Thread: ARTeam: xTracer 1.0 by deroko

  1. #1 Shub-nigurrath (Super Moderator)

    ARTeam: xTracer 1.0 by deroko

    Hi all,
    a new release from deroko of ARTeam. A really powerful tool (you may experiment to see how powerful it is...)

    xtracer is a TLB memory tracer. It tries to locate the first break in the code section of the traced process using the split TLB which is available in the Intel architecture.
    This code can be used to locate the OEP of the traced process easily. Currently only the 1st break is reported, but you may modify the code to handle more breaks, as that's not a problem at all if you go through the ring3 program which actually controls the driver. You may expect to get very good and fast results no matter which protection you are tracing. The time needed to locate the OEP is equal to the time needed to execute the protection layer without a debugger or any tracer.

    I hope that you will enjoy this fine release from ARTeam, as we only try to bring quality releases to the RCE community. Of course, full source is included for learning purposes (code and tool are released under GPL 3.0).

    The code can be customized to handle various scenarios, e.g. adding more breaks on code sections, or hooking some more native calls to keep control of almost every allocated buffer, but that's up to the user to implement if he needs it.

    To use this code simply type:

    xtracer.exe <application to trace>

    and wait a little bit. Also note that you must have an internet connection, as the code is using my SymbolFinder class to locate some symbols from ntoskrnl.exe, which makes this code compatible with Windows versions from Win2k to Vista SP1.

    http://www.accessroot.com/arteam/site/download.php?view.309
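    The post above explains the idea but not why the split TLB matters. The following is an added model (not xtracer's code) of the fault-handling logic: page-table entries of the traced process are kept not-present, so the first touch of every page faults into the driver, and because x86 keeps separate instruction and data TLBs, a data fault can be satisfied by loading only the DTLB while the PTE stays not-present, so a later instruction fetch from the same page still faults and reveals the first break in the code section. The section bounds, page size and sample trace are constructed for the example.

```python
"""Model of split-TLB tracing for OEP location (added example, not xtracer's code)."""

CODE_LO, CODE_HI = 0x401000, 0x410000   # constructed code-section bounds of the traced image
PAGE = 0x1000                           # 4 KiB pages, as on x86

def find_first_break(events, split=True):
    """events: (kind, addr) tuples with kind in {"exec", "read", "write"}.
    Returns (first executed address inside the code section or None, faults seen).
    split=True: a data fault loads only the DTLB, an exec fault only the ITLB.
    split=False: any fault makes the page visible to both, as a unified TLB would."""
    itlb, dtlb = set(), set()           # pages whose translation is cached per TLB
    faults = 0
    for kind, addr in events:
        page = addr // PAGE
        tlb = itlb if kind == "exec" else dtlb
        if page in tlb:
            continue                    # translation cached: no #PF, the tracer is blind here
        faults += 1                     # PTE not-present -> #PF handled by the tracer's driver
        if kind == "exec" and CODE_LO <= addr < CODE_HI:
            return addr, faults         # first break in the code section: OEP candidate
        if split:
            tlb.add(page)               # load only the TLB matching the access type
        else:
            itlb.add(page)
            dtlb.add(page)
    return None, faults

# Constructed trace: a protection stub in its own section decrypts the code
# section with data writes, then jumps to the original entry point.
SAMPLE = [
    ("exec",  0x450000),   # stub starts executing outside the code section
    ("write", 0x401000),   # stub writes decrypted bytes into the code section
    ("write", 0x401004),
    ("read",  0x450010),   # stub reads its own data
    ("exec",  0x450020),
    ("exec",  0x401230),   # control transfers to the OEP
    ("exec",  0x401234),
]

if __name__ == "__main__":
    print(find_first_break(SAMPLE))               # (0x401230, 4): split TLB catches the jump
    print(find_first_break(SAMPLE, split=False))  # (None, 2): the writes already made the page visible
```

    With a unified model the decrypting writes make the code page present before the jump, so the OEP fetch never faults; the split model keeps the ITLB empty for that page and catches it.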

  2. #2 dELTA (Administrator)
    Looks very nice indeed.

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/XTracer

    (and sorry for being a bit behind with CRCETL updates, but then again, that's exactly why we made it possible for anyone to add tools)
