In case anyone cared how long it takes to get `deadbeef`, it took me about 30 minutes on MBP.

```
peterdietz:gitbrute peterdietz$ time go run gitbrute.go --prefix deadbeef
[master deadbeef] Merge pull request #3 from Jubobs/master
 Author: Brad Fitzpatrick <brad@danga.com>

real 30m9.491s
user 177m7.754s
sys 6m20.912s
```

Then, it's a pretty normal looking git hash:

```
peterdietz:gitbrute peterdietz$ git log
commit deadbeef384da2b4b9c7701a93f1c85977027b30
Merge: 12179d7 37350ac
Author: Brad Fitzpatrick <brad@...>
Date: Fri Oct 17 07:14:08 2014 -0700

    Merge pull request #3 from Jubobs/master

    correct typo in README
```

One of the doomsday ideas of full-collision `deadbeefdeadbeefdeadbeefdeadbeefdeadbeef`, yeah, that would take a looong time, but yeah, theoretical.
Cute! This is the same approach I used to generate the feefee commit on my Large Hashsum Collider project in February 2013, except mine was written in JavaScript, and generated the collision by jiggling words in the commit message instead of the timestamps.
Lol.
gitbrute could've been handy during the last Stripe CTF, for the 2nd task.
How'd you do that?
@karan commit hashes are just sha1 hashes. Since there are no limitations on how many times you can alter the commit, you can repeatedly alter it (though you would have to automate this for it to be at all effective) until the hash begins with the text you desire. It's the same idea behind Bitcoin vanity addresses.
That's smart dude.
This is great.
Delight!
Yeah, level1 in Stripe CTF3 was pretty much this. https://github.com/ctfs/write-ups/tree/master/stripe-ctf3/level1#readme
I don't know enough about how the sha sums are generated (I assume it's based on commit contents + time of commit + commit message + "voodoo magic"), but assuming that each `[a-f][0-9]` is distributed uniformly and has an equal chance of appearing at any position, then the odds of generating `deadbeef` in the first 8 characters is

Right? So you end up having to generate a lot of hashes in order to get `deadbeef`.
@coldhawaiian That's per attempt.
If you go through 1 million attempts per second, the expected time to get a match would be 72 minutes.
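
The search the comments above describe, as an added example that is not part of the thread and is not gitbrute's own code: it hashes a commit object the way git does and walks the author and committer timestamps until the ID starts with a chosen prefix, which is why a short abbreviated hash cannot be relied on to identify a commit. The commit body, names, base timestamp and walk order are constructed for illustration; `expectedMinutes` reproduces the 72-minute estimate for 8 hex digits at 1 million attempts per second.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// objectID hashes an object the way git does: SHA-1 over "<kind> <len>\x00" + body.
func objectID(kind string, body []byte) string {
	h := sha1.New()
	fmt.Fprintf(h, "%s %d\x00", kind, len(body))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// buildCommit returns a constructed commit body; only the two timestamps vary.
func buildCommit(authorTime, commitTime int64) []byte {
	return []byte(fmt.Sprintf("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"+
		"author Example Author <author@example.invalid> %d -0700\n"+
		"committer Example Author <author@example.invalid> %d -0700\n\n"+
		"constructed sample commit\n", authorTime, commitTime))
}

// search walks both timestamps backwards from base until the ID starts with prefix.
func search(prefix string, base int64) (string, int) {
	attempts := 0
	for a := int64(0); ; a++ {
		for c := int64(0); c <= a; c++ {
			attempts++
			if id := objectID("commit", buildCommit(base-a, base-c)); strings.HasPrefix(id, prefix) {
				return id, attempts
			}
		}
	}
}

// expectedMinutes is 16^n candidates (the mean number of tries) divided by the hash rate.
func expectedMinutes(hexDigits int, perSecond float64) float64 {
	return float64(uint64(1)<<(4*uint(hexDigits))) / perSecond / 60
}

func main() {
	id, n := search("dea", 1413555248) // base timestamp is a constructed sample value
	fmt.Printf("%s after %d attempts\n", id, n)
	fmt.Printf("8 hex digits at 1e6/s: %.1f min\n", expectedMinutes(8, 1e6))
}
```

Each extra hex digit in the prefix multiplies the expected work by 16, so the 3-digit search here finishes almost instantly while 8 digits takes on the order of an hour at that rate.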
I just knew there would be other uses for bitcoin mining hardware....