Bea Engine Disassembler

[luis]

For windows, I suppose it can be easily adapted for other platform downloading the appropriate libs.

; Bea Engine
; http://www.beaengine.org/
; PB 5.31 / Bea Engine 4.1.175
; Luis, Feb 2015

; Thanks to Helle for the original wrapper/example.
; http://www.purebasic.fr/english/viewtop ... 80#p356880

; With this include you can use the Bea Engine with its native commands (see example1.pb)
; or in compatibility mode with the same syntax of the original PB disassembler commands (see example2.pb).
; The replaced PB commands have a "Bea_" prefix:

; Bea_ExamineAssembly (*start_code, *end_code = -1)
; Bea_NextInstruction()
; Bea_InstructionString()
; Bea_InstructionAddress()

; Should be ascii/unicode/x86/x64 compatible

; 1.01
; Now you can link against the DLL (#BEA_DLL = 1) or the STATIC LIB (#BEA_DLL = 0).
; If you use the DLL you have to call BeaLoad() and BeaUnload().
; See the examples.

; 1.02
; Updated for 4.1.175
; Corrected an offset error in example1.pb

Download [... from someone who got a copy at the time].

[Didelphodon]

BEA is good - I'm already using it in my code-analyzer for years now.

[ultralazor]

You can do it with ExamineAssembly and PE structs just as easily..I'm not sure what the analytical differences are, but I do know all dissemblers can be fooled.

[ts-soft]

thx

i have made a version using static libs and with shorter include
http://dl.dropbox.com/u/3086026/BeaEngine.zip

[luis]

@ts-soft, oh right, the only difference in the two includes was EIP as .q instead of .l right ?
Well we have the .i type now, good catch

At this point I'm a little puzzled about the reason to make two includes in the first place in the original Bea distribution instead of using Compilerif ... BOH !

Uhm, I'll make a single include me too working with both dll and static lib and I'll update the first post.

Thanks !

[Zach]

n00b Alert!


...What would I use this tool for? What would it help me do? Or is it just for more curious people who like to peek inside things?

[luis]

@zach

It's a disassembler exactly like the stand-alone disassemblers you may have seen before.

The difference it's you can use it programmatically (dynamically) and act doing different things based on the result of what you are disassembling.

For example in the program featured on this thread -> http://www.purebasic.fr/english/viewtop ... 14&t=16179

a similar lib was used to determine the number of params of a dll function loaded in memory at a certain time, disassembling it and checking the number after its RET instruction.

[Zach]

So in other words...

Too advanced for my brain

[ultralazor]

it's for reverse engineering x86 code in PE files or dumps.

PB has one built into it, static tracing and/or emulating with it produces the same results, both are useless against obfuscation though, for that you'll also need the debug api to dump memory after processing..

You could also just download ollydbg and not try to to reinvent the wheel..unless you can do it for more than intel..

[xorc1zt]

ollydgb suck pretty hard on x64

[ultralazor]

ollydgb suck pretty hard on x64

only if you need to hide it..I've used it a lot on x64 XP and 7.

RE tools are scarce outside of IDA and olly, mainly because there is no serious market in it outside of malware analysis which is super time consuming and vendors won't even consider you if you don't have paper credentials and can get domestic security clearance..

[fsw]

Here is the one I use on 64 bit:
Visual DuxDebugger
fsw

[xorc1zt]

recently, ida got leaked from ESET (nod32) but the best for me is windgb or ida with virtualkd on virtualbox

http://virtualkd.sysprogs.org
https://www.virtualbox.org/
http://msdn.microsoft.com/en-us/windows ... e/gg463009
http://msdn.microsoft.com/en-us/library/ff551063.aspx
http://www.hexblog.com/?p=123

[oldefoxx]

Decades back, I learned m.l. and asm first. But I pretty much left that behind, and
went with higher level languages. CPUs are all different now, so I'm pretty much
out of touch. Found there Assemblers that produce different results under different
circumstances. so decided I needed a way to verify one over another. Looked like
going with a Disassembler or two would bring more votes to the table. Got the
free versions of IDA Pro, and BEAengine, and Nasm comes with a dissembler of its
own. Now following this thread, I see a few more choices.

But having them and knowing how to use them is not the same thing. My idea is
to read the contents of portions of the files and see how much they agree. The
file with be .obj or ,bin, produced by one of the assemblers. I will have two flag
instructions to generate a sequence of 4 bytes to mark where the disassembly
should start and the same four bytes at the point where the disassembly should
stop. To avoid possible confusion by the assembler/disassembler efforts, the
two instructions are mov cl,cl and mov ch,ch, one before the other. Mov does not
change the flags, moving registers to themselves does not change their contents,
and working with byte-size registers I avoid some issues with handling words and
dwords, which not all assemblers treat the same way.

Since most of you are way ahead of me on something like this, and since I presently
know so little about PureBasic or working with the disassemblers, you have a
chance to jump in here and plant a few ideas in my noggin.

What am I looking for? I'm looking for the assembler that gets it right, even in some
oddball cases. What do I mean by oddball? Something like add eax,1. Why do an add
when you could do an inc eax? Because it is the type of instruction that might not be
expected or handled right. And all three assemblers disagreed on this one.

[luis]

Updated to PB 5.31 / Bea Engine 4.1.175 and fixed an error in the first example.