Tuts 4 You

Version 0.7 Beta



This is the last version for at least a week now, I promise.

The main difference from v0.6 is the more powerful disassembler. It can be accessed via Misc -> Disassembler. Try right click -> Follow...


Edited by Aguila
2 weeks later...

I just tried Scylla 0.7 beta on some new games with Armadillo protection, and the final size of the executable is too small compared to ImpRec 1.7e. I can't figure out what the problem is... Win 7 Ultimate 64-bit... for example, Scylla final size 5.465 MB, ImpRec 1.7e 6.789 MB... something goes wrong... I don't know... Only Aguila can figure it out... Does it have anything to do with the first dumped file?

I don't think there is anything wrong. Scylla is optimizing the dumped file. The dump is as small as possible. You should compare the files section by section if you still think something is missing.

Sounds more like an (anti-)dump issue to me. Anyway, 5 MB is probably what you want; what's the problem?

Unlikely to be a Scylla/ImpRec issue. Check which section is large. What's the file size before IAT fixing?

From all that I can see, the Scylla file is 5.76 MB and the ImpRec one is 6.13 MB... I fixed the same dump file from Scylla. Both files don't work... strange... there is no code splicing or nanomites protection enabled. I checked them with ArmaFP 2.1. The file sections look identical. The IAT is perfect... so... Armadillo version 8.40...

Hi,

yes, something is going wrong in the latest version after dumping. Last time I dumped the same file first with Scylla + fix, and after this the dump was not startable / loadable in Olly [some error message]; then I dumped & fixed with ImpRec [same process + same data] and this file was OK. So I had not checked the problem deeper at that moment. I think it happened on the last unpackmes which I unpacked. Will check this again in the next days to force the same error, then I can post some info maybe.

greetz


What does "Runtime Error R6002 floating point support not loaded" mean? This is the message I get with both fixed files...

NilolayD, can you give a little explanation? How do I do that? In OllyDbg I can't see any save executable option in the header...

1 month later...

Hi Aguila,

thanks for the update, but now we have another big problem! :)

- So now your dumped file does run [problem fixed so far]

New problem: raw size adjustment!

So your tool changes the section raw sizes to reduce the file size, but this is not always the best thing to do without checking whether the sections contain some used code, you know. So you have to add more checks for this, and also I want you to add a new option where I can enable & disable raw size reducing. I also wrote a script where I change the PE & raw sizes, and if I let Scylla fix this dump then all my changed data gets overwritten by your tool automatically, so this is not good for me. :) Anyway, just add an option for this like...

* Rawsize Reducing

...and if this is disabled then don't change the PE data etc., also not the FileAlignment & SizeOfHeaders. ;) Or just add an option like...

* Keep PE at OEP

So I mean that your tool now just reads the PE at OEP, but it should not change the PE data like above, you know what I mean, right? So it's very important for me to have this new option in your next version.

RawSize example: I used again this packed file which I had sent to you.

Scylla: 403000 | VS: 00001000 | RS: 00000000

ImpRec: 403000 | VS: 00001000 | RS: 00001000

OK, just want to say that ImpRec does keep MY changed PE from Olly, so I set the size to the same in that case, and your tool sets the raw size of this section to zero!!! After this the file does also run, but not correctly.....

Fixed Dump with ImpRec:
0012FAFC 004010E4 /CALL to SetDlgItemTextA from Packed_f.004010DF
0012FB00 000D0536 |hWnd = 000D0536 ('This is a dialog with menu an...',class='#32770')
0012FB04 000003EA |ControlID = 3EA (1002.)
0012FB08 00403000 \Text = "This is a dialog with a menu and icon"

Fixed Dump with new Scylla:
0012FAFC 004010E4 /CALL to SetDlgItemTextA from Packed_f.004010DF
0012FB00 003C053C |hWnd = 003C053C ('This is a dialog with menu an...',class='#32770')
0012FB04 000003EA |ControlID = 3EA (1002.)
0012FB08 00403000 \Text = ""

You see the text is empty in your dump = overwritten = raw size 00

OK, all clear now, right?

- improve the raw size scan adjustment etc. so that you don't overwrite some data which you still need later

- Add new option "Keep PE at OEP" [MUST HAVE BABY] :)

I hope you can do this quickly if you can and release a new version of my favorite fixing tool. :)

PS: Attached a newly created dump with your new tool. Just run it, then press Show text and Get Text, and you see the problem if you compare it with the original file.

greetz

Packed file - Dump_SCY.rar


I think the raw size reducing technique is pretty nice. I don't see any reason why somebody would need to disable this feature.

About the problem: there was a BUG in the dump engine :sorry: This has nothing to do with the technique.

All should work perfectly now.

Edited by Aguila

Sure I need to disable it! :) For some cases. Also it's always better to leave the user the choice for all options. OK, I tested your new version and now we have a problem again. :) I don't want to be dependent on dumping with your tool, you know, so just add this extra option, then all will work fine later.

Scylla dump = ok

Scylla fix = ok

-------------------

Custom dump + Scylla fix = raw size 00 again = same problem as before!

Short question: so is it possible for you to also create a Scylla dll? It would also be cool to have a Scylla version as a dll which I could drive directly from Olly with API parameters, somewhat like I can do with other tools which are also available as a dll. Just talking about the main dump & fix features only, of course.

PS: Chop chop now, lad, get a move on! :)

greetz

Short question: so is it possible for you to also create a Scylla dll? It would also be cool to have a Scylla version as a dll which I could drive directly from Olly with API parameters, somewhat like I can do with other tools which are also available as a dll. Just talking about the main dump & fix features only, of course.

I can export some functions if you like, but I don't want to create a separate dll file.

Try this:


Hi,

OK, it works so far now, but you did not add this new option for me!!!! Anyway, maybe later, right? If not, then I have to use ImpRec again in some cases later. Man, man, man, man, YOU! Do I have to do everything myself here or what?! :)

Yes, so I mean that you create a little Scylla dll which can dump / fix too, or if dumping is not possible etc. then only the fixing, you know, something like UIF, so you know this tool, right? So you can use this tool normally with a GUI and also just the UIF dll where you can enter some parameters.

Just need something like this:

push file ImageBase
push IAT VA
push IAT size
push OEP VA
push other values like option settings, you know
push 0 / 1 / 2 etc. = option xy on or off
call dumpfile (optional)
....
call fixfile

+ return values in a register or mem addr to check whether all was done fine. You know, something like this would be great, so you know what I mean, right? So you don't need to add any specials or so, just dump / fix sounds already very good. So if you can do this then don't forget to also write all important info in a txt file, like push params etc. Then I could add your dll into the next script too if you don't mind. :)

greetz

Hm, I can't get the exe working as a dll. If I export the functions (same as Olly) you still can't load the exe with LoadLibrary in a new process. This sucks... I don't want to create a separate dll file.

I further improved the disassembler; api/module names are displayed. Any more suggestions here?

Edited by Aguila
LoadLibrary() requires the IsDll flag to be set in the header.

You can set up the project like a dll, declare DllMain as the entry point and compile it as an .exe file. It'll work just fine as it does now, but if a user needs it as a dll file, it's enough to flip the IsDll flag and it'll behave like one. :)

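As an added example (not code from Scylla, ImpRec, or anyone in this thread), the Python below illustrates two points raised above: the raw-size reduction discussed in the post with the "403000 | VS: 00001000 | RS: 00000000" comparison, and the IsDll flag from the reply just above. It builds a constructed minimal PE32 "dump" whose sections have SizeOfRawData equal to VirtualSize (as a raw memory dump does before any optimization), trims each section's raw size only back to its last non-zero byte, so an initialized .data section holding a dialog string keeps its data while a zero-filled section legitimately drops to raw size 0, reads the string back at RVA 0x3000 (0x403000 with ImageBase 0x400000, as in the post) the way the loader would map it, and flips IMAGE_FILE_DLL in FileHeader.Characteristics. The section table reader is also what you would diff to compare two dumps section by section, as suggested earlier in the thread. The image layout, section names and the string are constructed for this example; the function names are hypothetical and not Scylla's API.

```python
import struct

FILE_ALIGNMENT = 0x200
SECTION_ALIGNMENT = 0x1000
IMAGE_FILE_DLL = 0x2000          # the "IsDll" bit in IMAGE_FILE_HEADER.Characteristics
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes

def align(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def _pe_offsets(image):
    """Return (e_lfanew, offset of the first section header, NumberOfSections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    return e_lfanew, e_lfanew + 24 + opt_size, nsec

def read_sections(image):
    """Section table as dicts; diff this between two dumps to compare them section by section."""
    _, off, nsec = _pe_offsets(image)
    rows = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_FMT, image, off + 40 * i)[:5]
        rows.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                     "rawsize": rawsize, "rawptr": rawptr})
    return rows

def read_rva(image, rva, length):
    """Bytes at an RVA as the loader maps them: anything past SizeOfRawData reads as zero."""
    for s in read_sections(image):
        if s["va"] <= rva < s["va"] + s["vsize"]:
            delta = rva - s["va"]
            raw = image[s["rawptr"] + delta : s["rawptr"] + s["rawsize"]]  # empty once delta >= rawsize
            return bytes(raw + b"\0" * length)[:length]
    raise ValueError("RVA %#x is not inside any section" % rva)

def reduce_raw_sizes(image):
    """Raw-size reduction done safely: shrink SizeOfRawData to the last non-zero byte
    (rounded up to FileAlignment) and repack the sections contiguously. Only an all-zero
    section ends up with SizeOfRawData 0; initialized data is never dropped."""
    e_lfanew, off, nsec = _pe_offsets(image)
    size_of_headers = struct.unpack_from("<I", image, e_lfanew + 24 + 60)[0]
    out = bytearray(image[:size_of_headers])
    cursor = size_of_headers
    for i in range(nsec):
        hdr = list(struct.unpack_from(SECTION_FMT, image, off + 40 * i))
        data = image[hdr[4] : hdr[4] + hdr[3]]            # PointerToRawData .. + SizeOfRawData
        kept = len(data.rstrip(b"\0"))
        new_raw = align(kept, FILE_ALIGNMENT) if kept else 0
        hdr[3], hdr[4] = new_raw, (cursor if new_raw else 0)
        struct.pack_into(SECTION_FMT, out, off + 40 * i, *hdr)
        out += data[:new_raw].ljust(new_raw, b"\0")
        cursor += new_raw
    return bytes(out)

def is_dll(image):
    e_lfanew = _pe_offsets(image)[0]
    return bool(struct.unpack_from("<H", image, e_lfanew + 22)[0] & IMAGE_FILE_DLL)

def set_dll_flag(image, enable=True):
    """Flip IMAGE_FILE_DLL (the flag the reply above refers to). With it clear the loader
    treats the image as an EXE and will not run its entry point as DllMain."""
    e_lfanew = _pe_offsets(image)[0]
    out = bytearray(image)
    flags = struct.unpack_from("<H", out, e_lfanew + 22)[0]
    flags = flags | IMAGE_FILE_DLL if enable else flags & ~IMAGE_FILE_DLL
    struct.pack_into("<H", out, e_lfanew + 22, flags)
    return bytes(out)

def build_dump(sections, characteristics=0x0102):
    """Constructed PE32 'dump' (not a real binary): SizeOfRawData == VirtualSize everywhere.
    sections: list of (name, virtual_size, initialized_bytes)."""
    e_lfanew, opt_size = 0x40, 0xE0
    size_of_headers = align(e_lfanew + 24 + opt_size + 40 * len(sections), FILE_ALIGNMENT)
    img = bytearray(size_of_headers)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew : e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, characteristics)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, SECTION_ALIGNMENT, FILE_ALIGNMENT)
    struct.pack_into("<I", img, opt + 60, size_of_headers)
    va, raw = SECTION_ALIGNMENT, size_of_headers
    for i, (name, vsize, data) in enumerate(sections):
        vsize = align(vsize, SECTION_ALIGNMENT)
        hdr = (name.ljust(8, b"\0"), vsize, va, vsize, raw, 0, 0, 0, 0, 0xC0000040)
        struct.pack_into(SECTION_FMT, img, opt + opt_size + 40 * i, *hdr)
        img += data.ljust(vsize, b"\0")
        va, raw = va + vsize, raw + vsize
    struct.pack_into("<I", img, opt + 56, va)                                # SizeOfImage
    return bytes(img)

# Constructed layout mirroring the post: the dialog string sits at 0x403000 (RVA 0x3000).
TEXT = b"This is a dialog with a menu and icon\0"
DUMP = build_dump([(b".text", 0x2000, b"\xC3" * 16), (b".data", 0x1000, TEXT), (b".bss", 0x1000, b"")])

def demo():
    reduced = reduce_raw_sizes(DUMP)
    return {"size_before": len(DUMP), "size_after": len(reduced),
            "text_before": read_rva(DUMP, 0x3000, len(TEXT)),
            "text_after": read_rva(reduced, 0x3000, len(TEXT)),
            "sections_after": read_sections(reduced),
            "dll_flag": (is_dll(DUMP), is_dll(set_dll_flag(DUMP)))}
```

Calling demo() shrinks the constructed dump from 16,896 to 1,536 bytes while the string at RVA 0x3000 still reads back intact; the .data section keeps a non-zero SizeOfRawData (0x200, rounded to FileAlignment) and only the all-zero .bss section gets 0. The failure mode in the post corresponds to a reducer that wrote 0 for a section that still had initialized bytes, which is exactly what the last-non-zero-byte scan prevents.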