Figure 6.1 Cryptex’s key-generation and password-verification process.
The Directory Layout
Now that you have a basic understanding of how Cryptex manages its passwords and encryption keys, you can move on to study the Cryptex directory layout. In a real-world program, this step would be somewhat less relevant for those interested in a security-level analysis of Cryptex, but it would be very important for anyone interested in reading or creating Cryptex-compatible archives. Since we're doing this as an exercise in data reverse engineering, the directory layout is exactly the kind of complex data structure you're looking to get your hands on.
Analyzing the Directory Processing Code
In order to decipher the directory layout you'll need to find the location in the Cryptex code that reads the encrypted directory layout data, decrypts it, and proceeds to parse it. This can be accomplished by simply placing a breakpoint on the ReadFile API and tracing forward in the program to see what it does with the data. Let's restart the program in OllyDbg (don't forget to correct the password in the command-line argument), place a breakpoint on ReadFile, and let the program run.
[Figure 6.1 diagram elements: Original Plaintext Password; SHA Hash (160-bits); MD5 Hash (128-bits); 3DES Encrypter; Raw Data; Cryptex Header; Encrypted Data]