Release Notes

Version 0.20

  • Introducing new Angr plugin that allows you to pick up an angr state at virtually any point in execution

  • Thread now shows breakpoint register information when at a breakpoint instead of actual internal state

  • You can now register a plugin to specifically be a Thread plugin the same way as modules

  • Better Windows handling

    • Automatically breaks at process exit (like linux)

    • Unbuffers stdout (like linux)

    • Exposed revenge.modules.Module.pe to manually use PEFile

    • Implemented entrypoint finding

    • Properly handle radare2 not being installed

  • Created revenge.process.Process.resume() to generically allow resuming of all paused threads

  • Created new technique for NativeInstructionCounter to more easily allow counting instructions executed

  • General updates and bug fixes

Version 0.19

  • Added exception catching for the main thread. Any exceptions encountered will now be added to exceptions

  • You can now expect output by supplying a string or bytes to stdout() or stderr()

  • Added ability to kill() your thread more easily

  • Modules can now have plugins registered with _register_plugin()

  • The radare2 plugin is now a Module plugin

  • Added initial DWARF decompiler

  • All remote file loads will use a local cache, speeding up access times

  • Backend updates to batch sending and timeless tracer

  • Updated for frida api changing

Version 0.18

  • Added ability to programmatically talk to stdin(), stdout(), and stderr()

  • Added new plugin for enhancing reversing with Radare2

    • Ability to highlight() execution paths for view in V and VV modes

    • Integrated ghidra decompiler

  • Added Decompiler plugin to allow for requesting decompiled code and doing thing such as highlighting paths

  • Added plugin to support enumerating/reading and writing to Handles

  • Added helper to discover what file an address belongs to as well as it’s relative offset from the beginning of that file: lookup_offset()

Version 0.17

  • Added support for ARMContext (Android on ARM emulator works now)

  • Drastically improved performance for NativeTimelessTracer

  • Updates to contexts

    • Tracking changed registers in changed_registers

    • Auto highlighting changed registers when printing cpu context

    • Consolidated and simplified handling of CPU contexts

  • Lookups of the form “mod:sym:offset” work now

  • New LocalDevice class

  • Bunch of restructuring to eventually support multiple engines

Version 0.16

  • Initial NativeTimelessTracer implementation is here! For more information, checkout NativeTimelessTracer

  • Exposed frida’s on_enter() to allow for more easily monitoring functions rather than replacing them

  • Overhaul of Telescope

    • Implemented int/hex/bitand and rshift

    • Telescopes are now implemented via hash consing. This is drastically reduces the memory utilization when using the new NativeTimelessTracer.

    • Refactor of underlying js code for handling telescoping

  • CPU Contexts now handle and print telescoping register values

  • NativeException now telescopes the CPU reigsters when returning an exception

  • Updated travis tests to enable testing on Android 10

  • Updated coveralls to merge results

Version 0.15

  • Implemented ability to call native function in it’s own thread, instead of from frida’s core thread

    • This will be done transparently, but can be done manually by calling revenge.memory.MemoryBytes._call_as_thread()

  • Implemented Techniques to make common sets of actions more generic

  • InstructionTracer is now NativeInstructionTracer

  • NativeInstructionTracer now supports two new options

    • include_function allows you to specify a specific function to trace. This will cause revenge to ignore any trace before or after that function call.

    • exclude_ranges allows you to specify ranges of memory to be ignored from the trace

  • Created NativeError class to generically handle errno.

  • Technique mixin now also has optional method of _technique_code_range() that will get passed any known revenge/frida specific code ranges that can be ignored

  • Thread changes

    • Implemented join() to allow for retrieving thread exit codes

    • Threads will now have pthread_id attribute if they were spawned on Linux.

    • Bugfix in create()

  • Implemented batch_send js include to make it easier to handle pushing lots of data back

Version 0.14

  • argv and envp options added to Process spawning

  • Added revenge.threads.Threads.create() to simplify kicking off a thread

  • Simplified symbol resolution, you can now use process.memory['symbol'] directly as well as process.memory['symbol+offset']

  • threads is now a submodule

  • Can now create dummy thread for hidden Frida thread

  • CPUContexts have been moved to revenge.cpu.contexts

  • Tracer assembly has been moved to revenge.cpu.assembly

Version 0.13

  • Implemented Frida’s new CModule support as create_c_function().

    • Also added support to make calling dynamic functions easier by passing them as kwargs to the constructor. See examples in code doc.

  • Added js_include option to run_script_generic() to enable javascript library/code reuse type things

  • Implemented telescope.js and Telescope for initial telescoping variable support

  • revenge.device_types is now called devices.

  • Added quit() to enable closing the process explicitly.

  • Travis test cases are a bit more stable now.

  • Implemented _from_frida_find_json() to allow for loading of MemoryRange objects directly from Frida json.

Version 0.12

  • Added __call__ to Symbol allowing for symbol() function call directly from the symbol class.

  • Added Symbol memory() as a shortcut to get the MemoryBytes object for said symbol.

  • Implemented new type for Struct. It’s now much easier to both define, set, and read memory structures.

  • Implemented Memory __setitem__, allowing for setting memory implicitly based on type. Example:

    process.memory[0x12345] = types.Int16(5)
    
  • Implemented MemoryBytes cast(), allowing for more programmatic retrieval based on type.

  • Stability improvements

Version 0.11

  • Updated revenge.threads.Threads.__repr__() to use descriptive addresses

  • Added 0.5 second cache to Modules to improve performance.

  • Many updates to revenge.tracer.instruction_tracer.Trace.__str__() to improve readabiliy (descriptive addrs, indentation, programmatic spacing)

  • Implemented plt() to identify the base of the Procedure Lookup Table in ELF.

  • Implemented and incorporated GOT and PLT symbols into symbols(). They will also now resolve on traces i.e.: symbol[‘got.printf’] or symbol[‘plt.printf’]

  • Symbols returned from symbols() are now actually an object: Symbol.

  • Updated slice for Trace so that trace[:12], for instance, now returns a new Trace object with those instructions instead of just a list.

  • entrypoint_rebased no longer exists. Now, just use entrypoint()

  • Tests/docs updates

Version 0.10