In short.

Target have been protected with Armadillo 9.60 custom build.

 

Protection options:

1. DebugBlocker

2. CodeSplicing

3. Iat Elimination

 

I made a video of the problem.

 

From the video i skipped the unpacking process and i'm at the OEP with DebugBlocker passed, IAT fixed, Splices removed.

 

When i try to dump and fix with Scylla i get a nonworking dump (same with ImpRec) but when i try to fix with ImportsFixer the dump is running fine.

 

Here is the video and the packed file.

 

I have wondered many times what could be wrong...what i have failed to do... but in a apotheotic end was the dumping tool.

 

Hope to get a solution for this problem.

Scylla bug report GIV.7z

Thanks for the bug report.

 

Can you please post the scylla dumped file + the file with iat rebuild by scylla + the dump from import fixer + the file with iat rebuild by imports fixer

 

Have you tried dumping with scylla and using imports fixer to rebuild the iat?

I will try tomorrow when i get back to office.

Here it is:

 

Armadillo.7z

Edited January 31, 201411 yr by GIV

I tryed to dump with Scylla and rebuild IATwith Imports Fixer 1.6.

It works.

Ok thanks. The problem is: the IAT is outside the PE file memory space. It is on a dynamically allocated memory page.

 

Import Fixer is rebasing the IAT, Scylla cannot do this right now.

We can fix that?

Yes I will work on it, but there are a lot of standalone tools with this feature. Imprec can't do it either, I guess, and this is why they exist. I guess the tool you used in the video ArmInLine can do it too.

Yes indeed. Arminline have such a feature. It will be handy to do all things with your great software. What is the point to do one task with multiple tools. I don't really need this feature but i felt the need to report this problem to you so you maybe come with a solution.

Have a nice evening!

What is the point to do one task with multiple tools.

Hehe, I know one reason. Unpacking is art and unpacking should never be easy, because it isn't. Scripts/Tools can make it very easy. Don't get me wrong here this is not an insult or anything, but your first post proves that you don't really know what your tools are doing. Imports Fixer is secretly doing a complicated task and you don't even need to know what it is doing. This is perfectly fine, nobody knows everything, but for example it makes people think that armadillo is ****ing easy, but it isn't really.

 

Thank you very much for your bug report. I really need bug reports here.

Edited January 31, 201411 yr by Aguila

Well maybe was a bad idea to write about that... 

Now you misunderstood me. I am really thankful for every input.

 

I just noticed that imprec has this feature too. Options -> New IAT. I guess I will add it like that.

I uploaded a new version:

http://forum.tuts4you.com/files/file/576-scylla-imports-reconstruction/

 

it should now be possible to fix this kind of problem.

 

enable in Options -> new iat in section

Sorry to bother you again but this time i'm stuck with simple UPX.

Report.7z

@GIV

 

Thanks again for the report.

 

You are using the wrong OEP in Scylla. Please see the screenshot below.

 

Another tipp:

Please use advanced iat search for more accurate results. Imprec is using wrong IAT information in your video too (because the normal search in scylla is using the imprec algorithm).

Indeed.

In Olly was ok, in Log window was wrong and i copy from log.

Now i changed in script from

log $RESULT, ""

to

log eip, ""

And is ok now.

Is just a matter of fact with IAT search because in genere i load manual the values of IAT start and size.

Thank you!

Edited February 3, 201411 yr by GIV