Unsurprisingly, Cryptex provides the following response:
Cryptex 1.0 - Written by Eldad Eilam
Listing all files in archive “Test1”.
ERROR: Invalid password. Unable to process file.
So, Cryptex actually confirms the password before providing the list of files.
This might seem like a futile exercise, considering that the documentation
explicitly said that the password is always required. However, the exact text of
the invalid-password message is useful because you can later look for the code
that displays it in the program and try to determine how it establishes whether
or not the password is correct.
For now, let’s start looking inside the Cryptex archive files. For this purpose
any hex dump tool would do just fine—there are quite a few free products
online, but if you’re willing to invest a little money in it, Hex Workshop is one
of the more powerful data-reversing tools. Here are the first 64 bytes of the
Test1.crx file just produced.
00000000 4372 5970 5465 5839 0100 0000 0100 0000 CrYpTeX9........
00000010 0000 0000 0200 0000 5F60 43BC 26F0 F7CA ........_`C.&...
00000020 6816 0D2B 99E7 FA61 BEB1 DA78 C0F6 4D89 h..+...a...x..M.
00000030 7CC7 82E8 01F5 3CB9 549D 2EC9 868F 1FFD |.....<.T.......
Like most file formats, .crx files start out with a signature, CrYpTeX9 in this
case, followed by what looks like several data fields, and continuing into an
apparently random byte sequence starting at address 0x18. If you look at the
rest of the file, it all contains similarly unreadable junk. This indicates that the
entire contents of the file have been encrypted, including the file table. As
expected, none of the key strings such as the password, the asterisks.txt
file name, or the actual asterisks can be found within this file. As further
evidence that the file has been encrypted, we can use the Character Distribution
feature in Hex Workshop to get an overview of the data within the file.
Interestingly, we discover that the file contains seemingly random data, with an
almost equal character distribution of about 0.4 percent for each of the 256
characters, which is exactly what a uniform distribution would give (1/256 is
roughly 0.39 percent). It looks like the encryption algorithm applied by Cryptex
has completely eliminated any obvious resemblance between the encrypted data
and the password, file name, or file contents.
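The two checks just described, reading the fixed header and measuring the byte distribution of what follows it, are easy to script so they can be repeated on every archive Cryptex produces. The following Python is an added example written for this page, not code from the book or from Cryptex. It embeds the 64 bytes from the hex dump above as constructed sample data, and it assumes a header layout that the dump suggests but the text does not confirm: an 8-byte signature followed by four little-endian 32-bit fields, with the encrypted body starting at offset 0x18. Everything past the dumped bytes is deterministic pseudo-random filler standing in for real ciphertext.

```python
"""Header and byte-distribution checks for a Cryptex-style .crx file."""
import math
import random
import struct
from collections import Counter

# ASSUMPTION for this example: 8-byte signature, then four little-endian
# DWORDs, then the encrypted body at 0x18 (where the dump turns random).
SIGNATURE = b"CrYpTeX9"
HEADER_FMT = "<8s4I"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 == 0x18

# The 64 bytes from the hex dump on the page (constructed from that listing).
HEADER_DUMP = bytes.fromhex(
    "4372597054655839 01000000 01000000 00000000 02000000"
    "5F6043BC 26F0F7CA 68160D2B 99E7FA61 BEB1DA78 C0F64D89"
    "7CC782E8 01F53CB9 549D2EC9 868F1FFD"
)


def parse_crx_header(data):
    """Split off the signature, the four DWORD fields, and the body offset.

    Raises ValueError when the signature does not match; the program must
    perform an equivalent check somewhere near its file-open code.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than the header")
    sig, *fields = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    return {"signature": sig, "fields": tuple(fields), "body_offset": HEADER_LEN}


def byte_distribution(data):
    """Share of the data taken by each of the 256 byte values (the Hex
    Workshop Character Distribution view, reduced to a dict)."""
    counts = Counter(data)
    return {b: counts.get(b, 0) / len(data) for b in range(256)}


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the ceiling, reached by uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(body, min_entropy=7.5, max_share=0.01):
    """The page's heuristic: near-uniform distribution and high entropy.
    Needs a few KB of input; a 40-byte sample cannot reach 7.5 bits/byte."""
    dist = byte_distribution(body)
    return shannon_entropy(body) >= min_entropy and max(dist.values()) <= max_share


def build_sample(body_len=65536, seed=1):
    """Constructed stand-in for a whole .crx: the dumped header followed by
    deterministic pseudo-random bytes in place of the real ciphertext."""
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(body_len - (64 - HEADER_LEN)))
    return HEADER_DUMP + tail


if __name__ == "__main__":
    sample = build_sample()
    hdr = parse_crx_header(sample)
    body = sample[hdr["body_offset"]:]
    print("fields:", hdr["fields"], "body bytes:", len(body))
    print("entropy: %.3f bits/byte, largest byte share: %.4f"
          % (shannon_entropy(body), max(byte_distribution(body).values())))
    print("body looks encrypted:", looks_encrypted(body))
    plain = b"********** asterisks.txt " * 1000   # constructed plaintext stand-in
    print("plaintext stand-in looks encrypted:", looks_encrypted(plain))
```

Run it against a real archive by replacing `build_sample()` with the file's bytes; the four header fields it prints (1, 1, 0, 2 for the dump above) are the values to watch change as you vary the password, the number of files, and their sizes, which is how the meaning of each field is usually pinned down before any code is read.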
At this point, it becomes clear that you’re going to have to dig into the
program in order to truly decipher the .crx file format. This is exactly where
conventional code reversing and data reversing come together: you must look
inside the program in order to see how it manages its data. Granted, this
program is an extreme example because the data is encrypted, but even with
programs that don’t intentionally hide the contents of their file formats, it is
often very difficult to decipher a file format by merely observing the data.