Tuts 4 You

TitanEngine Community Edition


mrexodia


Hello everyone,

Together with cypher I started working on an update for the famous TitanEngine. The main intention for the 'community edition' is bugfixing, but there are also several features added. We want to keep the original function names and arguments of TitanEngine v2, but in some cases the function arguments were, for example, incompatible with 64-bit systems.

Various changes:

  • Fixed hardware breakpoints (various problems in x32 and not working in x64);
  • Fixed memory breakpoints (still needs some checks);
  • Changed exception handling (now only non-debugger-handled exceptions are reported);
  • Fixed TitanEngine64 (never started debugging);
  • Pieces of code rewritten;
  • Fixed DumpProcessExW (found/fixed by Aguila);
  • Added various callbacks (SetCustomHandler);
  • Added memory breakpoint on execute;
  • Added QWORD hardware breakpoints;
  • Smaller and cleaner DLL Loaders (written in NASM);
  • Support for multiple calling conventions (TITCALL), default changed to _cdecl;
  • MinGW import libraries (for compatibility with x64_dbg);
  • Fixed exception handling;
  • Import reconstruction -> Scylla (cypher);
  • Various other bugfixes too small to mention;
  • StepOver calls StepInto when needed (RET, JMP, REP);
  • StepInto calls StepOver when needed (PUSHFD).

Find downloads on the repository.

Please report bugs/feature suggestions in another thread in this forum.

If you want to contribute, just send me and/or cypher a private message.

Greetings,

Mr. eXoDia & cypher

Edited by Mr. eXoDia
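The last two bullets of the changelog describe a stepping rule; the following is an added example of that rule, not TitanEngine's own code: a small classifier over the raw x86 bytes at the instruction pointer that decides whether a requested StepOver must become a StepInto or vice versa. The names (step_kind, choose_step) and the opcode table are my own, and it assumes no REX prefix precedes the opcode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { STEP_INTO, STEP_OVER } step_kind;   /* stepping strategy at IP */

/* Legacy prefixes other than REP/REPNE: LOCK, operand/address size, segment overrides. */
static bool is_nonrep_prefix(uint8_t b)
{
    return b == 0xF0 || b == 0x66 || b == 0x67 || b == 0x2E || b == 0x36 ||
           b == 0x3E || b == 0x26 || b == 0x64 || b == 0x65;
}

/* String instructions that honour REP/REPNE: ins/outs, movs/cmps, stos/lods/scas. */
static bool is_string_op(uint8_t op)
{
    return (op >= 0x6C && op <= 0x6F) || (op >= 0xA4 && op <= 0xA7) ||
           (op >= 0xAA && op <= 0xAF);
}

/* Apply the changelog rule to the raw x86 bytes at IP. StepOver becomes StepInto on
 * RET/JMP/REP, because a breakpoint placed after such an instruction is not where
 * control goes next; StepInto becomes StepOver on PUSHF/PUSHFD (the usual reason:
 * single-stepping it pushes EFLAGS with the trap flag set, which the debuggee can
 * read). Anything else keeps the requested kind. */
step_kind choose_step(step_kind requested, const uint8_t *code, size_t len)
{
    size_t i = 0;
    bool rep = false;
    while (i < len && (is_nonrep_prefix(code[i]) || code[i] == 0xF2 || code[i] == 0xF3)) {
        rep = rep || code[i] == 0xF2 || code[i] == 0xF3;
        i++;
    }
    if (i >= len)
        return requested;                 /* truncated buffer: leave the decision alone */
    uint8_t op = code[i];
    if (requested == STEP_OVER) {
        bool is_ret = op == 0xC3 || op == 0xC2 || op == 0xCB || op == 0xCA;
        bool is_jmp = op == 0xEB || op == 0xE9 || op == 0xEA;
        if (op == 0xFF && i + 1 < len) {      /* FF /4, FF /5: jmp r/m32, jmp far m16:32 */
            uint8_t reg = (code[i + 1] >> 3) & 7;
            is_jmp = is_jmp || reg == 4 || reg == 5;
        }
        if (is_ret || is_jmp || (rep && is_string_op(op)))
            return STEP_INTO;
    } else if (op == 0x9C) {              /* pushf / pushfd / pushfq */
        return STEP_OVER;
    }
    return requested;
}
```

A real engine would feed this the bytes read from the debuggee at the current instruction pointer; here the caller passes a buffer directly.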

I have now (nearly) finished integrating Scylla into TE as its IAT engine. Reason for this: TE's own IAT engine is buggy and not accurate enough.

It's working amazingly well. The IAT-Autosearch is now as accurate as Scylla and fixed dumps work perfectly. Tested with an Armadillo 8.60 unpacker.

For now the changes are living here on a separate branch but will probably soon be merged to master.

It uses a custom-made wrapper around Scylla which you can also use standalone without TE: see this topic.

There were some necessary changes to the SDK; the C/C++ headers have been updated:

ImporterAutoSearchIAT
ImporterAutoSearchIATW
ImporterAutoSearchIATEx
- these now have process ID as first param, not handle
- parameter imagebase is obsolete for non-Ex functions and has been removed

ImporterAutoFixIATEx
ImporterAutoFixIATExW
ImporterAutoFixIAT
ImporterAutoFixIATW
- first param now DWORD pid
- params searchSize, searchStep now obsolete and removed
- param imagebase obsolete for non-Ex functions and removed

ImporterExportIATEx
ImporterExportIATExW
- new param: wchar_t* dumpfilename

ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
- new param: HANDLE hFileMap

//all other Importer:: functions that have to do with IAT reconstruction are NOT scylla-enabled, as they don't need to be and are obsolete

Testing is easy: have a dump, then

DWORD iatStart = 0xDEADBEEF;
DWORD iatSize = 0xDEADBEEF;
Importer::AutoSearchIAT(processId, DumpFileName, codeSectionAddr, &iatStart, &iatSize); //should fill up iatStart, iatSize if successful
Importer::ExportIATEx(DumpFileName, IatFixFileName, _T(".t4you")); //returns true on success and a shiny new file should appear

Edited by cypher

Hi,

So why do you not include a newly compiled titan.dll for users who don't work with any programming language etc., you know?

Question: So why do you guys not start a project to create an almost all-in-one DLL which has many features & functions of other DLLs? This would be nice if there are already some sources to get.

MultiFunction.dll
--------------------------
Add Titan
Add beaEngine
Add Disasm
Add Scylla
Add etc...
Add custom functions by other users by request / ideas etc.
--------------------------

So at the end you will have an all-in-one DLL. So I think this kind of project would be a very interesting one, or? So I am no coder, but for me it sounds to be a good idea and if I could do this then I would also try to do this if possible. :)

greetz


Nice.

How do we contribute? Make an account and send pull requests?

This probably won't work as expected:

__try
{
    if(Plugin[i].TitanResetPlugin != NULL)
    {
        myPluginResetExec = (fPluginResetExec)Plugin[i].TitanResetPlugin;
        myPluginResetExec();
    }
}

__try is for C++ exceptions, not like Windows' catch-all SEHs or VEHs.

Also, how does this handle 32/64 files? Looking at method "EngineValidateHeader" I only see 64-bit code. (The method probably should be called "isHeaderValid", too.)

Lastly, do you think it would make sense to split this into several files? A single 30K line file is not much fun to manage when several people are contributing.

mrexodia

@LCF-AT: The latest 'stable' binary can be downloaded from https://bitbucket.org/mrexodia/titanengine-update/downloads. I attached the latest dev build + C header here. About the super-DLL you mentioned: it could be a good idea, but managing such a project would suck. Next to that, it would be 10 MB for only BeaEngine/Scylla if you need it, which seems kind of big to me. You can request custom functions as long as they are related to the purpose of TitanEngine...

@deepzero: Yea, contributing could go like this, but I could also add you to the repo when you like...

As for the issues, I added them to the repo, because I don't know the answer for them right now. EngineValidateHeader seems valid, as DumpProcess for example works fine.

Splitting the file was my idea too, but there are some nasty global variables etc., which make it kind of time-consuming to do.

Greetings

TitanEngineDev.rar

Edited by Mr. eXoDia
"but there are some nasty global variables"

o_O dear lord, I didn't even see those.

And what is this madness:

// Global.Engine.Constants:
#define UE_MODULEx86 0x2000;
#define UE_MODULEx64 0x2000;

I just created a bitbucket account, if you could add me to the repo, that'd be great. I'll then branch off and fix the bugs that jumped into my face when scrolling over it.

Truth be told, though: this piece of chaos and mayhem could really use a major refactoring.


I take back what I said about the __try block: you are using __try .. __except, which is an MSVC compiler extension ... which is using SEH, it seems.

mrexodia

Those are the RVAs that the custom DLL loader reads for the filename to load :)

It works surprisingly well and the executables are really small and clean.

The code indeed needs much refactoring. I did some already, but the debug loop for example is terribly hard to read.

Greetings

edit: you have repo access

Edited by Mr. eXoDia

@LCF-AT: TE is more or less a complete multi-function DLL. Many of the functions can be used without initializing the debugger.

Disasm and Scylla are already integrated.

We will also be providing pre-compiled binaries whenever we have made changes that are worth being released.

Here is a quick overview of the classes that are already in TE, with every function you may think of for their respective topic:

- Dumper
- Debugger
- Importer
- Realigner
- Relocater
- Tracer
- Exporter
- Librarian
- TLS
- Static
- Threader
- Resourcer
- Hooks
- Process
- Handler

@deepzero: For validating use the Realigner::IsPE32FileValidEx function. There isn't a 64-bit version (yet). mr.exodia is adding 64-bit functions wherever we come across or get pointed to them.

Splitting TE isn't something that can be done easily, unfortunately. Therefore everyone should work on branches for bigger changes. Maybe we should Git-Flow enable the repo for better dev/feature/bugfix/release maintenance.

TE is a great framework but still has a lot of bugs yet to be fixed or even be discovered. We welcome everyone to help improve it.

Edited by cypher
mrexodia

Quick V0002 release is here. Far from bug free, but import reconstruction (using scylla_wrapper) is quite stable and memory breakpoints are finally working again. Also many changes made by deepzero were added.

Changelog:

https://bitbucket.org/mrexodia/titanengine-update/commits

Download:

https://bitbucket.org/mrexodia/titanengine-update/downloads

Also attached the binaries.

Greetings,

Mr. eXoDia

PS This is not really a release, more like a snapshot for users that don't wanna compile everything.

TitanEngineUpdate_0002.rar

Edited by Mr. eXoDia
mrexodia

Changelog V0003:

- fixed some anti-debug tricks (DBG_RIPEXCEPTION and DBG_PRINTEXCEPTION_C)

- fixed a massive bug in exception handling (almost all exceptions were swallowed by the debugger)

- added a callback for the RIP_EVENT debug event

Greetings,

Mr. eXoDia

TitanEngineUpdate_0003.rar

mrexodia

V0008 is out!

Changelog:

- fixed TitanEngine.Handler

- fixed TitanEngine.Debugger.Context

- updated scylla_wrapper

- ULONG_PTR instead of long long

- Debug privilege option

- added export TitanOpenProcess (opens a process with debug privilege when the option is enabled)

- fixed various deadlocks (hopefully)

- fixed closing a handle that shouldn't be closed

- fixed breakpoint filters

- added UE_CH_DEBUGEVENT custom handler

- removed UE_CH_ALLEVENTS custom handler

- rewrote GetPE32SectionNumberFromVA

- fixed a bug with UE_SECTIONNAME on x64

- hardware breakpoints are not set on all threads

Download:

https://bitbucket.org/mrexodia/titanengine-update/downloads

Enjoy,

TitanEngineCE Team
