To achieve interoperability with a third party's software product
- Interoperability means getting the software to cooperate with software written by someone else.
- Undocumented file formats or networking protocols cannot be accessed by any program other than those written by the original owner of the format: no one else knows the details of the proprietary format.
- Using data reverse engineering: obtain the missing information regarding a proprietary data format, then write code that reads or even generates data in the proprietary format.
- Examples: an undocumented file format (the .doc format); Windows has contained hundreds of undocumented APIs.
- A program written by Eldad Eilam: a command-line data encryption tool.
- It can encrypt files using a password.
- It manages archive files (.crx) that can contain multiple encrypted files.
- It uses the 3DES encryption algorithm.
3DES
- An enhanced version of the original Data Encryption Standard (DES) algorithm (IBM, 1976), which uses a 56-bit key to encrypt data.
- 3DES uses 56-bit keys and encrypts the plaintext three times using the DES algorithm, each time with a different key: 56*3 = 168-bit key.
- Security: a password like 12345 or your name versus j8&1`#:#mAkQ)d
Cryptex: reasons that justify deciphering the file format of a program
- To evaluate the level of security offered by the product: a back door? A trivial encryption algorithm? An incorrect use of a strong, industry-standard encryption algorithm?
- Reversing file formats for compatibility and for interoperability.
Reversing Cryptex
- We have access to the code that reads from the file, but not to the code that generates files using that format.
- Time for studying the code that reads the file format.
- The password is somehow stored in the file!

Cryptex a Test1 6666666666 asterisks.txt
Cryptex 1.0 – Written by Eldad Eilam
Archive “Test1.crx” does not exists. Creating a new archive.
Adding file “asterisks.txt” to archive “Test1”
Encrypting “asterisks.txt” – 100.00 percent completed.
Reversing Cryptex (continued)

Cryptex l Test1 6666666666
Cryptex 1.0 – Written by Eldad Eilam
Listing all files in archive “Test1”
File Size File Name
3K asterisks.txt
Total files listed: 1
Total size: 3K

Cryptex l Test1 6666666665
Cryptex 1.0 – Written by Eldad Eilam
Listing all files in archive “Test1”
ERROR: Invalid password. Unable to process file.
Reversing Cryptex: inside the Cryptex archive files
- We detect an apparently random byte sequence: the entire contents plus the file table have been encrypted.
- As expected, the password, the asterisks.txt file name and the actual asterisks cannot be found within the file.
- Look inside the program in order to see how it manages its data.
- Windows Crypto API: a generic cryptographic library (CryptEncrypt, CryptDecrypt functions), Cryptographic Service Providers (CSPs), symmetric and asymmetric cryptographic algorithms: DES, RSA, AES.
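The inspection described on this slide, written out as an added example (not part of the original slides and not Cryptex code): it measures how random the archive bytes look and searches them for the known plaintext values (the password, the file name and the asterisks). The two archives it runs on are constructed stand-ins, not real Cryptex output.

```python
# Added example: first-pass inspection of an archive before opening a debugger.
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, low for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_plaintext(data: bytes, needles: dict) -> dict:
    """Offset of each known plaintext value inside the archive, or -1 if absent."""
    return {name: data.find(value) for name, value in needles.items()}


def inspect_archive(data: bytes, password: str, filename: str, content: bytes) -> dict:
    """Does the archive leak the password, the file name or the file contents?"""
    needles = {"password": password.encode(), "filename": filename.encode(), "content": content}
    found = find_plaintext(data, needles)
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "found": found,
        # Treat it as encrypted only if nothing is in clear AND the bytes look random.
        "looks_encrypted": entropy > 7.5 and all(off == -1 for off in found.values()),
    }


# Constructed stand-ins (hypothetical, not real .crx files): a properly encrypted
# archive is modelled as deterministic pseudo-random bytes; a weak one stores the
# password, the file table and the asterisks in clear.
_rng = random.Random(0)
SAMPLE_GOOD = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_WEAK = b"CRX\x00" + b"6666666666" + b"asterisks.txt\x00" + b"*" * 3072


if __name__ == "__main__":
    for label, blob in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, inspect_archive(blob, "6666666666", "asterisks.txt", b"*" * 64))
```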
Catching the “bad password” message
1. Create an archive
2. Start Cryptex in a debugger, feeding it an incorrect password
3. Try to catch the place in the code where Cryptex notifies the user that a bad password has been supplied
4. Trace back from that call to see how Cryptex made the decision to print that message
- WinDbg, OllyDbg: place a breakpoint on the printf function from MSVCR71.DLL
Password verification process
The password transformation algorithm
1. Place a memory breakpoint on the global variable that stores the currently typed password
2. Look at the stack
3. Try to trace back
4. Find the call made from Cryptex to the encryption engine
Password verification process
Cryptex's key-generation and password-verification process