Switch Statements


A switch statement branches execution to one of several parts of the code, based on the value of an expression. It is a code construct used in programming to make a decision based on a character or integer. Lengthy “if” statements that compare a variable against integral values are often replaced by a switch statement.

When reverse-engineering a malicious binary, being able to identify switch statements is useful for most malware classes. For instance, malware with keylogger functionality most likely uses a switch statement to handle special keys such as SHIFT on the keyboard.

In this article, we will discuss how switch statements can be spotted when reversing a binary.

Switch statements

Figure 1 shows a code snippet of how switch statements are used in the C programming language. 


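#include <stdio.h>

int main(void)
{
    int i = 3;

    /* Dispatch on the value of i; each break prevents fall-through into the next case. */
    switch (i)
    {
        case 1: printf("Value is 1\n"); break;
        case 2: printf("Value is 2\n"); break;
        case 3: printf("Value is 3\n"); break;
        default: printf("Value out of range\n");
    }
    return 0;
}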




Figure 1


The integer variable named “i” is declared and initialized with the value 3 to keep the example simple. This value is passed to the switch statement, and the statements inside the matching case are executed. The text “Value is 3” is printed when this code is compiled and run.

When the Figure 1 code is compiled and the binary is opened in a debugger (OllyDbg in this case), the following disassembly results.






CALL switch.00401610
MOV DWORD PTR SS:[ESP+1C],3          ; |
CMP DWORD PTR SS:[ESP+1C],2          ; |
JE SHORT switch.00401549             ; |
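The compare-and-jump pattern visible in the listing above (the same stack variable compared against a constant, followed by a conditional jump) can be searched for mechanically. The following Python script is an added example, not code from the original article; the function name `find_switch_candidates`, the `min_cases` threshold and the sample listing (constructed, with made-up addresses) are assumptions.

```python
import re

# Constructed OllyDbg-style listing (addresses are made up, not the article's binary).
SAMPLE = """\
00402020  MOV DWORD PTR SS:[ESP+1C],3          ; |
00402028  CMP DWORD PTR SS:[ESP+1C],2          ; |
0040202D  JE SHORT 00402049                    ; |
0040202F  CMP DWORD PTR SS:[ESP+1C],3
00402034  JE SHORT 00402057
00402036  CMP DWORD PTR SS:[ESP+1C],1
0040203B  JNZ SHORT 00402065
0040203D  CALL 00402110
00402042  CMP EAX,0
00402045  JE SHORT 00402073
"""
# CMP <operand>,<hex immediate>; OllyDbg prints immediates as bare hex.
CMP_RE = re.compile(r"^(?:[0-9A-F]{8}\s+)?CMP\s+(.+?),\s*(-?[0-9A-F]+)\s*(?:;.*)?$", re.I)
# Any conditional jump (Jcc), but not the unconditional JMP.
JCC_RE = re.compile(r"^(?:[0-9A-F]{8}\s+)?(J(?!MP)[A-Z]+)\s+(?:SHORT\s+)?(\S+)", re.I)

def find_switch_candidates(listing, min_cases=2):
    """Return [(operand, [(case_value, jump, target), ...])] for each run of
    back-to-back CMP/Jcc pairs that test the same operand against constants."""
    lines = [l.strip() for l in listing.splitlines() if l.strip()]
    chains, current_op, current = [], None, []

    def flush():
        # Close the current run; keep it only if it tests enough distinct values.
        nonlocal current_op, current
        if len({v for v, _, _ in current}) >= min_cases:
            chains.append((current_op, current))
        current_op, current = None, []

    i = 0
    while i < len(lines):
        cmp_m = CMP_RE.match(lines[i])
        jcc_m = JCC_RE.match(lines[i + 1]) if cmp_m and i + 1 < len(lines) else None
        if cmp_m and jcc_m:
            operand = re.sub(r"\s+", " ", cmp_m.group(1).upper())
            if operand != current_op:      # a different variable starts a new run
                flush()
                current_op = operand
            current.append((int(cmp_m.group(2), 16), jcc_m.group(1).upper(), jcc_m.group(2)))
            i += 2
        else:                              # any other instruction ends the run
            flush()
            i += 1
    flush()
    return chains

if __name__ == "__main__":
    for operand, cases in find_switch_candidates(SAMPLE):
        print(operand, [hex(v) for v, _, _ in cases])
```

This heuristic covers only the compare-chain form. For dense case ranges compilers often emit a jump table instead (a bounds check followed by an indirect jump indexed by the switch value), which it will not flag.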


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: