IDA was found to be positive sp

Question

IDA was found to be positive sp

We have a DLL for which we lost the source, so I'm trying to figure out how this works with the IDA Dissembler. However, it seems to be a function that I cannot access because I am getting the following error:

Decompilation failure: 46AFAF: positive sp value has been found

Looking at the IDA website, he should say the following:

 The stack pointer at the specified address is higher than the initial stack pointer. Functions behaving so strangely can not be decompiled. If you see that the stack pointer values are incorrect, modify them with the Alt-K (Edit, Functions, Change stack pointer) command in IDA.

http://www.hex-rays.com/products/decompiler/manual/failures.shtml#04

Since I'm new to the entire demo scene, can someone provide more information on what causes the stack pointer to be higher than the start stack pointer, and whether it is fixed. thank you for your time

+7

disassembly ida

A dark divided gem Apr 15 '12 at 19:53

source share

1 answer

Willem hegeveld · Accepted Answer · 2012-04-16T14:01:20+0000

This usually happens when a function has multiple returns, and the ida does not understand this. The solution is to use alt-k to change the offset of the stack pointer back to the desired value.

Example with ARM code:

 .text:00012A10 MOV R0, #1 ; -0xd0 + 0 .text:00012A14 ADD SP, SP, #0xC8 ; -0xd0 + 0xc8 .text:00012A18 LDMFD SP!, {R4,PC} ; -0x08 - 0xc8 <<< modified .text:00012A1C ; --------------------------------------------------------------------------- .text:00012A1C .text:00012A1C loc_12A1C ; CODE XREF: sub_129E4+20j .text:00012A1C MOV R3, #0 ; -0xd0 + 0

In the comments, I wrote the alt-k values. At 0x12A18, sp correction was corrected back to -0xd0

IDA was found to be positive sp

More articles: