Convert switch-case with two cases {0, 1} to an if-else branch #5637

@xusheng6

I have a binary that obfuscates a regular if-else statement to a switch-case with two cases. It would be good if we can automatically convert such a case to an if-else branch, thus defeating the obfuscation, with minimal user interaction.

Here is what it now looks like in HLIL:

[Screenshot 2024-06-20 at 12 43 49 PM]

We can see it is checking if the start of the buffer is 0x5a4d, a typical check for a PE file.

Repro steps:

  1. Download the binary from https://malshare.com/sample.php?action=detail&hash=0cf55c7e1a19a0631b0248fb0e699bbec1d321240208f2862e37f6c9e75894e7 and open it
  2. Go to function 0x434a60
  3. Set the type of the data variable at 0x44284c to const int32_t
  4. Set the type of the data variable at 0x442844 to const int32_t[2]
  5. View the function code in HLIL

I came across this while looking at #5629.

P.S. Some other switch-case conversion related issues: #4670, #1723

Labels:

  * Effort: Trivial (Issues require < 1 day of work)
  * IL Optimization (Issue involving optimization of representation (not correctness))
  * Impact: Low (Issue is a papercut or has a good, supported workaround)
