While trying to reverse engineer a "crackme" binary, I stumbled upon a function that starts like this:

mov ecx, [esp+4]        ; ecx = first stack argument (the string pointer)
test ecx, 3             ; AND the pointer value with 0b11, set flags, discard result
jz short loc_106A9F0    ; branch if both low bits of the pointer are zero

The first argument for the function (which is MOV'd to ECX in the first line of the function) is a pointer to a string. If I understand correctly, the next line performs the TEST operation with one operand being a memory address and the other being a constant. I was wondering why a program might do that, considering the fact that the memory address itself should be irrelevant.
In short, I'm wondering why a program would TEST a pointer against a non-zero constant.

Sep Roland
OreOS

1 Answer


It's checking for 4-byte alignment of the pointer, i.e. for both of the low 2 bits being zero, so p % 4 == 0.

That's something you might do at the start of an optimized strlen or similar function that reads memory more than one byte at a time; see Is it safe to read past the end of a buffer within the same page on x86 and x64?

Or it could be for a tagged-pointer thing where you use the low 2 bits of an int * for something else, because a real int * will always have 2 zero bits at the bottom (on a byte-addressable machine like x86, in a C implementation with alignof(int) == 4). You clear them before dereferencing the pointer, or extract them to get at the extra data. It might be plausible to be branching on them being both clear.

Peter Cordes