Reverse Engineering: Switch Cases in Bomb3.exe

Source: http://opensecuritytraining.info/

Switch cases are compiled into different styles, depending on the compiler, optimization settings, and case values
- may look like nested if..else if..else if..else..
- may use a jump table array
For a jump table, the case is translated into an index within the table and multipled by the size of a pointer.

mov     edx, [ebp+var_18]
jmp     ds:off_401328[edx*4]

Analysts are faced with many paths that are never visited
Understanding the input and desired output can help to avoid unnecessary analysis

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

%d bloggers like this:

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…