that the string starts at offset +14 in the structure, you can assume that there
aren’t any additional data entries after it in the structure, which would mean
that the maximum length of a file name in Cryptex is 152 – 20, or 132 bytes.
Once this loop ends, an interesting thing takes place. The first member in the
buffer you read and decrypted earlier is tested, and if it is nonzero, Cryptex
calls the function at 00401030, the function from Listing 6.7 that reads and
decrypts a data chunk that we analyzed earlier. The second parameter, which
is used as a kind of cluster number (remember how the function multiplies
that number by 4104?), is taken directly from that first member. Clearly the
idea here is to read and decrypt another chunk of data and scan it for files. It
looks like the file list can span an arbitrary number of clusters and is essentially
implemented using a sort of cluster linked list. This brings up one question: Is
the first cluster hard-coded to number one? Let’s take a look at the code that
made the initial call to read the first file-list cluster, from Listing 6.6.
00401A1E MOV EDX,DS:[406064]
00401A24 PUSH ECX
00401A25 PUSH EDX
00401A26 PUSH ESI
00401A27 CALL cryptex.00401030
The first-cluster index is taken from a global variable with a familiar
address. It turns out that 00406064 is a part of the Cryptex header loaded into
00406058 just a few lines earlier. So, it looks like offset +0C in the Cryptex
header contains the index of the first cluster in the file table.
Going back to Listing 6.7, after 00401030 returns, ESI is tested for a
nonzero value again (even though it has already been tested and its value
couldn't have been changed), and if it is nonzero Cryptex loops back into the
code that reads the file table. You now know that the first member in these file
table clusters is the next-cluster element that tells Cryptex which cluster
contains the following file table entries, if any. Because the size of each file
entry is fixed, there must also be a fixed number of entries in each cluster. Since
a local variable at [ESP+14] is used for counting the remaining number of items
in the current cluster, you easily find the instruction at 00401A67, which
initializes this variable to 0x1A (26 in decimal), so you know that each cluster
can contain up to 26 file entries.
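To make the recovered layout concrete, here is an added C example (it is not Cryptex's code and not from the book) that walks a file table laid out the way the disassembly suggests: a header whose DWORD at +0C names the first cluster, clusters of 4104 bytes whose first DWORD links to the next cluster (zero ending the list), 26 entries of 152 bytes per cluster, a file name at +14 of each entry (at most 132 bytes, not necessarily NUL-terminated), and an entry that is ignored when the DWORD at +8 is zero (the test at 00401A72 discussed below). Several things are assumptions, flagged in the comments: clusters are addressed as index times 4104 from the start of the archive, the entries start at byte 4 of the cluster right after the link, decryption has already happened (the cipher inside 00401030 is not modelled), the MAX_CLUSTERS bound, and the sample archive itself, which is constructed inline. The walker also keeps a visited bitmap, because a corrupt or hostile archive could point a next-cluster link back at an earlier cluster, and the loop shown in the listings has no visible guard against that.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CLUSTER_SIZE        4104u  /* multiplier used by the chunk reader at 00401030 */
#define ENTRY_SIZE          152u   /* one file-table entry */
#define ENTRIES_PER_CLUSTER 26u    /* loop counter initialised to 0x1A at 00401A67 */
#define NAME_OFFSET         0x14u  /* file name lives at +14 in the entry */
#define NAME_MAX            (ENTRY_SIZE - NAME_OFFSET)   /* 152 - 20 = 132 bytes */
#define FLAG_OFFSET         0x08u  /* entry is skipped when this DWORD is zero */
#define HDR_FIRST_CLUSTER   0x0Cu  /* header +0C: index of the first file-table cluster */
#define MAX_CLUSTERS        2048u  /* assumption: bound for the visited bitmap */
#define SAMPLE_LEN          (3 * CLUSTER_SIZE)

typedef struct {
    char     name[NAME_MAX + 1];
    uint32_t cluster;             /* cluster the entry was found in */
} file_entry;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the file table: header -> first cluster -> next-cluster links until 0.
 * image is the whole archive with every cluster already decrypted (assumption:
 * the decryption done by 00401030 is not modelled). Returns the number of live
 * entries, or -1 if the chain leaves the image or revisits a cluster. */
int list_files(const uint8_t *image, size_t image_len, file_entry *out, size_t max_out)
{
    uint8_t seen[MAX_CLUSTERS / 8] = {0};
    int count = 0;

    if (image_len < HDR_FIRST_CLUSTER + 4) return -1;
    uint32_t cluster = rd32(image + HDR_FIRST_CLUSTER);

    while (cluster != 0) {
        if (cluster >= MAX_CLUSTERS || (seen[cluster / 8] >> (cluster % 8)) & 1)
            return -1;                          /* cycle or absurd index */
        seen[cluster / 8] |= (uint8_t)(1u << (cluster % 8));

        size_t off = (size_t)cluster * CLUSTER_SIZE;   /* assumption: index * 4104 */
        if (off > image_len || image_len - off < CLUSTER_SIZE)
            return -1;                          /* link points past the archive */
        const uint8_t *c = image + off;

        /* assumption: entries follow the 4-byte link; 4 + 26*152 = 3956 <= 4104 */
        for (unsigned i = 0; i < ENTRIES_PER_CLUSTER; i++) {
            const uint8_t *e = c + 4 + i * ENTRY_SIZE;
            if (rd32(e + FLAG_OFFSET) == 0) continue;   /* same test as 00401A72 */
            if ((size_t)count < max_out) {
                /* bounded copy: a 132-byte name has no room for a terminator */
                size_t n = 0;
                while (n < NAME_MAX && e[NAME_OFFSET + n] != 0) n++;
                memcpy(out[count].name, e + NAME_OFFSET, n);
                out[count].name[n] = '\0';
                out[count].cluster = cluster;
            }
            count++;
        }
        cluster = rd32(c);                      /* first DWORD: next cluster in the list */
    }
    return count;
}

/* Constructed sample archive (not real Cryptex data): header in cluster 0,
 * file table in clusters 1 and 2. */
static void put_entry(uint8_t *cluster, unsigned idx, uint32_t flag, const char *name)
{
    uint8_t *e = cluster + 4 + idx * ENTRY_SIZE;
    wr32(e + FLAG_OFFSET, flag);
    strncpy((char *)e + NAME_OFFSET, name, NAME_MAX);
}

static void build_sample(uint8_t *img, int make_cycle)
{
    memset(img, 0, SAMPLE_LEN);
    wr32(img + HDR_FIRST_CLUSTER, 1);            /* header: first cluster = 1 */
    uint8_t *c1 = img + 1 * CLUSTER_SIZE;
    uint8_t *c2 = img + 2 * CLUSTER_SIZE;
    wr32(c1, 2);                                  /* cluster 1 -> cluster 2 */
    put_entry(c1, 0,  1, "readme.txt");
    put_entry(c1, 1,  0, "deleted.bin");          /* +8 is zero: skipped */
    put_entry(c1, 25, 7, "last-slot.dat");        /* 26th slot still fits */
    wr32(c2, make_cycle ? 1u : 0u);               /* cluster 2 -> end, or back to 1 */
    put_entry(c2, 0,  1, "tail.txt");
}

static file_entry g_found[8];

int sample_file_count(int make_cycle)
{
    static uint8_t img[SAMPLE_LEN];
    build_sample(img, make_cycle);
    return list_files(img, SAMPLE_LEN, g_found, 8);
}

const char *sample_name(int i) { return g_found[i].name; }

int main(void)
{
    int n = sample_file_count(0);
    for (int i = 0; i < n && i < 8; i++)
        printf("cluster %u: %s\n", g_found[i].cluster, g_found[i].name);
    return 0;
}
```

Run as is, the sample yields three live names (the zero-flagged slot is skipped exactly as the JE at 00401A74 would skip it) and the cycle variant is rejected instead of looping. To point the walker at a real archive you would first have to replicate the chunk decryption that 00401030 performs, which this example deliberately leaves out.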
Finally, it is important to pay attention to three lines in Listing 6.6 that we’ve
so far ignored.
00401A70 MOV EAX,DS:[ESI]
00401A72 TEST EAX,EAX
00401A74 JE SHORT cryptex.00401A9A
It appears that a file entry must have a nonzero value in its offset +8 in order
for Cryptex to actually pay attention to the entry. As we’ve recently established,
226 Chapter 6