Bitcoin Forum
October 23, 2019, 07:28:51 PM
 News: Latest Bitcoin Core release: 0.18.1 [Torrent]
 Home Help Search Login Register More
 Pages: [1]
 Author Topic: wallet.dat (hex code) in 2009  (Read 494 times)
leftslider
Newbie

Offline

Activity: 3
Merit: 0

 January 31, 2018, 05:54:19 PM

I just recover my old HDD to find wallet.dat but many files are corrupted.
Also, I cannot recognize name and date of most of files.
I was try to find binary(hex code?) there is too many files with "6b 65 79" but I could not find with "04 20".
Actually, I am not computer expert and I have no idea how to recover those corrupted files.
Appreciate.
1571858931
Hero Member

Offline

Posts: 1571858931

Ignore
 1571858931

1571858931
 Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1571858931
Hero Member

Offline

Posts: 1571858931

Ignore
 1571858931

1571858931
 Report to moderator
kyogi14
Newbie

Offline

Activity: 20
Merit: 0

 January 31, 2018, 06:24:00 PM

So you lost your keys and now you're having trouble finding 420?
Shirase
Newbie

Offline

Activity: 5
Merit: 0

 January 31, 2018, 11:31:39 PMLast edit: January 31, 2018, 11:43:55 PM by Shirase

Are you on Windows? Or Mac?
I'm going to assume Windows.
Unzip it. (If you don't know how to do this, tell us which version of Windows you're running. It could be Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP... The process changes slightly depending.)
Right Click WinHex.exe. (It may just be called WinHex. The icon will look like this:
https://i.imgur.com/RdWDVSZ.png
Run it as administrator. (Needed to do a raw byte search of the disk.)
https://i.imgur.com/HuEkazY.png
You then may have to allow it which again will vary slightly depending on which Windows you're running.
Go to tools, open disk.
https://i.imgur.com/OPTT0mG.png
Select your recovered drive and click OK.
It will begin traversing the drive:
https://i.imgur.com/G1BZjLG.png
You can click the x. It will ask if you want to abort. Click yes.
Go to search, find hex values. You will get a window that looks like this:
https://i.imgur.com/xPhKBf9.png
Type 0420 into it exactly as shown.
Click OK. After some amount of time, the window should find an instance of it. There will be a blinking cursor highlighting it on the window.
https://i.imgur.com/bKMkS8N.png
This is (probably) not the start of your private key. It's just to make sure your hard drive isn't totally messed up. (It's pretty unlikely any given two bytes would not be found on a used hard drive. If it's really not found as you claim, you're probably out of luck.)
If it found something, go to search, find hex values again. Enter this value:
308201130201010420
https://i.imgur.com/nKojITh.png
Click OK. This search could take a LONG time depending on the size of the harddrive. Expect to wait at least a few hours.

If it finds a result, just as before, the cursor will be blinking at the start of the result. Your private key is (probably) after the 0420 after the cursor. Write down the 64 digits following 0420 (including the letters) and show no one anything related to these 64 digits. It will allow them to steal your money.

Edit: After you have written down the digits, go to search, continue search. If another result is found, once again, write down the 64 digits after the 0420 again. Then go to search, continue search again. (Unless the digits are identical.)

https://i.imgur.com/GNh1Xmd.png
You're probably out of luck. But I could write similar step by step instructions for PyWallet. (I probably should have done that in the first place that you mentioned searching for 0420 locked my mind into this hex search method.)
joel.from.minnesota
Newbie

Offline

Activity: 2
Merit: 0

 February 10, 2018, 01:36:56 AMLast edit: February 10, 2018, 02:02:18 AM by joel.from.minnesota

I am going through this now. I mined coins in Feb 2009 and am either mourning or recovering them, not sure which.

I have confirmed this approach using a 2009 0.1.3 bitcoin client which I recently downloaded.
I ran the client in a windows VM, and deleted the VM.
this method found the private key.

stop using all media until you image them.

you can image the media from any system.

back up all media to a large external drive, you really want to do this
I use a western digital 6tb my book ($140) , its very fast for going through multiple images. when you search images you don't have to worry about overwriting the file in deleted sectors when you are installing search tools.. do this to all your media, especially any thumb drives you have. buy some thumb drives. search your trash for things you might have thrown away ( I threw away a floppy disk containing my 2009 wallet.dat ) If media is broken, including hard drives, Kroll Ontrack is the best in the world, and can usually recover them, hard drives are about$1500

back up with the unix tools
dd or ddrescue

or install ddrescue with OS X homebrew
this program will image corrupt media, save the image to the external drive, I
brew install ddrescue

or make a disk image using OS X disk utility
or use a tool like "disk drill" on the Mac, which can create images as well.

bitcoin wallets do not show in traditional file recovery software, they don't have definite boundaries in the file, so the tools don't like them.
A signature based recover works best, signature meaning it searches for hex code immediately preceding the private key. some recovery software can retrieve them if they were JUST deleted.

my solution is to use the python program keyhunter.py

https://github.com/pierce403/keyhunter

make the keyhunter.py executable
install python
move the .py executable to the directory whose images you want to search.
run it.

if you're on a Mac,

diskutil list

to find the hard disk to attack

usually /dev/disk0

if it's file vault encrypted its
/dev/rdisk1

lsblk

copy the device path

run the program thusly
./keyhunter.py /dev/disk0

if is searching an image.
./keyhunter.py IMAGENAME

if your searching a whole directory of images

for x in *.img; do ./keyhunter.py \$x;done;

then wait a really really long time, it searches the entire drive, 10 megs at a time for the offending hex keys. it searches deleted sections, it searches old vm's in deleted sections as well as current vm's, it's good. when it finds a match it returns the private key in base58 format.

if you find a key, GREAT.

if you don't find a key, maybe at some point you zipped the file to move from machine to machine. a zipped file will not have the same signature.
you can use recovery tools to find all old zip files ( this is really tedious, and a external drive will shine here ) unzip them, and search using keyhunter.py

now download an run the tool pycoin. Use the python program pip to install it.
https://github.com/richardkiss/pycoin

pycoin installs the tool 'ku'

run

ku YOUR_PRIVATE_KEY

if the key starts with a  5 this indicates whether the base58 key is uncompressed , it will correspond only to a uncompressed address.
see
https://en.bitcoin.it/wiki/Private_key

it will return a bunch of info about it.
look for the compressed and uncompressed address.

check blockchain.info for the address. DO NOT ENTER YOUR PRIVATE KEY IN THE SEARCH FIELD ON WEBPAGES.

if you find a hit, run ku again, get the either compressed or uncompressed wif key, import that to a modern electrum wallet.

If you want to see how many coins you might have.

The minimum in 2009 was 50 coins. it initially took about 20 minutes on a fast machine to generate this many. Mine was 10 years old, and really slow.

bob123
Legendary

Offline

Activity: 1050
Merit: 1568

 February 10, 2018, 11:35:35 AM

I just recover my old HDD to find wallet.dat but many files are corrupted.
Also, I cannot recognize name and date of most of files.
~snip~

joel.from.minnesota pretty much gave you a good 'tutorial' on how to recover (or at least try to recover) those files.

But i want to say one ahead:
Do not access/use this hard drive until you have made an (forensic) image of it!

Additionally, if you have larger amounts on your hard drive (which you really cant afford to lose), then you should consider
using a writeblocker [1] (to be on the sure side).

If you need help with the tutorial from joel feel free to PM here / awnser in this thread.

[1] http://www.forensicswiki.org/wiki/Write_Blockers

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Deepcold
Newbie

Offline

Activity: 2
Merit: 0

 February 17, 2018, 03:58:04 AM

Hi,

Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?

Many thanks,
HCP
Legendary

Offline

Activity: 1120
Merit: 1839

<insert witty quote here>

 February 17, 2018, 08:57:18 AM

Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?
MultiBit Classic doesn't use "wallet.dat"... it uses a completely different wallet file format... and defaulted to calling those files "multibit.wallet".

You will NOT be able to use the WINHEX method outlined above due to the different wallet formats.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Deepcold
Newbie

Offline

Activity: 2
Merit: 0

 February 17, 2018, 06:48:55 PM

Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)?
MultiBit Classic doesn't use "wallet.dat"... it uses a completely different wallet file format... and defaulted to calling those files "multibit.wallet".

You will NOT be able to use the WINHEX method outlined above due to the different wallet formats.

Ok thanks, I'm looking to recover two different wallets. The first one being a Multibit Classic Bitcoin wallet and the second being a Litecoin-qt core Litecoin Wallet.

Will the WINHEX method work with the encrypted Litecoin qt wallet?
HCP
Legendary

Offline

Activity: 1120
Merit: 1839

<insert witty quote here>

 February 19, 2018, 02:24:43 AM

Will the WINHEX method work with the encrypted Litecoin qt wallet?
Honestly no idea... I'd probably use Pywallet... it can be made to work with coins other than Bitcoin by using the appropriate "--otherversion" parameter.

It has a "recover" mode which scans disks looking for wallets/keys etc.

refer: https://bitcointalk.org/index.php?topic=38004.0

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Andzhig
Newbie

Online

Activity: 107
Merit: 0

 June 08, 2018, 04:26:03 AM

Quote
if you don't find a key, maybe at some point you zipped the file to move from machine to machine. a zipped file will not have the same signature.
you can use recovery tools to find all old zip files ( this is really tedious, and a external drive will shine here ) unzip them, and search using keyhunter.py
And if wallet.dat was renamed for disguise in something.rar? How does this keyhunter.py run under windows 10? To me write this and proposes to kill the program

Quote
Python 2.7.15 (v2.7.15:ca079a3ea3, Apr 30 2018, 16:30:26) [MSC v.1500 64 bit (AMD64)] on win32
>>>
===================== RESTART: C:\Python27\keyhunter.py =====================
./C:\Python27\keyhunter.py <filename>
>>>
HCP
Legendary

Offline

Activity: 1120
Merit: 1839

<insert witty quote here>

 June 08, 2018, 03:02:10 PM

Are you trying to run the script from the command line? Or are you simply double clicking it?

Python and Python scripts run OK when using Windows 10... I write and run them all the time.

However, you cannot just double click on the file,a you need to run it from a "command" window...

Code:
C:\Python27\python.exe path\to\keyhunter.py

So, if keyhunter.py is in the C:\Python27 directory like your post suggests... Try opening a command prompt (WINDOWS+R, type cmd and press enter):
Code:
C:\Python27\python.exe C:\Python27\keyhunter.py

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Andzhig
Newbie

Online

Activity: 107
Merit: 0

 June 08, 2018, 04:42:16 PM

Quote
Are you trying to run the script from the command line? Or are you simply double clicking it?
Edit with IDLE \ Run \ Run module

Quote
C:\Python27\python.exe C:\Python27\keyhunter.py
I get it ./C:\Python27\keyhunter.py <filename>

If you add a filename C:\Python27\python.exe C:\Python27\keyhunter.py aaa.txt nothing happens.

HCP
Legendary

Offline

Activity: 1120
Merit: 1839

<insert witty quote here>

 June 09, 2018, 01:14:55 AM

Looking at the code for keyhunter.py, it only prints output if it finds keys in the file. If you are getting no output, then the script was unable to find any keys.

It basically just opens the file and starts reading bytes looking for the sequence: '\x01\x30\x82\x01\x13\x02\x01\x01\x04\x20'

So, if that sequence of bytes is not detected anywhere in the file, it will return empty.

Have you tried testing it with a known good file? Ie. A new empty wallet.dat to make sure that the script actually works? I'd suggest using an encrypted and an unencrypted wallet.dat

Once you have confirmed that the script works on a known good wallet file, you can try it on the old file.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
Andzhig
Newbie

Online

Activity: 107
Merit: 0

 June 09, 2018, 06:02:53 AMLast edit: June 09, 2018, 06:15:29 AM by Andzhig

As if he quickly works out if he ran all the hard and did not write anything and then immediately gives out. For the test set, core 0.4.0., v0.1 Well, how do I check the CDs for them?

Created wallet.dat in v0.1 version the same. ./C: \ Python27\keyhunter.py <filename>

It should scan the entire disk, and not on the way to watch AppData\Roaming\Bitcoin
HCP
Legendary

Offline

Activity: 1120
Merit: 1839

<insert witty quote here>

 June 10, 2018, 02:08:52 AMLast edit: June 10, 2018, 02:45:34 AM by HCP

It will only scan the entire disk if you're using Linux... as you can pass a "device" name to the keyhunter.py script in Linux and keyhunter.py will attempt to treat it like a "file" and start reading through it.

Linux: ./keyhunter.py /dev/sdc

/dev/sdc is a "device" like a harddisk... EDIT: unfortunately, you can't do this in Windows. It doesn't work that way. So, you'd need to create an image file of your disk using some sort of disk imaging tool and then pass that image file to the script.

For windows you need to use \\.\PhysicalDiskN where N is the number of the disk you are trying to read (Credit to 2112):
Code:
C:\Python27\python.exe C:\Python27\keyhunter.py \\.\PhysicalDisk2

Otherwise, your best bet is to forget about keyhunter... and use pywallet. It has a recover mode for scanning whole disks/images.

 ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀ .ChipMixer.{ MIXING REINVENTED FOR YOUR PRIVACY #.ChipMixer. ░░░░░▄▄██████▄▄░░▄████▀▀▀▀▀▀████▄░███▀░░░░░░░░░░▀█▀████░░░▄██████▄▄░░░██░░░░░█████████░░░░██▌░░░░█████████████████░░░░█████████████████░░░░░███████████████████▄░░▀██████▀░░░████▀█▄▄░░░░░░░░░░▄███░░▀████▄▄▄▄▄▄████▀░░░░░▀▀██████▀▀
2112
Legendary

Offline

Activity: 2114
Merit: 1032

 June 10, 2018, 02:17:11 AMMerited by HCP (2)

Linux: ./keyhunter.py /dev/sdc

/dev/sdc is a "device" like a harddisk... unfortunately, you can't do this in Windows. It doesn't work that way.
It does work just fine on Windows. The syntax is something like keyhunter.py \\.\PhysicalDisk2 . Of course one does have to use "elevated command prompt" a.k.a. "run as administrator".

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Andzhig
Newbie

Online

Activity: 107
Merit: 0

 June 10, 2018, 08:20:48 AM

Nothing works, it's dull. some kind of sadomasochism (linux). pywallet < this just install the whole attraction. Assembler with dos is no longer relevant?..))
 Pages: [1]