Reversing : The Hacker's Guide to Reverse Engineering
that stores the currently typed password. This is the variable at 00405038 against which the header data was compared in Listing ...
004022C8 MOV EAX,SS:[ESP+10]
004022CC PUSH ESI
004022CD PUSH 0
004022CF LEA EDX,SS:[ESP+C]
004022D3 PUSH EDX
004022D4 PUSH EAX
0 ...
MD5 (MD stands for message-digest) is a highly popular cryptographic hashing algorithm that produces a long (128-bit) hash or ...
00402300 SUB ESP,24
00402303 MOV EAX,DS:[405020]
00402308 PUSH EDI
00402309 MOV EDI,SS:[ESP+2C]
0040230D MOV SS:[ESP+24],EAX
004 ...
00402390 PUSH EAX
00402391 CALL DS:[<&ADVAPI32.CryptGetHashParam>]
00402397 TEST EAX,EAX
00402399 JNZ SHORT cryptex.00 ...
value 0x8003 as its algorithm ID, while this function uses 0x8004, which identifies the CALG_SHA algorithm. SHA is another hashing ...
of one hashing algorithm with another hashing algorithm? That is not clear at the moment. After the MD5 function returns (and as ...
Figure 6.1 Cryptex’s key-generation and password-verification process.
The Directory Layout
Now that you have a basic understand ...
The first hit comes from an internal system call made by ADVAPI32.DLL. Releasing the debugger brings it back to ReadFile again, e ...
00401A07 LEA EAX,SS:[ESP+14] ;
00401A0B PUSH EAX ; pBytesRead
00401A0C PUSH 28 ; BytesToRead = 28 (40.)
00401A0E PUSH cryptex.00 ...
00401A9A ADD ESI,98
00401AA0 SUB DWORD PTR SS:[ESP+14],1
00401AA5 JNZ SHORT cryptex.00401A70
00401AA7 MOV ECX,SS:[ESP+10]
00401A ...
00401051 LEA EDX,SS:[ESP+18] ;
00401055 PUSH EDX ; pOffsetHi
00401056 PUSH EAX ; OffsetLo
00401057 PUSH ESI ; hFile
00401058 CAL ...
This function starts out by reading a fixed size (4,104-byte) chunk of data from the archive file. The interesting thing about t ...
With this view, you can immediately see a somewhat improved picture. The first three DWORDs are obviously some kind of 32-bit fi ...
EDX is then added to itself twice. This is equivalent to edx = edx × 4, which means that so far you’ve essentially calculated ...
that the string starts at offset +14 in the structure, you can assume that there aren’t any additional data entries after it in ...
offset +8 contains the file size in clusters, so Cryptex is essentially checking for a nonzero file size. The fact that Cryptex ...
The File Extraction Process
Cryptex would not be worth much without having the ability to decrypt and extract files from its enc ...
00401C20 PUSH 0 ; /pOverlapped = NULL
00401C22 LEA EAX,SS:[ESP+24] ; |
00401C26 PUSH EAX ; |pBytesRead
00401C27 PUSH 28 ; |Bytes ...
00401CBC PUSH cryptex.004032B0 ; |format = "File "%s" not found in archive."
00401CC1 CALL DS:[<&MSVCR71.printf>]
0040 ...