00401E9B CALL EBP
00401E9D ADD ESP,4
00401EA0 MOV ECX,4
00401EA5 LEA EDI,SS:[ESP+6C]
00401EA9 LEA ESI,SS:[ESP+5C]
00401EAD XOR EDX,EDX
00401EAF REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00401EB1 JE SHORT cryptex.00401EC2
00401EB3 MOV EAX,SS:[ESP+18]
00401EB7 PUSH EAX
00401EB8 PUSH cryptex.004033B4 ; ASCII "ERROR: File "%s" is corrupted!"
00401EBD CALL EBP
00401EBF ADD ESP,8
00401EC2 MOV ECX,SS:[ESP+1C]
00401EC6 PUSH ECX
00401EC7 CALL DS:[<&ADVAPI32.CryptDestroyHash>]
00401ECD MOV EDX,SS:[ESP+14]
00401ED1 MOV ESI,DS:[<&KERNEL32.CloseHandle>]
00401ED7 PUSH EDX ; /hObject
00401ED8 CALL ESI ; \CloseHandle
00401EDA PUSH EBX ; /hObject
00401EDB CALL ESI ; \CloseHandle
00401EDD MOV ECX,SS:[ESP+7C]
00401EE1 POP ESI
00401EE2 POP EBP
00401EE3 POP EDI
00401EE4 POP EBX
00401EE5 CALL cryptex.004027C9
00401EEA ADD ESP,70
00401EED RETN
Listing 6.8 (continued)
Let's begin with a quick summary of the most important operations performed by the function in Listing 6.8. The function starts by opening the archive file. This is done by calling a function at 00401670, which opens the archive and proceeds to call into the header and password verification function at 004011C0, which you analyzed in Listing 6.3. After 00401670 returns, the function proceeds to create a hash object of the same type you saw earlier, which was used for calculating the password hash. This time the algorithm type is 0x8003, which is ALG_SID_MD5. The purpose of this hash object is still unclear. The code then proceeds to read the Cryptex header into the same global variable at 00406058 that you encountered earlier, and to search the file list for the relevant file entry.
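The following C is an added reconstruction of the tail of Listing 6.8, not code from the book or from Cryptex itself. It decodes the 0x8003 algorithm identifier with the wincrypt.h field macros and emulates the MOV ECX,4 / REPE CMPS DWORD PTR loop; it assumes the two 16-byte stack buffers at [ESP+6C] and [ESP+5C] are the values being verified (the listing suggests this, but the text has not yet established what they hold), and the function name and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ALG_ID field macros and constants as defined in wincrypt.h, reproduced
 * here so the example builds without the Windows SDK. */
#define ALG_CLASS_HASH   (4 << 13)                 /* 0x8000 */
#define ALG_TYPE_ANY     (0)
#define ALG_SID_MD5      3
#define CALG_MD5         (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5) /* 0x8003 */
#define GET_ALG_CLASS(x) ((x) & (7 << 13))
#define GET_ALG_TYPE(x)  ((x) & (15 << 9))
#define GET_ALG_SID(x)   ((x) & 511)

/* Decode the ALG_ID passed to CryptCreateHash: class HASH with SID MD5.
 * Knowing the SID also tells an analyst the digest is 16 bytes long. */
int alg_is_md5(uint32_t alg_id) {
    return GET_ALG_CLASS(alg_id) == ALG_CLASS_HASH &&
           GET_ALG_SID(alg_id) == ALG_SID_MD5;
}

/* Emulates "MOV ECX,4 / REPE CMPS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]":
 * compares up to four 32-bit words and stops at the first mismatch, just as
 * the instruction does. Returns 1 when all 16 bytes match (ZF set, so the
 * JE SHORT is taken), otherwise 0. */
int words_equal_repe_cmpsd(const uint8_t a[16], const uint8_t b[16]) {
    for (int i = 0; i < 4; i++) {
        uint32_t wa, wb;
        memcpy(&wa, a + 4 * i, sizeof wa);   /* DWORD at [ESI] */
        memcpy(&wb, b + 4 * i, sizeof wb);   /* DWORD at [EDI] */
        if (wa != wb)
            return 0;
    }
    return 1;
}

/* Hypothetical name for the block at 00401EA0-00401EC2: [ESP+18] is the
 * file name pushed with the format string, then CryptDestroyHash and two
 * CloseHandle calls release the hash object and both file handles. */
int cryptex_verify_tail(const char *file_name,
                        const uint8_t at_esp_6c[16], const uint8_t at_esp_5c[16]) {
    int ok = words_equal_repe_cmpsd(at_esp_6c, at_esp_5c);
    if (!ok)
        printf("ERROR: File \"%s\" is corrupted!\n", file_name);
    /* CryptDestroyHash(hHash); CloseHandle(hFile); CloseHandle(hArchive); */
    return ok;
}

/* Constructed sample values: B differs from A only in its last DWORD. */
const uint8_t SAMPLE_A[16] = {1,2,3,4, 5,6,7,8, 9,10,11,12, 13,14,15,16};
const uint8_t SAMPLE_B[16] = {1,2,3,4, 5,6,7,8, 9,10,11,12, 13,14,15,17};
```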
Deciphering File Formats 233