Bitcoin Forum
December 09, 2016, 11:18:18 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Wallet.Dat Recovery... Recover Your Own Lost Bitcoins!  (Read 19214 times)
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
July 26, 2011, 01:14:43 AM
 #21

Not necessary, I have no problem converting hex to binary on-the-fly.  I just gotta dig into pywallet code (eventually) and figure out how to get what I want out of it.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
1481325498
Hero Member
*
Offline Offline

Posts: 1481325498

View Profile Personal Message (Offline)

Ignore
1481325498
Reply with quote  #2

1481325498
Report to moderator
1481325498
Hero Member
*
Offline Offline

Posts: 1481325498

View Profile Personal Message (Offline)

Ignore
1481325498
Reply with quote  #2

1481325498
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481325498
Hero Member
*
Offline Offline

Posts: 1481325498

View Profile Personal Message (Offline)

Ignore
1481325498
Reply with quote  #2

1481325498
Report to moderator
1481325498
Hero Member
*
Offline Offline

Posts: 1481325498

View Profile Personal Message (Offline)

Ignore
1481325498
Reply with quote  #2

1481325498
Report to moderator
1481325498
Hero Member
*
Offline Offline

Posts: 1481325498

View Profile Personal Message (Offline)

Ignore
1481325498
Reply with quote  #2

1481325498
Report to moderator
jackjack
Hero Member
*****
Offline Offline

Activity: 882


May Bitcoin be touched by his Noodly Appendage


View Profile
July 26, 2011, 01:18:20 AM
 #22

Actually it's not even binary, it's a pywallet format
I just finished the code, I run some tests and push the commit

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
jackjack
Hero Member
*****
Offline Offline

Activity: 882


May Bitcoin be touched by his Noodly Appendage


View Profile
July 26, 2011, 01:42:09 AM
 #23

Done, it's much more useful with hex support anyway
If you want to use it, grab the last version and run './pywallet.py  --importprivkey blahblahblah --importhex', with --datadir and --wallet maybe

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
July 26, 2011, 11:35:58 PM
 #24

Is this only for a single private key?  Can I supply a file with a list of private keys instead?  I started to try to figure out the mechanism by which the code tracks the keys and writes them to the wallet file, but so far I've been unsuccessful.  I also didn't try very hard...

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
jackjack
Hero Member
*****
Offline Offline

Activity: 882


May Bitcoin be touched by his Noodly Appendage


View Profile
July 26, 2011, 11:47:56 PM
 #25

Yes, only for a single key
I plan to add json file support soon though

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
adlib
Newbie
*
Offline Offline

Activity: 1


View Profile
February 12, 2014, 07:30:06 PM
 #26

Hello, I need some help please.

So, I followed the instructions on the first post, and I found many occurences of the byte series "01 03 6B 65 79 41 04" for "keyA" on my disk.
I don't know what to do now, the first post tells about private keys, but what about the public keys? How can I find the public-private key combinations? Or is there a way to recover the wallet.dat file as a whole?
Also there are texts like "pool", "wallet.dat", "addr.dat", "blkindex.dat" in between random characters around that area.

Thanks!
Stevets
Member
**
Offline Offline

Activity: 70


View Profile
February 12, 2014, 08:08:09 PM
 #27

I accidentally formatted the wrong drive which had my wallet on it!

I was able to recover everything using Reclaime http://www.reclaime.com/library/

Interestingly enough, I recovered more data than the original drive held. The recovery even included files that I had deleted prior to my stupid self inflicted disaster.

I already had a backup of my drive but it was six months old and didn't include my current wallet. Now I back up every night and I back up the backup! Terrabyte drives are cheap compared to what I thought I had lost forever.
DewJunkie
Newbie
*
Offline Offline

Activity: 4


View Profile
February 12, 2015, 05:31:12 PM
 #28

just wanted to say thanks, thanks, thanks casascius, I was able to recover a lost wallet with your info.  I thought I'd add some helpful steps to automate it.  Not 100% automated, but saved a bunch of time and automated enough for me.
Here are the tools I used:
pywallet.py https://github.com/jackjack-jj/pywallet Save this in the folder/drive where you will be doing the recovery from. ie 1.2.1
Notepad++ http://notepad-plus-plus.org/  If you're good with sed or for then you can probably get away without this, but this is a great editor 10/10 would recommend for just about anything.
MultiBit https://multibit.org/ Multibit allows you to import private keys, that's why I chose it.
WinHex http://www.x-ways.net/winhex/

My 1st step suggestion would be to try testdiskhttp://www.cgsecurity.org/wiki/TestDisk_Download.  This program has no gui, but I have had much success with it in the past.  Unfortunately for me this time, the file it recovered had already been overwritten, and had spam data in it.

I created an image of my hard drive with WinHex.  I had the luxury of having another disk.  Any time you are doing data recovery your best bet is to not touch.  Ideally don't even boot off of the drive with the data you are recovering.  I was booted off of the disk I recovered from, so it is possible.  I didn't have a huge amount of BTC, so loosing them would have been a bummer, but not worth the hassle of moving the drive to another machine for me.  If you don't have an extra disk with enough space to store the partition you are trying to recover, this won't work for you.  Anyway on to the guide.  I did this on Windows 8.1, but should work on any version of windows past XP.  Also I'm writing this after the fact, but I'll try not to miss any steps.  I just figured it would have saved me some time.

To paste in the command window you have to right click and choose paste, ctrl+v does something else.  If you don't get a menu when you right click, click on the upper window icon, and Edit->Paste will be there.

1) Image the hard drive with WinHex.  This will take a while, took 3-4 hours on my computer iirc
  1.1)File->Create Disk Image...
    1.1.1)Edit Disk Window will open, select the partition where your wallet was.
  1.2)Next the Create Disk Image will open
    1.2.1)In Path and File name, choose a seperate disk to back up to, I don't know what the assigned automatically would do.  My choice was R:\Drive C.whx
    1.2.2)Scope:Sectors, put 0 in the first box
    1.2.3)Compression, choose none
    1.2.4)Split image into segments of, I left this at the default of 4096MB

from here on out we will be working in a cmd window.  Start->Run cmd doesn't need to be admin, but you'll need write access on the drive.  And Notepadd++.  Don't close either after a step, we'll be switching back and forth between them.
The drive i dumped to was R:\ from step 1.2.1.
Code:
r:
cd (directory where you did the dump to, if you dumped to a subdirectory)

2) scan the dumps with pywallet.py
  2.1)  Get a list of the dumps
Code:
dir /s /b /od (path you selected in 1.2.1 with a well place * wildcard) >> walletrecoveryStep1.cmd
for me this was
Code:
dir /s /b /od "Drive C*.whx" >> walletrecoveryStep1.cmd
3) Create a password input file pass.txt, this will automate pywallet so you don't have to type in a password to use for the recovery wallet, and passwords to try on the dumps.  Save this in the same folder where you did the dumps.  Use notepad, notepad++, echo whatever you are most comfortable with, but it must be a plain text editor.  No word or whatever else.  Extra lines won't matter, but if you don't have enough, pywallet.py will be prompting you for them.  If pywallet is not running all of them automatically, and is asking for input, then you don't have enough empty lines in your pass.txt
Code:
Pass
RecovePass1
RecovePass2
etc...


Mine looked like this, because my original wallet did not have a password on it.
Code:
Pass



4) Open wallet recoveryStep1.cmd in notepad++.  Notpad++ allows column selection and editing, that is the main feature we will be using.  A little bit of search and replace also.  Column selection works by holding shift+alt
File will look like this
Code:
R:\Drive C.whx
R:\Drive C-2.whx
...
but many more dumps, mine went up to 233
  3.1) build the beginning of each line. Open Replace with ctrl+f, then select the replace tab
    3.1.1) findwhat =
Code:
^
   3.1.2) replace with =
Code:
pywallet.py --recover --recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="
   3.1.3) Search mode = Regular expression
  3.2) build the end of each line.  Open Replace with ctrl+f, then select the replace tab
    3.2.1) findwhat =
Code:
$
   3.2.2) replace with =
Code:
"< pass.txt
   3.2.3) Search mode = Regular expression
  3.3) Delete the last line if if looks like this, ie has no recov_device
Code:
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device=""< pass.txt
 3.3) Save the file, it should now look like this
Code:
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C.whx"< pass.txt
pywallet.py --recover -recov_size=5Gio --recov_outputdir="r:\WalletRecovery" --recov_device="R:\Drive C-2.whx"< pass.txt
...
4) Create the WalletRecovery directory. pywallet will fail if it doesn't exist
Code:
mkdir WalletRecovery
4) run your generated cmd file. in the command window you openned earlier.  This will take a while, but not as much time as 1)
Code:
walletrecoveryStep1.cmd
5) You should now have files in your WalletRecovery directory, the important ones are recovered_wallet_*.dat, hopefully you have some with a size > 32KB, this means pywallet.py has found something.
6) Build a script to extract the keys
  6.1)
Code:
dir /s/b WalletRecovery\recov*.dat > walletrecoveryStep2.cmd
 6.2) open walletrecoveryStep2.cmd in notepad++, should look like this
Code:
R:\WalletRecovery\recovered_wallet_1423758885.dat
R:\WalletRecovery\recovered_wallet_1423758939.dat
...
 6.3) Open Replace with ctrl+f, then select the replace tab
    6.3.1) findwhat =
Code:
^
   6.3.2) replace with =
Code:
pywallet.py --dumpwallet --passphrase=Pass --datadir=(your bitcoin directory, default is %appdata%\Bitcoin) --wallet=
here's mine
Code:
pywallet.py --dumpwallet --passphrase=Pass --datadir=g:\\Bitcoin --wallet=
   6.3.3) Search mode = Regular expression
  6.4) build the end of each line.  Open Replace with ctrl+f, then select the replace tab
    6.4.1) findwhat =
Code:
$
   6.4.2) replace with =
Code:
| findstr \\"sec\\": >> keys.txt
   6.4.3) Search mode = Regular expression
  6.5) Delete the last line if it has not wallet path in it ie
Code:
pywallet.py --dumpwallet --passphrase=Pass --datadir=g:Bitcoin --wallet=| findstr "sec": >> keys.txt
7) Extract the keys
Code:
walletrecoveryStep2.cmd
Cool Open keys.txt in notepad++.  Should Look Something like this.  I had some which were 1 character either longer or shorter, don't remember, and I don't know if this matters or not, but I just used all that it made.
Code:
           "sec": "YepThisIsAKeyItWillHaveLettersUpperAndLowerCaseAnd09",
            "sec": "YepThisIsAKeyItWillHaveLettersUpperAndLowerCaseAnd09",
...
 8.1) Open Replace with ctrl+f, then select the replace tab
    8.1.1) findwhat =
Code:
^\s*"sec": "
   8.1.2) replace with = empty
    8.1.3) Search mode = Regular expression
  8.2) Open Replace with ctrl+f, then select the replace tab
    8.2.1) findwhat =
Code:
",\s*$
   8.2.2) replace with =
Code:
2016-01-01T00:00:00Z
Change this date so that it is earlier than your last transaction.  There is a space after the date
    8.2.3) Search mode = Regular expression
  8.3) Convert the line endings, Edit->EOL Conversion->Unix/OSX Format
  8.3) Save the file as Keys.key
9) Import the keys into multibit, Tools->Import Private Keys
  9.1) Choose Import File, select keys.key
  9.2) Click Import private keys
10) Profit, you can now either transfer these to a new wallet, move it to your preffered client.  I transferred mine out.
  10.1) I went back and changed the dates on the key file to an earlier date.  and then re-imported them, I don't know if this is needed or not.  I used a later date originally, because I didn't want it to have to sync up with as much.  After you found you wallet, you can then just do a send transaction and send them to a newly generated wallet.
DewJunkie
Newbie
*
Offline Offline

Activity: 4


View Profile
February 12, 2015, 06:28:41 PM
 #29

ouch, I have no clue, but I would assume this will only work with a magnetic storage device.  If you were able to image the iphone storage somehow, or gain block level access you could continue on from the steps after having the image created.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!