algorithm and treating the resulting 160-bit hash as the key. The same 160-bit
key is hashed again using the MD5 algorithm and the resulting 16-byte hash is
the one that ends up in the Cryptex header—it looks as if the only reason for
its existence is so that Cryptex can verify that the typed password matches the
one that was used when the archive was created.
You have learned that Cryptex archives are divided into fixed-sized clusters.
Some clusters contain file list information while others contain actual file data.
Information inside Cryptex archives is always managed on a cluster level;
there are apparently no bigger or smaller chunks that are supported in the file
format. All clusters are encrypted using the triple-DES algorithm with the key
derived from the SHA hash; this applies to both file list clusters and actual file
data clusters. The actual size of a single cluster is 4,104 bytes, yet the actual
content is only 4,092 bytes. The first 4 bytes in a cluster generally contain the
index of the next cluster (yet there are several exceptions), so that explains the
4,096 bytes. We have not been able to determine the reason for those extra 8
bytes that make up a cluster.
The next interesting element in the Cryptex archive is the file list data
structure. A file list is made up of one or more clusters, and each cluster
contains 26 file entries. Figure 6.3 illustrates what is known about a single
file entry.
Figure 6.2 The Cryptex header.

Cryptex File Header Structure

Offset +00          Signature1 ()
Offset +04          Signature2 ()
Offset +08          Unknown
Offset +0C          First File-List Cluster
Offset +10          Unknown
Offset +14          Unknown
Offset +18 to +24   Password Hash
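The header layout in Figure 6.2 and the password check described above can be put together in a short parser. This is an added example, not code from the book or from Cryptex. It assumes SHA-1 as the 160-bit SHA, little-endian DWORD fields, and a byte-string password; the sample header and its signature values are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Figure 6.2 layout: six DWORDs (+00..+14), then the 16-byte hash at +18.
# Little-endian DWORDs are an assumption, not stated on the page.
HEADER = struct.Struct("<6I16s")
FIELDS = ("signature1", "signature2", "unknown_08",
          "first_file_list_cluster", "unknown_10", "unknown_14",
          "password_hash")


def password_verifier(password: bytes) -> bytes:
    """MD5 of the 160-bit SHA hash of the password (SHA-1 assumed)."""
    key_material = hashlib.sha1(password).digest()  # 20 bytes, used as the key
    return hashlib.md5(key_material).digest()       # 16 bytes, kept in header


def parse_header(blob: bytes) -> dict:
    """Split the first 0x28 bytes of an archive into the known fields."""
    if len(blob) < HEADER.size:
        raise ValueError(f"need {HEADER.size} header bytes, got {len(blob)}")
    return dict(zip(FIELDS, HEADER.unpack_from(blob)))


def password_matches(header: dict, password: bytes) -> bool:
    """Recompute the verifier and compare it with the stored hash."""
    return hmac.compare_digest(header["password_hash"],
                               password_verifier(password))


def build_sample_header(password: bytes, first_cluster: int = 1) -> bytes:
    """Constructed test input; signature values are placeholders."""
    return HEADER.pack(0x11111111, 0x22222222, 0, first_cluster, 0, 0,
                       password_verifier(password))


if __name__ == "__main__":
    hdr = parse_header(build_sample_header(b"correct horse"))
    print(hex(hdr["first_file_list_cluster"]),
          password_matches(hdr, b"correct horse"),
          password_matches(hdr, b"wrong"))
```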