Saturday, January 10, 2015

Practical Reverse Engineering p. 36 #12

Question number 12 on page 36 of Practical Reverse Engineering is as follows:

Bruce's favorite x86/x64 disassembly library is BeaEngine by BeatriX. Experiment with it by writing a program to disassemble a binary at its entry point.

This program is called the Burdensome Arbitrary Disassembler (BAD). You must supply the file name and the file offset of the entry point as arguments. Parsing PE and ELF files is pretty trivial, but then it wouldn't be BAD.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define BEA_USE_STDCALL
#include "headers/BeaEngine.h"

/* Read the whole file into a freshly malloc'd buffer; returns NULL on failure. */
void *read_file(char *file_name, long *file_size)
{
    FILE *fp;
    void *dest;

    fp = fopen(file_name, "rb");
    if (fp == NULL) {
        perror(file_name);
        return NULL;
    }
    fseek(fp, 0, SEEK_END);
    *file_size = ftell(fp);
    rewind(fp);                     /* fread must start at the beginning of the file */

    dest = malloc(*file_size);
    if (dest == NULL || fread(dest, 1, *file_size, fp) != (size_t) *file_size) {
        free(dest);
        fclose(fp);
        return NULL;
    }
    fclose(fp);
    return dest;
}

void disassemble(char *file_name, uint64_t offset)
{
    DISASM dsBea;
    int len;                        /* Disasm() returns int: UNKNOWN_OPCODE (-1) and OUT_OF_BLOCK (0) */
    uint8_t *pe_file;
    long file_size;

    memset(&dsBea, 0, sizeof(DISASM));
    dsBea.Archi = 64;               /* decode as x64 */

    pe_file = read_file(file_name, &file_size);
    if (pe_file == NULL || (long) offset >= file_size) {
        fprintf(stderr, "cannot read %s, or the offset lies past the end of the file\n", file_name);
        free(pe_file);
        return;
    }

    file_size -= (long) offset;
    dsBea.EIP = (uint64_t) (pe_file + offset);
    dsBea.SecurityBlock = (uint32_t) file_size;   /* keep BeaEngine from reading past the buffer */

    while (file_size > 0) {
        len = Disasm(&dsBea);
        if (len == UNKNOWN_OPCODE || len == OUT_OF_BLOCK)
            break;
        printf("%s\n", dsBea.CompleteInstr);

        dsBea.EIP += (uint64_t) len;
        dsBea.SecurityBlock -= (uint32_t) len;
        file_size -= (long) len;
    }
    free(pe_file);
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <file> <entry point file offset>\n", argv[0]);
        return 1;
    }
    /* base 0: decimal as in the example below, or 0x-prefixed hex */
    disassemble(argv[1], (uint64_t) strtoull(argv[2], NULL, 0));
    return 0;
}
Here is an example of disassembly:

C:\BAD\x64\Debug>bad test.exe 3312

sub rsp, 28h
call 0047BCB0h
call 0047AB50h
add rsp, 28h

This matches IDA's output (besides mapping address offsets):
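BAD makes you look up the entry point's file offset yourself (3312 in the run above). As an added example that is not part of the post, here is that lookup done in C: it walks the DOS, COFF and section headers to map AddressOfEntryPoint (an RVA) to the file offset BAD expects, and exercises it on a constructed PE32+ header image rather than a real binary (all function names are my own).

```c
#include <stdint.h>
#include <string.h>

/* PE fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Translate AddressOfEntryPoint (an RVA) into a file offset via the section whose
 * raw data covers it; -1 on malformed headers or when no section's raw data does. */
long pe_entry_file_offset(const uint8_t *buf, size_t size)
{
    if (size < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                                /* e_lfanew */
    if (pe > size || size - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe + 4;                            /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(coff + 2), opt_size = rd16(coff + 16);
    size_t sec_off = (size_t)pe + 24 + opt_size;                   /* first section header */
    if (opt_size < 20 || sec_off > size || (size - sec_off) / 40 < nsec) return -1;
    uint32_t entry_rva = rd32(coff + 20 + 16);                     /* AddressOfEntryPoint */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = buf + sec_off + (size_t)i * 40;
        uint32_t va = rd32(sh + 12), raw_size = rd32(sh + 16), raw_ptr = rd32(sh + 20);
        if (entry_rva >= va && entry_rva - va < raw_size)
            return (long)(raw_ptr + (entry_rva - va));
    }
    return -1;
}

/* Constructed test image (not a real binary): MZ/PE headers, a PE32+-sized optional
 * header and one section mapped at RVA 0x1000, 0x600 raw bytes from file offset 0x400. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const uint32_t pe = 0x80, opt_size = 0xF0;
    size_t total = pe + 24 + opt_size + 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, pe); memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 6, 1); wr16(buf + pe + 20, (uint16_t)opt_size); /* NumberOfSections, SizeOfOptionalHeader */
    wr32(buf + pe + 24 + 16, entry_rva);                           /* AddressOfEntryPoint */
    uint8_t *sh = buf + pe + 24 + opt_size;
    wr32(sh + 12, 0x1000); wr32(sh + 16, 0x600); wr32(sh + 20, 0x400); /* VA, SizeOfRawData, PointerToRawData */
    return total;
}

/* Build the sample image and resolve its entry point in one call. */
long sample_entry_offset(uint32_t entry_rva)
{
    uint8_t img[512]; size_t n = build_sample_pe(img, sizeof img, entry_rva);
    return n ? pe_entry_file_offset(img, n) : -1;
}
```

The returned offset is what you would pass as BAD's second argument; an entry RVA outside every section's raw data (common with packed or deliberately corrupted headers) yields -1 rather than an out-of-bounds read.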
