Our task as formulated in exercise 8:
Sample H. Decompile sub_11732
and explain the most likely programming construct used in the original code.
The function’s disassembly:
;-----------------------------------------------------------------------
; sub_1172E -- selector-driven field fetch (exercise 8, sample H)
; Syntax: Intel (IDA listing), 32-bit x86
; In:    eax = base pointer; read at [eax+8] (case 12) or [eax+3Ch] (1/2/3)
;        ecx = out-pointer, receives the halved field
;        edx = out-pointer, receives the adjusted base pointer
;        [esp+4] on entry = selector, the only stack argument
; Out:   eax = base pointer plus a case-specific offset; left untouched
;        in the default case. *ecx / *edx are written only for
;        selectors 1, 2, 3 and 12 -- any other value stores nothing.
; Clobb: eax, flags; esi is saved and restored around the body
; Stack: callee pops the 4-byte selector (retn 4)
; NOTE(review): eax/ecx/edx arrive in registers and none of the three
;        pointers is validated here -- the caller is trusted entirely.
;-----------------------------------------------------------------------
| sub_1172E:
push esi                ; preserve esi; it is used as the scratch register below
mov esi, [esp+8]        ; esi = selector ([esp+4] at entry, +4 after the push)
dec esi
jz short loc_1175F      ; selector == 1
dec esi
jz short loc_11755      ; selector == 2
dec esi
jz short loc_1174B      ; selector == 3
sub esi, 9
jnz short loc_1176B     ; anything but 12 -> default: no stores, eax unchanged
mov esi, [eax+8]        ; case 12: esi = *(u32 *)(eax + 8)
shr esi, 1              ; logical shift -> unsigned divide by 2
add eax, 0Ch            ; eax += 0x0C
jmp short loc_11767
; ---------------------------------------------------------------------------
loc_1174B:              ; case 3
mov esi, [eax+3Ch]      ; esi = *(u32 *)(eax + 0x3C)
shr esi, 1              ; unsigned divide by 2
add eax, 5Eh            ; eax += 0x5E
jmp short loc_11767
; ---------------------------------------------------------------------------
loc_11755:              ; case 2
mov esi, [eax+3Ch]      ; esi = *(u32 *)(eax + 0x3C)
shr esi, 1              ; unsigned divide by 2
add eax, 44h            ; eax += 0x44
jmp short loc_11767
; ---------------------------------------------------------------------------
loc_1175F:              ; case 1
mov esi, [eax+3Ch]      ; esi = *(u32 *)(eax + 0x3C)
shr esi, 1              ; unsigned divide by 2
add eax, 40h            ; eax += 0x40, then fall through to the common tail
loc_11767:              ; common tail for cases 1, 2, 3 and 12
mov [ecx], esi          ; *ecx = halved field
mov [edx], eax          ; *edx = adjusted pointer
loc_1176B:              ; default case rejoins here (nothing written)
pop esi
retn 4                  ; callee cleans the single stack argument
The programming construct in question is clearly a switch...case statement: the single stack argument is tested against the sparse values 1, 2, 3 and 12 (three `dec`/`jz` pairs followed by `sub esi, 9`/`jnz`), each matching value jumps to its own case body, and every case except the default joins a common tail at loc_11767 before returning.
Translating the assembly code above into pseudo-C code yields:
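/*
 * Pseudo-C for sub_1172E.
 *
 * Calling convention as seen in the listing: eax, ecx and edx arrive in
 * registers, the selector is the only stack argument, and `retn 4` means
 * the callee pops it. eax is also the value left in the return register
 * when the function exits, so it is modelled as the return value here.
 *
 * eax  - base pointer; the listing reads a 32-bit field at +8 (case 12)
 *        or +0x3C (cases 1, 2, 3)
 * ecx  - out: receives the field shifted right by one
 * edx  - out: receives the adjusted base pointer
 * sel  - switch selector (the listing calls it `enum`, which is a C
 *        keyword and cannot be an identifier)
 *
 * Only selectors 1, 2, 3 and 12 write the outputs; any other value leaves
 * *ecx and *edx untouched and returns eax unchanged. `shr` is a logical
 * shift, so `var` is unsigned and `>> 1` really is `/ 2` (for a signed
 * type that equivalence does not hold for negative values). The original
 * pseudo-code wrote `var >> 1;`, which discards the result; the assignment
 * below is what the `shr esi, 1` actually does.
 */
unsigned char *function(unsigned char *eax, unsigned int *ecx,
                        unsigned char **edx, int sel)
{
    unsigned int var;                                   /* esi */

    switch (sel) {
    case 1:                                             /* loc_1175F */
        var = *(unsigned int *)(eax + 0x3C) >> 1;       /* var / 2 */
        eax += 0x40;
        break;
    case 2:                                             /* loc_11755 */
        var = *(unsigned int *)(eax + 0x3C) >> 1;
        eax += 0x44;
        break;
    case 3:                                             /* loc_1174B */
        var = *(unsigned int *)(eax + 0x3C) >> 1;
        eax += 0x5E;
        break;
    case 12:                                            /* sub esi, 9 path */
        var = *(unsigned int *)(eax + 0x08) >> 1;
        eax += 0x0C;
        break;
    default:                                            /* loc_1176B */
        return eax;                                     /* no stores at all */
    }

    /* loc_11767: common tail shared by the four real cases */
    *ecx = var;
    *edx = eax;
    return eax;
}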