hi,

a minor issue: when scylla is used to iat-fix a file, it will not set the OEP of the file to the value given in the "OEP:" textbox.

d.

i complained before and i got answer that it works if you dump file with scylla.. you can change oep with any pe tool manually .my guess is that you need to change the characteristics in sections before rebuilding but i have never tried it...

post #4 an on
/>http://forum.tuts4you.com/topic/27579-prove-other-import-tools-dont-work-correctly-with-win-7/

Edited May 5, 201213 yr by donny

I still think that OEP correction and iat rebuilding are two separate workflows. They don't fit together. A dump tool should fix the OEP! Probably people are used to imprec, but it is the wrong way. Why should it be required to enter an OEP to fix an IAT? It doesnt make sense.

why would the dump tool fix it? as far as the pe header is concerned (both on disk and in memory) the EP is the EP of the stub, not the OEP.

The dump tool cant know the OEP. Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP.

Traditionally 2) and 3) are done by the IAT fixing tool, saving people the time of adjusting the RP themselves; as usually the OEP was given to the IAT fixing tool anyways.

And even if iat address & size were entered manually, people are used to this behavior from ImpRec/chimprec/.... and i see nothing wrong with that.

maybe we can have an option for that?

But hey, thankfully it`s opensource, so people can enhance i themselves.

Thus, there are 3 basic steps to unpacking a packer: 1) dump 2) fix iat 3) fix OEP.

That is funny. I thought this are the steps:

1) use debugger, go to OEP

2) dump at OEP, your debugger must point to the OEP

3) fix iat, your debugger doesn't need to be at the OEP

But I will add an option to the options dialog

Edited May 5, 201213 yr by Aguila

Updated the file version 0.6b: http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

so this was not a BUG it was a FEATURE! great update BIG THX