
I have come across the following instructions:

mov ecx, [ebp + var_4]
imul ecx, 4
call dword_1423d4[ecx]

Can someone explain to me what it possibly means or point me in the right direction? Why is the call made to a variable?

Jason Geffner
Cream Cracker

2 Answers


dword_1423d4 is a pointer to a global array of 32-bit function pointers.

var_4 is an index into this array.

The call instruction calls the function at index var_4 in the dword_1423d4 function array.

Jason Geffner
  • it's a common representation of a "switch()" statement when the values are linear. The var_4 is the parameter to the switch(), the dword_1423d4 is the table of case handlers. – peter ferrie Jun 25 '13 at 17:50
  • @peterferrie - From my experience, switch statements are typically compiled to use jmp, not call, but I suppose a compiler might choose the latter in some circumstances. – Jason Geffner Jun 25 '13 at 21:53
  • I agree with Jason, it is unlikely (although not guaranteed) to be a switch statement due to the call and no jmp. Possibly a custom function dispatcher or something. – QAZ Jun 26 '13 at 09:39
  • Also agree with @JasonGeffner. I've never seen a switch statement (or anything aside from a real function call, for that matter) on x86 implemented with a call instruction. – Jonathon Reinhart Jun 28 '13 at 05:41
  • By the way @JasonGeffner, I thought your name sounded familiar from BlackHat a couple years back. – Jonathon Reinhart Jun 28 '13 at 06:00
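As an added illustration (not code from the question or from either answer), here is the C-level shape that a compiler turns into the three instructions above: a global array of function pointers indexed by a local, with the index scaled by 4 because each entry is a 32-bit pointer. The handler names, the table contents and the index range are assumptions chosen for the example. It also shows the two forms a reverse engineer distinguishes at such a call site: the literal, unchecked dispatch that the disassembly performs, and a bounds-checked dispatch, which leaves a cmp/ja (or similar) before the call in the compiled code. An index that is never checked against the table size turns the call site into a read past the end of the table, so the absence of that comparison is the first thing to look for when assessing the call.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the original post. Models:
 *     mov  ecx, [ebp + var_4]   ; load the index from a local
 *     imul ecx, 4               ; scale by sizeof(pointer) on 32-bit x86
 *     call dword_1423d4[ecx]    ; call table[index]
 * Handler names and table size are assumptions for illustration. */

typedef int (*handler_fn)(int);

static int handler_add_one(int x) { return x + 1; }
static int handler_double(int x)  { return x * 2; }
static int handler_negate(int x)  { return -x; }

/* Equivalent of dword_1423d4: a global array of function pointers. */
static const handler_fn handler_table[] = {
    handler_add_one,
    handler_double,
    handler_negate,
};

#define HANDLER_COUNT (sizeof(handler_table) / sizeof(handler_table[0]))

/* Number of entries in the table (3 in this example). */
size_t handler_count(void)
{
    return HANDLER_COUNT;
}

/* 1 if index selects an existing entry, else 0. */
int handler_index_valid(size_t index)
{
    return index < HANDLER_COUNT ? 1 : 0;
}

/* Unchecked dispatch: mirrors the disassembly literally. Nothing here
 * constrains index, so an out-of-range value reads past the table and
 * calls whatever pointer-sized value happens to follow it. The caller
 * must guarantee the index. */
int dispatch_unchecked(size_t index, int arg)
{
    return handler_table[index](arg);
}

/* Checked dispatch: what a reviewer wants to see in source. The compiled
 * form carries a compare-and-branch on the index before the call, which is
 * the distinguishing feature to look for at a call site like the one in
 * the question. Out-of-range indices return fallback instead of calling. */
int dispatch_checked(size_t index, int arg, int fallback)
{
    if (!handler_index_valid(index)) {
        return fallback;
    }
    return handler_table[index](arg);
}

int main(void)
{
    /* Walk one step past the end to show the checked path rejecting it. */
    for (size_t i = 0; i <= HANDLER_COUNT; i++) {
        int r = dispatch_checked(i, 10, -1);
        printf("index %zu -> %s (%d)\n", i,
               handler_index_valid(i) ? "handled" : "rejected", r);
    }
    return 0;
}
```

Compiled for 32-bit x86 without optimization, `dispatch_unchecked` produces essentially the question's sequence (load index, scale by 4, indirect call through the table); a `switch` over the same index would instead produce a `jmp` through a table of code addresses, which is the distinction the comments above draw.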

What immediately comes to mind is some type of virtualization layer accessing an IAT or IVT. I absolutely agree with the previous answer that this is a call to a function vector in an array of function pointers. I also agree that it does not look like a switch statement. That's what takes me down the interrupt vector table/address table.

David Hoelzer
  • Would you please add more details into your answer? How is it different from the answer above? At the moment, it reads like a kudos to Jason's answer. If that is what you intended, you can show your agreement with another answer by clicking on the upvote button next to it. Posting a separate answer is not needed. – asheeshr Jul 14 '13 at 02:30
  • I must have missed a reference to an interrupt vector or address table in his answer. – David Hoelzer Jul 14 '13 at 02:39