new module: md5 with substitution
#1
hello

i have a fixed substitution for each character:


Code:
subs['a'] = 'd13hfgkjgl8kj'
subs['b'] = ...
...
subs['f'] = 'gdf4oiu8gug'
...
subs['o'] = 'u3otyu081rty'
...
subs['z'] = ...
subs['0'] = ...
...
subs['9'] = ...

then the hash is:

Code:
hash('foo') = md5(subs['f']+subs['o']+subs['o'])
            = md5('gdf4oiu8gugu3otyu081rtyu3otyu081rty') = '2144e74661812f17e37f972c981282d9'

i would like to find a 6-character string s such that hash(s) = target hash.

do i need to create a new custom module/algorithm?

i have read src/modules/module_00000.c to see how the md5 cracker works, but not sure how to do this.

thank you for your ideas.
#2
does anyone have an idea?

how to brute force such a hash with all alphanumeric 6 char strings?

example with 3 chars only:

Code:
hash('foo') = md5(subs['f']+subs['o']+subs['o'])
            = md5('gdf4oiu8gugu3otyu081rtyu3otyu081rty') = '2144e74661812f17e37f972c981282d9'


thanks!
#3
(05-13-2022, 09:27 AM)phaphip Wrote: how to brute force such a hash with all alphanumeric 6 char strings?

You need to create a custom module.

But there is a simpler and faster way. The total number of passwords is small (36^6 = 2'176'782'336), so you can easily process all combinations without using a GPU. For example, you can write a short PHP or Python script.
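The CPU approach suggested in post #3, as an added example (not code from the thread). The entries for 'a', 'f' and 'o' are the ones posted above; the other table entries and the names `subst_hash` and `search` are constructed here. Because the table is fixed, the number of candidates stays at charset_size ** length however long the substitution strings are, and copying the MD5 state lets candidates that share a prefix share that work.

```python
import hashlib

# 'a', 'f' and 'o' are the entries posted in the thread; the rest of the
# table is constructed here so the example runs.
SUBS = {
    "a": "d13hfgkjgl8kj",
    "f": "gdf4oiu8gug",
    "o": "u3otyu081rty",
    "b": "constructed-b-7q2",
    "0": "constructed-0-x9k",
    "1": "constructed-1-m4c",
}


def subst_hash(password, table=SUBS):
    """md5(subs[c0] + subs[c1] + ...) as a hex string."""
    expanded = "".join(table[c] for c in password)
    return hashlib.md5(expanded.encode("ascii")).hexdigest()


def search(target_hex, length, table=SUBS):
    """Return the length-character string whose subst_hash is target_hex, or None."""
    target = bytes.fromhex(target_hex)
    blobs = {c: v.encode("ascii") for c, v in table.items()}

    def walk(ctx, prefix):
        if len(prefix) == length:
            return prefix if ctx.digest() == target else None
        for c, blob in blobs.items():
            nxt = ctx.copy()          # reuse the MD5 state of the shared prefix
            nxt.update(blob)
            found = walk(nxt, prefix + c)
            if found is not None:
                return found
        return None

    return walk(hashlib.md5(), "")


if __name__ == "__main__":
    target = subst_hash("foo")
    print(target, "->", search(target, 3))
    # Candidates tried in the worst case: len(SUBS) ** 3, however long
    # each substitution string is.
```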
#4
(05-13-2022, 02:47 PM)nick8606 Wrote: You need to create a custom module.

But there is a simpler and faster way. The total number of passwords is small (36^6 = 2'176'782'336),

thanks, but i also want it to work for 7 or 8 characters or more (digits, letters upper or lowercase) so it's 62^6, 62^7, 62^8 which is large.

i have read src/modules/module_00000.c and i would like to adapt it, but i don't see how to do the substitution in "module_hash_encode" function.

would you have a hint for this nick8606?

for each input char, the substitution can become 50 characters, so in fact

Code:
hash('abcdefgh') = hash(subs('a')+...+subs('h')) = md5(400_char_long_string)
#5
(05-13-2022, 06:22 PM)phaphip Wrote: i have read src/modules/module_00000.c and i would like to adapt it, but i don't see how to do the substitution in "module_hash_encode" function.

You need to modify the GPU part of the module. The replacement must be done after password generation and before hash calculation.
#6
(05-14-2022, 06:13 AM)nick8606 Wrote: You need to modify the GPU part of the module. The replacement must be done after password generation and before hash calculation.

thanks. where in the code should this be done? in which function?
src/modules/module_00000.c
OpenCL/m00000_a0-optimized.cl
OpenCL/m00000_a0-pure.cl
OpenCL/m00000_a1-optimized.cl
OpenCL/m00000_a1-pure.cl
OpenCL/m00000_a3-optimized.cl
OpenCL/m00000_a3-pure.cl
another file?
(of course i'll create a new module with a new number instead of 00000)


i want to use brute force mode (aaaaaa, aaaaab, aaaaac, ..., 999999) for password generation, and have substitutions: each single character is replaced by a long string, with a lookup table.

nick8606, would you have a simple code example showing where in the code and how to replace the first character c of the password (after password generation and before hash calculation) by func(c) ?
then i'll find how to adapt this to multiple substitutions.
#7
"OpenCL/m00000_a3-pure.cl" will be enough for your task.

First, read and understand "docs/hashcat-plugin-development-guide.md".

The source code is relatively short; the replacement must be done before
Code:
md5_update_vector (&ctx, w, pw_len);

Pay attention: the type of the 2nd parameter is an array of dwords (not a string or an array of bytes).
#8
(05-15-2022, 02:54 AM)nick8606 Wrote: The source code is relatively short; the replacement must be done before

Code:
md5_update_vector (&ctx, w, pw_len);

thanks.

should it be done in "m00000_sxx" or "m00000_mxx"?


will it be ok if after "replacement" the new w has possibly 400 or 500 characters, instead of just 6 to 10?

can md5_update_vector perform multiple blocks at once?
#9
(05-17-2022, 11:11 AM)phaphip Wrote: should it be done in "m00000_sxx" or "m00000_mxx"?
In both.

(05-17-2022, 11:11 AM)phaphip Wrote: will it be ok if after "replacement" the new w has possibly 400 or 500 characters, instead of just 6 to 10?
sizeof(w)==256, too short for your task. A new local array is needed for the data after replacing.

(05-17-2022, 11:11 AM)phaphip Wrote: can md5_update_vector perform multiple blocks at once?
The 3rd parameter of md5_update_vector() is the data size. All of this size is processed.
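A host-side model of the sizing and dword points from posts #7 and #9, as an added example (not code from the thread or from hashcat). Python's hashlib stands in for the kernel's MD5, the 50-byte table is constructed, the function names are chosen here, and little-endian word order is assumed because that is the order MD5 defines for its message words.

```python
import hashlib
import struct

W_BYTES = 256   # sizeof(w) quoted in the thread
SUB_LEN = 50    # per-character expansion length mentioned in the thread


def make_table(charset):
    """Constructed table: every character maps to SUB_LEN ASCII bytes."""
    return {c: hashlib.sha256(c.encode()).hexdigest()[:SUB_LEN].encode()
            for c in charset}


def expand(password, table):
    """Concatenate the substitution bytes for each password character."""
    return b"".join(table[c] for c in password)


def words_needed(max_pw_len, sub_len=SUB_LEN):
    """Dwords the post-substitution buffer must hold (rounded up)."""
    return (max_pw_len * sub_len + 3) // 4


def pack_dwords(data):
    """Bytes -> little-endian 32-bit words, zero-filled to a dword boundary."""
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def md5_blockwise(words, length):
    """Hash `length` bytes held in `words`, one 64-byte block per update."""
    raw = struct.pack("<%dI" % len(words), *words)[:length]
    ctx = hashlib.md5()
    for off in range(0, length, 64):
        ctx.update(raw[off:off + 64])   # final chunk may be short
    return ctx.hexdigest()              # MD5 padding is applied here, once


if __name__ == "__main__":
    table = make_table("abcdefgh")
    data = expand("abcdefgh", table)
    words = pack_dwords(data)
    print(len(data), "bytes >", W_BYTES, "->", len(words), "dwords")
    print(md5_blockwise(words, len(data)) == hashlib.md5(data).hexdigest())
```

The byte length, not the dword count, is what must be passed along with the buffer: the zero fill in the last dword is not part of the message.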
#10
(05-18-2022, 02:18 AM)nick8606 Wrote: sizeof(w)==256, too short for your task. A new local array is needed for the data after replacing.

The 3rd parameter of md5_update_vector() is the data size. All of this size is processed.

thank you.

would you have a short example code showing how to md5 an input string of fixed length 200 char?

multiple calls of md5_update_vector() one after another?

Code:
md5_update (&ctx, w[0], 64);
md5_update (&ctx, w[64], 64);
md5_update (&ctx, w[128], 64);
md5_update (&ctx, w[192], 8);  /* for the 8 remaining char, should i pad it to 64 dwords */

should i split it by blocks of 64 dwords?

thanks