小生我怕怕 posted on 2009-8-2 14:25

RL!dePacker v1.5 release (includes TitanEngine)


From: ReversingLabs
Author: tpericin

Technical info:
   RL!dePacker has a built-in option to detect OEP. However, this option does not work with VB (always use FindOEP! function with VB applications and Force to manual OEP?) and some packers. So if RL!dePacker cannot unpack the file, use the FindOEP! function to detect the correct OEP, but use it only as a second resort since it can be jammed!
° Option Force OEP to manual address is used to force stopping on the manual OEP address; use this option ONLY if the packer cannot be unpacked (the target runs instead of breaking at OEP or dumps at the wrong OEP).
° Option Correct OEP to manual address is used to correct the OEP in the PE header of the unpacked file.
° Option Hide unpacker from detection is used to hide the debugger from being detected by antiTricks.
° Option Use tracer to correct IAT is used to remove all known redirection types.
° Option Fix Import elimination is used on applications that relocate the import table in memory outside the PE32 file. This option has been tested with AlexProtector 1.0 and RLPack TE 1.18. Please note that even though this option is in testing it should give good results on all known redirection types (see TitanEngine).
° Option Paste PE.Header from disk is used to paste the original PE header to the unpacked file.

   Generic unpacker can unpack ONLY packers that do not use IAT redirection, that don't steal APIs and which fill out the IAT table in the correct order. All ordinals that can be converted to API names are converted, others are inserted into the IAT as ordinals! Designed for NT systems, Windows 2000 or later, but it should work on Windows Millennium if you have the psapi.dll file!
   Please note that this unpacker does NOT work with AV/FW software (this means Kaspersky) which hooks LoadLibrary and GetProcAddress in ring3. If you do not want to change your AV/FW solution, run this unpacker in a VM. Then it should work fine.

What is new:
- Updated engine parts with unreleased SDK 1.5 libraries
- Tested with even more packers
- Minor unpacker changes

RL!dePacker is tested with 101+ packers:
aUS 0.4 - 0.5
ASPack 1.x - 2.x
ASPack Scrambler 0.1
ASDPack 2.0
AHPack 1.x
AlexProtector 1.x
ARMProtector 0.x
BJFNT 1.3
BeRoEXEPacker 1.x
BamBam 0.x
CryptoPeProtector 0.9x
Crunch x.x
CodeCrypt 0.16x
dot Fake Signer 3.x
dePack
eXPressor 1.2.x - 1.5.x
EZip 1.0
EP Protector 0.3
Escargot 0.x
EXEStealth 2.x
ExeSax 0.9x
FSG 1.xx & 2.0
Fusion x.x
Goat's PE Mutilator 1.6
hmimys-Packer 1.x
Hmimys PePack 1.0
HidePX 1.4
HidePE 2.1
ID Application Protector 1.2
JDPack 1.x
JDProtect 0.9
Just Another Pe Packer 0.5
KByS Packer 0.2x
Krypton 0.x
LameCrypt 1.0
MEW 1.x
mkfpack
NackedPack 1.0
nSPack 2.x - 3.x
nPack 1.x
NeoLite 1.x - 2.0
NWCC
OrIEN 2.1x
PECompact 1.x - 2.x
PeX 0.99
PC Shrink 0.71
Polyene 0.01
PackMan 0.0.0.1 & 1.0
PE Diminisher 0.1
PolyCrypt PE 2.1.5
PeTite 1.x
PEStubOEP 1.6
PELockNT 2.x
PePack 1.0
PC PE Encryptor alpha
PackItBitch
PEncrypt 4.0
PEnguinCrypt 1.0
PeLockNt 2.x
PeLock 1.0x
PESHiELD 0.25
Perplex PE-Protector 1.x
PeTite 1.0 - 1.3
PKLITE32 1.x
RLP 0.6.9 - 0.7.x
RLPack Basic Edition 1.x
RLPack Modifier Edition 1.x
ReCrypt 0.15 - 0.80
Stone`s PE Encryptor 2.0
StealthPE 2.1
Software Compress 1.x
SPLayer 0.08
ShrinkWarp 1.4
SPEC b3
SmokesCrypt 1.2
Simple UPX-Scrambler
SimplePack 1.x
SLVc0deProtector 1.x
tELock 0.x
UPX 0.8x - 2.x
UPXRedir
UPXCrypt
UPX Inkvizitor
UPXFreak 0.1
UPolyX 0.x
UPXLock 1.x
UG Chruncher 0.x
UPX-Scrambler RC 1.x
UPX Protector 1.0x
UPXShit 0.06 & 0.0.1
UPXScramb 2.x
VirogenCrypt 0.75
VPacker 0.02.10
WWPack32 1.x
WinUPack 0.2x - 0.3x
Winkript 1.0
yC 1.x
yZPack 1.x - 2.x
32Lite 0.3a
!EP (ExE Pack) 1.x
`s Protector 1.2


TitanEngine v2.0

One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software Protection as an industry has come a long way from simple encryption that protects executable and data parts to current highly sophisticated protections that are packed with tricks aimed at slowing down the reversing process. The number of such techniques increases every year. Hence we need to ask ourselves, can we keep up with the tools that we have?

Protections have evolved over the last few years, but so have the reverser tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn’t evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such a fashion that writing unpackers would mimic an analyst's manual unpacking process. The basic set of libraries, which will later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With the guided execution and a set of callbacks these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached the file gets dumped to disk and fixed so it resembles the original to as great a degree as possible. In this fashion problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method.

TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

Features:
      Integrated x86/x64 debugger
      Integrated x86/x64 disassembler
      Integrated memory dumper
      Integrated import tracer & fixer
      Integrated relocation fixer
      Integrated file realigner
      Functions to work with TLS, Resources, Exports,…

Link:
http://www.reversinglabs.com/products/TitanEngine.php

TitanEngine:
http://www.reversinglabs.com/download/TitanEngine.rar
BlackHat USA 09 whitepaper:
http://www.reversinglabs.com/blackhat/TitanEngine_BlackHat-USA-09-Whitepaper.pdf
BlackHat USA 09 presentation:
http://www.reversinglabs.com/blackhat/TitanEngine_BlackHat-USA-09-Slides.pdf

UnPacK.Engine.SDK.V1.5.By.ap0x:
http://www.unpack.cn/viewthread.php?tid=37186
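
The "Correct OEP to manual address" option in the post above amounts to rewriting one header field. The following is an added example, not code from the post, RL!dePacker or TitanEngine: it reads and rewrites AddressOfEntryPoint for PE32 and PE32+ and reports which section the entry point lands in. All function names are hypothetical and the sample image is constructed.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # optional-header magic values

def _nt_offsets(image):
    """Validate the MZ/PE signatures; return (e_lfanew, optional header offset)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24              # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic")
    return e_lfanew, opt

def read_oep(image):
    """AddressOfEntryPoint sits at optional header + 16 in PE32 and PE32+."""
    return struct.unpack_from("<I", image, _nt_offsets(image)[1] + 16)[0]

def section_of(image, rva):
    """Name of the section whose virtual range contains rva, else None."""
    e_lfanew, opt = _nt_offsets(image)
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    for off in range(opt + opt_size, opt + opt_size + 40 * count, 40):
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        if vaddr <= rva < vaddr + vsize:
            return image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
    return None

def correct_oep(image, new_rva):
    """Return a copy with the header entry point set to new_rva."""
    if section_of(image, new_rva) is None:
        raise ValueError("new OEP is outside every section")
    out = bytearray(image)
    struct.pack_into("<I", out, _nt_offsets(image)[1] + 16, new_rva)
    return bytes(out)

def build_sample(oep_rva, magic=PE32):
    """Constructed header-only image: .text at 0x1000, packer stub at 0x2000."""
    machine, opt_size = (0x14C, 0xE0) if magic == PE32 else (0x8664, 0xF0)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H14xI", opt, 0, magic, oep_rva)
    sec = lambda n, va: n.ljust(8, b"\0") + struct.pack("<II", 0x1000, va) + bytes(24)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1000) + sec(b".stub", 0x2000))
```

An entry point that still resolves to the stub section after unpacking is a sign the dump was taken at the wrong OEP.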

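Hmily posted on 2009-8-3 00:56

http://www.52pojie.cn/thread-29888-1-2.html

I posted a copy of this earlier too~

vienna posted on 2009-8-8 10:38

A nice unpacking tool

a2213572 posted on 2009-8-9 16:36

Downloaded and saved! Thanks.

dxzok posted on 2009-8-20 10:33

I was just wanting to use this tool, and finally found it

huruidedd posted on 2009-8-21 20:18

Got it~~~ thanks

chn-2000 posted on 2009-8-23 04:18

A nice generic unpacking tool!

liuxiaofengyun posted on 2009-10-30 12:04

A practical tool

zx06zx posted on 2009-10-31 16:12

I wonder whether anything extra has been added inside? eweqw

odovo posted on 2009-11-1 21:55

Thanks for sharing. But for some reason I keep getting a run time error when I use it. This has nothing to do with the software. It's a problem with my own system.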