Conditionals
Files used -> 4-if-else.c, 4-if-else.exe, 4-if-else-1.c, 4-if-else-1.exe,
Last updated
Load the compiled executable in IDA and move to the main function.
Let's look at this without the source code alongside, going block by block. For ease, I have numbered the blocks.
Starting with Block 1, we see the prologue, then 0Bh (0x0b, or 11) being moved into the var_4 variable (stack referenced, ebp+var_4). Then we see two instructions [and eax, 80000001h; jns short loc_40101A].
If we look this up on Wikipedia, we can see that js checks whether the sign flag (SF) is set. SF is set when a result is less than 0, i.e. negative.
In our case we have jns, i.e. jump if SF is not set.
And we know 0xb (which is 11), a positive number, was moved into eax, so after the and the result is still non-negative and SF will not be set.
Hence the condition is true and the jump will be taken to loc_40101A [Block 3].
Moving to Block 3, we have test eax, eax; jnz short loc_401031.
We know test eax, eax is used to check whether eax is zero (ZF set) or not.
Then jnz decides the execution flow accordingly. If ZF is not set it moves to Block 5; if ZF is set it moves to Block 4. In Block 4 we see the variable being pushed on the stack along with a string, and a call being made to a function, which is probably a print function, since two arguments are pushed to it.
When a conditional statement is present in the code, we will see two branches originating from the block in the disassembly. The two branches denote the outcome of the condition: if it is satisfied, execution goes to branch one; otherwise, to branch two.
Now seeing the source code ->
var_4 was the ‘number’ variable. Checking for zero (ZF) was actually checking number%2==0. When the result is not zero, execution moves to Block 5, which prints that 11 is an odd number. Otherwise, when the result is 0, it moves to Block 4 and prints that 11 is an even number.
Another example: (4-if-else-1.c)
Starting with Block 1, we have the prologue, then the values 2 and 5 are assigned to the two variables var_8 and var_4 respectively.
Then we have:
cmp eax, [ebp+var_4]; jle short loc_401029.
This means: if eax is less than or equal to [ebp+var_4], then jump to loc_401029.
eax is holding var_8 (value 2). [ebp+var_4] contains the value 5.
Is 2 less than or equal to 5?
Yes. The condition is satisfied, so the jump to Block 3 will be taken.
In Block 3, we go through the same process again, but with the variables swapped. Now var_4 (value 5, loaded into ecx) is compared with var_8 (value 2).
The condition is now: if ecx is less than or equal to [ebp+var_8], jump to short loc_401040.
5 is neither less than nor equal to 2, so the jump to loc_401040 will not be taken; instead execution moves in the other direction, to Block 4.
In Block 4, we print ‘B is bigger’ by pushing the string as an argument to printf (sub_4010A0).
One important point: since we moved to Block 4 (which prints ‘B is bigger’) when 5 was compared with 2, var_8 (value 2) must be variable ‘A’ and var_4 (value 5) must be variable ‘B’. We can rename the variables accordingly.
With that being said, let's check the source code.
Here, the following table of JMP instructions can be used as a reference ->
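As an added example (my code, not the page's or the compiler's output), here is a C model of the two branch patterns discussed above: the `and eax, 80000001h; jns` idiom for `number % 2` from 4-if-else.c, and the `cmp; jle` comparison from 4-if-else-1.c. The page only shows the first two instructions of the modulo sequence; the `dec eax; or eax, 0FFFFFFFEh; inc eax` fix-up on the fall-through path is the standard MSVC sequence and is assumed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block 1 of 4-if-else: mov eax,[var_4]; and eax,80000001h; jns loc_40101A.
 * The mask keeps bit 0 (parity) and bit 31 (sign). For a non-negative number
 * SF is clear, jns jumps, and eax already holds number % 2. For a negative
 * number the fall-through runs the fix-up (assumed MSVC pattern: dec eax;
 * or eax,0FFFFFFFEh; inc eax) so that, as in C, -3 % 2 == -1. */
int32_t mod2_as_compiled(int32_t number) {
    uint32_t eax = (uint32_t)number;
    eax &= 0x80000001u;               /* and eax, 80000001h */
    int sf = (eax >> 31) & 1;         /* SF = bit 31 of the result */
    if (!sf)                          /* jns short loc_40101A */
        return (int32_t)eax;
    eax -= 1;                         /* dec eax */
    eax |= 0xFFFFFFFEu;               /* or  eax, 0FFFFFFFEh */
    eax += 1;                         /* inc eax */
    return (int32_t)eax;
}

/* Block 3: test eax,eax; jnz -> Block 5 ("odd"), else Block 4 ("even"). */
const char *parity_message(int32_t number) {
    return mod2_as_compiled(number) == 0 ? "even" : "odd";
}

/* Blocks 1 and 3 of 4-if-else-1: cmp eax,[var]; jle. cmp computes eax - operand
 * and jle jumps when ZF=1 or SF!=OF, i.e. a *signed* comparison: -1 <= 1 is
 * taken even though 0FFFFFFFFh is larger than 1 when read as unsigned. */
int jle_taken(int32_t eax, int32_t operand) {
    uint32_t a = (uint32_t)eax, b = (uint32_t)operand;
    uint32_t diff = a - b;                          /* what cmp computes */
    int zf = (diff == 0);
    int sf = (diff >> 31) & 1;
    int of = (int)(((a ^ b) & (a ^ diff)) >> 31);   /* signed overflow of a-b */
    return zf || (sf != of);
}

int main(void) {
    int32_t samples[] = {11, 10, -3, -4};
    for (int i = 0; i < 4; i++)
        printf("%d %% 2 -> %d (%s)\n", samples[i],
               mod2_as_compiled(samples[i]), parity_message(samples[i]));
    /* var_8 = 2 (A), var_4 = 5 (B): first jle taken, second not -> "B is bigger" */
    printf("jle 2<=5: %d, jle 5<=2: %d\n", jle_taken(2, 5), jle_taken(5, 2));
    return 0;
}
```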