wallet.dat (hex values) from 2009

19 replies 286 views
Posts: 1 · Reputation: 89
#1Jun 24, 2021, 05:59 PM
I recently dug up my old hard drive and found wallet.dat, but a lot of files are corrupted. Also, I can’t identify the names and dates of most of the files. I tried to search for the binary (hex code?) but I found a ton of files with "6b 65 79" and couldn't locate "04 20". Honestly, I'm not a computer whiz and I’m clueless about how to fix these corrupted files. If "04 20" didn't exist back in 2009, can anyone guide me on how to find my private key? Thanks in advance.
6 Reply Quote Share
0xOrbitMember
Posts: 28 · Reputation: 197
#2Jun 25, 2021, 04:30 PM
So you lost your keys and now you're having trouble finding 420?
0 Reply Quote Share
Posts: 14 · Reputation: 211
#3Jun 27, 2021, 12:37 AM
Are you on Windows? Or Mac? I'm going to assume Windows. Download WinHex: https://www.x-ways.net/winhex/ Unzip it. (If you don't know how to do this, tell us which version of Windows you're running. It could be Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP... The process changes slightly depending.) Right Click WinHex.exe. (It may just be called WinHex. The icon will look like this: https://i.imgur.com/RdWDVSZ.png Run it as administrator. (Needed to do a raw byte search of the disk.) https://i.imgur.com/HuEkazY.png You then may have to allow it which again will vary slightly depending on which Windows you're running. Go to tools, open disk. https://i.imgur.com/OPTT0mG.png Select your recovered drive and click OK. It will begin traversing the drive: https://i.imgur.com/G1BZjLG.png You can click the x. It will ask if you want to abort. Click yes. Go to search, find hex values. You will get a window that looks like this: https://i.imgur.com/xPhKBf9.png Type 0420 into it exactly as shown. Click OK. After some amount of time, the window should find an instance of it. There will be a blinking cursor highlighting it on the window. https://i.imgur.com/bKMkS8N.png This is (probably) not the start of your private key. It's just to make sure your hard drive isn't totally messed up. (It's pretty unlikely any given two bytes would not be found on a used hard drive. If it's really not found as you claim, you're probably out of luck.) If it found something, go to search, find hex values again. Enter this value: 308201130201010420 https://i.imgur.com/nKojITh.png Click OK. This search could take a LONG time depending on the size of the harddrive. Expect to wait at least a few hours. If it finds a result, just as before, the cursor will be blinking at the start of the result. Your private key is (probably) after the 0420 after the cursor. Write down the 64 digits following 0420 (including the letters) and show no one anything related to these 64 digits. It will allow them to steal your money. Edit: After you have written down the digits, go to search, continue search. If another result is found, once again, write down the 64 digits after the 0420 again. Then go to search, continue search again. (Unless the digits are identical.) If you see this instead: https://i.imgur.com/GNh1Xmd.png You're probably out of luck. But I could write similar step by step instructions for PyWallet. (I probably should have done that in the first place that you mentioned searching for 0420 locked my mind into this hex search method.)
4 Reply Quote Share
0rb1t777Member
Posts: 1 · Reputation: 61
#4Jun 27, 2021, 08:35 AM
I am going through this now. I mined coins in Feb 2009 and am either mourning or recovering them, not sure which. I have confirmed this approach using a 2009 0.1.3 bitcoin client which I recently downloaded. I ran the client in a windows VM, and deleted the VM. this method found the private key. stop using all media until you image them. you can image the media from any system. back up all media to a large external drive, you really want to do this I use a western digital 6tb my book ($140) , its very fast for going through multiple images. when you search images you don't have to worry about overwriting the file in deleted sectors when you are installing search tools.. do this to all your media, especially any thumb drives you have. buy some thumb drives. search your trash for things you might have thrown away ( I threw away a floppy disk containing my 2009 wallet.dat ) If media is broken, including hard drives, Kroll Ontrack is the best in the world, and can usually recover them, hard drives are about $1500 back up with the unix tools dd or ddrescue or install ddrescue with OS X homebrew this program will image corrupt media, save the image to the external drive, I brew install ddrescue or make a disk image using OS X disk utility or use a tool like "disk drill" on the Mac, which can create images as well. bitcoin wallets do not show in traditional file recovery software, they don't have definite boundaries in the file, so the tools don't like them. A signature based recover works best, signature meaning it searches for hex code immediately preceding the private key. some recovery software can retrieve them if they were JUST deleted. my solution is to use the python program keyhunter.py https://github.com/pierce403/keyhunter download the repo from GitHub, using either git or just download it. make the keyhunter.py executable install python move the .py executable to the directory whose images you want to search. run it. if you're on a Mac, diskutil list  to find the hard disk to attack usually /dev/disk0 if it's file vault encrypted its /dev/rdisk1 if your on linux lsblk copy the device path run the program thusly ./keyhunter.py /dev/disk0 if is searching an image. ./keyhunter.py IMAGENAME if your searching a whole directory of images for x in *.img; do ./keyhunter.py $x;done; then wait a really really long time, it searches the entire drive, 10 megs at a time for the offending hex keys. it searches deleted sections, it searches old vm's in deleted sections as well as current vm's, it's good. when it finds a match it returns the private key in base58 format. if you find a key, GREAT. if you don't find a key, maybe at some point you zipped the file to move from machine to machine. a zipped file will not have the same signature. you can use recovery tools to find all old zip files ( this is really tedious, and a external drive will shine here ) unzip them, and search using keyhunter.py now download an run the tool pycoin. Use the python program pip to install it. https://github.com/richardkiss/pycoin pycoin installs the tool 'ku' run ku YOUR_PRIVATE_KEY if the key starts with a  5 this indicates whether the base58 key is uncompressed , it will correspond only to a uncompressed address. see https://en.bitcoin.it/wiki/Private_key it will return a bunch of info about it. look for the compressed and uncompressed address. each key corresponds to exactly one address, either uncompressed address or compressed address, but not both. check blockchain.info for the address. DO NOT ENTER YOUR PRIVATE KEY IN THE SEARCH FIELD ON WEBPAGES. if you find a hit, run ku again, get the either compressed or uncompressed wif key, import that to a modern electrum wallet. If you want to see how many coins you might have. https://www.reddit.com/r/Bitcoin/comments/2twrs7/all_42400_dormant_bitcoin_addresses_with_a/ The minimum in 2009 was 50 coins. it initially took about 20 minutes on a fast machine to generate this many. Mine was 10 years old, and really slow.
2 Reply Quote Share
Posts: 5 · Reputation: 77
#5Jun 29, 2021, 07:48 PM
joel.from.minnesota pretty much gave you a good 'tutorial' on how to recover (or at least try to recover) those files. But i want to say one ahead: Do not access/use this hard drive until you have made an (forensic) image of it! Every access to your hard drive can damage those files you are looking for. Additionally, if you have larger amounts on your hard drive (which you really cant afford to lose), then you should consider using a writeblocker [1] (to be on the sure side). If you need help with the tutorial from joel feel free to PM here / awnser in this thread. [1] http://www.forensicswiki.org/wiki/Write_Blockers
1 Reply Quote Share
CalmNovaFull Member
Posts: 72 · Reputation: 357
#6Jun 29, 2021, 11:34 PM
Hi, Can someone tell me if the WINHEX method also works as detailed if the wallet.dat was encrypted (with Multibit Classic in early 2014)? Many thanks,
4 Reply Quote Share
maxi2009Member
Posts: 6 · Reputation: 63
#7Jun 30, 2021, 04:00 AM
MultiBit Classic doesn't use "wallet.dat"... it uses a completely different wallet file format... and defaulted to calling those files "multibit.wallet". You will NOT be able to use the WINHEX method outlined above due to the different wallet formats.
3 Reply Quote Share
CalmNovaFull Member
Posts: 72 · Reputation: 357
#8Jul 2, 2021, 01:40 PM
Ok thanks, I'm looking to recover two different wallets. The first one being a Multibit Classic Bitcoin wallet and the second being a Litecoin-qt core Litecoin Wallet. Will the WINHEX method work with the encrypted Litecoin qt wallet?
3 Reply Quote Share
maxi2009Member
Posts: 6 · Reputation: 63
#9Jul 3, 2021, 06:27 PM
Honestly no idea... I'd probably use Pywallet... it can be made to work with coins other than Bitcoin by using the appropriate "--otherversion" parameter. It has a "recover" mode which scans disks looking for wallets/keys etc. refer: https://bitcointalk.org/index.php?topic=38004.0
1 Reply Quote Share
Posts: 7 · Reputation: 83
#10Jul 3, 2021, 09:41 PM
And if wallet.dat was renamed for disguise in something.rar? How does this keyhunter.py run under windows 10? To me write this and proposes to kill the program
1 Reply Quote Share
maxi2009Member
Posts: 6 · Reputation: 63
#11Jul 4, 2021, 05:49 PM
Are you trying to run the script from the command line? Or are you simply double clicking it? Python and Python scripts run OK when using Windows 10... I write and run them all the time. However, you cannot just double click on the file,a you need to run it from a "command" window... So, if keyhunter.py is in the C:\Python27 directory like your post suggests... Try opening a command prompt (WINDOWS+R, type cmd and press enter):
1 Reply Quote Share
Posts: 7 · Reputation: 83
#12Jul 4, 2021, 10:16 PM
Edit with IDLE \ Run \ Run module I get it ./C:\Python27\keyhunter.py <filename> If you add a filename C:\Python27\python.exe C:\Python27\keyhunter.py aaa.txt nothing happens.
3 Reply Quote Share
maxi2009Member
Posts: 6 · Reputation: 63
#13Jul 4, 2021, 11:55 PM
Looking at the code for keyhunter.py, it only prints output if it finds keys in the file. If you are getting no output, then the script was unable to find any keys. It basically just opens the file and starts reading bytes looking for the sequence: '\x01\x30\x82\x01\x13\x02\x01\x01\x04\x20' So, if that sequence of bytes is not detected anywhere in the file, it will return empty. Have you tried testing it with a known good file? Ie. A new empty wallet.dat to make sure that the script actually works? I'd suggest using an encrypted and an unencrypted wallet.dat Once you have confirmed that the script works on a known good wallet file, you can try it on the old file.
3 Reply Quote Share
Posts: 7 · Reputation: 83
#14Jul 5, 2021, 02:10 AM
As if he quickly works out if he ran all the hard and did not write anything and then immediately gives out. For the test set, core 0.4.0., v0.1 Well, how do I check the CDs for them? Created wallet.dat in v0.1 version the same. ./C: \ Python27\keyhunter.py <filename> It should scan the entire disk, and not on the way to watch AppData\Roaming\Bitcoin
1 Reply Quote Share
maxi2009Member
Posts: 6 · Reputation: 63
#15Jul 6, 2021, 07:18 PM
It will only scan the entire disk if you're using Linux... as you can pass a "device" name to the keyhunter.py script in Linux and keyhunter.py will attempt to treat it like a "file" and start reading through it. Linux: ./keyhunter.py /dev/sdc /dev/sdc is a "device" like a harddisk... EDIT: unfortunately, you can't do this in Windows. It doesn't work that way. So, you'd need to create an image file of your disk using some sort of disk imaging tool and then pass that image file to the script. For windows you need to use \\.\PhysicalDiskN where N is the number of the disk you are trying to read (Credit to 2112): Otherwise, your best bet is to forget about keyhunter... and use pywallet. It has a recover mode for scanning whole disks/images.
5 Reply Quote Share
alt420Member
Posts: 3 · Reputation: 56
#16Jul 9, 2021, 05:06 AM
It does work just fine on Windows. The syntax is something like keyhunter.py \\.\PhysicalDisk2 . Of course one does have to use "elevated command prompt" a.k.a. "run as administrator".
3 Reply Quote Share
Posts: 7 · Reputation: 83
#17Jul 9, 2021, 06:06 AM
Nothing works, it's dull. some kind of sadomasochism (linux). pywallet < this just install the whole attraction. Assembler with dos is no longer relevant?..))
4 Reply Quote Share
4lt404Member
Posts: 1 · Reputation: 98
#18Jul 11, 2021, 10:30 AM
I know this is a very old thread but i'm coming up short on all my google searches. I was wondering if it's possible to find the wallet with keys if that wallet was an encrpted? I have the old drive and forensics shows data but i can't find the wallet with hex and the mentioned sequence. is there a differenet sig for an encrpted wallet? or is it truely lost? I may have been decieved or scammed? but this was a first year wallet with the first qt client and had what i think I rememeber was 1000 coins?
4 Reply Quote Share
alex.gw31Member
Posts: 33 · Reputation: 218
#19Jul 11, 2021, 11:15 AM
I believe it uses the same signature bytes. According to my memory, I saw berkeley db entries for "key" and "ckey" (unencrypted and encrypted it stands for, I believe), having a common byte sequence like that one. Please explain your situation more, because we have no idea how you would've been scammed like this.
6 Reply Quote Share
Posts: 13 · Reputation: 110
#20Jul 11, 2021, 01:01 PM
Imho your best choice is to make your own separate topic explaining (much) more clearly your situation and asking for help. Asking in such old topics will get no answers from the original user(s) anyway, since those people are usually inactive for years already.
5 Reply Quote Share

Related topics