8.7. ENCRYPTED DATABASE CASE #1
checked with my tracer utility, but any debugger can be used). I checked, if my CPU really supports AES
instructions. Some Intel i3 CPUs are not. And if not, CryptoPP library falling back to AES functions imple-
mented in old way^22. But my CPU supports them. WhyAESDECis still not executed? Why the program
use AES encryption in order to decrypt database?
OK,it’snotaproblemtofindafunctionwhichencryptsblock. ItiscalledCryptoPP::Rijndael::Enc::ProcessAndXorBlock:
https://github.com/mmoss/cryptopp/blob/2772f7b57182b31a41659b48d5f35a7b6cedd34d/src/rijndael.
cpp#L349, and it can call from another function:Rijndael::Enc::AdvancedProcessBlocks()
https://github.com/mmoss/cryptopp/blob/2772f7b57182b31a41659b48d5f35a7b6cedd34d/src/rijndael.
cpp#L1179, which, in turn, can be call the two functions (AESNI_Enc_BlockandAESNI_Enc_4_Blocks)
which hasAESENCinstructions.
So, judging by CryptoPP internals,
CryptoPP::Rijndael::Enc::ProcessAndXorBlock()encrypts one 16-byte block. Let’s set breakpoint on it and
see, what happens during decryption. I use my simple tracer tool again. The software must decrypt
first data block now. Oh, by the way, here is the first data block converted from base64 encoding to
hexadecimal data, let’s have it at hand:
00000000: CA 39 B1 85 75 1B 84 1F F9 31 5E 39 72 13 EC 5D .9..u....1^9r..]
00000010: 95 80 27 02 21 D5 2D 1A 0F D9 45 9F 75 EE 24 C4 ..'.!.-...E.u.$.
00000020: B1 27 7F 84 FE 41 37 86 C9 C0 .'...A7...
These are also arguments of the function from CryptoPP source files:
size_t Rijndael::Enc::AdvancedProcessBlocks(const byte inBlocks, const byte xorBlocks, byte *⤦
ÇoutBlocks, size_t length, word32 flags);
So it has 5 arguments. Possible flags are:
enum {BT_InBlockIsCounter=1, BT_DontIncrementInOutPointers=2, BT_XorInput=4, ⤦
ÇBT_ReverseDirection=8, BT_AllowParallel=16} FlagsForAdvancedProcessBlocks;
OK, run tracer onProcessAndXorBlock()function:
... tracer.exe -l:filename.exe bpf=filename.exe!0x4339a0,args:5,dump_args:0x10
Warning: no tracer.cfg file.
PID=1984|New process software.exe
no module registered with image base 0x77320000
no module registered with image base 0x76e20000
no module registered with image base 0x77320000
no module registered with image base 0x77220000
Warning: unknown (to us) INT3 breakpoint at ntdll.dll!LdrVerifyImageMatchesChecksum+0x96c (0⤦
Çx776c103b)
(0) software.exe!0x4339a0(0x38b920, 0x0, 0x38b978, 0x10, 0x0) (called from software.exe!.text+0⤦
Çx33c0d (0x13e4c0d))
Argument 1/5
0038B920: 01 00 00 00 FF FF FF FF-79 C1 69 0B 67 C1 04 7D "........y.i.g..}"
Argument 3/5
0038B978: CD CD CD CD CD CD CD CD-CD CD CD CD CD CD CD CD "................"
(0) software.exe!0x4339a0() -> 0x0
Argument 3/5 difference
00000000: C7 39 4E 7B 33 1B D6 1F-B8 31 10 39 39 13 A5 5D ".9N{3....1.99..]"
(0) software.exe!0x4339a0(0x38a828, 0x38a838, 0x38bb40, 0x0, 0x8) (called from software.exe!.⤦
Çtext+0x3a407 (0x13eb407))
Argument 1/5
0038A828: 95 80 27 02 21 D5 2D 1A-0F D9 45 9F 75 EE 24 C4 "..'.!.-...E.u.$."
Argument 2/5
0038A838: B1 27 7F 84 FE 41 37 86-C9 C0 00 CD CD CD CD CD ".'...A7........."
Argument 3/5
0038BB40: CD CD CD CD CD CD CD CD-CD CD CD CD CD CD CD CD "................"
(0) software.exe!0x4339a0() -> 0x0
(0) software.exe!0x4339a0(0x38b920, 0x38a828, 0x38bb30, 0x10, 0x0) (called from software.exe!.⤦
Çtext+0x33c0d (0x13e4c0d))
Argument 1/5
0038B920: CA 39 B1 85 75 1B 84 1F-F9 31 5E 39 72 13 EC 5D ".9..u....1^9r..]"
Argument 2/5
0038A828: 95 80 27 02 21 D5 2D 1A-0F D9 45 9F 75 EE 24 C4 "..'.!.-...E.u.$."