Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Scylla Imports Reconstruction

Development and support forum for the Scylla project...

  1. DMichael
    Started by DMichael,

    I have made a quick patch till Aguila himself fixes the issues I mentioned here: https://forum.tuts4you.com/topic/36570-found-the-crash-bug/ https://forum.tuts4you.com/topic/36559-found-the-freeze-bug/ Scylla_x86.rar

    • 10 replies
    • 11.6k views
  2. ByteReverser
    Started by ByteReverser,

    exception error while unpacking upx

    • 5 replies
    • 14.8k views
  3. DMichael
    Started by DMichael,

    I have debugged Scylla and found the reason for the freeze. It happens here: void IATSearch::filterIATPointersList( std::set<DWORD_PTR> & iatPointers ) in this code: while(erased) { iter = iatPointers.begin(); lastPointer = *iter; iter++; for (; iter != iatPointers.end(); iter++) { if ((*iter - lastPointer) > 0x100) //check difference { if (isIATPointerValid(lastPointer, false) == false || isIATPointerValid(*iter, false) == false) { iter--; iatPointers.erase(iter); erased = true;…

    • 0 replies
    • 7.7k views
  4. GIV
    Started by GIV,

    When I try to fix an import on a simple ACProtect UnpackMe I get a Scylla crash. Here is a video of that (it is not quite well made) and some info and files. Test.7z

    • 5 replies
    • 12.7k views
  5. GIV
    Started by GIV,

    OS=XP SP3 = X86 The Scylla application crashes at the IAT search moment. Attached are the unpackme and a video which describes the error. Scylla_Error_PEP_UnpackME_5.0.0.7z

    • 0 replies
    • 17.7k views
  6. GIV
    Started by GIV,

    Hi again. Today I have one problem following a LCF-AT tutorial on unpacking a Themida target. One API, even though it is OK in the unpackme (TlsSetValue) in Kernel32, is put in oleaut32 when the IAT is rebuilt via Scylla. The dump in consequence will not start. I put in the attachment all the things needed and a video of the problem. Did I not do something right, or? See ya! TheMida v2.1.8.0 UnpackMe.7z

  7. zadow
    Started by zadow,

    I've been testing this great tool for about a week, and it gets the job done. I would like to throw in some suggestions. I would like the option to make a dump just like the ScyllaHide for the X64 debugger version. It would come in handy when dealing with Enigma protection. I looked at the Scylla source but I only found the one for dumping memory sections. Also a suggestion to turn Scylla on/off, maybe it's just me being picky. I know pretty much everything about IDA, so if you need some help, just ask. Regards Zadow aka StormShadow

    • 2 replies
    • 8.4k views
  8. Extreme Coders
    Started by Extreme Coders,

    The other day I was testing an Asprotect 1.2 target. Imprec 1.7e IAT Autosearch function successfully locates the IAT. ( Size 0x55C ) However Scylla v0.9.6b Autosearch fails. (Size : Garbage value ) See the image for comparison. Imprec Scylla

    • 5 replies
    • 11.3k views
  9. cypher
    Started by cypher,

    Hey there, as the available Scylla DLL by Aguila only supports dumping and I needed a good IAT fixing DLL/Lib, I made a wrapper around the Scylla source. Also because the available ImpRec DLL isn't as easy to use as I wished. Check out the source on BitBucket https://bitbucket.org/cypherpunk/scylla_wrapper_dll or grab attached binaries: Debug x86 Release x86 Debug x64 Release x64 It's based on the latest Scylla source. Basically it mimics all steps you do in the GUI version but also offers more detailed control if you need it. Features: IAT AutoSearch reading Imports validating Imports cutting Imports (if the corresponding module would be empty, its cut too…

    • 27 replies
    • 25.8k views
  10. GIV
    Started by GIV,

    Hi and sorry to bother. I tried by chance to unpack a PCGuard 5.xx unpackme. Scylla dumps and rebuilds the imports but the import table is kinda messed up. Imports fixer does the job OK though. I have used wrong settings or what? Here is a video in the attachment with the unpackme to take a look. Thank you! Question.7z

    • 7 replies
    • 12k views
  11. mrexodia
    Started by mrexodia,

    After unpacking armadillo.exe (x64) dumping with Scylla_x64.dll (latest version) will generate the following exception message: http://rghost.net/53321438
    ---------------------------
    Exception! Please report it!
    ---------------------------
    ExceptionCode C0000005
    ExceptionFlags 00000000
    NumberParameters 00000002
    ExceptionAddress VA 000007FEE9F38FA5
    ExceptionAddress RVA 000007FDAABE8FA5
    rax=0x0000000000000000, rbx=0x00000000091BFF40, rdx=0x0000000140000000, rcx=0x00000000091BFF78, rsi=0x0000000008D0E110, rdi=0x00000000091BFF40, rbp=0x0000000008D0DF30, rsp=0x0000000008D0DDD0, rip=0x000007FEE9F38FA5
    ---------------------------
    OK
    ---------------------------
    Greetings,
    Mr. eXoDia

    • 2 replies
    • 7.9k views
  12. Aguila
    Started by Aguila,

    I'm currently working on Scylla and I want to implement a direct import scanner. It would be nice if we could collect the different direct import implementations of protectors. For example:

    eXPressor
    -------------
    5 byte CALL 0xFFFFFFFF + 1 byte bogus value

    Themida/Winlicense
    -------------
    5 byte JMP 0xFFFFFFFF + 1 byte bogus value

    Are there any more?

    • 19 replies
    • 8.9k views
  13. GIV
    Started by GIV,

    In short. Target has been protected with Armadillo 9.60 custom build. Protection options: 1. DebugBlocker 2. CodeSplicing 3. Iat Elimination I made a video of the problem. From the video I skipped the unpacking process and I'm at the OEP with DebugBlocker passed, IAT fixed, Splices removed. When I try to dump and fix with Scylla I get a nonworking dump (same with ImpRec) but when I try to fix with ImportsFixer the dump is running fine. Here is the video and the packed file. I have wondered many times what could be wrong...what I have failed to do... but in an apotheotic end it was the dumping tool. Hope to get a solution for this problem. Scy…

    • 15 replies
    • 10.1k views
  14. mudlord
    Started by mudlord,

    Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1. Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT. Error message in target is: OS is Windows 7, x64 SP1

  15. Aguila
    Started by Aguila,

    I found a solution to create a single binary that works as dll and exe. I don't know if there are any side effects. Does somebody have a better solution? This is the entrypoint function: extern "C" BOOL WINAPI _CRT_INIT(HINSTANCE HinstDLL, DWORD FdwReason, LPVOID LpReserved); BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { if ((fdwReason == DLL_PROCESS_ATTACH && lpReserved == NULL) || fdwReason == DLL_THREAD_ATTACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved)) { return(FALSE); } } else if ((fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) || fdwReason == DLL_THREAD_DETACH) { if (!_CRT_INIT(hinstDLL, fdwReason, lpRese…

    • 11 replies
    • 11.5k views
  16. nullRd
    Started by nullRd,

    To see this bug yourself - grab any process (e.g. firefox.exe), then press the "pick DLL" button. Then choose any module (e.g. kernel32.dll). Now press "IAT Autosearch" and "Get Imports". This is what I've got: 1. picked module - kernel32.dll 2. resolved imports still belong to the main module... 3. ..but their RVA is calculated relative to the base of the selected module! Bug tested on XPSP3, W7x64. Scylla ver 0.9.1 x32, x64

    • 7 replies
    • 9.6k views
  17. Aguila
    Started by Aguila,

    What new features do you like/need in such a tool? My plan is:
    - code scanner (e.g. find direct apis)
    - better dump engine
    - save/load import tree
    - GUI improvements
    - improve IAT Search
    - Some Options + options dialog
    - ImpREC plugin support
    Things I won't implement:
    - Hexeditor (Winhex, HxD)
    - PE Editor (CFF Explorer is perfect)

    • 22 replies
    • 11.7k views
  18. Aguila
    Started by Aguila,

    I just uploaded a new version here: http://forum.tuts4yo...reconstruction/ new source is here: http://forum.tuts4yo...ruction-source/ But the most recent source is always here: https://github.com/NtQuery/Scylla If you download the files from any other source, please use the checksums to verify the binaries! 1st CRC32 2nd MD5 3rd SHA-1 0735d826 ?CRC32*Scylla_x64.dll 90a520f770bcb686e73c47013278ceb9 *Scylla_x64.dll d79222d0cf1bb2da414ced4c3a585b6be23aaeca ?SHA1*Scylla_x64.dll a3c0c79d ?CRC32*Scylla_x64.exe 9ee9fdeb5dd8ad076cae3d62f23f752a *Scylla_x64.exe e36a705f30fbeb4da92bc3312cebf6e7279ee52f ?SHA1*Scylla_x64.exe c9037d98 ?CRC32*Scylla_x86.dll 3294017322ce07aff9d5be56d8c…

    • 10 replies
    • 10.3k views
  19. ahmadmansoor
    Started by ahmadmansoor,

    Check the picture please. Another thing: I think there is a problem in the list menu: (PID) (name of process) (Path) name of process is not the same name in the path of process 08D0 PEID.exe C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\CorelDRW.exe and it can't find the IAT when: 1- there is a separation in the IAT table 0040xxxx kernel32 API 0040xxxx kernel32 API 0040xxxx kernel32 API 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx ................... 0040xxxx user32 API 0040xxxx user32 API 0040xxxx user32 API 2- can't f…

    • 1 reply
    • 7k views
  20. DMichael
    Started by DMichael,

    It happened when I tried to dump. Version: 0.9

    • 1 reply
    • 8k views
  21. mrexodia
    Started by mrexodia,

    Hi, For personal use I created a small launcher program that allows you to quickly select if you want to start Scylla_x86.exe or Scylla_x64.exe. This was useful in my case because I assign hotkeys to tools, which means that I should've assigned two hotkeys to Scylla instead of one. Program+sources attached, please consider adding it to the official release, maybe more people would benefit from it. Screenshot: Greetings, Mr. eXoDia Scylla_Launcher.rar

    • 7 replies
    • 8.4k views
  22. LaBBaLa
    Started by LaBBaLa,

    Hi, first let me say that this is looking like a great tool!!! I'm trying to fix a dump of an old malware (so please run it on an isolated VM). The malware is very easy to get to the OEP and your tool is finding the IAT very correctly, but since the application was virtual allocated into a different memory your dump is wrong, and also when I dump it manually and try to fix, the fix is also done wrong.. I have uploaded the malware to here: http://www.mediafire.com/?uk1xa5xoo4mqolu password: infected you will also need to change the file extension to: *.exe instead of *.txt there is a trick in the application that causes an Access violation exception in Olly, that's because it regist…

    • 5 replies
    • 12.5k views
  23. p0c
    Started by p0c,

    First of all: Thank you for that awesome project and making it open source! Second: In case anyone has the same problem while trying to compile Scylla Imports Reconstruction here are some hints: For x86 VisualStudio10: Follow instructions in Scylla\README-WTL additionally: set Platformtoolset to v100 instead of v90 for all 3 projects Download distorm.package3.1 and unpack it in the diStorm directory. Open diStorm\include\distorm.h and comment line 40 (#define SUPPORT_64BIT_OFFSET) to disable it (else I got linker errors) in "Linker --> Input -->additional Dependencies" add: psapi.lib and Imagehlp.lib Now to the main part of my post: Imagine you have a IAT that…

    • 3 replies
    • 10.1k views
  24. waliedassar
    Started by waliedassar,

    If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the Windows PE loader. http://uploadpic.org...p?img=BdtSYOk9l This is due to Scylla moving the IMAGE_NT_HEADERS to offset 0x40 without updating the "e_lfanew" field. This was tested with Scylla v0.7 beta 7. Best Regards Waliedassar

    • 8 replies
    • 13.2k views
  25. 376408384
    Started by 376408384,

    I use UIF to move the IAT base address and sort the IATs at a new (other) address. After that, using Scylla Imports Reconstruction to fix the dump file failed. Why?

    • 1 reply
    • 6.1k views
