Java MD5 (hex)

I needed to write a Java program that logs in through the vBulletin login system.
As you may know, many PHP boards use MD5 for hashing passwords.
vBulletin uses a “more advanced way” of hashing, just like phpBB3. phpBB2 used plain old MD5 hashes.
So I needed to find out how I could use MD5 in Java.

Of course there is no MD5 function like the one in PHP.
That’s why I went looking for a function that can do it: a quick Google search for “java MD5 function”, after which I looked at the links on the first pages and tried the functions that weren’t too long.

FAIL

I created the vBulletin login system in Java, and with the first test account I could log in… BUT my own login failed :(. Quite irritating: you try 10 passwords, they all work, and when you put it live, many people complain they can’t log in…

As I got “lucky” with my password, I found that my hashed login was wrong, and after some debugging I found that a 0 (zero) was missing in the first MD5. So the MD5 function was WRONG :(

As a test, I created a program that generates random passwords and computes the MD5 of each with the functions I found on different sites (found by using Google).

Extra info

Both MySQL’s and PHP’s MD5 functions return hex notation. Clearly not all the MD5 functions I found produce hex notation; this is not a must, but of course it is needed to be compatible with PHP/MySQL.

The problem

In the next image you can see the standard behavior of the MD5 functions I found.
Most of them look okay, but notice that the one from bombaydigital uses upper-case hex notation, and feeding that into another round of MD5 will go wrong.
The one found on Stack Overflow clearly doesn’t use hex notation. And the one from Spiration lost a 0 (zero).

[Image: MD5 function output from different sites]

With double MD5 you see the differences even faster, like shown in the next image:

[Image: differences seen by using double use of MD5 functions found for Java]

In the first marked line you see that Spiration’s MD5 is wrong; in the second marked line you see that Spiration’s MD5 is OK. So it’s not reliable.
In the first and second marked lines you can see that dzone’s MD5 is OK, but the third and fourth are wrong. Also not reliable.
As noted for single MD5, the Stack Overflow one is not hex and bombaydigital’s is upper-case, so neither function gives me the expected output.

The right solution

This leaves us with the one from twmacinta. It clearly works, but it takes 779 lines of code (including comments).
That’s not really worth it when it can be done in nearly 10 lines of code.

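public String MD5(String md5) {
    try {
        java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
        // getBytes() uses the platform default charset; it must match the bytes PHP hashed.
        byte[] array = md.digest(md5.getBytes());
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < array.length; ++i) {
            // OR-ing with 0x100 forces three hex digits; substring(1,3) keeps the last two,
            // so bytes below 0x10 keep their leading zero. Output is lower-case hex.
            sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1,3));
        }
        return sb.toString();
    } catch (java.security.NoSuchAlgorithmException e) {
        // MD5 is not available in this runtime; fall through and return null.
    }
    return null;
}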
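
A self-check for the failure modes described above (a lost zero, upper-case hex fed into a second round), as an added example that is not code from this post or from any of the sites it mentions. It checks a hex encoder against the RFC 1321 test vectors and then applies the salted double MD5 formula quoted in the comments on this post. Assumptions: the class and method names are hypothetical, `hexDropsZero` is a constructed stand-in for a faulty encoder (the post does not show the faulty code), input bytes are UTF-8, and the password and salt are made up.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class Md5HexCheck {
    static byte[] md5(String s) throws Exception {
        // Assumption: UTF-8 input bytes; this must match what the PHP side hashed.
        return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Two lower-case hex digits per byte, the notation PHP and MySQL md5() return.
    static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Constructed faulty encoder: BigInteger drops leading zeros of the whole value.
    static String hexDropsZero(byte[] d) {
        return new BigInteger(1, d).toString(16);
    }

    // Formula quoted in the comments on this post: md5(md5($password) . $salt)
    static String saltedDoubleMd5(String password, String salt) throws Exception {
        return hex(md5(hex(md5(password)) + salt));
    }

    public static void main(String[] args) throws Exception {
        // RFC 1321 test vectors; the digest of "a" begins with a zero nibble.
        String[][] vectors = {
            {"", "d41d8cd98f00b204e9800998ecf8427e"},
            {"a", "0cc175b9c0f1b6a831c399e269772661"},
            {"abc", "900150983cd24fb0d6963f7d28e17f72"},
        };
        for (String[] v : vectors) {
            byte[] d = md5(v[0]);
            if (!hex(d).equals(v[1])) throw new AssertionError("encoder wrong for: " + v[0]);
            System.out.printf("%-5s faulty encoder matches: %b (length %d)%n",
                    "\"" + v[0] + "\"", hexDropsZero(d).equals(v[1]), hexDropsZero(d).length());
        }
        // Upper-case hex names the same digest, but hashing it again gives a different result.
        String inner = hex(md5("a"));
        System.out.println("second round equal after toUpperCase: "
                + hex(md5(inner)).equals(hex(md5(inner.toUpperCase()))));
        // Constructed password and salt, for illustration only.
        System.out.println(saltedDoubleMd5("correct horse", "x7Q"));
    }
}
```

The faulty encoder passes two of the three vectors, which is why a handful of test passwords can all appear to work before a live login fails.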

So don’t just copy/paste everything you find using Google. Other sites (just like me) can be wrong; yes, we are also just people.

This Post Has 4 Comments

  1. Detective Fox M.

    This was helpful but I’m wondering if you could possibly explain in greater detail what the vbulletin login in its entirety looks like.

  2. Tom V

    $hash = md5(md5($password) . $salt);

    wherein $password is the plain password and $salt is the salt for that user (found in the db)

  3. Detective Fox M.

    Thanks again. My situation is this: I need to log into vbulletin with my username and password using POST in Java. Is this what you did as well? Are the POST form names “vb_login_password” and “vb_login_username”? I can’t seem to find this information anywhere.

  4. Tom V

    Sorry for the late answer, but I’m not going further into this. I suggest asking this at the vBulletin forums, as I don’t have enough insight into vBulletin.
