Encrypted wallet.dat, lost password, any solutions?

[cycloid]

Hey guys this is amazing any chance i can get help with my 10k ltc wallet? I forgot i had it on my laptop and remember the password as its simmilar and i just change either number at the end or used "ks" instead of "x" or "o" instead of "a" . In this case its over 33characters long and i been at it for a week with a notepad file where i record all combinations i tried and nothing so far :/

I know this is off topic but this is the best answer to similar problem i seen so far.

I will give a donation to anyone who can help i know this is just a mispelling because I remember writing it out in a notepad, then copy pasting it twice in ltc wallet and BAM since i cant get it to work ....( yes i know this is extremly stupid  to do and yet for some dumb reason i did it to save time )


thanks in advance and sorry to post here regarding ltc wallet agian.

[1714790990]

1714790990

[1714790990]

1714790990

[Revalin]

What if you know the start of the password and some of the letters in the end?

Roughly how many characters are in the middle?  Would it be all numbers, all lowercase, etc?  Anything you know will help.

[Revalin]

Hey guys this is amazing any chance i can get help with my 10k ltc wallet? I forgot i had it on my laptop and remember the password as its simmilar and i just change either number at the end or used "ks" instead of "x" or "o" instead of "a" . In this case its over 33characters long and i been at it for a week with a notepad file where i record all combinations i tried and nothing so far :/

I know this is off topic but this is the best answer to similar problem i seen so far.

I will give a donation to anyone who can help i know this is just a mispelling because I remember writing it out in a notepad, then copy pasting it twice in ltc wallet and BAM since i cant get it to work ....( yes i know this is extremly stupid  to do and yet for some dumb reason i did it to save time )


thanks in advance and sorry to post here regarding ltc wallet agian.

Hey, I'm cool with LTC.  Let's see what we can do:

Code:

#!/usr/bin/ruby

passphrase = 'I fargat my paxxward'
max_digits = 5

def test(phrase)
  print phrase, "\t"
  system("./litecoind", "walletpassphrase", phrase, "20")
  case $?.exitstatus
  when 0
    puts "Found it! #{phrase}"
    exit 0
  when 127
    puts "bitcoind not found in current dir"
    exit 1
  when nil
    puts "Aborting"
    exit 1
  end
end

indexes = (0..passphrase.length-1).select{|i| passphrase[i].match /a|x/}
phrases = (0..2**indexes.length-1).map do |mask|
  new_phrase = passphrase.chars.to_a
  (0..(indexes.length-1)).select{|i| (mask>>i).odd?}.map do |index|
    target = new_phrase[indexes[index]]
    target.sub!("a", "o")
    target.sub!("x", "ks")
    target
  end
  new_phrase.join
end

(0..max_digits).each do |digits|
  (0..10**digits-1).each do |i|
    phrases.each do |phrase|
      test("%s%0#{digits}d" % [phrase,i])
    end
  end
end

The instructions are the same as for bitcoind:  Set your RPC passphrase, start the litecoind daemon, then start the script running.  You should see the passphrases being tested followed by "Error: The wallet passphrase entered was incorrect."  I haven't actually tried it on litecoind so let me know if it doesn't work.

When you enter your passphrase at the top, use all "a" and "x", don't use "o" or "ks".  Set the max_digits to the maximum number of digits to try on the end.

It will take about a week as shown: 6 "a"s and "x"es to try and max_digits = 5.  Every extra a or x doubles the time.  Every extra digit is about 10x the time.

Good luck!

[knybe]

finally can post in here...


Anyway, All the hooplah started up again in Feb 2013 so, excitedly I sits down to open up my wallet and see what I got and send them few bitcoins out to market BUT low and behold; I cannot remember my effing passphrase... for the life of me. been trying for weeks. Even been running Revalin's brute.rb script to no avail.

been trying to reenact the whole scene the day I made the pphrase; visualization, meditation, qi-gong, etc. nothing has come... yet

any ideas appreciated.

possible compensation for a solution.

[riX]

Ok, since I now get more than 1 request for cracking wallets every day, I'd like to put it a little note here:

If you contact me having forgotten your password, which is "somewhere between 1-32 characters, mixed case including numbers and special characters", please, there is no chance, and you probably stole the wallet anyway, or you would have known more.

To get an idea of the chance of success, try to make a rough estimate of the number of possible combinations your info about the password will result in. If this is more than one million, I will not waste my time.
As an example, the maximum complexity is like 6 unknown digits, or 4-5 unknown letters.
Conclusion: raw bruteforce is not feasible, what needs to be done is educated guesses, so unless you have a very good idea of what the password might be, and probably just typed it in wrongly twice when setting it, there is a high risk of never getting that wallet open.

Some types of requests I have been able to find passwords for:
"The password might be any of these 6 different 20+ character passwords i regularly use, possibly with a combination of two random double letters at the end, like passwordxxyy".
"I'm sure I typed in this 50 character password, but it just isn't working".
"My passwords always starts with the date I created the account, in format mm.dd.yyyy, and then a clockwise or anti-clockwise circle of keys on the keyboard around some key, and then that key 10 times at the end, like 11.12.2012dertgbvcffffffffff. I know it was created sometime in November or December."

That should give you an idea of what is possible.

[the founder]

Ok, since I now get more than 1 request for cracking wallets every day

Clearly there is a market for it. 

Assume there is 1 BTC in that encrypted wallet.

sell it for .01 BTC each (people don't have an incentive to share it because it widens the pool).

Limit it to 100 sales (if there was a 1 coin in it),  you got your coin back,  and everyone pretty much just bought a lottery ticket for .01 BTC for a crack at opening 1 BTC in there.

That's how I would solve the problem,  everyone get's a chance at making 100 times their .01 back, you got your 1 BTC back.

I take tips if you like the idea.  :  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

In a few weeks one of the guys will contact you and say he opened it or something...  all good.   It may not solve you cracking the wallet yourself, BUT it would get your money back,  and someone else will get a chance at making 100 times his money.

Honestly there might a market for this,  ASIC miners have more horsepower than most of us,  they might buy encrypted wallets like this all the time... might be more profitable for them than mining itself.

[knybe]

Ok, since I now get more than 1 request for cracking wallets every day

Clearly there is a market for it. 

Assume there is 1 BTC in that encrypted wallet.

sell it for .01 BTC each (people don't have an incentive to share it because it widens the pool).

Limit it to 100 sales (if there was a 1 coin in it),  you got your coin back,  and everyone pretty much just bought a lottery ticket for .01 BTC for a crack at opening 1 BTC in there.

That's how I would solve the problem,  everyone get's a chance at making 100 times their .01 back, you got your 1 BTC back.

I take tips if you like the idea.  :  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f

In a few weeks one of the guys will contact you and say he opened it or something...  all good.   It may not solve you cracking the wallet yourself, BUT it would get your money back,  and someone else will get a chance at making 100 times his money.

Honestly there might a market for this,  ASIC miners have more horsepower than most of us,  they might buy encrypted wallets like this all the time... might be more profitable for them than mining itself.

unfortunately I have a bit more than 1 BTC in it...

[knybe]

Ok, since I now get more than 1 request for cracking wallets every day, I'd like to put it a little note here:

If you contact me having forgotten your password, which is "somewhere between 1-32 characters, mixed case including numbers and special characters", please, there is no chance, and you probably stole the wallet anyway, or you would have known more.

To get an idea of the chance of success, try to make a rough estimate of the number of possible combinations your info about the password will result in. If this is more than one million, I will not waste my time.
As an example, the maximum complexity is like 6 unknown digits, or 4-5 unknown letters.
Conclusion: raw bruteforce is not feasible, what needs to be done is educated guesses, so unless you have a very good idea of what the password might be, and probably just typed it in wrongly twice when setting it, there is a high risk of never getting that wallet open.

Some types of requests I have been able to find passwords for:
"The password might be any of these 6 different 20+ character passwords i regularly use, possibly with a combination of two random double letters at the end, like passwordxxyy".
"I'm sure I typed in this 50 character password, but it just isn't working".
"My passwords always starts with the date I created the account, in format mm.dd.yyyy, and then a clockwise or anti-clockwise circle of keys on the keyboard around some key, and then that key 10 times at the end, like 11.12.2012dertgbvcffffffffff. I know it was created sometime in November or December."

That should give you an idea of what is possible.

The wallet is mine.
I do somewhat remember the combinations of words that I used to make up the passphrase, but then I mixed and replaced characters with numbers, etc. The thing is, I know I wrote it down somewhere but mindlessly misplaced it over the last year or so when I put bitcoin on the back burner (I know, I know; "O ye of little faith"). It's gotta be in my house somewhere... it's so frustrating to look and look and look and not find... hopefully it didn't get thrown away.

[niklas]

Anything is possible, especially in the presence of bugs or various typing-utilities/spelling-checkers/etc. Blind typing into the bitcoin-qt window is a classic failure mode for that, e.g. for Germans: Kongressstraße vs. Kongreßstraße.

For KGB agents the example would be: Microsoft vs. Microsoft. (For non-KGB-agents: the second "c" is actually a cyrillic "s".)

Edit: Oh, and guys, please don't race into registering the homo-glyph accounts for the Bitcoin luminaries. Registering as "Gavin-non-break-space-Andresen" is not that funny.

Edit2: Fixed the external link.

After all this trouble with the encoding on linux I switched back to Windows 7 to try to crack my password. Cracking a test-wallet with a password that contains an umlaut now works with Revalins' script.

However, the next issue is up: the ruby script is so slow on Windows (compared to Linux). On my linux laptop with a Core i7 it tried passwords at a frquency of about 10-20 attempts per second. On a Windows 7 machine wiht a Core i3 it slows down to something like one password per second. Part of this is probably due to the CPU used, but the larger part seems to be OS specific. Is there anything one could do about that?

Desperate,

Niklas

[2112]

Maybe this will help someone with mistyped password on Windows. This is a short Powershell script that tries the passwords read from standard input as rapidly as the particular cryptocoin client will allow.

Code:

# 
# Please put the correct RPC username/password below
#
$h = new-object Net.WebClient
$h.Credentials = new-object Net.NetworkCredential("user","pass")
$h.Encoding = [Text.Encoding]::Default
# Above "Default" works for original encryption from the command line
# Change to "UTF8" when the GUI was used to encrypt
#
# read the password guesses from standard input
#
# Change "$Input" to a known good password in single quotes
# to test the program, e.g. 'Kongreßstraße'.
$Input | foreach { 
    try {
        $p = $_
        Write-Output "Trying '$p'"
        $r = $h.UploadString('http://localhost:8332/','{"method":"walletpassphrase","params":["'+$p+'",1]}')
        # Write-Output $r
        Write-Output "Correct password found!"
        break
    }
    catch [Net.WebException] {
        $e = $_
        switch -wildcard ($e.Exception.Message) {
             "*(401) Unauthorized*" {
                  Write-Output "Fix the user/pass!"
                  Exit-PSSession
             }
             "*(500) Internal Server Error*" {
                  continue
             }
             default {
                  $e | Format-List -Force 
                  Exit-PSSession
            }
        }
    }
}
#
# Exiting without success!
#
Write-Output "Exiting!"
# Note about saving the text of this script: Please view it with an hex editor,
# and look for the character representing the German "sharp s".
# If it is __ , then the file was saved as ____ .
# DF - Windows-1252 or ISO-8859-1
# E1 - Code Page 850 or 437
# 41 4E 38 2D - UTF-7
# C3 9F - UTF-8
# 00 DF - UTF-16 Big Endian
# DF 00 - UTF-16 Little Endian
# Make sure that the powershell.exe, cmd.exe and any other programs
# you used are appropriately configured. In particular your Command
# Prompt window may need the fonts changed (from Raster to TrueType)
# and you may need to run CHCP. There are too many combinations
# to enumerate them here.

You can either feed it a file/dictionary of possible passwords:

Code:

powershell -executionpolicy bypass -file bitcrack.ps1 < dictionary.txt

or a pipe in the one-per-line output from the password generator:

Code:

generator.exe | powershell -executionpolicy bypass -file bitcrack.ps1

.

For someone who already has the Ruby installed on their Windows machine you can take those programs and delete the system() call and the case/end statement below it. Also change 'print phrase, "\t"' to 'puts phrase'. They should speed up the checks to the maximum achievable without hacking the wallet-handling code in the Satoshi client.

Edit: I put some more clarifying comments into the source code.

[niklas]

Maybe this will help someone with mistyped password on Windows. This is a short Powershell script that tries the passwords read from standard input as rapidly as the particular cryptocoin client will allow.

Code:

# 
# Please put the correct username/password below
#
$h = new-object Net.WebClient
$h.Credentials = new-object Net.NetworkCredential("user","pass")
$h.Encoding = [Text.Encoding]::Default
#
# read the passord guesses from standard input
#
$Input | foreach { 
    try {
        $p = $_ # + 'Kongreßstraße'
        Write-Output "Trying '$p'"
        $r = $h.UploadString('http://localhost:8332/','{"method":"walletpassphrase","params":["'+$p+'",1]}')
        # Write-Output $r
        #
        # Correct password found!
        #
        break
    }
    catch [Net.WebException] {
        $e = $_
    	switch -wildcard ($e.Exception.Message) {
    		"*(401) Unauthorized*" {
    			Write-Output "Fix the user/pass!"
    			Exit-PSSession
    		}
    		"*(500) Internal Server Error*" {
    			continue
    		}
    		default {
                $e | Format-List -Force 
    			Exit-PSSession
            }
        }
    }
}
#
# Exiting without success!
#
Write-Output "Exiting!"

You can either feed it a file/dictionary of possible passwords:

Code:

powershell -executionpolicy bypass -file bitcrack.ps1 < dictionary.txt

or a pipe in the one-per-line output from the password generator:

Code:

generator.exe | powershell -executionpolicy bypass -file bitcrack.ps1

.

For someone who already has the Ruby installed on their Windows machine you can take those programs and delete the system() call and the case/end statement below it. Also change 'print phrase, "\t"' to 'puts phrase'. They should speed up the checks to the maximum achievable without hacking the wallet-handling code in the Satoshi client.

Thank you, 2112, this looks promising.

I have changed the brute.rb script from Revalin according to your suggestions and I am now using it as a password generator for your powershell script. It took some trying but now I know that there is something like a decent cli on windows

The whole thing runs very fast now. Problem is, I still do have the problems with the umlauts. Again I have checked that using a fresh, empty wallet with a password containing umlauts -which was not found. If I set the password to one without umlauts, your script finds it.

I assume that this has something to do with the encodings settings in your script. I already tried changing the encoding to 'BigEndianUnicode' and 'UTF8', but in both circumstances, the password was not found.

Do you have any further ideas.

Slightly less desperated, maybe even a bit optimistic ...

Niklas

[2112]

Do you have any further ideas.

At this moment all I can say is "works for me". I put some more comments into my previous post above, to clarify the usage and describe the common pitfalls.

I tested on my Windows 7 US English version both for command-line and graphical-user-interface passphrases. The program was used essentially unchanged to help an user who had to restore German Windows Vista backup into a replacement machine made for the US market (or an opposite, don't recall the details.)

Test it character by character, umlaut by umlaut, both command line and GUI, until you find what's wrong. Or just hire somebody to do that for you.

[Revalin]

Maybe this will help someone with mistyped password on Windows. This is a short Powershell script that tries the passwords read from standard input as rapidly as the particular cryptocoin client will allow.

Nice.  I should have done something like this from the start.  I'll add it to my next version.

[Revalin]

Here's one for mik3 @ https://bitcointalk.org/index.php?topic=170137 .

Anyone on Windows or who's had trouble getting these scripts to run may want to grab the test() function from this one.  It uses JSON-RPC instead of calling bitcoind, as suggested by 2112 above.

Code:

#!/usr/bin/ruby
require "net/http"
require "json"

# Fill in your RPC username and password from your bitcoin.conf here.
$rpc_auth = "user", "pass"

max_bangs = 10
words = [
  [ "one"   , "One"   , "ONE"]   , 
  [ "two"   , "Two"   , "TWO"]   , 
  [ "three" , "Three" , "THREE"] , 
  [ "four"  , "Four"  , "FOUR"]  , 
]

def test(passphrase)
  puts passphrase
  request = Net::HTTP::Post.new("/")
  request.basic_auth *$rpc_auth
  request.body = { method:"walletpassphrase", params:[passphrase, 1] }.to_json
  response = Net::HTTP.new("localhost", 8332).request(request)
  if response.code == "401" ; puts "Incorrect RPC user/pass" ; exit 1 ; end
  ret = JSON.parse response.body
  if ret["error"].nil? ; puts "\nFound it! #{passphrase.inspect}" ; exit ; end
  return if ret["error"]["code"] == -14 # wrong passphrase
  raise "WTF? #{ret.inspect}"
end

def spin(phrase, array)
  return phrase if array.empty?
  array.first.map do |word|
    p = phrase.dup.push word
    spin(p, array[1,99])
  end
end

spin([], words).flatten(words.count - 1).each do |phrase|
  phrase.permutation(words.count) do |shuffled|
    (max_bangs + 1).times do |bangs|
      test shuffled.join(" ") + ("!" * bangs)
    end
  end
end

puts "No luck."

[gollum]

What about this solution for the bitcoin-client to prevent forgotten passwords:

support for yubi-key so you can buy your own Yubi-key and connect it to the specifik wallet.
In this way each wallet would be locked to a specifik Yubi-key.
The risk now is that if you lose your Yubi-key you will never get your coins back - Is this assumption correct or is it possible to order a new Yubi-key with identical key?

[Revalin]

What about this solution for the bitcoin-client to prevent forgotten passwords:

support for yubi-key so you can buy your own Yubi-key and connect it to the specifik wallet.
In this way each wallet would be locked to a specifik Yubi-key.
The risk now is that if you lose your Yubi-key you will never get your coins back - Is this assumption correct or is it possible to order a new Yubi-key with identical key?

The advantage of a Yubikey is it can do challenge-response auth instead of passphrases.  That's not really useful in this case.

I recommend storing your passphrase on paper.  If you want cut and paste convenience I think it's cheaper and equally secure to store it on a thumb drive, or preferably a few thumb drives.

[Revalin]

We have a success over in the Newbies forum: https://bitcointalk.org/index.php?topic=169232.msg

Niklas, you should try what he did in line 2 to mark the script as UTF-8 (or UTF-16, if you saved it on windows).  When I get a chance I'll add some proper unicode support, but just adding the comment at the top to ensure the embedded strings are handled correctly might be worth a shot for now.

Here's his post in case it helps anyone else:

Hi, could some admin please move this to https://bitcointalk.org/index.php?topic=85495.100 and let member Revalin know (being a newbie, I cannot post there nor PM him).
Revalin, thanks for your script. Me, too, I forgot my precise passphrase. I remembered the overall mechanism to construct my wallet passphrase but didn't remember exactly how I applied it.
My wallet passphrase consists of a left and a right part. The left part was a sequence of character, maybe "Start" or "start" or "beginning"... Same with the right part. It could have been "end" or "End" or ... So, the passphrase could have been "startend", "Startend", "beginningEnd", ... There were about twenty possibilities for the left and also for the right part, too many to test manually. So I adapted your script.

Code:

#!/usr/bin/ruby
# -*- coding: utf-8 -*-
lefts = [ "start", "Start", "Beginning" ] # The possible words for the left part
rights = ["end", "End", "ending"] # The possible words for the right part

def test(phrase)
  print phrase, "\t"
  system("./bitcoind", "walletpassphrase", phrase, "20")
  case $?.exitstatus
  when 0
    puts "Found it! #{phrase}"
    exit 0
  when 127
    puts "bitcoind not found in current dir"
    exit 1
  when nil
    puts "Aborting"
    exit 1
  end
end

lefts.each do |left|
  rights.each do |right|
    test(left + right)
  end
end

If someone wants to use it, then replace the words in lefts and rights with your words and add as many as required.

Another comment: as reported earlier by niklas, the script runs unusable slow on Windows. I recommend installing some Linux image. I had no problems with German special characters.
Revalin, please PM me, I would like to send you a Bitcoin reward. Without your script, I probably wouldn't have recovered my wallet.

[veryveryinteresting]

We have a success over in the Newbies forum: https://bitcointalk.org/index.php?topic=169232.msg

Niklas, you should try what he did in line 2 to mark the script as UTF-8 (or UTF-16, if you saved it on windows).  When I get a chance I'll add some proper unicode support, but just adding the comment at the top to ensure the embedded strings are handled correctly might be worth a shot for now.

Here's his post in case it helps anyone else:

Hi, could some admin please move this to https://bitcointalk.org/index.php?topic=85495.100 and let member Revalin know (being a newbie, I cannot post there nor PM him).
Revalin, thanks for your script. Me, too, I forgot my precise passphrase. I remembered the overall mechanism to construct my wallet passphrase but didn't remember exactly how I applied it.
My wallet passphrase consists of a left and a right part. The left part was a sequence of character, maybe "Start" or "start" or "beginning"... Same with the right part. It could have been "end" or "End" or ... So, the passphrase could have been "startend", "Startend", "beginningEnd", ... There were about twenty possibilities for the left and also for the right part, too many to test manually. So I adapted your script.

Code:

#!/usr/bin/ruby
# -*- coding: utf-8 -*-
lefts = [ "start", "Start", "Beginning" ] # The possible words for the left part
rights = ["end", "End", "ending"] # The possible words for the right part

def test(phrase)
  print phrase, "\t"
  system("./bitcoind", "walletpassphrase", phrase, "20")
  case $?.exitstatus
  when 0
    puts "Found it! #{phrase}"
    exit 0
  when 127
    puts "bitcoind not found in current dir"
    exit 1
  when nil
    puts "Aborting"
    exit 1
  end
end

lefts.each do |left|
  rights.each do |right|
    test(left + right)
  end
end

If someone wants to use it, then replace the words in lefts and rights with your words and add as many as required.

Another comment: as reported earlier by niklas, the script runs unusable slow on Windows. I recommend installing some Linux image. I had no problems with German special characters.
Revalin, please PM me, I would like to send you a Bitcoin reward. Without your script, I probably wouldn't have recovered my wallet.

I have an issue similar to this. Revalin helped me get the code going, but I used a different password format than I usually do. I found the sheet with the "building blocks", but I don't know the order.

I don't have much BTC, but I am willing to give a 1 BTC (out of the handful in my wallet) to someone who can help me with this.

I used 4 or 5 different words, with pronunciations that I remember.
I also used some numbers.
Lastly, I used a symbol somewhere in the password.

Is there a way to try passwords generated like this:

wordlist = ["PassWord", "passWord", "ninja", "pIRate", "ATTack"] (all my pronunciation variations- I will write those, I know what the variations are, which ones I use and don't use)

numbers = [0,1,2,3,4,5,6,7,8,9] (I may have used as many as 4 numbers in the password)

symbol = [$] (maximum of one symbol in the passphrase)

So it would take words from the word list, add a number(s), and symbol, and try all variations:

words (that I know, up to 5 maximum) + numbers (up to 4 single digits, 0-9999, maximum of four digits in passphrase, either appearing as singles ("8") or together("34" or "512" or "2323"), before or after words) + 1 symbol somewhere in the passphrase (maximum 1 time shown up, before or after a word or number)

It could be as few as 1 word and as many as 5. Could be as few as 2 numbers (at least 2) and as many as 4. Needs at least one symbol.

I hope this makes sense. If it doesn't, please let me know. I wish I could program. That powershell looks awesome!

Thanks,
VVI

[veryveryinteresting]

Just received this PM from Rahazan, looks great!

Hello there,

(If this is the second time you receive this, it's because I was not sure whether the message was sent or not).

After a long night of learning the syntax of PowerShell (I only know Java and a little Clean) and debugging I have been able to program what you requested in this thread https://bitcointalk.org/index.php?topic=85495.120 . A way to get your coins back, hopefully.

http://pastebin.com/9MYBV9ve
It is fairly well documented, it should contain all the information you need.

The reason I didn't simply post this in the thread is because I have not been whitelisted yet (which I have requisted however). I will post it up in the thread for others to use when I am able to.
Time for some sleep now ;].

Hope it works for you

Regards,
Rahazan

His code is here:

Code:

# Bitcoin encrypted wallet somewhat-brute-force-recovery.
# Also works for litecoins probably (untested).
# By Rahazan
#
# Originally created for veryveryinteresting (VVI)
# https://bitcointalk.org/index.php?topic=85495.120
# My first ever powershell script, by the way. 
# Pardon any convention I broke in this language (for I did not study any conventions of this language).

################################################################
# Recovered your coin     using this? Consider a donation to   #
# the AI student who scripted this :)                          #
# Donations BTC:    1FkXY2WVG9X4WqVuKdrSrX64ZTj9HgG34U         #
# Donations LTC:    LKdLS4seKpE2MNmt4t618oZV7v7tNkD6zL         #
################################################################


######################################################
# How does it work?
######################################################

# This script creates every possible combination in a depth-first order.
# After this it tries all of these. On my crappy laptop it achieved ~ 5 attempts per second.

######################################################
# How do I use this?
######################################################

# - Edit the values in the next block of this script to your likings, make sure you set your RPC password & username.
# - Run the daemon service found in Bitcoin\daemon  (bitcoind.exe)
# - Run this script (save as SOMENAME.ps1 and right click -> run with PowerShell.
# (To run it you might have to change some settings regarding allowing PowerShell scripts to run.. Google this.)
# (Press CTRL+C to cancel if you wish to stop it.)
# - Grab a cup of coffee as it tries a gazillion combinations.
# - Get your coin back.
# - Maybe donate a portion? ;)
# - DELETE THIS SCRIPT (Shred it!). It holds way too valuable information about your password!


######################################################
#Values you will probably want to set!
#Please note that the more free you make these variables, computation time will increase by A LOT.
######################################################

# Min/Max length of your password (included! so min:1 max: 3 would allow password length 1 but also length 3)
# So if you know the length, these should both be the same number.
[int] $global:minLength = 10
[int] $global:maxLength = 16

#Word list
$wordsList = @("abcd","efgh")
[int] $numWords = 2 #Amount of times one of these word blocks can exist in your pass

#Symbol list
$symbolList = @("&")
[int] $numSymbols = 1 #Amount of times one of these symbol blocks can exist in your pass

#Number list
$numberList = @("0","1","2","3","4","5","6","7","8","9") #Possible numbers, do not have to be single numbers. For instance it could be just "22" if you know you have that in your pass somewhere with numNumbers 1
[int] $numNumbers = 2 #Amount of times one of these number blocks can exist in your pass

#Option to print when adding a possibility to the list of possibilities.
#Consider making this false, it might make it somewhat faster (especially for very long passwords with small "blocks" in the lists.
$verbose = $TRUE


# Please put the correct RPC username/password below
$h = new-object Net.WebClient
$h.Credentials = new-object Net.NetworkCredential("RPCUSERNAME","RPCPASSWORD")
$h.Encoding = [Text.Encoding]::Default
# Above "Default" works for original encryption from the command line
# Change to "UTF8" when the GUI was used to encrypt (Was not necessary when tested -Rahazan)

[string[]]  $global:allPossibilities = @() #Empty array, you can manually add possibilities if you want (that you think will not be generated by the algorithm).

######################################################
# Time to create an array of all the possibilities! No need to change anything past this point.
######################################################



# Algorithm is next, it recursively builds the array of all possibilities.

Function generateAllPossibilities([string]$wordSoFar, $wordsList, $symbolList, $numberList, [int]$numWords, [int]$numSymbols, [int]$numNumbers)
{
    #Base case: Length of the created pass is too big, no need to further explore this node, go up one step in the tree.
	if ($wordSoFar.length -gt $global:maxLength) {
        #Too long! Done with this branch!
        return
    }
	
   #Add the word to the possibilities if the right length
	if ($wordSoFar.length -gt $global:minLength) {
		$global:allPossibilities += $wordSoFar
	}
    
	if ($numWords -gt 0) {#Have not added max amount of words to this possibility yet.
        for ($i=0;$i -lt $wordsList.length; $i++) {
	      generateAllPossibilities ($wordSoFar+$wordsList[$i]) $wordsList $symbolList $numberList ($numWords-1) $numSymbols $numNumbers
        }
	}
    
	if ($numSymbols -gt 0) {#Have not added max amount of symbols to this branch yet.
		for ($i=0;$i -lt $symbolList.length; $i++) {
	      generateAllPossibilities ($wordSoFar + $symbolList[$i]) $wordsList $symbolList $numberList ($numSymbols-1) $numNumbers
        }
	}
	
	if ($numNumbers -gt 0) {#Have not added max amount of nums to this branch yet. 
		for ($i=0;$i -lt $numberList.length; $i++) {
	      generateAllPossibilities ($wordSoFar + $numberList[$i] ) $wordsList $symbolList $numberList $numWords $numSymbols ($numNumbers-1)
        }
	}

}

[string]$wordsofar = ""

Write-Host "Generating all possibilities, may take a long time depending on the amount + size of the \"blocks\" you have given !"

#Calling the algorithm (function) above to fill the list!
generateAllPossibilities $wordSoFar $wordsList $symbolList $numberList $numWords $numSymbols $numNumbers

Write-Host "DONE Generating!"
Write-Host "Note: There seems to be a slight bug, about 1 in 100 of these strings break the rules (for instance 2 symbols where numSymbols was 1).. don't know why."
Write-Host "Will be printing all possibilities now:"


Write-Host $global:allPossibilities

Write-Host "===================="
Write-Host "Amount to be tested:"  $global:allPossibilities.length
Write-Host "Starting bruteforce!"
Write-Host "===================="
######################################################
# Time to start trying them one by one!
######################################################

$i = 0

# Somewhat altered code by 2112 -> from https://bitcointalk.org/index.php?topic=85495.msg1756901#msg1756901
$global:allPossibilities | foreach { 
    $i++
    try {
        $p = $_
        
        if ($i%4 -eq 0) {
            Write-Host "   '$p' " $i "/" $global:allPossibilities.length
        }
        else {
         Write-Host "   '$p'" -nonewline
        }
        
        $r = $h.UploadString('http://localhost:8332/','{"method":"walletpassphrase","params":["'+$p+'",1]}')
        # Write-Output $r
        Write-Output "Correct password found!"
        Write-Output "'$p'"
        break
    }
    catch [Net.WebException] {
        $e = $_
        switch -wildcard ($e.Exception.Message) {
             "*(401) Unauthorized*" {
                  Write-Output "Fix the user/pass!"
                  Exit-PSSession
             }
             "*(500) Internal Server Error*" {
                  continue
             }
             default {
                  $e | Format-List -Force 
                  Exit-PSSession
            }
        }
    }
}
#
# Exiting without success!
#
Write-Output "===================="

Write-Output "Exiting!"

I am running it now, after verifying it works with a newly encrypted wallet. I had to change my ExecutionPolicy settings in PowerShell (googled it as Rahazan suggested). I also googled and added a "pause" or Press Any Key to continue after the correct password is found, as running straight from the script simply closed the window after it was done, therefore not showing me the password.

Thanks Rahazan! If it works, I'll be sending you some BTC!

[Rahazan]

Any luck?