LOOPS

FOR LOOP

EXAMPLE 1:

EXAMPLE 2:

#C CODE SNIPPET
#include <stdio.h>

int main(void)
{
    int i;

    /* initialization; comparison; increment - the three loop components
       that appear in the assembly below alongside the body (execution) */
    for(i=0; i<100; i++)
    {
       printf("i equals %d\n", i);
    }
    return 0;
}

#ASSEMBLY CODE SNIPPET
00401004        mov     [ebp+var_4], 0 ❶                 ;initialization
0040100B        jmp     short loc_401016 ❷
0040100D loc_40100D:
0040100D        mov     eax, [ebp+var_4] ❸
00401010        add     eax, 1                           ;increment operation
00401013        mov     [ebp+var_4], eax ❹
00401016 loc_401016:
00401016        cmp     [ebp+var_4], 64h ❺               ;comparison
0040101A        jge     short loc_40102F ❻
0040101C        mov     ecx, [ebp+var_4]                 ;part of comparison
0040101F        push    ecx
00401020        push    offset aID  ; "i equals %d\n"
00401025        call    printf
0040102A        add     esp, 8
0040102D        jmp     short loc_40100D ❼                ;jump to cause the increment to occur

 * in assembly, a for loop can be recognized by locating its four components: initialization (❶), comparison (❺ and ❻), execution (the body), and the increment/decrement operation (❸ and ❹)
    - the

In the figure, the upward-pointing arrow after the increment code indicates a loop. These arrows make loops easier to recognize in the graph view than in the standard disassembly view. The graph displays five boxes: the top four are the components of the for loop (initialization, comparison, execution, and increment, in that order). The box on the bottom right is the function epilogue, the portion of a function responsible for cleaning up the stack and returning.

disassembly graph of a for loop

WHILE LOOP

EXAMPLE 1:

EXAMPLE 2:

While loops are frequently used by malware authors to loop until a condition is met, such as receiving a packet or command. The while loop looks similar to the for loop in assembly, but is easier to understand.

#C CODE SNIPPET
/* performAction and checkResult are defined elsewhere in the program;
   only their prototypes are needed here */
int performAction(void);
int checkResult(int result);

int status = 0;
int result = 0;

/* no increment: the loop ends only when checkResult changes status */
while(status == 0){
     result = performAction();
     status = checkResult(result);
}

#ASSEMBLY CODE SNIPPET
00401036        mov     [ebp+var_4], 0
0040103D        mov     [ebp+var_8], 0
00401044 loc_401044:
00401044        cmp     [ebp+var_4], 0
00401048        jnz     short loc_401063 ❶
0040104A        call    performAction
0040104F        mov     [ebp+var_8], eax
00401052        mov     eax, [ebp+var_8]
00401055        push    eax
00401056        call    checkResult
0040105B        add     esp, 4
0040105E        mov     [ebp+var_4], eax
00401061        jmp     short loc_401044 ❷

 * the while loop in assembly can be distinguished from the for loop by the absence of an "increment/decrement" section
    - the only way for this code to stop executing repeatedly is for the conditional jump at ❶ (jnz) to be taken; the jmp at ❷ otherwise sends execution back to the comparison
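The recognition rules from both the for-loop and while-loop sections above can be applied mechanically. The following Python script is an added example, not code from these notes or from IDA: it parses an IDA-style text listing, treats every backward jump (the upward arrow in graph view) as a loop, locates the comparison and exit jump inside the loop, checks for an initialization before it, and then decides "for" versus "while" by whether the compared stack variable is incremented or decremented inside the body. The two listings from this page are embedded as sample input; the regular expressions and the for/while heuristic are assumptions about IDA's text output, not an IDA API.

```python
"""Heuristic loop recognizer for IDA-style x86 listings (added example;
regexes and the for/while heuristic are assumptions about IDA's text output)."""
import re

LABEL_RE = re.compile(r"^([0-9a-f]{8})\s+(\w+):$", re.I)
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+(\w+)\s*(.*)$", re.I)
CALLOUT_RE = re.compile(r"[\u2460-\u24ff\u2776-\u2793]")   # strips the ❶..❼ markers
ARITH = {"add", "sub", "inc", "dec"}

# Sample input: the two listings from the notes above, pasted verbatim.
FOR_LISTING = r"""
00401004        mov     [ebp+var_4], 0 ❶                 ;initialization
0040100B        jmp     short loc_401016 ❷
0040100D loc_40100D:
0040100D        mov     eax, [ebp+var_4] ❸
00401010        add     eax, 1                           ;increment operation
00401013        mov     [ebp+var_4], eax ❹
00401016 loc_401016:
00401016        cmp     [ebp+var_4], 64h ❺               ;comparison
0040101A        jge     short loc_40102F ❻
0040101C        mov     ecx, [ebp+var_4]                 ;part of comparison
0040101F        push    ecx
00401020        push    offset aID  ; "i equals %d\n"
00401025        call    printf
0040102A        add     esp, 8
0040102D        jmp     short loc_40100D ❼
"""
WHILE_LISTING = r"""
00401036        mov     [ebp+var_4], 0
0040103D        mov     [ebp+var_8], 0
00401044 loc_401044:
00401044        cmp     [ebp+var_4], 0
00401048        jnz     short loc_401063 ❶
0040104A        call    performAction
0040104F        mov     [ebp+var_8], eax
00401052        mov     eax, [ebp+var_8]
00401055        push    eax
00401056        call    checkResult
0040105B        add     esp, 4
0040105E        mov     [ebp+var_4], eax
00401061        jmp     short loc_401044 ❷
"""

def parse_listing(text):
    """Return (labels, insns): labels maps name -> address; insns holds
    (addr, mnemonic, [operands]) tuples with comments and callouts removed."""
    labels, insns = {}, []
    for raw in text.splitlines():
        line = CALLOUT_RE.sub("", raw.split(";", 1)[0]).strip()
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(2).lower()] = int(m.group(1), 16)
            continue
        m = INSN_RE.match(line)
        if m:
            ops = [o.strip().lower() for o in m.group(3).split(",") if o.strip()]
            insns.append((int(m.group(1), 16), m.group(2).lower(), ops))
    return labels, insns

def find_loops(labels, insns):
    """A jump whose target lies at or before the jump itself is a loop (the
    upward arrow in graph view); its body runs from the target to the jump."""
    loops = []
    for addr, mnem, ops in insns:
        target = labels.get(ops[0].split()[-1]) if mnem.startswith("j") and ops else None
        if target is not None and target <= addr:
            loops.append({"start": target, "end": addr,
                          "body": [i for i in insns if target <= i[0] <= addr]})
    return loops

def classify_loop(loop, insns):
    """Locate initialization, comparison, exit jump and increment; a loop
    with a comparison but no increment of the compared variable is 'while'."""
    body = loop["body"]
    k = next((n for n, i in enumerate(body) if i[1] == "cmp"), None)
    if k is None:
        return {"kind": "unknown", **loop}
    counter = body[k][2][0]                                  # variable being compared
    exit_jump = next((i[1] for i in body[k + 1:] if i[1].startswith("j")), None)
    init = any(a < loop["start"] and m == "mov" and o and o[0] == counter
               for a, m, o in insns)
    incremented, pending = False, None    # pending: register just modified by add/sub
    for _, m, o in body:
        if m in ARITH and o and o[0] != "esp":               # ignore stack cleanup
            incremented |= o[0] == counter
            pending = None if o[0] == counter else o[0]
        elif m == "mov" and len(o) == 2 and o[0] == counter and o[1] == pending:
            incremented = True                               # add reg; mov var, reg
        elif m == "call" or (m == "mov" and o and o[0] == pending):
            pending = None                                   # register clobbered
    return {"kind": "for" if incremented else "while", "counter": counter,
            "initialized": init, "exit_jump": exit_jump, "increment": incremented,
            "start": loop["start"], "end": loop["end"]}

def analyze(text):
    """Parse a listing and classify every loop in it."""
    labels, insns = parse_listing(text)
    return [classify_loop(loop, insns) for loop in find_loops(labels, insns)]
```

Calling `analyze(FOR_LISTING)` reports one loop spanning 0040100D to 0040102D with counter `[ebp+var_4]`, exit via `jge`, and an increment, so it is classified as a for loop; `analyze(WHILE_LISTING)` reports one loop exiting via `jnz` with no increment of `[ebp+var_4]`, which is the while-loop signature the notes describe. The `esp` exclusion matters: the `add esp, 8` / `add esp, 4` stack cleanup after `call` would otherwise look like an increment.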
