
IDA HEX-Rays ERROR: POSITIVE SP VALUE FOUND

Topic created on: November 5, 2008 10:49 CST by scar99 .

hi,
I use IDA Pro with Hex-Rays to create some pseudocode, and the .exe I debug is quite big ;).

HEX-Rays throws: POSITIVE SP VALUE FOUND
.text:004561E3 loc_4561E3:
.text:004561E3 mov     ecx, [ebp+var_C]
.text:004561E6 pop     edi
.text:004561E7 pop     esi
.text:004561E8 mov     large fs:0, ecx
.text:004561EF pop     ebx
.text:004561F0 leave
.text:004561F1 retn //error:  POSITIVE SP VALUE FOUND
.text:004561F1 sub_455DB4 endp ; sp-analysis
esp points to: 0012FC3C dd    45B84Bh ; .text:loc_45B84B

My question: what could I do to create pseudocode from Hex-Rays without the error? Why would an .exe create such "bad" code? Scrambler? Packer?
PEiD and Co. say:
Microsoft Visual C++ 6.0 [Debug]
.exe is a MFC APPLICATION


Thanks guys.

  thierryzoller     November 5, 2008 19:59.05 CST

  ZuTLe     November 6, 2008 06:32.45 CST
> scar99:
> .text:004561F1 retn //error:  POSITIVE SP VALUE FOUND
> .text:004561F1 sub_455DB4 endp ; sp-analysis
> esp points to: 0012FC3C dd    45B84Bh ; .text:loc_45B84B
>
> my question: what could I do to create a pseudocode from hex-rays, without error?

The clue is that the disassembly will have to be perfect in order for the decompiler to work. IDA keeps track of the stack pointer at all times throughout the disasm, and in this case my guess is that IDA says "sp-analysis failed" just after the 'endp' (did you leave "failed" out of your listing?)

You will need to help IDA make a perfect disasm, or just read the disasm instead of the pseudocode :)

> why would an .exe create such "bad" code? scrambler - packer?

It's not bad when it works, ey?

My guess is that this is compiler generated code. Things can get a bit tricky when the compiler modifies the stack frame, which is what happens with exception handling.

If you look at the start of this function, you might see a call to __EH_prologue (that registers a CxxFrameHandler).

Since I can't predict what your function did at the beginning, this is just a guess...

.text:004561E3 mov     ecx, [ebp+var_C] ; ecx = NEXT_SEH_FRAME
.text:004561E6 pop     edi
.text:004561E7 pop     esi
.text:004561E8 mov     large fs:0, ecx ; fs[0] = NEXT_SEH_FRAME  (restore SEH the way it was before this function was called)


You should really consider reading this great article by igorsk (see "C++ Exception Model Implementation").

btw.. don't expect to decompile packed code any time soon ^^
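To make the mechanism ZuTLe describes concrete, here is an added example (not from the thread, and not IDA or Hex-Rays code): a small Python model of a VC6-style function that enters through __EH_prolog and leaves through exactly the epilogue quoted above, tracking the esp delta before every instruction the way IDA's sp-analysis does. The __EH_prolog body is reproduced from memory of the VC CRT and should be treated as an assumption, as are the addresses, the `ehhandler` symbol, the `sub esp, 10h` local allocation and the `sub_X` name.

```python
# Added example, not from the thread. Addresses and symbol names are constructed;
# the __EH_prolog body is reproduced from memory of the VC CRT and is an assumption.
ENTRY_ESP, CALLER_RETURN, CALLER_EBP = 0x0012FF00, 0x00401234, 0x0012FF40
FS0_BEFORE, HELPER_RETURN = 0x0012FFE0, 0x00456000  # previous fs:0; return address of the call
SYMBOLS = {"ehhandler": 0x00457000}                  # target of "offset ehhandler"
CALLER = """
    mov     eax, offset ehhandler
    call    __EH_prolog
    sub     esp, 10h
    push    ebx
    push    esi
    push    edi
    mov     ecx, [ebp-0Ch]      ; var_C: the previous SEH frame saved by __EH_prolog
    pop     edi
    pop     esi
    mov     large fs:0, ecx     ; unlink our record, restore the previous one
    pop     ebx
    leave
    retn
"""
ROUTINES = {"__EH_prolog": """
    push    0FFFFFFFFh          ; trylevel
    push    eax                 ; handler, passed in eax
    mov     eax, large fs:0
    push    eax                 ; previous record -> becomes var_C
    mov     eax, [esp+0Ch]      ; our return address
    mov     large fs:0, esp     ; link the new record
    mov     [esp+0Ch], ebp      ; reuse that slot as the saved ebp ...
    lea     ebp, [esp+0Ch]      ; ... and point ebp at it: push ebp / mov ebp, esp in effect
    push    eax
    retn
"""}

def imm(tok):  # 10h, 0FFFFFFFFh, 4, -0Ch, or "offset sym"
    if tok.startswith("offset "):
        return SYMBOLS[tok[7:]]
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)

class Cpu:
    def __init__(self):  # registers and memory share one store: names and dword addresses
        self.s = {"esp": ENTRY_ESP, "ebp": CALLER_EBP, "large fs:0": FS0_BEFORE, "eax": 0,
                  "ecx": 0, "ebx": 0, "esi": 0, "edi": 0, ENTRY_ESP: CALLER_RETURN}
        self.trace = []  # (routine, text, esp delta, fs:0) logged before each instruction

    def loc(self, op):  # storage key for an operand: a register name or a memory address
        if op in self.s:
            return op
        base, off = op.strip("[]").replace("-", "+-").split("+")  # [ebp-0Ch] -> ebp, -0Ch
        return self.s[base] + imm(off)
    def read(self, op):
        return self.s.get(self.loc(op), 0) if op in self.s or op[0] == "[" else imm(op)
    def write(self, op, v):
        self.s[self.loc(op)] = v & 0xFFFFFFFF
    def push(self, v):
        self.s["esp"] -= 4
        self.write("[esp+0]", v)
    def pop(self):
        self.s["esp"] += 4
        return self.read("[esp-4]")

    def step(self, text):
        mn, _, rest = text.partition(" ")
        o = [x.strip() for x in rest.split(",")] if rest else []
        if mn == "push":
            self.push(self.read(o[0]))
        elif mn == "pop":
            self.write(o[0], self.pop())
        elif mn in ("mov", "lea"):
            self.write(o[0], self.read(o[1]) if mn == "mov" else self.loc(o[1]))
        elif mn == "sub":
            self.write(o[0], self.read(o[0]) - self.read(o[1]))
        elif mn == "leave":  # mov esp, ebp / pop ebp
            self.s["esp"] = self.s["ebp"]
            self.s["ebp"] = self.pop()
        elif mn == "call":  # run the helper inline, as the CPU would
            self.push(HELPER_RETURN)
            self.run(ROUTINES[o[0]], o[0])
        elif mn == "retn":
            return self.pop()
        else:
            raise ValueError("unsupported: " + text)

    def run(self, listing, name):  # log the esp delta before each instruction (IDA's sp column)
        for line in listing.splitlines():
            text = " ".join(line.split(";")[0].split())
            if text:
                self.trace.append((name, text, self.s["esp"] - ENTRY_ESP, self.s["large fs:0"]))
                ret = self.step(text)
                if ret is not None:
                    return ret

def simulate():
    cpu = Cpu()
    returned_to = cpu.run(CALLER, "sub_X")
    rows = {t: (d, f) for n, t, d, f in cpu.trace if n == "sub_X"}
    record = rows["sub esp, 10h"][1]  # the EXCEPTION_REGISTRATION_RECORD __EH_prolog linked
    return {"returned_to": returned_to, "sp_delta_after_eh_prolog": rows["sub esp, 10h"][0],
            "sp_delta_at_retn": rows["retn"][0],  # must be 0, or IDA complains at the retn
            "record_prev": cpu.s[record], "record_handler": cpu.s[record + 4],
            "var_c": cpu.s["ecx"],  # what `mov ecx, [ebp+var_C]` fetched
            "fs0_restored": cpu.s["large fs:0"] == FS0_BEFORE,
            "ebp_restored": cpu.s["ebp"] == CALLER_EBP, "trace": cpu.trace}
```

Calling simulate() returns the per-instruction trace together with the checks: the delta is -16 right after the call returns (three pushed dwords plus the saved ebp, none of them visible in the caller's own instructions), [ebp-0Ch] holds the previous fs:0 that the epilogue writes back, and the delta at retn is 0 only because leave resets esp from the ebp that __EH_prolog set up. A tracker that treats call __EH_prolog as a plain call with no stack effect cannot account for those 16 bytes or for ebp, which is the sense in which the disassembly has to be right before the decompiler can work.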
