nullRd Posted September 25, 2013

To see this bug yourself - grab any process (e.g. firefox.exe), then press the "pick DLL" button. Then choose any module (e.g. kernel32.dll). Now press "IAT Autosearch" and "Get Imports". This is what I've got:

1. picked module - kernel32.dll
2. resolved imports still belong to the main module...
3. ..but their RVA is calculated relative to the base of the selected module!

Bug tested on XPSP3, W7x64
Scylla ver 0.9.1 x32, x64

redblkjck Posted September 25, 2013

Looks like you are selecting the OEP of firefox.exe and not the DLL. Try selecting the DLL then use the OEP of the DLL instead. Address Entry Point + the ImageBase loaded at detected by Scylla.

On my system XP MSVPC image, the EP is 0000B64E, Scylla detected image base as 7C800000, So OEP = 7C80B64E
VA 7C801000 Size 00000620
392 Valid APIs

Remember when selecting the EXE process, the Imports (all the DLL API entries) you are seeing are pointing to the Exports of those DLLs. Not the DLL's Imports.

- jack

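The address arithmetic from the reply above, as an added example that is not part of the original thread and not Scylla's code: it reads AddressOfEntryPoint, ImageBase and SizeOfImage from a PE header, adds the entry point RVA to the loaded base, and refuses to turn an address into an RVA against a module that does not contain it. The header bytes and the SizeOfImage value are constructed, and the function names are hypothetical.

```python
import struct

def parse_pe_header(data: bytes) -> dict:
    """Return AddressOfEntryPoint, preferred ImageBase and SizeOfImage from a PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:               # PE32: 4-byte ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:             # PE32+: 8-byte ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return {"entry_rva": entry_rva, "image_base": image_base, "size_of_image": size_of_image}

def oep_va(loaded_base: int, hdr: dict) -> int:
    """OEP as a virtual address: loaded image base + AddressOfEntryPoint."""
    return loaded_base + hdr["entry_rva"]

def va_to_rva(va: int, loaded_base: int, hdr: dict) -> int:
    """Convert a VA to an RVA, refusing addresses outside this module's image."""
    if not loaded_base <= va < loaded_base + hdr["size_of_image"]:
        raise ValueError(f"{va:#x} is not inside the module at {loaded_base:#x}")
    return va - loaded_base

def build_sample_header(entry_rva: int, image_base: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header carrying only the fields parsed above."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)

# EP 0000B64E and image base 7C800000 are from the post; SizeOfImage is constructed.
KERNEL32 = parse_pe_header(build_sample_header(0xB64E, 0x7C800000, 0x000F6000))

if __name__ == "__main__":
    print(f"OEP = {oep_va(0x7C800000, KERNEL32):08X}")
```
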
nullRd Posted September 25, 2013 (Author)

Thank you! Now I see.. I've just lately started to use Scylla instead of ImpRec, so this thing was unclear to me. I really thought that was a bug. Forgive me for a false alarm

redblkjck Posted September 25, 2013

Only a small adjustment when starting to use Scylla.

Cheers
- jack

Aguila Posted September 27, 2013

This little bug was fixed with version 0.9.2

Version 0.9.2
- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project

Jada^AoC Posted September 28, 2013

Where to download the current version? In this section there isn't any up to date thread...

Best regards,
Jada^AoC

Dreamer Posted September 28, 2013

http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

Aguila Posted September 29, 2013

You can "follow this file" and receive update notifications. Source is always here: https://github.com/NtQuery/Scylla