Ethereum Wallet.dat File Format: Key Field Check

When scanning large files for encrypted wallet.dat files, it is important to understand the format of the key field in these files. This is crucial for recovering private keys from victim wallets.

In this article, we will take a look at the Ethereum wallet.dat file format, and in particular, we will focus on the structure of the mkey field.

Ethereum Wallet.dat File Format Overview

The Ethereum wallet.dat file format is a binary format used to store encrypted wallet data. The file consists of three main parts:

  • Title: This section contains the metadata of the file, including its name and version.
  • Index Block: This section is used for indexing purposes, allowing for efficient searching of specific blocks on the blockchain.
  • Wallet Information: This section stores encrypted wallet information.

Mkey Field

This section focuses specifically on the structure and content of the mkey field.

Block Header Format

Before we move on to the “mkey” field, let’s take a look at the format of the block header:

Title:

  • Version (4 bytes)
  • Flags (4 bytes)
  • Block Number (8 bytes)

The block number is stored as a 64-bit unsigned integer in big-endian byte order.

Index Block Format

In the Directory Block section, you will find the following fields:

  • BlockHash: The hash of the previous block.
  • TransactionCount: The number of transactions contained in this block.
  • IndexBlockHash: The hash of the index block header (not displayed here).

The “mkey” field is located in the directory block section. It is a 256-bit (32-byte) unsigned integer.

mkey field format

The Mkey field consists of two fields:

  • Version: A single byte indicating the type of data stored in this field.
  • Hash: The hash value (in bytes) of the underlying key.

Here is an example of what the “mkey” field might look like:

Catalog block 1:

mkey: 0x12345678 0x90123456 // Version, Hash

Reconstructing the Mkey field

To reconstruct the original key, we extract the “Version” and “Hash” fields from each “mkey” field. Since one index block contains multiple mkey fields, we need to combine them.

Assuming there are two consecutive blocks with identical “mkey” structure, we can represent the reconstructed key as follows:

Reconstructed key:

Version: 0x12345678

Hash: 0x90123456 0x87654321

Conclusion

In summary, understanding the format of the mkey field in Ethereum wallet.dat files is crucial to recovering private keys from victim wallets. By analyzing parts of the header and index block, we can reconstruct the original key using the extracted “Version” and “Hash” fields.

When writing a C++ application that checks large files for encrypted wallet.dat files, it is important to carefully analyze each “mkey” field in individual blocks to allow for accurate recovery of private keys.
