0

In IDA when disassembling a x86 EXE file there is a line

test byte ptr [ebp+XXX], cl

Before this line cl has a value of 0x11

The Hex-Rays decompiler plugin translates it as if (v10 &0x11).

Why is test decompiled like and?

Improve this question
2
  • 1
    It seems likely you are referring to the Hex-Rays decompiler. This integrates very well with IDA and is by the same company. However, they are separate products and you can use IDA without a decompiler. It might be worth updating your question.
    – David
    Commented Mar 4, 2019 at 19:00
  • 1
    did you ever read the test instruction's manual, or at least google for x86 test instruction?
    – phuclv
    Commented Mar 5, 2019 at 0:21

1 Answer 1

Reset to default
6

test is basically an and instruction except it doesn't update the left operand. In the other hand, cmp is the equivalent of sub instruction except it doesn't update the left operand.

To sum up:

if (v & n)

Is compiled as test instruction.

if (v == n)

Is compiled as cmp instruction (or test reg, reg is n is 0x0)

v = a & n

Is compiled as and instruction.

Improve this answer
0

Not the answer you're looking for? Browse other questions tagged or ask your own question.