sigcrack is a Rust-based tool designed to find Solidity function signature collisions. This tool is useful for colliding 4-byte Keccak256 hashes, particularly in the context of Ethereum smart contracts where function signatures can collide through brute force.
You need Rust and Cargo installed on your machine. See the installation guide here.
Then clone the repo and install the CLI globally like this:
cargo install --path .
sigcrack has the following options:
--target-hash <HASH>
: The target 4-byte Keccak-256 hash prefix (required).--prefix <PREFIX>
: The prefix for the function names (optional).--suffix <SUFFIX>
: The suffix for the function names (optional).--length <LENGTH>
: The length of the guessed elements of the function name to be generated (optional, default is 6).
For detailed information on each command and its options, you can access the help message by running such commands:
sigcrack -h
sigcrack <COMMAND> -h
sigcrack --target-hash 0x12345678
This command runs with only a target hash specified. It will:
- Search for function names that, when hashed with Keccak-256, produce a 4-byte prefix matching the given target hash
0x12345678
. - Use the default length of 6 characters for function names.
- Generate function names using alphanumeric characters (a-z, A-Z, 0-9).
- Continue searching until a match is found sooner or later.
If no specific function parameters are provided, the tool will loop through the following default parameter types: uint256
, address
, bool
, bytes
, string
, and ()
.
The brute-force algorithm used in sigcrack has an overall time complexity similar to a normal brute-force attack, which can be expressed as:
-
$L$ is the total length of the function name, -
$P$ is the length of the prefix (if any), -
$S$ is the length of the suffix (if any), -
$C$ is the constant time taken to compute the keccak256 hash, which is$O(1)$ .
The term
The term
In summary, the time complexity indicates that the number of combinations grows exponentially with the length of the function name minus the lengths of the prefix and suffix, and each combination requires a constant amount of time to compute its hash.
Given a speed of approximately 4.4 MH/s, the expected time to find a matching hash can be estimated based on the number of combinations generated. For example, if you are searching for function names of length 6 with no prefix or suffix, the total combinations would be
- Total combinations:
$$62^6 \approx 56.8 \text{ billion} $$ \ - Speed:
$4.4 \text{ MH/s}$ - Expected time (in seconds):
$\text{Expected Time} = \frac{56,800,235,584}{4,400,000} \approx 12,909 \text{ seconds} \approx 3.6 \text{ hours}$
This means that on average it will take approximately 3 hours to guarantee finding a matching function signature. The actual time can vary depending on the length and constraints provided. Some searches may take around 10 minutes, while others may take up to 5 hours. In my experience, it usually takes around 45 minutes or less.
sigcrack --target-hash 0x12345678 --length 8
This command specifies a custom length for the function names:
- Generate function names that are exactly 8 characters long.
- Use alphanumeric characters for the entire name.
- Useful when you want to constraint the exact length of the function you're looking for.
sigcrack --target-hash 0x12345678 --prefix Hello
- This command adds a prefix to the search:
- All generated function names will start with "Hello" now.
- The remaining characters will be filled with alphanumeric characters by the given length.
- The total length of the function name will be the prefix plus 6 characters by default.
- Useful when you want a beginning of one function name but need to find the rest to match the desired signature.
sigcrack --target-hash 0x12345678 --suffix "(uint256)"
This command adds a function parameter constraint:
- All generated function names will end with the desired function parameter
(uint256)
. - The characters before the parameters will be filled with alphanumeric characters.
- The total length of the function name will be 6 characters by default.
- Useful when you want a specific function parameter but need a valid signature.
sigcrack --target-hash 0x12345678 --prefix Hello --suffix "(uint256)" --length 8
This command combines prefix, suffix, and length constraints:
- Function names will start with "Hello" and have the parameter
(uint256)
. - The total length of the function name (excluding prefix and suffix) will be 8 characters.
- The tool will generate variations to fill the space between the prefix and suffix.
- Useful when you want the start of a function and a specific function parameter but need to find a valid signature.
To uninstall the program, run:
cargo uninstall sigcrack
Contributions are welcome! Open an issue or submit a pull request with your improvements.
This project is licensed under the MIT License. See the LICENSE file for details.
For any questions or feedback, please take contact or submit an issue in the repository. Happy cracking!