Scylla IAT AutoSearch

Posted April 11, 201411 yr

The other day I was testing an Asprotect 1.2 target.

Imprec 1.7e IAT Autosearch function successfully locates the IAT. ( Size 0x55C )

However Scylla v0.9.6b Autosearch fails. (Size : Garbage value )

See the image for comparsion.

Imprec

Scylla

Edited April 11, 201411 yr by Extreme Coders

April 11, 201411 yr

hm I dont know. Can you give me the target?

The only explaination I have is that distorm fails to resolve the call dword ptr instructions. Is it somehow obfuscated?

April 12, 201411 yr

Author

@Aguila Sent you the target. The target is the protector binary itself.

I do not see any obfuscation in it.

It can be easily dumped and rebuilded in Imprec 1.7e. Although you have to trace (Level 1 -> disasm ) some calls.

Edited April 12, 201411 yr by Extreme Coders

April 12, 201411 yr

Don't rely on autosearch. ALWAYS check the IAT manualy. Then you will not have any errors. These tools can put wrong start/end. The tools are ok but might have some problems sometimes.

Edited April 12, 201411 yr by GIV

April 12, 201411 yr

I know why it doesn't work. The target is too old. This target is not DEP compatible: https://en.wikipedia.org/wiki/Data_Execution_Prevention Maybe I will not fix this, because I don't really like to support such old operating systems.

http://pixs.ru/showimage/CapturePNG_1732868_11659177.png

Thanks for the bug report.

April 12, 201411 yr

Author

Thanks

Anyways the target is quite old, so bug fixing is not a priority.

Edited April 28, 201411 yr by Extreme Coders

Sign In

Scylla IAT AutoSearch

Featured Replies

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)