Will this call be executed in assembly?

Time:08-21

Am I correct to assume that the call to 18222E214 will never be executed?

sub     rsp, 28h
mov     byte ptr [rsp+27h], 0
mov     al, [rsp+27h]
test    al, 1
jz      short loc_182C60C26
call    loc_18222E214

This is from an obfuscated library I'm analyzing.

Update

Later on in the flow there are just multiple instructions:

mov     dword ptr [rsp+20h], 7D9EAD41h
mov     eax, [rsp+20h]
mov     dword ptr [rsp+20h], 4071AA37h
mov     eax, [rsp+20h]
nop
mov     dword ptr [rsp+20h], 0D6C6C2CDh
mov     eax, [rsp+20h]
// so on and so forth

Feels just like a dead store.

CodePudding user response:

It shouldn't be. You're loading the value 0 into the al register. test al,1 sets the Sign, Zero, and Parity flags as though an and instruction had been executed. If you do an and al,1 when al contains 0, the Zero flag is set.

In your example, the Zero flag will be set by the test instruction, so the short jump will be taken and the call instruction following the jz will not be executed.

Update

Since you edited your question to say that it looks like the branch is being taken, then it's likely that there's something you didn't catch. Possibilities:

  • There's some code that branches to one of the instructions that follows the mov al, [rsp+27h] instruction.
  • Some multi-threading code moves some value into [rsp+27h] after you put 0 in there, but before you load al.
  • Some other thread is calling loc_18222E214.
  • Some other scenario that I haven't thought of.

Can't solve your problem without more information.
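
The reasoning in the answer above, as an added example (not code from the original post): a small Python constant propagator that resolves the jz in the question's listing. It assumes straight-line, single-threaded execution with no other entry into the block, which are the exceptions the answer's update lists; resolve_jz and parse_imm are hypothetical helper names.

```python
import re

# Constructed input: the question's listing with the '+' in each operand restored.
SNIPPET = """\
sub     rsp, 28h
mov     byte ptr [rsp+27h], 0
mov     al, [rsp+27h]
test    al, 1
jz      short loc_182C60C26
call    loc_18222E214
"""

def parse_imm(tok):
    """IDA-style immediate ('0', '28h', '0D6C6C2CDh') -> int, else None."""
    m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h|([0-9]+)", tok)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))

def resolve_jz(listing):
    """Return 'always', 'never' or 'unknown' for the first jz in the listing."""
    known, zf = {}, None          # operand text -> constant; zf None = not known
    def value(op):
        imm = parse_imm(op)
        return known.get(op) if imm is None else imm
    for line in listing.strip().splitlines():
        mnem, _, rest = line.strip().partition(" ")
        ops = [re.sub(r"\b(byte|word|dword|qword) ptr\b", "", o).strip()
               for o in rest.split(",")] if rest.strip() else []
        if mnem == "mov":
            dst, val = ops[0], value(ops[1])
            # A write may alias other operands of the same kind (al/eax,
            # overlapping slots), so forget them before recording dst.
            is_mem = dst.startswith("[")
            known = {k: v for k, v in known.items() if k.startswith("[") != is_mem}
            if val is not None:
                known[dst] = val   # assumes load width == store width
        elif mnem == "test":
            a, b = value(ops[0]), value(ops[1])
            zf = None if a is None or b is None else (a & b) == 0
        elif mnem == "jz":
            return "unknown" if zf is None else ("always" if zf else "never")
        elif mnem != "nop":
            # Labels (possible branch targets), calls, stack adjustments and
            # anything else unmodeled: drop all facts rather than guess.
            known, zf = {}, None
    return "unknown"
```

A result of "always" means the call after the jz is unreachable by fall-through only; a label between the store and the test makes the result "unknown", matching the answer's first caveat.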
