SWITCH STATEMENTS

Last updated 2 months ago

SWITCH STATEMENTS

the switch statements are used by programmers & malware authors to make a decision based on a character or integer.

SWITCH CASES

IF STYLE

from the disassembly, it is difficult to know whether the original code was a switch statement or a sequence of if statements because a compiled switch statement looks like a group of if statements.

#C CODE SNIPPET
switch(i)
{
  case 1:
    printf("i = %d", i+1);
    break;
   case 2:
     printf("i = %d", i+2);
     break;
   case 3:
     printf("i = %d", i+3);
     break;
   default:
     break;
}

#ASSEMBLY CODE SNIPPET
00401013        cmp     [ebp+var_8], 1
00401017        jz      short loc_401027 ❶
00401019        cmp     [ebp+var_8], 2
0040101D        jz      short loc_40103D
0040101F        cmp     [ebp+var_8], 3
00401023        jz      short loc_401053
00401025        jmp     short loc_401067 ❷
00401027        loc_401027:
00401027        mov     ecx, [ebp+var_4] ❸
0040102A        add     ecx, 1
0040102D        push    ecx
0040102E        push    offset unk_40C000 ; i = %d
00401033        call    printf
00401038        add     esp, 8
0040103B        jmp     short loc_401067
0040103D        loc_40103D:
0040103D        mov     edx, [ebp+var_4] ❹
00401040        add     edx, 2
00401043        push    edx
00401044        push    offset unk_40C004 ; i = %d
00401049        call    printf
0040104E        add     esp, 8
00401051        jmp     short loc_401067
00401053        loc_401053:
00401053        mov     eax, [ebp+var_4] ❺
00401056        add     eax, 3
00401059        push    eax
0040105A        push    offset unk_40C008 ; i = %d
0040105F        call    printf
00401064        add     esp, 8

JUMP TABLE

the disassembly in this example switch statement is commonly found with large, contiguous switch statements. in this type, the compiler optimizes the code to avoid needing to make so many comparisons.

#C CODE SNIPPET
switch(i)
{
   case 1:
      printf("i = %d", i+1);
      break;
   case 2:
      printf("i = %d", i+2);
      break;
   case 3:
      printf("i = %d", i+3);
      break;
   case 4:
      printf("i = %d", i+3);
      break;
   default:
      break;
}

#ASSEMBLY CODE SNIPPET
00401016        sub     ecx, 1
00401019        mov     [ebp+var_8], ecx
0040101C        cmp     [ebp+var_8], 3
00401020        ja      short loc_401082
00401022        mov     edx, [ebp+var_8]
00401025        jmp     ds:off_401088[edx*4] ❶
0040102C        loc_40102C:
                ...
00401040        jmp     short loc_401082
00401042        loc_401042:
                ...
00401056        jmp     short loc_401082
00401058        loc_401058:
                ...
0040106C        jmp     short loc_401082
0040106E        loc_40106E:
                ...
00401082        loc_401082:
00401082        xor     eax, eax
00401084        mov     esp, ebp
00401086        pop     ebp
00401087        retn
00401087        _main   endp
00401088        ❷off_401088  dd offset loc_40102C
0040108C               dd offset loc_401042
00401090               dd offset loc_401058
00401094               dd offset loc_40106E

 * the ecx in this example contains the switch variable, and 1 is subtracted from it in the first line

PreviousIF STATEMENTS NextLOOPS