Scylla Imports Reconstruction
Development and support forum for the Scylla project...
61 topics in this forum
-
Scylla Imports Reconstruction Source
by Aguila- 14 replies
- 28.5k views
View File Scylla Imports Reconstruction Source Scylla - x64/x86 Imports Reconstruction ImpREC, CHimpREC, Imports Fixer... these are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support; full unicode support; written in C/C++; plugin support; works great with Windows 7. This tool was designed to be used with Windows 7 x64, so it is recommended to use this operating system. But it may work with XP and Vista, too. Source code is licensed under GNU GENERAL PUBLIC LICENSE…
-
Bug in rebuilding IAT
by mudlord- 1 follower
- 30 replies
- 17.1k views
Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1. Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT. Error message in target is: OS is Windows 7, x64 SP1
-
Version 0.7 Beta
by Aguila- 1 follower
- 28 replies
- 30.3k views
This is the last version for at least a week now, I promise. Main difference between v0.6 is the more powerful disassembler. Can be accessed via Misc -> Disassembler. Try right click -> Follow...
-
- 28 replies
- 23.1k views
I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginners still think that ImpREC works on Windows 7, this is simply not true. Here is a proof screenshot. The test application is a simple C++ application, not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation, just see for yourself. (Download the .zip for better resolution) compare_ir_.zip
-
Scylla IAT fix functions as DLL/Lib
by cypher- 27 replies
- 22k views
Hey there, as the available Scylla DLL by Aguila only supports dumping and I needed a good IAT fixing DLL/Lib, I made a wrapper around the Scylla source. Also because the available ImpRec DLL isn't as easy to use as I wished. Check out the source on BitBucket https://bitbucket.org/cypherpunk/scylla_wrapper_dll or grab attached binaries: Debug x86, Release x86, Debug x64, Release x64. It's based on latest Scylla source. Basically it mimics all steps you do in the GUI version but also offers more detailed control if you need it. Features: IAT AutoSearch; reading Imports; validating Imports; cutting Imports (if the corresponding module would be empty, it's cut too…
-
Scylla Feature Requests
by Aguila- 22 replies
- 10.7k views
What new features do you like/need in such a tool? My plan is: - code scanner (e.g. find direct apis) - better dump engine - save/load import tree - GUI improvements - improve IAT Search - Some Options + options dialog - ImpREC plugin support Things I won't implement: - Hexeditor (Winhex, HxD) - PE Editor (CFF Explorer is perfect)
-
- 19 replies
- 7.9k views
I'm currently working on Scylla and I want to implement a direct import scanner. It would be nice if we could collect the different direct import implementations of protectors. For example:
eXPressor: 5 byte CALL 0xFFFFFFFF + 1 byte bogus value
Themida/Winlicense: 5 byte JMP 0xFFFFFFFF + 1 byte bogus value
Are there any more?
-
Version 0.6 Beta
by Aguila- 17 replies
- 16.9k views
Here is a new beta version of Scylla. Please test it. Changelog: - Dump memory feature - Bugfixes - Many core and source code improvements Beta 3: http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322
-
- 15 replies
- 8.9k views
In short. Target has been protected with Armadillo 9.60 custom build. Protection options: 1. DebugBlocker 2. CodeSplicing 3. IAT Elimination. I made a video of the problem. From the video I skipped the unpacking process and I'm at the OEP with DebugBlocker passed, IAT fixed, Splices removed. When I try to dump and fix with Scylla I get a nonworking dump (same with ImpRec) but when I try to fix with ImportsFixer the dump is running fine. Here is the video and the packed file. I have wondered many times what could be wrong...what I have failed to do... but in an apotheotic end was the dumping tool. Hope to get a solution for this problem. Scy…
-
Scylla Imports Reconstruction
by Aguila- 1 follower
- 13 replies
- 11k views
OllyDbg 2 is here with improved Windows 7 support, so how about a new imports reconstructor tool? ImpREC, CHimpREC, Imports Fixer... these are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support; full unicode support (probably some Russian or Chinese will like this :-) ); written in C/C++; plugin support; works great with Windows 7. And the best: this tool will be open-source soon. First, I need to improve the code design. Currently there are only 2 plugins (PECompact, PESpin x64) in this release, full sourcecode for both is include…
-
Weird problem with Scylla x86
by Pancake- 12 replies
- 10.4k views
Hello. I've been using Scylla for ages but today I encountered a very strange problem. The target is importing 3 APIs from "shlwapi.dll", and Scylla shows one as "shlwapi.dll" correctly, and second with third as something like "api-ms-win-down..." and after dumping it says this dll does not exist. Well I checked the addresses myself and indeed all 3 functions are inside shlwapi.dll. Where is that problem coming from? Greetz
-
- 12 replies
- 9.6k views
Scylla app freezes when I press on get imports and Windows 8 can't find all the IAT addresses, some of them are wrong. There are multiple bugs I noticed in Scylla: 1) some of the packers I tried to get imports from made the application freeze (I would attach some unpackmes later for it) 2) in Windows 8 it can't find all the IAT functions, some of the IAT functions are wrong, but when you do the same on Windows 7 and XP it works fine. The second problem is detected in ImpREC as well. Here are the samples you could try: https://tuts4you.com/download.php?view.971- nspack https://tuts4you.com/download.php?view.1075- eXPressor 1.2.0 - on this sample if i remem…
-
Scylla Version Announcements
by Aguila- 12 replies
- 19.7k views
New versions will be announced here. https://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/ https://github.com/NtQuery/Scylla I really recommend to update due to the bug fixes. Direct import scanner fix methods: - Normal: Patch memory with jmp/call only - Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file I also found some weird thing in Windows 7 x64. I don't know yet why this happens: Maybe this is AV related.
-
Scylla as DLL/EXE Version
by Aguila- 11 replies
- 10.4k views
I found a solution to create single binary that works as dll and exe. I don't know if there are any side effects. Somebody has a better solution? This is the entrypoint function:
extern "C" BOOL WINAPI _CRT_INIT(HINSTANCE HinstDLL, DWORD FdwReason, LPVOID LpReserved);
BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if ((fdwReason == DLL_PROCESS_ATTACH && lpReserved == NULL) || fdwReason == DLL_THREAD_ATTACH)
    {
        if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved))
        {
            return(FALSE);
        }
    }
    else if ((fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) || fdwReason == DLL_THREAD_DETACH)
    {
        if (!_CRT_INIT(hinstDLL, fdwReason, lpRese…
-
- 11 replies
- 7.7k views
Hello, I have a problem with Scylla because Scylla can't find direct imports. Every time, no matter what I do, I get the information "Found 0 possible direct imports with 0 unique APIs!". I have tried many targets, different Scylla versions and different OS and every time it is the same... I guess I am making something stupid but maybe you guys can point me to what's wrong... below example:
004013A0 .- E9 9D78F67D JMP 7E368C42 ; user32.KillTimer
004013A5 FF DB FF
004013A6 .- E9 F17BF67D JMP 7E368F9C ; user32.GetSystemMetrics
004013AB FF DB FF
004013AC $- E9 45D5F77D JMP 7E37E8F6 ; user32.LoadIconA
004013B1 …
-
Version 0.8
by Aguila- 10 replies
- 8.8k views
I just uploaded a new version here: http://forum.tuts4yo...reconstruction/ new source is here: http://forum.tuts4yo...ruction-source/ But the most recent source is always here: https://github.com/NtQuery/Scylla If you download the files from any other source, please use the checksums to verify the binaries! …
-
Bug When Fixing Dump
by waliedassar- 10 replies
- 9.6k views
It seems that Scylla has a bug when trying to fix a dump with an unusual SizeOfOptionalHeader value. For example (with Scylla 0.6): If the PE has the "SizeOfOptionalHeader" field set to 0x148 and the "NumberOfRvaAndSizes" field set to 0x1D, Scylla sets the "NumberOfRvaAndSizes" to 0x10 but leaves the "SizeOfOptionalHeader" field as it is and this is why the fixed dump is rejected by PE loader. Scylla 0.7 beta: If the PE has the "SizeOfOptionalHeader" field set to 0x148 and the "NumberOfRvaAndSizes" field set to 0x1D, Scylla moves the section table just after the 16th data directory without modifying the "SizeOfOptionalHeader" field. It should do the reverse, set the "Si…
-
Fixed Scylla 0.9.7b
by DMichael- 10 replies
- 10.4k views
I have made a quick patch till Aguila itself will fix the issues I mentioned here: https://forum.tuts4you.com/topic/36570-found-the-crash-bug/ https://forum.tuts4you.com/topic/36559-found-the-freeze-bug/ Scylla_x86.rar
-
Scylla cannot resolve user32.dll Imports
by pkedpker- 9 replies
- 8.8k views
I've tried all Import Reconstructors: UIF (this one finds a lot of imports but not helpful), Scylla, ImpRec, Imports Fixer 1.6, CHImpREC. None of them can get me user32.dll from my target.. I rely on the IAT AutoSearch and even if it finds it, it comes out as an invalid thunk. ImpRec 1.7f is the closest for me, gets almost all imports, just important ones I need are invalid.. Scylla x86 v0.9.8 gets crazy size for Imports when doing IAT AutoSearch.. like 0x68206c.. I let it run for 2 hours and it's missing Autotrace so it doesn't fix the invalid…
-
- 9 replies
- 9.9k views
Hi. I recently discovered a new bug. The IAT is not located correctly in both 0.9.7b and 0.9.7c. Here is a video attached and the unpackme. 0.9.7.c_DotFix_3.7_IAT_Error.7z
-
- 1 follower
- 9 replies
- 21k views
Hi again. Today I have one problem following a LCF-AT tutorial in unpacking a Themida target. One API, even though it is ok in the unpackme (TlsSetValue) in Kernel32, when the IAT is rebuilt via Scylla the API is put in oleaut32. The dump in consequence will not start. I put in attach all the things needed and a video of the problem. I did not do something alright or? See ya! TheMida v2.1.8.0 UnpackMe.7z
-
Scylla + Overlapped Headers
by waliedassar- 8 replies
- 11.1k views
If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the windows PE loader. http://uploadpic.org...p?img=BdtSYOk9l This is due to Scylla moving the IMAGE_NT_HEADERS at offset 0x40 without updating the "e_lfanew" field. This was tested with Scylla v0.7 beta 7. Best Regards Waliedassar
-
EP not set
by deepzero- 7 replies
- 6.8k views
hi, a minor issue: when scylla is used to iat-fix a file, it will not set the OEP of the file to the value given in the "OEP:" textbox. d.
-
bug in "pick dll" operation
by nullRd- 7 replies
- 6.9k views
To see this bug yourself - grab any process (e.g. firefox.exe), then press "pick DLL" button. Then choose any module (e.g. kernel32.dll). Now press "IAT Autosearch" and "Get Imports". This is what I've got: 1. picked module - kernel32.dll 2. resolved imports still belong to main module... 3. ..but their RVA is calculated relative to base of selected module! Bug tested on XPSP3, W7x64, Scylla ver 0.9.1 x32, x64
-
Little problem
by GIV- 7 replies
- 10.6k views
Hi and sorry to bother. I tried by chance to unpack a PCGuard 5.xx unpackme. Scylla dumps and rebuilds the imports but the import table is kinda messed up. Imports Fixer does the job ok though. Have I used wrong settings or what? Here is a video in attach with the unpackme to take a look. Thank you! Question.7z