One of the basic yardsticks we use to judge a cryptographic hash function is its resistance to second preimage attacks. That means that if I give you x and y such that H(x) = y, you should have a tough time finding x' such that H(x') = H(x) = y.
How tough? Brute-force tough. For a 2^b hash function, we want second preimage attacks to cost 2^b operations.
This turns out not to be the case for very long messages.
Consider the problem we're trying to solve: we want to find a message that will collide with H(x) in the very last block. But there are a ton of intermediate blocks, each with its own intermediate hash state.
What if we could collide into one of those? We could then append all the following blocks from the original message to produce the original H(x). Almost.
We can't do this exactly because the padding will mess things up.
What we need are expandable messages.
In the last problem we used multicollisions to produce 2^n colliding messages for n*2^(b/2) effort. We can use the same principles to produce a set of messages of length (k, k + 2^k - 1) for a given k.
Now you can make a message of any length in (k, k + 2^k - 1) blocks by choosing the appropriate message (short or long) from each pair.
Now we're ready to attack a long message M of 2^k blocks.
The padding in the final block should now be correct, and your forgery should hash to the same value as M.