Scylla Imports Reconstruction
Development and support forum for the Scylla project...
61 topics in this forum
-
Scylla Imports Reconstruction Source
by Aguila- 14 replies
- 28.5k views
View File Scylla Imports Reconstruction Source Scylla - x64/x86 Imports Reconstruction ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support full unicode support written in C/C++ plugin support works great with Windows 7 This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system. But it may work with XP and Vista, too. Source code is licensed under GNU GENERAL PUBLIC LICENSE…
-
Version 0.7 Beta 1 2
by Aguila- 1 follower
- 28 replies
- 30.7k views
This is the last version for at least a week now, I promise Main difference between v0.6 is the more powerful disassembler. Can be accessed via Misc -> Disassembler. Try right click -> Follow...
-
scylla is getting wrong va and size.
by HellRaider- 4 replies
- 27.8k views
I am unpacking AvaFind.exe, but scylla is getting wrong va and size via IAT autosearch. But when i try imprec it resolves correct address and size. Tried looking into scylla code but could not understand the issue. AvaFind.exe
-
- 28 replies
- 23.1k views
I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginner still think that ImpREC works on Windows 7, this is simply not true. Here is a prove screenshot. The test application is a simple C++ application not packed/protected. Scylla is the only tool which can rebuild the IAT correctly. I guess this doesn't need any explanation just see for yourself. (Download the .zip for better resolution) compare_ir_.zip
-
Scylla IAT fix functions as DLL/Lib 1 2
by cypher- 27 replies
- 22k views
Hey there, as the available Scylla DLL by Aguila only supports dumping and I needed a good IAT fixing DLL/Lib, I made a wrapper around the Scylla source. Also because the available ImpRec DLL isnt such as easy to use as I wished. Check out the source on BitBucket https://bitbucket.org/cypherpunk/scylla_wrapper_dll or grab attached binaries: Debug x86 Release x86 Debug x64 Release x64 Its based on latest Scylla source. Basically it mimics all steps you do in the GUI version but also offers more detailed control if you need it. Features: IAT AutoSearch reading Imports validating Imports cutting Imports (if the corresponding module would be empty, its cut too…
-
- 1 follower
- 9 replies
- 21k views
Hi again. Today i have one problem following a LCF-AT tutorial in unpacking a Themida target. One API even is ok in the unpackme (TlsSetValue) in Kernel32 when the IAT is rebuilded via Scylla the API is put in oleaut32. the dump in consequence will not start. I put in attach all the things needed and a video of the problem. I did not do something alright or? See ya! TheMida v2.1.8.0 UnpackMe.7z
-
Scylla Version Announcements
by Aguila- 12 replies
- 19.7k views
New versions will be announced here. https://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/ https://github.com/NtQuery/Scylla I really recommend to update due to the bug fixes. Direct import scanner fix methods: - Normal: Patch memory with jmp/call only - Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file I also found some weird thing in Windows 7 x64. I don't know yet why this happens: Maybe this is AV related.
-
Version 0.6 Beta
by Aguila- 17 replies
- 17.3k views
Here is a new beta version of Scylla. Please test it. Changelog: - Dump memory feature - Bugfixes - Many core and source code improvements Beta 3: />http://forum.tuts4you.com/topic/28627-version-06-beta/page__view__findpost__p__135322
-
Bug in rebuilding IAT 1 2
by mudlord- 1 follower
- 30 replies
- 17.1k views
Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1. Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT. Error message in target is: OS is Windows 7, x64 SP1
-
- 0 replies
- 15.2k views
OS=XP SP3 = X86 The Scylla application crash on IAT search moment. Attached is the unpackme and A video witch describe the error. Scylla_Error_PEP_UnpackME_5.0.0.7z
-
- 2 replies
- 14.2k views
Hello, This is the first time I try to compile Scylla from source. However I could not find the Scylla_xxx.dll in build folder, only exe I could find. I use VSC++ 2015. Is there any additional step to make the dll files? Thank you.
-
exception error
by ByteReverser- 5 replies
- 13.8k views
exception error while unpacking upx
-
v0.98 can auto trace the invalid imported?
by testct01- 3 replies
- 12.3k views
hi I was using version 0.98 scylla. find some invalid imported,can auto trace the invalid imported? just like import rec [auto trace] or who can tell me how to use? thanks
-
scylla
by lazerman- 0 replies
- 12.2k views
i cant understand how to use scylla a i cant find information about it
-
Scylla APIs Confusion.
by xSRTsect- 0 replies
- 11.5k views
Hello. So I am unpacking some random stuff and found out a way to fix redirection. My question is - using scylla_wrapper APIs https://bitbucket.org/cypherpunk/scylla_wrapper_dll , how can I solve redirection on my binary? I.E. - I should walkthrough the binary (find API redirection calls, ez), then add to imports the emulated API - but then how can I know the IAT offset so that my API redirection call calls the IAT instead of the redirection code?. Tnx Btw auto importName = scylla_findImportNameByWriteLocation(0x00007FF87FAE8020); //Takes forever scylla_addImport(L"MessageBoxA", 0x00007FF87FAE8020); //just crashes
-
Scylla + Overlapped Headers
by waliedassar- 8 replies
- 11.2k views
If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the windows PE loader. http://uploadpic.org...p?img=BdtSYOk9l This is due to Scylla moving the IMAGE_NT_HEADERS at offset 0x40 without updating the "e_lfanew" field. This was tested with Scylla v0.7 beta 7. Best Regards Waliedassar
-
Scylla Imports Reconstruction
by Aguila- 1 follower
- 13 replies
- 11k views
OllyDbg 2 is here with improved Windows 7 support, so how about a new imports reconstructor tool? ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job. Scylla's key benefits are: x64 and x86 support full unicode support (probably some russian or chinese will like this :-) ) written in C/C++ plugin support works great with Windows 7 And the best: this tool will be open-source soon. First, I need to improve the code design. Currently there are only 2 plugins (PECompact, PESpin x64) in this release, full sourcecode for both is include…
-
Little problem
by GIV- 7 replies
- 11k views
Hi and sorry to bother. I tried by chance to unpack a PCGuard 5.xx unpackme. Scylla dumps and rebuild the imports but the import table is kinda messed up. Imports fixer do the job ok though. I have used a wrong settings or what? Here is a video in attach with the unpackme to take a look. Thank you! Question.7z
-
Scylla Feature Requests
by Aguila- 22 replies
- 10.8k views
What new features do you like/need in a such a tool. My plan is: - code scanner (e.g. find direct apis) - better dump engine - save/load import tree - GUI improvements - improve IAT Search - Some Options + options dialog - ImpREC plugin support Things I won't implement: - Hexeditor (Winhex, HxD) - PE Editor (CFF Explorer is perfect)
-
DLL injection
by mm10121991- 1 reply
- 10.5k views
hello did anyone tried dll injection with last version scylla x86 0.7 it always hang trying loading dll.
-
Fixed Scylla 0.9.7b
by DMichael- 10 replies
- 10.4k views
i have made aquick patch till Aguila it self will fix the issues i mentioned here: https://forum.tuts4you.com/topic/36570-found-the-crash-bug/ https://forum.tuts4you.com/topic/36559-found-the-freeze-bug/ Scylla_x86.rar
-
Scylla as DLL/EXE Version
by Aguila- 11 replies
- 10.4k views
I found a solution to create single binary that works as dll and exe. I don't know if there are any side effects. Somebody has a better solution? This is the entrypoint function: extern "C" BOOL WINAPI _CRT_INIT(HINSTANCE HinstDLL, DWORD FdwReason, LPVOID LpReserved);BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { if ((fdwReason == DLL_PROCESS_ATTACH && lpReserved == NULL) || fdwReason == DLL_THREAD_ATTACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved)) { return(FALSE); } } else if ((fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) || fdwReason == DLL_THREAD_DETACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpRese…
-
Weird problem with Scylla x86
by Pancake- 12 replies
- 10.4k views
Hello. I've been using scylla for ages but today i encountered a very strange problem. The target is improting 3 APIs from "shlwapi.dll", and scylla shows one as "shlwapi.dll" correctly, and second with third as something like "api-ms-win-down..." and afetr dumping it says this dll does not exist. Well i checked the addresses myself and indeed all 3 functions are inside shlwapi.dll. Where is that problem coming from? Greetz
-
Scylla IAT AutoSearch
by Extreme Coders- 5 replies
- 10.3k views
The other day I was testing an Asprotect 1.2 target. Imprec 1.7e IAT Autosearch function successfully locates the IAT. ( Size 0x55C ) However Scylla v0.9.6b Autosearch fails. (Size : Garbage value ) See the image for comparsion. Imprec Scylla
-
New Feature
by mm10121991- 4 replies
- 10.2k views
Hello Aguila Can you Add support to memory loaded Dll : Dll That are in memory but not loaded via LoadLibrary can you Add feature to fix the import table of those dll given the Dll Base Address.
