The MASM Forum

Projects => Rarely Used Projects => GoAsm => Topic started by: FlySky on October 07, 2012, 10:25:44 PM

Title: BeaEngine Disassembler extremely slow
Post by: FlySky on October 07, 2012, 10:25:44 PM
Hey Guys,

I've been playing around a bit more with BEAEngine as a Disassembler Engine. According to the website it should be able to disassemble a file of 50 mb in less than 13 seconds.
Well for me it is taking ages (read hours) so I must be doing something wrong, although I have no idea what.

I included the necessary BEAEngine files:

#Include BeaEngineGoAsm32.inc
Disasm = BeaEngine.lib:Disasm
InitVariables = BeaEngine.lib:InitVariables
AnalyzeOpcode = BeaEngine.lib:AnalyzeOpcode

In the data section I included the structure information:

;---------------------------------------------------------------------------------------------
; BEA Engine Variables
;---------------------------------------------------------------------------------------------
MyDisasm       _Disasm <>
szoutofblock    DB 'Security alert. Disasm tries to read unreadable memory', 0
//inlenght        DD 10000h                 ;The number of instructions to read

The thing I am doing is pretty simple. I have a running process. I attach the program which has BEAEngine to it and click the Disassemble button.
When clicking that button a thread called DisassembleThread runs:

DisassembleThread Frame
   Local PtrImageBase:D
;Read Process Memory to start disassembling
   invoke GlobalAlloc, GMEM_FIXED, [SizeOfImage]
   mov [tempExe], Eax
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], PAGE_EXECUTE_READWRITE, Offset OldProtection
   invoke ReadProcessMemory, [ProcessHandle], [ImageBase], [tempExe], [SizeOfImage], 0
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], [OldProtection], Offset OldProtection

   mov eax, [tempExe]
   add eax, [OEPRVA]
   mov [MyDisasm.EIP], eax

    mov eax, [tempExe]   
    add eax, [SizeOfImage]
    sub eax, [ImageBase]
    mov [MyDisasm.SecurityBlock], eax
   
    ; *********************** loop for disasm
MakeDisasm:
    push offset MyDisasm
    call Disasm
    cmp eax, OUT_OF_BLOCK
    jne >
        push offset szoutofblock
        call puts
        add esp, 4
         //  push 0
         //  call ExitProcess
         Ret
    :
    cmp eax, UNKNOWN_OPCODE
    jne >
        inc D[MyDisasm.EIP]
        jmp > Display
    :
        add [MyDisasm.EIP], eax
Display:       
//    push offset MyDisasm.CompleteInstr
//    call puts                 
//    add esp, 4
    invoke SendMessage, [DumpOutput], LB_ADDSTRING, NULL, Offset MyDisasm.CompleteInstr
      
      mov eax, [tempExe]
      add eax, [SizeOfImage]
      cmp D[MyDisasm.EIP], eax
    jne < MakeDisasm
    //push 0
    //call ExitProcess
Ret
EndF

It's going extremely slow like I said and I have no idea why. I am using the latest BEAEngine revision 172 from the website.

Can someone explain to me what I am doing wrong, as 13 seconds for 50 mb is clearly not working for me;(.

Title: Re: BeaEngine Disassembler extremely slow
Post by: qWord on October 08, 2012, 12:00:52 AM
Adding a huge number of strings to a list box can be very slow: use WM_SETREDRAW (http://msdn.microsoft.com/en-us/library/windows/desktop/dd145219(v=vs.85).aspx) to lock the control while inserting the items.
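
The WM_SETREDRAW tip above, as an added GoAsm sketch that is not code from any poster in this thread: a wrapper that suspends list box painting, runs FlySky's DisassembleThread unchanged, and always re-enables painting, including when the routine returns early on OUT_OF_BLOCK. The label FillListBoxLocked and the LB_INITSTORAGE size estimates are assumptions; DumpOutput and DisassembleThread are the names from the first post.

```asm
; Added example, not part of the original thread.
; Message values are from winuser.h; they are defined here in case the
; include file in use does not already provide them.
WM_SETREDRAW   = 0Bh
LB_INITSTORAGE = 1A8h

; Hypothetical wrapper: call this instead of calling DisassembleThread directly.
FillListBoxLocked Frame
    ; Stop the list box from repainting after every LB_ADDSTRING.
    invoke SendMessage, [DumpOutput], WM_SETREDRAW, 0, 0          ; wParam 0 = FALSE

    ; Optional: reserve storage up front so the control does not grow its
    ; buffers one item at a time. Both numbers are constructed estimates
    ; (item count, total bytes of string data), not values from the thread.
    invoke SendMessage, [DumpOutput], LB_INITSTORAGE, 100000, 3200000

    ; Run the disassembly loop from the first post as it is. Because the
    ; lock lives in this wrapper, the early Ret taken on OUT_OF_BLOCK still
    ; comes back here, so painting is never left switched off.
    call DisassembleThread

    ; Re-enable painting and force one repaint of the whole control.
    invoke SendMessage, [DumpOutput], WM_SETREDRAW, 1, 0          ; wParam 1 = TRUE
    invoke InvalidateRect, [DumpOutput], 0, 1                     ; whole client area, erase background
    Ret
EndF
```
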
Title: Re: BeaEngine Disassembler extremely slow
Post by: jj2007 on October 08, 2012, 02:50:19 AM
Indeed. See also the Fill a listbox 40*faster (http://www.movsd.com/board/index.php?topic=12802.0) thread in the old forum.
Title: Re: BeaEngine Disassembler extremely slow
Post by: FlySky on October 14, 2012, 06:05:26 PM
Sorry for my late reply. It seems the listbox indeed was the problem.
It is running in just 3 seconds for a 17 mb file. Thanks for the tips.