After a while, I’m publishing a blog post which made me interested. With the recent tweets about the undocumented
SystemFunction032 Win32 API function, I decided to quickly have a look at it. The first thing I noted after Googling this function was the source code from ReactOS. Seems like other SystemFunctions from 001 got other cryptographic functions and hash functions. The
SystemFunction032 is an RC4 implementation. This API is in the export table of
The export table entry points to the DLL
Cryptsp.dll which actually has the function implemented and exported.
Cryptsp.dll as you can see the
SystemFunction033 point to the same offset, which means loading either of these functions will do the same RC4 encryption.
This is the disassembly of the function which does the RC4 encryption. It takes in the data and key structs as parameters.