Board: Bitcoin Technical Support
Topic: Re: Corrupted Wallet? Or Hacked?
by sdub01 on 02/02/2021, 14:31:00 UTC
Sorry to insist but can you confirm that you see encrypted_keys with pywallet?
I've helped many people and even small misunderstandings can lead to a great amount of lost time

Quote
The issue is that the password that was set worked to access the smaller amount within the wallet, but not for the larger amount in the wallet.
This is not the issue
When created, the wallet file contains around a hundred keys (let's say K1, K2, K3, etc, K100)
Those keys contain keys you can see and some hidden change keys
All are used to compute the displayed balance
When you set a password you encrypt the whole wallet with this unique password, so all the initial keys are in there
(One problem can arise when you made around one hundred transactions after the last backup but this doesn't seem to be the case here)

Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer? (check but don't write it here)
Maybe you were actually hacked and this could confirm this

Also I'm confused with this sentence of yours
Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys
Are you talking about the same wallet file?
As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password

Other questions:
When was the wallet created? Encrypted?
What is your bitcoin-core version?
What is your OS, Windows or Linux?



Last thing:
This may be about a 'change addresses'-related bug triggered on old wallets
If you know the address that received the 'lost' funds, look for its info with this pywallet (download the new version, I just pushed it!) command output
Quote
python pywallet.py --wallet=path/to/wallet.py --find_address 1YoUradDress
, if there is no output then answer all my previous questions and don't read below
If it is there though you should have the key (if hacked then the coins would be gone though)
The output should look like this:
Code:
        {
            "addr": "13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ",
            "compressed": true,
            "hexsec": "aec3301d51faa7c31b8fd6a7eb902f3ccfdd5d4a4491a088004a03b260901a37",
            "private": "xxxx",
            "pubkey": "020017ebde6ec0ca2c76324d96c725f26fd66b331f02e1f3033d7e639058537836",
            "reserve": 1,
            "sec": "L35RgAh2euE8Q1pLEaA2ERsH6D9QEcQGK1mDwxZkg3ir3tco8Anq",
            "secret": "aec3301d51faa7c31b8fd6a7eb902f3ccfdd5d4a4491a088004a03b260901a3701"
        }
What you need is the "sec" value, this is your private key (here for the 13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ address)

If you have this instead:
Code:
        {
            "addr": "13aLG7bQrokjmwpjSTV252MAUVFSvSTdvJ",
            "compressed": true,
            "encrypted_privkey": "7e77381ea8764ca899599dc47ad8e4f135188b482ffa2f7bdc6f174c920ebca4ab8716f890cc2da65de139c5f280711c",
            "pubkey": "020017ebde6ec0ca2c76324d96c725f26fd66b331f02e1f3033d7e639058537836",
            "reserve": 1
        },
This means that you must specify your password by adding the `--passphrase your-password` option to the command line and you'd get the "sec" value as expected (consider this insecure though so you should change your password afterwards, but let's focus on recovering the private key first)

If you can't get the "sec" value of your address, then come back here to tell us what errors you encounter and post them (without sensitive content though)
If you can get the "sec" value then just download the Electrum wallet, import the private key and check you see the balance ( https://bitcoinelectrum.com/importing-your-private-keys-into-electrum/ )

DO NOT SHARE ANY OF THE "sec", "secret", "hexsec", "private" OR "encrypted_privkey" VALUES!

Answers to the questions:

Do you happen to have either the transaction number, the sending address or the receiving address of the big transfer? Yes, we have all 3. We are able to view the address in python, so we were not hacked (that was our original fear).

"Also I'm confused with this sentence of yours
Quote
We were unable to use the password created on 1/1/2021 to access the larger amount that had been received back as change on 1/7. We have tried multiple combinations of passwords since. We have done the Python method, but since the password isn't working we can't access the private keys
Are you talking about the same wallet file?
As I wrote above, one wallet has exactly one unique password for all the keys
And you say that you were 'able to access the original small change', so that would mean you know the wallet password"

I think we actually ended up with 2 different wallet files. When the wallet was opened on Jan 1 of this year there was a small amount at one address within the wallet and a larger amount at another address within the wallet. I believe it forked once transactions began being made.


When was the wallet created? Encrypted? Created in 2010. Encrypted January 2021
What is your bitcoin-core version? When encrypted on Jan 1, 2021 was using most recent core version. However, changed to 0.17 last week to correct the error "Can't generate a change address key. No keys in the internal keypool and can't generate any keys." that we were having with the smaller amount of BTC.

What is your OS, Windows or Linux? Windows


Here is the error we get in python (version 2.7) with privkey info removed:

The wallet is encrypted but no passphrase is used
Version mismatch (must be <= 81000)
[
    {
        "addr": "1HL8tBBJWY7SaY4jARmgtxjN1Q7mN6Eei6",
        "compressed": false,
        "encrypted_privkey": "xxxxxx",
        "pubkey": "04ccb74331debe609218bda9abdb5890aa2b192ec483936b4f49267710edf654ebebd8e3c46a3274f976ce28e018739eb5a22ee4652ddf3a9046f4dc712f08f314",
        "reserve": 1
    }
]
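
Added example, not part of the post and not pywallet's own code: a Python 3 sketch that takes output shaped like the dumps above (status lines followed by JSON records), masks every field the post says must not be shared, and reports whether each record holds a decrypted key ("sec") or only "encrypted_privkey". The function names and the sample data are assumptions constructed for illustration.

```python
import json
import re
# Fields the post says must never be shared.
SENSITIVE = {"sec", "secret", "hexsec", "private", "encrypted_privkey"}
# Constructed sample in the shape quoted above; all key material is dummy data.
SAMPLE_OUTPUT = (
    "The wallet is encrypted but no passphrase is used\n"
    "Version mismatch (must be <= 81000)\n"
    + json.dumps([
        {"addr": "1ConstructedAddrA", "compressed": False, "reserve": 1,
         "encrypted_privkey": "ab" * 48, "pubkey": "04" + "11" * 64},
        {"addr": "1ConstructedAddrB", "compressed": True, "hexsec": "cd" * 32,
         "private": "xxxx", "pubkey": "02" + "22" * 32, "reserve": 1,
         "sec": "LConstructedWifNotReal", "secret": "cd" * 32 + "01"},
    ], indent=4)
)

def split_output(text):
    """Separate leading status lines from the JSON records that follow them."""
    status, offset = [], 0
    for line in text.splitlines(keepends=True):
        body = line.lstrip()
        if body[:1] in ("[", "{"):
            obj, _ = json.JSONDecoder().raw_decode(text, offset + len(line) - len(body))
            return status, (obj if isinstance(obj, list) else [obj])
        if body.strip():
            status.append(body.strip())
        offset += len(line)
    return status, []

def key_state(rec):
    """'decrypted' when "sec" is present, 'encrypted' when only the ciphertext is."""
    return "decrypted" if "sec" in rec else (
        "encrypted" if "encrypted_privkey" in rec else "no-key")

def pubkey_ok(rec):
    """Hex only, 33 bytes if compressed and 65 if not; rejects whitespace from pasting."""
    want = 66 if rec.get("compressed") else 130
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % want, rec.get("pubkey", "")) is not None

def safe_report(text):
    """Return status lines plus records with every sensitive value masked."""
    status, records = split_output(text)
    mask = lambda r: {k: "<redacted>" if k in SENSITIVE else v for k, v in r.items()}
    shown = [dict(mask(r), state=key_state(r), pubkey_ok=pubkey_ok(r)) for r in records]
    return {"status": status, "records": shown}

if __name__ == "__main__":
    print(json.dumps(safe_report(SAMPLE_OUTPUT), indent=4))
```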