Deciphering File Formats 219

The first hit comes from an internal system call made by ADVAPI32. Releasing the debugger brings it back to ReadFile again, except that again it was called internally from system code. You will very quickly realize that there are way too many calls to ReadFile for this approach to work; this API is used by the system heavily. There are many alternative approaches you could take at this point, depending on the particular application. One option would be to try and restrict the ReadFile breakpoint to calls made on the archive file. You could do this by first placing a breakpoint on the API call that opens or creates the archive (this is probably going to be a call to the CreateFile API), obtaining the archive handle from that call, and placing a selective breakpoint on ReadFile that only breaks when the specific handle to the Cryptex archive is specified (such breakpoints are supported by most debuggers). This would really reduce the number of calls: you'd only see the relevant calls where Cryptex reads from the archive, and not hundreds of irrelevant system calls. On the other hand, since Cryptex is really a fairly simple program, you could just let it run until it reached the key-generation function from Listing . At this point you could just step through the rest of the code until you reach interesting code areas that decipher the directory data structures. Keep in mind that in most real programs you'd have to come up with a better idea for where to place your breakpoint, because simply stepping through the program is going to be an unreasonably tedious task. You can start by placing a breakpoint at the end of the key-generation function, at address 00402416.
Once you reach that address you can step back into the calling function and step through several irrelevant code sequences, including a call into a function that apparently performs the actual opening of the archive and ends up calling into 004011C0, which is the function analyzed in Listing .
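The handle-filtering idea described above (break on the CreateFile call that opens the archive, capture the returned handle, then stop only on ReadFile calls that pass that handle) can be exercised offline against an API-call trace before you set it up in a debugger. The script below is an added example, not code from the book or from Cryptex: it walks a constructed trace in a simple "API(args) = return" line format (an assumed format, not any particular tool's output), records the handle returned when the archive is opened, reports only the ReadFile calls on that handle, and forgets the handle when CloseHandle is seen so that a later file that happens to reuse the same handle value is not mistaken for the archive.

```python
import re
from dataclasses import dataclass

# Constructed sample trace (not taken from the book). Each line has the shape
#   API(args) = return_value
# Handle 0x60 is reused for a different file after the archive is closed, which
# is exactly the case a naive "match on handle value" filter gets wrong.
SAMPLE_TRACE = """\
CreateFileW("C:\\Windows\\System32\\config.nls", GENERIC_READ) = 0x5C
ReadFile(0x5C, 0x00130000, 4096) = 1
CreateFileW("C:\\Archive\\test.crx", GENERIC_READ) = 0x60
ReadFile(0x60, 0x00410000, 64) = 1
ReadFile(0x5C, 0x00131000, 4096) = 1
ReadFile(0x60, 0x00410040, 1024) = 1
CloseHandle(0x60) = 1
CreateFileW("C:\\Windows\\Fonts\\arial.ttf", GENERIC_READ) = 0x60
ReadFile(0x60, 0x00200000, 512) = 1
"""

# Patterns for the three calls the filter cares about (assumed trace format).
CREATE_RE = re.compile(r'^CreateFileW\("(?P<path>[^"]*)"[^)]*\)\s*=\s*0x(?P<h>[0-9A-Fa-f]+)$')
READ_RE = re.compile(r'^ReadFile\(0x(?P<h>[0-9A-Fa-f]+),\s*0x(?P<buf>[0-9A-Fa-f]+),\s*(?P<n>\d+)\)')
CLOSE_RE = re.compile(r'^CloseHandle\(0x(?P<h>[0-9A-Fa-f]+)\)')


@dataclass
class ArchiveRead:
    """One ReadFile call issued against the archive handle."""
    line_no: int   # 1-based line in the trace (stands in for "where the breakpoint hit")
    handle: int    # hFile argument
    buffer: int    # lpBuffer argument
    size: int      # nNumberOfBytesToRead argument


def archive_reads(trace: str, archive_name: str):
    """Return (reads on the archive handle, total ReadFile calls seen).

    The archive is recognised by the tail of the path passed to CreateFileW.
    The captured handle is only considered live between that CreateFileW and
    the matching CloseHandle, mirroring a selective breakpoint that is armed
    after the open and disarmed at the close.
    """
    live_handle = None  # handle of the archive while it is open, else None
    hits = []
    total_reads = 0
    for line_no, line in enumerate(trace.splitlines(), start=1):
        if m := CREATE_RE.match(line):
            if m["path"].lower().endswith(archive_name.lower()):
                live_handle = int(m["h"], 16)   # the value CreateFile returned
        elif m := READ_RE.match(line):
            total_reads += 1
            h = int(m["h"], 16)
            if live_handle is not None and h == live_handle:
                hits.append(ArchiveRead(line_no, h, int(m["buf"], 16), int(m["n"])))
        elif m := CLOSE_RE.match(line):
            if live_handle is not None and int(m["h"], 16) == live_handle:
                live_handle = None              # handle value may now be recycled
    return hits, total_reads


if __name__ == "__main__":
    reads, total = archive_reads(SAMPLE_TRACE, "test.crx")
    print(f"{total} ReadFile calls in trace, {len(reads)} on the archive:")
    for r in reads:
        print(f"  line {r.line_no}: handle 0x{r.handle:X}, "
              f"{r.size} bytes into 0x{r.buffer:08X}")
```

Of the five ReadFile calls in the sample, only the two issued while the archive handle is open are reported; the read on the recycled handle 0x60 after CloseHandle is correctly ignored. The same filter inside a debugger is a conditional breakpoint. In WinDbg on 32-bit code, for instance, once the archive handle is known you can use `bp kernel32!ReadFile ".if (poi(@esp+4) != 0x60) {gc}"`, which compares the first stack argument (hFile) with the handle and silently continues on every other call; the handle value and the x86 stdcall stack layout are assumptions here, and the break should be removed or re-armed when the archive is closed and reopened.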