I ended up opening a GitHub codespaces and directing Claude 4 to rebuild the .dat file. It analyzed it and did a bunch of tests then rebuilt it and it was no longer corrupt.
Well, it's rather simple to "
fix" it by deriving the correct extended (
master) public key pair of the extended (
master) private key in the wallet.
And replace the fake extended public key with it.
But if the goal is to keep the high-value transactions brought by the fake extended public key:
It's not possible to compute its extended private key pair with traditional computing unless it's just commented out there somewhere in the wallet.
And why would a malware corrupt a wallet that it can decrypt to insert some JSON instead of stealing the funds?
1. Wallet -> Info -> Standard, BIP39, Seed, Master Pub Key visible... Derivation path: m
-snip- to rebuild the .dat file.
Interesting...