Bitcoin Forum
March 01, 2024, 08:13:46 PM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Hex pattern for electrum wallet  (Read 164 times)
mackminer (OP)
Sr. Member
****
Offline Offline

Activity: 348
Merit: 251



View Profile
April 02, 2020, 04:35:58 PM
Merited by ABCbits (1)
 #1

I'm trying to find an electrum wallet on a disk, it was saved without an extension - can anyone tell me what hex pattern I could search for to find the file?

Thanks a mill. Smiley

1BFf3Whvj118A5akc5fHhfLLwxYduMmq1d
The trust scores you see are subjective; they will change depending on who you have in your trust list.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1709324026
Hero Member
*
Offline Offline

Posts: 1709324026

View Profile Personal Message (Offline)

Ignore
1709324026
Reply with quote  #2

1709324026
Report to moderator
1709324026
Hero Member
*
Offline Offline

Posts: 1709324026

View Profile Personal Message (Offline)

Ignore
1709324026
Reply with quote  #2

1709324026
Report to moderator
keychainX
Member
**
Offline Offline

Activity: 366
Merit: 52

Telegram @keychainX


View Profile WWW
April 02, 2020, 04:56:17 PM
 #2

I'm trying to find an electrum wallet on a disk, it was saved without an extension - can anyone tell me what hex pattern I could search for to find the file?

Thanks a mill. Smiley

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that

HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4314

<insert witty quote here>


View Profile
April 02, 2020, 08:04:18 PM
Last edit: November 15, 2023, 01:43:15 AM by HCP
Merited by BitMaxz (1), ABCbits (1), hosseinimr93 (1), Heisenberg_Hunter (1)
 #3

That depends on whether or not a password was used and/or whether or not full file encryption was used.

Electrum supports THREE different options:

1. Unencrypted (wallet is stored in plaintext)
  - No password required

2. "Secrets only" encrypted (wallet is still plaintext, but the "secrets" (private keys/seeds etc) are encrypted)
  - Wallet will open without the password, but password required to send transactions/view seed and private keys etc

3. Full file encryption
  - Wallet will not even open without password


In any case, the file itself is just a simple text file... not sure you'll find a "standard" hex pattern that will guarantee identification of an Electrum wallet file.

In cases #1 & #2, a plaintext file search for: "wallet_type" should find those...

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that
In case #3, I've some that end in == and some that end in = and some that don't... Undecided







█▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

█          ▄         ▄      ▄▄▄▄▄
█       ▄███      ▄███      █████
█        ████      ████     ▀▀▀▀▀
█         ████      ████
█          ████▄▄▄▄▄▄████▄▄▄▄▄▄▄▄
█           █████████████████████
█            ▀█████▄   ▀█████▄
█              ▀█████▀   ▀█████▀
█                 ▀▀        ▀▀

█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
.....Your private Bitcoin wallet for desktop.....█▀▀▀▀▀▀











█▄▄▄▄▄▄
▀▀▀▀▀▀█











▄▄▄▄▄▄█
ewaspiro
Member
**
Offline Offline

Activity: 74
Merit: 10


View Profile
April 02, 2020, 08:27:58 PM
 #4

That depends on whether or not a password was used and/or whether or not full file encryption was used.

Electrum supports THREE different options:

1. Unencrypted (wallet is stored in plaintext)
  - No password required

2. "Secrets only" encrypted (wallet is still plaintext, but the "secrets" (private keys/seeds etc) are encrypted)
  - Wallet will open without the password, but password required to send transactions/view seed and private keys etc

3. Full file encryption
  - Wallet will not even open without password


In any case, the file itself is just a simple text file... not sure you'll find a "standard" hex pattern that will guarantee identification of an Electrum wallet file.

In cases #1 & #2, a plaintext file search for: "wallet_type" should find those...

There is no hex pattern as its a hashed encrypted wallet. Only hint is that the hash ends with == so you could search for that
In case #3, I've some that end in == and some that end in = and some that don't... Undecided







with only the = its very common pattern

If I dont reply to your PM means I dont want to have you send me more PMs
pooya87
Legendary
*
Offline Offline

Activity: 3374
Merit: 10345



View Profile
April 03, 2020, 03:45:26 AM
 #5

with only the = its very common pattern

you are talking about base-64 encoding of an arbitrary length data (wallet file that has transactions inside that can be any size), so there really is no way to say which padding is the most common. most probably all 3 possibilities (2 pads, 1 pad, and no pad) are equally possible.

  BTC
.
BTC
.
 BTC
.
BTC
..JAMBLER.io..
██
██
██
██
██
██
██

██

██

██

██
YOUR OPPORTUNITY TO
HAVE BITCOIN BUSINESS

██
██
██
██
██
██
██

██

██

██

██
.
  BTC
. BTC
.
.
 
BTC
  BTC
nc50lc
Legendary
*
Offline Offline

Activity: 2338
Merit: 5316


Self-proclaimed Genius


View Profile
April 03, 2020, 05:31:53 AM
 #6

One thing that I've noticed is every fully encrypted wallet mostly starts with "QklFMQ" when opened using a text editor.
Starts with "42 49 45 31" when converted the full base64 string into hex.

But it starts with "51 6B 6C 46 4D 51" if you directly convert the wallet file into HEX, not the contents.

Those are varying in length so it will be hard to pin-point what you're looking for if you just have a hex dump of your disk.

  BTC
.
BTC
.
 BTC
.
BTC
..JAMBLER.io..
██
██
██
██
██
██
██

██

██

██

██
YOUR OPPORTUNITY TO
HAVE BITCOIN BUSINESS

██
██
██
██
██
██
██

██

██

██

██
.
  BTC
. BTC
.
.
 
BTC
  BTC
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!