Cannot decode 0f c7 64 24 40 in Intel x64 and returns error = -1;
which should be xsavec [rsp+0x10] decoded by https://onlinedisassembler.com/odaweb/

in headers/BeaEngine.h

typedef struct {
char ArgMnemonic[64];
Int32 ArgType;
Int32 ArgSize;
Int32 ArgPosition;
UInt32 AccessMode;
MEMORYTYPE Memory;
UInt32 SegmentReg;
} ARGTYPE;

pragma pack()

while in include/baeengine/BaeEngine.h

pragma pack(1)

typedef struct {
char ArgMnemonic[64];
UInt64 ArgType;
Int32 ArgSize;
Int32 ArgPosition;
UInt32 AccessMode;
MEMORYTYPE Memory;
UInt32 SegmentReg;
} ARGTYPE;

pragma pack()

which one should I use...
(I think the one in "headers" should be generated by the one in "include")

Hi ! Sir,

I use BeaEngine V4 and Delphi 2010.

var
MyDisasm: TDISASM;

MyDisasm.VirtualAddr:=xxxxxxxx;
MyDisasm.EIP:=xxxxxxxx;

BeaEngine always got wrong address on ALL CALL/JMP/JNE/JE/..........

Why ??

The AccessMode property is set to READ for the first argument for the following instructions, although the first argument is modified:

• btc / btr / bts
• cmpxchg8b/16b
• pmulhw/lw
• pmaddwd
• por
• pssl*
• psrl*
• psra*
• psub* (including psubs* and psubus*)
• punpck*
• pxor

Hello,

The following bytes '\x44\x0f\xf8\x41\x8b' (disassembled as psubb mm0,mmword ptr [rcx-75h] by windbg) triggers an off-by-one in the RegistersMMX global variable:

void __bea_callspec__ fillRegister(int index, OPTYPE* pMyOperand, PDISASM pMyDisasm)
{
    size_t i = 0;
    switch(GV.Register_) {
      // ...
      case MMX_REG:
        #ifndef BEA_LIGHT_DISASSEMBLY
           (void) strcpy ((char*) pMyOperand->OpMnemonic+i, RegistersMMX[index]);
        #endif

The index variable is off-by-one:

08 0000002f`75dfce10 00007ff7`b1172f2a     rp_win_x64!fillRegister(int index = 0n8, struct OPTYPE * pMyOperand = 0x0000002f`75dfe06c, struct _Disasm * pMyDisasm = 0x0000002f`75dfdecc)+0x598 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 105] 

Cheers

With BeaEngine 5.3 64 bit DLL, when disassembling 64bit, F20F5E142534120000 is being decoded as divsd xmm2, qword ptr [00007FF4FD806425h] while it should be something like divsd xmm2, qword ptr [0000000000001234h]

I'm trying to compile a static library under visual studio on Windows so its linked against the MSVCRuntimes. CMake-GUI throws errors with the included makefile and manually creating the project gives me a slew of errors.

Theres got to be an easier, more straightforward way to do this, its advertised on the readme that it supports VS compilation but I can't find any docs covering it.

"
For online documentation, visit :

www.beaengine.org
"
But When I visit this URL ,my browser said "Forbidden"

unknown instruction: xsaveopt

disinfo.CompleteInstr: bts qword ptr ds:[rcx], 08h
disinfo.Instruction.Category: 10005
disinfo.AccessMode: 1

I think the access mode of this instruction should be READ+WRITE

Hello,

I'm hitting an OOB read access in the below code:

void __bea_callspec__ FixOpSizeForMemoryOperand (PDISASM pMyDisasm)
{
  int i = GV.MemDecoration / 100;
  if (ArgsSize[GV.MemDecoration - (i*100+1)] != 0) {

Basically, the following arithmetic GV.MemDecoration - (i*100+1) is equal to -1 which makes it access 4 bytes before the array:

0:004> ?? pMyDisasm->Reserved_.MemDecoration
int 0n0
0:004> ?? i
int 0n0

This has been caught using address-sanitizer on Windows:

=================================================================
==16444==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff67bf4dbfc at pc 0x7ff67bbd3a36 bp 0x002bd7cfd680 sp 0x002bd7cfd688
READ of size 4 at 0x7ff67bf4dbfc thread T16777215
    #0 0x7ff67bbd3a35 in FixOpSizeForMemoryOperand C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:192
    #1 0x7ff67bce538d in Disasm C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:35
    #2 0x7ff67ba75cfd in IntelBeaEngine::disass(unsigned char const *, unsigned __int64, unsigned __int64, enum DisassEngineReturn &) C:\work\codes\rp\src\rp\intelbeaengine.hpp:28

Cheers

The vp instructions does not decode well.
For example:
"c5 f1 ef c9" should be decoded to "vpxor xmm1,xmm1,xmm1" (instead of "lds...").
"c5 f5 74 01" should be decoded to "vpcmpeqb ymm0,ymm1,ymmword ptr [ecx]" (instead of "lds...").

In Routine_ModRM.c, there are 2 lines with "char str[2],,.", and then sprintf is writing to it 2 chars + NULL termination byte, which currupts the stack.

Hi,
Could you please add standard LICENSE file?

In #2 you applied a change that broke decoding of pop dword ptr [esp+displ].

• 8F0F24 must be disassembled to pop dword ptr [esp], not pop dword ptr [esp+4]
• 8F442404 must be disassembled to pop dword ptr [esp+4], not pop dword ptr [esp+8]
• 8F8424F0000000 must be disassembled to pop dword ptr [esp+F0], not pop dword ptr [esp+F4]
• and so on

While the current output might seem more "logical", it's a discrepancy from all other disassemblers and assemblers. Copying output from BeaEngine into an x86 assembler will result in a broken program.

My code:

/*
 * mov rax,qword ptr ds:[2D40D36016C]
 * mov qword ptr ds:[2D4127C48A2],rax
 * lea rdx,qword ptr ds:[2D40DB7449C]
*/
unsigned char Ins[]="\x48\x8B\x05\x65\x01\x00\x00\x48\x89\x05\x94\x48\x46\x05\x48\x8D\x15\x87\x44\x81\x00";
DISASM disAsm = {0};
int len;
unsigned char* pEnd = Ins + Size;

disAsm.VirtualAddr = 0x18100000000;
disAsm.EIP = (UInt64)Ins;
disAsm.Archi = 0x40;		// 0x40 = x64,0x20 = x86
disAsm.Options = MasmSyntax | ShowSegmentRegs  | PrefixedNumeral;

while (!disAsm.Error)
{
disAsm.SecurityBlock = (UInt64)(pEnd - disAsm.EIP);
if (disAsm.SecurityBlock <= 0) break;

len = Disasm(&disAsm);

switch (disAsm.Error)
{
case OUT_OF_BLOCK:
	break;
case UNKNOWN_OPCODE:
	printf("%s \n", &disAsm.CompleteInstr);
	disAsm.EIP += 1;
	disAsm.Error = 0;
	break;
default:
	
	printf("%s \n", &disAsm.CompleteInstr);
	disAsm.EIP += len;
	break;
}
}

Output:

mov rax, qword ptr ??:[0x000001810000016C]
mov qword ptr ??:[0x000001810546489B], rax
lea rdx, qword ptr ??:[0x000001810081448E]

MEMORY_TYPE = NO_ARGUMENT|REGISTER_TYPE
this may lead to mistake when use bit test (e.g. Asm.Argument2.ArgType&NO_ARGUMENT)

For example：pop dword ptr [esp+4].
In this instruction execution is divided into three steps：
temp <= [esp]
esp <= esp + 4
[esp + 4] <= temp
so,in fact the destination address is “[esp+8]”.

Example:

int main()
{
    BYTE instr[] = { 0x75, 0x01 };

    DISASM disasm;
    ZeroMemory(&disasm, sizeof(disasm));
    disasm.EIP = (UIntPtr)instr;
    disasm.VirtualAddr = 0x401000;

    Disasm(&disasm);
    printf("%s\n", disasm.CompleteInstr);
    printf("%d\n", disasm.Argument1.ArgSize);
    printf("%d\n", disasm.Argument2.ArgSize);
    return 0;
}

Output

jne 00401003h
32
0

The disassembly of \xf0\x48\x89\xce\xc3 is mov rsi, rcx ; ret when it should be actually be prefixed by the lock prefix. I've done a bit of debugging and BeaEngine sees the lock prefix but tags it as InvalidPrefix.

Also note that BeaEngine seems to behave the same way on the same bytes disassembled as x86.

A workaround would be appreciated!

Cheers

Hi, there are a couple issues with the BeaEngineDelphi64 header

• TREGISTERTYPE declares a "type" field but that is a reserved keyword, it should be renamed or prefixed with '&' as an escape

• ESReg, DSReg, etc. use C '0x' prefix, while it should be '$'

  ESReg = $1;
  DSReg = $2;
  FSReg = $4;
  GSReg = $8;
  CSReg = $10;
  SSReg = $20;
  

Right：mov r8b, 0x1 》》》》wrong： mov al, 0x01
Right：mov r9b, 0x1 》》》》wrong： mov cl, 0x01
Wait a lot。。。。。
Right：fstsw ax 》》》》wrong：wait fstsw
And so on, a series of things。。。。。。
Right：add rax, 0xFFFFFFFFAF1DD900 》》》》wrong：add rax, 0x00000000AF1DD900
Right：movsxd rax, edx 》》》》wrong：movsxd rax, rdx
Wait a lot。。。。。。。。。。。

Incorrect operand parsing:

x64 assembly: xor r11b, 0
in binary: 41 80 f3 00

Here is a part of test code:

DISASM infos;
int len;
BYTE buf[4] = { 0x41, 0x80, 0xf3, 0x00 };
// init
memset(&infos, 0, sizeof(DISASM));
infos.EIP = (UINT64)buf;
infos.VirtualAddr = 0;
// disasm
len = Disasm(&infos);
cout << infos.Operand1.AccessMode << endl;

I expect the result to be infos.Operand1.AccessMode = 3 (3 = READ | WRITE)
But it print 2 (2 = WRITE)

I check xor rcx, Imm, the result is 3, which means rcx will be read and than write.
But when it disasm xor r11b, Imm, the result is 2, means r11 only be write.
I think the result should be the same as the former as 3.

As the title, it only provides a few basic branches。This is a complete branch of other projects

hahah

Could you please use ${CMAKE_BINARY_DIR} instead of ${CMAKE_SOURCE_DIR} for lib and bin directories in CMakeLists.txt?

set (myLIB_OUTPUT "${CMAKE_SOURCE_DIR}/lib/${myQualification}" )
set (myBIN_OUTPUT "${CMAKE_SOURCE_DIR}/bin/${myQualification}")

Could you create tag for v4.1.175?

The vextract128 family destination register is disassembled in reversed order with a spurious ymm0 register, for instance

c4 c3 7d 19 c0 01 vextractf128 xmm8,ymm0,0x1

is disassembled as

vextractf128 ymm0, ymm0, xmm8, 01h

vaddss with 3 xmm registers is decoded with the last register as a memory access, for instance

c5 fa 58 c4 vaddss xmm0,xmm0,xmm4

is disassembled as

vaddss xmm0, xmm0, dword ptr [xmm4]

custome project use static lib can print unresolved external symbol __imp_Disasm

I see <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary> in .vcxproj file for static linking for Release config. Command line:
cmake -G "Visual Studio 12 2013" -DoptBUILD_LITE=ON -DoptHAS_SYMBOLS=OFF -DoptBUILD_64BIT=OFF -DoptHAS_OPTIMIZED=ON

P.S. CMake 3.3.2

headers\include\basic_types.h is not up to date, as include\beaengine\basic_types.h.
BeaEngine.h has 3 different versions in the repo.

And, why duplication of the same file in the first place (also valid for export.h)

I think i need the lib for it, but I don't got it. anyone has the lib?

Hi.

The issue is quite hard to explain so here is a video of the issue: https://gofile.io/?c=WcAWBd

The tool used in the video: https://overlayhack.com/cheat-tool-set

Hello,

I installed the BeaEnginePython via pip and was going to test out the python examples, specifically this one:

#!/usr/bin/python3

from BeaEnginePython import *

instr = Disasm(bytes.fromhex('90'))
instr.read()
print(instr.repr())

However, I immediately got the following error:

Traceback (most recent call last):
  File "c:/Users/Michael/Desktop/python/Test.py", line 5, in <module>
    instr = Disasm(bytes.fromhex('90'))
OSError: exception: access violation reading 0x00000090

It appears to be interpreting the bytes as an address. Perhaps there is a structure that needs to be pre-set similar to the C wrapper?
Thanks.