md5crack v0.2  written by Patrick_.

md5crack is just a fun little program I wrote in assembly (any other language would be ridiculous) to break MD5 hashes using brute force. As it uses sheer brute-force to crack the hash, breaking any hash made from over 7 characters is highly impractical. However, this program wasn't made to go around cracking MD5 hashes maliciously; it was a fun experiment, it's got novelty going for it, and it can be quite a good real-world CPU benchmark.

The algorithm is quite simple, though it could be improved (I'm thinking, I'm thinking!). We have a 64-byte array. We start at the letter 'a' and go to 'z', then from 'A' to 'Z', then '0' to '9'. No characters other than letters and digits are tried, for speed reasons. Once we have gone through all of the possible combinations (62^n, with n being the current data length), we increase the data length and try again. So, to crack a hash created from four 1-byte characters, it would take a maximum of 62^4, or 14776336, combinations. Now you can see why we only create alpha-numeric data combinations. If we tried the entire ASCII table (256 characters), the maximum combinations would soar to a whopping 256^4, or 4294967296, combinations.

If you have any ideas on how to speed this sucker up, please tell me. I've sped it up by over 125% already using various techniques and rereading the code over and over, making sure I missed nothing. I've tested this baby against other MD5 brute-forcers, and the only one that beats it (some of the time) is one that only cracks lower-case letters and numbers. So, instead of 62^4 max combinations for a 4-byte message, it takes only 36^4 max combinations... a much, much lower amount.

UPDATE: I've added a copy of md5crack, md5crackl, that does not check for upper-case letters. It only checks for lower-case letters and numbers. This _greatly_ speeds up the brute-forcing process, if you know the hash was generated from a string not containing upper-case letters. The difference is highly exponential... Whereas md5crack took over 26 seconds to crack a hash made from "hello", md5crackl takes only 3 seconds. This beats the competition by over 100%.

 --------
| HASHES |
 --------

Below are some hashes, their valid results, and the time they took to crack on my machine, which is a Pentium 4C 2.4GHz @ 3.2GHz, 768MB RAM. These timings were produced with md5crack, not md5crackl.

1) ab56b4d92b40713acc5af89985d4b786
   "abcde"
   3.314s
   
2) 7f138a09169b250e9dcb378140907378
   "MD5"
   0.033s
   
3) eb62f6b9306db575c2d596b1279627a4
   "0123"
   2.780s

4) 1c493451798f90e8da58078185a549f5
   "fAsM"
   0.335s
   
5) 594f803b380a41396ed63dca39503542
   "aaaaa"
   3.261s
   
6) 3d1f63e96089a094b096a3ace304a8f5
   "0a1b2"
   2m48.116s
   
7) 52a9391e60126ddac322103fb54c5e90
   "ab012"
   3.322s

8) 643922ceda5dfa09f49aefc2a56f9ce1
   "a012b"
   6.025s
   
Notice how much faster a hash is cracked when the message starts with a lower-case letter than when it starts with an upper-case letter or a digit: the first character is the slowest-varying position in the search, so a message starting late in the a-z, A-Z, 0-9 order is only reached after every message starting with an earlier character has been tried.
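The enumeration order described above, together with the timing table, can be checked against a small keyspace model. This is an added example, not part of md5crack; the hash rate and the assumption that the first character is the outermost loop are inferred from the table, and md5crackl's character order is assumed.

```python
"""Keyspace model for md5crack's enumeration order and timing table."""
import hashlib
import string

# Characters in the order md5crack tries them: a-z, then A-Z, then 0-9.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits
# md5crackl's alphabet: lower-case letters and digits (this order is assumed).
LOWER_ALPHABET = string.ascii_lowercase + string.digits


def keyspace(length, alphabet=ALPHABET):
    """Number of candidates of exactly `length` characters (62^n in the README)."""
    return len(alphabet) ** length


def candidates_before(msg, alphabet=ALPHABET):
    """Candidates md5crack hashes before it reaches `msg`.

    Model inferred from the README's timing table: every shorter length is
    exhausted first, and the first character is the outermost (slowest-varying)
    loop, so within its own length a message sits at its mixed-radix index.
    """
    base = len(alphabet)
    shorter = sum(base ** k for k in range(1, len(msg)))
    within = 0
    for ch in msg:
        within = within * base + alphabet.index(ch)
    return shorter + within


def hashes_per_second(msg, seconds, alphabet=ALPHABET):
    """Throughput implied by one README row: (plaintext, seconds to crack)."""
    return (candidates_before(msg, alphabet) + 1) / seconds


def verify_row(hexdigest, plaintext):
    """Confirm that a README plaintext really hashes to the listed digest."""
    return hashlib.md5(plaintext.encode()).hexdigest() == hexdigest


# Rows copied from the README's HASHES table: (digest, plaintext, seconds).
README_ROWS = [
    ("ab56b4d92b40713acc5af89985d4b786", "abcde", 3.314),
    ("594f803b380a41396ed63dca39503542", "aaaaa", 3.261),
    ("3d1f63e96089a094b096a3ace304a8f5", "0a1b2", 168.116),
]

if __name__ == "__main__":
    rate = hashes_per_second("aaaaa", 3.261)  # about 4.6 million hashes/s
    for digest, text, secs in README_ROWS:
        predicted = (candidates_before(text) + 1) / rate
        print(text, verify_row(digest, text), f"{predicted:.1f}s vs {secs}s")
```

The rate implied by the "aaaaa" row predicts the "0a1b2" row to within a few percent, which is what makes the first-character effect in the table so large.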

 -------
| NOTES |
 -------

-This app makes some valid assumptions, to boost cracking speed. For example, if the message it is trying to crack is equal to or over 55 bytes, it will never find the message, since md5crack only ever hashes a single 64-byte block. This removes quite a few branches, and possible loops.

For now, this is safe, as it would probably take millions of years on current CPUs to crack such a message. When we have 1THz CPUs, maybe I'll update this app to take advantage of larger messages.

-Hashes made from messages containing upper-case letters or numbers will take longer than those with just lower-case letters. For the sake of speed, md5crack first generates lower-case letters. It then goes to upper-case, and finally numbers, as I think that is the most common order they will appear in. If you know the hash was created from a string not containing upper-case letters, then use md5crackl. This will _greatly_ speed up the cracking process.

-This app is written to run on *nix. For Windows users, download and run md5crack under LINE (http://sourceforge.net/projects/line). There are no speed penalties; basically all LINE does is intercept system calls and translate them, and that only happens once the hash has been cracked.

For Mac geeks, this should run for you; however, I'm not sure if the system calls for *nix and OSX are one and the same. If not, just run the thing in a debugger (I recommend ald), and when the app is done, examine the memory at the address in ebp.

-Oh yeah, a fast CPU will help... ;)