////////////////////////////////////////////////////////////////////////////
///////////////////////////////
//
// MySQL brute force password crack
//
// to compile : gcc -omysqlpassword mysqlpassword.c -O6 -lm
//
#include <stdio.h>
#include <stdlib.h>
#include <math.h>

struct rand_struct {
	unsigned long seed1,seed2,max_value;
	double max_value_dbl;
};

void make_scrambled_password(char *,const char *);
char *scramble(char *,const char *,const char *, int);


////////////////////////////////////////////////////////////////////////////
///////////////////////////////
//
// Min / Max brute range. Min == ' ' Max == '~' see std ascii chart
//
#define MIN 32
#define MAX 126

int brute(char *to,const char* password) {
	
////////////////////////////////////////////////////////////////////////////
///////////////////////////////
	//
	// weak 1-9 MIN-MAX character brute
	//
	int i;
	unsigned long attempts=0;
	char hash[32]={MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN};
	char temp[32]={MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN,MIN};
	for(hash[9]=MIN;hash[9]<MAX;hash[9]++) {
	for(hash[8]=MIN;hash[8]<MAX;hash[8]++) {
	for(hash[7]=MIN;hash[7]<MAX;hash[7]++) {
	for(hash[6]=MIN;hash[6]<MAX;hash[6]++) {
	for(hash[5]=MIN;hash[5]<MAX;hash[5]++) {
	for(hash[4]=MIN;hash[4]<MAX;hash[4]++) {
	for(hash[3]=MIN;hash[3]<MAX;hash[3]++) {
	for(hash[2]=MIN;hash[2]<MAX;hash[2]++) {
	for(hash[1]=MIN;hash[1]<MAX;hash[1]++) {
	for(hash[0]=MIN;hash[0]<MAX;hash[0]++) {
		attempts++;
		sprintf(temp,"%s",hash);
		for(i=0;i<10;i++) {
			if(temp[i]==MIN) {
				temp[i]='\0';
			}
		}
		make_scrambled_password(to,temp);
		if(!strcmp(to,password)) {
			printf("MATCH [%s] [%s]==[%s]\n",temp,to,password);
			return(0);
		}
		if(attempts % 100000 == 0) {
			// Show status every 100,000 records
	
printf("(%li)\t[0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%02x,0x%0
2x,0x%02x]\t[%s]
[%s]!=[%s]\n",attempts,hash[0],hash[1],hash[2],hash[3],hash[4],hash[5],hash[
6],hash[7],hash[8],hash[9],temp,to,password);
		}
	}
	}
	}
	}
	}
	}
	}
	}
	}
	}
	return(-1);
}

int main(int argc, char* argv[]) {
	char *to;
	if(argc!=2) {
		fprintf(stderr,"usage : %s [ENCRYPTED MYSQL
PASSWORD]\nexample , 5d2e19393cc5ef67 is encrypted value 'password' : %s
5d2e19393cc5ef67\n",argv[0],argv[0]);
		return(0);
	}
	to=malloc(1024);
	return(brute(to,argv[1]));
}
////////////////////////////////////////////////////////////////////////////
///////////////////////////////
//
// thx mysql source ^_^
//
void randominit(struct rand_struct *rand_st,ulong seed1, ulong seed2) {
	rand_st->max_value= 0x3FFFFFFFL;
	rand_st->max_value_dbl=(double) rand_st->max_value;
	rand_st->seed1=seed1%rand_st->max_value ;
	rand_st->seed2=seed2%rand_st->max_value;
}
static void old_randominit(struct rand_struct *rand_st,ulong seed1) {
	rand_st->max_value= 0x01FFFFFFL;
	rand_st->max_value_dbl=(double) rand_st->max_value;
	seed1%=rand_st->max_value;
	rand_st->seed1=seed1 ; rand_st->seed2=seed1/2;
}
double rnd(struct rand_struct *rand_st) {
	rand_st->seed1=(rand_st->seed1*3+rand_st->seed2) %
rand_st->max_value;
	rand_st->seed2=(rand_st->seed1+rand_st->seed2+33) %
rand_st->max_value;
	return(((double) rand_st->seed1)/rand_st->max_value_dbl);
}
void hash_password(ulong *result, const char *password) {
	register ulong nr=1345345333L, add=7, nr2=0x12345671L;
	ulong tmp;
	for (; *password ; password++) {
		if (*password == ' ' || *password == '\t')
			continue;
		tmp= (ulong) (unsigned char) *password;
		nr^= (((nr & 63)+add)*tmp)+ (nr << 8);
		nr2+=(nr2 << 8) ^ nr;
		add+=tmp;
	}
	result[0]=nr & (((ulong) 1L << 31) -1L); /* Don't use sign bit
(str2int) */;
	result[1]=nr2 & (((ulong) 1L << 31) -1L);
	return;
}
void make_scrambled_password(char *to,const char *password) {
	ulong hash_res[2];
	hash_password(hash_res,password);
	sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);
}
static inline uint char_val(char X) {
	return (uint) (X >= '0' && X <= '9' ? X-'0' : X >= 'A' && X <= 'Z' ?
X-'A'+10 : X-'a'+10);
}
char *scramble(char *to,const char *message,const char *password, int
old_ver) {
	struct rand_struct rand_st;
	ulong hash_pass[2],hash_message[2];
	if(password && password[0]) {
		char *to_start=to;
		hash_password(hash_pass,password);
		hash_password(hash_message,message);
		if (old_ver)
			old_randominit(&rand_st,hash_pass[0] ^
hash_message[0]);
		else
			randominit(&rand_st,hash_pass[0] ^ hash_message[0],
		hash_pass[1] ^ hash_message[1]);
		while (*message++)
			*to++= (char) (floor(rnd(&rand_st)*31)+64);
		if (!old_ver) {
			char extra=(char) (floor(rnd(&rand_st)*31));
			while(to_start != to)
				*(to_start++)^=extra;
			}
		}
	*to=0;
	return to;
}