Mizogg/BitcoinWalletAnalyzer

Bitcoin Wallet Analyzer

The Bitcoin Wallet Analyzer is a Python-based graphical tool that allows users to load and analyze Bitcoin wallet files (.dat) generated by Bitcoin Core. The tool extracts encrypted keys (ckey), public keys, and addresses, providing a way to match them against a target Bitcoin wallet address. Built with PyQt6, the program offers a user-friendly interface for wallet analysis.

Features:

  • Load and analyze Bitcoin Core .dat wallet files.
  • Extract and display encrypted keys, public keys, and public addresses.
  • Match specific target addresses and display relevant details.
  • Support for drag-and-drop and file browsing to load wallet files.
  • Visualize the Bitcoin public address generation process (SHA-256, RIPEMD-160).

How to Run the Program

Prerequisites:

Ensure you have Python 3.6+ installed, as well as pip to manage dependencies.

Installation Steps:

Clone the repository to your local machine:

git clone https://github.com/Mizogg/BitcoinWalletAnalyzer.git

Navigate to the project directory:

cd BitcoinWalletAnalyzer

Install the required dependencies listed in the requirements.txt file:

pip install -r requirements.txt

Running the Application:

Once all dependencies are installed, run the program with the following command:

python main.py

The application window will open, where you can:

  • Enter a target wallet address in the provided field.
  • Load a Bitcoin Core wallet file (wallet.dat) using the "Load Wallet File" button or by dragging and dropping the file into the window.
  • The tool will display details about the encrypted keys, public keys, and any matches with the target address.

Example:

Match found for address 1F654t1HxrZtg7uhcXyZeFvRsyB8HCnBXJ!
Encrypted ckey: 3e2c64bb5a632d7b3c0b6318d5bc9eb7efc0d3c71a20d4108696a5e9ac750c242764c73978c6809a8f5d033f75575609
Public key : 0313c403e04becbcb83e93fbdd9eb9d1b04d9479bfc0864ef46c49a6ca266b6f1f
Raw address : 009a873c5363eba23619bc1962d56e84277c9af969a763b5bd
Mkey_encrypted: e648d207eb6a457cc3b415e5e6db38759de529051d808b5d34c679c43020a233e6b5161de2e85070127009d61e4c24c8

This output details:

  • The matching Bitcoin address.
  • The encrypted ckey (the encrypted private key).
  • The public key used to generate the Bitcoin address.
  • The raw address before encoding into the final Bitcoin address format.
  • The encrypted master key (mkey_encrypted) from the wallet file.

The functionality provided by this Bitcoin Wallet Analyzer can be useful in several specific scenarios, particularly for those who need to analyze or recover information from Bitcoin wallets. Here are some practical applications:

1. Recovering Lost Bitcoin Wallets

Purpose: People who have lost access to their Bitcoin wallets may still possess a wallet file (wallet.dat), but they lack the password or a matching private key.

Use Case: This tool allows users to extract and display the public keys, addresses, and encrypted private keys (ckey) from their wallet file. By identifying and matching a target address, users can focus on cracking or recovering the associated private key using tools like hashcat.

2. Forensic Cryptocurrency Investigations

Purpose: In legal, forensic, or investigative contexts, authorities may need to analyze Bitcoin wallets as part of a cybercrime or fraud investigation.

Use Case: This tool provides insights into the wallet file structure, helping forensic investigators identify the public addresses and encrypted keys stored within a wallet. They can then correlate this information with transactions on the blockchain to trace funds.

3. Cryptography & Educational Insights

Purpose: Enthusiasts, researchers, and students studying cryptography and blockchain technology may want to understand how public addresses are derived from public keys.

Use Case: The tool walks through each step of the address generation process, showing how SHA-256 and RIPEMD-160 hashes are applied, which can serve as an educational tool for understanding Bitcoin's cryptographic mechanisms.

4. Wallet File Compatibility Verification

Purpose: Someone may have a wallet file but is unsure if it's a valid Bitcoin Core wallet or if the file is corrupted.

Use Case: This tool verifies the structure of the wallet file, checking for the correct magic bytes and extracting keys. It can give users a clear indication if the file is usable or corrupted.

5. Identifying Target Addresses

Purpose: When dealing with multiple wallet files, you may be searching for a specific Bitcoin address that you know holds value.

Use Case: This tool allows the user to input a specific Bitcoin address, and the program will search the wallet file for that address and display its associated keys and other relevant details. This can help identify which wallet contains specific funds.

6. Managing Multiple Bitcoin Wallets

Purpose: Users who maintain several wallets may lose track of which wallet holds specific funds.

Use Case: By loading different wallet files, users can quickly match addresses to find out which wallet holds their Bitcoin.

Summary of Benefits:

Recovery Aid: Helps in cases where access to a wallet is partially lost.

Educational Tool: Illustrates how Bitcoin’s public address system works.

Forensic Use: Assists in tracking down wallets and tracing transactions.

Compatibility Check: Verifies Bitcoin Core wallet structure and content.

Key Extraction: Extracts critical information such as public keys and addresses.

In short, this tool provides a way to inspect wallet files, extract useful cryptographic details, and potentially assist in recovering access to Bitcoin addresses.

The tool has two methods, read_encrypted_key and read_wallet, which both contribute to the analysis of a Bitcoin Core wallet file. Both use consoleWindow to display their results. Here's a detailed breakdown of what each method does:


1. read_encrypted_key(self, wallet_filename)

This method reads the encrypted master key from a Bitcoin Core wallet file and extracts various cryptographic details.

Step-by-Step Breakdown:

  • wallet_file.seek(12):

    • The method starts by skipping the first 12 bytes of the wallet file, likely to ignore metadata or header information that is irrelevant to this part of the analysis.
  • magic_bytes = wallet_file.read(8):

    • The next 8 bytes are read to check for the presence of specific magic bytes (b"\x62\x31\x05\x00\x09\x00\x00\x00") that are unique to Bitcoin Core wallet files. If the file doesn't match, it prints an error message.
  • Search for the Master Key (mkey):

    • It then looks for the bytes \x04mkey\x01\x00\x00\x00 which signify the presence of an encrypted master key (mkey) in the wallet file. If it's not found, it prints an error message.
  • Extracting the Encrypted Master Key:

    • The method extracts 49 bytes representing the encrypted master key, 9 bytes for the salt, and 4 bytes each for the key derivation method and iteration count (used to derive the key).
    • These fields are unpacked from the file using struct.unpack_from("<49s9sII", mkey_data).
  • Warning for Unexpected Key Derivation Methods:

    • If the key derivation method is different from what is expected (method != 0), it prints a warning, indicating that a non-standard key derivation method was used in the wallet.
  • Extracting Important Fields:

    • IV (Initialization Vector): Extracted from the 16th to 32nd byte of the encrypted master key.
    • Ciphertext (ct): Extracted from the last 16 bytes of the encrypted master key.
    • Iterations: The number of iterations for key derivation is stored in iterations, which is formatted as hexadecimal.
  • Console Output:

    • The results, including the encrypted master key, ciphertext, salt, IV, and iteration count, are printed to the console (self.consoleWindow.append_output(...)). These values are critical for key recovery tools, such as when attempting to brute-force or decrypt the wallet.

2. read_wallet(self, file_path)

This method analyzes the entire wallet file, calling read_encrypted_key and performing additional analysis, like finding and extracting ckey (encrypted private keys) and public keys.

Step-by-Step Breakdown:

  • self.read_encrypted_key(file_path):

    • It starts by calling read_encrypted_key to extract and display the encrypted master key as discussed above.
  • Read Wallet Data:

    • The method reads the entire wallet file into memory (data = wallet.read()), which will be used for further analysis.
  • Find and Extract the Master Key (mkey):

    • It searches for the term mkey in the wallet file, similar to the previous method, but this time it extracts 48 bytes preceding the found mkey as part of its data analysis.
  • Console Output for Master Key:

    • If a master key is found, it prints the encrypted master key to the console using self.consoleWindow.append_output.
  • Extracting ckey (Encrypted Private Keys):

    • After extracting the master key, it searches for occurrences of the term ckey, which signifies an encrypted private key.
    • If a ckey is found, it extracts 123 bytes of data around the found location. The first 48 bytes are the encrypted private key, and the public key follows.
  • Public Key Analysis:

    • The length of the public key is determined from the 57th byte, and the public key is extracted. The extracted public key is passed to self.pubkeytopubaddress(public_key) to generate the corresponding Bitcoin public address.
  • Console Output for Encrypted Private Key and Public Key:

    • The method then prints the extracted information to the console window, including:
      • The encrypted ckey (encrypted private key).
      • The public key.
      • The Bitcoin public address derived from the public key.
  • pubkeytopubaddress(public_key):

    • This is a helper function that converts the public key into a Bitcoin public address. It does this by:
      1. Hashing the public key with SHA-256.
      2. Applying RIPEMD-160 to the SHA-256 hash.
      3. Adding a network byte prefix (0x00 for Bitcoin).
      4. Computing a checksum using double SHA-256.
      5. Encoding the result using Base58 (a Bitcoin address format).
    • This derived Bitcoin address is printed to the console.
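
The five steps listed for pubkeytopubaddress, together with the reverse direction needed to validate a target address before matching, as an added example (not the repository's own code). The function names here are hypothetical, and hash160 relies on the local OpenSSL build still exposing RIPEMD-160 through hashlib.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def hash160(pubkey: bytes) -> bytes:
    # Steps 1-2. hashlib only offers ripemd160 when the linked OpenSSL
    # exposes it; on builds without it this raises ValueError.
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()

def checksum(payload: bytes) -> bytes:
    # Step 4: first four bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Every leading zero byte becomes a literal '1' in the encoded string.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def encode_address(h160: bytes, version: bytes = b"\x00") -> str:
    # Steps 3-5: prepend the version byte, append the checksum, Base58-encode.
    payload = version + h160
    return b58encode(payload + checksum(payload))

def decode_address(addr: str) -> bytes:
    # Reverse of steps 3-5; rejects anything but a well-formed version-0 address.
    raw = b58decode(addr)
    if len(raw) != 25 or raw[0] != 0:
        raise ValueError("not a 25-byte version-0 address")
    if checksum(raw[:21]) != raw[21:]:
        raise ValueError("checksum mismatch")
    return raw[1:21]

def matches_target(h160: bytes, target: str) -> bool:
    # Compare on the 20-byte hash so a mistyped target never matches.
    try:
        return decode_address(target) == h160
    except ValueError:
        return False
```

Decoding the target once and comparing 20-byte hashes means a mistyped or truncated target address is rejected by its checksum instead of silently producing "no match" for every key in the wallet.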

Summary of the Methods:

  1. read_encrypted_key():

    • This method focuses on extracting and printing details related to the encrypted master key (mkey) from a wallet file. It gathers essential cryptographic details (like IV, ciphertext, and salt) for potential decryption attempts.
  2. read_wallet():

    • This method is more comprehensive. It not only extracts the master key but also identifies and extracts encrypted private keys (ckey) and associated public keys. It further converts the public keys into Bitcoin addresses and prints all this information to the console.
    • This method calls read_encrypted_key first, then proceeds to scan the wallet for additional information such as encrypted keys and addresses.

Both methods provide valuable insight into a wallet's structure and can assist in recovering lost or encrypted Bitcoin funds.

About

This 🐍Python🐍 project uses `PyQt6` to create a GUI that reads and analyzes Bitcoin wallet files, providing insights into encrypted keys, public addresses, and other wallet details.
