Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-18-2019, 01:58
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 73 Times in 38 Posts
Stingered Reputation: 2
IDA Pro 7.0 error when hitting F5 key during analysis

I'm decompiling a 1mb EXE and it seems that autoanalysis is complete, however, I'm getting this error message after hitting F5 key:

See image HERE.

A bug or feature?



-thx
Reply With Quote
  #2  
Old 01-18-2019, 02:43
tonyweb tonyweb is offline
Family
 
Join Date: Jan 2009
Posts: 139
Rept. Given: 163
Rept. Rcvd 86 Times in 31 Posts
Thanks Given: 1,158
Thanks Rcvd at 167 Times in 84 Posts
tonyweb Reputation: 86
The message in the screenshot just suggests you to wait for code analysis to finish before asking for the decompiler services.
Just wait till analysis finishes (traffic light becomes green), then press again F5, simple

Is the autoanalysis completed? I would have made a larger screenshot ... so to see also the analysis indicator and/or the log.

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid
Reply With Quote
The Following User Says Thank You to tonyweb For This Useful Post:
niculaita (01-18-2019)
  #3  
Old 01-18-2019, 04:48
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 73 Times in 38 Posts
Stingered Reputation: 2
Quote:
Originally Posted by tonyweb View Post
The message in the screenshot just suggests you to wait for code analysis to finish before asking for the decompiler services.
Just wait till analysis finishes (traffic light becomes green), then press again F5, simple

Is the autoanalysis completed? I would have made a larger screenshot ... so to see also the analysis indicator and/or the log.

Regards,
Tony
Thanks, and yes IDA is still "thinking", but seems to be taking a very, long time (hours). The log does not show analysis complete.
Reply With Quote
  #4  
Old 01-18-2019, 04:52
deepzero's Avatar
deepzero deepzero is online now
VIP
 
Join Date: Mar 2010
Location: Europe
Posts: 218
Rept. Given: 99
Rept. Rcvd 60 Times in 38 Posts
Thanks Given: 83
Thanks Rcvd at 95 Times in 50 Posts
deepzero Reputation: 60
can you share the file?
Reply With Quote
  #5  
Old 01-18-2019, 05:14
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 73 Times in 38 Posts
Stingered Reputation: 2
Quote:
Originally Posted by deepzero View Post
can you share the file?
D/L HERE
Reply With Quote
  #6  
Old 01-18-2019, 11:40
computerline computerline is offline
Friend
 
Join Date: Jun 2014
Posts: 71
Rept. Given: 40
Rept. Rcvd 27 Times in 11 Posts
Thanks Given: 100
Thanks Rcvd at 106 Times in 44 Posts
computerline Reputation: 27
Quote:
Originally Posted by Stingered View Post
D/L HERE
Code:
.text:0000000140507E60                             ;   try {
.text:0000000140507E60 18                                          db  18h
.text:0000000140507E61 B9                                          db 0B9h ; ¹
.text:0000000140507E62 04                                          db    4
.text:0000000140507E63 00                                          db    0
.text:0000000140507E64 0F                                          db  0Fh                 ; CODE XREF: sub_140507780+6BA↑j
.text:0000000140507E64                                                                     ; sub_140507780+6C4↑j ...
.text:0000000140507E64                             ;   } // starts at 140507E60
.text:0000000140507E65                             ; ---------------------------------------------------------------------------
.text:0000000140507E65 0B 90 90 90 90 90                           or      edx, [rax-6F6F6F70h]
.text:0000000140507E65
.text:0000000140507E65                             ; ---------------------------------------------------------------------------
.text:0000000140507E6B 90                                          db  90h
.text:0000000140507E6C 90                                          db  90h
.text:0000000140507E6D 90                                          db  90h
.text:0000000140507E6E 90                                          db  90h
IDA 7.0 Analysis loop at address 0x140507E65, don't known why, but seem it IDA bug, or there some anti analysis in the binary, I see many nop, maybe it make IDA analysis confuse.

Anyway, you could stop the analysis by click the yellow cycle on top toolbar and continue your work.

I tried IDA 6.8 and doen't got problem.

Last edited by computerline; 01-18-2019 at 11:50.
Reply With Quote
The Following 3 Users Say Thank You to computerline For This Useful Post:
kienmanowar (01-18-2019), Stingered (01-18-2019), tonyweb (01-18-2019)
  #7  
Old 01-18-2019, 11:50
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 73 Times in 38 Posts
Stingered Reputation: 2
Thumbs up

Quote:
Originally Posted by Stingered View Post
D/L HERE
Quote:
Originally Posted by computerline View Post
Code:
.text:0000000140507E60                             ;   try {
.text:0000000140507E60 18                                          db  18h
.text:0000000140507E61 B9                                          db 0B9h ; ¹
.text:0000000140507E62 04                                          db    4
.text:0000000140507E63 00                                          db    0
.text:0000000140507E64 0F                                          db  0Fh                 ; CODE XREF: sub_140507780+6BA↑j
.text:0000000140507E64                                                                     ; sub_140507780+6C4↑j ...
.text:0000000140507E64                             ;   } // starts at 140507E60
.text:0000000140507E65                             ; ---------------------------------------------------------------------------
.text:0000000140507E65 0B 90 90 90 90 90                           or      edx, [rax-6F6F6F70h]
.text:0000000140507E65
.text:0000000140507E65                             ; ---------------------------------------------------------------------------
.text:0000000140507E6B 90                                          db  90h
.text:0000000140507E6C 90                                          db  90h
.text:0000000140507E6D 90                                          db  90h
.text:0000000140507E6E 90                                          db  90h
IDA Analysis loop at address 0x140507E65, don't known why, but seem it IDA bug, or there some anti analysis in the binary, I see many nop, maybe it make IDA analysis confuse.

Anyway, you could stop the analysis by click the yellow cycle on top toolbar and continue your work.
Thanks for review! I think it may be a bug and why I posted. Unfortunately, I don't have later release of IDA, but yes I can pause the analysis and go from there.
Reply With Quote
  #8  
Old 01-18-2019, 16:41
deepzero's Avatar
deepzero deepzero is online now
VIP
 
Join Date: Mar 2010
Location: Europe
Posts: 218
Rept. Given: 99
Rept. Rcvd 60 Times in 38 Posts
Thanks Given: 83
Thanks Rcvd at 95 Times in 50 Posts
deepzero Reputation: 60
Yes, it seems like an IDA bug. You should report it to the IDA devs.
Reply With Quote
The Following 2 Users Say Thank You to deepzero For This Useful Post:
Stingered (01-19-2019), tonyweb (01-19-2019)
  #9  
Old 01-19-2019, 01:06
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 114
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 145
Thanks Rcvd at 73 Times in 38 Posts
Stingered Reputation: 2
Quote:
Originally Posted by deepzero View Post
Yes, it seems like an IDA bug. You should report it to the IDA devs.
Will do! Thx for confirming.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Doqu 2.0 analysis Anticode General Discussion 10 06-29-2015 05:20


All times are GMT +8. The time now is 20:59.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX