📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> ap0x's Blog

Created: Tuesday, July 28 2009 08:50.50 CDT Modified: Tuesday, July 28 2009 14:18.13 CDT
Printer Friendly ...
TitanEngine at BlackHat USA 09
Author: ap0x # Views: 14158

One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software Protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aiming at slow down in the reversing process. Number of such techniques increases every year. Hence we need to ask ourselves, can we keep up with the tools that we have?

Protections have evolved over the last few years, but so have the reverser tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn�t evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such fashion that writing unpackers would mimic analyst�s manual unpacking process. Basic set of libraries, which will later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With the guided execution and a set of callbacks these separate modules complement themselves in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached file gets dumped to disk and fixed so it resembles the original to as great of a degree as possible. In this fashion problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method.

TitanEngine can be described as Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric.  Best yet, TitanEngine can be automated.  It is suitable for more than just file unpacking.  TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems make this framework the only framework supporting work with PE32+ files.  As such, it can be used to create all known types of unpackers. Engine is open source making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

Features:

      Integrated x86/x64 debugger
      Integrated x86/x64 disassembler
      Integrated memory dumper
      Integrated import tracer & fixer
      Integrated relocation fixer
      Integrated file realigner
      Functions to work with TLS, Resources, Exports,�

Link: http://www.reversinglabs.com/products/TitanEngine.php


Blog Comments
frankboldewin Posted: Wednesday, July 29 2009 02:10.44 CDT
sounds great dude!
looking forward to test it.

GynvaelColdwind Posted: Wednesday, July 29 2009 02:46.38 CDT
Sounds really cool! Can't wait to get my hands on it ;>

ap0x Posted: Thursday, July 30 2009 21:58.26 CDT
TitanEngine is online now, download it from: http://forum.reversinglabs.com

wishi Posted: Friday, July 31 2009 03:10.33 CDT
No it's not. It says it'll be available.

edit: whopps it's a forum's attachment.

anoirel Posted: Sunday, August 2 2009 15:00.30 CDT
This is by far one of the most serious and extremely useful project in the modern RCE scene ever presented to the public.
I'm reading the disassembled code and i just can't stop.

Thanks a lot!

ap0x Posted: Sunday, August 2 2009 21:35.19 CDT
Thank you so much, we are already working on the next version.

trufae Posted: Monday, August 17 2009 09:43.06 CDT
Good job



Add New Comment
Comment:









There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit