Jump to content
Tuts 4 You

Scylla 0.9.7.c error on DotFix Nice Protect 3.7

GIV

By GIV
in Scylla Imports Reconstruction

Recommended Posts

mrexodia

mrexodia

Posted
Posted

Just a question: is it located with some older version of scylla?

mrexodia

mrexodia

Posted
Posted (edited)

Huh, but in your main topic you state:

The IAT is not located correct in both 0.9.7b and 0.9.7c

My question was if it worked with 0.8 for example

Edited by Mr. eXoDia
GIV

GIV

Posted
  • Author
Posted

I did not try with older versions.


I did not try with Imprec or Import Fixer.

mrexodia

mrexodia

Posted
Posted

Try it :) I think this will help..

GIV

GIV

Posted
  • Author
Posted

For what?


I can find IAT by myself.


I want the tool to find the right spot.


I cannot bounce between versions.


It will be no real use.


:)

  • Like 1
mrexodia

mrexodia

Posted
Posted

@GIV: Probably you don't understand what I mean. If you test 0.8 and it works, this means there was a 'fix' in the iat search algorithm that didn't work. For developers it is much easier if you supply better information.

  • Like 1
GIV

GIV

Posted
  • Author
Posted

lol.


And do you think i keep all backward versions to make  a test each time something is wrong?


The developer have the project and run in debug mode straight to the problem.


And on other hand maybe the code from 0.8.xx version is not compatible anymore with the latest build.


And even more if i go into your logic i will solve the bug myself once the sources are public.


But think a little with me:


What is the point for me to do that?


In this sense i will be transposed in author skin.


And where many get their hands on it results a mess.


So i leave the author to "sew" his method.


Or i have another option to keep my mind safe.


Just don't report any issue.

  • 4 months later...
Aguila

Aguila

Posted
Posted

Hey GIV,


 


thanks for the bug and sorry for the late reply. I think this should not be fixed, because this is only the VM OEP. If you recover the real OEP, this will work. It is hard to find the IAT, because this protector removed all "call dword ptr" instructions. There is no IAT reference in the code.


 


The only generic solution for this kind of stuff is: scan all memory for API addresses...


Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...