Linux BeaEngine反汇编引擎使用

上一节讲了capstone，这一节一起学习一下beaengine的使用；

code 来自github:https://github.com/BeaEngine/beaengine

0x01:下载好代码并进行编译环境搭建；

//解压source code
curits@curits-virtual-machine:~/Desktop$ unzip beaengine-master.zip 
//或者安装git后直接拉取
curits@curits-virtual-machine:~/Desktop$ sudo apt-get install git
curits@curits-virtual-machine:~/Desktop$ git clone https://github.com/BeaEngine/beaengine.git
//安装cmake
curits@curits-virtual-machine:~/Desktop/beaengine-master$ sudo apt-get install cmake

0x02:把代码下载完成和编译环境搭建完之后，第二步就是编译生成linux 库文件；

//编译代码
curits@curits-virtual-machine:~/Desktop$ cmake beaengine
curits@curits-virtual-machine:~/Desktop$ make

//编译共享库文件 xxx.a & xxx.so
curits@curits-virtual-machine:~/Desktop$ cmake -DoptBUILD_DLL=ON beaengine
curits@curits-virtual-machine:~/Desktop$ make

//动态库静态库均已生成
curits@curits-virtual-machine:~/Desktop$ ls lib/Linux.gnu.Debug/
libBeaEngine_d_l.so  libBeaEngine_s_d_l.a

//生成库文件大小
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ls -alh
total 1.4M
drwxr-xr-x 3 curits curits 4.0K 10月 27 16:26 .
drwxr-xr-x 3 curits curits 4.0K 10月 27 15:10 ..
drwxr-xr-x 2 curits curits 4.0K 10月 27 15:26 beaengine  --> BeaEngine包含的头文件
-rw-r--r-- 1 curits curits  10K 10月 27 15:58 BeaEngine.h
-rwxr-xr-x 1 curits curits 611K 10月 27 15:12 libBeaEngine_d_l.so
-rw-r--r-- 1 curits curits 775K 10月 27 15:10 libBeaEngine_s_d_l.a
-rw-r--r-- 1 curits curits  399 10月 27 15:46 tcc.c

0x03:生成库文件之后，就是如何使用这两个库文件
github给的示例代码：https://github.com/BeaEngine/beaengine/blob/master/doc/examples.md

示例一：BeaEngine不需要特殊的初始化。 Disasm功能可为您完成。 您唯一需要执行的任务是将_Disasm结构设置为零并填充字段infos.EIP（您要反汇编的偏移量)；

//tcc.c
#include <stdio.h>
#include <string.h>
#include "BeaEngine.h"

int main(void)
{
    
    
  DISASM infos;
  int len, i = 0;

  (void) memset (&infos, 0, sizeof(DISASM));
  infos.EIP = (UInt64) main;

  while ((infos.Error == 0) && (i < 100)){
    
    
    len = Disasm(&infos);
    if (infos.Error != UNKNOWN_OPCODE) {
    
    
      (void) puts(infos.CompleteInstr);
      infos.EIP += len;
      i++;
    }
  }
  return 0;
}

//从代码中可以看到该例程需要使用BeaEngine.h这个头文件
curits@curits-virtual-machine:~/Desktop/beaengine/include/beaengine$ cp -rf BeaEngine.h /home/curits/Desktop/lib/Linux.gnu.Debug/
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ls
BeaEngine.h  libBeaEngine_d_l.so  libBeaEngine_s_d_l.a  tcc.c

//尝试使用静态库
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ g++ -o tcc tcc.c libBeaEngine_s_d_l.a 
In file included from tcc.c:3:0:
BeaEngine.h:8:10: fatal error: beaengine/macros.h: No such file or directory
 #include <beaengine/macros.h>
          ^~~~~~~~~~~~~~~~~~~~
compilation terminated

原因分析，BeaEngine.h头文件还包含其他头文件，将源代码include文件夹下的include/beaengine文件夹拷贝到/home/curits/Desktop/lib/Linux.gnu.Debug，也就是我们需要编译测试代码的文件夹；

//复制好文件之后继续尝试编译
curits@curits-virtual-machine:~/Desktop/beaengine/include$ cp -rf beaengine/ /home/curits/Desktop/lib/Linux.gnu.Debug/
curits@curits-virtual-machine:~/Desktop/beaengine/include$ ls /home/curits/Desktop/lib/Linux.gnu.Debug/
beaengine  BeaEngine.h  libBeaEngine_d_l.so  libBeaEngine_s_d_l.a  tcc.c
//编译
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ g++ -o tcc tcc.c libBeaEngine_s_d_l.a
In file included from tcc.c:3:0:
BeaEngine.h:8:10: fatal error: beaengine/macros.h: No such file or directory
 #include <beaengine/macros.h>
          ^~~~~~~~~~~~~~~~~~~~
compilation terminated.

这里就要说到头文件包含的问题：
#include < > ： 直接到系统指定的某些目录中去找某些头文件；
#include " "： 先到源文件所在文件夹去找，然后再到系统指定的某些目录中去找某些头文件；

那么对应的就有两种办法：
1.修改头文件#include <> --> #include " path"；
2.将头文件拷贝到系统/usr/include；

//生成tcc可执行文件
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ g++ -o tcc tcc.c libBeaEngine_s_d_l.a
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ls
beaengine  BeaEngine.h  libBeaEngine_d_l.so  libBeaEngine_s_d_l.a  tcc  tcc.c
//执行可执行文件，成功生成反汇编代码
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ./tcc 
push rbp
mov rbp, rsp
sub rsp, 00000000000004F0h
mov rax, qword ptr fs:[00000028h]
mov qword ptr [rbp-08h], rax
xor eax, eax
mov dword ptr [rbp-000004E8h], 00000000h
lea rax, qword ptr [rbp-000004E0h]
mov edx, 000004CEh
mov esi, 00000000h
mov rdi, rax
call 000055AE36310A30h
lea rax, qword ptr [000055AE36310B7Ah]
mov qword ptr [rbp-000004E0h], rax
mov eax, dword ptr [rbp-000000C4h]
test eax, eax
jne 000055AE36310C2Dh
cmp dword ptr [rbp-000004E8h], 63h
jnle 000055AE36310C2Dh
lea rax, qword ptr [rbp-000004E0h]
mov rdi, rax
call 000055AE363632A6h

//前面讲了动态库的使用方法，这里讲讲so动态库的使用方法
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ g++ -o tcc tcc.c libBeaEngine_d_l.so 
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ./tcc 
//报错没有找到共享库，在跑程序的时候会去找共享so库
./tcc: error while loading shared libraries: libBeaEngine_d_l.so: cannot open shared object file: No such file or directory
//把库路径定义为当前路径
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ export LD_LIBRARY_PATH=./
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ g++ -o tcc tcc.c libBeaEngine_d_l.so 
curits@curits-virtual-machine:~/Desktop/lib/Linux.gnu.Debug$ ./tcc 
push rbp
mov rbp, rsp
sub rsp, 00000000000004F0h
mov rax, qword ptr fs:[00000028h]
mov qword ptr [rbp-08h], rax
xor eax, eax
mov dword ptr [rbp-000004E8h], 00000000h
lea rax, qword ptr [rbp-000004E0h]
mov edx, 000004CEh
mov esi, 00000000h
mov rdi, rax

这个引擎还支持使Python,这里就不做介绍了；