Rating:

# __Sharif CTF 8__
## _fHash_

## Information
**Category:** | **Points:** | **Writeup Author**
--- | --- | ---
Crypto | 200 | MiKHalyCH

**Description:**

> We designed a hash function called "fHash". fHash takes a message (M), as well as two initialization values, designated as left (hl) and right (hr). You can find the implementation of fHash [here](fHash.py).
Let M1 = '7368617269666374'. Notice that fHash('7575', 'A8A8', M1) = '260c01da'.
Find M2 ≠ M1, as well as two initialization values hl and hr, such that fHash(hl, hr, M2) = '260c01da'. That is, find a [second-preimage](https://en.wikipedia.org/wiki/Preimage_attack) for M1.
Each of hl and hr must be two bytes, while M2 must be 8 bytes.

## Solution

As we can see, [algo](fHash.py) splits M1 into 4 blocks.
We don't need to search values for all 4 iterations. Only for first.

Now our task in searching new hl_, hr_, m that gives same value at first iteration, as initial hl, hr, M1[:4].
It's easy to use [random bruteforce](solver.py) here, because we just need to get same md5(hr_+m)[:4], not full collision.
Then we can brute hl_ and get new values for old hash: hl_, hr_, m+M1[4:]

Original writeup (https://github.com/VoidHack/write-ups/tree/master/SharifCTF%208/crypto/fHash).