Many attacks on hash functions can be reformulated in finding a hash 
execution with constraints being fixed values of internal variables. Those 
variables can be input or output bits, input of active S-boxes or AND 
operations, etc.. 

The constraints lead to a system of nonlinear equations, which sometimes 
can be solved with a fast algorithm resembling the Gaussian elimination. If a 
system has been solved then solutions can be produced with negligible time 
costs.

The main condition for the algorithm to succeed is relatively slow diffusion in
 the attacked primitive. Provided this we show how to attack AES as a hash 
function and prove that a 30-round MD6 compression function can be 
distinguished from the random oracle.

I will also show how it worked in practice in a GUI-tool.