Forensics sTMNxQr

Published on February 3rd, 2019 📆 | 2104 Views ⚑


sheep-wolf – Exploit MD5 Collisions For Malware Detection

sheep-wolf is a tool to help you Exploit MD5 Collisions in software, specially malware samples which are commonly detected using MD5 hash signatures.


  • 32-bit Windows (virtual) machine (64-bit breaks stuff)
  • Visual Studio 2012 to compile the projects (Express will do)
  • Fastcoll for collisions
  • Optional: Cygwin+MinGW to compile Evilize


How does it work?

  • shepherd.bat executes shepherd.exe with the user supplied command line arguments
    • shepher.exe generates a header file (sc.h) that contains the encrypted shellcode, the password and the CRC of the plain shellcode
  • shepherd.bat executes the build process of sheep.exe
    • sheep.exe is built with sc.hincluded by Visual Studio
  • shepherd.bat executes evilize.exe
    • evilize.exe calculates a special IV for the chunk of sheep.exe right before the block where the collision will happen
    • evilize.exe executes fastcoll.exe with the IV as a parameter
      • fastcoll.exe generates two 128 byte colliding blocks: a and b
    • evilize.exe replaces the original string buffers of sheep.exe so that they contain combinations a and b
    • The resulting files (evilize/wolf.exe and evilize/sheep.exe ) have the same MD5 hashes but behave differently. The real code to be executed only appears in the memory of evilize/wolf.exe.

You can download sheep-wolf here:

Or read more here.

Free Download WordPress Themes
Download Premium WordPress Themes Free
Download Premium WordPress Themes Free
Free Download WordPress Themes
free download udemy paid course

Tagged with:

Leave a Reply ✍