Welcome to the BeaEngine Sweet Home - x86 x86-64 disassembler library - (IA-32 & Intel64)

Home

This area is dedicated to code disassembly on intel and AMD processors. This project is a package with a disassembler library (BeaEngine.lib) for windows plateforms (tested under windows XP 32 bits,windows XP 64 bits,windows vista 32 bits, windows 7 32 bits), tools using this library (LookInside, plugin OllyDbg and ImmDbg), a Length Disassembler Engine (LDE64) and a french documentation about x86 and x86-64 instructions encoding.

BeaEngine.lib is a library coded in C (thanks to the IDE Code::Blocks and the compiler Pelles C ) created to decode instructions from 32 bits and 64 bits intel architectures. Actually, the only function available is called Disasm. It includes standard instruction set and instruction set from FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, VMX technologies. For those who like analyzing malicious codes and more generally obfuscated codes, BeaEngine decodes undocumented instructions called "alias" on the web site sandpile. In all scenarios, it sends back a complex structure that describes precisely the analyzed instructions.

You can use it in C (usable with Visual Studio, Pelles C , LCC or MingW), in assembler (usable with masm32, nasm, fasm, GoAsm) in Python and in Delphi. You can use it in ring3 and in ring0 because it does not use windows API. It had been thought to do a lot of tasks. First, you can retrieve mnemonic and operands according to the specified syntax : intel syntax for Nasm, masm32 et masm64, GoAsm32 and GoAsm64, fasm and AT&T syntax. Next, you can realize accurate analysis on data-flow and control-flow to generate slices or obfuscation patterns. This pack contains the library compiled in 32 bits and 64 bits, its source code under LGPL3 license, numerous examples more or less complex including headers for following langages : C, Python, Delphi, masm32, nasm, fasm ,GoAsm.

BeaEngine has been implemented using opcode tables seen in the intel documentation completed by tables proposed by Christian Ludloff on his web site www.sandpile.org

Example 1 : decoding simple x86

for this example, we want to decode , on a 32 bits architecture, the following bytes sequence :

0x89, 0x94, 0x88, 0x00, 0x20, 0x40, 0x00

If you ask a MASM32 syntax , BeaEngine sends you back this :

mov dword ptr ds:[eax + ecx*4 + 402000h], edx

If you ask a AT&T syntax, BeaEngine sends you back this :

movd %edx, %ds:402000h(%eax,%ecx,4)

If you ask a NASM syntax, BeaEngine sends you back this :

mov dword [ds:eax + ecx*4 + 0x402000], edx

Example 1 : complete analysis

For those who want to make a precise analysis of this instruction, BeaEngine proposes following fields :

Example 2 : decoding simple x86-64

This time, we want to decode , on a 64 bits architecture, the following bytes sequence :

0x41, 0x80, 0x7E, 0x01, 0x22

If yoy ask a MASM64 syntax, BeaEngine sends you back this :

cmp byte ptr ds:[r14+01h], 22h

If you ask a AT&T syntax, BeaEngine sends you back :

cmpb $22h, %ds:01h(%r14,)

If you ask a NASM syntax, BeaEngine sends you back :

cmp byte [ds:r14+0x01], 0x22

Example 2 : complete analysis

For those who want to make a complete analysis of this instruction, BeaEngine proposes following fields :

Performances

For a weight of approximatively 250 kb (for the dll version), the Disasm function offers a quite comfortable rate. On an intel core 2 duo, you can decode a file of 50 Mb (containing 22 millions instructions) in less than 13 seconds. To make a quick comparison, the Disasm function of OllyDebugger 1.10 engine decodes the same file in 40 seconds.

Contributors

A big thank you to all contributors who had spent their precious time to improve this library :