Reversing: The Hacker's Guide to Reverse Engineering

00401A9A ADD ESI,98
00401AA0 SUB DWORD PTR SS:[ESP+14],1
00401AA5 JNZ SHORT cryptex.00401A70
00401AA7 MOV ECX,SS:[ESP+10]
00401AAB MOV ESI,DS:[ECX]
00401AAD TEST ESI,ESI
00401AAF JE SHORT cryptex.00401ACC
00401AB1 MOV EDX,SS:[ESP+20]
00401AB5 MOV EAX,SS:[ESP+1C]
00401AB9 PUSH EDX
00401ABA PUSH ESI
00401ABB PUSH EAX
00401ABC CALL cryptex.00401030
00401AC1 ADD ESP,0C
00401AC4 TEST ESI,ESI
00401AC6 MOV SS:[ESP+10],EAX
00401ACA JNZ SHORT cryptex.00401A60
00401ACC POP EDI
00401ACD POP ESI
00401ACE POP EBP
00401ACF MOV EAX,EBX
00401AD1 POP EBX
00401AD2 ADD ESP,8
00401AD5 RETN

Listing 6.6 (continued)


This function starts out with a familiar sequence that reads the Cryptex header into memory. This is obvious because it is reading 0x28 bytes from offset 0 in the file. It then proceeds to call into a function at 00401030, which, upon stepping into it, looks quite important. Listing 6.7 provides a disassembly of the function at 00401030.


00401030 PUSH ECX
00401031 PUSH ESI
00401032 MOV ESI,SS:[ESP+C]
00401036 PUSH EDI
00401037 MOV EDI,SS:[ESP+14]
0040103B MOV ECX,1008
00401040 LEA EAX,DS:[EDI-1]
00401043 MUL ECX
00401045 ADD EAX,28
00401048 ADC EDX,0
0040104B PUSH 0 ; Origin = FILE_BEGIN
0040104D MOV SS:[ESP+18],EDX ;

Listing 6.7 A disassembly of Cryptex’s cluster decryption function. (continued)
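The offset arithmetic at the start of Listing 6.7 (LEA EAX,[EDI-1]; MUL ECX; ADD EAX,28; ADC EDX,0) reproduced in C as an added example; this is not code from the book or from Cryptex. The 0x28-byte header and 0x1008-byte cluster sizes come from the listings, while the function names, the 1-based cluster index (our reading of EDI-1) and the in-memory image layout are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants recovered from the listings; the names are ours, not Cryptex's. */
#define CRYPTEX_HEADER_SIZE  0x28u    /* header read from file offset 0 (Listing 6.6) */
#define CRYPTEX_CLUSTER_SIZE 0x1008u  /* MOV ECX,1008 / MUL ECX (Listing 6.7) */

/* A 64-bit file position split the way the code leaves it in EDX:EAX. */
typedef struct { uint32_t low; uint32_t high; } file_pos_t;

/* Mirrors 00401040-00401048: LEA EAX,[EDI-1]; MUL ECX; ADD EAX,28; ADC EDX,0.
 * `cluster` is the 1-based index that the caller passed in EDI (assumption). */
file_pos_t cryptex_cluster_offset(uint32_t cluster)
{
    uint32_t eax = cluster - 1;                              /* LEA EAX,[EDI-1], wraps like the CPU */
    uint64_t product = (uint64_t)eax * CRYPTEX_CLUSTER_SIZE; /* MUL ECX -> EDX:EAX */
    uint32_t lo = (uint32_t)product;
    uint32_t hi = (uint32_t)(product >> 32);
    uint32_t sum = lo + CRYPTEX_HEADER_SIZE;                 /* ADD EAX,28 */
    hi += (sum < lo) ? 1u : 0u;                              /* ADC EDX,0 absorbs the carry */
    file_pos_t p = { sum, hi };
    return p;
}

/* The same position as a single 64-bit integer. */
uint64_t cryptex_cluster_offset64(uint32_t cluster)
{
    file_pos_t p = cryptex_cluster_offset(cluster);
    return ((uint64_t)p.high << 32) | p.low;
}

/* Locate a cluster inside an in-memory image laid out as the listings imply:
 * a 0x28-byte header followed by 0x1008-byte clusters. NULL when out of range. */
const uint8_t *cryptex_cluster_ptr(const uint8_t *image, size_t image_len, uint32_t cluster)
{
    uint64_t off = cryptex_cluster_offset64(cluster);
    if (cluster == 0 || off > image_len || image_len - off < CRYPTEX_CLUSTER_SIZE)
        return NULL;
    return image + off;
}

int main(void)
{
    static uint8_t image[CRYPTEX_HEADER_SIZE + 3 * CRYPTEX_CLUSTER_SIZE]; /* constructed image */
    for (uint32_t c = 1; c <= 4; c++) {
        file_pos_t p = cryptex_cluster_offset(c);
        printf("cluster %u: EDX:EAX = %08X:%08X, inside image: %s\n", c, p.high, p.low,
               cryptex_cluster_ptr(image, sizeof image, c) ? "yes" : "no");
    }
    printf("cluster 0x100000 needs the high dword: %016llX\n",
           (unsigned long long)cryptex_cluster_offset64(0x100000));
    return 0;
}
```

The split result is what a 64-bit-capable seek needs (the PUSH 0 ; Origin = FILE_BEGIN that follows suggests one, though the call itself is off this page), and the high dword becomes non-zero only once the cluster index passes roughly 0x100000, i.e. a file larger than 4 GB.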


Deciphering File Formats 221