Scylla Imports Reconstruction
Development and support forum for the Scylla project...
61 topics in this forum

Scylla Imports Reconstruction Source
by Aguila, 14 replies, 28.5k views
Scylla - x64/x86 Imports Reconstruction. ImpREC, CHimpREC, Imports Fixer... these are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are:
- x64 and x86 support
- full Unicode support
- written in C/C++
- plugin support
- works great with Windows 7
This tool was designed to be used with Windows 7 x64, so it is recommended to use this operating system. But it may work with XP and Vista, too. Source code is licensed under GNU GENERAL PUBLIC LICENSE…

1 reply, 7.2k views
Hello guys, recently I tried to build the Scylla source from git, which unfortunately was unsuccessful. I am trying to build it in Visual Studio 2013. Would someone guide me to do it right? Problem: I have upgraded the project to VS2013 and built it, but it won't fix the file properly; the dump doesn't work [which would work if fixed otherwise with the released Scylla binary]. Solution requested: 1. The correct git command to sync the project properly to the local drive. 2. Additional advice to make a correct build on VS2013. Regards, Ben

0 replies, 7.9k views
Hi, I created a plugin that uses the API functions ScyllaDumpProcessW, ScyllaIatSearch, ScyllaIatFixAutoW and ScyllaRebuildFileW to dump a process. The first time, the process was dumped correctly, but the next try failed. I have traced a little and found that it was 'ScyllaIatSearch' which crashes OllyDbg. I captured a video as the attachment, including the source code and the binary DLL. PS: Just FreeLibrary when done using it. Thanks, MT.

[Suggestion] IDA ScyllaHide
by zadow, 2 replies, 7.3k views
I've been testing this great tool for about a week, and it gets the job done. I would like to throw in some suggestions. I would like the option to make a dump just like ScyllaHide for the x64 debugger version. Would come in handy when dealing with Enigma protection. I looked at the Scylla source but I only found the one for dumping memory sections. Also a suggestion to turn Scylla on/off, maybe I'm just picky. I know pretty much everything about IDA, so if you need some help, just ask. Regards, Zadow aka StormShadow

bug in "pick dll" operation
by nullRd, 7 replies, 7.1k views
To see this bug yourself: grab any process (e.g. firefox.exe), then press the "Pick DLL" button. Then choose any module (e.g. kernel32.dll). Now press "IAT Autosearch" and "Get Imports". This is what I've got:
1. picked module: kernel32.dll
2. resolved imports still belong to the main module...
3. ...but their RVA is calculated relative to the base of the selected module!
Bug tested on XP SP3 and W7 x64, Scylla ver 0.9.1 x32 and x64.

Bug in rebuilding IAT
by mudlord, 1 follower, 30 replies, 17.1k views
Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1. Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT. Error message in target is:
OS is Windows 7, x64 SP1

Bug When Fixing Dump
by waliedassar, 10 replies, 9.6k views
It seems that Scylla has a bug when trying to fix a dump with an unusual SizeOfOptionalHeader value. For example (with Scylla 0.6): if the PE has the "SizeOfOptionalHeader" field set to 0x148 and the "NumberOfRvaAndSizes" field set to 0x1D, Scylla sets "NumberOfRvaAndSizes" to 0x10 but leaves the "SizeOfOptionalHeader" field as it is, and this is why the fixed dump is rejected by the PE loader. Scylla 0.7 beta: if the PE has the "SizeOfOptionalHeader" field set to 0x148 and the "NumberOfRvaAndSizes" field set to 0x1D, Scylla moves the section table to just after the 16th data directory without modifying the "SizeOfOptionalHeader" field. It should do the reverse, set the "Si…
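The invariant behind this report: the loader finds the section table at the file header offset + 20 + SizeOfOptionalHeader, and the data directory array (8 bytes each) must fit inside SizeOfOptionalHeader after the fixed part of the optional header (0x60 bytes for PE32, 0x70 for PE32+; 0x60 + 0x1D*8 is exactly the 0x148 in the post). Trimming NumberOfRvaAndSizes to 16 is therefore only correct if SizeOfOptionalHeader shrinks to 0xE0 (PE32) or 0xF0 (PE32+) and the section table moves to the new end of the optional header in the same step. The following is an added C++ example written for this page, not Scylla's code: it performs that fix on an in-memory header, refuses headers whose directory array already does not fit, and builds its own constructed sample (a bare PE32 header with 0x1D directories and one section, no real code). The helper names are mine.

```cpp
// Added example (not Scylla's code): trim NumberOfRvaAndSizes to 16 while keeping
// SizeOfOptionalHeader and the section table position consistent with it.
// Assumes a little-endian host and the standard PE header layout.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace pefix {
using Bytes = std::vector<uint8_t>;
uint16_t rd16(const Bytes& b, size_t o) { uint16_t v; std::memcpy(&v, &b[o], 2); return v; }
uint32_t rd32(const Bytes& b, size_t o) { uint32_t v; std::memcpy(&v, &b[o], 4); return v; }
void wr16(Bytes& b, size_t o, uint16_t v) { std::memcpy(&b[o], &v, 2); }
void wr32(Bytes& b, size_t o, uint32_t v) { std::memcpy(&b[o], &v, 4); }
constexpr size_t kSectionHeaderSize = 40;
constexpr uint32_t kMaxDataDirs = 16;

// Offset of IMAGE_FILE_HEADER (just past "PE\0\0"), or 0 if the headers are not sane.
size_t fileHeaderOffset(const Bytes& img) {
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) return 0;                      // "MZ"
    size_t lfanew = rd32(img, 0x3C);
    if (lfanew + 24 > img.size() || rd32(img, lfanew) != 0x00004550) return 0;      // "PE\0\0"
    return lfanew + 4;
}

// Where the loader expects the section table: FileHeader + 20 + SizeOfOptionalHeader.
size_t sectionTableOffset(const Bytes& img) {
    size_t fh = fileHeaderOffset(img);
    return fh ? fh + 20 + rd16(img, fh + 16) : 0;
}

// False if the header is inconsistent (directory array does not fit in the optional
// header). If more than 16 directories are declared, shrinks SizeOfOptionalHeader,
// moves the section table up to the new end of the optional header and sets
// NumberOfRvaAndSizes to 16, all in one step so the two fields never disagree.
bool normalizeDataDirectories(Bytes& img) {
    size_t fh = fileHeaderOffset(img);
    if (!fh) return false;
    size_t opt = fh + 20;
    uint16_t numSections = rd16(img, fh + 2), optSize = rd16(img, fh + 16);
    if (optSize < 2 || opt + optSize > img.size()) return false;
    size_t fixed;                                   // optional header bytes before DataDirectory[]
    switch (rd16(img, opt)) {
        case 0x10B: fixed = 96;  break;             // PE32
        case 0x20B: fixed = 112; break;             // PE32+
        default:    return false;
    }
    if (optSize < fixed) return false;
    size_t nDirsOff = opt + fixed - 4;              // NumberOfRvaAndSizes is the last fixed field
    uint32_t nDirs = rd32(img, nDirsOff);
    if (fixed + (size_t)nDirs * 8 > optSize) return false;   // already broken: do not guess
    if (nDirs <= kMaxDataDirs) return true;         // nothing to trim
    size_t oldSect = opt + optSize;
    size_t newOptSize = fixed + kMaxDataDirs * 8;   // 0xE0 for PE32, 0xF0 for PE32+
    size_t newSect = opt + newOptSize;
    size_t sectBytes = (size_t)numSections * kSectionHeaderSize;
    if (oldSect + sectBytes > img.size()) return false;
    std::memmove(&img[newSect], &img[oldSect], sectBytes);
    std::memset(&img[newSect + sectBytes], 0, oldSect - newSect);   // wipe the stale copy
    wr16(img, fh + 16, (uint16_t)newOptSize);
    wr32(img, nDirsOff, kMaxDataDirs);
    return true;
}

// Name of the first section, located the way the loader does it.
std::string firstSectionName(const Bytes& img) {
    size_t s = sectionTableOffset(img);
    std::string name;
    if (!s || s + 8 > img.size()) return name;
    for (size_t i = 0; i < 8 && img[s + i]; ++i) name += (char)img[s + i];
    return name;
}

// Constructed sample, not a real file: PE32 headers declaring 0x1D data directories
// (SizeOfOptionalHeader = 0x60 + 0x1D*8 = 0x148) and one section named ".text".
Bytes buildSampleImage() {
    Bytes img(0x400, 0);
    wr16(img, 0, 0x5A4D);                           // e_magic "MZ"
    wr32(img, 0x3C, 0x80);                          // e_lfanew
    wr32(img, 0x80, 0x00004550);                    // "PE\0\0"
    size_t fh = 0x84, opt = fh + 20;
    wr16(img, fh + 0, 0x014C);                      // Machine: i386
    wr16(img, fh + 2, 1);                           // NumberOfSections
    wr16(img, fh + 16, 0x148);                      // SizeOfOptionalHeader
    wr16(img, opt, 0x10B);                          // PE32 magic
    wr32(img, opt + 92, 0x1D);                      // NumberOfRvaAndSizes
    std::memcpy(&img[opt + 0x148], ".text", 5);     // section table currently at 0x1E0
    return img;
}
} // namespace pefix

int main() {
    pefix::Bytes img = pefix::buildSampleImage();
    std::printf("before: section table at 0x%zx (%s)\n", pefix::sectionTableOffset(img), pefix::firstSectionName(img).c_str());
    bool ok = pefix::normalizeDataDirectories(img);
    std::printf("after:  ok=%d, section table at 0x%zx (%s)\n", ok, pefix::sectionTableOffset(img), pefix::firstSectionName(img).c_str());
    return ok ? 0 : 1;
}
```

On the sample the section table moves from 0x1E0 to 0x178 and SizeOfOptionalHeader becomes 0xE0; section PointerToRawData values need no change, since the headers block is padded to SizeOfHeaders anyway. A header that declares more directories than SizeOfOptionalHeader can hold is rejected rather than repaired, because there is no safe way to know which of the two fields is lying.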

19 replies, 7.9k views
I'm currently working on Scylla and I want to implement a direct import scanner. It would be nice if we could collect the different direct import implementations of protectors. For example:
eXPressor: 5 byte CALL 0xFFFFFFFF + 1 byte bogus value
Themida/Winlicense: 5 byte JMP 0xFFFFFFFF + 1 byte bogus value
Are there any more?
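Both patterns in the post replace the 6-byte indirect form (FF 15 disp32 = CALL [iat_slot], FF 25 disp32 = JMP [iat_slot]) with a 5-byte relative CALL/JMP straight to the API's address plus one filler byte, so the instruction stream keeps its length. A scanner can therefore find them by resolving every E8/E9 rel32 target and checking it against the known API addresses, and undo them by writing the indirect form back over all 6 bytes. The following is an added C++ example written for this page, not Scylla's code: a linear byte scan plus patcher over a constructed code buffer with made-up API and IAT addresses. A production scanner should disassemble instead of scanning bytes (Scylla builds against diStorm) so that E8/E9 bytes inside immediates or other instructions are not mistaken for calls.

```cpp
// Added example (not Scylla's code): find "direct imports", i.e. 5-byte CALL/JMP rel32
// straight to an API address followed by one filler byte, and rewrite them as the
// 6-byte CALL/JMP [iat_slot] form. Linear byte scan; a real scanner should disassemble
// (Scylla ships diStorm) to avoid hitting E8/E9 bytes inside other instructions.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <vector>

namespace directimp {
using Bytes = std::vector<uint8_t>;

struct Hit {
    size_t offset;      // byte offset of the CALL/JMP inside the scanned buffer
    uint8_t opcode;     // 0xE8 (CALL rel32) or 0xE9 (JMP rel32)
    uint32_t target;    // resolved API address the instruction transfers to
    uint32_t iatSlot;   // address of the IAT slot that holds that API address
};

uint32_t rd32(const Bytes& b, size_t o) { uint32_t v; std::memcpy(&v, &b[o], 4); return v; }

// apiToSlot maps an API's address to the IAT slot that (should) hold it.
// Only E8/E9 whose target is a known API address count; everything else is left alone.
std::vector<Hit> scan(const Bytes& code, uint32_t codeVA, const std::map<uint32_t, uint32_t>& apiToSlot) {
    std::vector<Hit> hits;
    for (size_t i = 0; i + 6 <= code.size(); ++i) {
        uint8_t op = code[i];
        if (op != 0xE8 && op != 0xE9) continue;
        uint32_t next = (uint32_t)(codeVA + i + 5);             // rel32 is relative to the next instruction
        uint32_t target = next + rd32(code, i + 1);             // wraps mod 2^32 like the CPU does
        auto it = apiToSlot.find(target);
        if (it == apiToSlot.end()) continue;                    // ordinary intra-module call/jmp
        hits.push_back({i, op, target, it->second});
    }
    return hits;
}

// FF 15 disp32 = CALL [disp32], FF 25 disp32 = JMP [disp32]. Both are 6 bytes, so the
// filler byte the protector added is consumed and no following code moves.
size_t patch(Bytes& code, const std::vector<Hit>& hits) {
    for (const Hit& h : hits) {
        code[h.offset] = 0xFF;
        code[h.offset + 1] = (h.opcode == 0xE8) ? 0x15 : 0x25;
        std::memcpy(&code[h.offset + 2], &h.iatSlot, 4);
    }
    return hits.size();
}

// --- constructed sample input (addresses are made up for the example) ---
struct Sample { Bytes code; uint32_t codeVA; std::map<uint32_t, uint32_t> apiToSlot; };

void emitRel32(Sample& s, uint8_t op, uint32_t target, uint8_t filler) {
    uint32_t next = s.codeVA + (uint32_t)s.code.size() + 5;
    uint32_t rel = target - next;
    s.code.push_back(op);
    uint8_t tmp[4]; std::memcpy(tmp, &rel, 4);
    s.code.insert(s.code.end(), tmp, tmp + 4);
    s.code.push_back(filler);
}

Sample buildSample() {
    Sample s;
    s.codeVA = 0x401000;
    const uint32_t kGetProcAddress = 0x7C80AE40, kMessageBoxA = 0x77D8050B;
    s.apiToSlot = {{kGetProcAddress, 0x402010}, {kMessageBoxA, 0x402014}};
    s.code.push_back(0x55);                                   // push ebp
    emitRel32(s, 0xE8, kGetProcAddress, 0xCC);               // eXPressor style: CALL api + filler
    emitRel32(s, 0xE8, s.codeVA + 0x20, 0x90);               // ordinary local call, then a NOP
    emitRel32(s, 0xE9, kMessageBoxA, 0x00);                  // Themida style: JMP api + filler
    s.code.push_back(0xC3);                                   // ret
    return s;
}
} // namespace directimp

int main() {
    directimp::Sample s = directimp::buildSample();
    std::vector<directimp::Hit> hits = directimp::scan(s.code, s.codeVA, s.apiToSlot);
    for (const directimp::Hit& h : hits)
        std::printf("%s at +0x%zx -> API %08X, IAT slot %08X\n", h.opcode == 0xE8 ? "CALL" : "JMP ", h.offset, h.target, h.iatSlot);
    std::printf("patched %zu direct imports\n", directimp::patch(s.code, hits));
    return 0;
}
```

On the sample the scan reports the CALL at +1 and the JMP at +13, leaves the local call at +7 alone, and after patching a second scan finds nothing. Note that the apiToSlot map is the hard part in practice: it has to be built from the imports Scylla already resolved, and if the protector removed the IAT slot entirely a new slot has to be allocated before the indirect form can point at anything.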

Crash on getting imports.
by mudlord, 6 replies, 6.2k views
Hi, ran into a bug on a target which is using a modified UPX. On getting the imports after autosearching for the IAT, Scylla crashes. I recall that on XP, ImpRec didn't have this problem. Not sure where to post the target since it is commercial, though. If it helps, I'm using OllyDump which was ported by AORE for Olly2. Using one of the standard UPX 3.04 crackmes crashes on fixing the dump, if that helps.

crash report
by DMichael, 1 reply, 7.3k views
It happened when I tried to dump. Version: 0.9

crash when dumping using Scylla_x64.dll GUI
by mrexodia, 2 replies, 6.9k views
After unpacking armadillo.exe (x64), dumping with Scylla_x64.dll (latest version) will generate the following exception message: http://rghost.net/53321438
---------------------------
Exception! Please report it!
---------------------------
ExceptionCode C0000005
ExceptionFlags 00000000
NumberParameters 00000002
ExceptionAddress VA 000007FEE9F38FA5
ExceptionAddress RVA 000007FDAABE8FA5
rax=0x0000000000000000, rbx=0x00000000091BFF40, rdx=0x0000000140000000, rcx=0x00000000091BFF78, rsi=0x0000000008D0E110, rdi=0x00000000091BFF40, rbp=0x0000000008D0DF30, rsp=0x0000000008D0DDD0, rip=0x000007FEE9F38FA5
---------------------------
OK
---------------------------
Greetings, Mr. eXoDia

Debugging Plugin DLL
by shift, 3 replies, 5.1k views
Hello friends, I've created a Scylla plugin using the reference implementations for other packers. Does anyone have any recommendations for debugging the DLL? I can't seem to break on the DLL when it's injected to view it in Olly. More preferably, is there any way to debug it while in Visual Studio? I've not had any experience in debugging DLLs in general, so any help is appreciated.

DLL injection
by mm10121991, 1 reply, 10.5k views
Hello, did anyone try DLL injection with the last version, Scylla x86 0.7? It always hangs trying to load the DLL.

Doubt
by Narsta, 1 reply, 8.1k views
Is it possible to unpack Themida using Scylla rather than StrongOD?

Dump process with wrong iat
by Scotch, 1 reply, 9.5k views
Hi there~ I just got a problem when using Scylla_x86.dll to dump a running process via C code. Here's the code:
// read PEB address
PPEB peb = (PPEB)calloc(sizeof(PEB), 1);
if (!ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp))
{
    peb = (PPEB)calloc(m_dwTemp, 1);
    ReadProcessMemory(hProcess, ProcessBasic->PebBaseAddress, peb, sizeof(PEB), &m_dwTemp);
}
HMODULE m_hModule_Remote = peb->ImageBaseAddress;
free(ProcessBasic); ProcessBasic = 0;
free(peb); peb = 0;
// read pe header
LPVOID m_pMemory_Remote = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if (!ReadProcessMemory(hProcess…

EP not set
by deepzero, 7 replies, 7k views
Hi, a minor issue: when Scylla is used to IAT-fix a file, it will not set the OEP of the file to the value given in the "OEP:" textbox. d.

exception error
by ByteReverser, 5 replies, 13.8k views
Exception error while unpacking UPX.

Fixed Scylla 0.9.7b
by DMichael, 10 replies, 10.6k views
I have made a quick patch until Aguila himself fixes the issues I mentioned here:
https://forum.tuts4you.com/topic/36570-found-the-crash-bug/
https://forum.tuts4you.com/topic/36559-found-the-freeze-bug/
Scylla_x86.rar

Fixing a DLL Dump Appends Exe...
by Teddy Rogers, 1 reply, 6.1k views
When fixing a DLL dump, Scylla (0.2?) appends .exe to the end of the file name. Also I noticed in Downloads it says Scylla 0.2a but the title bar and info state version 0.1...
http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/
Ted.

Fixing irregular IATs
by p0c, 3 replies, 9k views
First of all: thank you for that awesome project and for making it open source! Second: in case anyone has the same problem while trying to compile Scylla Imports Reconstruction, here are some hints. For x86, Visual Studio 10:
- Follow the instructions in Scylla\README-WTL; additionally:
- set Platform Toolset to v100 instead of v90 for all 3 projects
- Download distorm.package3.1 and unpack it in the diStorm directory.
- Open diStorm\include\distorm.h and comment out line 40 (#define SUPPORT_64BIT_OFFSET) to disable it (else I got linker errors)
- In "Linker --> Input --> Additional Dependencies" add: psapi.lib and Imagehlp.lib
Now to the main part of my post: imagine you have an IAT that…

Found the crash bug
by DMichael, 1 reply, 8k views
Member @GIV in this topic posted an unpackme that causes a crash. I have debugged it and found it happens in this function:
bool IATSearch::findIATStartAndSize(DWORD_PTR address, DWORD_PTR * addressIAT, DWORD * sizeIAT)
in this code:
dataBuffer = new BYTE[baseSize * (sizeof(DWORD_PTR)*3)];
if (!dataBuffer) return false;
fix:
dataBuffer = new (std::nothrow) BYTE[baseSize * (sizeof(DWORD_PTR)*3)];
if (!dataBuffer) return false;

Found the freeze bug
by DMichael, 0 replies, 6.7k views
I have debugged Scylla and found the reason for the freeze. It happens here:
void IATSearch::filterIATPointersList( std::set<DWORD_PTR> & iatPointers )
in this code:
while(erased) {
    iter = iatPointers.begin();
    lastPointer = *iter;
    iter++;
    for (; iter != iatPointers.end(); iter++) {
        if ((*iter - lastPointer) > 0x100) //check difference
        {
            if (isIATPointerValid(lastPointer, false) == false || isIATPointerValid(*iter, false) == false)
            {
                iter--;
                iatPointers.erase(iter);
                erased = true;…

I can't access process in other Drivers
by ahmadmansoor, 1 reply, 6.2k views
Check the picture please. Another thing: I think there is a problem in the list menu (PID) (name of process) (Path): the name of the process is not the same as the name in the path of the process:
08D0 PEID.exe C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\CorelDRW.exe
And it can't find the IAT when:
1- there is a separation in the IAT table:
0040xxxx kernel32 API
0040xxxx kernel32 API
0040xxxx kernel32 API
0040xxxx ...................
0040xxxx ...................
0040xxxx ...................
0040xxxx ...................
0040xxxx ...................
0040xxxx user32 API
0040xxxx user32 API
0040xxxx user32 API
2- can't f…
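The layout in the post (a run of kernel32 thunks, a gap, then user32 thunks) is the normal shape of an IAT: the linker terminates each DLL's thunk block with a null entry, and some protectors widen that gap further. An IAT finder that grows outward from one hit and stops at the first slot that does not resolve to an API will only ever report the block that contains the hit. The following is an added C++ example written for this page, not Scylla's code: it contrasts that naive walk with one that treats a bounded run of zero slots as a separator, on a constructed 32-bit data snapshot with made-up API addresses (in Scylla the set of valid API addresses comes from walking the loaded modules' exports). Function and parameter names are mine.

```cpp
// Added example (not Scylla's code): find the extent of an IAT from one known hit,
// comparing a naive walk that stops at the first zero with one that tolerates the
// null separators that sit between the thunks of different DLLs.
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

namespace iatscan {
struct Extent { uint32_t startVA; uint32_t sizeBytes; };   // sizeBytes == 0: not found

// Snapshot of a data region as 32-bit slots plus the set of addresses known to be
// exported API entry points (constructed here; Scylla derives it from loaded modules).
struct Snapshot {
    uint32_t baseVA;
    std::vector<uint32_t> slots;
    std::set<uint32_t> apiAddrs;
    bool isApi(uint32_t v) const { return apiAddrs.count(v) != 0; }
};

// Grow from the hit while every slot resolves to an API. A separator slot ends the
// walk, so only the DLL block containing the hit is reported.
Extent findNaive(const Snapshot& s, uint32_t hitVA) {
    size_t hit = (uint32_t)(hitVA - s.baseVA) / 4;
    if (hit >= s.slots.size() || !s.isApi(s.slots[hit])) return {0, 0};
    size_t lo = hit, hi = hit;
    while (lo > 0 && s.isApi(s.slots[lo - 1])) --lo;
    while (hi + 1 < s.slots.size() && s.isApi(s.slots[hi + 1])) ++hi;
    return {s.baseVA + (uint32_t)lo * 4, (uint32_t)(hi - lo + 1) * 4};
}

// Same walk, but up to maxZeroRun consecutive zero slots are treated as separators
// rather than as the end of the table. Any other non-API value still ends it, and
// leading/trailing zeros are trimmed so the extent begins and ends on a real thunk.
Extent findWithSeparators(const Snapshot& s, uint32_t hitVA, size_t maxZeroRun) {
    size_t n = s.slots.size();
    size_t hit = (uint32_t)(hitVA - s.baseVA) / 4;
    if (hit >= n || !s.isApi(s.slots[hit])) return {0, 0};
    auto ok = [&](size_t i) { return s.slots[i] == 0 || s.isApi(s.slots[i]); };
    size_t lo = hit, zeros = 0;
    while (lo > 0 && ok(lo - 1)) {
        zeros = s.slots[lo - 1] == 0 ? zeros + 1 : 0;
        if (zeros > maxZeroRun) break;
        --lo;
    }
    while (lo < hit && s.slots[lo] == 0) ++lo;                // trim leading separator
    size_t hi = hit;
    zeros = 0;
    while (hi + 1 < n && ok(hi + 1)) {
        zeros = s.slots[hi + 1] == 0 ? zeros + 1 : 0;
        if (zeros > maxZeroRun) break;
        ++hi;
    }
    while (hi > hit && s.slots[hi] == 0) --hi;                // trim trailing separator
    return {s.baseVA + (uint32_t)lo * 4, (uint32_t)(hi - lo + 1) * 4};
}

// Constructed sample (made-up addresses): three kernel32 thunks, one null separator,
// two user32 thunks, then a null terminator, padding and unrelated data.
Snapshot buildSample() {
    Snapshot s;
    s.baseVA = 0x402000;
    s.apiAddrs = {0x7C80AE40, 0x7C801D7B, 0x7C809BD7, 0x77D8050B, 0x77D80A0E};
    s.slots = {0xDEADBEEF, 0x00000000,                       // slots 0-1: junk, padding
               0x7C80AE40, 0x7C801D7B, 0x7C809BD7,           // slots 2-4: kernel32 block
               0x00000000,                                   // slot 5: separator
               0x77D8050B, 0x77D80A0E,                       // slots 6-7: user32 block
               0x00000000, 0x00000000, 0x00401000};          // slots 8-10: terminator, padding, junk
    return s;
}
} // namespace iatscan

int main() {
    iatscan::Snapshot s = iatscan::buildSample();
    uint32_t hit = s.baseVA + 3 * 4;                          // e.g. a CALL [0x40200C] seen in code
    iatscan::Extent a = iatscan::findNaive(s, hit), b = iatscan::findWithSeparators(s, hit, 1);
    std::printf("naive:      IAT at %08X, %u bytes\n", a.startVA, a.sizeBytes);
    std::printf("separators: IAT at %08X, %u bytes\n", b.startVA, b.sizeBytes);
    return 0;
}
```

On the sample the naive walk reports 12 bytes (kernel32 only) while the separator-aware walk reports the full 24 bytes from either block, and with maxZeroRun set to 0 it degrades to the naive answer. The bound on consecutive zeros matters: without it the walk would happily swallow a zero-filled page next to the IAT, which is exactly the kind of oversized "IAT" that later makes the fixed dump look wrong.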

Issues with fixing a malware dump
by LaBBaLa, 5 replies, 9.8k views
Hi, first let me say that this is looking like a great tool!!! I'm trying to fix a dump of an old malware (so please run it in an isolated VM). The malware is very easy to get to the OEP and your tool is finding the IAT very correctly, but since the application was virtually allocated into a different memory region your dump is wrong, and also when I dump it manually and try to fix, the fix is also done wrong. I have uploaded the malware here: http://www.mediafire.com/?uk1xa5xoo4mqolu password: infected. You will also need to change the file extension to *.exe instead of *.txt. There is a trick in the application that causes an access violation exception in Olly, that's because it regist…

Little problem
by GIV, 7 replies, 11k views
Hi and sorry to bother. I tried by chance to unpack a PCGuard 5.xx unpackme. Scylla dumps and rebuilds the imports but the import table is kinda messed up. Imports Fixer does the job OK though. Have I used wrong settings or what? Here is a video attached with the unpackme to take a look. Thank you! Question.7z