ReversingLabs | Blog

TitanEngine just got its new major update we labeled as TitanEngine 2.0.2. Even though the version incrementation is small the number of changes and the pure size of the code is vast. That is why we dedicate today's blog for listing all additions and changes done to the engine.

Unicode support

Possibly the biggest overall change done to the engine is accommodation of all existing functions to support unicode file names and paths. To preserve compatibility with all previous versions we have retained all function definitions and just added new functions to work with unicode input parameters. Such functions can be easily recognized by the appendix “W” which they have. For specific function definitions please refer to the documentation and SDK header files.

Linux support

As we mentioned in our blog earlier TitanEngine can now be run on any Linux platform under WINE. This change ensures maximum safe environment for live malware analysis for those reverse engineers that make Linux their platform of choice.

Plugin extensions

With this update we introduced the possibility of extending TitanEngine core functionality by writing plugins for it. We have included four samples with our TitanEngine PDK. Most interesting one is called Nexus which hooks internal TitanEngine functions and automatically enables unpacking of all samples which can't be run on the system because one or more DLL's they import is missing on the system. Other plugins show data and ASM extraction with an interesting example called lynxImpRec which shows how to import and export IAT data from and to ImpRec tree files.

MASM32 SDK

Header files that come with the engine now include an SDK for MASM. It is our intent to provide header files for as much programming languages as possible so that you can use TitanEngine in any way that you desire. Each new TitanEngine major release such as this one will include support for at least one more programming language. Until we run out of languages to support.

New functions

Not counting the new functions added for unicode compatibility TitanEngine has been increased by 43 new functions. We extended functionality of Relocater, Resourcer, Threader, Static and Engine modules and added two new ones called Extension and Hooks. Most important changes to the existing modules are the ones done to the Static module. These new functions enable compressed content decompression (supporting: aplib and lzma), new types of memory decryption and copying, file and memory hashing. Regarding new modules the most interesting one in the module called Hooks. This module is used to insert hooks (supports: API and IAT hooking) in its loading process. We were aware of the fact that sometimes you won't need the whole TitanEngine functionality for your project and that is why we have created TitaniumHooks which only consists of the Hooks module.

Samples

On its original release date TitanEngine came with only two samples, unpackers for UPX and BeroExePacker. Today with the release of version 2.0.2 we ship TitanEngine with 28 code samples listed in following categories: Plugins, Tools, Unpackers and Hooks. Samples are sorted by programming languages they are written in. We try to equally grow sample code base for all programming languages TitanEngine SDK supports but the most dominant one is still C/C++.

Bug fixes

Any release without this is unimaginable. In this release we fixed all bugs that we are aware of. Thank you for all your reports, you keep TitanEngine with as little bugs as possible.

TitanEngine 2.0.2 in numbers

• 385 functions
• 25,000 lines of code
• 28 usage samples
• 4 supported programming languages
• 365 pages of documentation
• 1 download waiting to happen...