Reversing : The Hacker's Guide to Reverse Engineering


The Windows Crypto API is a generic cryptographic library that provides
support for installable cryptographic service providers (CSPs) and can be used for
encrypting and decrypting data using a variety of cryptographic algorithms.
Microsoft provides several CSPs that aren’t built into Windows and support a
wide range of symmetric and asymmetric cryptographic algorithms such as
DES, RSA, and AES. The fact that Cryptex uses the Crypto API can be seen as
good news, because it means that it is going to be quite trivial to determine
which encryption algorithms the program employs and how it produces the
encryption keys. This would have been more difficult if Cryptex were to use a
built-in implementation of the encryption algorithm because you would have
to reverse it to determine exactly which algorithm it is and whether it is properly implemented.
The next entry in Listing 6.2 is MSVCR71.DLL, which is the Visual C++ runtime library DLL. In this list, you can see the list of runtime library functions
called by Cryptex. This doesn't really tell you much, except for the presence of
the printf function, which is used for printing messages to the console window. The printf function is what you'd look at if you wanted to catch
moments where Cryptex is printing certain messages to the console window.


The Password Verification Process


One basic step that is relatively simple and is likely to reveal much about how
Cryptex goes about its business is to find out how it knows whether or not the
user has typed the correct password. This will also be a good indicator of
whether or not Cryptex is secure (depending on whether the password or
some version of it is actually stored in the archive).


Catching the “Bad Password” Message


The easiest way to go about checking Cryptex's password verification process
is to create an archive (Test1.crx from earlier in this chapter would do just
fine), and to start Cryptex in a debugger, feeding it with an incorrect password.
You would then try to catch the place in the code where Cryptex notifies the
user that a bad password has been supplied. This is easy to accomplish
because you know from Listing 6.2 that Cryptex uses the printf runtime
library function. It is very likely that you'll be able to catch a printf call that
contains the "bad password" message, and trace back from that call to see how
Cryptex made the decision to print that message.
Start by loading the program in any debugger, preferably a user-mode one
such as WinDbg or OllyDbg (I personally picked OllyDbg), and placing a
breakpoint on the printf function from MSVCR71.DLL. Notice that unlike
the previous reversing session where you relied exclusively on dead listing,


Deciphering File Formats 207