Switch¶
The switch-case is a common construct in compiled code, and IDA is doing a great job at analyzing it.
>>> switch = sark.Switch(idc.here())
>>> for case, target in switch:
... print("{} -> 0x{:08X}".format(case, target))
0 -> 0x004224C9
1 -> 0x0042249F
2 -> 0x0042251B
3 -> 0x0042251B
4 -> 0x00422475
5 -> 0x0042251B
6 -> 0x0042251B
7 -> 0x0042251B
8 -> 0x004224F3
9 -> 0x0042251B
10 -> 0x0042251B
11 -> 0x00422448
It provides the following members
| Member | Usage |
|---|---|
| targets | switch target addresses |
| cases | switch case values |
| pairs | iterator of (case, target) pairs |
| get_cases | get the cases matching a target |
The sark.Switch object is similar to a Python dict, mapping
cases to targets. switch[case] returns the relevant target, and
iteration returning the cases.
Getting Switches¶
To check if an address is a switch address, use sark.is_switch(ea).
To get the switch, use sark.Switch(ea).