<?php | |
include __DIR__.'/MD5.php'; | |
// Path of the compiled binary to patch; it is looked up next to this script.
$inFile = __DIR__ . '/demo';
// Marker the script searches for in the binary: a run of 64 'A' bytes.
$dummyText = str_repeat('A', 64);
/**
 * Overwrite part of $input with $replacment, starting at byte offset $position.
 *
 * Exactly strlen($replacment) bytes are replaced, so the overall length of the
 * string stays the same as long as the replacement fits inside $input.
 *
 * @param string $input      The string (here: raw file contents) to patch.
 * @param string $replacment The bytes written over the existing ones.
 * @param int    $position   Byte offset at which the overwrite starts.
 *
 * @return string The patched copy of $input.
 */
function replaceDummyText($input, $replacment, $position)
{
    $byteCount = strlen($replacment);
    $patched = substr_replace($input, $replacment, $position, $byteCount);

    return $patched;
}
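/**
 * Locate the first 64-byte-aligned block of $filestring that equals $dummyText.
 *
 * The input is cut into 64-byte blocks (the MD5 block size) and each block is
 * compared with the marker, so a marker that does not start on a block
 * boundary is deliberately not reported.
 *
 * @param string $filestring Raw file contents to search.
 * @param string $dummyText  The marker block to look for.
 *
 * @return int Byte offset of the matching block (always a multiple of 64).
 *
 * @throws RuntimeException When no aligned block equals the marker. Previously
 *                          an offset at or past the end of the input was
 *                          returned, which callers could not tell from a hit.
 */
function findDummyText($filestring, $dummyText)
{
    $blockSize = 64;

    foreach (str_split($filestring, $blockSize) as $index => $chunk) {
        // Strict comparison: with == two numeric-looking strings such as
        // '1000' and '1e3' would be treated as equal.
        if ($chunk === $dummyText) {
            return $index * $blockSize;
        }
    }

    throw new RuntimeException('Dummy text not found at the start of any 64 byte block');
}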
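// Read the original compiled binary into memory.
$filestring = file_get_contents($inFile);
if ($filestring === false) {
    fwrite(STDERR, sprintf('Unable to read %s'.PHP_EOL, $inFile));
    exit(1);
}

// Find the dummy string where it starts exactly on a 64 byte block boundary.
$pos = findDummyText($filestring, $dummyText);
if ($pos >= strlen($filestring)) {
    // An offset at or past the end of the file means no aligned block matched.
    fwrite(STDERR, sprintf('No 64 byte aligned dummy text found in %s'.PHP_EOL, $inFile));
    exit(1);
}
printf('I want to replace %d bytes at position %d in %s'.PHP_EOL, 128, $pos, $inFile);

// Hash everything before the insertion point and print the result.
// NOTE(review): md5_hash() comes from MD5.php, which is not shown here; presumably
// it returns the intermediate MD5 state rather than a finalised digest. Confirm.
$firstPart = substr($filestring, 0, $pos);
$iv = md5_hash($firstPart);
printf('Chaining variable up to that point is %s'.PHP_EOL, $iv);

// Both collision files are needed below, so stop here if either is missing.
if (!file_exists(__DIR__.'/a') || !file_exists(__DIR__.'/b')) {
    print('Run fastcoll to generate a 2 block collision in MD5'.PHP_EOL);
    return;
}
$blockA = file_get_contents(__DIR__.'/a');
$blockB = file_get_contents(__DIR__.'/b');
if ($blockA === false || $blockB === false) {
    fwrite(STDERR, 'Unable to read the collision files a and b'.PHP_EOL);
    exit(1);
}

// Replace the dummy text at the located position, once per collision file.
$good = replaceDummyText($filestring, $blockA, $pos);
$bad = replaceDummyText($filestring, $blockB, $pos);

// Find the second dummy string. The first one has just been partly overwritten
// in $good, so the first remaining run of 191 'A' bytes is the second string.
$secondDummyTextStart = strpos($good, str_pad('', 191, 'A'));
if ($secondDummyTextStart === false) {
    // Without this check, false would be used as offset 0 and the start of
    // the file would be overwritten.
    fwrite(STDERR, 'Second dummy string not found'.PHP_EOL);
    exit(1);
}

// Search back from where the collision was inserted so that the whole 192 bytes
// of the first string can be taken. Stopping at offset 0 keeps substr() from
// wrapping around to the last byte of the file.
while ($pos > 0 && 'A' === substr($filestring, $pos - 1, 1)) {
    --$pos;
}

// The 192 bytes of str1 as they now appear in the "good" file.
$replacement = substr($good, $pos, 192);

// Write those 192 bytes over str2 in both files. In the file they were cut
// from, str1 and str2 then compare equal; in the other file they differ.
$good = replaceDummyText($good, $replacement, $secondDummyTextStart);
if (file_put_contents(__DIR__.'/devil', $good) === false) {
    fwrite(STDERR, sprintf('Unable to write %s'.PHP_EOL, __DIR__.'/devil'));
    exit(1);
}
printf('Just output new file %s with hash %s'.PHP_EOL, __DIR__.'/devil', md5($good));

$bad = replaceDummyText($bad, $replacement, $secondDummyTextStart);
if (file_put_contents(__DIR__.'/angel', $bad) === false) {
    fwrite(STDERR, sprintf('Unable to write %s'.PHP_EOL, __DIR__.'/angel'));
    exit(1);
}
// The two printed digests are expected to match although the files differ,
// which is why an MD5 match alone does not show that two files are identical.
printf('Just output new file %s with hash %s'.PHP_EOL, __DIR__.'/angel', md5($bad));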
A PHP script that does a wacky bit of processing on a compiled binary and creates two similar binaries with the same MD5 hash but differing behaviours.