Hey Guys,
I've been playing around a bit more with BEAEngine as a Disassembler Engine. According to the website it should be able to disassemble a file of 50 mb in less than 13 seconds.
Well for me it is taking ages (read hours) so I must be doing something wrong, although I have no idea what.
I included the neccesary BEAEngine files:
#Include BeaEngineGoAsm32.inc
Disasm = BeaEngine.lib:Disasm
InitVariables = BeaEngine.lib:InitVariables
AnalyzeOpcode = BeaEngine.lib:AnalyzeOpcode
In the data section I included the structure information:
;---------------------------------------------------------------------------------------------
; BEA Engine Variables
;---------------------------------------------------------------------------------------------
MyDisasm _Disasm <>
szoutofblock DB 'Security alert. Disasm tries to read unreadable memory', 0
//inlenght DD 10000h ;The number of instructions to read
The thing I am doing is pretty simple. I have a running process. I attach the program which has BEAEngine to it and click the Disassemble button.
When clicking that button a thread runs a thread called DisassembleThread
DisassembleThread Frame
Local PtrImageBase:D
;Read Process Memory to start disassembling
invoke GlobalAlloc, GMEM_FIXED, [SizeOfImage]
mov [tempExe], Eax
invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], PAGE_EXECUTE_READWRITE, Offset OldProtection
invoke ReadProcessMemory, [ProcessHandle], [ImageBase], [tempExe], [SizeOfImage], 0
invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], [OldProtection], Offset OldProtection
mov eax, [tempExe]
add eax, [OEPRVA]
mov [MyDisasm.EIP], eax
mov eax, [tempExe]
add eax, [SizeOfImage]
sub eax, [ImageBase]
mov [MyDisasm.SecurityBlock], eax
; *********************** loop for disasm
MakeDisasm:
push offset MyDisasm
call Disasm
cmp eax, OUT_OF_BLOCK
jne >
push offset szoutofblock
call puts
add esp, 4
// push 0
// call ExitProcess
Ret
:
cmp eax, UNKNOWN_OPCODE
jne >
inc D[MyDisasm.EIP]
jmp > Display
:
add [MyDisasm.EIP], eax
Display:
// push offset MyDisasm.CompleteInstr
// call puts
// add esp, 4
invoke SendMessage, [DumpOutput], LB_ADDSTRING, NULL, Offset MyDisasm.CompleteInstr
mov eax, [tempExe]
add eax, [SizeOfImage]
cmp D[MyDisasm.EIP], eax
jne < MakeDisasm
//push 0
//call ExitProcess
Ret
EndF
It's going extremely slow like I said and I have no idea why. I am using the lastest BEAEngine revision 172 from the website.
Can someone explain to me what I am doing wrong, as 13 seconds for 50 mb is clearly not working for me;(.
