Aguila Posted August 29, 2011 (edited)
What new features do you like/need in such a tool?
My plan is:
- code scanner (e.g. find direct apis)
- better dump engine
- save/load import tree
- GUI improvements
- improve IAT Search
- Some Options + options dialog
- ImpREC plugin support
Things I won't implement:
- Hexeditor (Winhex, HxD)
- PE Editor (CFF Explorer is perfect)
Edited September 7, 2011 by Aguila

mudlord Posted September 1, 2011
Wow, I don't think there's much that needs to be changed or added, apart from your plans. I love a tool that just focuses at what it's good at. Tried on x64 Win7, works perfectly.

Teddy Rogers Posted September 5, 2011
Possibly more dumping options so sections can be unchecked/checked added and deleted. Imports Fixer has a nice dumper tool, would be good to see something similar for x64 version of Scylla...
Ted.

Killboy Posted September 5, 2011
I don't see the point of another dumper, CFF Explorer does a great job. Plus, you can always remove sections in the PE header and rebuild the file.

Teddy Rogers Posted September 5, 2011
Why reinvent the wheel? It is another imports rebuilding tool. It is nice to just be able to add and remove sections from the one tool, also Imports Fixer can add sections from the process memory map which is nice...
Ted.

Killboy Posted September 5, 2011
"Why reinvent the wheel? It is another imports rebuilding tool."
That's what I was trying to say, why add functionality that's already available in other tools?
All it does is add bugs other people have invested hours to get rid of and steal the developer's time.
Anyway, it's not my call, nor even my tool so I'll shut up

Teddy Rogers Posted September 5, 2011
There is a feature to implement which is not in any x64 imports rebuilding tool such as the one I described above in IF. Anyway if the code for this project goes open source or something it would be nice to see a one tool fits all and I can't see CFF Explorer being developed much these days with Daniel on other projects...
Ted.

Aguila (Author) Posted September 5, 2011
In my opinion a better dump engine like the one in the Imports Fixer tool is a must have feature. This is really useful, because more and more protectors use the stupid "increase virtual size trick".
http://forum.tuts4you.com/topic/26377-asprotect-increases-virtual-size/
x64 does support more than 4 GB RAM, so probably there will be soon some "smart" protector that will consume more than 4 GB.
"All it does is add bugs other people have invested hours to get rid of"
I don't think this is really difficult to implement... but I hate coding GUIs. You don't want to help Killboy?

GaBoR Posted September 5, 2011
You could use TitanEngine for dumper engine: http://www.reversinglabs.com/products/TitanEngine.php

LCF-AT Posted December 7, 2011
@ Aguila
So could you please add a new function where I can cut all invalid thunks at once away? Don't want to select always each block & cut all in single steps. Just add another line with "cut all" which are selected. Normally I use show invalid and then all are marked but I can't cut them away at once so you know this problem so I told you this already in version 0.5 and now 0.5a has still not this function.
Thank Fuu

Killboy Posted December 7, 2011
Click Show Invalid, then go Menu > Imports > Cut Selected (alternatively just hit DELETE)

LCF-AT Posted December 7, 2011
"go Menu > Imports > Cut Selected" - Ah so! I have not seen this in the menu before so I only used always the right mouse button. Ok someone should tell me this next time. Maybe you can also add this line also into the right mouse button registercard for dummies like me in this case.
Thank you Killboy for this info and sorry for asking so I was really too blind.
greetz

JeRRy Posted February 8, 2012 (edited)
+Create New IAT (Like ImpRec)
+Don't forward functions to kernel32.dll (ntdll.RtlGetLastWin32Error to kernel32.GetLastError etc) in Misc > Option.
"My plan is: - code scanner (e.g. find direct apis)"
fingers crossed
Edited February 8, 2012 by JeRRy

Aguila (Author) Posted February 8, 2012
"+Don't forward functions to kernel32.dll (ntdll.RtlGetLastWin32Error to kernel32.GetLastError etc) in Misc > Option."
Why do you need such an option? This looks useless to me.

JeRRy Posted February 9, 2012
Let's just say I don't want to make my unpacked file support for Win2000.

Killboy Posted February 9, 2012
Then what about Vista and Win7? If you disable forward resolving you'll end up with the compat layer APIs in your import table, making it only work on that OS, or one up if you're lucky. If you want to restrict a file from running on a specific OS, use inline code. Using arbitrary options to restrict execution on some OS is not what Scylla is supposed to do.

LCF-AT Posted November 3, 2012
Hi Aguila,
questions:
- Could you add a user-option to disable a raw size reducing in automode? So in some cases I have the trouble that your tool does overwrite codeparts which should be dumped too. Just a little option which you can keep disabled on original run.
- Could you also add a manually IAT adding feature? Address xy & size xy to ADD it into the IAT list of your tool. In some cases I have some IAT blocks on different sections which I want to add too and manually. So you can have a look on the ImportsFixer tool by SuperCracker which has this feature so it would be nice if you could add this too in your next version.
Shank Foo

mm10121991 Posted November 3, 2012 (edited)
I hope you didn't forget my request of memory loaded DLLs
Edited November 3, 2012 by mm10121991

LCF-AT Posted March 24, 2013
Hi Aguila,
short question. What do you think about to add a small info window where the user can see some infos directly after attaching the file about the filesizes.
- Read and show original filesize
- Calc and show dumped filesizes Full & optimized [dump size with your tool]
So a full dump [RS same VS] will increase the dumped filesize if the Rawsize in PE will make same as virtualsize like ImpRec and other tools do it before you use them etc and if the VS is very high then the user wanna dump the file with any other tool etc then the dump size can have a lot megabytes [100 MB and much more] what the user maybe did not notice before etc and now it would be a nice feature to have the sizes infos in your Scylla tool so that the user can see.... "What! Target has a size of 5 MB and after dumping 500 MB! Forget it not with me!" You know.
OrigSize: 5.1 MB | FullSize: 521 MB | ScyllaDumpSize: 17 MB
Would be nice if you could add this too in a next version. Normally I add this scan also in my scripts to show this infos to the user.
Packed Size: 812 KB +/- <=> UnPack Size: 3.840 MB +/-
greetz

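Added example, not part of the thread and not Scylla's code: a Python version of the size comparison requested in the post above (size on disk versus a full dump with raw size set to virtual size), which also flags sections affected by the "increase virtual size" trick mentioned earlier in the thread. The function names, the 16x ratio threshold and the two-section sample header are constructed for illustration.

```python
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def dump_sizes(pe, inflate_ratio=16):
    """Size on disk vs. size of a full dump (RawSize = VirtualSize)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", pe, nt + 6)[0]          # NumberOfSections
    opt_len = struct.unpack_from("<H", pe, nt + 20)[0]       # SizeOfOptionalHeader
    opt = nt + 24
    # SectionAlignment and SizeOfHeaders sit at the same offsets in PE32 and PE32+
    sect_align = struct.unpack_from("<I", pe, opt + 32)[0] or 0x1000
    orig = full = struct.unpack_from("<I", pe, opt + 60)[0]  # SizeOfHeaders
    inflated = []
    for i in range(count):
        name, vsize, va, rsize, rptr, *_ = SECTION.unpack_from(pe, opt + opt_len + i * 40)
        orig = max(orig, rptr + rsize)                       # end of raw data on disk
        full = max(full, va + align_up(vsize or rsize, sect_align))
        # Assumed heuristic: virtual size far beyond what the raw data needs
        if vsize > inflate_ratio * max(rsize, sect_align):
            inflated.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return {"orig": orig, "full": full, "inflated": inflated}

def build_sample():
    """Constructed header-only PE32+ image: .text plus a 32 MB virtual-only section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section/FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)                   # SizeOfHeaders
    sections = (
        SECTION.pack(b".text", 0x1800, 0x1000, 0x1800, 0x400, 0, 0, 0, 0, 0x60000020)
        + SECTION.pack(b".pad", 0x2000000, 0x3000, 0x200, 0x1C00, 0, 0, 0, 0, 0xC0000040)
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    print(dump_sizes(build_sample()))
```
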
Newbie__Cracker Posted September 3, 2013
It seems that Scylla does not read DLL OEP in case of DLL Unpacking. Am I right? Please add this feature.

LCF-AT Posted September 3, 2013
Hi,
what do you mean? Just pick the process and then pick your xy dll. All working so far or do you mean something else etc?
greetz

mrexodia Posted September 5, 2013
Hi,
It would be cool if you can manually specify a VA/RVA to put the import table in (instead of creating a new section).
Greetings