Bitcoin Forum
Author Topic: Manually Finding Private Keys in Wallet.dat  (Read 1316 times)
whohackedme (OP)
June 03, 2018, 04:33:48 PM
Last edit: June 03, 2018, 05:11:07 PM by whohackedme
Merited by ABCbits (2)
 #1

I have seen the tools that will pull address & keys directly off your hard drive.  I am trying to learn the details how to do this manually.

Can someone give me a step by step guide how to pull the address and key for the code below?

This is the binary from an empty wallet.dat. I have a dump of the address and keys for this wallet.dat. Just looking for the instructions on how to manually pull the address and key from the hex.

I read that the address is before the 04 20 and key is after.




Sorry, as a newbie account (since my 500+ account was hacked) I can not embed images.
LoyceV
June 03, 2018, 05:37:38 PM
Merited by Jet Cash (1)
 #2

Here you go:

Is pywallet what you're looking for?

whohackedme (OP)
June 03, 2018, 06:47:54 PM
 #3

Yes, thank you.  I have pywallet.  Just wanting to understand a little of the details.

So this is the private key, directly after 04 20:

8814396648a8c19b783e6e72b3e3896d51bfc5d5edc2ec88a2b298a8a3a38c19   (64 hex digits after 0420 - this is the priv key in hex)

Bitcoin Address: 1PAnFPbgkZE3WTyDH6zrhYXpJAPB8418j3
Bitcoin Address Compressed:  15JaZ8uoPiCgRz1fHrF9Svuq1ht4Bq5aZJ

I can't seem to find any correlation to the hex and the addresses.  I am trying to find the corresponding addresses in the hex?

Can someone show me how to find the address in the hex of the wallet.dat?
Thanks!
NeuroticFish
June 03, 2018, 09:16:11 PM
Merited by pooya87 (2), ABCbits (2), Jet Cash (1)
 #4

Yes, thank you.  I have pywallet.  Just wanting to understand a little of the details.

So this is the private key, directly after 04 20:

8814396648a8c19b783e6e72b3e3896d51bfc5d5edc2ec88a2b298a8a3a38c19   (64 hex digits after 0420 - this is the priv key in hex)

Bitcoin Address: 1PAnFPbgkZE3WTyDH6zrhYXpJAPB8418j3
Bitcoin Address Compressed:  15JaZ8uoPiCgRz1fHrF9Svuq1ht4Bq5aZJ

I can't seem to find any correlation to the hex and the addresses.  I am trying to find the corresponding addresses in the hex?

Can someone show me how to find the address in the hex of the wallet.dat?
Thanks!

I've done some research for you and:
1. If you go to https://gobittest.appspot.com/PrivateKey and paste 8814396648a8c19b783e6e72b3e3896d51bfc5d5edc2ec88a2b298a8a3a38c19 into the first editbox after "Private key to wallet import format" (and send)
2. You obtain below at #7: 5JrDY6YmGbGsSd5odJgFxLY5UATGaGkoPyLBoTNiisaPE3YPFS9 which is the private key.
3. If you use the private key in the first edit at https://iancoleman.io/bitcoin-key-compression/ you obtain 15JaZ8uoPiCgRz1fHrF9Svuq1ht4Bq5aZJ Ta-Dam!

PS. Obviously, don't use online tools for anything else than test wallets ;)


Edit: the story should be here: https://en.bitcoin.it/wiki/Private_key

whohackedme (OP)
June 03, 2018, 11:39:04 PM
 #5

Thanks everyone.

I can find the key in the wallet.dat and use your solution.  but:

I am trying to find the key for a specific address in the wallet.dat.  So I would like to find the address, then extract the key for that address.

(I have a wallet.dat with about 2000 keys, I don't want to run 2000 manual checks on every key to figure out what address they belong to)

I am starting to think that the addresses are NOT stored in the wallet.dat file, just the private keys.

Any ideas how to do this without checking every key?
HCP
June 04, 2018, 01:04:19 AM
Merited by Jet Cash (1)
 #6

I am trying to find the key for a specific address in the wallet.dat.  So I would like to find the address, then extract the key for that address.

I am starting to think that the addresses are NOT stored in the wallet.dat file, just the private keys.
Exactly... As far as I'm aware, the wallet.dat only stores the keypairs (ie, Private + Public keys) so it doesn't actually store addresses. (Although, there is a chance that the wiki info is outdated).

However, the code for "dumpprivkey" decodes the address to a "destination" (aka pubkey) and then looks up the privkey... and looking at the "dumpwallet" code, you can see that it has to derive the addresses for a key by using the GetWalletAddressesForKey() function

All of which would tend to back up the theory that the addresses themselves are not stored.


One other point to note if you're reading the wallet.dat file directly... is that if you have a password on your wallet.dat, the private key section of your wallet will be encrypted. So the "bytes" that you see for a private key will likely be the "encrypted bytes". You need to decrypt those using the appropriate passphrase, then convert those bytes from "Private Key" -> "Public Key" -> "Address" using the appropriate algorithm.


sphinx666
June 04, 2018, 05:55:21 PM
 #7

Hey all, I'm a total noob here, what I have with me is an uncompressed bitcoin address and its private key, can I know how do I compress it and confirm the private key?

It would be a great help.
Xynerise
June 04, 2018, 06:48:32 PM
 #8

Hey all, I'm a total noob here, what I have with me is an uncompressed bitcoin address and its private key, can I know how do I compress it and confirm the private key?

It would be a great help.
If you want to do it locally, download the bitaddress website on your computer, go to wallet details, enter your private key, click View Details, and it'll show you both the compressed and uncompressed address.
sphinx666
June 04, 2018, 09:43:05 PM
 #9

Hey, thanks, I tried it, apparently my private seems to have issues with it, but my public uncompressed key is correct, is there a way to get a confirmed private key?
bob123
June 05, 2018, 07:57:05 AM
Last edit: June 05, 2018, 08:23:53 AM by bob123
 #10

Hey, thanks, I tried it, apparently my private seems to have issues with it, but my public uncompressed key is correct, is there a way to get a confirmed private key?

It doesn't work like that.
You can't get the private key out of an address.

What exactly are you trying to accomplish? Xynerise already gave you an answer.

You need to enter your private key (first download the site and run it offline).
Then you will get a compressed and uncompressed key.

What exactly isn't working properly?

sphinx666
June 05, 2018, 08:07:43 AM
 #11

I tried it at the bit address page online it says my private key is invalid. I really don't know what to do. I tried downloading the bitaddress page offline but I'm getting jscript error, by the way you're a mixer, interesting.
bob123
June 05, 2018, 08:28:19 AM
 #12

I tried it at the bit address page online it says my private key is invalid. I really don't know what to do.

You should NEVER paste your private key into a website. You may have exposed your private key now.
After you have accessed your funds, consider this private key as compromised.

How many characters does your private key have? And what does it start with? 5.., L.., K.. ?



I tried downloading the bitaddress page offline but I'm getting jscript error, by the way you're a mixer, interesting.

Did you open it with the same browser as when accessing it online?
What kind of error do you get?

sphinx666
June 05, 2018, 08:42:21 AM
 #13

I have a whole list of private keys, I only tried one with a small balance, it tells me the private key is invalid. Yes, I used the same browser.
bob123
June 05, 2018, 08:52:13 AM
 #14

I have a whole list of private keys, I only tried one with a small balance, it tells me the private key is invalid. Yes, I used the same browser.

Please answer the questions. I do not ask them out of curiosity.


How many characters does your private key have? And what does it start with? 5.., L.., K.. ?

What kind of error do you get?

nc50lc
June 05, 2018, 08:53:49 AM
 #15

I have a whole list of private keys, I only tried one with a small balance, it tells me the private key is invalid. Yes, I used the same browser.
Do not paste your private keys in any online wallet that you don't trust, in other words, all of them.
To try if those Private Keys are valid, use offline Electrum instead, you can paste them all in one go using the "restore/new wallet" using private key(s) option.

Answer Bob's question, it's pretty important:
How many characters does your private key have? And what does it start with? 5.., L.., K.. ?

sphinx666
June 05, 2018, 09:01:06 AM
 #16

Ok...

It has 51 characters, it begins with "5.."

The error message was..."The private key entered is not a valid private key".

But there is one thing weird though, the private key is a mixture of letters and numbers except the alphabets are all capital, that should not be the case right?
nc50lc
June 05, 2018, 09:13:47 AM
 #17

Right, 51 characters starting with 5: that must be a private key (uncompressed).
In almost all cases, private keys are composed of lower-case and upper-case letters as well as numbers, but there's a very, very slim chance of a private key having all capital letters.

If all of your private keys have all Caps, there must be something wrong with the file dump or the txt editor you've used.

HCP
June 05, 2018, 09:16:24 AM
 #18

But there is one thing weird though, the private key is a mixture of letters and numbers except the alphabets are all capital, that should not be the case right?
It's probably not impossible, but it is highly unlikely that all the letters in a Base58check encoded private key would be in uppercase.

It sounds like whoever recorded these private keys did so without differentiating between upper and lower case properly.

That's going to be a real hassle to fix! Not impossible, but could potentially take a long time trying all the various combinations to find the right one.

Will definitely need some scripting or coding... Doing it manually will take forever.


I have an old Python script somewhere that I used to bruteforce a Bitcoin puzzle private key that tried combinations of letters... It could probably be repurposed to generate a list of valid private keys starting with all capitals. I'll have a look for it when I get off shift and see if I can find it

bob123
June 05, 2018, 10:19:41 AM
 #19

I tried it at the bit address page online it says my private key is invalid. I tried downloading the bitaddress page offline but I'm getting jscript error
The error message was..."The private key entered is not a valid private key".

Obviously this error is only due to the wrong private key.

I'd highly suggest you use the downloaded version of the site, preferably on an offline PC.
While entering your private key on the online version does not necessarily lead to a loss of your funds, it makes it way more probable that it is going to happen.



But there is one thing weird though, the private key is a mixture of letters and numbers except the alphabets are all capital, that should not be the case right?

If only one of your private keys does have capitals only, it might be a coincidence. But if all do have capitals only, something weird happened.

A small bruteforce script (like suggested by HCP) would be the easiest/fastest way to access your funds.

LoyceV
June 05, 2018, 10:31:10 AM
 #20

If only one of your private keys does have capitals only, it might be a coincidence.
It's very unlikely to be all upper case, unless they haven't been generated at random.

Quote
But if all do have capitals only, something weird happened.
Agreed. So sphinx666, start your story from the beginning: how did you create the private keys, what steps did you take in between, and how did you end up in the current situation. But you're hijacking this thread, so click Start new topic and post a complete description there.

Quote
A small bruteforce script (like suggested by HCP) would be the easiest/fastest way to access your funds.
With about 2^40 possibilities, that gives a trillion options per private key. I have no idea how fast this can be checked, if you reach a million per second it will take about a week.
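
The hex-to-WIF step in reply #4 and the "not a valid private key" error in replies #16 to #19 both come down to Base58Check, so here is an offline check, added as an example and not code from any poster, pywallet or bitaddress. The function names are my own, and the key is the test-wallet key already posted in reply #3.

```python
import hashlib

# Bitcoin's Base58 alphabet deliberately omits 0, O, I and l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Test-wallet key posted in this thread (reply #3); never reuse it.
KEY_HEX = "8814396648a8c19b783e6e72b3e3896d51bfc5d5edc2ec88a2b298a8a3a38c19"


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"{ch!r} is not a Base58 character")
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


def wif_from_hex(key_hex: str, compressed: bool = False) -> str:
    """0x80 + 32-byte key (+ 0x01 if compressed) + checksum, in Base58."""
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    payload = b"\x80" + key + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def wif_to_hex(wif: str):
    """Return (key_hex, compressed) or raise ValueError saying what is wrong."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch (mistyped or wrong-case character)")
    if payload[:1] != b"\x80" or len(payload) < 33 or payload[33:] not in (b"", b"\x01"):
        raise ValueError("not a mainnet WIF private key")
    return payload[1:33].hex(), payload[33:] == b"\x01"


def why_invalid(wif: str):
    """None if the WIF is well-formed, otherwise the reason as text."""
    try:
        wif_to_hex(wif)
        return None
    except ValueError as err:
        return str(err)
```

An all-capitals copy of a key is rejected either because it contains O or I, which are not Base58 characters at all, or because the four checksum bytes no longer match.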
