What is the encoding of this byte literal?

Question

I'm using the BTCRecover python scripts to try and dump the contents of an old (MultiBit Classic) bitcoin wallet. Specifically I'm trying to recover the private key. When I run the script it identifies the wallet as bitcoinj wallet format, which is apparently serialized using protocol buffers. The script fails with the error "bitcoinj wallet is not encrypted". That's fine, I suspected it was not encrypted...I just want to dump the unencrypted keys.

I modified the Python script to print out the wallet after the protocol buffer has been deserialized, and this is the output (secret_bytes omitted):

Starting btcrecover 1.10.0-Cryptoguide on Python 3.9.5 64-bit, 21-bit unicodes, 64-bit ints
network_identifier: "org.bitcoin.production"
last_seen_block_hash: "\000\000\000\000\000\000\0019\017+j\246\336\317\251q\277zL;\302n\237\022\r.\032sM\240S\306"
key {
  type: ORIGINAL
  secret_bytes: "XXXXXXXX"
  public_key: "\003\nJK\303\3561\216\250\027\213\366X\374\262E)\010\022\215[%\224~\007K5\346*\372\315\231\222"
  creation_timestamp: 1365727360000
}

It appears that the file has been deserialized correctly, but the last_seen_block_hash, public_key, and secret_bytes don't make sense (to me, anyway). When I print just public_key, this is the result:

b'\x03\nJK\xc3\xee1\x8e\xa8\x17\x8b\xf6X\xfc\xb2E)\x08\x12\x8d[%\x94~\x07K5\xe6*\xfa\xcd\x99\x92'

I've tried running .decode() on the byte literal with many different encodings (utf-8, utf-16, utf-16-be, utf-32, latin1, ascii, etc.). In each case I either get an error or gibberish.

Does anyone know what encoding this is? Or is there a deeper issue here?

Answer 1

The strings are using latin1 encoding.

The public_key string contains a 33 byte compressed public key. Converting it to a P2PKH address gives 19eBSVoQiDdJMuMAWToZB4qvGPii5s6Eie which may look more familiar.

The last_seen_block_hash refers to block 00000000000001390f2b6aa6decfa971bf7a4c3bc26e9f120d2e1a734da053c6, which is at height 230939 from 2013.