0

I am using BeaEngine to disassemble my exe file, but I can't set the correct EIP, and my result is different from the OllyDBG result.

How can I set the correct EIP?

void dis()
{
    listBox1.Items.Add("Version: " + BeaEngine.Version);
    listBox1.Items.Add("Revision: " + BeaEngine.Revision);

    UnmanagedBuffer buffer = new UnmanagedBuffer(File.ReadAllBytes("JetAudio.exe"));

    var disasm = new Disasm();
    disasm.EIP = new IntPtr(buffer.Ptr.ToInt64() + 0x400);
    //disasm.EIP = new IntPtr( 0x401000);

    for (int counter = 0; counter < 100; ++counter)
    {
        int result = BeaEngine.Disasm(disasm);

        if (result == (int)BeaConstants.SpecialInfo.UNKNOWN_OPCODE)
            break;

        listBox1.Items.Add("0x" + disasm.EIP.ToString("X") + " "+disasm.CompleteInstr);

        disasm.EIP = new IntPtr(disasm.EIP.ToInt64() + result);
    }
}
Hadi Ranji
  • 203
  • 1
  • 2
  • 11

1 Answer

0

There is a big difference here.

You are comparing a dynamic analysis with a static analysis.

First, I want to explain what EIP is: EIP is the Extended Instruction Pointer, which points to the next line that will be run by the processor.

What I mean is that disassemblers don't run the code, so you don't have an EIP, because the code is not being run by the processor. Basically, what they do is take the compiled code (machine code) and translate it to assembly directly from the disk.

OllyDbg does this disassembly dynamically and runs the code, so you can manipulate the code, including the actual EIP.

I have never used BeaEngine, but I think this is your problem.

Ollegn
  • 2,294
  • 2
  • 16
  • 22
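An added example, not code from the question or the answer: the question reads the file from disk and starts at offset 0x400 in that buffer, while a debugger labels instructions with addresses in the loaded image, and the PE section table is what relates the two. The names `PeAddress` and `FileOffsetToVa` are hypothetical, and the header bytes built in `Main` are constructed to mirror the 0x400 and 0x401000 values in the question; they are not taken from JetAudio.exe.

```csharp
using System;
using System.IO;

static class PeAddress
{
    // Translate a raw file offset into the virtual address a debugger shows
    // for the same byte when the image is loaded at its preferred base.
    public static ulong FileOffsetToVa(byte[] pe, uint fileOffset)
    {
        int nt = BitConverter.ToInt32(pe, 0x3C);                 // e_lfanew
        if (BitConverter.ToUInt16(pe, 0) != 0x5A4D ||            // "MZ"
            BitConverter.ToUInt32(pe, nt) != 0x00004550)         // "PE\0\0"
            throw new InvalidDataException("not a PE image");

        ushort sectionCount = BitConverter.ToUInt16(pe, nt + 6);
        ushort optSize = BitConverter.ToUInt16(pe, nt + 20);
        int opt = nt + 24;                                       // optional header
        bool pe32Plus = BitConverter.ToUInt16(pe, opt) == 0x20B;
        ulong imageBase = pe32Plus ? BitConverter.ToUInt64(pe, opt + 24)
                                   : BitConverter.ToUInt32(pe, opt + 28);

        for (int i = 0; i < sectionCount; i++)
        {
            int s = opt + optSize + i * 40;                      // IMAGE_SECTION_HEADER
            uint rva = BitConverter.ToUInt32(pe, s + 12);        // VirtualAddress
            uint rawSize = BitConverter.ToUInt32(pe, s + 16);    // SizeOfRawData
            uint rawPtr = BitConverter.ToUInt32(pe, s + 20);     // PointerToRawData
            if (fileOffset >= rawPtr && fileOffset - rawPtr < rawSize)
                return imageBase + rva + (fileOffset - rawPtr);
        }
        throw new ArgumentOutOfRangeException(nameof(fileOffset), "offset is not inside any section");
    }

    static void Main()
    {
        // Constructed sample: headers of a minimal PE32 image, not a real program.
        var pe = new byte[0x200];
        void Put(int at, uint v) => BitConverter.GetBytes(v).CopyTo(pe, at);
        Put(0x00, 0x5A4D); Put(0x3C, 0x80); Put(0x80, 0x4550);   // MZ, e_lfanew, PE signature
        Put(0x86, 1);                                            // NumberOfSections
        Put(0x94, 0xE0);                                         // SizeOfOptionalHeader
        Put(0x98, 0x10B);                                        // PE32 magic
        Put(0x98 + 28, 0x400000);                                // ImageBase
        int sec = 0x98 + 0xE0;                                   // first section header
        Put(sec + 12, 0x1000); Put(sec + 16, 0x200); Put(sec + 20, 0x400);

        Console.WriteLine("0x{0:X}", FileOffsetToVa(pe, 0x400));
    }
}
```

The value returned for each instruction's file offset is the address to print beside it when comparing a listing made from the file on disk with a debugger's view, provided the image was loaded at its preferred base.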