After some vanity Googling today, I noticed MDCrack, a project that I helped with back in ~2001 has been resurrected by the lead developer Gregory Duchemin.  Well it was resurrected in 2006, but I’ve been busy….

Makes me want to restart tinkering with the MD2/MD4/MD5 hashes, and build my dream cracker.

Another point to note was that Gregory was right, the idea of pre-computed hash tables, now known as rainbow tables were/are a good idea. Back when I had a 2GB hard drive, they didn’t seem like an effective idea, compared to a network of machines, ala Distributed.Net

Google MD5 searches

I have been getting a few search from Google on MD5 like this one, in which I noticed this freshmeat project, by Dave Hope.

So I download the code, and reviewed it. Brute force it correct, almost brute fumble, worst crime against CPUs every where is:

  • Converting the resulting hash to ASCII and using printf for each attempt.

Close runner ups are:

  • Then there is the multiple use of strlen, when you have an outer loop with an integer already holding the length of the string been processed.
  • Doing a string compare on the ASCII result string vs the original.

With those limitations in place, you can safely assume the code will never get past ~9 character passwords, thus you could re-shuffle the code as I did when I did this exact same thing. But publishing this code as a tool seems premature.

While picking on the sins, what with the #include “Functions.c” inside the main function. I can only assume this is yet another useful GCC 3.x feature, but is very ugly. Why not just put three prototypes before main (only one is actually needed) and put the block of code below.

<\Rant> back to work for now…

Well maybe not, just noticed on the English version of that search, that the freshmeat project is the first item, but is also 1 1/2 years old. sigh.

MD5 Brute Force Cracking

Back in 2000 I spent a few months working on a brute force MD5 hash cracker. This was largely inspired by Distributed.Net and MD5 been how password where stored on our products at work.

After a few months I’d produced some code that had moved as much intrinsic things out of the main loop as possible.

I year later I found MDCrack, and spent some time working with Gregory to use the code. From that point on I have got the odd question asking about the code (at my old email simeon.pilgrim at With Google Analytics I can see it’s one of the major reasons my old blog it still getting hits.

I have just uploaded my old project onto my homepage. I updated it from a VS6.0 to VS2005 project.

At some point I intend to document it, but for now my old source available.