The File Extraction Process
Cryptex would not be worth much without the ability to decrypt and extract files from its encrypted archive files. This is done using the x command, which simply creates a file with the same name as the original that was encoded (minus the file's path) and decrypts the original data into it. Reversing the extraction process should give you a clearer view of the file list data layout and of how files are actually stored within archive files. The rather lengthy Listing 6.8 contains the Cryptex file extraction routine.
00401BB0 SUB ESP,70
00401BB3 MOV EAX,DS:[405020]
00401BB8 PUSH EBX
00401BB9 PUSH EDI
00401BBA MOV EDI,SS:[ESP+84]
00401BC1 PUSH 0
00401BC3 MOV SS:[ESP+78],EAX
00401BC7 MOV EAX,SS:[ESP+80]
00401BCE PUSH 0
00401BD0 PUSH EAX
00401BD1 PUSH EDI
00401BD2 CALL cryptex.00401670
00401BD7 MOV EDX,DS:[405048]
00401BDD ADD ESP,10
00401BE0 LEA ECX,SS:[ESP+14]
00401BE4 PUSH ECX
00401BE5 PUSH 0
00401BE7 PUSH 0
00401BE9 PUSH 8003
00401BEE PUSH EDX
00401BEF MOV EBX,EAX
00401BF1 CALL DS:[<&ADVAPI32.CryptCreateHash>]
00401BF7 TEST EAX,EAX
00401BF9 JNZ SHORT cryptex.00401C11
00401BFB PUSH cryptex.00403284 ; /format = "Unable to verify the file's hash value!"
00401C00 CALL DS:[<&MSVCR71.printf>]
00401C06 ADD ESP,4
00401C09 PUSH 1 ; /status = 1
00401C0B CALL DS:[<&MSVCR71.exit>]
00401C11 PUSH EBP
00401C12 PUSH ESI
00401C13 PUSH 0 ; /Origin = FILE_BEGIN
00401C15 PUSH 0 ; |pOffsetHi = NULL
00401C17 PUSH 0 ; |OffsetLo = 0
00401C19 PUSH EBX ; |hFile
00401C1A CALL DS:[<&KERNEL32.SetFilePointer>]
Listing 6.8 A disassembly of Cryptex’s file decryption and extraction routine.
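Reading a listing like this one means deciding which [ESP+x] operand is an argument and which is a local. The following script is an added example, not code from the book or from Cryptex: it replays the opening of Listing 6.8 (a constructed excerpt embedded inline) and names each ESP-relative slot by tracking how far ESP has moved since function entry. The argument numbering assumes the usual convention of the return address at [ESP] on entry and arguments pushed right to left.

```python
# Added example (not from the book): resolve [ESP+x] operands in Listing 6.8.
import re

# Constructed excerpt of Listing 6.8 (addresses dropped), up to the LEA.
LISTING = """
SUB ESP,70
MOV EAX,DS:[405020]
PUSH EBX
PUSH EDI
MOV EDI,SS:[ESP+84]
PUSH 0
MOV SS:[ESP+78],EAX
MOV EAX,SS:[ESP+80]
PUSH 0
PUSH EAX
PUSH EDI
CALL cryptex.00401670
MOV EDX,DS:[405048]
ADD ESP,10
LEA ECX,SS:[ESP+14]
"""

def name_slot(offset, depth):
    """Name [ESP+offset] when ESP is `depth` bytes below its value at entry."""
    rel = offset - depth          # distance from the saved return address
    if rel == 0:
        return "return address"
    if rel > 0:
        return f"arg{rel // 4}"   # arg1 at +4, arg2 at +8, ... (right-to-left push)
    return f"local_{-rel:X}"      # below the return address: a frame local

def resolve(listing):
    """Return [(instruction, slot name)] for every [ESP+x] operand."""
    depth, out = 0, []
    for line in listing.strip().splitlines():
        mnem, _, ops = line.partition(" ")
        m = re.search(r"\[ESP\+([0-9A-F]+)\]", ops)
        if m:
            out.append((line, name_slot(int(m.group(1), 16), depth)))
        if mnem == "PUSH":
            depth += 4
        elif mnem in ("SUB", "ADD") and ops.startswith("ESP,"):
            n = int(ops.split(",")[1], 16)
            depth += n if mnem == "SUB" else -n
        # A cdecl CALL leaves depth unchanged: the caller's ADD ESP,10 removes
        # the pushed arguments. The stdcall imports later in the listing
        # (CryptCreateHash, SetFilePointer) pop their own arguments instead.
    return out

if __name__ == "__main__":
    for insn, slot in resolve(LISTING): print(f"{insn:24} -> {slot}")
```

Run against the excerpt, [ESP+84] resolves to the third argument, [ESP+80] to the first, [ESP+78] to a local just below the return address, and [ESP+14] to the local whose address is passed to CryptCreateHash as the output hash handle.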