Scylla Imports Reconstruction

i have made aquick patch till Aguila it self will fix the issues i mentioned here: https://forum.tuts4you.com/topic/36570-found-the-crash-bug/ https://forum.tuts4you.com/topic/36559-found-the-freeze-bug/ Scylla_x86.rar

exception error while unpacking upx

i'm have debugged scylla and found the reason for frezee it happens here: void IATSearch::filterIATPointersList( std::set<DWORD_PTR> & iatPointers ) in this code: while(erased) { iter = iatPointers.begin(); lastPointer = *iter; iter++; for (; iter != iatPointers.end(); iter++) { if ((*iter - lastPointer) > 0x100) //check difference { if (isIATPointerValid(lastPointer, false) == false || isIATPointerValid(*iter, false) == false) { iter--; iatPointers.erase(iter); erased = true;…

When i try to fix a import on a simple ACProtect UnpackMe i get a Scylla crash. Here is a video of that (is not quite well made) and some info and files. Test.7z

OS=XP SP3 = X86 The Scylla application crash on IAT search moment. Attached is the unpackme and A video witch describe the error. Scylla_Error_PEP_UnpackME_5.0.0.7z

Hi again. Today i have one problem following a LCF-AT tutorial in unpacking a Themida target. One API even is ok in the unpackme (TlsSetValue) in Kernel32 when the IAT is rebuilded via Scylla the API is put in oleaut32. the dump in consequence will not start. I put in attach all the things needed and a video of the problem. I did not do something alright or? See ya! TheMida v2.1.8.0 UnpackMe.7z

Ive been testing this great tools about a week.And it does the jobb done. Ive would like to throw in some suggestions. I would like the option to to make a dump just like the Scullahide for the X64 debugger version. Would come in handy when dealing with Enigma protection. I looked at the Scylla source but i only found the one off dumping memory sections. Also suggestion to turn Scylla on/off maybe me just picky I know pretty much everything about ida , so if you need some help.just ask Regards Zadow aka StormShadow

The other day I was testing an Asprotect 1.2 target. Imprec 1.7e IAT Autosearch function successfully locates the IAT. ( Size 0x55C ) However Scylla v0.9.6b Autosearch fails. (Size : Garbage value ) See the image for comparsion. Imprec Scylla

Hey there, as the available Scylla DLL by Aguila only supports dumping and I needed a good IAT fixing DLL/Lib, I made a wrapper around the Scylla source. Also because the available ImpRec DLL isnt such as easy to use as I wished. Check out the source on BitBucket https://bitbucket.org/cypherpunk/scylla_wrapper_dll or grab attached binaries: Debug x86 Release x86 Debug x64 Release x64 Its based on latest Scylla source. Basically it mimics all steps you do in the GUI version but also offers more detailed control if you need it. Features: IAT AutoSearch reading Imports validating Imports cutting Imports (if the corresponding module would be empty, its cut too…

Hi and sorry to bother. I tried by chance to unpack a PCGuard 5.xx unpackme. Scylla dumps and rebuild the imports but the import table is kinda messed up. Imports fixer do the job ok though. I have used a wrong settings or what? Here is a video in attach with the unpackme to take a look. Thank you! Question.7z

after unpacking armadillo.exe (x64) dumping with Scylla_x64.dll (latest version) will generate the following exception message: http://rghost.net/53321438 ---------------------------Exception! Please report it!---------------------------ExceptionCode C0000005ExceptionFlags 00000000NumberParameters 00000002ExceptionAddress VA 000007FEE9F38FA5ExceptionAddress RVA 000007FDAABE8FA5rax=0x0000000000000000, rbx=0x00000000091BFF40, rdx=0x0000000140000000, rcx=0x00000000091BFF78, rsi=0x0000000008D0E110, rdi=0x00000000091BFF40, rbp=0x0000000008D0DF30, rsp=0x0000000008D0DDD0, rip=0x000007FEE9F38FA5---------------------------OK ---------------------------Greetings,Mr. eXoDia

I'm currently working on Scylla and I want to implement a direct import scanner. It would be nice if we could collect the different direct import implementations of protectors. For example: eXPressor ------------- 5 byte CALL 0xFFFFFFFF + 1 byte bogus value Themida/Winlicense ------------- 5 byte JMP 0xFFFFFFFF + 1 byte bogus value are there any more?

In short. Target have been protected with Armadillo 9.60 custom build. Protection options: 1. DebugBlocker 2. CodeSplicing 3. Iat Elimination I made a video of the problem. From the video i skipped the unpacking process and i'm at the OEP with DebugBlocker passed, IAT fixed, Splices removed. When i try to dump and fix with Scylla i get a nonworking dump (same with ImpRec) but when i try to fix with ImportsFixer the dump is running fine. Here is the video and the packed file. I have wondered many times what could be wrong...what i have failed to do... but in a apotheotic end was the dumping tool. Hope to get a solution for this problem. Scy…

Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1. Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT. Error message in target is: OS is Windows 7, x64 SP1

I found a solution to create single binary that works as dll and exe. I don't know if there are any side effects. Somebody has a better solution? This is the entrypoint function: extern "C" BOOL WINAPI _CRT_INIT(HINSTANCE HinstDLL, DWORD FdwReason, LPVOID LpReserved);BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { if ((fdwReason == DLL_PROCESS_ATTACH && lpReserved == NULL) || fdwReason == DLL_THREAD_ATTACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved)) { return(FALSE); } } else if ((fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) || fdwReason == DLL_THREAD_DETACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpRese…

To see this bug yourself - grab any process (e.g. firefox.exe), then press "pick DLL" button. Then choose any module (e.g. kernel32.dll) Now press "IAT Autosearch" and "Get Imports". This is what I've got: 1. picked module - kernel32.dll 2. resolved imports are still belongs to main module... 3. ..but their RVA is calculated relative to base of selected module!bug tested on XPSP3, W7x64 Scylla ver 0.9.1 x32, x64

What new features do you like/need in a such a tool. My plan is: - code scanner (e.g. find direct apis) - better dump engine - save/load import tree - GUI improvements - improve IAT Search - Some Options + options dialog - ImpREC plugin support Things I won't implement: - Hexeditor (Winhex, HxD) - PE Editor (CFF Explorer is perfect)

I just uploaded a new version here: http://forum.tuts4yo...reconstruction/ new source is here: http://forum.tuts4yo...ruction-source/ But the most recent source is always here: https://github.com/NtQuery/Scylla If you download the files from any other source, please use the checksums to verify the binaries! 1st CRC32 2nd MD5 3rd SHA-1 0735d826 ?CRC32*Scylla_x64.dll 90a520f770bcb686e73c47013278ceb9 *Scylla_x64.dll d79222d0cf1bb2da414ced4c3a585b6be23aaeca ?SHA1*Scylla_x64.dll a3c0c79d ?CRC32*Scylla_x64.exe 9ee9fdeb5dd8ad076cae3d62f23f752a *Scylla_x64.exe e36a705f30fbeb4da92bc3312cebf6e7279ee52f ?SHA1*Scylla_x64.exe c9037d98 ?CRC32*Scylla_x86.dll 3294017322ce07aff9d5be56d8c…

Check the Picture please another thing : I think there are a problem in the list menu : (PID) (name of process) (Path) name of process is not the same name in the path of process 08D0 PEID.exe C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\CorelDRW.exe and it can't find the IAT when : 1- there are a separate in IAT Table 0040xxxx kernel32 API 0040xxxx kernel32 API 0040xxxx kernel32 API 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx user32 API 0040xxxx user32 API 0040xxxx user32 API 2- can't f…

it happen when i tryed to dump Version: 0.9

Hi, For personal use I created a small launcher program that allows you to quickly select if you want to start Scylla_x86.exe or Scylla_x64.exe. This was useful in my case because I assign hotkeys to tools, which means that I should've assigned two hotkeys to scylla instead of one. Program+sources attached, please consider adding it to the official release, maybe more people have benefit from it. Screenshot: Greetings, Mr. eXoDia Scylla_Launcher.rar

Hi, first let me say that this is looking like a greate tool!!! i'm trying to fix a dump of an old malware (so please run it on a isolated VM) the malware is very easy to get to the OEP and your tool is finding the IAT very currectly but since the application was virtual allocated into a diffrent memory you dump is wrong and also when i Dump it manually and try to fix, the fix is also done worng.. I have upload the malware to here: http://www.mediafire.com/?uk1xa5xoo4mqolu password: infected you will also need to change the file extension to: *.exe instead of *.txt there is a trick in the application thta cause an Access violation exception in Olly thats because it regist…

First of all: Thank you for that awsome project and making it open source! Second: In case anone has the same problem while trying to compile Scally Imports Reconstruction here are some hints: For x86 VisualStudio10: Follow instructions in Scylla\README-WTL additionally: set Platformtoolset to v100 instead of v90 for all 3 projects Download distorm.package3.1 and unpack it in the diStorm directory. Open diStorm\include\distorm.h and comment line 40 (#define SUPPORT_64BIT_OFFSET) to disable it (else i got linker errors) in "Linker --> Input -->additional Dependencies" add: psapi.lib and Imagehlp.lib Now to main part of my post: Imagine you have a IAT that…

If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the windows PE loader. http://uploadpic.org...p?img=BdtSYOk9l This is due to Scylla moving the IMAGE_NT_HEADERS at offset 0x40 without updating the "e_lfanew" field. This was tested with Scylla v0.7 beta 7. Best Regards Waliedassar

I use UIF to move IAT Base Address and Sort IATs in New (other) Address After then Use Scylla Imports Reconstruction to fix dump file failed why?