Release Notes

Version 0.20

• Introducing new Angr plugin that allows you to pick up an angr state at virtually any point in execution

• Thread now shows breakpoint register information when at a breakpoint instead of actual internal state

• You can now register a plugin to specifically be a Thread plugin the same way as modules

• Better Windows handling

  • Automatically breaks at process exit (like linux)

  • Unbuffers stdout (like linux)

  • Exposed revenge.modules.Module.pe to manually use PEFile

  • Implemented entrypoint finding

  • Properly handle radare2 not being installed

• Created revenge.process.Process.resume() to generically allow resuming of all paused threads

• Created new technique for NativeInstructionCounter to more easily allow counting instructions executed

• General updates and bug fixes

Version 0.19

• Added exception catching for the main thread. Any exceptions encountered will now be added to exceptions

• You can now expect output by supplying a string or bytes to stdout() or stderr()

• Added ability to kill() your thread more easily

• Modules can now have plugins registered with _register_plugin()

• The radare2 plugin is now a Module plugin

• Added initial DWARF decompiler

• All remote file loads will use a local cache, speeding up access times

• Backend updates to batch sending and timeless tracer

• Updated for frida api changing

Version 0.18

• Added ability to programmatically talk to stdin(), stdout(), and stderr()

• Added new plugin for enhancing reversing with Radare2

  • Ability to highlight() execution paths for view in V and VV modes

  • Integrated ghidra decompiler

• Added Decompiler plugin to allow for requesting decompiled code and doing thing such as highlighting paths

• Added plugin to support enumerating/reading and writing to Handles

• Added helper to discover what file an address belongs to as well as it’s relative offset from the beginning of that file: lookup_offset()

Version 0.17

• Added support for ARMContext (Android on ARM emulator works now)

• Drastically improved performance for NativeTimelessTracer

• Updates to contexts

  • Tracking changed registers in changed_registers

  • Auto highlighting changed registers when printing cpu context

  • Consolidated and simplified handling of CPU contexts

• Lookups of the form “mod:sym:offset” work now

• New LocalDevice class

• Bunch of restructuring to eventually support multiple engines

Version 0.16

• Initial NativeTimelessTracer implementation is here! For more information, checkout NativeTimelessTracer

• Exposed frida’s on_enter() to allow for more easily monitoring functions rather than replacing them

• Overhaul of Telescope

  • Implemented int/hex/bitand and rshift

  • Telescopes are now implemented via hash consing. This is drastically reduces the memory utilization when using the new NativeTimelessTracer.

  • Refactor of underlying js code for handling telescoping

• CPU Contexts now handle and print telescoping register values

• NativeException now telescopes the CPU reigsters when returning an exception

• Updated travis tests to enable testing on Android 10

• Updated coveralls to merge results

Version 0.15

• Implemented ability to call native function in it’s own thread, instead of from frida’s core thread

  • This will be done transparently, but can be done manually by calling revenge.memory.MemoryBytes._call_as_thread()

• Implemented Techniques to make common sets of actions more generic

• InstructionTracer is now NativeInstructionTracer

• NativeInstructionTracer now supports two new options

  • include_function allows you to specify a specific function to trace. This will cause revenge to ignore any trace before or after that function call.

  • exclude_ranges allows you to specify ranges of memory to be ignored from the trace

• Created NativeError class to generically handle errno.

• Technique mixin now also has optional method of _technique_code_range() that will get passed any known revenge/frida specific code ranges that can be ignored

• Thread changes

  • Implemented join() to allow for retrieving thread exit codes

  • Threads will now have pthread_id attribute if they were spawned on Linux.

  • Bugfix in create()

• Implemented batch_send js include to make it easier to handle pushing lots of data back

Version 0.14

• argv and envp options added to Process spawning

• Added revenge.threads.Threads.create() to simplify kicking off a thread

• Simplified symbol resolution, you can now use process.memory['symbol'] directly as well as process.memory['symbol+offset']

• threads is now a submodule

• Can now create dummy thread for hidden Frida thread

• CPUContexts have been moved to revenge.cpu.contexts

• Tracer assembly has been moved to revenge.cpu.assembly

Version 0.13

• Implemented Frida’s new CModule support as create_c_function().

  • Also added support to make calling dynamic functions easier by passing them as kwargs to the constructor. See examples in code doc.

• Added js_include option to run_script_generic() to enable javascript library/code reuse type things

• Implemented telescope.js and Telescope for initial telescoping variable support

• revenge.device_types is now called devices.

• Added quit() to enable closing the process explicitly.

• Travis test cases are a bit more stable now.

• Implemented _from_frida_find_json() to allow for loading of MemoryRange objects directly from Frida json.

Version 0.12

• Added __call__ to Symbol allowing for symbol() function call directly from the symbol class.

• Added Symbol memory() as a shortcut to get the MemoryBytes object for said symbol.

• Implemented new type for Struct. It’s now much easier to both define, set, and read memory structures.

• Implemented Memory __setitem__, allowing for setting memory implicitly based on type. Example:

  process.memory[0x12345] = types.Int16(5)
  

• Implemented MemoryBytes cast(), allowing for more programmatic retrieval based on type.

• Stability improvements

Version 0.11

• Updated revenge.threads.Threads.__repr__() to use descriptive addresses

• Added 0.5 second cache to Modules to improve performance.

• Many updates to revenge.tracer.instruction_tracer.Trace.__str__() to improve readabiliy (descriptive addrs, indentation, programmatic spacing)

• Implemented plt() to identify the base of the Procedure Lookup Table in ELF.

• Implemented and incorporated GOT and PLT symbols into symbols(). They will also now resolve on traces i.e.: symbol[‘got.printf’] or symbol[‘plt.printf’]

• Symbols returned from symbols() are now actually an object: Symbol.

• Updated slice for Trace so that trace[:12], for instance, now returns a new Trace object with those instructions instead of just a list.

• entrypoint_rebased no longer exists. Now, just use entrypoint()

• Tests/docs updates

Version 0.10

• Added revenge.memory.MemoryBytes.argument_types() to allow a single or list/tuple of argument types for the function

• Added revenge.memory.MemoryBytes.replace() javascript string option. Now, you also have the option to set the replace to a javascript string that will replace the given function.

• Added original global variable for MemoryBytes.replace to allow you to more easily chain a call into the original native function.

• Aliased revenge.memory.MemoryBytes.implementation() to MemoryBytes.replace to standardize the naming convention with JavaClass.implementation.