Reversing : The Hacker's Guide to Reverse Engineering

Scanning the File List


The scanning of the file list is performed by calling a function at 004017B0,
which goes through a familiar route of scanning the file list and comparing
each name with the name of the file being extracted. Once the correct item is
found the function retrieves several fields from the file entry. The following is
the code that is executed in the file searching routine once a file entry is found.

00401881 MOV ECX,SS:[ESP+10]
00401885 LEA EAX,DS:[ESI+ESI*4]
00401888 ADD EAX,EAX
0040188A ADD EAX,EAX
0040188C SUB EAX,ESI
0040188E MOV EDX,DS:[ECX+EAX*8+8]
00401892 LEA EAX,DS:[ECX+EAX*8]
00401895 MOV ECX,SS:[ESP+24]
00401899 MOV DS:[ECX],EDX
0040189B MOV ECX,SS:[ESP+28]
0040189F TEST ECX,ECX
004018A1 JE SHORT cryptex.004018BC
004018A3 LEA EDX,DS:[EAX+C]
004018A6 MOV ESI,DS:[EDX]
004018A8 MOV DS:[ECX],ESI
004018AA MOV ESI,DS:[EDX+4]
004018AD MOV DS:[ECX+4],ESI
004018B0 MOV ESI,DS:[EDX+8]
004018B3 MOV DS:[ECX+8],ESI
004018B6 MOV EDX,DS:[EDX+C]
004018B9 MOV DS:[ECX+C],EDX
004018BC MOV EAX,DS:[EAX+4]

First of all, let's inspect what is obviously an optimized arithmetic sequence
of some sort at the beginning of this listing. It can be slightly confusing
because of the use of the LEA instruction, but LEA doesn't have to deal with
addresses. The LEA at 00401885 is essentially multiplying ESI by 5 and storing
the result in EAX. If you go back to the beginning of this function, it is easy
to see that ESI is essentially employed as a counter; it is initialized to zero and
then incremented by one with each item that is traversed. However, once all
file entries in the current cluster are scanned (remember there are 0x1A
entries), ESI is set to zero again. This implies that ESI is used as the index of
the current file entry in the current cluster.
Let's return to the arithmetic sequence and try to figure out what it is doing.
You've already established that the first LEA is multiplying ESI by 5. This is
followed by two ADDs that each double EAX, multiplying it by 4. The bottom line
is that ESI is being multiplied by 20 and its original value is then subtracted
from the result. This is equivalent to multiplying ESI by 19. Lovely, isn't it?
The next line at 0040188E actually uses the outcome of this computation (which
is now in EAX) as an

234 Chapter 6
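To make the index arithmetic concrete, here is a C re-expression of the routine at 00401881-004018BC. It is an added example, not code from the book or from Cryptex: the LEA/ADD/SUB steps are mirrored literally so you can check that they compute ESI*19, and the scaled-index addressing [ECX+EAX*8] then turns that into a byte offset of index*152. The field layout (a dword at +4 left in EAX, a dword at +8 stored through the first output pointer, sixteen bytes at +0xC copied through the optional second pointer) is read straight off the disassembly, but the names given to those fields and the sample cluster contents are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed entry stride, derived from the disassembly on this page:
 * the index is scaled to ESI*19 and then used with *8 addressing,
 * so consecutive entries are 19*8 = 152 (0x98) bytes apart. */
#define ENTRY_SIZE 152

/* Mirrors the instruction sequence at 00401885-0040188C one step at a time. */
static uint32_t scaled_index(uint32_t esi) {
    uint32_t eax = esi + esi * 4;  /* LEA EAX,[ESI+ESI*4]  -> ESI*5  */
    eax += eax;                    /* ADD EAX,EAX          -> ESI*10 */
    eax += eax;                    /* ADD EAX,EAX          -> ESI*20 */
    eax -= esi;                    /* SUB EAX,ESI          -> ESI*19 */
    return eax;
}

/* Byte offset of entry `index` from the cluster base (ECX).  The *8 is the
 * scale factor in the [ECX+EAX*8] operands at 0040188E and 00401892. */
static size_t entry_offset(uint32_t index) {
    return (size_t)scaled_index(index) * 8;
}

/* C view of 00401881-004018BC.  `cluster` is the buffer ECX points to,
 * `index` is ESI.  The dword at +8 is always written to *field8_out; the
 * 16 bytes at +0xC are copied only when block_out is non-NULL (the
 * TEST ECX,ECX / JE at 0040189F); the dword at +4 is the value the routine
 * leaves in EAX.  Field names are hypothetical. */
static uint32_t fetch_entry_fields(const uint8_t *cluster, uint32_t index,
                                   uint32_t *field8_out, uint8_t block_out[16]) {
    const uint8_t *entry = cluster + entry_offset(index);
    uint32_t v;
    memcpy(&v, entry + 8, 4);         /* MOV EDX,[ECX+EAX*8+8] ; MOV [ECX],EDX */
    *field8_out = v;
    if (block_out != NULL)            /* TEST ECX,ECX / JE SHORT 004018BC */
        memcpy(block_out, entry + 0xC, 16);   /* four dword copies from +0xC */
    memcpy(&v, entry + 4, 4);         /* MOV EAX,[EAX+4] */
    return v;
}

/* Builds a constructed three-entry cluster with recognisable values planted
 * at +4, +8 and +0xC, then checks that fetch_entry_fields() recovers them
 * from entry 2.  Returns 1 on success, 0 on any mismatch. */
static int self_check(void) {
    uint8_t cluster[3 * ENTRY_SIZE];
    memset(cluster, 0, sizeof cluster);
    for (uint32_t i = 0; i < 3; i++) {
        uint8_t *e = cluster + entry_offset(i);
        uint32_t a = 0x1000 + i, b = 0x2000 + i;   /* constructed sample values */
        memcpy(e + 4, &a, 4);
        memcpy(e + 8, &b, 4);
        memset(e + 0xC, 0xA0 + i, 16);
    }
    uint32_t f8 = 0;
    uint8_t blk[16];
    uint32_t ret = fetch_entry_fields(cluster, 2, &f8, blk);
    if (ret != 0x1002 || f8 != 0x2002) return 0;
    for (int k = 0; k < 16; k++)
        if (blk[k] != 0xA2) return 0;
    /* NULL block pointer must still deliver the +8 field and the return value. */
    f8 = 0;
    ret = fetch_entry_fields(cluster, 1, &f8, NULL);
    return ret == 0x1001 && f8 == 0x2001;
}

int main(void) {
    for (uint32_t i = 0; i < 4; i++)
        printf("index %u -> ESI*19 = %u -> byte offset %zu\n",
               i, scaled_index(i), entry_offset(i));
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The point of keeping the four arithmetic steps separate rather than writing `index * 152` is that it lets you verify, line by line, that the compiler's LEA/ADD/SUB idiom and the plain multiplication agree; once that is established, the 152-byte stride is the fact worth carrying forward into the rest of the format analysis.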
