Recognizing Loops - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software - Michael Sikorski and Andrew Honig - RutLib.com

shows an example of a for loop.

, ❶ corresponds to the initialization step. The code between ❸ and ❹ corresponds to the increment that is initially jumped over at ❷ with a jump instruction. The comparison occurs at ❺, and at ❻, the decision is made by the conditional jump. If the jump is not

00401004        mov     [ebp+var_4], 0 ❶ 0040100B        jmp     short loc_401016 ❷ 0040100D loc_40100D: 0040100D        mov     eax, [ebp+var_4] ❸ 00401010        add     eax, 1 00401013        mov     [ebp+var_4], eax ❹ 00401016 loc_401016: 00401016        cmp     [ebp+var_4], 64h ❺ 0040101A        jge     short loc_40102F ❻ 0040101C        mov     ecx, [ebp+var_4] 0040101F        push    ecx 00401020        push    offset aID  ; "i equals %d\n" 00401025        call    printf 0040102A        add     esp, 8 0040102D        jmp     short loc_40100D ❼

A for loop can be recognized using IDA Pro’s graphing mode, as shown in .

as the portion of a function responsible for cleaning up the stack and returning.

will continue to loop until the status returned from checkResult is 0.

looks similar to the for loop, except that it lacks an increment section. A conditional jump occurs at ❶ and an unconditional jump at ❷, but the only way for this code to stop executing repeatedly is for that conditional jump to occur.

00401036        mov     [ebp+var_4], 0 0040103D        mov     [ebp+var_8], 0 00401044 loc_401044: 00401044        cmp     [ebp+var_4], 0 00401048        jnz     short loc_401063 ❶ 0040104A        call    performAction 0040104F        mov     [ebp+var_8], eax 00401052        mov     eax, [ebp+var_8] 00401055        push    eax 00401056        call    checkResult 0040105B        add     esp, 4 0040105E        mov     [ebp+var_4], eax 00401061        jmp     short loc_401044 ❷

Назад: Recognizing if Statements

Дальше: Understanding Function Call Conventions