The first step you must take in order to get an overview of Cryptex and how
it works is to obtain a list of its imported functions. This can be done using any
executable dumping tool such as those discussed in Chapter 4; I often choose
Microsoft’s DUMPBIN, which is a command-line tool. The import list is
important because it will provide us with an overview of how Cryptex does
some of the things that it does. For example, how does it read and write to the
archive files? Does it use a section object, does it call into some kind of runtime
library file I/O functions, or does it directly call into the Win32 file I/O APIs?
Establishing which system (and other) services the program utilizes is critical
because in order to track Cryptex’s I/O accesses (which is what you’re going to
have to do in order to find the logic that generates and deciphers .crx files)
you’re going to have to place breakpoints on these function calls. Listing 6.2 provides (abridged) DUMPBIN output that lists imports from Cryptex.exe.
KERNEL32.dll
138 GetCurrentDirectoryA
D3 FindNextFileA
1B1 GetStdHandle
15C GetFileSizeEx
12F GetConsoleScreenBufferInfo
2E5 SetConsoleCursorPosition
2E CloseHandle
4D CreateFileA
303 SetEndOfFile
394 WriteFile
2A9 ReadFile
169 GetLastError
C9 FindFirstFileA
30E SetFilePointer
13B GetCurrentProcessId
13E GetCurrentThreadId
1C0 GetSystemTimeAsFileTime
1D5 GetTickCount
297 QueryPerformanceCounter
177 GetModuleHandleA
AF ExitProcess
ADVAPI32.dll
8C CryptDestroyKey
A0 CryptReleaseContext
8A CryptDeriveKey
88 CryptCreateHash
9D CryptHashData
Listing 6.2 A list of all functions called from Cryptex.EXE, produced using DUMPBIN.
(continued)
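The triage the text describes (read the import list, work out which subsystems the program talks to, and turn that into a set of breakpoint targets) is easy to script. The following Python is an added example and is not code from the book or from Cryptex itself. The input is a constructed DUMPBIN /IMPORTS-style dump modelled on Listing 6.2 (the table-address lines and the addresses in them are made up and are included only so the parser is shown skipping them), and the API groupings and function names are my own assumptions, not something DUMPBIN produces.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on Listing 6.2.  Only the DLL-name lines
# and the "<hint> <name>" lines carry information; the "Import Address Table"
# style lines imitate what DUMPBIN prints between them (addresses invented).
SAMPLE_DUMPBIN_OUTPUT = """\
Dump of file Cryptex.exe

  Section contains the following imports:

    KERNEL32.dll
                4182D4 Import Address Table
                41A0F8 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  138 GetCurrentDirectoryA
                   D3 FindNextFileA
                  1B1 GetStdHandle
                  15C GetFileSizeEx
                  12F GetConsoleScreenBufferInfo
                  2E5 SetConsoleCursorPosition
                   2E CloseHandle
                   4D CreateFileA
                  303 SetEndOfFile
                  394 WriteFile
                  2A9 ReadFile
                  169 GetLastError
                   C9 FindFirstFileA
                  30E SetFilePointer
                  13B GetCurrentProcessId
                  13E GetCurrentThreadId
                  1C0 GetSystemTimeAsFileTime
                  1D5 GetTickCount
                  297 QueryPerformanceCounter
                  177 GetModuleHandleA
                   AF ExitProcess

    ADVAPI32.dll
                   8C CryptDestroyKey
                   A0 CryptReleaseContext
                   8A CryptDeriveKey
                   88 CryptCreateHash
                   9D CryptHashData
"""

# A DLL header is a bare "<name>.dll" line; an import entry is "<hex hint> <name>".
DLL_LINE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s*$")

# Assumed grouping of Win32 APIs by what they reveal about the program.
API_GROUPS = {
    "file I/O": {"CreateFileA", "ReadFile", "WriteFile", "SetFilePointer",
                 "SetEndOfFile", "GetFileSizeEx", "CloseHandle"},
    "directory enumeration": {"FindFirstFileA", "FindNextFileA",
                              "GetCurrentDirectoryA"},
    "CryptoAPI": {"CryptCreateHash", "CryptHashData", "CryptDeriveKey",
                  "CryptDestroyKey", "CryptReleaseContext"},
    "console": {"GetStdHandle", "GetConsoleScreenBufferInfo",
                "SetConsoleCursorPosition"},
}
CRT_FILE_FUNCS = {"fopen", "fread", "fwrite", "fseek", "_open", "_read", "_write"}


def parse_imports(text):
    """Return {dll_name: [(hint, function_name), ...]} from DUMPBIN-style text."""
    imports = {}
    current = None
    for line in text.splitlines():
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1)
            imports[current] = []
            continue
        m = IMPORT_LINE.match(line)
        if m and current is not None:
            imports[current].append((int(m.group(1), 16), m.group(2)))
    return imports


def classify(imports):
    """Group every import as 'dll!name' under the API_GROUPS label it belongs to."""
    groups = defaultdict(list)
    for dll, entries in imports.items():
        for _hint, name in entries:
            label = next((g for g, members in API_GROUPS.items() if name in members), "other")
            groups[label].append(f"{dll}!{name}")
    return {g: sorted(v) for g, v in groups.items()}


def file_io_style(imports):
    """Answer the page's question: Win32 file APIs directly, CRT wrappers, both, or neither?"""
    names = {name for entries in imports.values() for _h, name in entries}
    win32 = bool(names & API_GROUPS["file I/O"])
    crt = bool(names & CRT_FILE_FUNCS)
    return {(True, False): "Win32", (False, True): "CRT",
            (True, True): "both", (False, False): "none"}[(win32, crt)]


def breakpoint_candidates(imports):
    """The calls worth breaking on to trace .crx reads/writes and key derivation."""
    groups = classify(imports)
    return sorted(groups.get("file I/O", []) + groups.get("CryptoAPI", []))


if __name__ == "__main__":
    parsed = parse_imports(SAMPLE_DUMPBIN_OUTPUT)
    for label, names in classify(parsed).items():
        print(f"{label}: {', '.join(names)}")
    print("file I/O style:", file_io_style(parsed))
    print("breakpoints:", breakpoint_candidates(parsed))
```

On the abridged listing the script reports that archive access goes straight to KERNEL32's CreateFileA/ReadFile/WriteFile/SetFilePointer with no CRT file functions in sight, and that key material passes through ADVAPI32's CryptCreateHash/CryptHashData/CryptDeriveKey; those twelve entries are the breakpoint set the text is after.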
Deciphering File Formats 205