From Collaborative RCE Tool Library

Jump to: navigation, search

ap0x Unpack Engine SDK

Tool name: ap0x Unpack Engine SDK
Rating: 5.0 (1 vote)
Author: ap0x                        
Current version: 1.5
Last updated: May 20, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: This unpack engine covers everything one unpacker needs.


Integrated x86/x64 debugger
Integrated x86/x64 disassembler
Integrated memory dumper
Integrated import tracer & fixer
Integrated relocation fixer
Integrated file realigner
Functions to work with TLS, Resources, Exports,…

SDK is free and can be used by anyone but make sure you mention my name or include logo.bmp somewhere in About dialog.

Protections have evolved over the last few years, but so have the reversers tools. Some of those tools are still in use today since they were written to solve a specific problem, or at least a part of it. Yet when it comes to writing unpackers this process hasn’t evolved much. We are limited to writing our own code for every scenario in the field.

We have designed TitanEngine in such fashion that writing unpackers would mimic analyst’s manual unpacking process. Basic set of libraries, which will later become the framework, had the functionality of the four most common tools used in the unpacking process: debugger, dumper, importer and realigner. With the guided execution and a set of callbacks these separate modules complement themselves in a manner compatible with the way any reverse engineer would use his tools of choice to unpack the file. This creates an execution timeline which parries the protection execution and gathers information from it while guided to the point from where the protection passes control to the original software code. When that point is reached file gets dumped to disk and fixed so it resembles the original to as great of a degree as possible. In this fashion problems of making static unpackers have been solved. Yet static unpacking is still important due to the fact that it will always be the most secure, and in some cases, fastest available method.

TitanEngine can be described as Swiss army knife for reversers. With its 250 functions, every reverser tool created to this date has been covered through its fabric. Best yet, TitanEngine can be automated. It is suitable for more than just file unpacking. TitanEngine can be used to make new tools that work with PE files. Support for both x86 and x64 systems make this framework the only framework supporting work with PE32+ files. As such, it can be used to create all known types of unpackers. Engine is open source making it open to modifications that will only ease its integration into existing solutions and would enable creation of new ones suiting different project needs.

SDK v.1.5
- Added C SDK
- Updated Delphi and MASM SDK
- Fixed all .dll LIB files in Engine folder
- Fixed memory problems for all modules
- Tested on over 100+ unpackers build on it!
- Listing major changes only...

v.1.7 [Debugger.dll]
- Added new API: GetExitCode
- Added new API: DebugLoopEx
- Added new API: GetDebugData
- Added new API: AttachDebugger
- Added new API: DetachDebugger
- Added new API: GetTerminationData
- Added new API: LengthDisassembleEx
- Added new API: GetDebuggedDLLBaseAddress
- Added new API: GetDebuggedFileBaseAddress
- Fixed: CommandLine parameter passing for InitDebug
- Fixed: Wrong hex to dec conversion for some numbers
- Fixed: LengthDisassemble crashing while getting length for some addresses
- Fixed: Not releasing open handles for some files

v.1.6 [Dumper.dll]
- Added new API: IsFileDLL
- Added new API: DumpProcessEx
- Added new API: PastePEHeaderEx
- Added new API: DeleteLastSection
- Added new API: SetSharedOverlay
- Added new API: GetSharedOverlay
- Added new API: StaticLengthDisassemble
- Fixed: Crashes releated to overlay when trying to extract the overlay
- Fixed: ConvertVAtoFileOffset not converting addresses correctly with some files
- Fixed: Crashes with PastePEHeader when PE32 header is not below 0x1000
- Fixed: Not releasing open handles for some files

v.1.6 [Importer.dll]
- Added new API: ImporterAutoSearchIATEx
- Added new API: ImporterGetRemoteAPIAddress
- Added new API: ImporterRelocateWriteLocation
- Added new API: ImporterGetDLLNameFromDebugee
- Fixed: ImporterGetAPINameFromDebugee not returning names for APIs
- Fixed: ImporterFindAPIWriteLocation returning wrong values if API is not found

v.1.1 [Tracer.dll]
- Added support for following redirections: SVK Protector 1.x, tELock 0.8x-0.99
- Fixed: Memory leak for tracing large ammount of data in the same session
- Improved tracing for all levels (added a trace into near jumps)

v.1.0 [Realigner.dll]
- Added new API: RealignPE
- Added new API: IsPE32FileValid

v.1.0 [Relocater.dll]
- Added new API: RelocaterInit
- Added new API: RelocaterAddNewRelocation
- Added new API: RelocaterExportRelocation
- Added new API: RelocaterChangeFileBase
- Added new API: RelocaterEstimatedSize
- Added new API: RelocaterMakeSnapshoot
- Added new API: RelocaterCompareTwoSnapshots
- Added new API: RelocaterGrabRelocationTable
- Added new API: RelocaterGrabRelocationTableEx

v.1.1 [HideDebugger.dll]
- Added check for Windows version before patching APIs
- Fixed: ASLR and Vista compatibility (Importer must be present)

v.1.2 [Updater.dll]
- Added return value to UpdateEngine
- Added support for Tracer.dll updating
- Added support for Realigner.dll updating
- Added support for Relocater.dll updating
- Changed update location to
Related URLs:
More thorough presentation of the underlying TitanEngine:

RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree
   Needs New Category  (3)