99 CryptGetHashParam
8B CryptDestroyHash
8F CryptEncrypt
89 CryptDecrypt
85 CryptAcquireContextA
MSVCR71.dll
CA _c_exit
FA _exit
4B _XcptFilter
CD _cexit
7C __p___initenv
C2 _amsg_exit
6E __getmainargs
13F _initterm
9F __setusermatherr
BB _adjust_fdiv
82 __p__commode
87 __p__fmode
9C __set_app_type
6B __dllonexit
1B8 _onexit
DB _controlfp
F1 _except_handler3
9B __security_error_handler
300 sprintf
305 strchr
2EC printf
297 exit
30F strncpy
1FE _stricmp
Listing 6.2 (continued)
Let’s go through each of the modules in Listing 6.2 and examine what it’s
revealing about how Cryptex works. Keep in mind that not all of these entries
are directly called by Cryptex. Most programs statically link with other
libraries (such as runtime libraries), which make their own calls into the
operating system or into other DLLs.
The entries in KERNEL32.dll are highly informative because they’re
telling us that Cryptex apparently uses direct calls into Win32 File I/O APIs
such as CreateFile, ReadFile, WriteFile, and so on. The following
section in Listing 6.2 is also informative and lists functions called from the
ADVAPI32.dll module. A quick glance at the function names reveals a very
important detail about Cryptex: It uses the Windows Crypto API (this is easy
to spot with function names such as CryptEncrypt and CryptDecrypt).
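The same reading of the import list can be scripted. The following is an added example, not code from the book or from Cryptex: it parses a listing in the layout of Listing 6.2 and groups the imported names by what they suggest. The names parse_imports, classify, SAMPLE and the capability labels are assumptions made for this sketch.

```python
import re

# Constructed sample in the "hex hint, name" layout of Listing 6.2. The ADVAPI32
# and MSVCR71 rows are from the listing; the KERNEL32 hints are made up.
SAMPLE = """\
KERNEL32.dll
   10 CreateFileA
   20 ReadFile
   30 WriteFile
ADVAPI32.dll
   99 CryptGetHashParam
   8B CryptDestroyHash
   8F CryptEncrypt
   89 CryptDecrypt
   85 CryptAcquireContextA
MSVCR71.dll
  300 sprintf
  2EC printf
"""

DLL_RE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,4})\s+([A-Za-z_]\w*)\s*$")
FILE_IO = {"CreateFile", "ReadFile", "WriteFile"}  # the APIs the text names

def parse_imports(text):
    """Return {DLL name: [(hint, function), ...]} from a listing."""
    imports, current = {}, "<unknown>"  # rows seen before any DLL header
    for line in text.splitlines():
        dll = DLL_RE.match(line)
        if dll:
            current = dll.group(1).upper()
            imports.setdefault(current, [])
            continue
        row = IMPORT_RE.match(line)
        if row:
            imports.setdefault(current, []).append((int(row.group(1), 16), row.group(2)))
    return imports

def classify(imports):
    """Group imported names by the capability they hint at."""
    found = {"crypto_api": [], "file_io": [], "c_runtime": []}
    for dll, rows in imports.items():
        for _hint, name in rows:
            if dll == "ADVAPI32.DLL" and name.startswith("Crypt"):
                found["crypto_api"].append(name)
            elif dll == "KERNEL32.DLL" and name.rstrip("AW") in FILE_IO:
                found["file_io"].append(name)
            elif dll.startswith("MSVCR"):
                found["c_runtime"].append(name)
    return found

if __name__ == "__main__":
    for capability, names in classify(parse_imports(SAMPLE)).items():
        print(f"{capability}: {', '.join(names)}")
```

Rows that appear before any DLL header, as in a continued listing, are kept under "<unknown>" and not attributed to a module, so they are not counted toward any capability.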