CRACKED — Claude Code Companion Decoder

CLAUDE CODE COMPANION DECODER

CRACKED

An Wyhash preimage attack, beautifully packaged.

YOUR ACCOUNT UUID

Find yours: ~/.claude.json → oauthAccount.accountUuid

Wyhash is not a cryptographic hash function.
Preimage attacks are trivially fast.
This tool runs entirely in your browser.

How does this work? →

CRACKED

CRACKING

TRIED

0

SPEED

0M/s

ELAPSED

0.000s

LIVE CANDIDATES

searching... 0%

⚡ PREIMAGE FOUND

THE STRING WAS

HOW TO USE THIS

Copy the string above. Then tell Claude Code:

Click to copy. The companion regenerates from the UUID on every read — no restart needed.

Manual path: ~/.claude/.claude.json → oauthAccount.accountUuid

HOW THIS WORKS

Wyhash is not a cryptographic
hash function.

WHAT WYHASH IS Wyhash is a non-cryptographic hash designed for speed. Claude Code uses Bun.hash() — which is Zig's std.hash.Wyhash — masked to 32 bits. It has no preimage resistance. It was never meant to keep secrets. seed = wyhash_init(0, secret[0], secret[1]) // process input in 16-byte blocks with 64-bit multiply-mix a = read64(input) ^ secret[1] b = read64(input+8) ^ seed (lo, hi) = 128bit_multiply(a, b) return mix(lo ^ secret[0] ^ len, hi ^ secret[1]) & 0xFFFFFFFF

WHAT A PREIMAGE ATTACK IS A preimage attack finds any input that produces a given hash output. For a cryptographic hash (SHA-256, bcrypt), this is computationally infeasible. For Wyhash with a constrained input space, it takes milliseconds.

THE COMPANION PIPELINE Claude Code's /buddy system generates companions deterministically: userId = config.oauthAccount.accountUuid seed = wyhash(userId + "friend-2026-401") rng = Mulberry32(seed) rarity = rng() \to weighted pick species = rng() \to uniform pick eyes = rng() \to uniform pick hat = rng() \to uniform pick (none if common) shiny = rng() < 0.01 stats = rng() \times 5 \to peak/dump/fill The "bones" (appearance, stats) are never stored — they're re-derived from the userId hash on every read. The "soul" (name, personality) is generated once by Claude and persisted. Editing config can't change rarity... but editing the UUID input can.

WHY THIS IS INSTANT 32-bit output = only ~4.3 billion possible companions total. Modern browsers compute Wyhash at ~5M hashes/sec per Web Worker. With 8 workers: ~400M/sec. Worst case: 11 seconds to try every possible seed. With prefix constraints, typically under 100ms.

The point: using Wyhash as the sole entropy source for a gacha-style system means the "randomness" is trivially reversible. The anti-cheat comment in the source says "editing config.companion can't fake a rarity" — and they're right. But editing the UUID input to the hash function can produce any rarity. They guarded the output and left the input wide open.

RESPONSIBLE DISCLOSURE This is not a security vulnerability. Wyhash is working as designed — it was never meant to be cryptographic. This tool exists to demonstrate a design choice, not to exploit one. Built by Jake L'Ami with Claude Opus 4.6 (Ike). Claude reverse-engineered the companion system from the Claude Code source, computed the hash collisions, built the brute forcer, and wrote the web app. The human bought the domain at 2am. If Anthropic's safety and alignment team would like to talk about what else we found in the source: the domain name is the ask.

← Back