Figure 6.3 The format of a Cryptex file entry.
A Cryptex file list table supports holes, which are unused entries. The file
size or first cluster index members are typically used as an indicator for
whether an entry is currently in use. You can safely assume that, when adding
a new file entry, Cryptex will just scan this list for an unused
entry and place the file in it. File names have a maximum length of 128 bytes.
This doesn’t sound like much, but keep in mind that Cryptex strips away all
path information from the file name before adding it to the list, so these 128
bytes are used exclusively for the file name. Each file entry contains an MD5
hash that is calculated from the contents of the entire plaintext of the file. This
hash is recalculated during the decryption process and is checked against the
one stored in the file list. It looks as if Cryptex will still write the decrypted file
to disk during the extraction process—even if there is a mismatch in the MD5
hash. In such cases, Cryptex displays an error message.
Files are stored in cluster sequences that are linked using the “next cluster”
member in offset +0 inside each cluster. The last cluster in each file chain
contains the exact number of bytes that are actually in use within the current
cluster. This allows Cryptex to accurately reconstruct the file size during the
extraction process (because the file entry only contains the file size in clusters).
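
The file list layout described above can be exercised with a small parser for one decrypted file-list cluster. This is an added example, not code from Cryptex or from the original text, and its function names are hypothetical. It assumes little-endian 32-bit fields in the order first cluster index, size in clusters, MD5, name; 26 entries following the next-cluster member; and that a zero first-cluster index or zero size marks an unused entry.

```python
import hashlib
import struct

ENTRIES_PER_CLUSTER = 26          # Entry #0 .. Entry #25 in Figure 6.3
NAME_LEN = 128                    # maximum file name length from the text
# Per entry: first cluster index, size in clusters, 16-byte MD5, name.
ENTRY = struct.Struct(f"<II16s{NAME_LEN}s")   # little-endian is an assumption
NEXT = struct.Struct("<I")        # "next cluster" member at offset +0


def parse_file_list_cluster(cluster: bytes):
    """Return (next_cluster, entries); a hole is reported as None."""
    need = NEXT.size + ENTRIES_PER_CLUSTER * ENTRY.size
    if len(cluster) < need:
        raise ValueError(f"cluster too short: {len(cluster)} < {need}")
    (next_cluster,) = NEXT.unpack_from(cluster, 0)
    entries = []
    for i in range(ENTRIES_PER_CLUSTER):
        first, size, md5, raw = ENTRY.unpack_from(cluster, NEXT.size + i * ENTRY.size)
        if first == 0 or size == 0:      # assumed "unused" marker
            entries.append(None)
            continue
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        entries.append({"name": name, "first_cluster": first,
                        "size_clusters": size, "md5": md5})
    return next_cluster, entries


def first_hole(entries):
    """Index of the first unused entry, or None if the cluster is full."""
    return next((i for i, e in enumerate(entries) if e is None), None)


def md5_matches(entry, plaintext: bytes) -> bool:
    """Recompute the MD5 of the plaintext and compare with the stored hash."""
    return hashlib.md5(plaintext).digest() == entry["md5"]


def build_sample_cluster():
    """Constructed sample: entries #0 and #1 in use, the rest empty."""
    body = bytearray(NEXT.pack(0))
    files = [(b"readme.txt", 5, 1, b"hello"), (b"notes.txt", 6, 2, b"cryptex")]
    for name, first, size, data in files:
        body += ENTRY.pack(first, size, hashlib.md5(data).digest(), name)
    body += bytes((ENTRIES_PER_CLUSTER - len(files)) * ENTRY.size)
    return bytes(body)
```

An extraction tool built on this check can refuse to write the output file when `md5_matches` returns False, rather than writing it and only reporting the error.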
Digging Deeper
You might have noticed that even though you’ve just performed a remarkably
thorough code analysis of Cryptex, there are still some details regarding its file
format that have eluded you. This makes sense when you think about it; you
have not nearly covered all the code in Cryptex, and some of the fields must
[Figure 6.3 labels. Cryptex File Entry Cluster Layout: Next Cluster Index (offset +00), then Entry #0, Entry #1, Entry #2 (EMPTY), ..., Entry #25. Individual Cryptex File Entry Structure: File's First Cluster Index (offset +04), File Size in Clusters (offset +08), File MD5 Hash (offsets +0C to +18), File Name String (offset +1C).]