
I am trying to reverse engineer a DLL file, but I am getting this warning when it's loaded:

(screenshot: warning message)

Also, on some of the functions an error appears, "sp analysis failed", like in this picture:

(screenshot: error message)

Is it possible to get code from that function?

Once in pseudocode, there is only ";" inside the function. The parameters do match.

http://i.imgur.com/0Y2ccpx.png

Asked by Conrad; edited by perror.
  • Not enough information regarding the stack. Open IDA, go to Options --> General, and enable the stack pointer checkbox. You will see the stack pointer value on each instruction of the function. This will allow you to see where exactly there is a problem. – w s Sep 10 '14 at 05:42
  • @ws i.imgur.com/0Y2ccpx.png I am not too sure what is causing this error. I've been trying to do what IDA is saying, but might have done it wrong. hex-rays.com/products/ida/support/idadoc/1368.shtml – Conrad Sep 10 '14 at 06:00
  • As I see now, this is an obfuscated function (which means it is not standard assembly generated by a compiler directly; this code was transformed). AFAIK IDA doesn't handle such kinds of things well. You can try this: http://opticode.coseinc.com/ to deobfuscate the code. – w s Sep 10 '14 at 06:20
  • @ws I've been trying to put bits of code in there, but it keeps giving me errors, especially on "arg_8 = dword ptr 0Ch" and the declaration of DllEntryPoint. Will this help? https://www.dropbox.com/s/8yjjitd98aa7zrn/RGSS301%201080p.asm?dl=0 – Conrad Sep 10 '14 at 08:28
  • @ws I also have not modified the file at all. It was all purely generated. – Conrad Sep 10 '14 at 08:30
  • See http://reverseengineering.stackexchange.com/questions/72/unpacking-binaries – Jason Geffner Sep 10 '14 at 13:55
  • "arg_8 = dword ptr 0Ch" means [ebp+0c]; simply add 0xC to what IDA shows, i.e. if it shows [ESP+XX+arg_8], make it [esp+XX+0c]. Are you trying to recompile the asm file? It is incomplete output: several calls/subs and the code at jump locations are missing in the asm file. arg_8 is fdwReason, which can be ProcessAttach etc.; on process attach it is setting up an exception handler (incomplete asm), on other reasons it returns TRUE back. – blabb Sep 11 '14 at 19:48
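A toy version of the stack-pointer bookkeeping that w s suggests switching on, added here as an illustration (it is not code from this thread, from IDA or from Hex-Rays): it walks an IDA-style listing, tracks the ESP delta along every path, and reports any label that two paths reach with different deltas, which is the condition behind "sp analysis failed". It also resolves an `[esp+XX+arg_8]` operand to a flat offset the way blabb describes, taking `arg_8 = dword ptr 0Ch` from the thread. The listing, the `PURGED` table, the `handler`/`sub_401100` names and the arg_0/arg_4 offsets are constructed assumptions; IDA's real analysis understands far more instruction forms than this.

```python
import re

# Constructed sample listing (not the DLL from the question): IDA-style
# 32-bit x86 for a hypothetical function. The 'add esp, 8' on the second
# path is wrong on purpose (only 4 bytes were pushed before the call), so
# the two edges into loc_ret arrive with different stack deltas.
SAMPLE_LISTING = """
sub_401000:
    push    ebp
    mov     ebp, esp
    push    esi
    push    edi
    cmp     [ebp+arg_4], 1
    jnz     short loc_401020
    push    offset handler
    call    SetUnhandledExceptionFilter  ; stdcall: callee pops 4 bytes
    jmp     short loc_ret
loc_401020:
    push    eax
    call    sub_401100                   ; assumed cdecl: caller must pop 4
    add     esp, 8                       ; constructed bug: pops 8
loc_ret:
    pop     edi
    pop     esi
    pop     ebp
    retn
"""

# Bytes a callee removes from the stack on return ("purged bytes").
# SetUnhandledExceptionFilter is stdcall with one pointer argument (4);
# sub_401100 is a constructed cdecl routine, so it is not listed (0).
PURGED = {"SetUnhandledExceptionFilter": 4}

# Offsets as declared in an esp-based IDA frame header. Only
# 'arg_8 = dword ptr 0Ch' comes from the thread; arg_0/arg_4 follow the
# same 4-byte pattern (assumption).
ARG_OFFSETS = {"arg_0": 0x4, "arg_4": 0x8, "arg_8": 0xC}

COND_JUMPS = {"jz", "jnz", "je", "jne", "ja", "jb", "jae", "jbe",
              "jg", "jl", "jge", "jle", "js", "jns"}


def parse_imm(text):
    """Parse an IDA-style immediate such as 8, 0Ch, 10h or 0x10."""
    t = text.strip().lower()
    return int(t[:-1], 16) if t.endswith("h") else int(t, 0)


def parse_listing(text):
    """Return [(label_or_None, mnemonic, operand_string), ...]."""
    insns, label = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.endswith(":"):                    # label applies to next insn
            label = line[:-1]
            continue
        mnem, _, ops = line.partition(" ")
        insns.append((label, mnem.lower(), ops.strip()))
        label = None
    return insns


def sp_effect(mnem, ops):
    """Net change of ESP (bytes) produced by one instruction."""
    if mnem == "push":
        return -4
    if mnem == "pop":
        return 4
    if mnem in ("add", "sub") and ops.lower().startswith("esp"):
        n = parse_imm(ops.split(",", 1)[1])
        return n if mnem == "add" else -n
    if mnem == "call":                            # push/ret cancel out,
        return PURGED.get(ops.split()[-1], 0)     # plus callee cleanup
    return 0


def analyze_sp(listing):
    """Propagate the ESP delta along the control-flow graph.

    Returns (deltas, conflicts). deltas[i] is the delta on entry to
    instruction i; conflicts holds (label, delta_a, delta_b) for every
    instruction reached by two paths with different deltas, which is the
    situation IDA reports as "sp analysis failed".
    """
    insns = parse_listing(listing)
    targets = {lbl: i for i, (lbl, _, _) in enumerate(insns) if lbl}
    deltas, conflicts, work = {}, [], [(0, 0)]
    while work:
        i, delta = work.pop()
        if i >= len(insns):
            continue
        if i in deltas:                            # join point: must agree
            if deltas[i] != delta:
                conflicts.append((insns[i][0] or f"insn_{i}", deltas[i], delta))
            continue
        deltas[i] = delta
        _, mnem, ops = insns[i]
        out = delta + sp_effect(mnem, ops)
        if mnem in ("retn", "ret"):
            continue
        if mnem == "jmp" or mnem in COND_JUMPS:
            work.append((targets[ops.split()[-1]], out))
        if mnem != "jmp":                          # fall-through edge
            work.append((i + 1, out))
    return deltas, conflicts


def resolve_esp_operand(operand, arg_offsets=ARG_OFFSETS):
    """Rewrite '[esp+XX+arg_N]' as a plain byte offset from ESP by
    substituting arg_N with its declared value and summing the terms."""
    m = re.fullmatch(r"\[\s*esp\s*\+(.+?)\s*\]", operand.strip(), re.I)
    if not m:
        raise ValueError("not an esp-relative operand: " + operand)
    return sum(arg_offsets[t.strip()] if t.strip() in arg_offsets
               else parse_imm(t) for t in m.group(1).split("+"))


if __name__ == "__main__":
    _, bad = analyze_sp(SAMPLE_LISTING)
    for label, a, b in bad:
        print(f"sp conflict at {label}: {a:#x} vs {b:#x}")
    print(hex(resolve_esp_operand("[esp+10h+arg_8]")))
```

On a real function a conflict like the one this reports at `loc_ret` usually has one of two causes: a call whose purged-byte count the analyser misjudged (correctable by telling IDA the right SP delta at that instruction), or, as in the obfuscated case w s mentions, code that was transformed so that no consistent stack discipline can be recovered statically, in which case the decompiler has nothing sound to work from and emits the empty body the question describes.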
