Understanding switch statements in C

November 5, 2019 by Srinivas

The switch statement dispatches execution to different parts of the code based on the value of an expression. It is a code construct used in programming to make a decision based on a character or integer. Lengthy “if” statements that compare integral values against a variable are often replaced by a switch statement.

When reverse-engineering a malicious binary, being able to identify switch statements is useful for most malware classes. For instance, malware with keylogger functionality most likely uses a switch statement to handle special keys such as SHIFT on the keyboard.

In this article, we will discuss how switch statements can be spotted when reversing a binary.

Switch statements

The code snippet below shows how switch statements are used in the C programming language.

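#include <stdio.h>

int main(void)
{
    int i = 3;

    /* Execution jumps to the case label that matches the value of i */
    switch (i)
    {
        case 1: printf("Value is 1\n");
                break;  /* break prevents fall-through into the next case */
        case 2: printf("Value is 2\n");
                break;
        case 3: printf("Value is 3\n");
                break;
        default: printf("Value out of range\n");
    }

    return 0;
}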

The integer variable named “i” is declared and initialized with the value 3 to keep the example simple. This value is passed to the switch statement, and the statements inside the matching case are executed. The text “Value is 3” is printed when this code is compiled and run.

When the code is compiled and the binary is opened in a debugger (OllyDbg in this case), the following disassembly results.





CALL switch.00401610
MOV DWORD PTR SS:[ESP+1C],3
CMP DWORD PTR SS:[ESP+1C],2
JE SHORT switch.00401549
CMP DWORD PTR SS:[ESP+1C],3
JE SHORT switch.00401557
CMP DWORD PTR SS:[ESP+1C],1
JNZ SHORT switch.00401565
MOV DWORD PTR SS:[ESP],switch.00404000   ; ASCII "Value is 1"
CALL <JMP.&msvcrt.puts>                  ; puts
JMP SHORT switch.00401571
MOV DWORD PTR SS:[ESP],switch.0040400B   ; ASCII "Value is 2"
CALL <JMP.&msvcrt.puts>                  ; puts
JMP SHORT switch.00401571
MOV DWORD PTR SS:[ESP],switch.00404016   ; ASCII "Value is 3"
CALL <JMP.&msvcrt.puts>                  ; puts
JMP SHORT switch.00401571
MOV DWORD PTR SS:[ESP],switch.00404021   ; ASCII "Value out of range"
CALL <JMP.&msvcrt.puts>                  ; puts




The code above shows how the switch statement works in assembly. First, the following instruction initializes the local variable “i” by storing its value on the stack.

MOV DWORD PTR SS:[ESP+1C],3

The figure below shows the stack after the instruction is executed. 

As we can see, the value 3 is stored on the stack and is referenced by [ESP+1C]; 1C in hex is 28 in decimal. This value will be checked against the case values in the next few instructions, as shown below.

CMP DWORD PTR SS:[ESP+1C],2
JE SHORT switch.00401549

The code above compares the value stored on the stack with the case value 2. If the two values are equal, JE takes the jump. Here the values are not the same, so the jump is not taken and the next instructions are executed, as shown below.

CMP DWORD PTR SS:[ESP+1C],3
JE SHORT switch.00401557

The comparison is done against case value 3 and the values being compared will be equal. The zero flag will be set to 1 after the CMP instruction is executed. This is shown below.

Since the zero flag is set to 1, the JE instruction takes the jump and case 3 is executed, as shown below.

MOV DWORD PTR SS:[ESP],switch.00404016   ; ASCII "Value is 3"
CALL <JMP.&msvcrt.puts>                  ; puts

(Note: This is an overview of assembly instructions and their respective addresses)


Identifying switch statements is important when analyzing executables because they allow a value to transfer control of execution. However, code with switch statements produces multiple CMP and JXX instructions, which may look like a sequence of “if” statements. Identifying these instructions as a switch is difficult without access to the source code. A debugger like OllyDbg helps in making this determination by providing the assembly code where source code is unavailable.
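
The pattern walked through above, repeated CMP instructions against the same stack slot with each followed by a conditional jump, can be searched for mechanically in a copied listing. The following Python script is an added example, not part of the original article; the function name find_compare_chains and the min_cases threshold are assumptions, and because a chain of "if"/"else if" tests on one variable produces the same pattern, its results are candidates to confirm by hand.

```python
import re

# Compare chain copied from the article's OllyDbg listing (comments dropped).
LISTING = """\
MOV DWORD PTR SS:[ESP+1C],3
CMP DWORD PTR SS:[ESP+1C],2
JE SHORT switch.00401549
CMP DWORD PTR SS:[ESP+1C],3
JE SHORT switch.00401557
CMP DWORD PTR SS:[ESP+1C],1
JNZ SHORT switch.00401565
MOV DWORD PTR SS:[ESP],switch.00404000
CALL <JMP.&msvcrt.puts>
JMP SHORT switch.00401571
"""

CMP_RE = re.compile(r"^CMP\s+(.+),\s*([0-9A-Fa-f]+)$")       # CMP <operand>,<hex imm>
JCC_RE = re.compile(r"^(JE|JZ|JNE|JNZ)\s+(?:SHORT\s+)?(\S+)$")


def find_compare_chains(listing, min_cases=3):
    """Return [(operand, [(case_value, jump, target), ...])] for each run of
    adjacent CMP/Jcc pairs that test the same operand at least min_cases times."""
    lines = [l.split(";")[0].strip() for l in listing.splitlines() if l.strip()]
    chains, operand, cases = [], None, []
    def flush():
        if operand is not None and len(cases) >= min_cases:
            chains.append((operand, list(cases)))
    i = 0
    while i < len(lines):
        cmp_m = CMP_RE.match(lines[i])
        jcc_m = JCC_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if cmp_m and jcc_m:
            if cmp_m.group(1) != operand:    # different variable: new chain
                flush()
                operand, cases = cmp_m.group(1), []
            cases.append((int(cmp_m.group(2), 16), jcc_m.group(1), jcc_m.group(2)))
            i += 2
        else:                                # any other instruction ends the chain
            flush()
            operand, cases = None, []
            i += 1
    flush()
    return chains


if __name__ == "__main__":
    for operand, cases in find_compare_chains(LISTING):
        print("switch candidate on", operand, "cases:", [c[0] for c in cases])
```

Run on the article's listing, it reports one candidate on DWORD PTR SS:[ESP+1C] with case values 2, 3 and 1, in the order the compiler emitted the comparisons.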




Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification.