// wp_hash_test.php
<?php
class PasswordHash {
var $itoa64;
function PasswordHash()
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
}
function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
function crypt_private($password, $salt)
{
$count = 8192;
$hash = md5($salt . $password, TRUE);
do {
$tmp = $hash . $password;
$hash = md5($tmp, TRUE);
} while (--$count);
$output = '$P$B';
$output .= $salt;
$output .= $this->encode64($hash, 16);
return $output;
}
function HashPassword($password, $salt)
{
$hash = $this->crypt_private($password, $salt);
return $hash;
}
}
//for test from WordPress v4.1
//$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/
$passwordValue = "123123";
$saltValue = "YEYcHEj3";
$wp_hasher = new PasswordHash();
$sigPassword = $wp_hasher->HashPassword($passwordValue, $saltValue);
echo "生成的密碼hash爲:".$sigPassword."\n";
echo '正確的密碼hash爲:$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/'."\n";
?>
// main.c
#include <stdio.h>
#include <string.h>
/* build.sh
* gcc -c md5.c -o md5.o
* gcc -c wordpress.c -o wordpress.o
* gcc -c main.c -o main.o
* gcc -o wp_hash main.o md5.o wordpress.o
*/
/* wordpress.c */
extern int wordpress( unsigned char * salt, unsigned char *passwd, int count, unsigned char *code );
int main(int argc, char* argv[])
{
if (3 != argc)
{
printf("usage: ./wp_hash DICFILE 'WORDPRESS_HASH'\n");
printf("example: ./wp_hash pwd.txt '$P$BYEYcHEj3vDhV1lwGBv6rpxurKOEWY/'\n");
return -1;
}
char* filename = argv[1];
char* hash = argv[2];
char salt[9];
memcpy(salt, hash+4, 8);
salt[8] = '\0';
printf("hash = [%s]\n", hash);
printf("salt = [%s]\n", salt);
const int MAX_LINE_LEN = 512; // 單行所允許的最大長度
char szLineBuf[MAX_LINE_LEN];
FILE *fp = fopen(filename, "rb");
if (fp)
{
while ( NULL != fgets(szLineBuf, sizeof(szLineBuf), fp) )
{
szLineBuf[strlen(szLineBuf)-1] = '\0';
if ( '\r' == szLineBuf[strlen(szLineBuf)-1] )
{
szLineBuf[strlen(szLineBuf)-1] = '\0';
}
unsigned char code[40];
wordpress((unsigned char*)salt, (unsigned char*)szLineBuf, 8192, code);
if ( 0 == strcmp(hash, (const char*)code) )
{
printf("\nFounded!!! [%s]\n", szLineBuf);
break;
}
else
{
printf("*");
}
}
fclose(fp);
}
printf("\nDone\n");
return 0;
}
// md5.c
#include <stdio.h>
#include <memory.h>
#include <string.h>
#define UINT4 unsigned int
#define F(x,y,z) ((x & y) | (~x & z))
#define G(x,y,z) ((x & z) | (y & ~z))
#define H(x,y,z) (x^y^z)
#define I(x,y,z) (y ^ (x | ~z))
#define ROTATE_LEFT(x,n) ((x << n) | (x >> (32-n)))
#define FF(a,b,c,d,x,s,ac) \
{ \
a += F(b,c,d) + x + ac; \
a = ROTATE_LEFT(a,s); \
a += b; \
}
#define GG(a,b,c,d,x,s,ac) \
{ \
a += G(b,c,d) + x + ac; \
a = ROTATE_LEFT(a,s); \
a += b; \
}
#define HH(a,b,c,d,x,s,ac) \
{ \
a += H(b,c,d) + x + ac; \
a = ROTATE_LEFT(a,s); \
a += b; \
}
#define II(a,b,c,d,x,s,ac) \
{ \
a += I(b,c,d) + x + ac; \
a = ROTATE_LEFT(a,s); \
a += b; \
}
/* MD5 context. */
typedef struct {
UINT4 state[4]; /* state (ABCD) */
UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
unsigned char buffer[64]; /* input buffer */
} MD5_CTX;
void MD5Init(MD5_CTX *context);
void MD5Update(MD5_CTX *context,unsigned char *input,unsigned int inputlen);
void MD5Final(MD5_CTX *context,unsigned char digest[16]);
void MD5Transform(unsigned int state[4],unsigned char block[64]);
void MD5Encode(unsigned char *output,unsigned int *input,unsigned int len);
void MD5Decode(unsigned int *output,unsigned char *input,unsigned int len);
unsigned char PADDING[]= {0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};
void MD5Init(MD5_CTX *context)
{
context->count[0] = 0;
context->count[1] = 0;
context->state[0] = 0x67452301;
context->state[1] = 0xEFCDAB89;
context->state[2] = 0x98BADCFE;
context->state[3] = 0x10325476;
}
void MD5Update(MD5_CTX *context,unsigned char *input,unsigned int inputlen)
{
unsigned int i = 0,index = 0,partlen = 0;
index = (context->count[0] >> 3) & 0x3F;
partlen = 64 - index;
context->count[0] += inputlen << 3;
if(context->count[0] < (inputlen << 3))
context->count[1]++;
context->count[1] += inputlen >> 29;
if(inputlen >= partlen)
{
memcpy(&context->buffer[index],input,partlen);
MD5Transform(context->state,context->buffer);
for(i = partlen; i+64 <= inputlen; i+=64)
MD5Transform(context->state,&input[i]);
index = 0;
}
else
{
i = 0;
}
memcpy(&context->buffer[index],&input[i],inputlen-i);
}
void MD5Final(MD5_CTX *context,unsigned char digest[16])
{
unsigned int index = 0,padlen = 0;
unsigned char bits[8];
index = (context->count[0] >> 3) & 0x3F;
padlen = (index < 56)?(56-index):(120-index);
MD5Encode(bits,context->count,8);
MD5Update(context,PADDING,padlen);
MD5Update(context,bits,8);
MD5Encode(digest,context->state,16);
}
void MD5Encode(unsigned char *output,unsigned int *input,unsigned int len)
{
unsigned int i = 0,j = 0;
while(j < len)
{
output[j] = input[i] & 0xFF;
output[j+1] = (input[i] >> 8) & 0xFF;
output[j+2] = (input[i] >> 16) & 0xFF;
output[j+3] = (input[i] >> 24) & 0xFF;
i++;
j+=4;
}
}
void MD5Decode(unsigned int *output,unsigned char *input,unsigned int len)
{
unsigned int i = 0,j = 0;
while(j < len)
{
output[i] = (input[j]) |
(input[j+1] << 8) |
(input[j+2] << 16) |
(input[j+3] << 24);
i++;
j+=4;
}
}
void MD5Transform(unsigned int state[4],unsigned char block[64])
{
unsigned int a = state[0];
unsigned int b = state[1];
unsigned int c = state[2];
unsigned int d = state[3];
unsigned int x[64];
MD5Decode(x,block,64);
FF(a, b, c, d, x[ 0], 7, 0xd76aa478);
FF(d, a, b, c, x[ 1], 12, 0xe8c7b756);
FF(c, d, a, b, x[ 2], 17, 0x242070db);
FF(b, c, d, a, x[ 3], 22, 0xc1bdceee);
FF(a, b, c, d, x[ 4], 7, 0xf57c0faf);
FF(d, a, b, c, x[ 5], 12, 0x4787c62a);
FF(c, d, a, b, x[ 6], 17, 0xa8304613);
FF(b, c, d, a, x[ 7], 22, 0xfd469501);
FF(a, b, c, d, x[ 8], 7, 0x698098d8);
FF(d, a, b, c, x[ 9], 12, 0x8b44f7af);
FF(c, d, a, b, x[10], 17, 0xffff5bb1);
FF(b, c, d, a, x[11], 22, 0x895cd7be);
FF(a, b, c, d, x[12], 7, 0x6b901122);
FF(d, a, b, c, x[13], 12, 0xfd987193);
FF(c, d, a, b, x[14], 17, 0xa679438e);
FF(b, c, d, a, x[15], 22, 0x49b40821);
GG(a, b, c, d, x[ 1], 5, 0xf61e2562);
GG(d, a, b, c, x[ 6], 9, 0xc040b340);
GG(c, d, a, b, x[11], 14, 0x265e5a51);
GG(b, c, d, a, x[ 0], 20, 0xe9b6c7aa);
GG(a, b, c, d, x[ 5], 5, 0xd62f105d);
GG(d, a, b, c, x[10], 9, 0x2441453);
GG(c, d, a, b, x[15], 14, 0xd8a1e681);
GG(b, c, d, a, x[ 4], 20, 0xe7d3fbc8);
GG(a, b, c, d, x[ 9], 5, 0x21e1cde6);
GG(d, a, b, c, x[14], 9, 0xc33707d6);
GG(c, d, a, b, x[ 3], 14, 0xf4d50d87);
GG(b, c, d, a, x[ 8], 20, 0x455a14ed);
GG(a, b, c, d, x[13], 5, 0xa9e3e905);
GG(d, a, b, c, x[ 2], 9, 0xfcefa3f8);
GG(c, d, a, b, x[ 7], 14, 0x676f02d9);
GG(b, c, d, a, x[12], 20, 0x8d2a4c8a);
HH(a, b, c, d, x[ 5], 4, 0xfffa3942);
HH(d, a, b, c, x[ 8], 11, 0x8771f681);
HH(c, d, a, b, x[11], 16, 0x6d9d6122);
HH(b, c, d, a, x[14], 23, 0xfde5380c);
HH(a, b, c, d, x[ 1], 4, 0xa4beea44);
HH(d, a, b, c, x[ 4], 11, 0x4bdecfa9);
HH(c, d, a, b, x[ 7], 16, 0xf6bb4b60);
HH(b, c, d, a, x[10], 23, 0xbebfbc70);
HH(a, b, c, d, x[13], 4, 0x289b7ec6);
HH(d, a, b, c, x[ 0], 11, 0xeaa127fa);
HH(c, d, a, b, x[ 3], 16, 0xd4ef3085);
HH(b, c, d, a, x[ 6], 23, 0x4881d05);
HH(a, b, c, d, x[ 9], 4, 0xd9d4d039);
HH(d, a, b, c, x[12], 11, 0xe6db99e5);
HH(c, d, a, b, x[15], 16, 0x1fa27cf8);
HH(b, c, d, a, x[ 2], 23, 0xc4ac5665);
II(a, b, c, d, x[ 0], 6, 0xf4292244);
II(d, a, b, c, x[ 7], 10, 0x432aff97);
II(c, d, a, b, x[14], 15, 0xab9423a7);
II(b, c, d, a, x[ 5], 21, 0xfc93a039);
II(a, b, c, d, x[12], 6, 0x655b59c3);
II(d, a, b, c, x[ 3], 10, 0x8f0ccc92);
II(c, d, a, b, x[10], 15, 0xffeff47d);
II(b, c, d, a, x[ 1], 21, 0x85845dd1);
II(a, b, c, d, x[ 8], 6, 0x6fa87e4f);
II(d, a, b, c, x[15], 10, 0xfe2ce6e0);
II(c, d, a, b, x[ 6], 15, 0xa3014314);
II(b, c, d, a, x[13], 21, 0x4e0811a1);
II(a, b, c, d, x[ 4], 6, 0xf7537e82);
II(d, a, b, c, x[11], 10, 0xbd3af235);
II(c, d, a, b, x[ 2], 15, 0x2ad7d2bb);
II(b, c, d, a, x[ 9], 21, 0xeb86d391);
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
}
void MD5(unsigned char * buf, unsigned int len, unsigned char *out, int type)
{
int i;
MD5_CTX md5;
unsigned char digest[16];
char hex[]="0123456789abcdef";
char HEX[]="0123456789ABCDEF";
MD5Init(&md5);
MD5Update(&md5, buf,len);
MD5Final(&md5, digest);
if (type == 0)
{
for (i = 0; i < 16; i++)
{
out[i+i] = hex[digest[i] >> 4];
out[i+i+1] = hex[digest[i] & 0x0f];
}
}
else if (type == 1)
{
for (i = 0; i < 16; i++)
{
out[i+i] = HEX[digest[i] >> 4];
out[i+i+1] = HEX[digest[i] & 0x0f];
}
}
out[i+i] = '\0';
}
// wordpress.c
#include <stdio.h>
#include <string.h>
/* md5.c */
extern void MD5(unsigned char * buf, unsigned int len, unsigned char *out, int type);
#define WORDPRESS_MD5_CHAR_NUM 16
unsigned char base64Char[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
void fast_md5_to_unsigned_char(unsigned char *hash) // todo: fix bug
{
int i;
unsigned char md5[17];
for (i = 0; i < 16; i++)
{
if (hash[2*i] >= '0' && hash[2*i] <= '9')
md5[i] = (hash[2*i] - '0') << 4;
else if (hash[2*i] >= 'a' && hash[2*i] <= 'f')
md5[i] = (hash[2*i] - 'a') <<4;
if (hash[2*i+1] >= '0' && hash[2*i+1] <= '9')
md5[i] = md5[i] | ((hash[2*i+1] - '0') & 0x0f);
else if (hash[2*i+1] >= 'a' && hash[2*i+1] <= 'f')
md5[i] = md5[i] | ((hash[2*i+1] - 'a') & 0x0f);
}
md5[16] = '\0';
for (i = 0; i < 16; i++)
hash[i] = md5[i];
hash[16] = '\0';
}
// 616263 -> abc
// 4297f44b13955235245b2497399d7a93 -> ?
void md5_to_unsigned_char(unsigned char *hash)
{
int i;
unsigned char md5[17];
for (i = 0; i < 16; ++i)
{
char temp[3];
temp[0] = hash[i*2+0];
temp[1] = hash[i*2+1];
temp[2] = '\0';
int hex;
sscanf(temp, "%x", &hex);
md5[i] = hex;
}
md5[16] = '\0';
//strcpy((char*)hash, (const char*)md5); // bug because of 00
for (i = 0; i < 16; i++)
hash[i] = md5[i];
hash[16] = '\0';
}
void fast_base64Encode(unsigned char *md5, unsigned char *result) // todo: fix bug
{
int num_24bits = 5;
int i;
for (i = 0; i < num_24bits; ++i)
{
result[4 * i + 0] = base64Char[(md5[3 * i] >> 2) & 0x3F];
result[4 * i + 1] = base64Char[(((md5[3 * i] & 0x3) << 4) | (md5[3 * i + 1] >> 4)) & 0x3F];
result[4 * i + 2] = base64Char[((md5[3 * i + 1] << 2) | (md5[3 * i + 2] >> 6)) & 0x3F];
result[4 * i + 3] = base64Char[md5[3 * i + 2] & 0x3F];
}
result[20] = base64Char[md5[15] >> 2];
result[21] = base64Char[(md5[15] << 4) & 0x3F];
result[22] = '\0';
}
void base64Encode(unsigned char *md5, unsigned char *result)
{
char buf_t[32];
int index_t = 0;
int value;
int i;
for (i = 0; i < 16; )
{
value = (int)md5[i++];
buf_t[index_t++] = base64Char[value & 0x3f];
if (i < 16)
value |= ((int)md5[i] << 8);
buf_t[index_t++] = base64Char[(value >> 6) & 0x3f];
if (i++ >= 16)
break;
if (i < 16)
value |= ((int)md5[i] << 16);
buf_t[index_t++] = base64Char[(value >> 12) & 0x3f];
if (i++ >= 16)
break;
buf_t[index_t++] = base64Char[(value >> 18) & 0x3f];
}
memcpy(result, buf_t, index_t);
}
int wordpress( unsigned char * salt, unsigned char *passwd, int count, unsigned char *code )
{
int i, j;
char symbol;
unsigned char buffer[100];
unsigned char base64_code[23];
int len = strlen( (char *)passwd );
//first time use md5 function with salt
strcpy( (char *)buffer, (char *)salt );
strcat( (char *)buffer, (char *)passwd );
MD5( buffer, strlen( (char *)buffer), buffer, 0 );
md5_to_unsigned_char( buffer );
//count times md5 function
for (i = 0; i < count; i++)
{
memcpy( (void *)&buffer[WORDPRESS_MD5_CHAR_NUM], passwd, len );
MD5( buffer, WORDPRESS_MD5_CHAR_NUM + len, buffer, 0 );
md5_to_unsigned_char( buffer );
}
base64Encode( buffer, base64_code );
strcpy( (char *)code, "$P$" );
code[3] = 'B';
code[4] = '\0';
strcat( (char *)code, (char *)salt);
memcpy( (void *)&code[12], base64_code, 22);
return 0;
}
// crack_wp_hash.sh
#!/bin/bash
hash=$1
pass=$2
for n in $(cat $hash)
do
echo "./wp_hash $pass '$n'"
`./wp_hash $pass $n >> crack_results.txt`
done
echo