bowler99

Seriously lost trying to recover XRP from 2013


On 10/12/2018 at 5:05 AM, eiprol said:

Guys, I got it.

A HUGE thank you to you all!

Let me explain how, so anyone in my situation can make use of it. I used dchapes' script.

 

FIRST
Since my wallet was OLD, I had to use the old passkey code in dchapes' script, as @amulecregg pointed out.

So I had to find this line and uncomment it (commenting the one above):


//passkey := strconv.Itoa(len(*nameFlag)) + "|" + *nameFlag + *passFlag
passkey := *nameFlag + *passFlag // old bad method

(That also required removing some import at the top of the file)

 

SECOND

Then, I created a list of possible usernames and possible passwords, separated by spaces, and placed them in the same folder, in a names.txt file and a words.txt file.

I did it automatically with a hand made script, but you could well do it by hand if there are only a few.

 

THIRD

I ran this bash script on terminal:


for i in $(cat names.txt); do for j in $(cat words.txt); do wallet-recover -json -stub end.txt -name "$i" -pass "$j"; done; done

 

Note that I'm using -stub end.txt, so it creates and writes to a file when it successfully decrypts the wallet!

 

THE END

When the script ended, I couldn't believe that there was an end.txt file in it. I had tried soooo many times without success... but there it was!

However, if you open it, you will find another encrypted wallet. What? Yes, but don't worry. This means that you have the right name and the right password.

Go to your terminal, press ctrl+f / cmd+f, and look for this: master_seed

There it is. Your seed. And a few lines above, your username and password.

Thank you all!


PS: My username was not my nickname, it was another simple username I use sometimes. But not related to the public key!

Since my wallet was OLD, I had to use the old passkey code in dchapes' script, as @amulecregg pointed out.

So I had to find this line and uncomment it (commenting the one above):

//passkey := strconv.Itoa(len(*nameFlag)) + "|" + *nameFlag + *passFlag
passkey := *nameFlag + *passFlag // old bad method

(That also required removing some import at the top of the file)

 

assuming I have an old one too, but what imports did you need to remove? Any other steps besides switching the lines comment status? IIRC you said you had some special characters in your name as well, did you just exclude them? 

10 hours ago, eiprol said:


Type this and show me the output:


echo $GOROOT

No matter the output, type this (we are going to try unsetting this $GOROOT variable. I didn't set it, and it's working for me, so let's do it):


unset GOROOT

If you type this again, it should be empty now:


echo $GOROOT

So now, try this again:


go get bitbucket.org/dchapes/ripple/wallet-recover

If it still fails, type this and paste me the output:


ls /home/me/gotest && ls /home/me/go

I'm not the GO expert here, not at all, but in the meantime... I think you might be pointing the $GOPATH to your GO installation folder, instead of to the proper one (if that's the case, setting $GOPATH to /home/me/go instead of /home/me/gotest, repeating the nano & source process I said before, could fix it)

believe I have everything setup correctly, except perhaps modifications to the wallet-recover file. I have it running and it seems to take some inputs, spits a lot of info etc. 

 

few questions

do I enter password as : "password" or password

do I enter username as bowler99 or as the real name, B[o]WLer99 etc, or "bowler99" ? 

I've got three versions of the wallet-recover file open, original, an original edited to use the old method, and the one kindly posted by eiprol. 

 

I get the error: error decrypting and authenticating blob:ccm: message authentication failed exit status 1    on version 1,

on second I got the error 'undefined: strconv, rand, passkey'  (removing new wallet method through commenting and using old) 

I get the error: invalid BOM in the middle of the file with eiprols,

 

so I am left very disappointed now but I do feel closer than ever before. I hope it's some semantics issue and not an issue with the username or the like. 

Edited by bowler99

11 hours ago, bowler99 said:

changing directory appeared to work, but when I change to 

/home/me/gotest/src/bitbucket.org/dchapes/ripple/cmd/wallet-recover and try to run ./wallet-recover.go I get the error:

./wallet-recover.go
bash: ./wallet-recover.go: Permission denied

 sudo ./wallet-recover.go
[sudo] password for me:     
sudo: ./wallet-recover.go: command not found
 

:( suppose it's close to working but I am not sure where to go from there 

 

 

Don't worry, even though I'm not a Go expert, I think I know that one. You are trying to run a "Go source code file" as a binary, that's why it fails.

To run a source file, you first have to compile it and build a binary. But in this case, with a go source file, you can also do this (I think you don't even need sudo):

go run wallet-recover.go

Which I guess tells the go compiler to run this source file on real time, acting as a binary (or something like that).

 

However, unless you are using my modded source, which takes names and passwords from text files, you still need to add flags to that command, or it won't do anything:

go run wallet-recover.go -name yourname -pass yourpass

 

=========
 

Quote

Since my wallet was OLD, I had to use the old passkey code in dchapes' script, as @amulecregg pointed out.

So I had to find this line and uncomment it (commenting the one above):

//passkey := strconv.Itoa(len(*nameFlag)) + "|" + *nameFlag + *passFlag
passkey := *nameFlag + *passFlag // old bad method

(That also required removing some import at the top of the file)

 

assuming I have an old one too, but what imports did you need to remove? Any other steps besides switching the lines comment status? IIRC you said you had some special characters in your name as well, did you just exclude them? 

 

I removed the "strconv" at the top of the file because it was failing for me, but maybe you could leave it and still run it, using the "go run xxxx" I said above.

The only thing you have to make sure when commenting the new method and uncommenting the old one, is that after passkey, you have := instead of =

BAD:

//passkey := strconv.Itoa(len(*nameFlag)) + "|" + *nameFlag + *passFlag
passkey = *nameFlag + *passFlag // old bad method


GOOD:

//passkey := strconv.Itoa(len(*nameFlag)) + "|" + *nameFlag + *passFlag
passkey := *nameFlag + *passFlag // old bad method

(I'm not 100% sure, but I think it was without the := on dchapes code. But I might be wrong. Just make sure)

 

=========

 

Quote

 

(I'm not 100% sure, but I think it was without the := on dchapes code. But I might be wrong. Just make sure)

few questions : 

do I enter password as : "password" or password

do I enter username as bowler99 or as the real name, B[o]WLer99 etc, or "bowler99" ? 

I've got three versions of the wallet-recover file open, original, an original edited to use the old method, and the one kindly posted by eiprol. 

 

 

 

 

I would say without quote marks; but I could be wrong, and both might be valid.

The username must be lowercase, no matter what you used. But it must contain any symbol. So: b[o]wler99

The password doesn't have to be lowercase. Could be: PaSsWoRd8213.

 

Quote

I get the error: error decrypting and authenticating blob:ccm: message authentication failed exit status 1    on version 1,

This is normal, means that it failed to open the wallet (incorrect username or password)

(That's why I modified it, to use a bunch of usernames and passwords, instead of going one by one)

Edited by eiprol
Added new quotes to answer more questions


There was a lot of good discussion here recently but imo it got a little bit difficult to find useful information.
Especially for non-technical people it might be quite confusing.

Kudos to @amulecregg for pointing out the comment about old passkey which helped eiprol get his master_seed out and also for new build allowing to use a flag to control that.
Sadly I no longer see your repo/build available so for the rest of these instructions I will just use DChapes repo only.

Kudos to @eiprol for providing wallet contents for test - I will use that quite a bit in my instructions below.
While you also created a new repo with a built-in option for bruteforcing - I will stay away from it to avoid the potential of future changes becoming potentially insecure - although for anyone stuck in big bruteforcing please refer to @eiprol's repository as it is probably much faster !

So my idea now is to provide instructions that will be easy to follow for anyone regardless of OS and skill level that is safe and easy to follow.
I tested that on both Windows and Mac with success and I would love to hear from you about whether it looks ok.

Top level summary of what's below:
- create linux VM on your PC using trusted sources (automated)
- create environment for GO and wallet-recover executable (automated)
- create bruteforcing script that only requires you to put your username/password wordlists (obviously manual)
- prevent any scripts run in VM to access internet (by removing network from VM)
- test recovery works using test wallet

First let's install virtualbox (https://www.virtualbox.org/wiki/Downloads) and vagrant (https://www.vagrantup.com/downloads.html)
Why ? because these are used by millions of people and are considered safe. You can do it on any OS and will be the only thing to uninstall after you are done.
Virtualbox will allow us to create Ubuntu VM on your PC and Vagrant will help to automate majority of set up.
Since we will run everything in virtual machine you will be able to unplug virtual network cable and there is no risk then that your secrets will be stolen as VM will have no internet connectivity.
I won't go into steps of how to install them - refer to instructions on software vendor website. You should restart your pc after installation

Now that we have both installed let's create Ubuntu Virtual Machine.
To do that with minimal hassle create a new folder (i.e. ripple_recover) and inside it create another one called ‘stuff’.
Then in ripple_recover create new file “Vagrantfile” (no extension !) with following contents:

Quote

$script = <<-SCRIPT
echo "Installing Docker"
sleep 5

#setup docker as per instructions https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository
sudo apt-get update
sudo apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
   
sudo apt-get update
sudo apt-get install -y docker-ce

#add vagrant to docker group
sudo usermod -aG docker vagrant

echo "Creating dockerfile for wallet-recover go executable"
echo "\tfrom DChapes https://bitbucket.org/dchapes/ripple/src/default/cmd/wallet-recover/wallet-recover.go"
echo "\twith separate version for old type passkey"
echo "\tand brute-forcing script"
sleep 5

#create dockerfile for wallet-recover from dchapes
cat >/home/vagrant/Dockerfile <<EOL
FROM golang:latest
WORKDIR /tmp
ENV GOPATH /go/src
RUN go get bitbucket.org/dchapes/ripple/cmd/wallet-recover
#replace passkey with oldmethod
RUN sed -i 's/passkey := strconv.*/passkey := *nameFlag + *passFlag/' /go/src/src/bitbucket.org/dchapes/ripple/cmd/wallet-recover/wallet-recover.go 
#remove unused package
RUN sed -i '/strconv/d' /go/src/src/bitbucket.org/dchapes/ripple/cmd/wallet-recover/wallet-recover.go 
#build as wallet-recover-old
RUN go build -o /go/src/bin/wallet-recover-old /go/src/src/bitbucket.org/dchapes/ripple/cmd/wallet-recover/ 
EOL

#create bruting script in case needed
#kudos eiprol
cat >/stuff/brute.sh <<EOL
#!/bin/sh
#This script is to be run from within docker not on VM
wfile=\\\${1:-ripple-wallet.txt}
usernames=\\\$(cat /tmp/brute-usernames.txt)
passwords=\\\$(cat /tmp/brute-passwords.txt)
ucount=\\\$(echo \\\$usernames | wc -w)
pcount=\\\$(echo \\\$passwords | wc -w)
total=\\\$((\\\$ucount * \\\$pcount))
index=0
echo "Trying \\$ucount users and \\$pcount passwords\\n"
for i in \\\$usernames; do 
    for j in \\\$passwords; do 
        index=\\\$(expr \\\$index + 1)
        printf "Progress: \\\$index/\\\$total\\t\\t\\r"
        if /go/src/bin/wallet-recover -name \\\$i -pass \\\$j -wallet \\\$wfile 2>/dev/null; then
            echo "Success with user: \\\$i and pass: \\\$j using new passkey"
            /go/src/bin/wallet-recover -json -name \\\$i -pass \\\$j -wallet \\\$wfile 2>/dev/null
            break 2;
        fi
        if /go/src/bin/wallet-recover-old -name \\\$i -pass \\\$j -wallet \\\$wfile 2>/dev/null; then
            echo "Success with user: \\\$i and pass: \\\$j using old passkey"
            /go/src/bin/wallet-recover-old -json -name \\\$i -pass \\\$j -wallet \\\$wfile 2>/dev/null
            break 2;
        fi
    done;
done;
echo "Done. Tried \\$index/\\$total combinations. Hope somewhere above you see 'master_seed' :) If not, try to expand your username/password wordlist"
EOL
chmod +x /stuff/brute.sh

#create brute username list
echo "wrong wrong wrong wrong eiprol wrong wrong wrong wrong wrong wrong " > /stuff/brute-usernames.txt
#create brute passwordlist
echo "wrong wrong wrong wrong wrong wrong wrong wrong TestPass01" > /stuff/brute-passwords.txt

#create old type wallet for test
#kudos eiprol
echo eyJpdiI6IlBhT2lmTmJid0U4cytVVmRZOEJkUXc9PSIsInYiOjEsIml0ZXIiOjEwMDAsImtzIjoyNTYsInRzIjo2NCwibW9kZSI6ImNjbSIsImFkYXRhIjoiJTVCJTVEIiwiY2lwaGVyIjoiYWVzIiwic2FsdCI6IjNpYjA1SFcwZ0FvPSIsImN0IjoibjFObjlRZ0xiRmJEWVNReDBNOE9rWU15NDN3NUdCNi9qaGROT00wK05BaEFIMTQ1Tk84cW1SdDdRNFhiMHBSQ1hOd1ZtZ3FhLzFIdVZPWFRCZnI3T3FjY1JHT3MxRXNmNzhkY1E0MExrVnhhb0ZXREdxT0IrZHFHcVdiVkxjU1RXU1hsU0Iza1NpbU5BMlRBN09BVkdzcThtS3BTcTRPQ282elFJV1E2N1R6d1RXTEpGWkVJTHZUdStDUFYxQ1daMzBXdHdENjM0ckJNYWt2Nk90MWhLaDZhSkxqbCt0dWZ3U2c9In0K >/stuff/test-wallet-old.txt


echo "alias wallet-recover='docker run -v \\\$(pwd):/tmp wr /go/src/bin/wallet-recover'" >> /home/vagrant/.bash_aliases
echo "alias wallet-recover-old='docker run -v \\\$(pwd):/tmp wr /go/src/bin/wallet-recover-old'" >> /home/vagrant/.bash_aliases
echo "alias bruteforce='docker run -v \\\$(pwd):/tmp wr /tmp/brute.sh'" >> /home/vagrant/.bash_aliases

echo "Building docker image silently (it will take a while)"
sudo docker build -q -t wr -f /home/vagrant/Dockerfile /home/vagrant

#final words
echo "Looks like we are done"
echo "Check there are no errors above (anything in red ?)"
echo "You can disable VM network for increased safety"
echo "To test log into VM using username:vagrant, password:vagrant and run following:"
echo "\tcd /stuff"
echo "\twallet-recover --json -name eiprol -pass TestPass01 -wallet test-wallet-old.txt"
echo "\twallet-recover-old -name eiprol -pass TestPass01 -wallet test-wallet-old.txt"
echo "\tbruteforce test-wallet-old.txt"
echo "First one should fail as test wallet has old type passkey"
echo "Second one should succeed"
echo "Third one should succeed after a while by using brute force method"
echo "Good Luck !"
SCRIPT

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.synced_folder "stuff/", "/stuff"
  config.vm.provision "shell", inline: $script
end


Explanation:
ubuntu/trusty is an official Ubuntu prebuilt VM picked up from this list of public machines: https://app.vagrantup.com/boxes/search
Provisioning script will install docker as per instructions from https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository
I could have installed go etc but I prefer using docker - much simpler imo.
It will also make it so that ‘stuff’ folder from your PC is mirrored in /stuff folder in VM - this allows for easier file modification of wallet or bruteforcing usernames/passwords.
Then script adds vagrant user to docker group so we can run docker commands later once we log in into VM
Creates Dockerfile that will have wallet-recover from DChapes
It will also replace passkey to use old method and build that as wallet-recover-old executable
Furthermore vagrant will create (in stuff folder) bruteforcing script, test wallet file and username/password wordlists with test entries for bruteforcing
Vagrant will also prepare 3 aliases:
wallet-recover - will trigger docker command to execute wallet-recover from within docker
wallet-recover-old - will trigger docker command to execute wallet-recover-old from within docker
bruteforce - will trigger bruteforcing through docker


I would like to ask community to review this script and confirm what I'm saying is true (@amulecregg, @eiprol ?)


Once we have the file created let's try creating the VM:

Open command line in this new folder (ripple_recover ?) and execute ‘vagrant up --provider=virtualbox’

What you should see is that:

01_vagrant_up.png

And it might take good few minutes to finish.

Once it's done our VM should be running.
To get to it, open up virtualbox where you will see your box running: 

02_virtualbox_machine.png


When you double click on that you will notice something like that: 
03_box_login.png

you can type in vagrant for login and vagrant for password to get into the box
When you get message about the mouse just read it and click ‘capture’, (Note: to get back to your host and have mouse normally moving press right-ctrl (by default))

Lets switch to stuff folder by typing
cd /stuff

And check whether we have internet connection with:
curl https://google.com

We do - so lets disable it in virtualbox menu:
click Devices -> Network -> Connect Network Adapter
This should unplug your cable from VM

Try curl again. It should get stuck for a while and then return error.
04_curl_test.png


From now on no program or script run within VM can go out to internet so even if it's something dodgy it won't be able to steal your secrets.

Now lets test that everything is ok by trying to recover test wallet:
wallet-recover --json -name eiprol -pass TestPass01 -wallet test-wallet-old.txt
wallet-recover-old -name eiprol -pass TestPass01 -wallet test-wallet-old.txt
bruteforce test-wallet-old.txt

First one should fail and next two should be successful.

Result of wallet-recover: 

05_wallet_recover_fail.png

Result of bruteforce: 

06_bruteforce_success.png


Now that we know things work and your data is safe we can start to work on own wallet.
Copy your ripple-wallet.txt to ripple_recover/stuff folder on your PC (your ! not VM)
This actually makes it available on VM in /stuff directory (VM directory)

try running
wallet-recover --json -name YOUR_USER -pass YOUR_PASS
and
wallet-recover-old --json -name YOUR_USER -pass YOUR_PASS

If either is successful - GRATS !
If not, open up on your PC two files in ripple_recover/stuff directory:
brute-passwords.txt
and
brute-usernames.txt

remove all the contents (these were used for test only)
And put any user you can think of -(in user file) same with passwords (in password file) space delimited.

Run (in VM) ‘bruteforce’ and hope for the best.
If it fails you will need to basically think of new usernames/passwords to put in for bruteforcing.
Might be worth reading on crunch https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

Hope it makes sense - I was really rushing and it still took me a good while.

Even if you don't plan to use it, let's hope it might work as a reference for any questions being asked.

EDIT: if you copy text to Vagrantfile and it complains with undefined method - look at the line it points to and edit manually any quotes or spaces as copy-pasting could have changed characters to unicode - sorry. Not My fault

EDIT 2: bruter script must be updated to encapsulate username/password and possibly even encode for safe bash use - will try to update it sometime soon

I might create repo just for this part of the work and organize the scripts a little bit better - if only I find time 

Edited by sajkox
moving images around
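
The loops posted in this thread expand the candidate username and password unquoted, the problem the "EDIT 2" note in the post above refers to. The following is an added example, not code from the thread or from dchapes' repository, comparing that pattern with a quoting-safe loop for a username such as b[o]wler99. `fake_recover` is a constructed stand-in for wallet-recover, and the one-candidate-per-line list format is an assumption (the thread's lists are space separated).

```shell
#!/bin/sh
# Added example; not code from the thread or from dchapes' repository.

# Constructed stand-in for wallet-recover so the demo runs offline:
# it "decrypts" only for one exact username/password pair.
fake_recover() {
    [ "$#" -eq 4 ] && [ "$2" = 'b[o]wler99' ] && [ "$4" = 'Test Pass*01' ]
}

# The thread's pattern: $(cat file) is word-split and glob-expanded by the
# shell, and $i / $j are expanded unquoted a second time when passed on.
try_unquoted() {
    tu_names=$1; tu_words=$2; shift 2
    for i in $(cat "$tu_names"); do
        for j in $(cat "$tu_words"); do
            if "$@" -name $i -pass $j >/dev/null 2>&1; then
                printf '%s\t%s\n' "$i" "$j"; return 0
            fi
        done
    done
    return 1
}

# Assumed list format: one candidate per line, read verbatim.
# The username is lowercased (as advised in the thread) and every value is
# handed to the command as exactly one argument.
try_quoted() {
    tq_names=$1; tq_words=$2; shift 2
    while IFS= read -r name <&3 || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        while IFS= read -r pass <&4 || [ -n "$pass" ]; do
            [ -n "$pass" ] || continue
            if "$@" -name "$name" -pass "$pass" >/dev/null 2>&1; then
                printf '%s\t%s\n' "$name" "$pass"; return 0
            fi
        done 4< "$tq_words"
    done 3< "$tq_names"
    return 1
}

run_demo() {
    demo_dir=$(mktemp -d) || return 1
    (
        cd "$demo_dir" || exit 1
        : > bowler99   # an existing file name that the glob b[o]wler99 matches
        printf '%s\n' wrong 'b[o]wler99' > names.txt      # constructed lists
        printf '%s\n' wrong 'Test Pass*01' > words.txt
        printf 'unquoted: %s\n' \
            "$(try_unquoted names.txt words.txt fake_recover || echo 'no match')"
        printf 'quoted:   %s\n' \
            "$(try_quoted names.txt words.txt fake_recover || echo 'no match')"
    )
    rm -rf "$demo_dir"
}

run_demo
```

In the unquoted loop the username is rewritten to bowler99 whenever a file of that name sits in the working directory, and the password is split at the space, so the correct pair is never actually tried.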


it's somewhat worrying to see xrps flying out of @bowler99's account without any news from him. 

I certainly hope it is you who managed to finally get access - if not - notify binance and kraken asap with account ids that these zerps went out to so they can maybe block it or at least assure they keep information on person who registered account in case you need to involve law enforcement.

Considering there are some left I must assume it was you though - so congratulations :)

Share your experience with any tips as there certainly will be others coming here in the future trying to do the same thing.

 

Just a note though - it looks like you did 10k move at first - should have tried small amount first to make sure it worked. It was risky imo.

Edited by sajkox


Hey, I just got it :) I tried using a different copy of the wallet and it worked, I was learning to use Linux and did the -diff on my wallet and saw some differences in them, so I tried the other copies and it worked straight away. I was sort of shocked and didn't know what to do so I sent some to exchanges lol 

thanks for checking up and all of the help! tremendously appreciated, I am planning on making a good donation to an orphanage/temple here for the good luck and the relief is amazing! I will post an update soon in the thread too

9 hours ago, bowler99 said:

Hey, I just got it :) I tried using a different copy of the wallet and it worked, I was learning to use Linux and did the -diff on my wallet and saw some differences in them, so I tried the other copies and it worked straight away. I was sort of shocked and didn't know what to do so I sent some to exchanges lol 

thanks for checking up and all of the help! tremendously appreciated, I am planning on making a good donation to an orphanage/temple here for the good luck and the relief is amazing! I will post an update soon in the thread too

Congratulations! 😁

12 hours ago, bowler99 said:

Hey, I just got it :) I tried using a different copy of the wallet and it worked, I was learning to use Linux and did the -diff on my wallet and saw some differences in them, so I tried the other copies and it worked straight away. I was sort of shocked and didn't know what to do so I sent some to exchanges lol 

thanks for checking up and all of the help! tremendously appreciated, I am planning on making a good donation to an orphanage/temple here for the good luck and the relief is amazing! I will post an update soon in the thread too

Happy to read that :)

