📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

ida-x86emu-0.9.2 released

Topic created on: May 6, 2006 15:50 CDT by cseagle.

Version 0.9.2 is available at sourceforge.

http://sourceforge.net/project/showfiles.php?group_id=93016

It fixes many bugs, offers better handling of imported functions and automatically builds a "header" segment for loaded binaries.

Chris

  Sellmi     May 8, 2006 12:12.34 CDT
Thank you for this excellent piece of code. I probably will use this in my diploma thesis.

Btw, which SDK do you use? I had to adapt some workarounds to compile it with SDK 4.8.

best regards, Stefan

  cseagle     May 9, 2006 10:36.33 CDT
I use SDK 5.0, but I have recently added #if blocks to account for SDK differences back to SDK 4.6, so hopefully you will no longer need to do workarounds. I will be posting an updated version soon to account for some bug fixes dealing with import tables.

Chris

  rjohnson     May 9, 2006 21:16.38 CDT
Sweet! This might inspire me to release updates to idastruct. Chris - have you done any benchmarks against other emus? Anyone else out there, please comment if you've seen emu lib benchmarks anywhere else.

-rj

  cseagle     May 10, 2006 00:35.48 CDT
Rich,

I just put 0.9.3 up at sourceforge. It now compiles on all SDK versions back to 4.6. Here are the highlights for this release:

It parses the import table and attempts to locate all related dlls. For each imported dll, it maps the dll's PE headers and export directory into the Ida database by creating new segments at the appropriate addresses; it then makes IAT entries for all imported symbols.

When emulating, it catches all calls to LoadLibrary and will load new dll fragments into the database as well.  The net result is that the emulator can trap all calls to imported functions and offer the user a chance to intervene.

As for benchmarking against other emulators, it is pretty stinking slow. I think a large part of the penalty comes from doing database interactions for every instruction executed. Unfortunately, I really don't know how to squeeze much more performance out of it. I did manage to get the time to unpack Skype down from 20 hours to about 1 hour though, so that is some improvement.

Regards,

Chris
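The import-table handling Chris describes above, as an added illustration that is not ida-x86emu's own code: a constructed .idata section is parsed descriptor by descriptor, every IAT slot is redirected to a stub address in a synthetic segment, and a call through a slot resolves to the imported symbol so the emulator can intervene. A plain byte buffer stands in for the IDA database; the section RVA, stub base and import names are all constructed values.

```python
import struct
IDATA_RVA = 0x2000         # constructed: RVA of the fake .idata section
TRAP_BASE = 0x7FF00000     # constructed: synthetic segment holding import stubs
ORDINAL_FLAG = 0x80000000  # IMAGE_ORDINAL_FLAG32

def build_sample_idata():
    """Constructed .idata: KERNEL32.dll imported by name, USER32.dll by ordinal."""
    blob = bytearray()
    def put(data): rva = IDATA_RVA + len(blob); blob.extend(data); return rva
    desc_rva = put(b"\0" * 20 * 3)                # 2 descriptors + zero terminator
    k32, u32 = put(b"KERNEL32.dll\0"), put(b"USER32.dll\0")
    ll = put(struct.pack("<H", 0x1A0) + b"LoadLibraryA\0")   # hint + name
    gpa = put(struct.pack("<H", 0x15E) + b"GetProcAddress\0")
    k32_ilt = put(struct.pack("<III", ll, gpa, 0))
    k32_iat = put(struct.pack("<III", ll, gpa, 0))           # unbound IAT == ILT
    u32_ilt = put(struct.pack("<II", ORDINAL_FLAG | 240, 0))
    u32_iat = put(struct.pack("<II", ORDINAL_FLAG | 240, 0))
    descs = struct.pack("<IIIII", k32_ilt, 0, 0, k32, k32_iat)
    descs += struct.pack("<IIIII", u32_ilt, 0, 0, u32, u32_iat)
    blob[:len(descs)] = descs                     # descriptors sit at the start
    return bytes(blob), desc_rva

def parse_imports(idata, desc_rva):
    """Walk IMAGE_IMPORT_DESCRIPTORs; return (dll, IAT slot RVA, symbol) per import."""
    off = lambda rva: rva - IDATA_RVA
    cstr = lambda rva: idata[off(rva):idata.index(b"\0", off(rva))].decode()
    imports, d = [], off(desc_rva)
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", idata, d)
        if name_rva == 0 and iat == 0: break      # all-zero descriptor ends the array
        for slot in range(1 << 16):               # bounded: malformed tables can't spin
            thunk, = struct.unpack_from("<I", idata, off(ilt or iat) + 4 * slot)
            if thunk == 0: break
            sym = "#%d" % (thunk & 0xFFFF) if thunk & ORDINAL_FLAG else cstr(thunk + 2)
            imports.append((cstr(name_rva), iat + 4 * slot, sym))
        d += 20
    return imports

def build_iat_traps(idata, desc_rva):
    """Point each IAT slot at a unique stub in TRAP_BASE so an emulated CALL lands somewhere known."""
    mem, traps = bytearray(idata), {}
    for i, (dll, slot_rva, sym) in enumerate(parse_imports(idata, desc_rva)):
        stub = TRAP_BASE + 4 * i
        struct.pack_into("<I", mem, slot_rva - IDATA_RVA, stub)
        traps[stub] = (dll, sym)
    return bytes(mem), traps

def call_through_iat(mem, slot_rva, traps):
    """Emulator hook for CALL [slot]: (dll, symbol) if the slot holds a stub, else None."""
    return traps.get(struct.unpack_from("<I", mem, slot_rva - IDATA_RVA)[0])
```

The same lookup is what lets the emulator notice a LoadLibrary call and map a further dll fragment before continuing.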
