Tuts 4 You

Scylla fails to rebuild a dump from an Arma 9.64 target


GIV


In short.

The target has been protected with an Armadillo 9.60 custom build.

Protection options:

1. DebugBlocker
2. CodeSplicing
3. IAT Elimination

I made a video of the problem.

In the video I skipped the unpacking process, and I'm at the OEP with DebugBlocker passed, IAT fixed, splices removed.

When I try to dump and fix with Scylla I get a non-working dump (same with ImpRec), but when I try to fix with ImportsFixer the dump runs fine.

Here is the video and the packed file.

I have wondered many times what could be wrong... what I had failed to do... but in an apotheotic end it was the dumping tool.

I hope to get a solution for this problem.


Scylla bug report GIV.7z

Link to comment

Thanks for the bug report.

Can you please post the Scylla dumped file + the file with the IAT rebuilt by Scylla + the dump from Imports Fixer + the file with the IAT rebuilt by Imports Fixer?

Have you tried dumping with Scylla and using Imports Fixer to rebuild the IAT?


Link to comment

Ok thanks. The problem is: the IAT is outside the PE file memory space. It is on a dynamically allocated memory page.

Import Fixer is rebasing the IAT, Scylla cannot do this right now.


Link to comment
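The check behind the diagnosis above, as an added example that is not part of the thread and not Scylla's code: it reads ImageBase and SizeOfImage from a PE header and reports whether an IAT range lies inside the mapped image. The header bytes, the addresses and the function names are constructed for illustration.

```python
import struct

def image_range(pe: bytes):
    """Return (ImageBase, SizeOfImage) from a PE32 or PE32+ header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32: 4-byte ImageBase at +28
        base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                    # PE32+: 8-byte ImageBase at +24
        base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    size = struct.unpack_from("<I", pe, opt + 56)[0]   # SizeOfImage
    return base, size

def iat_location(pe: bytes, iat_va: int, iat_size: int, loaded_base=None):
    """Classify an IAT range against the image: inside, outside or straddles.
    loaded_base overrides the header ImageBase when the module was relocated."""
    base, size = image_range(pe)
    if loaded_base is not None:
        base = loaded_base
    start, end = iat_va, iat_va + iat_size
    if base <= start and end <= base + size:
        return "inside"
    if end <= base or start >= base + size:
        return "outside"    # e.g. a dynamically allocated page, as in this thread
    return "straddles"

def make_header(image_base=0x400000, size_of_image=0x5000):
    """Constructed minimal PE32 header carrying only the fields read above."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)
    struct.pack_into("<I", hdr, 0x80 + 24 + 28, image_base)
    struct.pack_into("<I", hdr, 0x80 + 24 + 56, size_of_image)
    return bytes(hdr)

if __name__ == "__main__":
    pe = make_header()
    for va in (0x403000, 0x00A30000):       # constructed IAT start addresses
        print(hex(va), iat_location(pe, va, 0x200))
```

An "outside" result means the import table is not covered by any section of the dumped image, so a rebuilt import directory cannot reference it until the table has been moved into the image.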

Yes, I will work on it, but there are a lot of standalone tools with this feature. ImpRec can't do it either, I guess, and this is why they exist. I guess the tool you used in the video, ArmInLine, can do it too.


Link to comment

Yes indeed. ArmInLine has such a feature. It would be handy to do all things with your great software. What is the point of doing one task with multiple tools? I don't really need this feature, but I felt the need to report this problem to you so that you may come up with a solution.

Have a nice evening!


Link to comment

What is the point to do one task with multiple tools.

Hehe, I know one reason. Unpacking is art and unpacking should never be easy, because it isn't. Scripts/tools can make it very easy. Don't get me wrong here, this is not an insult or anything, but your first post proves that you don't really know what your tools are doing. Imports Fixer is secretly doing a complicated task and you don't even need to know what it is doing. This is perfectly fine, nobody knows everything, but for example it makes people think that Armadillo is ****ing easy, but it isn't really.

Thank you very much for your bug report. I really need bug reports here.

Edited by Aguila
Link to comment

Now you misunderstood me. I am really thankful for every input.

I just noticed that ImpRec has this feature too. Options -> New IAT. I guess I will add it like that.


Link to comment

@GIV

Thanks again for the report.

You are using the wrong OEP in Scylla. Please see the screenshot below.

Another tip:

Please use the advanced IAT search for more accurate results. ImpRec is using wrong IAT information in your video too (because the normal search in Scylla is using the ImpRec algorithm).


post-22354-0-14931900-1391433680_thumb.p

Link to comment

Indeed.

In Olly it was OK; in the Log window it was wrong, and I copied from the log.

Now I changed the script from

log $RESULT, ""

to

log eip, ""

And it is OK now.

It is just a matter of fact with the IAT search, because in general I load the values of IAT start and size manually.

Thank you!


Edited by GIV
Link to comment
