## Thursday, 14 September 2017

### Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 8

Our task as formulated in exercise 8:

Sample H. Decompile sub_11732 and explain the most likely programming construct used in the original code.

The function's disassembly:

sub_1172E:
push    esi
mov     esi, [esp+8]
dec     esi
jz      short loc_1175F
dec     esi
jz      short loc_11755
dec     esi
jz      short loc_1174B
sub     esi, 9
jnz     short loc_1176B
mov     esi, [eax+8]
shr     esi, 1
add     eax, 0Ch
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_1174B:
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 5Eh
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_11755:
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 44h
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_1175F:
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 40h

loc_11767:
mov     [ecx], esi
mov     [edx], eax

loc_1176B:
pop     esi
retn    4

The sought-after programming construct is clearly a switch...case statement. Rather than comparing the argument against each case value directly, the compiler decrements esi once per consecutive label (1, 2, 3) and tests for zero after every step, then subtracts 9 to test for the remaining, non-consecutive label 12 (3 + 9). Any other value reaches loc_1176B without writing to [ecx] or [edx], which is the default path. The selector is the function's only stack parameter at [esp+8] (removed by retn 4), while eax, ecx and edx are passed in registers. Translating the assembly above into pseudo-C yields:

// eax, ecx and edx arrive in registers; selector is the single stack
// argument ([esp+8]) that retn 4 pops on return.
function(eax, ecx, edx, selector)
{
    unsigned int var;

    switch (selector) {
    case 1:
        goto loc_5F;
    case 2:
        goto loc_55;
    case 3:
        goto loc_4B;
    case 12:                              // three dec esi, then sub esi, 9
        var = *(unsigned int *)(eax + 8);
        var >>= 1;                        // shr esi, 1: unsigned var / 2
        eax = eax + 0x0C;
        goto loc_67;
    default:
        goto loc_6B;                      // jnz loc_1176B: nothing is stored
    }

loc_4B:
    var = *(unsigned int *)(eax + 0x3C);
    var >>= 1;                            // unsigned var / 2
    eax = eax + 0x5E;
    goto loc_67;

loc_55:
    var = *(unsigned int *)(eax + 0x3C);
    var >>= 1;                            // unsigned var / 2
    eax = eax + 0x44;
    goto loc_67;

loc_5F:
    var = *(unsigned int *)(eax + 0x3C);
    var >>= 1;                            // unsigned var / 2
    eax = eax + 0x40;

loc_67:
    *ecx = var;                           // mov [ecx], esi
    *edx = eax;                           // mov [edx], eax

loc_6B:
    return eax;
}
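To confirm that the decrement ladder really is a switch on 1, 2, 3 and 12, here is an added Python emulation (not from the original post) that executes the dec/jz/sub sequence with 32-bit wraparound and compares it with the switch form for every selector, including 0 and values that wrap around. The base address and the memory contents at +8 and +0x3C are constructed; the offsets are the ones from the disassembly.

```python
# Added example, not from the original post: emulate the dec/jz ladder of
# sub_1172E with 32-bit wraparound and compare it with the switch it most
# likely compiled from. Offsets are the page's; memory below is constructed.
MASK32 = 0xFFFFFFFF

def read32(mem, addr):
    """Constructed memory model: dict mapping dword address -> dword value."""
    return mem[addr & MASK32] & MASK32

def ladder(mem, eax, arg):
    """Instruction-by-instruction emulation of sub_1172E. Returns the pair
    (*ecx, *edx) stored at loc_11767, or None when jnz loc_1176B skips the
    stores (the switch's default path)."""
    esi = (arg - 1) & MASK32          # dec esi
    if esi == 0:                      # jz loc_1175F  (selector == 1)
        return read32(mem, eax + 0x3C) >> 1, (eax + 0x40) & MASK32
    esi = (esi - 1) & MASK32          # dec esi
    if esi == 0:                      # jz loc_11755  (selector == 2)
        return read32(mem, eax + 0x3C) >> 1, (eax + 0x44) & MASK32
    esi = (esi - 1) & MASK32          # dec esi
    if esi == 0:                      # jz loc_1174B  (selector == 3)
        return read32(mem, eax + 0x3C) >> 1, (eax + 0x5E) & MASK32
    esi = (esi - 9) & MASK32          # sub esi, 9
    if esi != 0:                      # jnz loc_1176B (anything but 12)
        return None
    return read32(mem, eax + 8) >> 1, (eax + 0x0C) & MASK32

def switch_form(mem, eax, arg):
    """The same function written as the switch the compiler started from."""
    half_3c = lambda: read32(mem, eax + 0x3C) >> 1
    cases = {
        1:  lambda: (half_3c(), (eax + 0x40) & MASK32),
        2:  lambda: (half_3c(), (eax + 0x44) & MASK32),
        3:  lambda: (half_3c(), (eax + 0x5E) & MASK32),
        12: lambda: (read32(mem, eax + 8) >> 1, (eax + 0x0C) & MASK32),
    }
    handler = cases.get(arg & MASK32)
    return handler() if handler else None

def equivalent(mem, eax, selectors):
    """True when the ladder and the switch agree for every selector given."""
    return all(ladder(mem, eax, s) == switch_form(mem, eax, s) for s in selectors)

# Constructed sample: an object at 0x1000 with dwords at +8 and +0x3C.
SAMPLE_BASE = 0x1000
SAMPLE_MEM = {SAMPLE_BASE + 0x08: 0x200, SAMPLE_BASE + 0x3C: 0x7F}

if __name__ == "__main__":
    print([ladder(SAMPLE_MEM, SAMPLE_BASE, s) for s in (0, 1, 2, 3, 4, 12, MASK32)])
```

Selector 0 is worth noting: dec esi wraps to 0xFFFFFFFF, so no zero test ever fires and the function falls through to the default path exactly as the switch would.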