Published on February 3rd, 2019
sheep-wolf – Exploit MD5 Collisions For Malware Detection
sheep-wolf is a tool that helps you exploit MD5 collisions in software, especially malware samples, which are commonly detected using MD5 hash signatures.
- 32-bit Windows (virtual) machine (64-bit breaks stuff)
- Visual Studio 2012 to compile the projects (Express will do)
- Fastcoll for collisions
- Optional: Cygwin+MinGW to compile Evilize
How does it work?
- shepherd.exe with the user supplied command line arguments
- shepherd.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
- shepherd.bat executes the build process of sheep.exe
- sheep.exe is built with sc.h included by Visual Studio
- evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
- fastcoll.exe with the IV as a parameter
- fastcoll.exe generates two 128 byte colliding blocks:
- evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations
- The resulting files (evilize/sheep.exe) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of
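A defender-side check for the outcome described above, as an added example that is not part of sheep-wolf or the original post: it groups samples by MD5, flags any group whose SHA-256 digests disagree, and reports the 64-byte-aligned region where the files differ. The colliding block is the publicly known Wang et al. (2004) pair, the suffix and file names are constructed, and `find_md5_collisions` and `diff_region` are names chosen for this example.

```python
import hashlib
from collections import defaultdict

# Publicly known 128-byte MD5 collision block (Wang et al., 2004); not taken from sheep-wolf.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
# Its colliding partner differs only in the top bit of six bytes.
BLOCK_B = bytes(b ^ 0x80 if i in (19, 45, 59, 83, 109, 123) else b
                for i, b in enumerate(BLOCK_A))

# Constructed stand-ins for two files that are identical after the colliding block.
SUFFIX = b"constructed trailing bytes shared by both samples;" * 4
SAMPLES = {
    "sample_a.bin": BLOCK_A + SUFFIX,
    "sample_b.bin": BLOCK_B + SUFFIX,
    "unrelated.bin": b"constructed unrelated file",
}

def diff_region(x, y, block=64):
    """Byte range, aligned to MD5's 64-byte blocks, that covers every difference."""
    if len(x) != len(y):
        return None  # this example only compares equal-length files
    offs = [i for i, (p, q) in enumerate(zip(x, y)) if p != q]
    if not offs:
        return None
    return (offs[0] // block * block, (offs[-1] // block + 1) * block)

def find_md5_collisions(samples):
    """Group samples by MD5 and report groups whose SHA-256 digests disagree."""
    by_md5 = defaultdict(list)
    for name, data in samples.items():
        by_md5[hashlib.md5(data).hexdigest()].append(name)
    findings = []
    for md5, names in by_md5.items():
        sha = {n: hashlib.sha256(samples[n]).hexdigest() for n in names}
        if len(set(sha.values())) > 1:  # same MD5, different content
            first, second = sorted(names)[:2]
            findings.append({"md5": md5, "sha256": sha,
                             "region": diff_region(samples[first], samples[second])})
    return findings

if __name__ == "__main__":
    for finding in find_md5_collisions(SAMPLES):
        print(finding)
```

Because MD5 processes input in 64-byte blocks and both samples reach the same internal state after the colliding 128 bytes, any identical suffix keeps the MD5 digests equal while SHA-256 still tells the files apart.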
You can download sheep-wolf here:
Or read more here.