Tuts 4 You

Bug in rebuilding IAT


mudlord


Posted

Found another bug, reproducible with UPX 3.04 unpackme on Win7 x64 SP1.

Got to OEP. Dumped EXE using Scylla. Found imports using Scylla. Rebuilt IAT.

Error message in target is:


OS is Windows 7, x64 SP1

Posted

Can you please provide the UPX unpackme? I found a UPX 3.04 unpackme at tuts4you and it works fine.

Posted

Weird, that was the same unpackme I tried :/

Posted

RtlSizeHeap is a function from NTDLL, it is forwarded from HeapSize in Kernel32, could it be a problem with identifying forwarded references?

HR,

Ghandi

Posted

@mudlord

Can you please upload your dumped and your rebuilt file? Maybe I can see where the problem is.

And it is this unpackme? http://tuts4you.com/download.php?view.2819

@ghandi

I am working all the time with Win 7 x64 SP1, so I really don't know what the problem is.

Posted

Hmm, the imports are totally corrupt. I still don't know why. I tested it with two different Win 7 x64 systems and everything is fine.

Do you use some special Olly plugins? Maybe some plugin is ****ing up the imports.

Or maybe you are infected by some rootkit/trojan? This could be possible...

I attached a screenshot of Scylla; probably your output looks a lot different.

Posted

Hi,

Like ghandi already said.

aaa_SCY.exe
-------------
004609F0 7C8226A9 kernel32.SetEnvironmentVariableA
-------------
004609F4 7C9209ED ntdll.RtlSizeHeap
004609F8 7C9279FD ntdll.RtlReAllocateHeap
004609FC 7C9205D4 ntdll.RtlAllocateHeap
00460A00 7C92043D ntdll.RtlFreeHeap
-------------
00460A04 7C81E82A kernel32.GetOEMCP

LORD_PE in kernel.dll Block = not fixed!
-------------
RtlSizeHeap - HeapSize
RtlReAllocateHeap - HeapReAlloc
RtlAllocateHeap - HeapAlloc
RtlFreeHeap - HeapFree

Fixing with Scylla under XP SP2 gives no problem.

So I also think that your ntdll is maybe hooked by some trash [trojan etc.], mudlord. So check these APIs above in Olly, or use IceSword or Kernel Detective and look into the SSDT table; there you can see the hooked stuff too. Maybe you see something bad there etc.

greetz

Posted

Fixed, same results as Aguila now.

Did a clean reformat, fixed it.

Posted

@ Aguila

So today I have tested your tool a little and I got a crash during fixing a dump file.

Infos:

-------------------

IAT VA: 013D4000 <--- Memsection
IAT Size: 0000DD04

Yes, it's a very high IAT size. :)

getAPI by VirtualAddress: There is a big bug
IAT parsing finished,found 7072 valid APIs, missed 0 APIs

Dumping works

Fix Dump = Crash


AppName: scylla.exe
AppVer: 0.0.0.0
ModName: ntdll.dll
ModVer: 5.1.2600.2180
Offset: 0001142e

$ ==>  7C92142E 8B39     MOV EDI,DWORD PTR DS:[ECX]
$+2    7C921430 3B78 04  CMP EDI,DWORD PTR DS:[EAX+4]

Next API below to find
$+45C  7C92188A RtlDeleteCriticalSection  6A 1C  PUSH 1C

Exception Information
Code: 0xc0000005
Flags: 0x00000000
Record: 0x0000000000000000
Address: 0x000000007c92142e

System Information
Windows NT 5.1 Build: 2600

Module 1
Scylla.exe
Image Base: 0x00400000 Image Size: 0x00000000
Checksum: 0x0003ef58 Time Stamp: 0x4e777da2

Thread 1
Thread ID: 0x00000a14
Context:
EDI: 0x7ffd6000 ESI: 0x00000000 EAX: 0x02220000
EBX: 0x0012d414 ECX: 0x00001000 EDX: 0x7c91eb94
EIP: 0x7c91eb94 EBP: 0x0012d488 SegCs: 0x0000001b
EFlags: 0x00000246 ESP: 0x0012d3ec SegSs: 0x00000023

Stack:
0x0012d3e8: 00000000 7c91e9ab 7c8094f2 00000002 .......|...|....
0x0012d3f8: 0012d414 00000001 00000000 0012d448 ............H...
0x0012d408: 7c802530 011c0000 7c920331 000000b0 0%.|....1..|....
0x0012d418: 000000a4 00005eab 0012d52c 7c91ee18 .....^..,......|

Ok, that's a big problem. Maybe you see the reason why and can fix it soon. :) So try to make your tool compatible to work also with very large IAT sizes + memsections.

Dump

Add Mem IAT sec

FixDump = Crash in this case.

ImpRec does not crash, but unfortunately ImpRec needs very much time to load big IAT sizes; your tool has not this problem and can load large sizes in turbo mode. :) This is a big advantage over ImpRec.

PS: What about the IAT tree files? It's there to see but not active, so I can't get a tree file. Please add this soon. But for the moment try to fix this bug above.

Tested under WinXP SP2

Scylla | Version 0.3

greetz

Posted

Try version 0.4, maybe it's already fixed.

If not, upload the dump/app (or PM it to Aguila) so the bug can be reproduced. A crash address in ntdll is not very useful I'm afraid.

Posted

Yes, Killboy is right. Please try the latest version; there are some bugs fixed. Otherwise please PM the target, but please with a little unpack tut :D

The problem with save/load tree is: I am still thinking about a nice format, but probably I will add support for ImpREC files, although the ImpREC format sucks (stupidly formatted txt file). XML would be better, but ImpREC support is more useful.

Posted

Ah ok, but where is the DL link? A whole section for Scylla and no quick DL link to find here, so this is a bit strange. :) So better you create a new topic where you post every new version. I only find this source and no exe file.

http://forum.tuts4you.com/files/file/577-scylla-imports-reconstruction-source/

Please post me the link for the new version to test this one. :)

Ok, found this on the internet now!
http://forum.tuts4you.com/files/download/576-scylla-imports-reconstruction/

Version 0.4 works BUT.......what is this?

So your tool changes normal API pointers to other APIs!

Also your tool collects the module blocks to reduce the size - let the user choose this feature manually.


0041360C JMP DWORD PTR DS:[13D54B8] ; USER32.SetLayeredWindowAttributes
After Scylla
0041360C JMP DWORD PTR DS:[13D54B8] ; USER32.LoadCursorW

Why?

Original API locations
------------------------
013D54B8 77D201B3 USER32.SetLayeredWindowAttributes
013D54BC 00000000
013D54C0 77D19B69 USER32.LoadCursorW
013D54C4 00000000
013D54C8 77D19D06 USER32.SystemParametersInfoW
013D54CC 00000000
013D54D0 7C80AA66 kernel32.FreeLibrary
013D54D4 00000000
013D54D8 7C81FA55 kernel32.GetSystemDirectoryW
013D54DC 00000000
013D54E0 77EF7BF5 GDI32.GetTextMetricsW
013D54E4 00000000

After using Scylla
-----------------------
013D54B8 77D19B69 USER32.LoadCursorW
013D54BC 77D19D06 USER32.SystemParametersInfoW
013D54C0 00000000
013D54C4 00000000
013D54C8 77D19D06 USER32.SystemParametersInfoW
013D54CC 00000000
013D54D0 7C80AA66 kernel32.FreeLibrary
013D54D4 7C81FA55 kernel32.GetSystemDirectoryW
013D54D8 00000000
013D54DC 00000000
013D54E0 77EF7BF5 GDI32.GetTextMetricsW
013D54E4 00000000

So your tool moves the APIs to single module blocks without adapting the API commands! :) Hhhmmm, there's a BUG in da house.

Long example:

Original:

Found commands
Address Disassembly Comment
004021E3 JMP DWORD PTR DS:[13D40B8] USER32.PostQuitMessage
004056E7 JMP DWORD PTR DS:[13D42B0] ADVAPI32.RegOpenKeyExW
0040574C JMP DWORD PTR DS:[13D42C8] ADVAPI32.RegCreateKeyExW
004077A0 JMP DWORD PTR DS:[13D45A0] ADVAPI32.RegDeleteKeyW
0041360C JMP DWORD PTR DS:[13D54B8] USER32.SetLayeredWindowAttributes
004158C2 JMP DWORD PTR DS:[13D5728] kernel32.LocalFree
0045E968 JMP DWORD PTR DS:[13D8EB0] kernel32.GetFileAttributesExW
0047B8CE JMP DWORD PTR DS:[13DA950] USER32.ReleaseCapture
0049A3F6 JMP DWORD PTR DS:[13DC000] USER32.SetRectEmpty
0049BA0B JMP DWORD PTR DS:[13DC080] ole32.OleFlushClipboard
004EE3A7 JMP DWORD PTR DS:[13DFF08] USER32.ReleaseCapture
0051B90E JMP DWORD PTR DS:[13E18D0] ntdll.RtlUnwind
0051B914 JMP DWORD PTR DS:[13E18D8] USER32.ReuseDDElParam
0051B91A JMP DWORD PTR DS:[13E18E0] USER32.UnpackDDElParam
0051B920 JMP DWORD PTR DS:[13E18E8] WINSPOOL.ClosePrinter
0051B926 JMP DWORD PTR DS:[13E18F0] WINSPOOL.DocumentPropertiesW
0051B92C JMP DWORD PTR DS:[13E18F8] WINSPOOL.OpenPrinterW
0051BA54 JMP DWORD PTR DS:[13E1930] oledlg.OleUIBusyW
0051BA5A JMP DWORD PTR DS:[13E1938] gdiplus.GdipFree
0051BA60 JMP DWORD PTR DS:[13E1940] gdiplus.GdipAlloc
0051BA66 JMP DWORD PTR DS:[13E1948] gdiplus.GdipDeleteGraphics
0051BA6C JMP DWORD PTR DS:[13E1950] gdiplus.GdipDisposeImage
0051BA72 JMP DWORD PTR DS:[13E1958] gdiplus.GdipGetImageWidth
0051BA78 JMP DWORD PTR DS:[13E1960] gdiplus.GdipGetImageHeight
0051BA7E JMP DWORD PTR DS:[13E1968] gdiplus.GdipGetImagePixelFormat
0051BA84 JMP DWORD PTR DS:[13E1970] gdiplus.GdipGetImagePaletteSize
0051BA8A JMP DWORD PTR DS:[13E1978] gdiplus.GdipGetImagePalette
0051BA90 JMP DWORD PTR DS:[13E1980] gdiplus.GdipCreateBitmapFromStream
0051BA96 JMP DWORD PTR DS:[13E1988] gdiplus.GdipCreateBitmapFromScan0
0051BA9C JMP DWORD PTR DS:[13E1990] gdiplus.GdipBitmapLockBits
0051BAA2 JMP DWORD PTR DS:[13E1998] gdiplus.GdipBitmapUnlockBits
0051BAA8 JMP DWORD PTR DS:[13E19A0] gdiplus.GdiplusStartup
0051BAAE JMP DWORD PTR DS:[13E19A8] gdiplus.GdiplusShutdown
0051BAB4 JMP DWORD PTR DS:[13E19B0] gdiplus.GdipGetImageGraphicsContext
0051BABA JMP DWORD PTR DS:[13E19B8] gdiplus.GdipDrawImageI
0051BAC0 JMP DWORD PTR DS:[13E19C0] gdiplus.GdipCloneImage
0051BAC6 JMP DWORD PTR DS:[13E19C8] gdiplus.GdipCreateBitmapFromHBITMAP
0051BACC JMP DWORD PTR DS:[13E19D0] gdiplus.GdipCreateFromHDC
0051BAD2 JMP DWORD PTR DS:[13E19D8] gdiplus.GdipSetInterpolationMode
0051BAD8 JMP DWORD PTR DS:[13E19E0] gdiplus.GdipDrawImageRectI
0051BADE JMP DWORD PTR DS:[13E19E8] OLEACC.CreateStdAccessibleObject
0051BAE4 JMP DWORD PTR DS:[13E19F0] OLEACC.AccessibleObjectFromWindow
0051BAEA JMP DWORD PTR DS:[13E19F8] OLEACC.LresultFromObject
0051BAF0 JMP DWORD PTR DS:[13E1A00] IMM32.ImmReleaseContext
0051BAF6 JMP DWORD PTR DS:[13E1A08] IMM32.ImmGetOpenStatus
0051BAFC JMP DWORD PTR DS:[13E1A10] IMM32.ImmGetContext

After Scylla:

Address Disassembly Comment
004021E3 JMP DWORD PTR DS:[13D40B8] USER32.PostQuitMessage
004056E7 JMP DWORD PTR DS:[13D42B0] ADVAPI32.RegOpenKeyExW
0040574C JMP DWORD PTR DS:[13D42C8] ADVAPI32.RegCreateKeyExW
004077A0 JMP DWORD PTR DS:[13D45A0] ADVAPI32.RegDeleteKeyW
0041360C JMP DWORD PTR DS:[13D54B8] USER32.LoadCursorW
004158C2 JMP DWORD PTR DS:[13D5728] ntdll.RtlEnterCriticalSection
0045E968 JMP DWORD PTR DS:[13D8EB0] kernel32.FileTimeToSystemTime
0047B8CE JMP DWORD PTR DS:[13DA950] USER32.ReleaseCapture
0049A3F6 JMP DWORD PTR DS:[13DC000] USER32.SetRectEmpty
0049BA0B JMP DWORD PTR DS:[13DC080] ole32.OleFlushClipboard
004EE3A7 JMP DWORD PTR DS:[13DFF08] USER32.ReleaseCapture
0051B90E JMP DWORD PTR DS:[13E18D0] ntdll.RtlUnwind
0051B914 JMP DWORD PTR DS:[13E18D8] USER32.ReuseDDElParam
0051B91A JMP DWORD PTR DS:[13E18E0] DS:[013E18E0]=00000000
0051B920 JMP DWORD PTR DS:[13E18E8] WINSPOOL.ClosePrinter
0051B926 JMP DWORD PTR DS:[13E18F0] WINSPOOL.OpenPrinterW
0051B92C JMP DWORD PTR DS:[13E18F8] WINSPOOL.OpenPrinterW
0051BA54 JMP DWORD PTR DS:[13E1930] oledlg.OleUIBusyW
0051BA5A JMP DWORD PTR DS:[13E1938] gdiplus.GdipFree
0051BA60 JMP DWORD PTR DS:[13E1940] gdiplus.GdipDeleteGraphics
0051BA66 JMP DWORD PTR DS:[13E1948] gdiplus.GdipGetImageWidth
0051BA6C JMP DWORD PTR DS:[13E1950] gdiplus.GdipGetImagePixelFormat
0051BA72 JMP DWORD PTR DS:[13E1958] gdiplus.GdipGetImagePalette
0051BA78 JMP DWORD PTR DS:[13E1960] gdiplus.GdipCreateBitmapFromScan0
0051BA7E JMP DWORD PTR DS:[13E1968] gdiplus.GdipBitmapUnlockBits
0051BA84 JMP DWORD PTR DS:[13E1970] gdiplus.GdiplusShutdown
0051BA8A JMP DWORD PTR DS:[13E1978] gdiplus.GdipDrawImageI
0051BA90 JMP DWORD PTR DS:[13E1980] gdiplus.GdipCreateBitmapFromHBITMAP
0051BA96 JMP DWORD PTR DS:[13E1988] gdiplus.GdipSetInterpolationMode
0051BA9C JMP DWORD PTR DS:[13E1990] DS:[013E1990]=00000000
0051BAA2 JMP DWORD PTR DS:[13E1998] gdiplus.GdipBitmapUnlockBits
0051BAA8 JMP DWORD PTR DS:[13E19A0] gdiplus.GdiplusStartup
0051BAAE JMP DWORD PTR DS:[13E19A8] gdiplus.GdiplusShutdown
0051BAB4 JMP DWORD PTR DS:[13E19B0] gdiplus.GdipGetImageGraphicsContext
0051BABA JMP DWORD PTR DS:[13E19B8] gdiplus.GdipDrawImageI
0051BAC0 JMP DWORD PTR DS:[13E19C0] gdiplus.GdipCloneImage
0051BAC6 JMP DWORD PTR DS:[13E19C8] gdiplus.GdipCreateBitmapFromHBITMAP
0051BACC JMP DWORD PTR DS:[13E19D0] gdiplus.GdipCreateFromHDC
0051BAD2 JMP DWORD PTR DS:[13E19D8] gdiplus.GdipSetInterpolationMode
0051BAD8 JMP DWORD PTR DS:[13E19E0] gdiplus.GdipDrawImageRectI
0051BADE JMP DWORD PTR DS:[13E19E8] OLEACC.CreateStdAccessibleObject
0051BAE4 JMP DWORD PTR DS:[13E19F0] OLEACC.LresultFromObject
0051BAEA JMP DWORD PTR DS:[13E19F8] OLEACC.LresultFromObject
0051BAF0 JMP DWORD PTR DS:[13E1A00] IMM32.ImmReleaseContext
0051BAF6 JMP DWORD PTR DS:[13E1A08] IMM32.ImmGetContext
0051BAFC JMP DWORD PTR DS:[13E1A10] IMM32.ImmGetContext
Found commands

Quick overview (Original / Scylla)

Original: 0041360C JMP DWORD PTR DS:[13D54B8] ; USER32.SetLayeredWindowAttributes
Scylla:   0041360C JMP DWORD PTR DS:[13D54B8] ; USER32.LoadCursorW
---------------------------------------------------------------------------
Original: 004158C2 JMP DWORD PTR DS:[13D5728] ; kernel32.LocalFree
Scylla:   004158C2 JMP DWORD PTR DS:[13D5728] ; ntdll.RtlEnterCriticalSection
---------------------------------------------------------------------------
Original: 0045E968 JMP DWORD PTR DS:[13D8EB0] ; kernel32.GetFileAttributesExW
Scylla:   0045E968 JMP DWORD PTR DS:[13D8EB0] ; kernel32.FileTimeToSystemTime
---------------------------------------------------------------------------
Original: 0051B91A JMP DWORD PTR DS:[13E18E0] ; USER32.UnpackDDElParam
Scylla:   0051B91A JMP DWORD PTR DS:[13E18E0] ; 00000000 <--- Nothing!
---------------------------------------------------------------------------
Original: 0051BA9C JMP DWORD PTR DS:[13E1990] ; gdiplus.GdipBitmapLockBits
Scylla:   0051BA9C JMP DWORD PTR DS:[13E1990] ; 00000000 <--- Nothing!
---------------------------------------------------------------------------
And many more!
---------------------------------------------------------------------------
Original: 00401300 MOV EBX,DWORD PTR DS:[13D4018] ; USER32.AppendMenuW
Scylla:   00401300 MOV EBX,DWORD PTR DS:[13D4018] ; USER32.IsIconic
---------------------------------------------------------------------------
Original: 00401295 CALL DWORD PTR DS:[13D4010] ; GetSystemMenu
Scylla:   00401295 CALL DWORD PTR DS:[13D4010] ; AppendMenuW
---------------------------------------------------------------------------

Ok, that's a big BUG.

I also see that your tool has NO "create new IAT" feature like ImpRec. So better add this feature to give the user the decision whether they want a new and collected IAT location or not.

Note:

--------------------

Keep APIs on the same location during fixing

You can add an option like "create new IAT" where you collect the APIs into single module blocks, but then you also have to change the API command pointers too - UIF normal basic fixing style

--------------------


CALL DWORD [ADDR] ; API
JMP DWORD [ADDR] ; API
mov r32,DWORD [ADDR] ; API

--------------------

So you see you have forgotten some things to note. Start fixing now. :) Will wait for your next version.

PS: I also have a NEW IDEA which you can add to make your tool more advanced, but for the moment you first have this problem to solve.

greetz
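To make the "keep APIs on the same location" point from this post concrete, here is an added example (not code from the thread or from Scylla itself) that splits an IAT dump into per-module descriptor blocks and checks that every JMP/CALL/MOV reference still resolves to the same API after a rebuild. The slot dumps are the USER32/kernel32/GDI32 lines quoted above; the second code reference and the helper names are assumptions made for this example.

```python
# Sample dumps: the "Original API locations" and "After using Scylla" slots
# quoted in the post above (VA, pointer, module.api); zero slots end a block.
BEFORE = """\
013D54B8 77D201B3 USER32.SetLayeredWindowAttributes
013D54BC 00000000
013D54C0 77D19B69 USER32.LoadCursorW
013D54C4 00000000
013D54C8 77D19D06 USER32.SystemParametersInfoW
013D54CC 00000000
013D54D0 7C80AA66 kernel32.FreeLibrary
013D54D4 00000000
013D54D8 7C81FA55 kernel32.GetSystemDirectoryW
013D54DC 00000000
013D54E0 77EF7BF5 GDI32.GetTextMetricsW
013D54E4 00000000
"""
AFTER = """\
013D54B8 77D19B69 USER32.LoadCursorW
013D54BC 77D19D06 USER32.SystemParametersInfoW
013D54C0 00000000
013D54C4 00000000
013D54C8 77D19D06 USER32.SystemParametersInfoW
013D54CC 00000000
013D54D0 7C80AA66 kernel32.FreeLibrary
013D54D4 7C81FA55 kernel32.GetSystemDirectoryW
013D54D8 00000000
013D54DC 00000000
013D54E0 77EF7BF5 GDI32.GetTextMetricsW
013D54E4 00000000
"""
# Code references as Olly's "found commands" list shows them:
# (code address, IAT slot read by the JMP/CALL/MOV, API the original code expected).
# The first one is from the post; the second is constructed for this example.
REFS = [
    (0x0041360C, 0x013D54B8, "USER32.SetLayeredWindowAttributes"),
    (0x00401234, 0x013D54D8, "kernel32.GetSystemDirectoryW"),
]

def parse_iat(dump):
    """Map each 4-byte IAT slot VA to 'module.api', or None for a zero slot."""
    slots = {}
    for line in dump.splitlines():
        parts = line.split()
        slots[int(parts[0], 16)] = parts[2] if int(parts[1], 16) else None
    return slots

def split_blocks(slots):
    """Group slots into import-descriptor blocks: a zero slot terminates the
    current block and a module change starts a new one, so an "API 0 API 0"
    layout yields one single-API descriptor per API. Each block is
    (module, first_thunk_va, [apis]); first_thunk_va is the slot the rebuilt
    IMAGE_IMPORT_DESCRIPTOR.FirstThunk must keep pointing at."""
    blocks, cur = [], None
    for va in sorted(slots):
        entry = slots[va]
        if entry is None:
            cur = None
            continue
        module = entry.split(".", 1)[0]
        if cur is None or cur[0] != module:
            cur = (module, va, [])
            blocks.append(cur)
        cur[2].append(entry)
    return blocks

def check_refs(refs, slots):
    """Return (code_addr, slot, expected, actual) for each reference whose slot
    no longer resolves to the expected API: a rebuild that moved pointers
    without patching the instructions that read them shows up here."""
    return [(addr, slot, api, slots.get(slot))
            for addr, slot, api in refs if slots.get(slot) != api]
```

Running `check_refs(REFS, parse_iat(AFTER))` reports the 0041360C reference now resolving to LoadCursorW and the constructed one landing on an empty slot, exactly the two failure modes the "Quick overview" lists.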

Posted (edited)

Nice find LCF-AT, I know what the problem is. Scylla hasn't been tested against scattered IATs; Scylla handles this scenario totally wrong, so it is just a missing feature :) Do you have an unpackme with such an IAT for testing purposes? Or a fixed dump with a still scattered IAT is enough.

Edited by Aguila
Posted

No problem. :) Was only testing your tool versus ImpRec.

Ok, here is a test file for you with the added IAT as highmem section.

Infos: Scratch IAT for Scylla.rar

IAT START | SIZE

013D4000 773A407E comctl32.InitCommonControlsEx
-------------------
$+DD00 4EBD42A2 gdiplus.GdipDisposeImage
$+DD04 00000000
$+DD08 00000000

Extra JMP TABLE for API callers | calls & movs
-------------------
013D0000 JMP DWORD PTR DS:[13E1B78] ; winspool.OpenPrinterW
-------------------
$+11A JMP DWORD PTR DS:[13E1D00] ; gdiplus.GdipDisposeImage
$+120

An API is to find at every 8 bytes: API 0 API 0 etc...

Note: This file needs a little time to load in Olly, or if you want to run it outside, because of the large IAT size with 1 module for 1 API. :) Just wait a bit.

Ok, I also send you a clean, small & sorted IAT fixed version of the same file by me. Starts quick.

Infos: Clean small sort IAT to codesection.rar

IAT START / SIZE

005857F0  7C920331  ntdll.RtlGetLastWin32Error
-------------------
$+940 76AF4657 winmm.PlaySoundW
$+944 00000000

PS: What is your name on gRn?

greetz

Test files.rar

Posted

Thanks for the files.

Which protectors are producing such IATs?

Scratch IAT for Scylla.exe -> there are some wrong APIs. Forwarded APIs are not handled correctly e.g. ntdll / RtlDeleteCriticalSection.

Right now I will add two possible options to solve it:

1) rebuild with dummy API to reduce the import descriptors -> better speed

2) rebuild it normally with a lot of import descriptors like in Scratch IAT for Scylla.exe

What is your name on gRn?

Just contact me here :D

Posted

@ Aguila

"Scratch IAT for Scylla.exe -> there are some wrong APIs. Forwarded APIs are not handled correctly e.g. ntdll / RtlDeleteCriticalSection." - What do you mean? I see no problems in this file.

-------------------------------
0040BF7C Scratch_ Always CALL DWORD PTR DS:[13D4A50]
00415F3F Scratch_ Always CALL DWORD PTR DS:[13D5858]
00449C9C Scratch_ Always MOV EDI,DWORD PTR DS:[13D7CE0]
0050E309 Scratch_ Always MOV EBX,DWORD PTR DS:[13E1610]
005186C7 Scratch_ Always CALL DWORD PTR DS:[13E1888]
0051B9AA Scratch_ Always CALL DWORD PTR DS:[13E1910]
0052969D Scratch_ Always CALL DWORD PTR DS:[13E1B70]
-------------------------------
013D4A50 >7C92188A ntdll.RtlDeleteCriticalSection
013D5858 >7C92188A ntdll.RtlDeleteCriticalSection
013D7CE0 >7C92188A ntdll.RtlDeleteCriticalSection
013E1610 >7C92188A ntdll.RtlDeleteCriticalSection
013E1888 >7C92188A ntdll.RtlDeleteCriticalSection
013E1910 >7C92188A ntdll.RtlDeleteCriticalSection
013E1B70 >7C92188A ntdll.RtlDeleteCriticalSection
-------------------------------

-------------------------------
0040BF7C Clean_sm Always CALL DWORD PTR DS:[5857F8]
00415F3F Clean_sm Always CALL DWORD PTR DS:[5857F8]
00449C9C Clean_sm Always MOV EDI,DWORD PTR DS:[5857F8]
0050E309 Clean_sm Always MOV EBX,DWORD PTR DS:[5857F8]
005186C7 Clean_sm Always CALL DWORD PTR DS:[5857F8]
0051B9AA Clean_sm Always CALL DWORD PTR DS:[5857F8]
0052969D Clean_sm Always CALL DWORD PTR DS:[5857F8]
-------------------------------
005857F8 >7C92188A ntdll.RtlDeleteCriticalSection
-------------------------------

1) rebuild with dummy API to reduce the import descriptors -> better speed

2) rebuild it normally with a lot of import descriptors like in Scratch IAT for Scylla.exe

Sounds very good. :) Keep going. Hop hop, now! ;)

"which protectors are producing such IATs?" - It was only a test by me. The IAT was created by me in such a way to save time, without moving them into single module blocks.

Ok, send me a PM with your name to prevent long searching.

greetz

Posted
"What do you mean? I see no problems in this file."

ntdll / RtlDeleteCriticalSection -> should be unforwarded to kernel32.dll in the import table, but doesn't matter now

The idea with the dummy API to fill the gap was not good, because it is probably not common that the gap between imports is exactly 4*x bytes.

Should work now with such IATs, please test it.

Posted

@ Aguila

So I have tested your new version and again see some new problems. :)

"The idea with the dummy api to fill the gap was not good, because it is probably not common that the gap between imports is exactly 4*x bytes"

So the main thing is that you should give the user more handling what to do.

- read IAT the normal way (read IAT direct | NO collecting of module blocks if APIs are not together in the list. If 4 bytes are free after an API then one block has ended)

- create new IAT (look ImpRec)

- fix IAT with collecting

Bugs:

- Found out that your "show invalid" button does not work when no APIs were found

- Wrong module collecting of VAs & APIs together! Mixed! <-- In this case the VA block will work as module.

VA module <-- invalid, no delete chance in your tool = useless fix!

- API <-- no fix with VA block of course

- API

So you also have to add a better reading process of the imports + the bytes between, which can be anything like normal VAs or whatever. Also show these bytes as invalid and only show real modules like DLLs as block holders, and not useless VAs etc.

I have created some example pics for you.

PS: So do you know what I mean? I hope the pics will help you.


013D42A0 7C80E63C kernel32.GetModuleHandleW
013D42A4 00000000
013D42A8 7C80AC28 kernel32.GetProcAddress
013D42AC 00000000
---------------------
= 2 kernel blocks with each API per block = no auto collect to one single block with 2 APIs

013D42A4 7C80E63C kernel32.GetModuleHandleW
013D42A8 7C80AC28 kernel32.GetProcAddress
013D42AC 00000000
---------------------
= 1 kernel block with 2 APIs = ok

$ ==> >77D3563B USER32.SetWindowContextHelpId <--- USER32 1
$+4 >00000000
$+8 >0050538C Scratch_.0050538C <---- VA Block 2
$+C >00000000
$+10 >0050538C Scratch_.0050538C <---- VA Block 3
$+14 >00000000
$+18 >77D3563B USER32.SetWindowContextHelpId <--- USER32 4
$+1C >00000000
$+20 >77DA6A78 ADVAPI32.RegOpenKeyExW <--- ADVAPI32 5
$+24 >00000000
---------------------
= 3 DLL blocks and 2 invalid VA blocks between

Your tool records 3 blocks in this case: one USER32 block (1), one VA block (2) and one ADVAPI32 block (5). The problem here is again the same as seen on the pics. Block 1 is OK, but block 2 collects the 2 invalid VAs + one valid API of block 4. One invalid block with 1 valid API inside = trash now. The problem is that the API used the same DLL as the first DLL. So that's one bug in your tool which you have to fix. If you do not collect the blocks your way [use single read] then the problem would not happen in this case.

greetz


Posted (edited)

What's up with your icons? o_O

Did you set your Windows to 24-bit mode?

I tested on XP and the icons look normal for me, what XP version are you using?

EDIT: I reproduced it, can be easily fixed :)

Edited by Killboy
Posted

@lcf-at

I don't see any reason why API blocks are bad?

The GUI is under construction; this is just a beta build.

Try this file; deleting imports should work now.

Posted

Hi,

Hmmm, no idea why the icons have a black background for me. I use 16-bit color res.

Ok, now it works. :)

One bug: If you show all invalids then all will be shown + selected, but you cannot cut them all away at once. Only single cuts are possible. Maybe you can fix this too next time, to cut all the invalids away at once.

greetz

Posted

"Hmmm, no idea why the icons have a black background for me. I use 16-bit color res."

You should really buy a new PC; it costs only ~500€. Your PC and computer monitor are probably torture for a reverser; I guess you just don't realize that. I have a 24" TFT thing and this is only acceptable. Probably I'm gonna buy something bigger soon...

But the black icons will be fixed in the next version...

About the multi-cut... the multi-select is not yet working correctly, but should be fixed in the next version.

Scylla will be soon much better than ImpREC :D I guess it is already better than ChimpREC.

Posted

"you should really buy a new PC" - I heard this already many time. :)

"Your PC and computer monitor is probably torture for a reverser" - Monitor is ok so far, but the PC GETS ON MY NERVES, the old crate! ;)

"costs only ~500€" - You can send me one if you want. :clap: {Gimme gimme more gimme more gimme gimme more lalalalalaaaa...} :)

"Scylla will be soon much better than ImpREC" - Hola! Let's wait for your final release.

PS: Found some kind of unload problem in your tool. Let's say you have a BIG IAT and then you press "get imports"; then you get the infos very quickly, that's ok so far, but if you clean the list and press "get imports" again [get & clean] a few times then it needs longer and longer to get the IAT in your tool. So I think there is a memory unload issue or so. Maybe you can check this too later if you want.

greetz

Posted

"PS: Found some kind of unload problem in your tool. Let's say you have a BIG IAT and then you press "get imports"; then you get the infos very quickly, that's ok so far, but if you clean the list and press "get imports" again [get & clean] a few times then it needs longer and longer to get the IAT in your tool. So I think there is a memory unload issue or so. Maybe you can check this too later if you want."

Hmm, this is weird.

I tried it with your test file, IAT size DD4, I guess this is huge? And I don't see any memory problem. Tried it a few times, always the same memory usage +/- 1MB.

But I noticed a fantastic new feature:

Scylla needs about 12 MB RAM.... ImpREC needs, for the same file and IAT, about 70 MB RAM lol. This is amazing! 7 times more RAM usage, stupid old tool ;)

Try this new file LCF-AT, the icons should work now.
