how can I set the mask to a md5 hash result of itself?
what we know is the [salt] consists of 32 characters ( 0123456789abcdef ), seems like a md5 hash.
now I want crack this salt,
if I try to do this:
hashcat64 md5_hash.txt -m 0 -a 3 abcd?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h
I think it's impossible.

Sometime the [salt] was created by md5(a simple str),
in fact, in this case, the [salt] is md5(simple) = 8dbdda48fb8748d6746f1965824e966a

So, my question is, how can I set the mask to a md5 hash result of itself?
suck as...
hashcat64 md5_hash.txt -m 0 -a 3 abcd[md5(?s?s?s?s?s?s)]
hex encoded or binary? not that it really matters because the search space is too large anyway.
I mean, if the 32 bytes salt is just a md5 hash of some simple text, and I search it as a 32 bytes completely random value,
that's too stupid.

So if I already knew the salt is a md5 hash of some short text, can I figure out the short text?
Basically your salt is the "password" you are looking for. There should be a corresponding hash mode.
I got it, but another problem.
In my practical case, "Salt-length exception"
... why there is a limit to salt string.. I don't get it.

My salt length is 65..
You are using the wrong hash mode. You need to use this one:
-m 3710 = md5($salt.md5($pass))

(Note: if you know the original password and are looking for the salt, you need to switch the role of these two and therefore the salt becomes your password which you are trying to find out and the original pass is known and therefore could be seen as your salt)


The hash format is like this:

in your case it is:

and your password candidate list should contain the correct password whoes MD5 digest is 8dbxxxx8fb8748dxxxxf1965xxxxe966a (i.e. in this case "simple", without quotes)