deepzero Posted May 5, 2012
hi, a minor issue: when scylla is used to iat-fix a file, it will not set the OEP of the file to the value given in the "OEP:" textbox.
d.

ala_borbe Posted May 5, 2012
i complained before and i got an answer that it works if you dump the file with scylla.. you can change the oep with any pe tool manually. my guess is that you need to change the characteristics in sections before rebuilding but i have never tried it... post #4 and on: http://forum.tuts4you.com/topic/27579-prove-other-import-tools-dont-work-correctly-with-win-7/
Edited May 5, 2012 by donny

Aguila Posted May 5, 2012
I still think that OEP correction and IAT rebuilding are two separate workflows. They don't fit together. A dump tool should fix the OEP! Probably people are used to imprec, but it is the wrong way. Why should it be required to enter an OEP to fix an IAT? It doesn't make sense.

deepzero (Author) Posted May 5, 2012
why would the dump tool fix it? as far as the pe header is concerned (both on disk and in memory) the EP is the EP of the stub, not the OEP. The dump tool can't know the OEP. Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP. Traditionally 2) and 3) are done by the IAT fixing tool, saving people the time of adjusting the EP themselves; as usually the OEP was given to the IAT fixing tool anyways. And even if iat address & size were entered manually, people are used to this behavior from ImpRec/chimprec/.... and i see nothing wrong with that. maybe we can have an option for that? But hey, thankfully it's opensource, so people can enhance it themselves.

Aguila Posted May 5, 2012
> Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP.
That is funny. I thought these are the steps:
1) use debugger, go to OEP
2) dump at OEP, your debugger must point to the OEP
3) fix iat, your debugger doesn't need to be at the OEP
But I will add an option to the options dialog.
Edited May 5, 2012 by Aguila

Aguila Posted May 5, 2012
Updated the file version 0.6b: http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

ala_borbe Posted May 6, 2012
so this was not a BUG it was a FEATURE! great update BIG THX
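
Added example, not part of the thread and not Scylla's code: the "fix OEP" step discussed above, done by hand on a dumped file. It converts the OEP address seen in the debugger to an RVA and writes it to AddressOfEntryPoint; the function names, the optional `module_base` argument and the sample header are constructed for illustration.

```python
import struct

def _optional_header(image):
    """Return the file offset of the PE optional header after checking signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # skip signature and 20-byte COFF file header

def get_entry_point(image):
    """Read AddressOfEntryPoint (an RVA) at optional header offset 16."""
    return struct.unpack_from("<I", image, _optional_header(image) + 16)[0]

def set_entry_point(image, oep_va, module_base=None):
    """Write the OEP into the header; oep_va is the address shown in the debugger.
    module_base (assumption: the dump's real load address) defaults to ImageBase."""
    opt = _optional_header(image)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:      # PE32: 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size_of_image,) = struct.unpack_from("<I", image, opt + 56)
    rva = oep_va - (image_base if module_base is None else module_base)
    if not 0 < rva < size_of_image:
        raise ValueError("OEP lies outside the image")
    struct.pack_into("<I", image, opt + 16, rva)
    return rva

def build_sample_header(entry_rva=0x5000, image_base=0x400000, size_of_image=0x8000):
    """Constructed minimal PE32 header: entry point still at the packer stub."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)       # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return buf

if __name__ == "__main__":
    dump = build_sample_header()
    print(hex(get_entry_point(dump)), "->", hex(set_entry_point(dump, 0x401000)))
```

If the module was relocated at load time, pass the real load address as `module_base`, since the header's ImageBase no longer matches the addresses the debugger shows.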