<Signature offset="12">\x88\x09\x04\x00</Signature>
<Signature offset="12">\x00\x04\x09\x88</Signature>
</Begin>
<End combine="OR"/>
</FileType>
</FileTypeList> i think it's supposed to be used in https://www.google.com/search?q=R-Studio I can't vouch for it, but like i said before if you recover using photorec anything that resembles a wallet database (bdb) it will have a .db extension and be missing the first 8kb or less, that will probably be seperared, the wallet wont read correctly but you can fix it edit: this post: https://bitcointalk.org/index.php?topic=2637884.0 is also very useful but i have yet to test properly, had to take a break from trying to recover my old coins. Two years ago I formatted my harddisk and installed Windows 10 on it. Before this I did a backup, but unfortunately the backup was broken. So I lost my wallet.dat, with a few Bitcoins in it. I could restore some files with RStudio, and I had older backups for the rest, but seemed to be that the latest wallet.dat was already overwritten, and I frequently add new addresses. So I gave up, not a big deal, maybe $200 lost. But I didn't use the harddisk and bought a new one. Fast forward to December 2017: Now a few Bitcoins is some serious money, so I decided to give it another try. I tried any option I could find in RStudio, checking the dozens of filesystems it reported after scanning it for hours (only a few where valid from previous installations), but I couldn't restore it. Ok, this needed some more work. My assumption was, that the file headers were broken, so I wrote a small C program myself, which scanned the whole harddisk for the wallet.dat signature (testing for the first 16 bytes). The filesystem was NTFS, which has 4k sector sizes and a file starts always at sector start, if I understand it correctly, which makes things easier. Also usually if there is enough space, contiguous sectors are used to save a file. My hope was that somewhere I could find old version of the wallet.dat, but not too old that the new keys were missing. This is the very simple and straightforward scan program I hacked together: #include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
uint8_t buf[4096];
char filename[1000];
uint8_t search[] = {
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x31, 0x05, 0x00
};
int main(int argc, char** argv)
{
uint64_t pos = 0;
FILE* f = fopen("/dev/sdd", "rb");
FILE* w = NULL;
int walletNumber = 0;
int walletIndex = 0;
uint64_t max = 1000000000000ULL;
while (1) {
int c = fread(buf, 1, 4096, f);
if (c != 4096) break;
if (!w) {
if (memcmp(search, buf, 16) == 0) {
sprintf(filename, "wallet%i.dat", walletNumber++);
walletIndex = 0;
w = fopen(filename, "wb");
printf("found: %" PRIu64 "\n", pos);
}
}
if (w) {
fwrite(buf, 1, 4096, w);
walletIndex++;
if (walletIndex == 256) {
fclose(w);
w = NULL;
}
}
pos += 4096;
}
fclose(f);
return 0;
}
I used it on Linux as my host system and the old harddisk was visible as /dev/sdd (you can see this with dmesg). I compiled it with "gcc -O3 scan.cpp -o scan" and started it with "sudo ./scan", and a few hours later (it was a 1 TB harddisk) I got a wallet0.dat to wallet9.dat, each 1 MB in size (it doesn't matter if there is crap after the wallet data). This was a nice start  Then I tried to copy it to a wallet.dat of a current Bitcoin installation, but most of the time it said the wallet was corrupt, once it even crashed at start and when it said it could salvage some information, no keys were in it. My rescue was https://github.com/joric/pywallet This program could decode all files and output it in JSON format. It needs the wallet.dat in a bitcoin-qt installation in the .bitcoin directory. I knew one of my old addresses, so I wrote a script which did test all files (actual key changed) : for i in $( ls wallet*.dat ); do
echo item: $i
cp $i .bitcoin/wallet.dat
./pywallet.py --dumpwallet --datadir=.bitcoin | grep -i 12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs
done
The output looked like this: item: wallet0.dat
item: wallet10.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet11.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet1.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet2.dat
item: wallet3.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet4.dat
Traceback (most recent call last):
File "./pywallet.py", line 1706, in <module>
main()
File "./pywallet.py", line 1683, in main
read_wallet(json_db, db_env, True, True, "")
File "./pywallet.py", line 1556, in read_wallet
parse_wallet(db, item_callback)
File "./pywallet.py", line 1287, in parse_wallet
for (key, value) in db.items():
bsddb.db.DBPageNotFoundError: (-30986, 'BDB0075 DB_PAGE_NOTFOUND: Requested page not found')
item: wallet5.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet6.dat
WARNING:root:encrypted wallet, specify password to decrypt
"addr": "12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs",
item: wallet7.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet8.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet9.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
So the address was in wallet6.dat, success! I then used "/pywallet.py --dumpwallet --datadir=.bitcoin --password=mysecrectpassword > keys.txt" and I got all my keys back. In the bitcoin client I could import it with importprivkey (don't forget the "false" parameter as the last parameter, to avoid rescanning after each import, if you import multiple keys) and after the final rescan, I got my Bitcoins back. One day work for like 2 Bitcoins, which I already sold, that's a nice hourly rate  Maybe this will help some other people as well. In case you rescue a lot of Bitcoins, I would really love it if you would send me some to 1ieKggPzp2DfroFBNie4ib77kHKNbJMkw. Marilyn wishes you a merry Christmas, a merry Christmas, And a happy New Year! |
|
|
|
- Only select text file types for output. This will filter out any non-text files and make the results easier to search through.
- Use the aggressive recovery option. This will have PhotoRec search more thoroughly for file fragments, increasing the chance of recovering partial or fragmented wallet files.
- Reduce the block size PhotoRec searches. A smaller block size means PhotoRec has to search more blocks to recover a file, but it is more likely to find small fragments. For fragmented wallet files, this can help in recovering more of the data.
- Grep the results for keywords like "stored_height" or "mpk" or "xpub", maybe use grep with regular expresions for addresses/pi. This can help filter the results to only show files potentially containing wallet data.
- Recover the files multiple times with different options. Different options may yield different results, so multiple recoveries can help recover more wallet data.
- Search for lower size files and file fragments. Wallet keys and seeds are typically short pieces of text, so searching for smaller file sizes and fragments may yield more relevant results.
- Be prepared for partial and fragmented results. When recovering deleted data, full files are not always recovered. But even recovering parts of wallet files, keys, or seeds can help in restoring access to funds.
The key is experimenting with different recovery options and thoroughly searching the results. With patience and persistence, there is a chance of recovering at least some Electrum wallet data using PhotoRec. Please let me know if you have any other questions!
https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step== How PhotoRec works == FAT, NTFS, ext2/ext3/ext4 file systems store files in data blocks (also called clusters under Windows). The cluster or block size remains at a constant number of sectors after being initialized during the formatting of the file system. In general, most operating systems try to store the data in a contiguous way so as to minimize data fragmentation. The seek time of mechanical drives is significant for writing and reading data to/from a hard disk, so that's why it's important to keep the fragmentation to a minimum level. When a file is deleted, the meta-information about this file (file name, date/time, size, location of the first data block/cluster, etc.) is lost; for example, in an ext3/ext4 file system, the names of deleted files are still present, but the location of the first data block is removed. This means the data is still present on the file system, but only until some or all of it is overwritten by new file data. To recover these lost files, PhotoRec first tries to find the data block (or cluster) size. If the file system is not corrupted, this value can be read from the superblock (ext2/ext3/ext4) or volume boot record (FAT, NTFS). Otherwise, PhotoRec reads the media, sector by sector, searching for the first ten files, from which it calculates the block/cluster size from their locations. Once this block size is known, PhotoRec reads the media block by block (or cluster by cluster). Each block is checked against a signature database which comes with the program and has grown in the type of files it can recover ever since PhotoRec's first version came out. For example, PhotoRec identifies a JPEG file when a block begins with: * 0xff, 0xd8, 0xff, 0xe0 * 0xff, 0xd8, 0xff, 0xe1 * or 0xff, 0xd8, 0xff, 0xfe If PhotoRec has already started to recover a file, it stops its recovery, checks the consistency of the file when possible and starts to save the new file (which it determined from the signature it found). If the data is not fragmented, the recovered file should be either identical to or larger than the original file in size. In some cases, PhotoRec can learn the original file size from the file header, so the recovered file is truncated to the correct size. If, however, the recovered file ends up being smaller than its header specifies, it is discarded. Some files, such as *.MP3 types, are data streams. In this case, PhotoRec parses the recovered data, then stops the recovery when the stream ends. When a file is recovered successfully, PhotoRec checks the previous data blocks to see if a file signature was found but the file wasn't able to be successfully recovered (that is, the file was too small), and it tries again. This way, some fragmented files can be successfully recovered. Enable Keep corrupted fileson https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step go to https://www.cgsecurity.org/mw/images/PhotoRec_options.png |
|
|
|
is it possible to make torrents Torrents for Merit data? for whatever has a snapshot with high value/demand and deserves archiving |
|
|
|
Hey folks, yes, I'm still goofing with this wallet. I just went back and tried the "ismine" thing again and finally got a response: "false". Is it possible this opens the door to finally getting somewhere with this wallet?
If your in the uk hit me a pm. |
|
|
|
Download Mentalist from https://github.com/sc0tfree/mentalistIt's an amazing tool, easy to use and helps you build a custom wordlist. With btcrecover you can load the wordlist with the --passwordlist command (afaik), with mentalist can use the GUI and have a better understanding of how large the wordlist will also be. The mask options have been confusing for me in btcrecover, it does a good job at checking if the password is correct most of the time but the wordlist is better generated with mentalist. You also mentioned macbook, best thing to do is export all the passwords from the keychain and create a wordlist with them. You might also want to check the better branch of btcrecover it's over at https://github.com/3rdIteration and the maintainer has great videos at https://www.youtube.com/@CryptoGuideThank so much, Mentalist looks interesting. I hope I can run it offline! I am using the latest version of Btcrecover as I only started this journey a few weeks ago. I hadn't used the Macbook at the time of creating the passphrase. Entering it on the Ledger Nano S was the only way. Nice tip though. Yeah it runs offline mate just go to https://github.com/sc0tfree/mentalist/releases/tag/v1.0 and download Mentalist-v1.0-OSX.zip Also running something offline doesn't always make it secure, this is a protip. If you want to be extra safe, Run this on a live usb or an old laptop with the network device removed &/or disabled from the bios. Malware can aggregate data offline for posting it out later on, also crash reports, memory persistence happen too. |
|
|
|
download python3 https://github.com/3rdIteration/btcrecover and run ./btcrecover.py --wallet=/path/to/your/wallet.aes.json --correct-wallet-password=Y0urWa11etP@assword! --dump-wallet /path/to/where/you/want/your/decrypted_wallet.txt Before you do this, learn how to use python or set this up ufcourse. this will decrypt the wallet.aes.json and show your wallet addresses and other important data such as private keys, wallet id in most cases. |
|
|
|
Download Mentalist from https://github.com/sc0tfree/mentalistIt's an amazing tool, easy to use and helps you build a custom wordlist. With btcrecover you can load the wordlist with the --passwordlist command (afaik), with mentalist can use the GUI and have a better understanding of how large the wordlist will also be. The mask options have been confusing for me in btcrecover, it does a good job at checking if the password is correct most of the time but the wordlist is better generated with mentalist. You also mentioned macbook, best thing to do is export all the passwords from the keychain and create a wordlist with them. You might also want to check the better branch of btcrecover it's over at https://github.com/3rdIteration and the maintainer has great videos at https://www.youtube.com/@CryptoGuide |
|
|
|
I opened 2 subsequent wallets from the original after all this started (electrum wallet 1 and electrum wallet 2 from the main wallet) but haven't been able to do anything with them either. I've done all the suggestions on those wallets and get the same results. They show all the same info as the main wallet. The options are you have the right wallet but you need to extend the gap limit as per nc50lc's instructions, you have the right seed phrase but are recovering the wrong wallet either via the wrong derivation path or a missing passphrase, you have the wrong seed phrase altogether, or your coins have been moved/stolen. Can you try to answer each of the following questions to help us narrow this down: So am I correct in saying that your original wallet file, and the wallet file you recovered from your seed phrase, are identical, containing the same addresses? Do you have any other wallet files or seed phrases? Do you remember ever setting an additional passphrase or extending your seed phrase with custom words? Does your wallet show any transaction history - i.e. coins have come in and gone out, or is it just completely blank? And what about the addresses which currently hold your coins? You are absolutely certain that your coins haven't been moved? You say these addresses which hold your coins came from an Electrum wallet - are you sure it was this wallet? And you are sure you saw them show up in your Electrum wallet whenever you initially received them? What character to these addresses start with? When you restored your wallet from the seed phrase, on the screen where you type in you seed phrase but before you click next it should have said something like "Seed Type: XXX" or "BIP39". What does yours say? 1. Both wallets, original and restored, showing all the same addresses. I have a Trust wallet and a Blockchain wallet I opened at the advice of others on another forum. I have done no transactions on either wallet. I did not modify in any way the seed provided in the electrum wallet. There is no transaction history. The page is blank. 2. Since I opened the electrum wallet I have not conducted any transactions other than purchase coin. I don't know where these addresses came from. They appear when I click the "addresses" tab on the wallet. Honestly, it's been so long since I was in this wallet I don't remember if I ever saw a balance of more than "0". I think, early on, a balance did show but I'm not absolutely sure. I found it easier to check the blockchain site. All the addresses begin with bc1q. 3. When I did the restore the box said the seed type was "Electrum". I did not change it. I just looked at my account history on the site where I bought all my coin. I've made 8 total transactions. The last was on 3/18/23 and the site had a note on this transaction saying the wallet needed verifying but the coins were delivered to my electrum address even though I did not verify the wallet. (This transaction is reflected on the blockchain site and Bitref as delivered to my Electrum address.) I will check with them to see if anything more needs to be done. Before that all my transactions were done between 4/21 and 8/21 and are checked off as completed. Get the extended pubkey from "wallet" --> "information" Make sure it starts with xpub/ypub/zpub go to https://btc1.trezor.io/enter the extended pubkey and it should show your transaction history there, if there are any. Also click on "file", and then "open" and see if there are more than 1 files in the folder, if so, go up one directory and select all the files and make a archive of it and keep it safe. In the folder where "wallets" folder is located, there should be a file named "config" it will have something like this in it: {
"advanced_preview": true,
"amt_precision_post_satoshi": 3,
"auto_connect": true,
"backup_dir": "/home/satoshi/electrum/electrum/wallets",
"blockchain_preferred_block": {
"hash": "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
"height": 0
},
"check_updates": false,
"config_version": 3,
"decimal_point": 8,
"gui_last_wallet": "/Users/work/.electrum/wallets/default_wallet",
"is_maximized": false,
"num_zeros": 8,
"oneserver": false,
"recently_open": [
"/home/satoshi/electrum/wallets/default_wallet",
"/home/satoshi/electrum/wallets/wallet_2.backup",
"/home/satoshi/electrum/wallets/wallet_2",
"/home/satoshi/electrum/wallets/wallet_1"
],
"rpcpassword": "dGhpcyBpc24ndCBteSBwYXNzd29yZA==",
"rpcuser": "user",
"server": "s.someelectrum.server:19492:s",
"show_addresses_tab": true,
"show_channels_tab": true,
"show_console_tab": true,
"show_contacts_tab": true,
"show_utxo_tab": true
}Does the "recently_open" have more than one path? the recently open in the above example config is: "recently_open": [
"/home/satoshi/electrum/wallets/default_wallet",
"/home/satoshi/electrum/wallets/wallet_2.backup",
"/home/satoshi/electrum/wallets/wallet_2",
"/home/satoshi/electrum/wallets/wallet_1"
], so if your one has more than one path look at these paths. Also, this might help, if you are using windows download recuva (or another file recovery software, on linux i had good success with photorec) Scan for text files under 100kb (or however large your wallet file would possibly be), and recover from the whole disk, search the text files for "xpub" "xprv" "stored_height" or any other keywords you can find, it might be harder to locate encrypted wallets But you can still do so, This method found older versions of my wallet files, like at different states. I hope this helps. edit: Also don't ever load electrum seeds on other wallets, your going to lead to all sorts of issues, the other wallets have different derivation paths usually and you will have change outputs moving to paths that electrum probably or might not notice if you use the wallet to spend coins on another client. |
|
|
|
|
Wallet Client? electrum i guess?
|
|
|
|
|
You're doing god's work. Thanks for everything, btw is it possible to make torrents maybe we can seed these?
|
|
|
|
|
In my experience with altcoins and living a life of mistakes i suggest not syncing any wallet on a network. Just download the blocks and process the history offline by rescanning.
I could name a dozen ways this can go wrong, hell why did the developers think resending wallet transactions on loading wallet was a good idea lol. Imagine loading a wallet with orphan tx and boom as soon as you want 1/100th of your prev balance from the value going up you end up sending it all away.
Also keys can be in your log files if the database for the wallet is not detached. Or has run into corruption issues from cves or bugs. Dont delete the database directory no matter what people say.
|
|
|
|
|
You could be running a node on a super computer it doesnt matter if the config is broken. Try to setup on testnet first and then go for the big chain.
|
|
|
|
Are you on libera now?
No, still freenode, despite Libera's attempts to steal users with FUD freenode was gone for months/years? you sure its still the same i couldn't id |
|
|
|
|
Show Posts
.
