Reverse Engineering for Beginners

CHAPTER 13. SWITCH()/CASE/DEFAULT


Listing 13.4: MSVC 2010

tv64 = -4 ; size = 4
_a$ = 8 ; size = 4
_f PROC
push ebp
mov ebp, esp
push ecx
mov eax, DWORD PTR _a$[ebp]
mov DWORD PTR tv64[ebp], eax
cmp DWORD PTR tv64[ebp], 4
ja SHORT $LN1@f
mov ecx, DWORD PTR tv64[ebp]
jmp DWORD PTR $LN11@f[ecx*4]
$LN6@f:
push OFFSET $SG739 ; 'zero', 0aH, 00H
call _printf
add esp, 4
jmp SHORT $LN9@f
$LN5@f:
push OFFSET $SG741 ; 'one', 0aH, 00H
call _printf
add esp, 4
jmp SHORT $LN9@f
$LN4@f:
push OFFSET $SG743 ; 'two', 0aH, 00H
call _printf
add esp, 4
jmp SHORT $LN9@f
$LN3@f:
push OFFSET $SG745 ; 'three', 0aH, 00H
call _printf
add esp, 4
jmp SHORT $LN9@f
$LN2@f:
push OFFSET $SG747 ; 'four', 0aH, 00H
call _printf
add esp, 4
jmp SHORT $LN9@f
$LN1@f:
push OFFSET $SG749 ; 'something unknown', 0aH, 00H
call _printf
add esp, 4
$LN9@f:
mov esp, ebp
pop ebp
ret 0
npad 2 ; align next label
$LN11@f:
DD $LN6@f ; 0
DD $LN5@f ; 1
DD $LN4@f ; 2
DD $LN3@f ; 3
DD $LN2@f ; 4
_f ENDP


What we see here is a set of printf() calls with various arguments. All of them have not only addresses in the memory of
the process, but also internal symbolic labels assigned by the compiler. All these labels are also listed in the $LN11@f
internal table.


At the function start, if a is greater than 4, control flow is passed to label $LN1@f, where printf() with argument 'something
unknown' is called.


But if the value of a is less than or equal to 4, then it gets multiplied by 4 and added to the $LN11@f table address. That is
how an address inside the table is constructed, pointing exactly to the element we need. For example, let's say a is equal to
2. 2 * 4 = 8 (all table elements are addresses in a 32-bit process and that is why all elements are 4 bytes wide). The address
of the $LN11@f table + 8 is the table element where the $LN4@f label is stored. JMP fetches the $LN4@f address from
the table and jumps to it.
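The mechanism described above, rewritten as an added C model that is not part of the book's listing: the $LN11@f table becomes an array of function pointers, the "cmp ... 4 / ja $LN1@f" guard becomes an unsigned comparison, and table_offset() reproduces the index * 4 scaling of the "jmp DWORD PTR $LN11@f[ecx*4]" addressing mode. All function and variable names here are hypothetical; the case strings are the ones from Listing 13.4.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the book's code: a C model of Listing 13.4.
   Names such as jump_table, table_offset and case_* are hypothetical. */

typedef const char *(*case_handler)(void);

/* One handler per case label; each returns the string printf() would print. */
static const char *case_zero(void)    { return "zero"; }
static const char *case_one(void)     { return "one"; }
static const char *case_two(void)     { return "two"; }
static const char *case_three(void)   { return "three"; }
static const char *case_four(void)    { return "four"; }
static const char *case_unknown(void) { return "something unknown"; }

/* Equivalent of $LN11@f: five entries, valid indices 0..4.
   In the 32-bit build each entry is a 4-byte address (DD). */
static const case_handler jump_table[5] = {
    case_zero,   /* 0 */
    case_one,    /* 1 */
    case_two,    /* 2 */
    case_three,  /* 3 */
    case_four,   /* 4 */
};

#define TABLE_ENTRIES (sizeof jump_table / sizeof jump_table[0])

/* Byte offset that the [ecx*4] addressing mode adds to the table base:
   the index scaled by the pointer width (4 in a 32-bit process, 8 in a 64-bit one). */
size_t table_offset(unsigned index, size_t pointer_width)
{
    return (size_t)index * pointer_width;
}

/* Equivalent of _f: returns the string that the selected case prints. */
const char *f(int a)
{
    /* The listing's "ja" is an unsigned comparison, so a single check rejects
       both values above 4 and negative values (which become huge unsigned
       numbers). Without this guard the indexed jmp would read past the table. */
    if ((unsigned)a >= TABLE_ENTRIES)
        return case_unknown();          /* $LN1@f */
    return jump_table[a]();             /* jmp DWORD PTR $LN11@f[ecx*4] */
}

int main(void)
{
    for (int a = -1; a <= 5; a++)
        printf("f(%d) -> %s\n", a, f(a));
    /* For a = 2 the entry lives at table base + 8, as the chapter explains. */
    printf("entry for a=2 is at base+%zu\n", table_offset(2, 4));
    return 0;
}
```

The guard must stay in front of the indexed jump: the compiler emits it precisely because the table itself carries no length, and a reverser reading a switch-generated routine should confirm that the comparison and the table size agree.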


This table is sometimes called jump table or branch table^3.


(^3) The whole method was once called computed GOTO in early versions of FORTRAN: wikipedia. Not quite relevant these days, but what a term!