
Pasting a snippet of code I found inside a malware sample.

    0040F695  push ecx                         ; save ECX
    0040F696  lea ecx,dword ptr ss:[esp+8]     ; ECX = caller's ESP before the call
    0040F69A  sub ecx,1000                     ; step ECX down one page (0x1000)
    0040F6A0  sub eax,1000                     ; one page fewer bytes remaining
    0040F6A5  test dword ptr ds:[ecx],eax      ; reads the dword at [ecx]; only flags change
    0040F6A7  cmp eax,1000                     ; overwrites the flags from the test above
    0040F6AC  jae sample.40F69A                ; loop while at least a page remains
    0040F6AE  sub ecx,eax                      ; subtract the sub-page remainder
    0040F6B0  mov eax,esp                      ; EAX -> saved ECX, return address
    0040F6B2  test dword ptr ds:[ecx],eax      ; reads the dword at [ecx]; flags not consumed below
    0040F6B4  mov esp,ecx                      ; switch to the lowered stack
    0040F6B6  mov ecx,dword ptr ds:[eax]       ; restore ECX
    0040F6B8  mov eax,dword ptr ds:[eax+4]     ; fetch the return address
    0040F6BB  push eax
    0040F6BC  ret                              ; return on the new stack

I am not sure what the test instruction achieves here. I am used to seeing a conditional jump right after it. But here there is a test, cmp and then a conditional jump and also a test followed by no jumps. Would it make any difference if the test instructions were omitted?
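To make the memory side of the two `test dword ptr [ecx],eax` instructions visible, here is an added C model that is not from the sample or the question: it walks the listed instruction sequence for a given entry ESP and EAX and records every address those `test` instructions read, along with the ESP the caller gets back. The function name `emulate_probe`, the entry ESP and the sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE 0x1000u

/* Addresses read by the two `test dword ptr [ecx],eax` instructions and the
   ESP the caller sees after `ret`. Constructed model, not a real execution. */
typedef struct { uint32_t touched[32]; size_t n; uint32_t esp_after_ret; } probe_trace;

/* Walk 0040F695..0040F6BC. esp_on_entry is ESP at `push ecx` (it points at the
   return address); eax is the byte count to reserve. Returns -1 if eax < PAGE:
   the listing has no entry check, so `sub eax,1000` would wrap and the loop
   would keep probing downward across ~1M pages. */
int emulate_probe(uint32_t esp_on_entry, uint32_t eax, probe_trace *t)
{
    uint32_t esp = esp_on_entry, ecx;
    t->n = 0;
    if (eax < PAGE) return -1;
    esp -= 4;                  /* push ecx                                      */
    ecx = esp + 8;             /* lea ecx,[esp+8]: caller's ESP before the call */
    do {                       /* 0040F69A                                      */
        ecx -= PAGE;           /* sub ecx,1000                                  */
        eax -= PAGE;           /* sub eax,1000                                  */
        if (t->n < 32)         /* test [ecx],eax: a 4-byte READ of [ecx];       */
            t->touched[t->n++] = ecx; /* the flags it sets die at the cmp      */
    } while (eax >= PAGE);     /* cmp eax,1000 / jae 40F69A                     */
    ecx -= eax;                /* sub ecx,eax: sub-page remainder               */
    /* mov eax,esp: EAX now points at [saved ecx][return address]               */
    if (t->n < 32)             /* test [ecx],eax: read of the final page;       */
        t->touched[t->n++] = ecx; /* these flags survive until after ret       */
    esp = ecx;                 /* mov esp,ecx: stack now below every probe      */
    /* mov ecx,[eax] / mov eax,[eax+4]: restore ECX, fetch the return address   */
    esp -= 4; esp += 4;        /* push eax / ret: net zero on ESP               */
    t->esp_after_ret = esp;
    return 0;
}

int main(void)
{
    probe_trace t;
    if (emulate_probe(0x0019FF00u, 0x2800u, &t) == 0) {
        for (size_t i = 0; i < t.n; i++) printf("test reads [%08X]\n", (unsigned)t.touched[i]);
        printf("caller ESP after ret: %08X\n", (unsigned)t.esp_after_ret);
    }
    return 0;
}
```

Running it for 0x2800 bytes shows one read per page stepped over plus one on the final, partial page, and a caller ESP lowered by exactly the requested size.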

  • 2
    It seems like a junk instruction here. The result of the first test is not used because of a cmp right after it, but there is still a (small) chance that the result of the second test is actually used later on after ret - it affected flags which were not overwritten afterwards. The first test is a junk instruction and so is the second most likely. Commented Nov 29, 2020 at 10:00
  • @bart1e Can this sort of instruction be used to put off decompilers? Commented Nov 29, 2020 at 11:42
  • Possibly, but I think that these esp manipulations confuse decompilers even more. Commented Nov 29, 2020 at 11:51
