Scylla Feature Requests

[Aguila]

What new features do you like/need in a such a tool.

My plan is:

- code scanner (e.g. find direct apis)

- better dump engine

- save/load import tree

- GUI improvements

- improve IAT Search

- Some Options + options dialog

- ImpREC plugin support

Things I won't implement:

- Hexeditor (Winhex, HxD)

- PE Editor (CFF Explorer is perfect)

Edited September 7, 2011 by Aguila

[mudlord]

Wow, I don't think theres much that needs to be changed or added, apart from your plans.

I love a tool that just focuses at what its good at.

Tried on x64 Win7, works perfectly.

[Teddy Rogers]

Possibly more dumping options so sections can be unchecked/checked added and deleted. Imports Fixer has a nice dumper tool, would be good to see something similar for x64 version of Scylla...

Ted.

[Killboy]

I don't see the point of another dumper, CFF Explorer does a great job. Plus, you can always remove sections in the PE header and rebuild the file.

[Teddy Rogers]

Why reinvent the wheel? It is another imports rebuiliding tool. It is nice to just be able to add and remove sections from the one tool, also Imports Fixer can add sections from the process memory map which is nice...

Ted.

[Killboy]

Why reinvent the wheel? It is another imports rebuiliding tool.

That's what I was trying to say, why add functionality that's already available in other tools?All it does is add bugs other people have invested hours to get rid of and steal the developer's time.Anyway, it's not my call, nor even my tool so I'll shut up

[Teddy Rogers]

There is a feature to implement which is not in any x64 imports rebuilding tool such as the one I described above in IF. Anyway if the code for this project goes open source or something it would be nice to see a one tool fits all and I can't see CFF Explorer being developed much these days with Daniel on other projects...

Ted.

[Aguila]

In my opinion a better dump engine like the one in the Imports Fixer tool is a must have feature. This is really useful, because more and more protectors use the stupid "increase virtual size trick". http://forum.tuts4you.com/topic/26377-asprotect-increases-virtual-size/

x64 does support more than 4 GB RAM, so probably there will be soon some "smart" protector that will consume more than 4 GB.

All it does is add bugs other people have invested hours to get rid of

I don't think this is really difficult to implement... but I hate coding GUIs You don't want to help Killboy?

[Killboy]

Hit me up

[GaBoR]

You could use TitanEngine for dumper engine:
/>http://www.reversinglabs.com/products/TitanEngine.php

[LCF-AT]

@ Aguila

Sp could you please add a new function where I can cut all invalid thunks at once away?Don't want to select always each block & cut all in single steps.Just add a another line with "cut all" which are selected.Normaly I use show invalid and then all are marked but I can't cut them away at once so you know this problem so I told you this already in version 0.5 and now 0.5a has still not this function.

Thank Fuu

[Killboy]

Click Show Invalid, then go Menu > Imports > Cut Selected (alternatively just hit DELETE)

[LCF-AT]

"go Menu > Imports > Cut Selected" -

Ah so!I have not seen this in the menu before so I only used always the right mouse button. Ok someone should told me this next time.Maybe you can also add this line also into the right mouse button registercard for dummys like me in this case.

Thank you Killboy for this info and sorry for asking so I was really to blind.

greetz

[JeRRy]

+Create New IAT (Like ImpRec)

+Don't forward functions to kernel32.dll (ntdll.RtlGetLastWin32Error to kernel32.GetLastError etc) in Misc > Option.

My plan is:

- code scanner (e.g. find direct apis)

fingers crossed

Edited February 8, 2012 by JeRRy

[Aguila]

+Don't forward functions to kernel32.dll (ntdll.RtlGetLastWin32Error to kernel32.GetLastError etc) in Misc > Option.

Why do you need such an option? This looks useless to me.

[JeRRy]

Let's just say i don't want to make my unpacked file support for Win2000.

[Killboy]

Then what about Vista an Win7? If you disable forward resolving you'll end up with the compat layer APIs in your import table, making it only work on that OS, or one up if you're lucky.

If you want to restrict a file from running on a specific OS, use inline code. Using arbitrary options to restrict execution on some OS is not what Scylla is supposed to do.

[LCF-AT]

Hi Aguila,

questions:

- Could you add a user-option to disable a raw size reducing in automode?So in some cases I have the trouble that your tool does overwrite codeparts which should be dumped too.Just a little option which you can keep disabled on original run.

- Could you also add a manually IAT adding feature?Address xy & size xy to ADD it into the IAT list of your tool.In some cases I have some IAT blocks on diffrent sections which I want to add too and manually.So you can have a look on the ImportsFixer tool by SuperCracker which has this feature so it would be nice if you could add this too in your next version.

Shank Foo

[mm10121991]

I hope you didn't forget my request of memory loaded DLLs

Edited November 3, 2012 by mm10121991

[LCF-AT]

Hi Aguila,

short question.What do you think about to add a small info window where the user can see some infos directly after attaching the file about the filesizes.

Read and show original filesize

Calc and show dumped filesizes Full & optimized [dump size with your tool]

So a full dump [RS same VS] will increase the dumped filesize if the Rawsize in PE will make same as virtualsize like ImpRec and other tools do it before you use them etc and if the VS is very high then the user wanna dump the file with any other tool etc then the dump size can have a lot megabytes [100 MB and much more] what the user maybe did not notice before etc and now it would be a nice feature to have the sizes infos in your Scylla tool so that the user can see...."What!Target has a size of 5 MB and after dumping 500 MB!Forget it not with me!" You know.

OrigSize: 5.1 MB  |  FullSize: 521 MB  |  ScyllaDumpSize: 17 MB

Would be nice if you could add this too in a next version. Normaly I add this scan also in my scripts to show this infos to the user.

Packed Size: 812 KB +/-     <=>     UnPack Size: 3.840 MB +/-

greetz

[Newbie__Cracker]

It seems that Scylla does not read DLL OEP in case of DLL Unpacking.

 

Am I right?

 

Please add this feature.

[LCF-AT]

Hi,

what do you mean?Just pick the process and then pick your xy dll.All working so far or do you mean something else etc?

greetz

[mrexodia]

Hi,

It would be cool if you can manually specify a VA/RVA to put the import table in (instead of creating a new section).

Greetings