This area is dedicated to code disassembly on intel and AMD processors. This project is a package with a multi-plateform x86 and x64 disassembler library (Solaris, MAC OSX, AIX, Irix, OS/2, Linux, Windows), tools under windows using this library (LookInside, plugin OllyDbg and ImmDbg), a Length Disassembler Engine (LDE64) and useful links to different documentations.

BeaEngine is a library coded in C respecting ISO C99 norm since 4.0.0 version (originally written with the IDE Code::Blocks and the compiler Pelles C). It has been developed to decode instructions from 16 bits, 32 bits and 64 bits intel architectures. Actually, the main function available is called Disasm. It includes standard instruction set and instruction set from FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, VMX, CLMUL, AES technologies. For those who like analyzing malicious codes and more generally obfuscated codes, BeaEngine decodes undocumented instructions called "alias" on the web site sandpile. In all scenarios, it sends back a complex structure that describes precisely the analyzed instructions.

You can use it in C/C++ (usable and compilable with Visual Studio, GCC, MinGW, DigitalMars, BorlandC, WatcomC, SunForte, Pelles C, LCC), in assembler (usable with masm32 and masm64, nasm, fasm, GoAsm) in C#, in Python, in Delphi, in PureBasic and in WinDev. You can use it in user mode and kernel mode. It has been thought to do a lot of tasks. First, you can retrieve mnemonic and operands according to the specified syntax : intel syntax for Nasm, masm32 and masm64, GoAsm32 and GoAsm64, fasm and AT&T syntax. Next, you can realize accurate analysis on data-flow and control-flow to generate slices or obfuscation patterns. This pack contains the library compiled in 32 bits and 64 bits for windows plateform, its source code under LGPL3 license with a "Makefile builder", numerous examples more or less complex including headers for following languages : C/C++, C#, Python, Delphi, PureBasic, masm32, masm64, nasm(x86 and x64), fasm(x86 and x64), GoAsm(x86 and x64).

BeaEngine has been implemented using opcode tables seen in the intel documentation completed by tables proposed by Christian Ludloff on his web site www.sandpile.org

Example 1 : decoding simple x86



For this example, we want to decode, on a 32 bits architecture, the following bytes sequence :

0x89, 0x94, 0x88, 0x00, 0x20, 0x40, 0x00

If you ask a MASM32 syntax, BeaEngine sends you back this :

mov dword ptr ds:[eax + ecx*4 + 402000h], edx

If you ask a AT&T syntax, BeaEngine sends you back this :

movd %edx, %ds:402000h(%eax, %ecx, 4)

If you ask a NASM syntax, BeaEngine sends you back this :

mov dword [ds:eax + ecx*4 + 0x402000], edx

Example 1 : complete analysis

For those who want to make a precise analysis of this instruction, BeaEngine proposes following fields :

  • MyDisasm.Instruction.Category == GENERAL_PURPOSE_INSTRUCTION + DATA_TRANSFER
  • MyDisasm.Instruction.Opcode == 0x89
  • MyDisasm.Instruction.Mnemonic == "mov "
  • MyDisasm.Argument1.ArgMnemonic == "eax + ecx*4 + 402000h"
  • MyDisasm.Argument1.ArgType == MEMORY_TYPE
  • MyDisasm.Argument1.ArgSize == 32
  • MyDisasm.Argument1.AccessMode == WRITE
  • MyDisasm.Argument1.Memory.BaseRegister == REG0
  • MyDisasm.Argument1.Memory.IndexRegister == REG1
  • MyDisasm.Argument1.Memory.Scale == 4
  • MyDisasm.Argument1.Memory.Displacement == 0x402000
  • MyDisasm.Argument1.SegmentReg == DSReg
  • MyDisasm.Argument2.ArgMnemonic == "edx"
  • MyDisasm.Argument2.ArgType == REGISTER_TYPE + GENERAL_REG + REG2
  • MyDisasm.Argument2.ArgSize == 32
  • MyDisasm.Argument2.AccessMode == READ

Example 2 : decoding simple x86-64



This time, we want to decode, on a 64 bits architecture, the following bytes sequence :

0x41, 0x80, 0x7E, 0x01, 0x22

If you ask a MASM64 syntax, BeaEngine sends you back this :

cmp byte ptr ds:[r14+01h], 22h

If you ask a AT&T syntax, BeaEngine sends you back :

cmpb $22h, %ds:01h(%r14)

If you ask a NASM syntax, BeaEngine sends you back :

cmp byte [ds:r14+0x01], 0x22

Example 2 : complete analysis

For those who want to make a complete analysis of this instruction, BeaEngine proposes following fields :

  • MyDisasm.Instruction.Category == GENERAL_PURPOSE_INSTRUCTION + COMPARISON_INSTRUCTION
  • MyDisasm.Instruction.Opcode == 0x80
  • MyDisasm.Instruction.Mnemonic == "cmp "
  • MyDisasm.Instruction.Immediat == 0x22
  • MyDisasm.Prefix.Number == 1
  • MyDisasm.Prefix.REX.state == InUsePrefix
  • MyDisasm.Prefix.REX.B_ == 1
  • MyDisasm.Argument1.ArgMnemonic == "r14+01h"
  • MyDisasm.Argument1.ArgType == MEMORY_TYPE
  • MyDisasm.Argument1.ArgSize == 8
  • MyDisasm.Argument1.AccessMode == READ
  • MyDisasm.Argument1.Memory.BaseRegister == REG14
  • MyDisasm.Argument1.Memory.Displacement == 0x01
  • MyDisasm.Argument1.SegmentReg == DSReg
  • MyDisasm.Argument2.ArgMnemonic == "22h"
  • MyDisasm.Argument2.ArgType == CONSTANT_TYPE + ABSOLUTE_
  • MyDisasm.Argument2.ArgSize == 8
  • MyDisasm.Argument2.AccessMode == READ

Performances

The Disasm function of BeaEngine (standard version) offers a quite comfortable rate. On an intel core 2 duo, you can decode a file of 50 Mb (containing 22 millions instructions) in less than 13 seconds. To make a quick comparison, the Disasm function of OllyDebugger 1.10 engine decodes the same file in 40 seconds.

If you want to speed up the disassembly, you can use BeaEngine (Cheetah version). With it, you can't display the disassembly but instead of 13 seconds, it spends only 5 sec to make the same job.