takes longer for 32-bit processors. By placing this instruction before the loop starts, the compiler ensured that the loop won't begin on an unaligned instruction. Also, notice that again the compiler could have used NOPs, but instead used this instruction, which does nothing, yet accurately fills the 2-byte gap that was present.
After obtaining a backslash-free version of the file name, the function goes on to create the new file that will contain the extracted data. After creating the file, the function checks that 004017B0 actually found a file by testing EBP, which is where the function's return value was stored. If it is zero, Cryptex displays a file not found error message and quits. If EBP is nonzero, Cryptex calls the familiar 00401030, which reads and decrypts a sector, while using EBP (the return value from 004017B0) as the second parameter, which is treated as the cluster number to read and decrypt.
So, you now know that 004017B0 returns a cluster index, but you're not sure what this cluster index is. It doesn't take much guesswork to figure out that this is the cluster index of the file you're trying to extract, or at least the first cluster of the file you're trying to extract (most files are probably going to occupy more than one cluster). If you go back to our discussion of the file lookup function, you see that its return value came from offset +4 in the file entry (see the instruction at 004018BC). The bottom line is that you now know that offset +4 in the file entry contains the index of the first data cluster.
If you look in the debugger, you will see that the third parameter is a pointer to the buffer into which the data was decrypted, and that after the function returns this buffer contains the lovely asterisks! It is important to note that the asterisks are preceded by a 4-byte value: 0000046E. A quick conversion reveals that this number equals 1134, which is the exact file size of the original asterisks.txt file you encrypted earlier.
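The structures recovered above (a file entry whose offset +4 holds the first-cluster index, and a decrypted cluster that opens with a 4-byte file size such as 0000046E = 1134) can be modelled in a few lines. This is an added example, not Cryptex's own code: the cluster size, the contiguous placement of later clusters and the layout of the entry's other fields are assumptions of the toy model, and the example works on already-decrypted clusters, standing in for the buffer 00401030 fills.

```python
import struct

# Constructed toy model of the on-disk structures described on this page.
# CLUSTER_SIZE and the contiguous-cluster layout are assumptions of the
# model, not values recovered from Cryptex.
CLUSTER_SIZE = 512
FILE_SIZE_HDR = struct.Struct("<I")   # 4-byte little-endian size prefix

def strip_path(name: str) -> str:
    """Backslash-free file name, as the extraction routine builds it."""
    return name.rsplit("\\", 1)[-1]

def lookup_entry(entries: list[bytes], name: str) -> int:
    """Model of 004017B0: return the first-cluster index stored at entry
    offset +4, or 0 (the 'file not found' value tested in EBP) if no match."""
    wanted = strip_path(name).encode()
    for entry in entries:
        # constructed entry layout: 4 unused bytes, 4-byte cluster index at
        # offset +4, then a NUL-padded file name (layout assumed)
        if entry[8:].rstrip(b"\0") == wanted:
            return struct.unpack_from("<I", entry, 4)[0]
    return 0

def extract(clusters: dict[int, bytes], entries: list[bytes], name: str) -> bytes:
    """Model of the extraction path: look up the entry, then read clusters
    starting at the first one, whose leading dword is the file size."""
    first = lookup_entry(entries, name)
    if first == 0:
        raise FileNotFoundError(name)          # the EBP == 0 branch
    cluster = clusters[first]
    size = FILE_SIZE_HDR.unpack_from(cluster)[0]   # e.g. 0000046E -> 1134
    data = cluster[FILE_SIZE_HDR.size:]
    idx = first
    while len(data) < size:                    # assumption: later clusters follow contiguously
        idx += 1
        data += clusters[idx]
    return data[:size]

def build_sample() -> tuple[dict[int, bytes], list[bytes]]:
    """Constructed archive: asterisks.txt (1134 '*' bytes) starting at cluster 7."""
    payload = FILE_SIZE_HDR.pack(1134) + b"*" * 1134
    chunks = [payload[i:i + CLUSTER_SIZE] for i in range(0, len(payload), CLUSTER_SIZE)]
    clusters = {7 + i: c.ljust(CLUSTER_SIZE, b"\0") for i, c in enumerate(chunks)}
    entries = [b"\0" * 4 + struct.pack("<I", 7) + b"asterisks.txt".ljust(24, b"\0")]
    return clusters, entries
```

Because the 1138-byte payload spans three 512-byte clusters, the example also shows why the index at offset +4 is only the first cluster of the file.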
The Floating-Point Sequence
If you go back to the extraction sequence from Listing 6.8, you will find that after reading the first cluster you run into a code sequence that contains some highly unusual instructions. Even though these instructions are not particularly important to the extraction process (in fact, they are probably the least important part of the sequence), you should still take a close look at them just to make sure that you can properly decipher this type of code. Here is the sequence I am referring to:
00401D28 FILD DWORD PTR SS:[ESP+2C]
00401D2C JGE SHORT cryptex.00401D34
00401D2E FADD DWORD PTR DS:[403BA0]
00401D34 FDIVR QWORD PTR DS:[403B98]
00401D3A MOV EAX,SS:[ESP+24]
236 Chapter 6