BeaEngine Disassembler extremely slow

Started by FlySky, October 07, 2012, 10:25:44 PM


FlySky

Hey Guys,

I've been playing around a bit more with BeaEngine as a disassembler engine. According to the website it should be able to disassemble a file of 50 MB in less than 13 seconds.
Well, for me it is taking ages (read: hours), so I must be doing something wrong, although I have no idea what.

I included the necessary BeaEngine files:

#Include BeaEngineGoAsm32.inc
Disasm = BeaEngine.lib:Disasm
InitVariables = BeaEngine.lib:InitVariables
AnalyzeOpcode = BeaEngine.lib:AnalyzeOpcode

In the data section I included the structure information:

;---------------------------------------------------------------------------------------------
; BEA Engine Variables
;---------------------------------------------------------------------------------------------
MyDisasm       _Disasm <>
szoutofblock    DB 'Security alert. Disasm tries to read unreadable memory', 0
//inlength        DD 10000h                 ;The number of instructions to read

The thing I am doing is pretty simple. I have a running process. I attach the program which has BeaEngine to it and click the Disassemble button.
Clicking that button starts a thread called DisassembleThread:

DisassembleThread Frame
   Local PtrImageBase:D
; Read the target's image into a local buffer so Disasm reads our own memory, not the other process's
   invoke GlobalAlloc, GMEM_FIXED, [SizeOfImage]
   mov [tempExe], Eax
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], PAGE_EXECUTE_READWRITE, Offset OldProtection
   invoke ReadProcessMemory, [ProcessHandle], [ImageBase], [tempExe], [SizeOfImage], 0
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], [OldProtection], Offset OldProtection

; Start disassembling at the entry point inside the copied image
   mov eax, [tempExe]
   add eax, [OEPRVA]
   mov [MyDisasm.EIP], eax

; SecurityBlock is a byte count (how far past EIP Disasm may read), not an address:
; bytes remaining from the entry point to the end of the buffer = SizeOfImage - OEPRVA
    mov eax, [SizeOfImage]
    sub eax, [OEPRVA]
    mov [MyDisasm.SecurityBlock], eax

    ; *********************** loop for disasm
MakeDisasm:
    push offset MyDisasm
    call Disasm
    cmp eax, OUT_OF_BLOCK
    jne >
        push offset szoutofblock
        call puts
        add esp, 4
        invoke GlobalFree, [tempExe]    ; release the image copy before leaving the thread
        Ret
    :
    cmp eax, UNKNOWN_OPCODE
    jne >
        inc D[MyDisasm.EIP]             ; skip one byte and try again
        dec D[MyDisasm.SecurityBlock]   ; keep the readable byte count in step with EIP
        jmp > Display
    :
        add [MyDisasm.EIP], eax         ; eax = length of the decoded instruction
        sub [MyDisasm.SecurityBlock], eax
Display:
//    push offset MyDisasm.CompleteInstr
//    call puts
//    add esp, 4
    invoke SendMessage, [DumpOutput], LB_ADDSTRING, NULL, Offset MyDisasm.CompleteInstr

      ; stop once EIP has reached the end of the copied image
      mov eax, [tempExe]
      add eax, [SizeOfImage]
      cmp D[MyDisasm.EIP], eax
    jb < MakeDisasm
    invoke GlobalFree, [tempExe]
Ret
EndF

It's going extremely slowly, like I said, and I have no idea why. I am using the latest BeaEngine revision, 172, from the website.

Can someone explain to me what I am doing wrong, as 13 seconds for 50 MB is clearly not working for me ;(


qWord

Adding a huge number of strings to a list box can be very slow: use WM_SETREDRAW to lock the control while inserting the items.
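Added example (not code from qWord's or FlySky's posts): the disassembly loop from the first post with the list box fix qWord describes. WM_SETREDRAW FALSE is sent before the loop so the control is not repainted and re-laid-out on every LB_ADDSTRING, and WM_SETREDRAW TRUE plus InvalidateRect after the loop paints it once. LB_INITSTORAGE pre-sizes the list box's item and string storage so it does not grow incrementally; the counts passed to it here are placeholders, not measured values. The variables (MyDisasm, DumpOutput, tempExe, SizeOfImage, OEPRVA) and the GoAsm syntax are assumed to be the same as in the thread.

```asm
DisassembleThread Frame
   Local PtrImageBase:D
   invoke GlobalAlloc, GMEM_FIXED, [SizeOfImage]
   mov [tempExe], Eax
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], PAGE_EXECUTE_READWRITE, Offset OldProtection
   invoke ReadProcessMemory, [ProcessHandle], [ImageBase], [tempExe], [SizeOfImage], 0
   invoke VirtualProtectEx, [ProcessHandle], [ImageBase], [SizeOfImage], [OldProtection], Offset OldProtection

   mov eax, [tempExe]
   add eax, [OEPRVA]
   mov [MyDisasm.EIP], eax
   mov eax, [SizeOfImage]
   sub eax, [OEPRVA]
   mov [MyDisasm.SecurityBlock], eax        ; bytes Disasm may read from EIP

   ; Stop the list box from repainting while we fill it (this is the fix from the reply above)
   invoke SendMessage, [DumpOutput], WM_SETREDRAW, FALSE, 0
   ; Optional: reserve room up front. wParam = expected item count, lParam = bytes of string
   ; storage; both values below are placeholders chosen for this example.
   invoke SendMessage, [DumpOutput], LB_INITSTORAGE, 100000, 4000000

MakeDisasm:
    push offset MyDisasm
    call Disasm
    cmp eax, OUT_OF_BLOCK
    je > Done                                ; hit the end of the readable block: finish up
    cmp eax, UNKNOWN_OPCODE
    jne >
        inc D[MyDisasm.EIP]                  ; skip one byte and try again
        dec D[MyDisasm.SecurityBlock]
        jmp > Display
    :
        add [MyDisasm.EIP], eax              ; eax = instruction length
        sub [MyDisasm.SecurityBlock], eax
Display:
    ; With redraw off this is cheap: the control only stores the string
    invoke SendMessage, [DumpOutput], LB_ADDSTRING, NULL, Offset MyDisasm.CompleteInstr
    mov eax, [tempExe]
    add eax, [SizeOfImage]
    cmp D[MyDisasm.EIP], eax
    jb < MakeDisasm

Done:
    ; Re-enable drawing and repaint the whole control exactly once
    invoke SendMessage, [DumpOutput], WM_SETREDRAW, TRUE, 0
    invoke InvalidateRect, [DumpOutput], NULL, TRUE
    invoke GlobalFree, [tempExe]
Ret
EndF
```

The important part is that WM_SETREDRAW TRUE alone does not force a repaint; the InvalidateRect call after it is what makes the list box show the new items. If the thread can exit early (the OUT_OF_BLOCK path above), make sure it goes through the same re-enable code, otherwise the control stays blank until something else invalidates it.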

jj2007


FlySky

Sorry for my late reply. It seems the list box indeed was the problem.
It is running in just 3 seconds for a 17 MB file. Thanks for the tips.