decryptmessage fail with access violation - windows
function for initiliase Schannel
SecureConnect proc uses ebx edi esi, _host: dword, _port: dword, phContext: dword, pCredHandle: dword, cSocket: dword
SECPKG_CRED_OUTBOUND equ 2
SCHANNEL_CRED_VERSION equ 4
SCH_CRED_NO_DEFAULT_CREDS equ 10h
SCH_CRED_MANUAL_CRED_VALIDATION equ 8
ISC_REQ_SEQUENCE_DETECT equ 8
ISC_REQ_REPLAY_DETECT equ 4
ISC_REQ_CONFIDENTIALITY equ 10h
ISC_RET_EXTENDED_ERROR equ 4000h
ISC_REQ_ALLOCATE_MEMORY equ 100h
ISC_REQ_STREAM equ 8000h
ISC_RET_EXTENDED_ERROR equ 4000h
SECURITY_NATIVE_DREP equ 10h
IO_BUFFER_SIZE equ 8000h
SEC_I_INCOMPLETE_CREDENTIALS equ 90320h
SEC_I_CONTINUE_NEEDED equ 90312h
SEC_E_INCOMPLETE_MESSAGE equ 80090318h
SCHANNEL_CRED STRUCT
dwVersion dd ?
cCreds dd ?
paCred dd ?
hRootStore dd ?
cMappers dd ?
aphMappers dd ?
cSupportedAlgs dd ?
palgSupportedAlgs dd ?
grbitEnabledProtocols dd ?
dwMinimumCipherStrength dd ?
dwMaximumCipherStrength dd ?
dwSessionLifespan dd ?
dwFlags dd ?
dwCredFormat dd ?
SCHANNEL_CRED ENDS
SecBufferDesc STRUCT
ulVersion dd ?
cBuffers dd ?
pBuffers dd ?
SecBufferDesc ENDS
SecBuffer STRUCT
cbBuffer dd ?
BufferType dd ?
pvBuffer dd ?
SecBuffer ENDS
CERT_CONTEXT STRUCT
dwCertEncodingType dd ?
pbCertEncoded dd ?
cbCertEncoded dd ?
pCertInfo dd ?
hCertStore dd ?
CERT_CONTEXT ENDS
local credentials : SCHANNEL_CRED
local sSocket : dword
local sin : sockaddr_in
local iMode : dword
local fd : fds_set
local dwSSPIFlags : dword
local out_buffer_desc : SecBufferDesc
local _out_buffer : SecBuffer
local in_buffer_desc : SecBufferDesc
local _in_buffer[2] : SecBuffer
local dwSSPIOutFlags : dword
local IoBuffer : dword
local cbIoBuffer : dword
local fDoRead : dword
local scRet : dword
local ExtraData : SecBuffer
lea ecx, [ebp - 3 * 4]
sub ecx, esp
invoke ZeroMemory, addr [esp + 3 * 4 + 4], ecx
mov credentials.dwVersion, SCHANNEL_CRED_VERSION
mov credentials.dwFlags, SCH_CRED_NO_DEFAULT_CREDS or SCH_CRED_MANUAL_CRED_VALIDATION
invoke AcquireCredentialsHandleA, NULL, _T("Microsoft Unified Security Protocol Provider"), SECPKG_CRED_OUTBOUND, NULL, addr credentials, NULL, NULL, dword ptr [pCredHandle], NULL
.if eax == 0
invoke socket, AF_INET, SOCK_STREAM, IPPROTO_TCP
mov dword ptr [sSocket], eax
invoke copydata, addr sSocket, dword ptr [cSocket], sizeof dword
invoke isip, dword ptr [_host]
.if eax != 0
mov eax, dword ptr [_host]
jmp #f
.endif
invoke xgethostbyname, dword ptr [_host], AF_INET
invoke inet_ntoa, eax
##:
invoke inet_addr, eax
mov sin.sin_addr, eax
mov eax, dword ptr [_port]
cmp eax, 65536
jna #f
invoke atoi, eax
##:
invoke htons, eax
mov sin.sin_port, ax
mov sin.sin_family, AF_INET ;???????? ???? ? ??? "AF_INET"
mov iMode, 1
invoke setsockopt, dword ptr [sSocket], IPPROTO_TCP, TCP_NODELAY, addr iMode, 4
mov iMode, 1
invoke ioctlsocket, dword ptr [sSocket], FIONBIO, addr iMode
invoke connect, dword ptr [sSocket], addr sin, sizeof sin ;??????????? ?????? ????????
invoke fd_set_, dword ptr [sSocket], 0, addr fd, 10, 0
invoke select, 0, 0, addr fd, 0, addr [fd + 4 * 3]
cmp eax, 1
jnz close
mov iMode, 0
invoke ioctlsocket, dword ptr [sSocket], FIONBIO, addr iMode
mov dword ptr [dwSSPIFlags], ISC_REQ_SEQUENCE_DETECT or ISC_REQ_REPLAY_DETECT or ISC_REQ_CONFIDENTIALITY or ISC_RET_EXTENDED_ERROR or ISC_REQ_ALLOCATE_MEMORY or ISC_REQ_STREAM
mov _out_buffer.cbBuffer, 0
mov _out_buffer.BufferType, SECBUFFER_TOKEN
mov _out_buffer.pvBuffer, NULL
mov out_buffer_desc.ulVersion, SECBUFFER_VERSION
mov out_buffer_desc.cBuffers, 1
lea eax, _out_buffer
mov out_buffer_desc.pBuffers, eax
invoke InitializeSecurityContextA, dword ptr [pCredHandle], NULL, dword ptr [_host], dword ptr [dwSSPIFlags], 0, SECURITY_NATIVE_DREP, NULL, 0, dword ptr [phContext], addr out_buffer_desc, addr dwSSPIOutFlags, NULL
.if _out_buffer.cbBuffer != 0 && _out_buffer.pvBuffer != NULL
invoke synsend, dword ptr [sSocket], _out_buffer.pvBuffer, _out_buffer.cbBuffer, NULL
invoke FreeContextBuffer, dword ptr [_out_buffer.pvBuffer]
invoke VirtualAlloc, 0, IO_BUFFER_SIZE, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
test eax, eax
jz close
mov dword ptr [IoBuffer], eax
mov dword ptr [scRet], SEC_I_CONTINUE_NEEDED
mov dword ptr [cbIoBuffer], 0
mov dword ptr [fDoRead], TRUE
.while dword ptr [scRet] == SEC_I_CONTINUE_NEEDED || dword ptr [scRet] == SEC_E_INCOMPLETE_MESSAGE || dword ptr [scRet] == SEC_I_INCOMPLETE_CREDENTIALS
.if dword ptr [cbIoBuffer] == 0 || dword ptr [scRet] == SEC_E_INCOMPLETE_MESSAGE
.if dword ptr [fDoRead] == TRUE
mov eax, dword ptr [IoBuffer]
add eax, dword ptr [cbIoBuffer]
mov ecx, IO_BUFFER_SIZE
sub ecx, dword ptr [cbIoBuffer]
invoke recv_, dword ptr [sSocket], eax, ecx, 10
.break .if eax == 0 || sdword ptr eax < 0
add dword ptr [cbIoBuffer], eax
.else
mov dword ptr [fDoRead], TRUE
.endif
.endif
mov _out_buffer.cbBuffer, 0
mov _out_buffer.BufferType, SECBUFFER_TOKEN
mov _out_buffer.pvBuffer, NULL
mov out_buffer_desc.ulVersion, SECBUFFER_VERSION
mov out_buffer_desc.cBuffers, 1
lea eax, _out_buffer
mov out_buffer_desc.pBuffers, eax
mov eax, dword ptr [IoBuffer]
mov ecx, dword ptr [cbIoBuffer]
mov (0Ch * 0) + _in_buffer.cbBuffer, ecx
mov (0Ch * 0) + _in_buffer.BufferType, SECBUFFER_TOKEN
mov (0Ch * 0) + _in_buffer.pvBuffer, eax
mov (0Ch * 1) + _in_buffer.cbBuffer, 0
mov (0Ch * 1) + _in_buffer.BufferType, SECBUFFER_EMPTY
mov (0Ch * 1) + _in_buffer.pvBuffer, NULL
mov in_buffer_desc.ulVersion, SECBUFFER_VERSION
mov in_buffer_desc.cBuffers, 2
lea eax, _in_buffer
mov in_buffer_desc.pBuffers, eax
invoke InitializeSecurityContextA, dword ptr [pCredHandle], dword ptr [phContext], NULL, dword ptr [dwSSPIFlags], 0, SECURITY_NATIVE_DREP, addr in_buffer_desc, 0, NULL, addr out_buffer_desc, addr dwSSPIOutFlags, NULL
mov dword ptr [scRet], eax
.continue .if dword ptr [scRet] == SEC_E_INCOMPLETE_MESSAGE
.break .if sdword ptr [scRet] < 0
.if dword ptr [scRet] == SEC_E_OK || dword ptr [scRet] == SEC_I_CONTINUE_NEEDED && _out_buffer.cbBuffer != 0 && _out_buffer.pvBuffer != NULL
invoke synsend, dword ptr [sSocket], _out_buffer.pvBuffer, _out_buffer.cbBuffer, NULL
invoke FreeContextBuffer, dword ptr [_out_buffer.pvBuffer]
.endif
.if dword ptr [scRet] == SEC_I_INCOMPLETE_CREDENTIALS
invoke MessageBoxA, 0, _T("SEC_I_INCOMPLETE_CREDENTIALS"), 0, 0
;//GetNewClientCredentials(phCreds, dword ptr [phContext]);
;// Повторная попытка.
;fDoRead = FALSE;
;scRet = SEC_I_CONTINUE_NEEDED;
;// Исправляем ошибку Platform SDK!
;// Считаем, что за этим сообщением не может следовать другое
;cbIoBuffer = 0;
;.continue
.endif
.if dword ptr [(0Ch * 1) + _in_buffer.BufferType] == SECBUFFER_EXTRA
mov eax, dword ptr [IoBuffer]
add eax, dword ptr [cbIoBuffer]
mov ecx, (0Ch * 1) + _in_buffer.cbBuffer
mov dword ptr [cbIoBuffer], ecx
sub eax, ecx
invoke copydata, eax, dword ptr [IoBuffer], (0Ch * 1) + _in_buffer.cbBuffer
.else
mov dword ptr [cbIoBuffer], 0
.endif
.endw
invoke VirtualFree, dword ptr [IoBuffer], 0, MEM_RELEASE
cmp dword ptr [scRet], SEC_E_OK
jnz close
mov eax, dword ptr [sSocket]
jmp _ret
.endif
.endif
close:
xor eax, eax
_ret:
ret
SecureConnect endp
decryptmessage
cryptrecv proc uses ebx edi esi, _socket: dword, rbuffer: dword, phContext: dword
IO_BUFFER_SIZE equ 8000h
SecBufferDesc STRUCT
ulVersion dd ?
cBuffers dd ?
pBuffers dd ?
SecBufferDesc ENDS
SecBuffer STRUCT
cbBuffer dd ?
BufferType dd ?
pvBuffer dd ?
SecBuffer ENDS
local Cbuffer : dword
local cb : dword
local _edx : dword
local in_buffer_desc : SecBufferDesc
local _in_buffer[4] : SecBuffer
local scRet : dword
local _result : dword
lea ecx, [ebp - 3 * 4]
sub ecx, esp
invoke ZeroMemory, addr [esp + 3 * 4 + 4], ecx
invoke ZeroMemory, dword ptr [rbuffer], 4
mov edi, dword ptr [rbuffer]
mov dword ptr [_edx], IO_BUFFER_SIZE
invoke VirtualAlloc, 0, dword ptr [_edx], MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
test eax, eax
jz close
mov dword ptr [Cbuffer], eax
_recv:
.if dword ptr [cb] == 0 || dword ptr [scRet] == SEC_E_INCOMPLETE_MESSAGE
##:
mov eax, dword ptr [Cbuffer]
add eax, dword ptr [cb]
mov ecx, dword ptr [_edx]
sub ecx, dword ptr [cb]
test ecx, ecx
jnz #f
add dword ptr [_edx], IO_BUFFER_SIZE
invoke VirtualAlloc, 0, dword ptr [_edx], MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
test eax, eax
jz close
mov esi, eax
invoke copydata, dword ptr [Cbuffer], esi, dword ptr [cb]
invoke VirtualFree, dword ptr [Cbuffer], 0, MEM_RELEASE
mov dword ptr [Cbuffer], esi
jmp #b
##:
invoke recv, dword ptr [_socket], eax, ecx, 0
test eax, eax
jle close
add dword ptr [cb], eax
.endif
invoke copydata, addr cb, addr [(0Ch * 0) + _in_buffer.cbBuffer], 4
mov (0Ch * 0) + _in_buffer.BufferType, SECBUFFER_DATA
invoke copydata, addr Cbuffer, addr [(0Ch * 0) + _in_buffer.pvBuffer], 4
mov (0Ch * 1) + _in_buffer.cbBuffer, 0
mov (0Ch * 1) + _in_buffer.BufferType, SECBUFFER_EMPTY
mov (0Ch * 1) + _in_buffer.pvBuffer, NULL
mov (0Ch * 2) + _in_buffer.cbBuffer, 0
mov (0Ch * 2) + _in_buffer.BufferType, SECBUFFER_EMPTY
mov (0Ch * 2) + _in_buffer.pvBuffer, NULL
mov (0Ch * 3) + _in_buffer.cbBuffer, 0
mov (0Ch * 3) + _in_buffer.BufferType, SECBUFFER_EMPTY
mov (0Ch * 3) + _in_buffer.pvBuffer, NULL
lea eax, _in_buffer
mov in_buffer_desc.pBuffers, eax
mov in_buffer_desc.ulVersion, SECBUFFER_VERSION
mov in_buffer_desc.cBuffers, 4
invoke DecryptMessage, dword ptr [phContext], addr in_buffer_desc, 0, NULL
mov dword ptr [scRet], eax
cmp dword ptr [scRet], SEC_E_INCOMPLETE_MESSAGE
jz _recv
cmp dword ptr [scRet], SEC_I_CONTEXT_EXPIRED
jz close
.if dword ptr [scRet] == SEC_I_RENEGOTIATE
invoke MessageBoxA, 0, _T("SEC_I_RENEGOTIATE"), 0, 0
jmp close
.endif
cmp eax, SEC_E_OK
jnz close
mov dword ptr [cb], 0
mov ebx, 1
.while ebx <= 3
imul ecx, ebx, 0Ch
lea esi, [ecx + _in_buffer]
.if dword ptr [esi + SecBuffer.BufferType] == SECBUFFER_DATA && dword ptr [esi + SecBuffer.cbBuffer] != 0
.if dword ptr [edi] == NULL
invoke VirtualAlloc, 0, dword ptr [esi + SecBuffer.cbBuffer], MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
test eax, eax
jz close
mov dword ptr [edi], eax
invoke copydata, dword ptr [esi + SecBuffer.pvBuffer], dword ptr [edi], dword ptr [esi + SecBuffer.cbBuffer]
.else
mov ecx, dword ptr [_result]
add ecx, dword ptr [esi + SecBuffer.cbBuffer]
invoke VirtualAlloc, 0, ecx, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
test eax, eax
jz close
mov edx, dword ptr [edi]
mov dword ptr [edi], eax
invoke copydata, edx, eax, dword ptr [_result]
invoke VirtualFree, edx, 0, MEM_RELEASE
mov eax, dword ptr [edi]
add eax, dword ptr [_result]
invoke copydata, dword ptr [esi + SecBuffer.pvBuffer], eax, dword ptr [esi + SecBuffer.cbBuffer]
.endif
mov eax, dword ptr [esi + SecBuffer.cbBuffer]
add dword ptr [_result], eax
.elseif dword ptr [esi + SecBuffer.BufferType] == SECBUFFER_EXTRA
mov edx, dword ptr [Cbuffer]
add edx, dword ptr [cb]
mov ecx, dword ptr [esi + SecBuffer.cbBuffer]
add dword ptr [cb], ecx
mov dword ptr [scRet], SEC_I_CONTINUE_NEEDED
invoke copydata, dword ptr [esi + SecBuffer.pvBuffer], edx, dword ptr [esi + SecBuffer.cbBuffer]
.endif
inc ebx
.endw
cmp dword ptr [scRet], SEC_I_CONTINUE_NEEDED
jz _recv
jmp _ret
close:
invoke VirtualFree, dword ptr [edi], 0, MEM_RELEASE
mov dword ptr [_result], NULL
_ret:
invoke VirtualFree, dword ptr [Cbuffer], 0, MEM_RELEASE
mov eax, dword ptr [_result]
ret
cryptrecv endp
this code work good. but sometime DecryptMessage fail with access violation. it cant read data from dword ptr [Cbuffer]
i am see it in debugger. and after error it say me that memory from dword ptr [Cbuffer] not allocated
access violation has occured inside DecryptMessage windows api function.
instruction that occure
movzx ecx, byte ptr [edi + 3]
in edi placed address that have dword ptr [Cbuffer]
Related
How to deal with "undefined label XXX" in Go assembly for libc functions like malloc?
I found a project c2goasm that can convert assembly from a C compiler into Golang assembly, but I'm currently having some problems.
such as "linkedlist.c" :
void ListNodeCreat(int val, struct ListNode* ret) {
struct ListNode * node = (struct ListNode *)malloc(sizeof(struct ListNode));
node->val = val;
node->next = NULL;
ret = node;
}
The generated C assembly file "linkedlist.s" is as follows, in GNU assembler .intel_syntax noprefix
ListNodeCreat: # #ListNodeCreat
push rbp
mov rbp, rsp
and rsp, -16
sub rsp, 32
mov dword ptr [rsp + 28], edi
mov qword ptr [rsp + 16], rsi
mov edi, 16
call malloc
mov qword ptr [rsp + 8], rax
mov ecx, dword ptr [rsp + 28]
mov rax, qword ptr [rsp + 8]
mov dword ptr [rax], ecx
mov rax, qword ptr [rsp + 8]
mov qword ptr [rax + 8], 0
mov rax, qword ptr [rsp + 8]
mov qword ptr [rsp + 16], rax
mov rsp, rbp
pop rbp
ret
Pay attention to the "call malloc" in it,when using c2goasm to get go assembly "linkedlist_amd64.s", it still exists:
TEXT ·_ListNodeCreat(SB), $40-16
MOVQ val+0(FP), DI
MOVQ ret+8(FP), SI
ADDQ $8, SP
LONG $0x1c247c89 // mov dword [rsp + 28], edi
LONG $0x24748948; BYTE $0x10 // mov qword [rsp + 16], rsi
LONG $0x000010bf; BYTE $0x00 // mov edi, 16
CALL malloc
LONG $0x24448948; BYTE $0x08 // mov qword [rsp + 8], rax
LONG $0x1c244c8b // mov ecx, dword [rsp + 28]
LONG $0x24448b48; BYTE $0x08 // mov rax, qword [rsp + 8]
WORD $0x0889 // mov dword [rax], ecx
LONG $0x24448b48; BYTE $0x08 // mov rax, qword [rsp + 8]
QUAD $0x000000000840c748 // mov qword [rax + 8], 0
LONG $0x24448b48; BYTE $0x08 // mov rax, qword [rsp + 8]
LONG $0x24448948; BYTE $0x10 // mov qword [rsp + 16], rax
SUBQ $8, SP
RET
so when I run "go build" or "go tool asm linkedlist_amd64.s", I got:
linkedlist_amd64.s:28: undefined label malloc
asm: assembly of linkedlist_amd64.s failed
Does anyone know how to deal with it?
frame pointer register 'ebx' modified by inline assembly code
Unfortunately, I had to re-image my laptop to install Visual Studio 2012. My project build but with above warning. Previously I had Visual Studio 2010 and I never got the above warning. The code is as follows:
__asm
{
//Initialize pointers on matrices
mov eax, dword ptr [this]
mov ebx, dword ptr [eax+UPkk]
mov dword ptr [UPkk_ptr],ebx
mov ebx, dword ptr [eax+UPk1k]
mov dword ptr [UPk1k_ptr],ebx
mov ebx, dword ptr [eax+DPk1k]
mov dword ptr [DPk1k_ptr],ebx
mov ebx, dword ptr [eax+DPkk]
mov dword ptr [DPkk_ptr],ebx
mov ebx, dword ptr [eax+mat_A]
mov dword ptr [mat_A_ptr],ebx
mov ebx, dword ptr [eax+vec_a]
mov dword ptr [vec_a_ptr],ebx
mov ebx, dword ptr [eax+vec_b]
mov dword ptr [vec_b_ptr],ebx
}
Do I need to change any settings in the project?
Best Regards
Chintan
Edit: In the above code when I replace ebx with ecx, the warnings go away and the code works fine. However, there is another piece of code where I have used ebx and ecx and in that case my program crashes. Here is the code:
__asm
{
//Initialize UPk1k[idx_4] pointer
mov eax, dword ptr [UPk1k_ptr]
mov ebx, dword ptr [idx_4]
imul ebx,8
add eax,ebx
mov dword ptr [UPk1k_id4_ptr],eax
//Initialize UPkk[idx_4] pointer
mov eax, dword ptr [UPkk_ptr]
mov ebx, dword ptr [idx_4]
imul ebx,8
add eax,ebx
mov dword ptr [UPkk_id4_ptr],eax
//Initialize UPk1k[idx_4] pointer
mov eax, dword ptr [vec_b_ptr]
mov ebx, dword ptr [idx_1]
imul ebx,8
add eax,ebx
mov dword ptr [vec_b_id1_ptr],eax
mov edi, dword ptr [idx_1] //Load idx_1 in edi
mov esi, 0 //initialize loop counter
jmp start_proc11
start_for11:inc esi //idx_2++
start_proc11:cmp esi, edi //idx_2<idx_1 ?
jge end_for11 //If yes so end of the loop
mov eax, UPk1k_id4_ptr //load UPk1k[idx_4] adress
mov ebx, vec_b_ptr //load vec_b adress
mov ecx, esi
imul ecx,8
add eax, ecx //UPk1k[idx_4+idx_2] in eax
add ebx, ecx //vec_b[idx_2] in eax
fld qword ptr [eax]//push UPk1k[idx_4+idx_2]
fld qword ptr [ebx] //push vec_b[idx_2]
mov edx,dword ptr [Sd_ptr]
fmul qword ptr [edx] //vec_b[idx_2]*Sd
fadd //pop UPk1k[idx_4+idx_2]+vec_b[idx_2]*Sd
mov edx,dword ptr [UPkk_id4_ptr]
fstp qword ptr [edx+esi*8] //pop UPkk[idx_4+idx_2]=UPk1k[idx_4+idx_2]+vec_b[idx_2]*Sd
fld qword ptr [ebx] //push vec_b[idx_2]
mov edx,dword ptr [vec_b_id1_ptr]
fld qword ptr [edx] //push vec_b[idx_2]
fmul qword ptr [eax]
fadd
fstp qword ptr [ebx]
jmp start_for11 //end of the loop
end_for11:
}
Many Thanks
Best Regards
CS
See MSDN about registers and that warning. They explain why the warning is produced: it forces the compiler to preserve value of EBX, which might be counter-productive to performance, the usual reason inline asm is used. Relevant quote: In addition, by using EBX, ESI or EDI in inline assembly code, you force the compiler to save and restore those registers in the function prologue and epilogue. To disable the warning, I think the syntax is #pragma warning( disable : 4731 ) However, I'd try to use some other register instead, because the warning is there for a good reason, really, like most warnings. In fact, Looking at your asm code, simply replace ebx With ecx, that should solve the problem.
What syntax does a disassembled .s file is not acceptable in nasm?
This code is a C program (bubble sort) disassembled into assembly. How can I make the following code run if I put it in a .asm file and use nasm to assemble? If you know what needs changing, please say what to change it to. For instance I understand that nasm won't accept DWORD PTR, but I haven't found out what to do instead. Thanks .file "sort.c" .intel_syntax noprefix .text .globl sort .type sort, #function sort: .LFB0: .cfi_startproc push rbp .cfi_def_cfa_offset 16 .cfi_offset 6, -16 mov rbp, rsp .cfi_def_cfa_register 6 mov QWORD PTR [rbp-24], rdi mov DWORD PTR [rbp-28], esi mov DWORD PTR [rbp-12], 0 jmp .L2 .L6: mov DWORD PTR [rbp-8], 0 jmp .L3 .L5: mov eax, DWORD PTR [rbp-8] cdqe sal rax, 2 add rax, QWORD PTR [rbp-24] mov edx, DWORD PTR [rax] mov eax, DWORD PTR [rbp-8] cdqe add rax, 1 sal rax, 2 add rax, QWORD PTR [rbp-24] mov eax, DWORD PTR [rax] cmp edx, eax jle .L4 mov eax, DWORD PTR [rbp-8] cdqe sal rax, 2 add rax, QWORD PTR [rbp-24] mov eax, DWORD PTR [rax] mov DWORD PTR [rbp-4], eax mov eax, DWORD PTR [rbp-8] cdqe sal rax, 2 add rax, QWORD PTR [rbp-24] mov edx, DWORD PTR [rbp-8] movsx rdx, edx add rdx, 1 sal rdx, 2 add rdx, QWORD PTR [rbp-24] mov edx, DWORD PTR [rdx] mov DWORD PTR [rax], edx mov eax, DWORD PTR [rbp-8] cdqe add rax, 1 sal rax, 2 add rax, QWORD PTR [rbp-24] mov edx, DWORD PTR [rbp-4] mov DWORD PTR [rax], edx .L4: add DWORD PTR [rbp-8], 1 .L3: mov eax, DWORD PTR [rbp-28] sub eax, 1 sub eax, DWORD PTR [rbp-12] cmp eax, DWORD PTR [rbp-8] jg .L5 add DWORD PTR [rbp-12], 1 .L2: mov eax, DWORD PTR [rbp-28] sub eax, 1 cmp eax, DWORD PTR [rbp-12] jg .L6 pop rbp .cfi_def_cfa 7, 8 ret .cfi_endproc .LFE0: .size sort, .-sort .ident "GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3" .section .note.GNU-stack,"",#progbits
Just remove PTR and all nonsensical .somethings. This assembles just fine: ; file: gas-nasm-sort.asm bits 64 sort: push rbp mov rbp, rsp mov QWORD [rbp-24], rdi mov DWORD [rbp-28], esi mov DWORD [rbp-12], 0 jmp .L2 .L6: mov DWORD [rbp-8], 0 jmp .L3 .L5: mov eax, DWORD [rbp-8] cdqe sal rax, 2 add rax, QWORD [rbp-24] mov edx, DWORD [rax] mov eax, DWORD [rbp-8] cdqe add rax, 1 sal rax, 2 add rax, QWORD [rbp-24] mov eax, DWORD [rax] cmp edx, eax jle .L4 mov eax, DWORD [rbp-8] cdqe sal rax, 2 add rax, QWORD [rbp-24] mov eax, DWORD [rax] mov DWORD [rbp-4], eax mov eax, DWORD [rbp-8] cdqe sal rax, 2 add rax, QWORD [rbp-24] mov edx, DWORD [rbp-8] movsx rdx, edx add rdx, 1 sal rdx, 2 add rdx, QWORD [rbp-24] mov edx, DWORD [rdx] mov DWORD [rax], edx mov eax, DWORD [rbp-8] cdqe add rax, 1 sal rax, 2 add rax, QWORD [rbp-24] mov edx, DWORD [rbp-4] mov DWORD [rax], edx .L4: add DWORD [rbp-8], 1 .L3: mov eax, DWORD [rbp-28] sub eax, 1 sub eax, DWORD [rbp-12] cmp eax, DWORD [rbp-8] jg .L5 add DWORD [rbp-12], 1 .L2: mov eax, DWORD [rbp-28] sub eax, 1 cmp eax, DWORD [rbp-12] jg .L6 pop rbp ret Command: nasm gas-nasm-sort.asm -f bin -o gas-nasm-sort.bin But again, there's NASM documentation. Read it. In particular these sections: 2.2.2 NASM Requires Square Brackets For Memory References 2.2.3 NASM Doesn't Store Variable Types
Disassembling CGContextReplacePathWithShapePath()?
I am beginner at dis-assembly. Below is the disassembly of CGContextReplacePathWithShapePath from IDA pro. I am trying to figure out the parameters to the routine. Any help is highly appreciated. Also please post some pointers/hints on how to attack the dis-assembly. __text:00024D1F ; =============== S U B R O U T I N E ======================================= __text:00024D1F __text:00024D1F ; Attributes: bp-based frame __text:00024D1F __text:00024D1F public _CGContextReplacePathWithShapePath __text:00024D1F _CGContextReplacePathWithShapePath proc near __text:00024D1F __text:00024D1F var_2C = dword ptr -2Ch __text:00024D1F var_20 = dword ptr -20h __text:00024D1F var_1C = dword ptr -1Ch __text:00024D1F arg_0 = dword ptr 8 __text:00024D1F arg_4 = dword ptr 0Ch __text:00024D1F __text:00024D1F push ebp __text:00024D20 mov ebp, esp __text:00024D22 push edi __text:00024D23 push esi __text:00024D24 push ebx __text:00024D25 sub esp, 3Ch __text:00024D28 call $+5 __text:00024D2D pop ebx __text:00024D2E mov esi, [ebp+arg_0] __text:00024D31 test esi, esi __text:00024D33 jz short loc_24D3E __text:00024D35 cmp dword ptr [esi+8], 43545854h __text:00024D3C jz short loc_24D5F __text:00024D3E __text:00024D3E loc_24D3E: ; CODE XREF: _CGContextReplacePathWithShapePath+14j __text:00024D3E mov [esp+8], esi __text:00024D42 lea eax, (___func___26084 - 24D2Dh)[ebx] ; "CGContextReplacePathWithShapePath" __text:00024D48 mov [esp+4], eax __text:00024D4C lea eax, (aSInvalidContex - 24D2Dh)[ebx] ; "%s: invalid context %p" __text:00024D52 mov [esp], eax __text:00024D55 call _CGPostError __text:00024D5A jmp loc_24DF2 __text:00024D5F ; --------------------------------------------------------------------------- __text:00024D5F __text:00024D5F loc_24D5F: ; CODE XREF: _CGContextReplacePathWithShapePath+1Dj __text:00024D5F mov eax, [esi+58h] __text:00024D62 test eax, eax __text:00024D64 jz short loc_24D75 __text:00024D66 mov [esp], eax __text:00024D69 call _CGPathRelease __text:00024D6E mov dword ptr [esi+58h], 0 __text:00024D75 __text:00024D75 loc_24D75: ; CODE XREF: _CGContextReplacePathWithShapePath+45j __text:00024D75 mov eax, [ebp+arg_4] __text:00024D78 mov [esp], eax __text:00024D7B call _CGSRegionPathEnumerator __text:00024D80 mov edi, eax __text:00024D82 xor ebx, ebx __text:00024D84 lea eax, [ebp+var_20] __text:00024D87 mov [ebp+var_2C], eax __text:00024D8A jmp short loc_24DCA __text:00024D8C ; --------------------------------------------------------------------------- __text:00024D8C __text:00024D8C loc_24D8C: ; CODE XREF: _CGContextReplacePathWithShapePath+BDj __text:00024D8C jge short loc_24DB4 __text:00024D8E inc ebx __text:00024D8F cmp ebx, 1 __text:00024D92 jz short loc_24D9C __text:00024D94 mov [esp], esi __text:00024D97 call _CGContextClosePath __text:00024D9C __text:00024D9C loc_24D9C: ; CODE XREF: _CGContextReplacePathWithShapePath+73j __text:00024D9C mov eax, [ebp+var_1C] __text:00024D9F mov [esp+8], eax __text:00024DA3 mov eax, [ebp+var_20] __text:00024DA6 mov [esp+4], eax __text:00024DAA mov [esp], esi __text:00024DAD call _CGContextMoveToPoint __text:00024DB2 jmp short loc_24DCA __text:00024DB4 ; --------------------------------------------------------------------------- __text:00024DB4 __text:00024DB4 loc_24DB4: ; CODE XREF: _CGContextReplacePathWithShapePath:loc_24D8Cj __text:00024DB4 mov eax, [ebp+var_1C] __text:00024DB7 mov [esp+8], eax __text:00024DBB mov eax, [ebp+var_20] __text:00024DBE mov [esp+4], eax __text:00024DC2 mov [esp], esi __text:00024DC5 call _CGContextAddLineToPoint __text:00024DCA __text:00024DCA loc_24DCA: ; CODE XREF: _CGContextReplacePathWithShapePath+6Bj __text:00024DCA ; _CGContextReplacePathWithShapePath+93j __text:00024DCA mov eax, [ebp+var_2C] __text:00024DCD mov [esp+4], eax __text:00024DD1 mov [esp], edi __text:00024DD4 call _CGSNextPoint __text:00024DD9 cmp eax, 0 __text:00024DDC jnz short loc_24D8C __text:00024DDE test ebx, ebx __text:00024DE0 jz short loc_24DEA __text:00024DE2 mov [esp], esi __text:00024DE5 call _CGContextClosePath __text:00024DEA __text:00024DEA loc_24DEA: ; CODE XREF: _CGContextReplacePathWithShapePath+C1j __text:00024DEA mov [esp], edi __text:00024DED call _CGSReleaseRegionEnumerator __text:00024DF2 __text:00024DF2 loc_24DF2: ; CODE XREF: _CGContextReplacePathWithShapePath+3Bj __text:00024DF2 add esp, 3Ch __text:00024DF5 pop ebx __text:00024DF6 pop esi __text:00024DF7 pop edi __text:00024DF8 leave __text:00024DF9 retn __text:00024DF9 _CGContextReplacePathWithShapePath endp
The first parameter is a context parameter of some sort.
The function checks to see if it's NULL and in that case jumps to loc_24D3E (where you can see it calls an error function _CGPostError with the format string "%s: invalid context %p"). BTW: Right after it checks a magic value in the context (at context+8) to see if it is valid otherwise it exits through the same error path. The magic value43545854h is CTXT as chars btw.
__text:00024D2E mov esi, [ebp+arg_0]
__text:00024D31 test esi, esi
__text:00024D33 jz short loc_24D3E
As for the second parameter, it looks to be some kind of path as it is used as the sole parameter to CGSRegionPathEnumerator.
__text:00024D75 mov eax, [ebp+arg_4]
__text:00024D78 mov [esp], eax
__text:00024D7B call _CGSRegionPathEnumerator
In C the function would look something like this:
void CGContextReplacePathWithShapePath(Context* context, Path* path) {
if(context == NULL || context->magic != 0x43545854) {
CGPostError("%s: invalid context %p", "CGContextReplacePathWithShapePath", context);
return;
}
// loc_24D5F
if (context->path != NULL) {
CGPathRelease(context->path);
context->path = NULL;
}
// loc_24D75
RegionPathEnumerator* rpe = CGSRegionPathEnumerator(path);
// ....
}
Reversing of _PrepareMenuWindow() subroutine
Can some one help me with reversing of _PrepareMenuWindow() subroutine? I am trying to find the signature of the method. __text:000639A7 _PrepareMenuWindow proc near ; CODE XREF: DrawTheMenu(MenuSelectData *,__CFArray **,uchar,uchar *)+274p __text:000639A7 ; PopUpMenuSelectCore(MenuData *,Point,double,Point,ushort,uint,Rect const*,ushort,ulong,Rect const*,Rect const*,__CFString const*,OpaqueMenuRef **,ushort *)+528p __text:000639A7 __text:000639A7 var_44 = dword ptr -44h __text:000639A7 var_40 = dword ptr -40h __text:000639A7 var_3C = dword ptr -3Ch __text:000639A7 var_34 = dword ptr -34h __text:000639A7 var_30 = dword ptr -30h __text:000639A7 var_2C = dword ptr -2Ch __text:000639A7 var_28 = dword ptr -28h __text:000639A7 var_24 = word ptr -24h __text:000639A7 var_20 = dword ptr -20h __text:000639A7 var_1A = word ptr -1Ah __text:000639A7 arg_0 = dword ptr 8 __text:000639A7 arg_4 = dword ptr 0Ch __text:000639A7 arg_8 = dword ptr 10h __text:000639A7 __text:000639A7 push ebp __text:000639A8 mov ebp, esp __text:000639AA push edi __text:000639AB push esi __text:000639AC push ebx __text:000639AD sub esp, 5Ch __text:000639B0 xor edi, edi __text:000639B2 mov eax, [ebp+arg_0] __text:000639B5 test eax, eax __text:000639B7 jz short loc_639C6 __text:000639B9 mov eax, [ebp+arg_0] __text:000639BC mov [esp], eax __text:000639BF call __ZNK8HIObject13GetEncodedRefEv ; HIObject::GetEncodedRef(void) __text:000639C4 mov edi, eax __text:000639C6 __text:000639C6 loc_639C6: ; CODE XREF: _PrepareMenuWindow+10j __text:000639C6 mov ecx, [ebp+arg_4] __text:000639C9 mov eax, [ecx] __text:000639CB mov edx, [ecx+4] __text:000639CE mov [ebp+var_2C], eax __text:000639D1 mov [ebp+var_28], edx __text:000639D4 lea eax, [ebp+var_1A] __text:000639D7 mov [ebp+var_40], eax __text:000639DA mov [esp+4], eax __text:000639DE mov [esp], edi __text:000639E1 call _GetMenuType __text:000639E6 mov dword ptr [esp+4], 0 __text:000639EE mov [esp], edi __text:000639F1 call _IsMenuItemEnabled __text:000639F6 movzx edx, [ebp+var_1A] __text:000639FA or dh, 1 __text:000639FD test al, al __text:000639FF movzx ebx, [ebp+var_1A] __text:00063A03 cmovz ebx, edx __text:00063A06 mov [ebp+var_1A], bx __text:00063A0A mov eax, [ebp+arg_8] __text:00063A0D mov [esp+0Ch], eax __text:00063A11 lea ecx, [ebp+var_2C] __text:00063A14 mov [ebp+var_44], ecx __text:00063A17 mov [esp+8], ecx __text:00063A1B mov eax, [ebp+arg_4] __text:00063A1E mov [esp+4], eax __text:00063A22 mov [esp], edi __text:00063A25 call __AddOpenMenu __text:00063A2A mov ecx, [ebp+var_44] __text:00063A2D mov [esp], ecx __text:00063A30 call _EmptyRect __text:00063A35 test al, al __text:00063A37 jnz loc_63B94 __text:00063A3D mov [esp], edi __text:00063A40 call __Z11GetMenuDataP13OpaqueMenuRef ; GetMenuData(OpaqueMenuRef *) __text:00063A45 mov [ebp+var_3C], eax __text:00063A48 call _NewRgn __text:00063A4D mov esi, eax __text:00063A4F test eax, eax __text:00063A51 jz loc_63BDD __text:00063A57 movzx ebx, bx __text:00063A5A mov eax, [ebp+var_3C] __text:00063A5D mov eax, [eax+40h] __text:00063A60 test eax, eax __text:00063A62 jnz loc_63B23 __text:00063A68 mov [ebp+var_1A], 0 __text:00063A6E mov eax, [ebp+var_2C] __text:00063A71 mov edx, [ebp+var_28] __text:00063A74 mov [ebp+var_34], eax __text:00063A77 mov [ebp+var_30], edx __text:00063A7A mov ecx, [ebp+var_40] __text:00063A7D mov [esp+10h], ecx __text:00063A81 mov dword ptr [esp+0Ch], 0 __text:00063A89 lea eax, [ebp+var_34] __text:00063A8C mov [esp+8], eax __text:00063A90 mov dword ptr [esp+4], 7 __text:00063A98 mov eax, [ebp+var_3C] __text:00063A9B mov [esp], eax __text:00063A9E call __Z12_CallMenuDefP8MenuDatasP4Rect5PointPs ; _CallMenuDef(MenuData *,short,Rect *,Point,short *) __text:00063AA3 cmp [ebp+var_1A], 7473h __text:00063AA9 jz short loc_63ADC __text:00063AAB add word ptr [ebp+var_2C], 3 __text:00063AB0 mov dword ptr [esp+8], 0FFFFFFFCh __text:00063AB8 mov dword ptr [esp+4], 0FFFFFFFCh __text:00063AC0 mov ecx, [ebp+var_44] __text:00063AC3 mov [esp], ecx __text:00063AC6 call _InsetRect __text:00063ACB mov eax, [ebp+var_44] __text:00063ACE mov [esp+4], eax __text:00063AD2 mov [esp], esi __text:00063AD5 call _RectRgn __text:00063ADA jmp short loc_63B23 __text:00063ADC ; --------------------------------------------------------------------------- __text:00063ADC __text:00063ADC loc_63ADC: ; CODE XREF: _PrepareMenuWindow+102j __text:00063ADC lea eax, [ebp+var_24] __text:00063ADF mov [esp+8], eax __text:00063AE3 lea eax, [ebp+var_20] __text:00063AE6 mov [esp+4], eax __text:00063AEA mov [esp], edi __text:00063AED call __GetMenuCallout __text:00063AF2 movsx eax, [ebp+var_24] __text:00063AF6 mov [esp+10h], eax __text:00063AFA mov eax, [ebp+var_20] __text:00063AFD mov [esp+0Ch], eax __text:00063B01 mov [esp+8], esi __text:00063B05 mov [esp+4], ebx __text:00063B09 mov ecx, [ebp+var_44] __text:00063B0C mov [esp], ecx __text:00063B0F call __GetThemeMenuBackgroundRegionWithCallout __text:00063B14 mov eax, [ebp+var_44] __text:00063B17 mov [esp+4], eax __text:00063B1B mov [esp], esi __text:00063B1E call _GetRegionBounds __text:00063B23 __text:00063B23 loc_63B23: ; CODE XREF: _PrepareMenuWindow+BBj __text:00063B23 ; _PrepareMenuWindow+133j __text:00063B23 mov [esp+0Ch], esi __text:00063B27 mov ecx, [ebp+var_44] __text:00063B2A mov [esp+8], ecx __text:00063B2E mov [esp+4], ebx __text:00063B32 mov [esp], edi __text:00063B35 call __ZL13GetMenuWindowP13OpaqueMenuReftPK4RectP15OpaqueRgnHandle ; GetMenuWindow(OpaqueMenuRef *,ushort,Rect const*,OpaqueRgnHandle *) __text:00063B3A test eax, eax __text:00063B3C jz short loc_63BA1 __text:00063B3E mov [esp], eax __text:00063B41 call _GetWindowPort __text:00063B46 mov [esp], eax __text:00063B49 call _SetPortWrapper __text:00063B4E mov [esp], esi __text:00063B51 call _SetClipWrapper __text:00063B56 mov [esp], esi __text:00063B59 call _DisposeRgn __text:00063B5E mov eax, [ebp+var_3C] __text:00063B61 mov eax, [eax+40h] __text:00063B64 test eax, eax __text:00063B66 jnz short loc_63BDD __text:00063B68 mov dword ptr [esp+14h], 0 __text:00063B70 mov dword ptr [esp+10h], 0 __text:00063B78 mov [esp+0Ch], ebx __text:00063B7C mov ecx, [ebp+arg_4] __text:00063B7F mov [esp+8], ecx __text:00063B83 mov eax, [ebp+var_44] __text:00063B86 mov [esp+4], eax __text:00063B8A mov [esp], edi __text:00063B8D call __Z18DrawMenuBackgroundP13OpaqueMenuRefRK4RectS3_thPv ; DrawMenuBackground(OpaqueMenuRef *,Rect const&,Rect const&,ushort,uchar,void *) __text:00063B92 jmp short loc_63BDD __text:00063B94 ; --------------------------------------------------------------------------- __text:00063B94 __text:00063B94 loc_63B94: ; CODE XREF: _PrepareMenuWindow+90j __text:00063B94 mov ecx, [ebp+arg_0] __text:00063B97 mov [esp], ecx __text:00063B9A call _DisposeMenuWindow __text:00063B9F jmp short loc_63BDD __text:00063BA1 ; --------------------------------------------------------------------------- __text:00063BA1 __text:00063BA1 loc_63BA1: ; CODE XREF: _PrepareMenuWindow+195j __text:00063BA1 mov eax, [ebp+arg_0] __text:00063BA4 mov [esp], eax __text:00063BA7 call __Z11FindMBEntryP8MenuData ; FindMBEntry(MenuData *) __text:00063BAC mov ecx, eax __text:00063BAE test eax, eax __text:00063BB0 jz short loc_63BD5 __text:00063BB2 mov word ptr [eax+1Eh], 0 __text:00063BB8 mov word ptr [eax+1Ch], 0 __text:00063BBE mov word ptr [eax+1Ah], 0 __text:00063BC4 mov word ptr [eax+18h], 0 __text:00063BCA mov eax, [eax+18h] __text:00063BCD mov edx, [ecx+1Ch] __text:00063BD0 mov [ecx], eax __text:00063BD2 mov [ecx+4], edx __text:00063BD5 __text:00063BD5 loc_63BD5: ; CODE XREF: _PrepareMenuWindow+209j __text:00063BD5 mov [esp], esi __text:00063BD8 call _DisposeRgn __text:00063BDD __text:00063BDD loc_63BDD: ; CODE XREF: _PrepareMenuWindow+AAj __text:00063BDD ; _PrepareMenuWindow+1BFj ... __text:00063BDD xor eax, eax __text:00063BDF add esp, 5Ch __text:00063BE2 pop ebx __text:00063BE3 pop esi __text:00063BE4 pop edi __text:00063BE5 leave __text:00063BE6 retn __text:00063BE6 _PrepareMenuWindow endp
What have you got so far that isn't generated by IDA? (ie: your analysis of the function). From the looks of it its a __cdecl function that always returns NULL/false/0. It also seems to take 3 arguments(which can be confirmed by looking at what cleanup is by the caller, if there is any). Arg 0 is a MenuData*, arg 4 seems to be a Rect&(which is secretly just Rect*), arg 8 would be whatever type __AddOpenMenu takes as its fourth argument. So i'd assume something along the lines of typedef BOOL(__cdecl*)(MenuData*,Rect&,void*)