Reversing : The Hacker's Guide to Reverse Engineering


The first hit comes from an internal system call made by ADVAPI32.DLL.
Releasing the debugger brings it back to ReadFile again, except that, again,
it was called internally from system code. You will very quickly realize that
there are far too many calls to ReadFile for this approach to work; the system
itself uses this API heavily.
There are many alternative approaches you could take at this point, depending
on the particular application. One option is to restrict the ReadFile
breakpoint to calls made on the archive file. You can do this by first placing
a breakpoint on the API call that opens or creates the archive (this is almost
certainly a call to the CreateFile API), obtaining the archive handle from that
call’s return value, and then placing a conditional breakpoint on ReadFile that
only breaks when that specific handle is passed as hFile, the first parameter
(in a 32-bit stdcall function this is [ESP+4] on entry; such conditional
breakpoints are supported by most debuggers). This really reduces the number
of hits: you only see the relevant calls where Cryptex reads from the archive,
and not hundreds of irrelevant system calls. One caveat: Windows recycles
handle values once a handle is closed, so if the program closes and reopens
the archive, or an unrelated file later receives the same handle value, the
breakpoint condition has to be updated accordingly.
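The handle-filtered breakpoint described above, written out as an added example (this is not the book’s code, and Cryptex does not ship anything like it). The filtering logic is plain JavaScript so it can be replayed offline against a constructed trace; the Frida hooks at the bottom install the same filter live on kernel32.dll, and are only attached when the script is actually loaded into a process with Frida. Assumed: a 32-bit Windows target, the archive opened via CreateFileA/W, and the archive file name ARCHIVE_NAME, which is a placeholder rather than the name of any real Cryptex archive.

```javascript
// Added example: a ReadFile breakpoint filtered by the archive's file handle.
// Assumptions: 32-bit Windows target, archive opened with CreateFileA/W,
// ARCHIVE_NAME is a placeholder name (not from the book or from Cryptex).
const ARCHIVE_NAME = 'archive.crx';
const INVALID_HANDLE = new Set(['0xffffffff', '0xffffffffffffffff']);

class HandleFilter {
  constructor(isArchivePath) {
    this.isArchivePath = isArchivePath; // predicate on the opened path
    this.archiveHandle = null;          // latched handle value (hex string)
    this.hits = [];                     // ReadFile calls that passed the filter
  }

  // After CreateFile returns: latch the handle only if the open succeeded
  // (not INVALID_HANDLE_VALUE) and the path is the archive.
  onCreateFile(path, handle) {
    handle = String(handle).toLowerCase();
    if (INVALID_HANDLE.has(handle) || !this.isArchivePath(path)) return false;
    this.archiveHandle = handle;
    return true;
  }

  // Handle values are recycled after CloseHandle, so forget the latched value
  // when the archive is closed; otherwise an unrelated file that later gets
  // the same value would start tripping the breakpoint.
  onCloseHandle(handle) {
    if (this.archiveHandle === null) return false;
    if (String(handle).toLowerCase() !== this.archiveHandle) return false;
    this.archiveHandle = null;
    return true;
  }

  // True exactly when this ReadFile is on the archive, i.e. when the debugger
  // should stop. hFile is ReadFile's first argument ([ESP+4] on entry).
  onReadFile(handle, bytesToRead, caller) {
    if (this.archiveHandle === null) return false;
    if (String(handle).toLowerCase() !== this.archiveHandle) return false;
    this.hits.push({ handle: this.archiveHandle, bytesToRead, caller });
    return true;
  }
}

const isArchive = p => p.toLowerCase().endsWith('\\' + ARCHIVE_NAME);

// Constructed trace of what a debugger would see: system code reading a DLL,
// the archive opened, read, closed, and its handle value reused by another file.
const SAMPLE_TRACE = [
  ['CreateFile', 'C:\\Windows\\System32\\advapi32.dll', '0x40'],
  ['ReadFile', '0x40', 4096, 'advapi32'],
  ['CreateFile', 'C:\\work\\archive.crx', '0x44'],
  ['ReadFile', '0x44', 16, '0x004011c0'],
  ['ReadFile', '0x40', 4096, 'advapi32'],
  ['ReadFile', '0x44', 512, '0x004019f0'],
  ['CloseHandle', '0x44'],
  ['CreateFile', 'C:\\Windows\\System32\\user32.dll', '0x44'],
  ['ReadFile', '0x44', 4096, 'user32'],
];

// Replays a trace through the filter; returns only the reads that would break.
function replay(trace) {
  const f = new HandleFilter(isArchive);
  for (const ev of trace) {
    if (ev[0] === 'CreateFile') f.onCreateFile(ev[1], ev[2]);
    else if (ev[0] === 'CloseHandle') f.onCloseHandle(ev[1]);
    else if (ev[0] === 'ReadFile') f.onReadFile(ev[1], ev[2], ev[3]);
  }
  return f.hits;
}

// Live version: the same filter driven by Frida hooks on kernel32.
function installFridaHooks(filter) {
  const k32 = Process.getModuleByName('kernel32.dll');
  for (const [name, read] of [['CreateFileA', p => p.readAnsiString()],
                              ['CreateFileW', p => p.readUtf16String()]]) {
    Interceptor.attach(k32.getExportByName(name), {
      onEnter(args) { this.path = read(args[0]); },
      onLeave(retval) {
        if (filter.onCreateFile(this.path, retval.toString()))
          console.log('[+] archive opened: ' + this.path + ' handle=' + retval);
      }
    });
  }
  Interceptor.attach(k32.getExportByName('ReadFile'), {
    onEnter(args) { // ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, ...)
      const caller = this.returnAddress.toString();
      if (filter.onReadFile(args[0].toString(), args[2].toInt32(), caller))
        console.log('[*] ReadFile(' + args[2].toInt32() + ' bytes) from ' + caller);
    }
  });
  Interceptor.attach(k32.getExportByName('CloseHandle'), {
    onEnter(args) { filter.onCloseHandle(args[0].toString()); }
  });
}

if (typeof Interceptor !== 'undefined') {
  installFridaHooks(new HandleFilter(isArchive));
} else {
  console.log(replay(SAMPLE_TRACE));
}
```

On the constructed trace only the two reads on handle 0x44 made while the archive is open pass; the read on the recycled 0x44 after CloseHandle does not, which is exactly the case a raw "break when hFile == 0x44" condition would get wrong. The logged return address plays the role of OllyDbg’s call stack: it tells you which Cryptex function issued the read.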
On the other hand, since Cryptex is really a fairly simple program, you
could just let it run until it reaches the key-generation function from
Listing 6.5. At this point you could simply step through the rest of the code
until you reach the interesting code areas that decipher the directory data
structures. Keep in mind that in most real programs you’d have to come up
with a better idea of where to place your breakpoint, because simply stepping
through the program is going to be an unreasonably tedious task.
You can start by placing a breakpoint at the end of the key-generation
function, on address 00402416. Once you reach that address, you can step back
into the calling function and step through several irrelevant code sequences,
including a call into a function that apparently performs the actual opening
of the archive and ends up calling into 004011C0, which is the function
analyzed in Listing 6.3. The next function call goes into 004019F0, and
(based on a quick look at it) appears to be what we’re looking for. Listing
6.6 shows the OllyDbg-generated disassembly for this function.


004019F0 SUB ESP,8
004019F3 PUSH EBX
004019F4 PUSH EBP
004019F5 PUSH ESI
004019F6 MOV ESI,SS:[ESP+18] ; ESI = first argument (hFile): 8 bytes of locals + 3 pushed registers + return address = 0x18
004019FA XOR EBX,EBX
004019FC PUSH EBX ; Origin => FILE_BEGIN
004019FD PUSH EBX ; pOffsetHi => NULL
004019FE PUSH EBX ; OffsetLo => 0
004019FF PUSH ESI ; hFile
00401A00 CALL DS:[<&KERNEL32.SetFilePointer>]
00401A06 PUSH EBX ; pOverlapped => NULL

Listing 6.6 Disassembly of function that lists all files within a Cryptex archive. (continued)


Deciphering File Formats 219