offset +8 contains the file size in clusters, so Cryptex is essentially checking for a
nonzero file size. The fact that Cryptex supports skipping file entries indicates
that it allows for holes in its file list, so when a file is deleted Cryptex simply
marks its entry as deleted and doesn’t have to start copying any entries. When
deleted entries are encountered they are simply ignored, as you can see here.
This is exactly the type of thing you probably wouldn't see in a robust
commercial security product. By not erasing these data blocks, Cryptex creates a
slight security risk. Sure, the “deleted” clusters are probably still encrypted (they
couldn’t be in plain text because Cryptex isn’t ever supposed to insert plaintext
data into the archives!), but they might contain sensitive information. Suppose
that you used Cryptex to send files to someone who had the password to your
archive. Because deleted files might still be in the archive, you might actually be
sending that person additional files you thought you had deleted!
Dumping the Directory Layout
So, what would you have to do in order to actually dump the file list in a
Cryptex archive? It's actually not that complicated. The following steps must be
taken in order to correctly dump the list of files inside a Cryptex archive:
- Initialize the Crypto API and open the archive file.
- Verify the 8-byte header signature.
- Calculate an SHA hash out of the typed password, and calculate an MD5 hash out of that.
- Verify that the calculated MD5 hash matches the stored MD5 hash from the Cryptex header (at offset +18).
- Produce a 3DES key using the SHA hash object.
- Read the first file list cluster (whose index is stored in offset +0C in the Cryptex header) in the same manner as it is read in Cryptex (reading 4,104 bytes and decrypting them using our 3DES key).
- Loop through those 152-byte-long entries and dump each entry's name if its offset +8 (which is the file size in clusters) is nonzero.
- Proceed to read and decrypt additional file-list clusters if they are present. List any entries within those clusters.
The actual code that implements the preceding sequence is relatively
straightforward. If you'd like to see what it looks like, it is available on
this book's Web site at http://www.wiley.com/go/eeilam.
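As an added illustration (this is not the book's code, which lives on the companion site), the following Python model covers the last two file-list steps and the deletion behaviour discussed above. It assumes the cluster has already been read and decrypted, and uses only the figures the text gives: 4,104-byte clusters, 152-byte entries, and the size-in-clusters DWORD at entry offset +8 (note that 4,104 is exactly 27 x 152, so a cluster holds 27 whole entries). The position of the name field (+0x10, NUL-terminated ASCII), the little-endian DWORD layout, and the all-zero padding of unused slots are assumptions made for this example; header verification, key derivation and cluster chaining are not modeled. The two delete functions contrast the "mark the size zero and move on" behaviour the text describes with a scrubbed delete that leaves no name behind.

```python
import struct

# Layout figures stated in the text
CLUSTER_SIZE = 4104
ENTRY_SIZE = 152
ENTRIES_PER_CLUSTER = CLUSTER_SIZE // ENTRY_SIZE  # 27 entries, no remainder
SIZE_OFFSET = 8  # DWORD at +8: file size in clusters; zero means "deleted"

# Assumed for this example only: the name sits at +0x10 as a NUL-terminated string
NAME_OFFSET = 16
NAME_MAX = ENTRY_SIZE - NAME_OFFSET


def build_entry(name: str, size_clusters: int) -> bytes:
    """Construct one entry in the assumed layout (test data, not a real Cryptex entry)."""
    raw = name.encode("ascii")
    if len(raw) >= NAME_MAX:
        raise ValueError("name too long for entry")
    entry = bytearray(ENTRY_SIZE)
    struct.pack_into("<I", entry, SIZE_OFFSET, size_clusters)
    entry[NAME_OFFSET:NAME_OFFSET + len(raw)] = raw
    return bytes(entry)


def build_cluster(files) -> bytes:
    """Pack (name, size) pairs into one cluster, padding unused slots with zero bytes."""
    if len(files) > ENTRIES_PER_CLUSTER:
        raise ValueError("too many entries for one cluster")
    body = b"".join(build_entry(n, s) for n, s in files)
    return body.ljust(CLUSTER_SIZE, b"\x00")


def parse_entries(cluster: bytes):
    """Split a decrypted cluster into (name, size_in_clusters) tuples, one per 152-byte slot."""
    if len(cluster) != CLUSTER_SIZE:
        raise ValueError("cluster must be exactly %d bytes" % CLUSTER_SIZE)
    for i in range(ENTRIES_PER_CLUSTER):
        entry = cluster[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]
        (size,) = struct.unpack_from("<I", entry, SIZE_OFFSET)
        name = entry[NAME_OFFSET:].split(b"\x00", 1)[0].decode("ascii", "replace")
        yield name, size


def live_files(cluster: bytes):
    """What the dump step lists: entries whose size at +8 is nonzero."""
    return [name for name, size in parse_entries(cluster) if size != 0]


def remnant_files(cluster: bytes):
    """What the dump step skips but nothing ever erased: zero-size slots that still carry a name."""
    return [name for name, size in parse_entries(cluster) if size == 0 and name]


def _slot_of(cluster: bytes, name: str) -> int:
    """Index of the live entry with this name; KeyError if it is not listed."""
    for i, (n, size) in enumerate(parse_entries(cluster)):
        if n == name and size != 0:
            return i
    raise KeyError(name)


def delete_cryptex_style(cluster: bytes, name: str) -> bytes:
    """Mimic the behaviour the text describes: zero only the size field, leave the rest."""
    i = _slot_of(cluster, name)
    out = bytearray(cluster)
    struct.pack_into("<I", out, i * ENTRY_SIZE + SIZE_OFFSET, 0)
    return bytes(out)


def delete_scrubbed(cluster: bytes, name: str) -> bytes:
    """Mitigation: overwrite the whole slot so no name (or anything else) survives."""
    i = _slot_of(cluster, name)
    out = bytearray(cluster)
    out[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample directory, already "decrypted"
    cluster = build_cluster([("secret.doc", 3), ("notes.txt", 1)])
    marked = delete_cryptex_style(cluster, "secret.doc")
    print("listed after mark-deleted:", live_files(marked))     # ['notes.txt']
    print("still readable in slots: ", remnant_files(marked))   # ['secret.doc']
    scrubbed = delete_scrubbed(cluster, "secret.doc")
    print("still readable after scrub:", remnant_files(scrubbed))  # []
```

Running the model shows the point the text makes: after the Cryptex-style delete the listing shrinks, but a reader that walks every slot regardless of the size field still recovers the name, and by the same logic the file's data clusters remain in the archive. The scrubbed variant is the kind of behaviour you would expect from a product that takes deletion seriously; the same overwrite would need to be applied to the data clusters themselves.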
Deciphering File Formats 227