Aguila Posted May 6, 2012 (edited) This is the last version for at least a week now, I promise. The main difference from v0.6 is the more powerful disassembler. It can be accessed via Misc -> Disassembler. Try right click -> Follow... Edited May 6, 2012 by Aguila
DeadAndGone Posted May 6, 2012 (edited) Thanks for continuing to update. Edited May 6, 2012 by Silence
BOSCH Posted May 23, 2012 I just tried Scylla 0.7 beta on some new games with Armadillo protection, and the final size of the executable is too small compared to ImpRec 1.7e. I can't figure out what the problem is... Win 7 Ultimate 64 bit... for example Scylla final size (5.465 Mb), ImpRec 1.7e (6.789 Mb)... something goes wrong... I don't know... Only Aguila can figure it out... Does it have anything to do with dump first file?
Aguila (Author) Posted May 23, 2012 I don't think there is something wrong. Scylla is optimizing the dumped file. The dump is as small as possible. You should compare the file section by section, if you still think there is something missing.
deepzero Posted May 23, 2012 Sounds more like an (anti-)dump issue to me. Anyway, 5 MB is probably what you want - what's the problem? Unlikely to be a Scylla/ImpRec issue. Check which section is large. What's the file size before IAT fixing?
BOSCH Posted May 23, 2012 From all that I can see, the Scylla file is 5.76 Mb, and ImpRec is 6.13 Mb... I fixed the same dump file from Scylla. Both files don't work... strange... there is no code splicing or nanomites protection enabled. I checked them with ArmaFP 2.1. The file sections look identical. IAT is perfect... so... Armadillo version 8.40...
LCF-AT Posted May 24, 2012 Hi, yes, something is going wrong in the latest version after dumping. Last time I dumped the same file first with Scylla + fix, and after this the dump was not startable / loadable in Olly [some error message], and then I did dump & fix with ImpRec [same process + same data] and this file was ok. So I had not checked the problem deeper at this moment. I think it happened on the last unpackmes which I unpacked. Will check this again in the next days to force the same error problem, then I can post some infos maybe. greetz
BOSCH Posted May 24, 2012 What does this mean: "Runtime Error R6002 floating point support not loaded"? This is the message which I got in both fixed files...
BOSCH Posted May 24, 2012 NilolayD, can you give a little explanation? How to do that? In OllyDbg I can't see any save executable option in the header...
deepzero Posted May 24, 2012 http://forum.tuts4you.com/topic/27059-r6002-floating-point-library-not-loaded/page__hl__%2Bfloating+%2Bpoint
BOSCH Posted May 24, 2012 http://forum.tuts4yo...floating +point deepzero, you are my hero! Yes, this was the problem! When I packed with UPX it started just fine. Now I will try to see which flag causes that... many thanks!...
Aguila (Author) Posted July 10, 2012 (edited)
- improved the disassembler a little bit -> back/forward with unlimited addresses and some more
- hopefully fixed bug http://forum.tuts4yo...re/#entry139034
Please test this new version, LCF-AT. Edited July 10, 2012 by Aguila
LCF-AT Posted July 10, 2012 Hi Aguila, thanks for the update, but now we have another big problem!
- So now your dumped file does run [problem fixed so far]
New problem: raw size adjustment! Your tool changes the section raw sizes to reduce the file size, but it is not always best to do this without checking whether the sections contain some used code, you know. So you have to add more checks for this, and I also want you to add a new option for this where I can enable & disable raw size reducing. I also wrote a script where I change the PE & raw sizes, and if I let Scylla fix this dump then all my changed data will be overwritten by your tool automatically, so this is not good for me. Anyway, just add an option for this like....
* Rawsize Reducing
...and if this is disabled then don't change the PE data etc., also not the FileAlignment & SizeOfHeaders. Or just add an option like...
* Keep PE at OEP
So I mean that your tool now just reads the PE at OEP, but it should not change the PE data like above, you know what I mean, right? So it's very important for me to have this new option in your next version.
RawSize Example: I again used the packed file which I had sent to you.
Scylla: 403000 | VS: 00001000 | RS: 00000000
ImpRec: 403000 | VS: 00001000 | RS: 00001000
Ok, just wanna say that ImpRec does keep MY changed PE from Olly, so I did set the size to the same in that case, and your tool sets the raw size of this section to zero!!! After this the file does also run, but not correctly.....
Fixed Dump with ImpRec
0012FAFC 004010E4 /CALL to SetDlgItemTextA from Packed_f.004010DF
0012FB00 000D0536 |hWnd = 000D0536 ('This is a dialog with menu an...',class='#32770')
0012FB04 000003EA |ControlID = 3EA (1002.)
0012FB08 00403000 \Text = "This is a dialog with a menu and icon"
Fixed Dump with new Scylla
0012FAFC 004010E4 /CALL to SetDlgItemTextA from Packed_f.004010DF
0012FB00 003C053C |hWnd = 003C053C ('This is a dialog with menu an...',class='#32770')
0012FB04 000003EA |ControlID = 3EA (1002.)
0012FB08 00403000 \Text = ""
You see the text is nothing in your dump = overwritten = rawsize 00. Ok, all clear now, right?
- improve rawsize scan adjustment etc. so that you do not overwrite some data which you still need later
- Add new option "Keep PE at OEP" [MUST HAVE BABY]
I hope you can do this quickly if you can and release a new version of my fav fixing tool.
PS: Attached a newly created dump with your new tool. Just run, then press Show text and Get Text, and you see the problem if you compare it with the original file.
greetz
Packed file - Dump_SCY.rar
Aguila (Author) Posted July 10, 2012 (edited) I think the raw size reducing technique is pretty nice. I don't see any reason why somebody needs to disable this feature. About the problem: There was a BUG in the dump engine. This has nothing to do with the technique. All should work perfectly now. Edited July 10, 2012 by Aguila
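The raw size reduction discussed in the posts above can be checked from the outside; the following is an added example, not part of the thread and not Scylla's code. It parses the section table of a fixed dump and flags any section whose SizeOfRawData is too small for the non-zero bytes present in the mapped image. The section name `.data`, the FileAlignment of 0x200 and the sample headers are assumptions constructed for the demonstration; the RVA, VS and RS values mirror the ones reported in the thread.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_sections(pe):
    """Return (FileAlignment, [(name, rva, virtual_size, raw_size), ...])."""
    nt, = struct.unpack_from("<I", pe, 0x3C)               # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    count, = struct.unpack_from("<H", pe, nt + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)      # SizeOfOptionalHeader
    file_align, = struct.unpack_from("<I", pe, nt + 24 + 36)
    table = nt + 24 + opt_size
    sections = []
    for i in range(count):
        name, vsize, rva, rsize = struct.unpack_from("<8sIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize, rsize))
    return file_align, sections

def needed_raw_size(mapped, rva, vsize, file_align):
    """Smallest aligned raw size that keeps every non-zero byte of a section."""
    used = len(mapped[rva:rva + vsize].rstrip(b"\0"))
    return align_up(used, file_align)

def truncated_sections(pe, mapped):
    """Sections whose SizeOfRawData cannot hold the data present in memory."""
    file_align, sections = parse_sections(pe)
    needs = [(n, rva, rs, needed_raw_size(mapped, rva, vs, file_align))
             for n, rva, vs, rs in sections]
    return [entry for entry in needs if entry[2] < entry[3]]

def build_headers(raw_size):
    """Constructed sample: PE32 headers, one section at RVA 0x3000 (name assumed)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # assumed alignments
    sect = struct.pack("<8sIIII", b".data", 0x1000, 0x3000, raw_size, 0x400)
    return dos + coff + bytes(opt) + sect + bytes(16)

def sample_mapped_image():
    """Constructed sample: mapped image with the dialog text at RVA 0x3000."""
    text = b"This is a dialog with a menu and icon"
    return bytes(0x3000) + text.ljust(0x1000, b"\0")

if __name__ == "__main__":
    print([truncated_sections(build_headers(rs), sample_mapped_image()) for rs in (0, 0x1000)])
```

A section that is all zeros in memory needs a raw size of 0, which is the case where the reduction is safe; the check only fires when live data would be cut off.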
LCF-AT Posted July 10, 2012 Sure I need to disable it! For some cases. Also, it's always better to leave the user the choice for all options. Ok, I tested your new version and now we have a problem again. Don't wanna be dependent on dumping with your tool, you know, so just add this extra option, then all will work fine later.
Scylla dump = ok
Scylla fix = ok
-------------------
Custom dump + Scylla fix = raw size 00 again = Same problem as before!
Short question: So is it possible for you to also create a Scylla dll? It would also be cool to have a Scylla version as a dll which I could handle directly with Olly + API parameters, kind of like I can do with other tools which are also available as a dll. Just talking about the main dump fixing & features only, of course.
PS: Chop chop now, lad, get a move on!
greetz
Aguila (Author) Posted July 10, 2012
Quote: Short question: So is it possible for you to also create a Scylla dll? It would also be cool to have a Scylla version as a dll which I could handle directly with Olly + API parameters, kind of like I can do with other tools which are also available as a dll. Just talking about the main dump fixing & features only, of course.
I can export some functions if you like, but I don't want to create a separate dll file. Try this:
LCF-AT Posted July 10, 2012 Hi, ok, works so far now, but you did not add this new option for me!!!! Anyway, maybe later, right? If not, then I have to use ImpRec again in some cases later. Man oh man, YOU! Do I have to do everything myself here or what?! Yes, so I mean that you create a little Scylla dll which can dump / fix too, or if dumping is not possible etc. then only the fixing, you know, something like UIF, so you know this tool, right? This tool can be used normally with a GUI and also just as the UIF dll where you can enter some parameters. Just need something like this:
push file ImageBase
push IAT VA
push IAT size
push OEP VA
push other values like option settings you know
push 0 / 1 / 2 etc = option xy on or off
call dumpfile optional
....
call fixfile
+ return values in register or mem addr to check whether all was done fine.
You know, something like this would be great, so you know what I mean, right? So you don't need to add some specials or so, just dump / fix sounds already very good. So if you can do this, then don't forget to also write all important infos in a txt file, like push paras etc. Then I could add your dll into my next script too, if you don't mind.
greetz
Aguila (Author) Posted July 11, 2012 (edited) Hm, I can't get the exe working as a dll. If I export the functions (same as Olly) you still can't load the exe with LoadLibrary in a new process. This sucks... I don't want to create a separate dll file. I further improved the disassembler, api/module names are displayed. Any more suggestions here? Edited July 11, 2012 by Aguila
deepzero Posted July 11, 2012 LoadLibrary() requires the IsDll flag to be set in the header. You can set up the project like a dll, declare DllMain as the entry point and compile it as an .exe file. It'll work just fine as it does now, but if a user needs it as a dll file, it's enough to flip the IsDll flag and it'll behave like one.