Introduction to TitanEngine

One of the greatest challenges of modern reverse engineering is taking apart and analyzing software protections. During the last decade a vast number of such shell modifiers have appeared. Software protection as an industry has come a long way from simple encryption that protects executable and data parts to the current highly sophisticated protections, which are packed with tricks aimed at slowing down the reversing process. The number of such techniques increases every year. Hence we need to ask ourselves: can we keep up with the tools that we have?

Protections have evolved over the last few years, but so have reversers' tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers, this process hasn't evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such a fashion that writing unpackers would mimic an analyst's manual unpacking process. The basic set of libraries, which would later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With guided execution and a set of callbacks, these separate modules complement each other in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while being guided to the point where the protection passes control to the original software code. When that point is reached, the file gets dumped to disk and fixed so that it resembles the original to as great a degree as possible. In this fashion the problems of making static unpackers have been solved. Yet static unpacking is still important because it will always be the most secure and, in some cases, the fastest available method. That is why we will discuss both static and dynamic unpackers. We will also look into methods of making generic code that supports a large number of formats without knowing the format specifics.

TitanEngine can be described as a Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems makes this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. The engine is open source, making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

TitanEngine SDK contains:

- Integrated x86/x64 debugger
- Integrated x86/x64 disassembler
- Integrated memory dumper
- Integrated import tracer & fixer
- Integrated relocation fixer
- Integrated file realigner
- Functions to work with TLS, Resources, Exports, ...
