Skip to content

Instantly share code, notes, and snippets.

@saelo
Created May 4, 2015 21:58
Show Gist options
  • Save saelo/ff1f03ace4bd2f05614a to your computer and use it in GitHub Desktop.
Save saelo/ff1f03ace4bd2f05614a to your computer and use it in GitHub Desktop.
Find php md5 collisions
/*
* Find php md5 collisions (var_dump(md5('240610708') == md5('QNKCDZO'));)
*
* gcc -Ofast -std=c99 -lcrypto -o phpcoll phpcoll.c
*
* Copyright (c) 2015 Samuel Groß
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/md5.h>
size_t hashcount = 0;
inline int check(unsigned char* md)
{
if (md[0] == 0x0e) {
for (int i = 1; i < 16; i++) {
unsigned char hn = md[i] >> 4;
unsigned char ln = md[i] & 0xf;
if (hn >= 0xa || ln >= 0xa) {
return 0;
}
}
return 1;
}
return 0;
}
int main(int argc, char** argv)
{
unsigned char md[16];
if (argc < 2) {
printf("Usage: %s prefix", argv[0]);
return 0;
}
size_t length = strlen(argv[1]);
char* data = calloc(1, length + 1024);
if (!data) {
printf("calloc failed");
return -1;
}
strcpy(data, argv[1]);
char* ptr = data + length;
size_t curlength = length + 1;
*ptr = 0x2f;
while (1) {
if (*ptr == 0x7e) {
char* curr = ptr;
while (*++curr == 0x7e) {
if (curr - ptr >= 1024) {
puts("wat");
return -1;
}
}
memset(ptr, 0x30, curr - ptr);
if (*curr == 0x0) {
*curr = 0x30;
curlength++;
} else {
*curr = *curr + 1;
}
} else {
*ptr = *ptr + 1;
}
MD5_CTX md5ctx;
MD5_Init(&md5ctx);
MD5_Update(&md5ctx, data, curlength);
MD5_Final(md, &md5ctx);
hashcount++;
if (check(md)) {
puts(data);
printf("tried %lu hashes\n", hashcount);
return 0;
}
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment