Hi,

I am having troubles with getting BeaEngine to work. i am using the files (lib+.dll) given in "\beaengine-win32\Win32\Dll\" and this code:

#include <Windows.h>
#include <stdio.h>
#include <string.h>
//#define BEA_ENGINE_STATIC  /* specify the usage of a static version of BeaEngine */
#define BEA_USE_STDCALL	/* specify the usage of a stdcall version of BeaEngine */
#include "BeaEngine.h"#pragma comment(lib, "BeaEngine.lib")int main()
{
	DISASM di;
	ZeroMemory(&di,sizeof(di));	di.EIP = (UIntPtr)main;
	di.EIP = (UIntPtr)0x00412130; //!
	int len;	for(int i=0; i<20; i++)
	{
		len = Disasm(&di);
		di.EIP += len;
	}	Sleep(10000);
}

It`s supposed to disassemble the 20 instructions @0x00412130. This works fine, BUT the ARGTYPE substructs are not filled.

According to the documentation, these structs are supposed to contain information on the different arguments, and this can also be seen in "LookInside", the a demo application using BeaEngine. The other parts of the structs are filled correctly, including the MEMORY sub-struct of ARGTYPEs.

BeaEngine:

http://www.beaengine.org

According to the dll, i am using Bea v4.1 revisiong 171 (the latest). My compiler is MSVC++2008.

I also posted this in the actal BeaEngine forum, but there isnt too much going on there and since it does seem to be widely used, i thought someone might now something...

d.

edit:

i have added the full project i am using, incl. bea`s dll.

beatest2.rar

Edited November 19, 201113 yr by deepzero

From a quick glance at the BeaEngine source I can't find any obvious bugs.

The routine for PUSH BYTE fills some of the values, so they have to be changed afterwards.

On a sidenote, the VS debugger can produce lots of horse**** in its variables view. Maybe it gets confused by the struct packing BeaEngine has, and the values are actually ok. Have you checked in Olly?

It seems something is indeed broken, be it BeaEngine or VS:

the value of IndexRegister in my screenshot:

1179010630 -to hex-> 46464646 -to ascii> FFFF (the value being pushed....)

And why was the memory struct filled in the first place?

It should be empty, there is no SMB byte involved in a "push const"...really strange.

Look, I don't code in C, but maybe this could be the reason.

From "1 - How to decode 100 lines of code (basic example) ?":

MyDisasm.EIP = (UIntPtr) &main;

Your code:

di.EIP = (UIntPtr)0x00412130; //!

Shouldn't it be like this instead?

di.EIP = (UIntPtr) &0x00412130; //!

So the fix would be assigning pointer instead of variable content...

Cheers

Nacho_dj

0x00412130 is not a variable, it's an immediate value (a constant).

This code assigns the address 0x00412130 to the pointer, so BeaEngine starts reading at this exact VA in the process memory.

You shouldn't be doing this in production code but here it's an easy way to test BeaEngine on the code of the process.

Oh yes Killboy, I see it, I have explained myself very bad (mash potatoes explanation!), what I was trying to state is this value is being assigned, but the needed value might be its pointed content... but forget it, hehe

Anyway, why don't get the imagebase and then add to the OEP? Maybe the reason ImageBase is not being 0x400000 at execution time, who knows.

got it.

now, what in the name of god is this doing in the INSTRTYPE definition:

   UInt32 len;
   char instr[OPCODE_LENGTH];

How did it get there?

What is it doing there?

Did i ...?

#investigating...

From a quick glance at the BeaEngine source I can't find any obvious bugs.

The routine for PUSH BYTE fills some of the values, so they have to be changed afterwards.

On a sidenote, the VS debugger can produce lots of banana**** in its variables view. Maybe it gets confused by the struct packing BeaEngine has, and the values are actually ok. Have you checked in Olly?

Cool, someone else noticed my MSVS bug I found when writing up mudpack. Do you know any version which doesn't have said bug with struct/variable tracing?