Aguila Posted October 22, 2011 (edited)
I created this thread because of this thread: http://forum.tuts4yo...ction-question/ Some beginners still think that ImpREC works on Windows 7; this is simply not true. Here is a proof screenshot. The test application is a simple C++ application, not packed/protected. Scylla is the only tool which rebuilds the IAT correctly. I guess this doesn't need any explanation, just see for yourself. (Download the .zip for better resolution) compare_ir_.zip
Edited October 22, 2011 by Aguila
BondCracked Posted October 24, 2011
ImpREC works very badly on Win7 64-bit and we have to search for wrong functions etc. ChimpREC seems to be abandoned. Scylla is in active development, works very well, makes a correct dump, uses ImpREC plugins (yes, they work here) and rebuilds the PE. This is a very good tool. Thanks Aguila.
quosego Posted October 24, 2011
Good point and excellent tool. However, I must admit I use XP for RE.
ala_borbe Posted January 7, 2012
Confirmed that ImpREC acts a little crazy on Win7 x64... sometimes the exe works on the same machine after the rebuild, but not on another PC (Win7 32 or 64). But Scylla sometimes does not correct the OEP of the unpacked file, so it has to be done by hand or with some PE editor.
Aguila Posted January 9, 2012 (Author)
Quoting ala_borbe: "but Scylla sometimes does not correct the OEP of the unpacked file, so it has to be done by hand or with some PE editor"
I need more detailed information to fix this issue.
ala_borbe Posted January 10, 2012
This target: http://forum.tuts4you.com/topic/27357-unpackme-simple-nag-remove/
Aguila Posted January 10, 2012 (Author, edited)
Quoting ala_borbe: "This target: http://forum.tuts4yo...ple-nag-remove/"
Scylla works here. The OEP is corrected if you dump the file with Scylla. The import rebuilding doesn't fix the OEP in the dump. OEP correction and import rebuilding should not be in one workflow, because you don't need to enter the OEP if you only want to rebuild the imports.
Edit: maybe an option would be nice here, so you can choose what you want.
Edited January 10, 2012 by Aguila
mrexodia Posted January 13, 2012
Quite funny: you promote your tools the way Dutch ad makers sometimes do (my product is good because other products fail). Duhh, the "other projects" (e.g. ImpREC) are from 2007, yours is almost 5 years newer... Anyway: this tool is good! Only strange :( that I have to hit the Del key to remove all selected invalid thunks, and that cut thunk(s) doesn't work like it did in ImpREC (see Armadillo targets).
Mr. eXoDia
Aguila Posted January 14, 2012 (Author)
I don't earn any money with it and it is open source. I just want everyone to replace ImpREC/ChimpREC/Imports Fixer with this tool. If there is a problem/bug I can fix it. The point is, I am really annoyed by closed-source reversing apps. This is one reason why the "scene" is almost dead. Look at OllyDbg: closed-source crap, no x64 support. The author should make it open source OR tell everyone that the project is finally dead. People have been waiting since 2005 for v2. 7+ years of development is not an option. ChimpREC/ImpREC are great, but due to closed source and dead development they are not usable on Win 7. I still don't understand why PEiD is closed source. You can find many examples of great outdated tools. What will happen on Windows 8? Released this year, I think. Windows XP is dead too; using it is even dangerous due to malware.
mrexodia Posted January 14, 2012
I understand your point... But the main reason I won't switch to your tool (which is great) is that I'm used to the GUI of ImpREC v1.6 (I used a GUI patch on v1.7). My suggestion: a GUI switch... And please don't tell me to do it myself, I can still use ImpREC after all.
Greetings
deepzero Posted January 14, 2012 (edited)
Just wanted to say I greatly admire this project, especially the availability of its source. Two things:
* Change "cut thunk" to "cut thunks", making it remove ALL selected thunks (like hitting Delete).
* The process list is ordered from first created to last created. Since one is usually interested in a process started recently, and rarely in critical system processes, would it be possible to reverse the list? (ImpREC implements this...)
What exactly do the buttons "Fix Dump" and "PE Rebuild" do? What's the difference? Maybe you can mention that in the readme file...
Anyway, thanks for this great project, I am currently in the process of switching from the ImpREC tools.
d.
P.S. Why is the "unload dll after injection" option checked by default? I would expect people to use it for hooks most of the time...
P.P.S. In times of ASLR, truncating relocations is probably unwanted...
Edited January 14, 2012 by deepzero
Killboy Posted January 14, 2012 (edited)
The point of cut thunk is to be able to cut the API that was right-clicked, even if you have multiple selected. To cut all selected, either press DEL or use Imports > Cut selected in the main menu. In general, if you right-click something, any action you select from the menu works on the right-clicked item only. One of these days this should also apply to plugins, but it's a little trickier to fix.
PE Rebuild rebuilds the PE (like LordPE: trim sections, etc.). Fix Dump is the same as in ImpREC.
Quoting mrexodia: "the main reason I won't switch to your tool (which is great) is that I'm used to the GUI of ImpREC"
Seriously, is it that hard to get used to a slightly different interface? You manage to switch to new Windows versions, what's different here? The motivation behind the GUI was that ImpREC always was a major PITA to use; it did its job, but the workflow was astonishingly ****ed up. To cut a single thunk, you have to first click on it, then right-click and select cut thunks. If you have multiple items selected and selected disassemble, it always disassembled the first selected item, no matter which one you right-clicked on. Do you consider that good? It's no problem to add that **** back, but why? So someone who used ImpREC in the past can now use it without even putting in minimal effort? Anyone new to RE shouldn't be using ImpREC anyway, so being an exact ImpREC clone isn't much of a selling point.
Edited January 14, 2012 by Killboy
deepzero Posted January 14, 2012
Makes sense now that you say it. I would still welcome a sub-category "invalidate all" + "cut all thunks". And sorry for the questions about the two buttons, should have been obvious. :S (As an excuse, I am having a bad headache, heading to bed now.)
mrexodia Posted January 14, 2012
GUI can be a really big point... My dad is still on Win98 because he doesn't like the WinXP GUI, not even the classic mode. No flaming/hate on this tool. It's very, very good! I've been used to ImpREC since I was 13, and why would I change to other tools when I don't have to? (I'm on WinXP, Win7 sucks because it's feckin slow on my PC...)
deepzero Posted January 14, 2012 (edited)
Quoting mrexodia: "I've been used to ImpREC since I was 13"
Me too, my friend, and I did manage to switch (I hope). Since your skill goes beyond "first click this button, then that one", it shouldn't be a problem. You'll get used to it.
Quoting mrexodia: "My dad is still on Win98"
Then this is something he should change. Now. O_O
Edited January 14, 2012 by deepzero
Aguila Posted January 14, 2012 (Author)
Sooner or later you must switch to Scylla. x64 and probably ARM will be dominating soon. I don't want to change the GUI, because I like it.
Quoting deepzero: "P.P.S. In times of ASLR, truncating relocations is probably unwanted..."
The PE rebuilder doesn't remove relocs.
Quoting deepzero: "P.S. Why is the 'unload dll after injection' option checked by default? I would expect people to use it for hooks most of the time..."
It depends on what you want to do. Yes, for hooks you don't want it to be unloaded, but maybe you have an unpack engine in your DLL?
Teddy Rogers Posted January 15, 2012
Quoting mrexodia: "My dad is still on Win98 because he doesn't like the WinXP GUI, not even the classic mode."
You can't really use that as an argument to justify making new tools act like dated tools because a small minority in the world want to hold back 14 years of GUI development. Some people loved DOS, but the world has to move on. Anyway... it is good that Scylla is open source, because it means that people can help to improve it. It's also good to see people putting forward suggestions and ideas...
Ted.
mrexodia Posted January 15, 2012 (edited)
OK, I realized that whining about the GUI doesn't make a lot of sense, so I decided to do some code changes myself (Thanks for making this open source!!). My changed code:

Inverse the process list:

    // MainGui.cpp
    void MainGui::fillProcessListComboBox(CComboBox& hCombo)
    {
        hCombo.ResetContent();

        std::vector<Process>& processList = processLister.getProcessListSnapshot();

        // walk the snapshot backwards so the most recently created process is listed first
        //for (size_t i = 0; i < processList.size(); i++)
        for (size_t i = processList.size(); i-- > 0; )
        {
            swprintf_s(stringBuffer, _countof(stringBuffer), TEXT("0x%04X - %s - %s"),
                       processList[i].PID, processList[i].filename, processList[i].fullPath);
            hCombo.AddString(stringBuffer);
        }
    }

Not only the list, also the selection handler:

    // MainGui.cpp
    void MainGui::OnProcessListSelected(UINT uNotifyCode, int nID, CWindow wndCtl)
    {
        // the combo box is reversed, so map the selected row back to the snapshot index
        processSelectedActionHandler(ComboProcessList.GetCount() - 1 - ComboProcessList.GetCurSel());
    }

Wanna-be ImpREC v1.6 GUI:

    // MainGui.rc
    IDD_DLG_MAIN DIALOGEX 0, 0, 389, 278
    STYLE DS_CENTER | DS_SETFONT | WS_CAPTION | WS_VISIBLE | WS_GROUP | WS_POPUP | WS_SYSMENU
    CAPTION "Scylla"
    MENU IDR_MENU_DLG_MAIN
    FONT 8, "MS Sans Serif", 400, 0, 0x1
    BEGIN
        GROUPBOX        "Attach to an active Process",IDC_GROUP_ATTACH,13,2,364,27,BS_CENTER,WS_EX_TRANSPARENT
        COMBOBOX        IDC_CBO_PROCESSLIST,18,11,300,100,CBS_DROPDOWNLIST | WS_VSCROLL | WS_TABSTOP
        PUSHBUTTON      "Pick DLL",IDC_BTN_PICKDLL,329,11,43,12
        GROUPBOX        "Imports",IDC_GROUP_IMPORTS,7,32,308,107,BS_CENTER,WS_EX_TRANSPARENT
        CONTROL         "",IDC_TREE_IMPORTS,"SysTreeView32",TVS_HASBUTTONS | TVS_HASLINES | TVS_LINESATROOT | TVS_SHOWSELALWAYS | TVS_TRACKSELECT | WS_BORDER | WS_HSCROLL | WS_TABSTOP,12,41,297,91
        PUSHBUTTON      "Show Invalid",IDC_BTN_INVALIDIMPORTS,326,43,50,14
        PUSHBUTTON      "Show Suspect",IDC_BTN_SUSPECTIMPORTS,326,63,50,14
        PUSHBUTTON      "Clear Imports",IDC_BTN_CLEARIMPORTS,326,117,50,14
        GROUPBOX        "IAT Info",IDC_GROUP_IATINFO,11,211,145,43,BS_CENTER,WS_EX_TRANSPARENT
        LTEXT           "OEP",IDC_STATIC_OEPADDRESS,17,223,15,8,SS_CENTERIMAGE
        EDITTEXT        IDC_EDIT_OEPADDRESS,35,221,43,12,ES_AUTOHSCROLL
        LTEXT           "VA",IDC_STATIC_IATADDRESS,17,241,15,8,SS_CENTERIMAGE
        EDITTEXT        IDC_EDIT_IATADDRESS,35,239,43,12,ES_AUTOHSCROLL
        LTEXT           "Size",IDC_STATIC_IATSIZE,88,241,15,8,SS_CENTERIMAGE
        EDITTEXT        IDC_EDIT_IATSIZE,105,239,43,12,ES_AUTOHSCROLL
        DEFPUSHBUTTON   "IAT Autosearch",IDC_BTN_IATAUTOSEARCH,85,221,64,14
        PUSHBUTTON      "Get Imports",IDC_BTN_GETIMPORTS,107,257,50,14
        PUSHBUTTON      "Autotrace",IDC_BTN_AUTOTRACE,326,90,50,14
        GROUPBOX        "Dump",IDC_GROUP_DUMP,165,211,106,43,BS_CENTER,WS_EX_TRANSPARENT
        PUSHBUTTON      "Dump",IDC_BTN_DUMP,175,227,34,14
        PUSHBUTTON      "PE Rebuild",IDC_BTN_PEREBUILD,213,227,49,14
        PUSHBUTTON      "Fix Dump",IDC_BTN_FIXDUMP,213,258,50,14
        GROUPBOX        "Log",IDC_GROUP_LOG,7,140,308,67,BS_CENTER,WS_EX_TRANSPARENT
        LISTBOX         IDC_LIST_LOG,12,150,297,51,LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_HSCROLL | WS_TABSTOP
        GROUPBOX        "",0,319,32,63,107,BS_CENTER,WS_EX_TRANSPARENT
    END

Attached the binary in case someone bothers. Scylla_mrexodia.rar
Updated (and my final) version, I really like this tool now.
Mr. eXoDia
Edited January 15, 2012 by Mr. eXoDia
Gogs Posted January 16, 2012 (edited)
I got this problem using Scylla, so if somebody could explain it to me... Actually I didn't use it for import reconstruction, I just attached to a random process, and I saw that some processes are not being displayed when using a certain version (x86, x64), so I have to use both and switch between them. Also, sometimes I get this message when loading a process, and it seems the same to me as when I tried ImpREC 1.7, where some modules didn't get loaded: it just says "no exports for this module", or in Scylla "no export table". My OS is Windows 7 x64. Clarification would be appreciated.
Edited January 17, 2012 by Gogs
Aguila Posted January 17, 2012 (Author, edited)
You need to start Scylla as administrator to see a complete process list. Also, the x64 edition can only access x64 processes and the x86 edition can only access x86 processes. There is nothing suspicious about modules without an export table. They exist, although they are uncommon. I know a firewall software which injects such a DLL into every process. Malware also uses DLL injection for process infection. Maybe check your PC.
Edited January 17, 2012 by Aguila
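Two points in this thread come down to a handful of optional-header fields: Aguila's remark that the dump carries the OEP while import rebuilding does not touch it (so a wrong OEP is fixed by patching AddressOfEntryPoint, the "by hand or with a PE editor" route ala_borbe mentions), and the "no export table" message, which just means the export data directory is empty. The following is an added example, not Scylla's code, that reads and patches those fields in a PE32 or PE32+ image. The sample header it builds is constructed inline (image base, entry point, SizeOfImage and directory values are made up) and has no sections, so it only demonstrates the header logic; a real dump also needs its section table and data intact.

```python
"""Added example, not part of Scylla: inspect and patch the PE optional
header of a dumped image.  Everything here is plain PE-format parsing;
the sample image is constructed below with made-up values."""
import struct

IMAGE_NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
MAGIC_PE32, MAGIC_PE32PLUS = 0x10B, 0x20B
DIR_EXPORT, DIR_IMPORT = 0, 1          # IMAGE_DIRECTORY_ENTRY_EXPORT / _IMPORT


def _layout(image):
    """Return (optional header offset, ImageBase struct format, ImageBase
    offset, NumberOfRvaAndSizes offset) for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20            # signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == MAGIC_PE32:
        return opt, "<I", opt + 28, opt + 92
    if magic == MAGIC_PE32PLUS:
        return opt, "<Q", opt + 24, opt + 108
    raise ValueError("unknown optional header magic %#x" % magic)


def image_base(image):
    _, fmt, base_off, _ = _layout(image)
    return struct.unpack_from(fmt, image, base_off)[0]


def entry_point_rva(image):
    opt = _layout(image)[0]
    return struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint


def size_of_image(image):
    opt = _layout(image)[0]
    return struct.unpack_from("<I", image, opt + 56)[0]   # SizeOfImage


def data_directory(image, index):
    """(VirtualAddress, Size) of a data directory entry, (0, 0) if absent."""
    _, _, _, ndirs_off = _layout(image)
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]
    if index >= ndirs:
        return (0, 0)
    return struct.unpack_from("<II", image, ndirs_off + 4 + 8 * index)


def has_export_table(image):
    """False for DLLs like the injected ones Aguila mentions: empty export dir."""
    va, size = data_directory(image, DIR_EXPORT)
    return va != 0 and size != 0


def oep_in_image(image, oep_va):
    rva = oep_va - image_base(image)
    return 0 <= rva < size_of_image(image)


def fix_oep(image, oep_va):
    """Return a copy with AddressOfEntryPoint set from a virtual OEP address."""
    if not oep_in_image(image, oep_va):
        raise ValueError("OEP %#x lies outside the image" % oep_va)
    patched = bytearray(image)
    opt = _layout(image)[0]
    struct.pack_into("<I", patched, opt + 16, oep_va - image_base(image))
    return bytes(patched)


def build_sample_pe(pe32plus=False, entry_rva=0x1000, base=0x400000,
                    size_image=0xBC000, export_dir=(0, 0)):
    """Constructed header-only image (no sections), just enough to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, MAGIC_PE32PLUS if pe32plus else MAGIC_PE32)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, base)
        ndirs_off = 108
    else:
        struct.pack_into("<I", opt, 28, base)
        ndirs_off = 92
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # Section/FileAlignment
    struct.pack_into("<I", opt, 56, size_image)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_EXPORT, *export_dir)
    struct.pack_into("<II", opt, ndirs_off + 4 + 8 * DIR_IMPORT, 0x7000, 0x100)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


if __name__ == "__main__":
    dump = build_sample_pe()
    print("export table present:", has_export_table(dump))
    fixed = fix_oep(dump, 0x4012C0)    # constructed OEP, as typed into a PE editor
    print("AddressOfEntryPoint: %#x -> %#x"
          % (entry_point_rva(dump), entry_point_rva(fixed)))
```

The OEP check is the one worth keeping in your head: an entry point outside SizeOfImage is the classic sign that the value typed into the tool was a VA where an RVA was expected, or vice versa. On a real dump, run fix_oep over the whole file, not just the header, and rebase the OEP if the process was loaded at a randomized address.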
Gogs Posted January 17, 2012
Thanks for replying, I just needed clarification, because it took me some time to find tools that work properly under Win7. I hold high hopes for this one.
mrexodia Posted January 17, 2012
@Gogs: This one works properly under Win7! And it's a very good tool, except for the inverted process list maybe...
Greetings
Accede Posted January 20, 2012
It doesn't work for me. I unpack the new version of ASPack (ASProtect packed).
OEP = 4693B4 = Scylla invalid OEP?
Scylla tells me no IAT found at this OEP.
Address of IAT = 46E154
RVA of IAT = 6E154
Size of IAT = 6A4
ragdog Posted January 20, 2012
ASPack last version:
IAT not found at OEP 0040D001!
IAT found at VA 004072DC RVA 000072DC Size 0x0048 (72)
IAT parsing finished, found 17 valid APIs, missed 0 APIs
ASProtect last version:
IAT found at VA 004072DC RVA 000072DC Size 0x0048 (72)
IAT parsing finished, found 17 valid APIs, missed 0 APIs
Accede Posted January 20, 2012
The fixed exe doesn't start on my system. Here is the log:
IAT parsing finished, found 409 valid APIs, missed 0 APIs
Loading modules done.
Imagebase: 00400000 Size: 000BC000
VA = 46E154
Size = 6A4
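The "IAT found at VA ... RVA ... Size ..." line in ragdog's log, and the "IAT not found at OEP" message Accede hit, both come out of the IAT search: scanning the process memory for a contiguous run of pointer-sized slots whose values land inside loaded modules, with the single zero slot that separates one DLL's thunks from the next allowed inside the run. The following added example (not Scylla's own search, which additionally walks outward from the OEP and checks each pointer against the modules' export tables) implements that idea over a constructed 32-bit memory image with made-up module ranges and a few decoy values, and prints the result in the log format seen above. Module names, addresses and the image layout are all assumptions.

```python
"""Added example, not Scylla's own search: locate an IAT in a memory image
by finding the longest run of pointer slots that land inside loaded
modules.  The image and module ranges below are constructed."""
import struct

# constructed module address ranges, standing in for loaded DLLs
MODULES = {
    "kernel32.dll": (0x75C00000, 0x75D00000),
    "user32.dll":   (0x76100000, 0x76200000),
}


def module_for(value, modules):
    """Name of the module whose range contains value, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return None


def find_iat(image, image_base, modules, ptr_size=4):
    """Return (va, rva, size, valid_apis) of the best pointer run, or None.
    A run may contain single zero slots (the terminator between one DLL's
    thunks and the next) but must start and end on a module pointer."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    slots = [struct.unpack_from(fmt, image, off)[0]
             for off in range(0, len(image) - ptr_size + 1, ptr_size)]
    n = len(slots)
    best = None
    i = 0
    while i < n:
        if module_for(slots[i], modules) is None:
            i += 1
            continue
        start, last, valid, j = i, i, 0, i
        while j < n:
            if module_for(slots[j], modules) is not None:
                valid, last, j = valid + 1, j, j + 1
            elif slots[j] == 0 and j + 1 < n and module_for(slots[j + 1], modules):
                j += 1                      # one null separator, keep going
            else:
                break
        if best is None or valid > best[3]:
            rva = start * ptr_size
            best = (image_base + rva, rva, (last - start + 1) * ptr_size, valid)
        i = last + 1
    return best


def describe(result):
    """Render a result the way the tool's log line reads."""
    if result is None:
        return "IAT not found"
    va, rva, size, valid = result
    return ("IAT found at VA %08X RVA %08X Size 0x%04X (%d), %d valid APIs"
            % (va, rva, size, size, valid))


def build_sample_image():
    """Constructed 32-bit image: 8 kernel32 thunks, a null, 9 user32 thunks
    at RVA 0x72DC, plus decoys that must not be picked."""
    img = bytearray(0x8000)
    struct.pack_into("<I", img, 0x1000, MODULES["kernel32.dll"][0] + 0x100)  # lone pointer
    struct.pack_into("<I", img, 0x2000, 0x7FFE0000)             # address-like, no module
    off = 0x72DC
    for k in range(8):
        struct.pack_into("<I", img, off, MODULES["kernel32.dll"][0] + 0x1000 + 0x10 * k)
        off += 4
    off += 4                                                    # null between DLLs
    for k in range(9):
        struct.pack_into("<I", img, off, MODULES["user32.dll"][0] + 0x2000 + 0x10 * k)
        off += 4
    return bytes(img)


if __name__ == "__main__":
    print(describe(find_iat(build_sample_image(), 0x400000, MODULES)))
```

The decoys matter: a single stray pointer into a module, or a plausible-looking address that belongs to no loaded module, must not be reported as the IAT, which is why the search keeps the longest run rather than the first hit. When a protector has redirected thunks into its own code, those slots fall outside every module range, the run breaks, and you get exactly the "not found" or truncated-size result the posts above describe; that is the point at which a plugin or manual tracing has to resolve the redirected entries.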