jumptable
joelpx edited this page Nov 27, 2016
The analyzer can detect simple jump-tables (currently only for x86). If a `jmp REG` or a `jmp [INDEX*N + DISP]` is found, the analyzer tries to find the address of the corresponding table. The number of entries is then guessed by scanning the table:
- every entry must contain an address
- the scan continues until an entry is not an address, an xref is found, or the scan enters another section
Here is an example:

```
$ plasma tests/analyzer/switch.bin -i
>> x main
function main (.text) {
    frame_size = 24
    int var_c = -0xc
    0x400506: push rbp
    0x400507: rbp = rsp
    0x40050a: rsp -= 16
    0x40050e: var_c = 2
    # 0x400515: cmp dword ptr [rbp - 4], 0xa
    # 0x400519: ja 0x400564
    if (var_c (unsigned) <= 10) {
        0x40051b: eax = var_c
        0x40051e: rax = *((rax*8) + &jmptable_400620[0])
        0x400526: jmp rax ; switch statement jmptable_400620[11]
        ; case 10 jmptable_400620
        0x400558: edi = unk_400610 "10"
        0x40055d: call puts
        0x400562: jmp ret_0x40056f
        ; case 5 jmptable_400620
        0x40054c: edi = unk_40060e "5"
        0x400551: call puts
        0x400556: jmp ret_0x40056f
        ; case 4 jmptable_400620
        0x400540: edi = unk_40060c "4"
        0x400545: call puts
        0x40054a: jmp ret_0x40056f
        ; case 3 jmptable_400620
        0x400534: edi = unk_40060a "3"
        0x400539: call puts
        0x40053e: jmp ret_0x40056f
        ; case 2 jmptable_400620
        0x400528: edi = unk_400608 "2"
        0x40052d: call puts
        0x400532: jmp ret_0x40056f
    } else {
        ; case 0, 1, 6, 7, 8, 9 jmptable_400620
        0x400564: edi = asc_400613 "default"
        0x400569: call puts
        0x40056e: nop
    }
    ret_0x40056f:
    0x40056f: eax = 0
    0x400574: leave
    0x400575: ret
}
```
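The scanning heuristic described above, applied to a constructed copy of the switch.bin layout (an added example, not plasma's own code): the `.rodata` bytes, section ranges, and the `xrefs` set are constructed here, and exempting the first entry from the xref rule (the jmp sequence itself references the table start) is an assumption.

```python
import struct

# Constructed memory layout modelled on the switch.bin example above:
# name -> (start, end, bytes).  A value "is an address" if it lies in a section.
CASE_TARGETS = [0x400564, 0x400564, 0x400528, 0x400534, 0x400540, 0x40054c,
                0x400564, 0x400564, 0x400564, 0x400564, 0x400558]
_rodata = bytearray(0x80)
_rodata[0x08:0x1b] = b"2\x003\x004\x005\x0010\x00default\x00"   # the strings
_rodata[0x20:0x78] = b"".join(struct.pack("<Q", t) for t in CASE_TARGETS)
SECTIONS = {
    ".text":   (0x400506, 0x400576, b""),   # code bytes not needed for the scan
    ".rodata": (0x400600, 0x400680, bytes(_rodata)),
}

def section_of(addr):
    for name, (start, end, _) in SECTIONS.items():
        if start <= addr < end:
            return name
    return None

def count_jmptable_entries(table_addr, entry_size, xrefs=frozenset()):
    """Guess the number of entries: every entry must hold an address; stop at a
    non-address, at an entry that has an xref (other than the first entry,
    which the jmp sequence itself references), or on leaving the section."""
    sec = section_of(table_addr)
    if sec is None:
        return 0
    start, _, data = SECTIONS[sec]
    fmt = {4: "<I", 8: "<Q"}[entry_size]
    n, addr = 0, table_addr
    while section_of(addr + entry_size - 1) == sec:
        if n > 0 and addr in xrefs:
            break                                  # another object starts here
        (value,) = struct.unpack_from(fmt, data, addr - start)
        if section_of(value) is None:
            break                                  # not an address: table ends
        n, addr = n + 1, addr + entry_size
    return n

def jmptable_cases(table_addr, nb_entries, entry_size):
    """Group case indices by target, like the '; case 0, 1, 6, ...' lines."""
    start, _, data = SECTIONS[section_of(table_addr)]
    fmt = {4: "<I", 8: "<Q"}[entry_size]
    cases = {}
    for i in range(nb_entries):
        (target,) = struct.unpack_from(fmt, data, table_addr - start + i * entry_size)
        cases.setdefault(target, []).append(i)
    return cases
```

With the constructed layout the scan stops at the zero qword following the table and reports 11 entries; adding an xref on an entry in the middle of the table cuts the guess short at that entry.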
If you think a detected jump-table is not correct, you can use the `jmptable` command to create another one. For the previous example we would have typed the following (the jmp instruction is at 0x400526, the table at 0x400620 has 11 entries, and each address is 8 bytes):

```
>> jmptable 0x400526 0x400620 11 8
```