Scylla Imports Reconstruction

View File Scylla Imports Reconstruction Source Scylla - x64/x86 Imports Reconstruction ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support full unicode support written in C/C++ plugin support works great with Windows 7 This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system. But it may work with XP and Vista, too. Source code is licensed under GNU GENERAL PUBLIC LICENSE…

I have made little research why ImpRec/Scylla sometimes cant redirect calls/jmp into new created IAT. Different reason for imprec and scylla.

Hello friends, I've created a Scylla plugin using the reference implementations for other packers. Does anyone have any recommendations for debugging the dll? I can't seem to break on the dll when it's injected to view it in Olly. More preferably, is there any way to debug it while in visual studio? I've not had any experience in debugging dlls in general, so any help is appreciated.

Hello, I have a problem with Scylla because Scylla cant find direct imports everytime no matter what I do I get information "Found 0 possible direct imports with 0 unique APIs!". I have try many targets, different Scylla versions and different OS and everytime is the same... I guess I am making something stupid but maybe you guys can point me whats wrong... below example: 004013A0 .- E9 9D78F67D JMP 7E368C42 ; user32.KillTimer 004013A5 FF DB FF 004013A6 .- E9 F17BF67D JMP 7E368F9C ; user32.GetSystemMetrics 004013AB FF DB FF 004013AC $- E9 45D5F77D JMP 7E37E8F6 ; user32.LoadIconA 004013B1 …

This is the last version for at least a week now, I promise Main difference between v0.6 is the more powerful disassembler. Can be accessed via Misc -> Disassembler. Try right click -> Follow...

https://github.com/GautamGreat/Scylla_Delphi_Plugin

I've tried all Import Reconstructors UIF (this one finds alot of imports but not helpful). Scylla ImpRec Imports Fixer 1.6 CHImpREC none of them can get me user32.dll from my target.. I rely on the IAT AutoSearch and even if it finds it, it comes out as a invalid thrunk. ImpRec 1.7f is the closest for me gets almost all imports just important ones I need are invalid.. Scylla x86 v0.9.8 gets crazy size for Imports when doing IAT AutoSearch.. like 0x68206c.. i let it run for 2 hours and its missing Autotrace so it doesn't fix the invalid…

Hello Guys, Recently I tried to build the scylla source from git, which unfortunately I was unsuccessful. I am trying to build it in visual studio 2013. Would someone guide me to do it right. Problem: I have upgraded the project to vs2013 and build it. But it won't fix the file properly, the dump doesn't work [which would work if fixed otherwise from the released scylla binary.] Solution Requested: 1. Correct GIT command to sync the project properly to local drive. 2. Additional advice to make the correct build on vs2013. Regards, Ben

I am unpacking AvaFind.exe, but scylla is getting wrong va and size via IAT autosearch. But when i try imprec it resolves correct address and size. Tried looking into scylla code but could not understand the issue. AvaFind.exe

Hi, there~ I just got a problem when using Scylla_x86.dll to dump a running process via C code. And here's the code. // read PEB address; PPEB peb = (PPEB)calloc(sizeof(PEB), 1); if (!ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp)) { peb = (PPEB)calloc(m_dwTemp, 1); ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp); } HMODULE m_hModule_Remote = peb->ImageBaseAddress; free(ProcessBasic); ProcessBasic = 0; free(peb); peb = 0; // read pe header LPVOID m_pMemory_Remote = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_READWRITE); if (!ReadProcessMemory(hProcess…

New versions will be announced here. https://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/ https://github.com/NtQuery/Scylla I really recommend to update due to the bug fixes. Direct import scanner fix methods: - Normal: Patch memory with jmp/call only - Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file I also found some weird thing in Windows 7 x64. I don't know yet why this happens: Maybe this is AV related.

i cant understand how to use scylla a i cant find information about it

Hello. So I am unpacking some random stuff and found out a way to fix redirection. My question is - using scylla_wrapper APIs https://bitbucket.org/cypherpunk/scylla_wrapper_dll , how can I solve redirection on my binary? I.E. - I should walkthrough the binary (find API redirection calls, ez), then add to imports the emulated API - but then how can I know the IAT offset so that my API redirection call calls the IAT instead of the redirection code?. Tnx Btw auto importName = scylla_findImportNameByWriteLocation(0x00007FF87FAE8020); //Takes forever scylla_addImport(L"MessageBoxA", 0x00007FF87FAE8020); //just crashes

Hello, This is the first time I try to compile Scylla from source. However I could not find the Scylla_xxx.dll in build folder, only exe I could find. I use VSC++ 2015. Is there any additional step to make the dll files? Thank you.

hi I was using version 0.98 scylla. find some invalid imported,can auto trace the invalid imported? just like import rec [auto trace] or who can tell me how to use? thanks

I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginner still think that ImpREC works on Windows 7, this is simply not true. Here is a prove screenshot. The test application is a simple C++ application not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation just see for yourself. (Download the .zip for better resolution) compare_ir_.zip

Hi, I'm using v0.9.8 of Scylla. I found that Scylla changes the flags of .rdata section. Most time the original one is 0x40000040 but it gets changed to 0xC0000040. I experienced this with many application. Because some MSVC apps checks the flags of .rada, I have to fix that by hand or other tools. Does anyone here have same problem?

Hello. I've been using scylla for ages but today i encountered a very strange problem. The target is improting 3 APIs from "shlwapi.dll", and scylla shows one as "shlwapi.dll" correctly, and second with third as something like "api-ms-win-down..." and afetr dumping it says this dll does not exist. Well i checked the addresses myself and indeed all 3 functions are inside shlwapi.dll. Where is that problem coming from? Greetz

It is possible to make the unpacking Themida using Scylla rather than StrongOD?

Hi, I used Scylla 0.9.7c to dump an exe and then fix it, however I'm having trouble getting the exe to work. I'm using the Exception Logger tool by codecracker to identify the exception that's not allowing the exe to work. It appears to be a System.BadImageFormatException. The exception message is "Could not load file or assembly 'program.exe' or one of its dependencies. The module was expected to contain an assembly manifest.". Any idea what's causing the error and how to fix it?

Hi, I was using version 9.7c (don't jump on me to tell me 9.8 is released, I know !) and noticed that when listing a lot of imports (most of them are invalid), the app takes a lot of time. Same goes when trying to delete/cut a lot of thunks. So, I though it would be better to add "Disable listing" option to make the app faster in case it faces a lot of wrong pointers. BTW, 9.8 doesn't find these invalid pointers, but let's say that one can exploit this to trick 9.8 as well !

Hi, I create a plugin that use api ScyllaDumpProcessW,ScyllaIatSearch,ScyllaIatFixAutoW and ScyllaRebuildFileW to dump process. First time,the process was dumped correctly.but the next try failed. I have traced a little and found that it was 'ScyllaIatSearch' which crash OllyDbg. And I captured a video as the attatchment include the source code and the binary dll PS: Just FreeLibrary when using done. Thanks MT.

Scylla app is freezed when i press on get imports and windows 8 cant find all the iat address, some of them are wrong There are multiple bugs i noticed in scylla 1) some of the packers i tryed to get imports made the application freezed(i would attach some unpackme's later for it) 2) in windows 8 it cant find all the iat functions, some of the iat functions are wrong, but when you do the same on windows 7 and xp it works fine the second problem is detected in impreq aswell Here are the samples you could try https://tuts4you.com/download.php?view.971- nspack https://tuts4you.com/download.php?view.1075- eXPressor 1.2.0 - on this sample if i remem…

Hi. I recently discovered a new bug. The IAT is not located correct in both 0.9.7b and 0.9.7c Here is a video attached and the unpackme. 0.9.7.c_DotFix_3.7_IAT_Error.7z

member @GIV at this topic posted aunpackme that causes to crash im have debugged it and found it happen in this function: bool IATSearch::findIATStartAndSize(DWORD_PTR address, DWORD_PTR * addressIAT, DWORD * sizeIAT) in this code: dataBuffer = new BYTE[baseSize * (sizeof(DWORD_PTR)*3)]; if (!dataBuffer) return false; fix: dataBuffer = new (std::nothrow) BYTE[baseSize * (sizeof(DWORD_PTR)*3)]; if (!dataBuffer) return false;