Hi.

I recently discovered a new bug.

The IAT is not located correct in both 0.9.7b and 0.9.7c

Here is a video attached and the unpackme.

 

0.9.7.c_DotFix_3.7_IAT_Error.7z

Just a question: is it located with some older version of scylla?

0.9.7b/c

Huh, but in your main topic you state:

The IAT is not located correct in both 0.9.7b and 0.9.7c

My question was if it worked with 0.8 for example

Edited December 29, 201410 yr by Mr. eXoDia

I did not try with older versions.

I did not try with Imprec or Import Fixer.

Try it I think this will help..

For what?

I can find IAT by myself.

I want the tool to find the right spot.

I cannot bounce between versions.

It will be no real use.

@GIV: Probably you don't understand what I mean. If you test 0.8 and it works, this means there was a 'fix' in the iat search algorithm that didn't work. For developers it is much easier if you supply better information.

lol.

And do you think i keep all backward versions to make  a test each time something is wrong?

The developer have the project and run in debug mode straight to the problem.

And on other hand maybe the code from 0.8.xx version is not compatible anymore with the latest build.

And even more if i go into your logic i will solve the bug myself once the sources are public.

But think a little with me:

What is the point for me to do that?

In this sense i will be transposed in author skin.

And where many get their hands on it results a mess.

So i leave the author to "sew" his method.

Or i have another option to keep my mind safe.

Just don't report any issue.

Hey GIV,

 

thanks for the bug and sorry for the late reply. I think this should not be fixed, because this is only the VM OEP. If you recover the real OEP, this will work. It is hard to find the IAT, because this protector removed all "call dword ptr" instructions. There is no IAT reference in the code.

 

The only generic solution for this kind of stuff is: scan all memory for API addresses...