OpenRCE: Blog

TitanEngine 2.0.3

Mon, 03 May 2010 16:48:03 -0500

TitanEngine 2.0.3 release covered by a special edition of our blog.
Download: http://www.reversinglabs.com/products/TitanEngine.php

TitanEngine 2.0.2

Mon, 14 Dec 2009 07:07:11 -0600

TitanEngine 2.0.2 release covered by a special edition of our blog.
Download: http://www.reversinglabs.com/products/TitanEngine.php

TitanEngine 2.0.1

Wed, 02 Sep 2009 06:57:04 -0500

TitanEngine 2.0.1 is now online at http://www.reversinglabs.com/products/TitanEngine.php

Change log:

SDK: Extended SDK headers to support Delphi
SDK: Changes to SDK.h to support non MSVC compilers
SDK: Changed the file/folder layout and fixed relative paths in RC file
DOCS: Removed type-o mistakes and bad function definitions
BUG: Fixed some mistakes in SDK.h
BUG: Added missing entries in TitanEngine.def
BUG: FindEx searched only 0x1000 bytes
BUG: Fixed a minor bug inside injectTerminator
BUG: EngineExtractForwarderData crash on invalid input
BUG: RelocaterGrabRelocationTableEx doesn't grab whole table
BUG: RelocaterCompareTwoSnapshots crash when first DWORD of the snapshot is relocated
BUG: RelocaterCompareTwoSnapshots doesn't correctly compare two snapshots for some packers
BUG: ImporterAutoFixIATEx very rare crash handled by handler but it makes import table invalid
BUG: ImporterAutoFixIATEx incorrect import fixing if import is only exported by ordinal
BUG: ImporterAutoFixIATEx incorrect stepping if step is greater than one
BUG: Fixed StaticLoadFile & StaticUnloadFile to be compatible with x64
BUG: Fixed a problem with imports and WinSxS folder
BUG: Fixed a crash with Librarian on Windows XP x64
BUG: Fixed problem with NtdllDefWindowProc on Vista x64
BUG: Fixed problem with deleting temp files: DLLLoader.exe & *.module base reserve file
BUG: Fixed problem with DumpProcess on x64 systems
BUG: Fixed problem with DumpProcess and empty last PE sections
BUG: Fixed problem with DumpProcess and files with non default SectionAlignment
BUG: Fixed problem with DumpProcess and dumping PAGE_GUARD protected memory
BUG: Fixed UPX unpacker sample not working on files packed with --lzma option
BUG: Fixed problem with Exporter module and building new export table under x64 systems
BUG: Fixed problem with Importer module and Windows 7 kernelbase.dll MiniWin
BUG: Fixed problem with RealignPE/RealignPEEx and files with non default SectionAlignment
SAMPLE: Unpacking ASPack 2.12, features usage of: RelocaterGrabRelocationTableEx and GetRemoteString
SAMPLE: Unpacking FSG 2.0, features usage of: overlay detection
SAMPLE: Unpacking PeCompact 2.0 - 3.x, features usage of: ImporterAutoFixIATEx with custom callback for fixing redirections
SAMPLE: Unpacking DEF 1.0, features usage of: static unpacker functions
SAMPLE: Unpacking LameCrypt 1.0, features usage of: static unpacker functions
NEW: Fill & FillEx now have a default fill byte value of 0x90 if no fill byte is supplied
NEW: SetHardwareBreakPointEx function for setting breakpoints in custom threads
NEW: Global variable UE_ENGINE_RESET_CUSTOM_HANDLER set to TRUE resetting custom handler on debug init
NEW: Improved speed of API & DLL data resolving
NEW: Added function: ImporterAddNewOrdinalAPI
NEW: Added function: ImporterGetAPIOrdinalNumber
NEW: Added function: ImporterGetAPIOrdinalNumberFromDebugee
NEW: Added function: ImporterGetForwardedAPIOrdinalNumber
NEW: Added function: ImporterGetLastAddedDLLName
NEW: Added function: ImporterGetDLLName
NEW: Added function: GetUnusedHardwareBreakPointRegister
NEW: Changed function: HideDebugger, less parameters and x64 compliant
NEW: Added function: UnHideDebugger
NEW: Added function: GetPEBLocation

TitanEngine at BlackHat USA 09

Tue, 28 Jul 2009 08:50:50 -0500

One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software Protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aiming at slow down in the reversing process. Number of such techniques increases every year. Hence we need to ask ourselves, can we keep up with the tools that we have?

Protections have evolved over the last few years, but so have the reverser tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn�t evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such fashion that writing unpackers would mimic analyst�s manual unpacking process. Basic set of libraries, which will later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With the guided execution and a set of callbacks these separate modules complement themselves in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached file gets dumped to disk and fixed so it resembles the original to as great of a degree as possible. In this fashion problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method.

TitanEngine can be described as Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric.  Best yet, TitanEngine can be automated.  It is suitable for more than just file unpacking.  TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems make this framework the only framework supporting work with PE32+ files.  As such, it can be used to create all known types of unpackers. Engine is open source making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

Features:

      Integrated x86/x64 debugger
      Integrated x86/x64 disassembler
      Integrated memory dumper
      Integrated import tracer & fixer
      Integrated relocation fixer
      Integrated file realigner
      Functions to work with TLS, Resources, Exports,�

Link: http://www.reversinglabs.com/products/TitanEngine.php

RL!dePacker

Mon, 09 Apr 2007 06:56:36 -0500

...is a generic unpacker that supports 92+ packer/crypter/protector formats. It is based on ap0x unpack engine SDK 1.3 and it can be downloaded from http://ap0x.jezgra.net/unpackers.html

Enjoy, ap0x