View Full Version : IDA - SP-Analysis

June 15th, 2009, 15:13
Hi guys,

Recently I installed the Hex-Rays Decompiler plugin to give it a try. I, then, downloaded a crackMe to try and use it.

It decompiles every function correctly except one, and displays the error: #error "401252: invalid basic block (funcsize=64)"

so i looked here for more information: http://www.hex-rays.com/manual/failures.shtml#03 but I don't know what to do with the function tails nor what what to modify in the function boundaries.

The function terminates in this way:

.text:00401252 jmp loc_401126
.text:00401252 sub_401177 endp
.text:00401257 pop edi
.text:00401258 pop esi
.text:00401259 pop ebx
.text:0040125A leave
.text:0040125B retn 4

I placed the endp on 0040125B but to no avail. I then noticed that in the function above this one there's also an error "sub_401112 endp ; sp-analysis failed" but this functions is decompiled correctly.

Nevertheless I looked here: http://www.openrce.org/forums/posts/848 and the author said he solved the problem by changing the sp pointer. So I tried to change it too, but I wasn't sure to what should I change it, I tried a few values but failed.

Hope you can help. Thanks!

UPDATE: I was able to solve the sp-analysis by checking the function as "does not return", however I still get the "invalid basic block".

June 16th, 2009, 05:32
can you give me a link to the crack me ? i think i may help ...

June 16th, 2009, 10:19
Thanks for your availability, I've put the crack me on sendspace: http://www.sendspace.com/file/htnjip

The crack me is pretty straight-forward, no fancy stuff, I am really just trying to use Hex-Rays Decompiler.


June 20th, 2009, 10:41

Had any luck with it?

June 20th, 2009, 12:53
IDA has analyzed functions wrongly.

Take the function, and the one above it (both the 401112 and 401177) and DELETE THEM.

Then, mark the area from 401112 upto 40125B and then CREATE a function.

Your F5 should now work OK. However, note that it will NOT Decomplie everything. That I think you can figure it out why

Note that just because IDA identified a block of code as a function, does not mean it is. 'Interactive' is the word, eh?

Have Phun

June 22nd, 2009, 08:32
Thanks aimless! Yeah you're right =p I've never been an IDA hardcore user, didn't about that