Thursday, 14 September 2017

Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 8

Our task as formulated in exercise 8:

Sample H. Decompile sub_11732 and explain the most likely programming construct used in the original code.

The function's disassembly (the listing labels it sub_1172E, although the exercise refers to it as sub_11732):

sub_1172E:
push    esi
mov     esi, [esp+8]        ; the single stack argument (removed by retn 4)
dec     esi
jz      short loc_1175F     ; arg == 1
dec     esi
jz      short loc_11755     ; arg == 2
dec     esi
jz      short loc_1174B     ; arg == 3
sub     esi, 9
jnz     short loc_1176B     ; arg != 12 (3 + 9): default, nothing is written
mov     esi, [eax+8]        ; arg == 12
shr     esi, 1              ; logical shift: unsigned divide by 2
add     eax, 0Ch
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_1174B:                  ; arg == 3
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 5Eh
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_11755:                  ; arg == 2
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 44h
jmp     short loc_11767
; ---------------------------------------------------------------------------

loc_1175F:                  ; arg == 1
mov     esi, [eax+3Ch]
shr     esi, 1
add     eax, 40h

loc_11767:                  ; common tail: store both results through ecx and edx
mov     [ecx], esi
mov     [edx], eax

loc_1176B:                  ; default path joins here without storing anything
pop     esi
retn    4                   ; callee removes the one stack argument

The construct is a switch...case statement. The stack argument is tested against 1, 2 and 3 by three successive dec/jz pairs, and what remains is then compared against 12 with sub esi, 9 (3 + 9 = 12); every other value lands on loc_1176B, which is the default branch. Because the case values (1, 2, 3, 12) are sparse, the compiler emitted this compare chain instead of a jump table. Two details matter when reconstructing the source. First, the calling convention is non-standard: eax, ecx and edx are passed in registers, the selector is the single stack argument that retn 4 removes, and eax serves both as an input pointer and as the return value, as happens when the optimiser customises the convention of a function that is only called internally. Second, shr is a logical shift, so the halving is an unsigned division by two. Cases 1, 2 and 3 all read the same field at offset 0x3C but hand back different pointers (base + 0x40, 0x44 or 0x5E), while case 12 uses the pair at 0x8 and 0xC; in every case the function stores a halved length through ecx and a pointer through edx, and the default path stores nothing. Translating the assembly above into C yields:

#include <stdint.h>

/* eax = base pointer, ecx/edx = output pointers (all passed in registers);
   sel is the single stack argument that retn 4 removes (the "enum" of the
   exercise). The updated eax is also returned. */
uint8_t *sub_1172E(uint8_t *eax, uint32_t *ecx, uint8_t **edx, uint32_t sel)
{
    uint32_t var;

    switch (sel) {
    case 1:                                    /* loc_1175F */
        var = *(uint32_t *)(eax + 0x3C) >> 1;  /* shr: unsigned var / 2 */
        eax += 0x40;
        break;
    case 2:                                    /* loc_11755 */
        var = *(uint32_t *)(eax + 0x3C) >> 1;
        eax += 0x44;
        break;
    case 3:                                    /* loc_1174B */
        var = *(uint32_t *)(eax + 0x3C) >> 1;
        eax += 0x5E;
        break;
    case 12:                                   /* 3 + 9, the sub esi, 9 test */
        var = *(uint32_t *)(eax + 0x8) >> 1;
        eax += 0x0C;
        break;
    default:                                   /* loc_1176B: outputs untouched */
        return eax;
    }

    /* loc_11767: common tail */
    *ecx = var;
    *edx = eax;
    return eax;
}
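Two things are worth checking before trusting a reconstruction like this: that the dec/sub chain really behaves as a switch over exactly 1, 2, 3 and 12 for every 32-bit input (including 0 and large values, where the decrements wrap around), and that a struct written from the offsets reproduces them. The following is an added example, not code from the original post or from Sample H: a register-level model of the dispatch prologue with 32-bit wraparound, a hypothetical struct layout (field names, sizes and the reading of the halved length as a count of 16-bit units are all assumptions; only the offsets come from the listing), and the reconstructed switch run against a constructed sample object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (assumed names and sizes) reproducing the offsets used
   by sub_1172E. Only the offsets come from the listing; the _Static_asserts
   pin them down so a wrong guess at a field size fails to compile. */
typedef struct {
    uint8_t  head[8];
    uint32_t len_a;       /* +0x08  mov esi, [eax+8]    (case 12) */
    uint8_t  data_a[48];  /* +0x0C  add eax, 0Ch        (case 12) */
    uint32_t len_b;       /* +0x3C  mov esi, [eax+3Ch]  (cases 1, 2, 3) */
    uint8_t  data_b1[4];  /* +0x40  add eax, 40h        (case 1) */
    uint8_t  data_b2[26]; /* +0x44  add eax, 44h        (case 2) */
    uint8_t  data_b3[16]; /* +0x5E  add eax, 5Eh        (case 3) */
} sample_h_t;
_Static_assert(offsetof(sample_h_t, len_a)   == 0x08, "len_a");
_Static_assert(offsetof(sample_h_t, data_a)  == 0x0C, "data_a");
_Static_assert(offsetof(sample_h_t, len_b)   == 0x3C, "len_b");
_Static_assert(offsetof(sample_h_t, data_b1) == 0x40, "data_b1");
_Static_assert(offsetof(sample_h_t, data_b2) == 0x44, "data_b2");
_Static_assert(offsetof(sample_h_t, data_b3) == 0x5E, "data_b3");

/* Register-level model of the dispatch prologue with 32-bit wraparound.
   Returns the case body the jumps reach, 0 meaning loc_1176B (default). */
static uint32_t chain_target(uint32_t esi)
{
    esi -= 1; if (esi == 0) return 1;   /* dec esi ; jz loc_1175F */
    esi -= 1; if (esi == 0) return 2;   /* dec esi ; jz loc_11755 */
    esi -= 1; if (esi == 0) return 3;   /* dec esi ; jz loc_1174B */
    esi -= 9; if (esi != 0) return 0;   /* sub esi, 9 ; jnz loc_1176B */
    return 12;                          /* falls into the case-12 body */
}

/* The reconstructed switch written against the struct instead of raw
   offsets. Returns 1 when the outputs were written, 0 on the default path
   (where the original leaves [ecx] and [edx] untouched). */
static int get_view(const sample_h_t *s, uint32_t sel,
                    uint32_t *count, const uint8_t **data)
{
    switch (sel) {
    case 1:  *count = s->len_b >> 1; *data = s->data_b1; return 1;
    case 2:  *count = s->len_b >> 1; *data = s->data_b2; return 1;
    case 3:  *count = s->len_b >> 1; *data = s->data_b3; return 1;
    case 12: *count = s->len_a >> 1; *data = s->data_a;  return 1;
    default: return 0;
    }
}

/* Probe the boundary values where dec/sub wraparound could differ from a
   plain switch on 1, 2, 3 and 12. Returns the number of mismatches. */
static int check_chain_vs_switch(void)
{
    static const uint32_t probes[] = {
        0, 1, 2, 3, 4, 11, 12, 13, 0x7FFFFFFFu, 0x80000000u,
        0xFFFFFFF4u, 0xFFFFFFFEu, 0xFFFFFFFFu
    };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t v = probes[i];
        uint32_t expect = (v == 1 || v == 2 || v == 3 || v == 12) ? v : 0;
        if (chain_target(v) != expect)
            mismatches++;
    }
    return mismatches;
}

/* Run the reconstruction on a constructed sample object (not data from
   Sample H) whose length fields hold byte counts, so the halving yields a
   count of 16-bit units (an assumed reading). Returns the offset of the data
   view, or -1 on the default path; *count is left alone when nothing is written. */
static long run_view(uint32_t sel, uint32_t *count)
{
    sample_h_t s;
    memset(&s, 0, sizeof s);
    s.len_a = 26;   /* 26 bytes -> 13 units */
    s.len_b = 32;   /* 32 bytes -> 16 units */
    const uint8_t *data = NULL;
    if (!get_view(&s, sel, count, &data))
        return -1;
    return (long)(data - (const uint8_t *)&s);
}

/* Convenience wrappers; 0xDEADBEEF marks an output the function never touched. */
static long view_offset(uint32_t sel) { uint32_t c = 0; return run_view(sel, &c); }
static uint32_t view_count(uint32_t sel) { uint32_t c = 0xDEADBEEFu; run_view(sel, &c); return c; }

int main(void)
{
    printf("chain/switch mismatches: %d\n", check_chain_vs_switch());
    for (uint32_t sel = 0; sel <= 13; sel++)
        printf("sel=%2u offset=%ld count=%u\n", (unsigned)sel, view_offset(sel), (unsigned)view_count(sel));
    return 0;
}
```

The wraparound probes matter because the chain subtracts rather than compares: an argument of 0 becomes 0xFFFFFFFF after the first dec, and only a value that reaches exactly 0 after 3 + 9 subtractions, that is 12, takes the last branch, so the model confirms the four case values without having to enumerate all 2^32 inputs.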
