Reversing : The Hacker's Guide to Reverse Engineering

00401078 add ecx,1
0040107B jmp 00401060
0040107D cmp ebp,3
00401080 ja 00401071
00401082 mov ecx,9
00401087 jmp 00401060
00401089 mov ebx,edi
0040108B add ecx,1
0040108E jmp 00401060
00401090 sub ebp,4
00401093 jmp 00401055
00401095 mov esi,dword ptr [esp+20h]
00401099 xor dword ptr [edx],esi
0040109B add ecx,1
0040109E jmp 00401060
004010A0 xor eax,edi
004010A2 add ecx,1
004010A5 jmp 00401060
004010A7 add edx,4
004010AA add ecx,1
004010AD jmp 00401060
004010AF pop edi
004010B0 pop esi
004010B1 pop ebp
004010B2 pop ebx
004010B3 pop ecx
004010B4 ret

The function’s jump table:
0x004010B8 0040107d 00401076 00401095 0040106f
0x004010C8 00401089 004010a0 004010a7 00401090
0x004010D8 004010af

Listing 10.3 (continued)

The function in Listing 10.3 is functionally equivalent to the one in Listing 10.2, but it was obfuscated using a table interpretation transformation. The function was broken down into nine segments that represent the different stages in the original function. The implementation constantly loops through a junction that decides where to go next, depending on the value of ECX. Each code segment sets the value of ECX so that the correct code segment follows. The specific code address that is executed is determined using the jump table, which is included at the end of the listing. Internally, this is implemented using a simple switch statement, but when you think of it logically, this is similar to a little virtual machine that was built just for this particular function. Each "instruction" advances the "instruction pointer", which is stored in ECX. The actual "code" is the jump table, because that's where the sequence of operations is stored.
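To make the "little virtual machine" concrete, here is an added C example (it is not from the book and not a reconstruction of Listing 10.3 itself). It pairs a plain word-XOR loop, modelled on the xor dword ptr [edx],esi / add edx,4 / sub ebp,4 pattern visible in the listing, with a table-interpreted version: the loop body is cut into segments, a dispatcher loop plays the role of the junction at 00401060, an integer ip stands in for ECX, and the order of operations lives only in the jump table. The function names, the segment split and the sample buffer are all assumptions chosen for illustration; the trace argument exists purely so the reader can watch the "instruction pointer" step through the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the book's code: a plain function and a
 * table-interpreted equivalent. Names and the segment split are
 * assumptions modelled loosely on the pattern in Listing 10.3. */

/* Plain version: XOR each 32-bit word of buf with key. */
static void xor_plain(uint32_t *buf, size_t nwords, uint32_t key)
{
    for (size_t i = 0; i < nwords; i++)
        buf[i] ^= key;
}

/* State shared by the segments. In the listing this lives in registers
 * (EDX = current pointer, EBP = bytes remaining, ESI = key). */
struct vm_state {
    uint32_t *p;
    size_t    remaining;
    uint32_t  key;
};

/* Segment indices, i.e. the values the virtual instruction pointer (ECX
 * in the listing) can take. SEG_EXIT corresponds to the pop/ret epilogue. */
enum { SEG_INIT, SEG_CHECK, SEG_XOR, SEG_ADVANCE, SEG_DEC, SEG_EXIT, SEG_COUNT };

typedef int (*segment_fn)(struct vm_state *);

/* Each segment does one piece of work and returns the next ip, just as
 * each block in the listing ends with "add ecx,1" or "mov ecx,N". */
static int seg_init(struct vm_state *s)    { (void)s; return SEG_CHECK; }
static int seg_check(struct vm_state *s)   { return s->remaining ? SEG_XOR : SEG_EXIT; }
static int seg_xor(struct vm_state *s)     { *s->p ^= s->key; return SEG_ADVANCE; }
static int seg_advance(struct vm_state *s) { s->p++; return SEG_DEC; }
static int seg_dec(struct vm_state *s)     { s->remaining--; return SEG_CHECK; }

/* The "program": the jump table. The sequence of operations is encoded
 * here (and in the return values above), not in any linear code. */
static const segment_fn jump_table[SEG_COUNT] = {
    [SEG_INIT]    = seg_init,
    [SEG_CHECK]   = seg_check,
    [SEG_XOR]     = seg_xor,
    [SEG_ADVANCE] = seg_advance,
    [SEG_DEC]     = seg_dec,
    /* SEG_EXIT has no handler: the dispatcher stops there. */
};

/* Table-interpreted version. If trace is non-NULL, up to cap ip values
 * are recorded in execution order. Returns the number of segments run
 * (including the final SEG_EXIT step). */
static size_t xor_table(uint32_t *buf, size_t nwords, uint32_t key,
                        int *trace, size_t cap)
{
    struct vm_state s = { buf, nwords, key };
    size_t steps = 0;
    int ip = SEG_INIT;
    for (;;) {                              /* the dispatcher "junction" */
        if (trace && steps < cap) trace[steps] = ip;
        steps++;
        if (ip == SEG_EXIT) break;          /* epilogue reached */
        ip = jump_table[ip](&s);            /* indirect jump through the table */
    }
    return steps;
}

/* Both variants must transform a constructed buffer identically. */
static int variants_agree(void)
{
    uint32_t a[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
    uint32_t b[4];
    memcpy(b, a, sizeof a);
    xor_plain(a, 4, 0xDEADBEEFu);
    xor_table(b, 4, 0xDEADBEEFu, NULL, 0);
    return memcmp(a, b, sizeof a) == 0;
}

/* For a two-word buffer the ip sequence is fully determined by the table:
 * INIT, then CHECK/XOR/ADVANCE/DEC twice, then CHECK, EXIT (11 steps). */
static int trace_is_expected(void)
{
    static const int expected[11] = {
        SEG_INIT, SEG_CHECK, SEG_XOR, SEG_ADVANCE, SEG_DEC,
        SEG_CHECK, SEG_XOR, SEG_ADVANCE, SEG_DEC, SEG_CHECK, SEG_EXIT
    };
    uint32_t buf[2] = { 1u, 2u };
    int trace[16];
    size_t n = xor_table(buf, 2, 0xFFu, trace, 16);
    if (n != 11 || buf[0] != (1u ^ 0xFFu) || buf[1] != (2u ^ 0xFFu)) return 0;
    return memcmp(trace, expected, sizeof expected) == 0;
}

int main(void)
{
    int trace[16];
    uint32_t buf[2] = { 1u, 2u };
    size_t n = xor_table(buf, 2, 0xFFu, trace, 16);
    printf("variants agree: %d, trace ok: %d\n", variants_agree(), trace_is_expected());
    printf("%zu segments, ip sequence:", n);
    for (size_t i = 0; i < n && i < 16; i++) printf(" %d", trace[i]);
    printf("\n");
    return 0;
}
```

Reading the trace is the point of the exercise: the segments themselves are almost meaningless in isolation (one XOR, one pointer bump, one decrement), and only by following ip through the table does the original loop reappear. That is also why, when analysing a function like Listing 10.3, recording the sequence of ECX values the dispatcher sees is far more productive than reading the segments in address order.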
