使用异常处理程序时修复 IDA 中的堆栈指针

逆向工程 IDA
2021-06-20 07:15:03

我正在查看的代码使用了异常处理程序,在有异常处理程序的情况下,IDA 对堆栈指针的计算似乎出错了。我把整个函数作为完整示例贴出来,以便能看到问题所在。

我想知道的是,如何消除“sp-analysis failed”(sp 分析失败)这个提示。

000                 push    ebp                     ; frame pointer; [ebp+Str] below is addressed off it
004                 mov     ebp, esp
004                 push    0                       ; zero-initialised local slot [ebp+Str], released at loc_4467FE
008                 push    ebx
00C                 push    esi                     ; ebx/esi saved; popped again in the chunk at loc_44680E
010                 mov     ebx, eax                ; ebx = object passed in eax (Delphi register convention, presumably)
010                 xor     eax, eax                ; eax = 0: fs:[0] is the head of the SEH registration chain
010                 push    ebp
014                 push    offset j_ExceptionHandler1_2
018                 push    dword ptr fs:[eax]      ; save the previous fs:[0]
01C                 mov     fs:[eax], esp           ; link the 3-dword record {prev, handler, ebp}; delta stays 1Ch until loc_4467F1
01C                 push    1               ; uIDEvent
020                 mov     eax, [ebx+28h]
020                 push    eax             ; hWnd
024                 call    j_KillTimer             ; stdcall: callee pops 8 -> back to 01C
01C                 mov     esi, [ebx+24h]          ; esi = timer interval; 0 means "do not re-arm"
01C                 test    esi, esi
01C                 jz      short loc_4467F1
01C                 cmp     byte ptr [ebx+34h], 0
01C                 jz      short loc_4467F1
01C                 cmp     word ptr [ebx+2Eh], 0
01C                 jz      short loc_4467F1
01C                 push    0               ; lpTimerFunc
020                 push    esi             ; uElapse
024                 push    1               ; nIDEvent
028                 mov     eax, [ebx+28h]
028                 push    eax             ; hWnd
02C                 call    j_SetTimer              ; stdcall: callee pops 16 -> back to 01C
01C                 test    eax, eax                ; SetTimer returned 0 -> error path below
01C                 jnz     short loc_4467F1
01C                 lea     edx, [ebp+Str]
01C                 mov     eax, ds:off_5C6E3C
01C                 call    LoadString      ; EAX = StringResource
                                            ; EDX = Target
                                            ;
01C                 mov     ecx, [ebp+Str]          ; ecx = the string loaded above
01C                 mov     dl, 1
01C                 mov     eax, off_40CA00
01C                 call    sub_409F34              ; presumably builds the exception object (eax = class ref, ecx = message) — confirm
01C                 call    GlobalExceptionE        ; does not return: its body ends in jmp j_RaiseException (see second listing),
                                            ; so the fall-through edge into loc_4467F1 is not a real path

    loc_4467F1:                             ; CODE XREF: sub_446788+27j
                                            ; sub_446788+2Dj
                                            ; sub_446788+34j
                                            ; sub_446788+46j
                                            ; The delta here should be 01C: all four branches above and the
                                            ; fall-through arrive with 01C. The 00C shown is the first wrong value;
                                            ; everything after it, including the negative deltas in the chunk at
                                            ; loc_44680E, is off by 10h as a consequence.
                                            ; NOTE(review): to balance, IDA needs the delta forced to 1Ch here
                                            ; ("Change stack pointer", Alt-K), the push/retn pair below made
                                            ; sp-neutral, and GlobalExceptionE marked as non-returning — confirm.
00C                 xor     eax, eax                ; eax = 0 again for fs:[0]
00C                 pop     edx                     ; edx = previous fs:[0]
008                 pop     ecx                     ; discard handler address
004                 pop     ecx                     ; discard saved ebp
000                 mov     fs:[eax], edx           ; unlink the SEH record (mirror of the install above)
000                 push    offset loc_44680E       ; "return address" for the retn at loc_4467FE:
                                            ; push + retn together act as jmp loc_44680E, not as a function exit

    loc_4467FE:                             ; CODE XREF: CODE:0044680Cj
                                            ; finally-block body, shared by the normal path (fall-through)
                                            ; and the handler path (jmp short loc_4467FE below)
004                 lea     eax, [ebp+Str]  ; RDStr
004                 call    ReleaseDelphiString ; EAX = Pointer to a stringpointer
                                            ;
                                            ; Refcount is decreased and the pointer is set to NULL.
004                 retn                            ; pops the address pushed above -> continues at loc_44680E.
                                            ; IDA appears to take this as the function's return; the non-zero
                                            ; delta here is what produces "sp-analysis failed" — confirm
    sub_446788      endp ; sp-analysis failed

    ; [00000005 BYTES: COLLAPSED FUNCTION j_ExceptionHandler1_2. PRESS KEYPAD "+" TO EXPAND]
    ; ---------------------------------------------------------------------------
                    jmp     short loc_4467FE        ; continuation after the handler ran (presumably the xref
                                            ; CODE:0044680C): re-enters the finally block
    ; ---------------------------------------------------------------------------
    ; START OF FUNCTION CHUNK FOR sub_446788

    loc_44680E:                             ; CODE XREF: sub_446788+7Ej
                                            ; DATA XREF: sub_446788+71o
                                            ; Real epilogue. Expected deltas: 010 / 00C / 008 / 004 / 000;
                                            ; the listed 004 .. -0C are the cascade from the 00C at loc_4467F1.
004                 pop     esi
000                 pop     ebx
-04                 pop     ecx                     ; drops the "push 0" local slot ([ebp+Str], already released)
-08                 pop     ebp
-0C                 retn

更新

GlobalExceptionE 函数如下:

000                 pop     edx                     ; edx = caller's return address (the call site of the raise)
-04                 push    esp                     ; 7 dwords pushed below: esp, ebp, edi, esi, ebx, eax, edx
000                 push    ebp
004                 push    edi
008                 push    esi
00C                 push    ebx
010                 push    eax                     ; eax = exception object from the caller, presumably
014                 push    edx
018                 push    esp             ; lpArguments -> {edx, eax, ebx, esi, edi, ebp, esp} (lowest address first)
01C                 push    7               ; nNumberOfArguments
020                 push    1               ; dwExceptionFlags = EXCEPTION_NONCONTINUABLE
024                 push    0EEDFADEh       ; dwExceptionCode (Delphi exception code)
028                 push    edx                     ; return-address slot for the jmp'd stdcall below: the caller's
                                            ; own return address, so the raise is attributed to the call site
02C                 jmp     j_RaiseException        ; tail-jump RaiseException(code, flags, 7, args); never returns here