The first step you must take in order to get an overview of Cryptex and how it works is to obtain a list of its imported functions. This can be done using any executable dumping tool such as those discussed in Chapter 4; I often choose Microsoft's DUMPBIN, which is a command-line tool. The import list is important because it will provide us with an overview of how Cryptex does some of the things that it does. For example, how does it read and write to the archive files? Does it use a section object, does it call into some kind of runtime library file I/O functions, or does it directly call into the Win32 file I/O APIs? Establishing which system (and other) services the program utilizes is critical because in order to track Cryptex's I/O accesses (which is what you're going to have to do in order to find the logic that generates and deciphers .crx files) you're going to have to place breakpoints on these function calls. Listing 6.2 provides (abridged) DUMPBIN output that lists imports from Cryptex.exe.
    KERNEL32.dll
                  138 GetCurrentDirectoryA
                   D3 FindNextFileA
                  1B1 GetStdHandle
                  15C GetFileSizeEx
                  12F GetConsoleScreenBufferInfo
                  2E5 SetConsoleCursorPosition
                   2E CloseHandle
                   4D CreateFileA
                  303 SetEndOfFile
                  394 WriteFile
                  2A9 ReadFile
                  169 GetLastError
                   C9 FindFirstFileA
                  30E SetFilePointer
                  13B GetCurrentProcessId
                  13E GetCurrentThreadId
                  1C0 GetSystemTimeAsFileTime
                  1D5 GetTickCount
                  297 QueryPerformanceCounter
                  177 GetModuleHandleA
                   AF ExitProcess

    ADVAPI32.dll
                   8C CryptDestroyKey
                   A0 CryptReleaseContext
                   8A CryptDeriveKey
                   88 CryptCreateHash
                   9D CryptHashData
                   99 CryptGetHashParam
                   8B CryptDestroyHash
                   8F CryptEncrypt
                   89 CryptDecrypt
                   85 CryptAcquireContextA

    MSVCR71.dll
                   CA _c_exit
                   FA _exit
                   4B _XcptFilter
                   CD _cexit
                   7C __p___initenv
                   C2 _amsg_exit
                   6E __getmainargs
                  13F _initterm
                   9F __setusermatherr
                   BB _adjust_fdiv
                   82 __p__commode
                   87 __p__fmode
                   9C __set_app_type
                   6B __dllonexit
                  1B8 _onexit
                   DB _controlfp
                   F1 _except_handler3
                   9B __security_error_handler
                  300 sprintf
                  305 strchr
                  2EC printf
                  297 exit
                  30F strncpy
                  1FE _stricmp

Listing 6.2 A list of all functions called from Cryptex.EXE, produced using DUMPBIN.
Let's go through each of the modules in Listing 6.2 and examine what it's revealing about how Cryptex works. Keep in mind that not all of these entries are directly called by Cryptex. Most programs statically link with other libraries (such as runtime libraries), which make their own calls into the operating system or into other DLLs. The entries in KERNEL32.dll are highly informative because they're telling us that Cryptex apparently uses direct calls into Win32 File I/O APIs such as CreateFile, ReadFile, WriteFile, and so on. The following section in Listing 6.2 is also informative and lists functions called from the ADVAPI32.dll module. A quick glance at the function names reveals a very important detail about Cryptex: It uses the Windows Crypto API (this is easy to spot with function names such as CryptEncrypt and CryptDecrypt).
Deciphering File Formats
The Windows Crypto API is a generic cryptographic library that provides support for installable cryptographic service providers (CSPs) and can be used for encrypting and decrypting data using a variety of cryptographic algorithms. Microsoft provides several CSPs that aren't built into Windows and support a wide range of symmetric and asymmetric cryptographic algorithms such as DES, RSA, and AES. The fact that Cryptex uses the Crypto API can be seen as good news, because it means that it is going to be quite trivial to determine which encryption algorithms the program employs and how it produces the encryption keys. This would have been more difficult if Cryptex were to use a built-in implementation of the encryption algorithm, because you would have to reverse it to determine exactly which algorithm it is and whether it is properly implemented. The next entry in Listing 6.2 is MSVCR71.DLL, which is the Visual C++ runtime library DLL. Here you can see the runtime library functions called by Cryptex. This doesn't really tell you much, except for the presence of the printf function, which is used for printing messages to the console window. The printf function is what you'd look at if you wanted to catch moments where Cryptex is printing certain messages to the console window.
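As an added example (not from the book and not part of Cryptex), the following Python script parses DUMPBIN /IMPORTS output of the kind shown in Listing 6.2, rebuilds the per-module import list, and groups the imports the text singles out (direct Win32 file I/O, the Crypt* calls in ADVAPI32.dll, and printf) into the families you would place breakpoints on. The sample input is constructed in DUMPBIN's format using a subset of the names from Listing 6.2, and the family lists are my own choice.

```python
import re

# Constructed sample in the shape of DUMPBIN /IMPORTS output: the module and
# function names are a subset of Listing 6.2, the table addresses are made up.
SAMPLE_DUMPBIN = """\
    KERNEL32.dll
                402000 Import Address Table
                402180 Import Name Table
                   4D CreateFileA
                  2A9 ReadFile
                  394 WriteFile
                  30E SetFilePointer
                   2E CloseHandle
    ADVAPI32.dll
                   85 CryptAcquireContextA
                   8A CryptDeriveKey
                   8F CryptEncrypt
                   89 CryptDecrypt
    MSVCR71.dll
                  2EC printf
                  300 sprintf
"""

MODULE_RE = re.compile(r"^\s*(\S+\.dll)\s*$", re.IGNORECASE)
# An import line is "<hex hint> <name>"; the table-address lines have more words and are skipped.
IMPORT_RE = re.compile(r"^\s*([0-9A-F]+)\s+(\S+)\s*$", re.IGNORECASE)
# Families the text singles out (assumed lists): direct file I/O on the .crx archive and
# console output. Crypto API calls are matched by their Crypt prefix in ADVAPI32.dll.
FAMILIES = {
    "archive I/O": {"CreateFileA", "ReadFile", "WriteFile", "SetFilePointer", "SetEndOfFile", "GetFileSizeEx", "CloseHandle"},
    "console output": {"printf", "sprintf"},
}

def parse_imports(text):
    """Return {module: [(hint, name), ...]} in the order DUMPBIN printed them."""
    imports, module = {}, None
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            module = m.group(1)
            imports.setdefault(module, [])
        elif module and (m := IMPORT_RE.match(line)):
            imports[module].append((int(m.group(1), 16), m.group(2)))
    return imports

def breakpoint_candidates(imports):
    """Group imports worth breakpointing as {family: ['module!function', ...]}."""
    found = {}
    for module, entries in imports.items():
        for _hint, name in entries:
            if module.lower() == "advapi32.dll" and name.startswith("Crypt"):
                found.setdefault("Crypto API", []).append(f"{module}!{name}")
            for family, names in FAMILIES.items():
                if name in names:
                    found.setdefault(family, []).append(f"{module}!{name}")
    return {family: sorted(names) for family, names in found.items()}
```

Feed it the real `dumpbin /imports Cryptex.exe` output instead of the sample and the resulting module!function names are the ones to break on when tracing .crx reads, writes and encryption.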
