Reverse Engineering for Beginners

CHAPTER 13. SWITCH()/CASE/DEFAULT
Now let's press F7 or F8 (step over) and return... not to f(), but rather to main():

Figure 13.8: OllyDbg: return to main()

Yes, the jump was direct, from the guts of printf() to main(), because the RA in the stack points not to some place in f(),
but rather to main(). And CALL 0x00FF1000 was the actual instruction which called f().

13.1.2 ARM: Optimizing Keil 6/2013 (ARM mode)


.text:0000014C f1:
.text:0000014C 00 00 50 E3 CMP R0, #0
.text:00000150 13 0E 8F 02 ADREQ R0, aZero ; "zero\n"
.text:00000154 05 00 00 0A BEQ loc_170
.text:00000158 01 00 50 E3 CMP R0, #1
.text:0000015C 4B 0F 8F 02 ADREQ R0, aOne ; "one\n"
.text:00000160 02 00 00 0A BEQ loc_170
.text:00000164 02 00 50 E3 CMP R0, #2
.text:00000168 4A 0F 8F 12 ADRNE R0, aSomethingUnkno ; "something unknown\n"
.text:0000016C 4E 0F 8F 02 ADREQ R0, aTwo ; "two\n"
.text:00000170
.text:00000170 loc_170: ; CODE XREF: f1+8
.text:00000170 ; f1+14
.text:00000170 78 18 00 EA B __2printf

Again, by investigating this code we cannot say if it was a switch() in the original source code, or just a pack of if() statements.
Anyway, we see predicated instructions here again (like ADREQ (Equal)), which is executed only if the preceding CMP found R0 = 0, and then
loads the address of the string «zero\n» into R0. The next instruction, BEQ, redirects control flow to loc_170 under the same condition (R0 was 0 at the CMP).

An astute reader may ask: will BEQ trigger correctly, since ADREQ before it has already filled the R0 register with another
value? Yes, it will, since BEQ checks the flags set by the CMP instruction, and ADREQ does not modify any flags at all.

The rest of the instructions are already familiar to us. There is only one call to printf(), at the end, and we have already
examined this trick here (6.2.1 on page 45). In the end, there are three paths to printf().

The last CMP instruction, CMP R0, #2, is needed to check if a = 2. If it is not true, then ADRNE loads a pointer to the string
«something unknown\n» into R0: a was already checked against 0 and 1, so we can be sure that the a variable is
not equal to either of these numbers at this point. And if R0 = 2, a pointer to the string «two\n» is loaded by ADREQ into R0.
Either way, R0 holds the format string when the final B __2printf tail-calls printf().
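The flag behaviour this section relies on (CMP sets N/Z/C/V, a predicated ADR{cond} either executes or is skipped but never touches the flags, and BEQ/B{cond} only read them) can be checked with a small model. The following C program is an added example, not the book's code: it walks the f1 listing above instruction by instruction on a mock CPU state and returns the string whose address ends up in R0 at loc_170. The .rodata addresses of the four string literals are constructed for the illustration (the listing shows only their symbolic names), and the tail call to __2printf is replaced by returning the selected format string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock ARM state: the listing only touches R0 and the APSR condition flags. */
typedef struct {
    uint32_t r0;
    unsigned n, z, c, v;
} cpu_t;

/* Condition codes that appear in the listing (AL = unconditional). */
typedef enum { COND_AL, COND_EQ, COND_NE } cond_t;

/* Constructed, hypothetical .rodata layout for the string literals. */
typedef struct { const char *name; uint32_t addr; const char *text; } sym_t;
static const sym_t rodata[] = {
    { "aZero",           0x288, "zero\n" },
    { "aOne",            0x290, "one\n" },
    { "aTwo",            0x298, "two\n" },
    { "aSomethingUnkno", 0x2a0, "something unknown\n" },
};
#define NSYMS (sizeof rodata / sizeof rodata[0])

static uint32_t sym_addr(const char *name) {
    for (size_t i = 0; i < NSYMS; i++)
        if (strcmp(rodata[i].name, name) == 0) return rodata[i].addr;
    return 0;
}

static const char *sym_text(uint32_t addr) {
    for (size_t i = 0; i < NSYMS; i++)
        if (rodata[i].addr == addr) return rodata[i].text;
    return NULL;
}

static int cond_passes(const cpu_t *cpu, cond_t cond) {
    switch (cond) {
    case COND_EQ: return cpu->z == 1;   /* EQ: Z set   */
    case COND_NE: return cpu->z == 0;   /* NE: Z clear */
    default:      return 1;
    }
}

/* CMP Rn, #imm: computes Rn - imm, updates N, Z, C, V, discards the result. */
static void cmp_imm(cpu_t *cpu, uint32_t imm) {
    uint32_t res = cpu->r0 - imm;
    cpu->n = (res >> 31) & 1;
    cpu->z = (res == 0);
    cpu->c = (cpu->r0 >= imm);                                      /* no borrow */
    cpu->v = (((cpu->r0 ^ imm) & (cpu->r0 ^ res)) >> 31) & 1;      /* signed overflow */
}

/* ADR{cond} R0, label: writes R0 only if cond holds; never modifies the flags. */
static void adr_cond(cpu_t *cpu, cond_t cond, const char *label) {
    if (cond_passes(cpu, cond))
        cpu->r0 = sym_addr(label);
}

/* Executes the f1 listing with argument a in R0; returns the string that
 * __2printf would receive as its format argument. */
const char *f1_sim(uint32_t a) {
    cpu_t cpu = { a, 0, 0, 0, 0 };
    cmp_imm(&cpu, 0);                                 /* CMP   R0, #0            */
    adr_cond(&cpu, COND_EQ, "aZero");                 /* ADREQ R0, aZero         */
    if (cond_passes(&cpu, COND_EQ)) goto loc_170;     /* BEQ   loc_170 (CMP's Z) */
    cmp_imm(&cpu, 1);                                 /* CMP   R0, #1            */
    adr_cond(&cpu, COND_EQ, "aOne");                  /* ADREQ R0, aOne          */
    if (cond_passes(&cpu, COND_EQ)) goto loc_170;     /* BEQ   loc_170           */
    cmp_imm(&cpu, 2);                                 /* CMP   R0, #2            */
    adr_cond(&cpu, COND_NE, "aSomethingUnkno");       /* ADRNE R0, aSomethingUnkno */
    adr_cond(&cpu, COND_EQ, "aTwo");                  /* ADREQ R0, aTwo          */
loc_170:
    return sym_text(cpu.r0);                          /* B __2printf             */
}

/* The reader's question from the text: after CMP R0,#0 with R0 == 0, ADREQ
 * overwrites R0, yet Z stays set so the following BEQ is still taken.
 * Returns 1 if the model behaves that way. */
int adreq_preserves_flags(void) {
    cpu_t cpu = { 0, 0, 0, 0, 0 };
    cmp_imm(&cpu, 0);
    cpu_t before = cpu;
    adr_cond(&cpu, COND_EQ, "aZero");
    return cpu.r0 != before.r0 && cpu.r0 == sym_addr("aZero") &&
           cpu.n == before.n && cpu.z == before.z &&
           cpu.c == before.c && cpu.v == before.v &&
           cond_passes(&cpu, COND_EQ);
}

int main(void) {
    for (uint32_t a = 0; a < 4; a++)
        printf("a=%u -> %s", a, f1_sim(a));
    printf("ADREQ preserves flags: %d\n", adreq_preserves_flags());
    return 0;
}
```

Running it prints the same four outcomes the text derives by hand (0, 1 and 2 select their strings, anything else falls through to «something unknown\n»), and adreq_preserves_flags() returns 1 because the predicated ADR changes R0 but leaves N/Z/C/V exactly as CMP left them.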


13.1.3 ARM: Optimizing Keil 6/2013 (Thumb mode)
