Scylla strange problem with direct imports

[Priboi]

Hello, I have a problem with Scylla because Scylla cant find direct imports everytime no matter what I do I get information "Found 0 possible direct imports with 0 unique APIs!". I have try many targets, different Scylla versions and different OS and everytime is the same... I guess I am making something stupid but maybe you guys can point me whats wrong... below example:

004013A0   .- E9 9D78F67D     JMP 7E368C42        ;  user32.KillTimer
004013A5      FF              DB FF
004013A6   .- E9 F17BF67D     JMP 7E368F9C        ;  user32.GetSystemMetrics
004013AB      FF              DB FF
004013AC   $- E9 45D5F77D     JMP 7E37E8F6        ;  user32.LoadIconA
004013B1      FF              DB FF
004013B2   .- E9 9C01F87D     JMP 7E381553        ;  user32.LoadAcceleratorsA
004013B7      FF              DB FF
004013B8   $- E9 2DF4F97D     JMP 7E3A07EA        ;  user32.MessageBoxA
004013BD      FF              DB FF
004013BE   .- E9 F17CF77D     JMP 7E3790B4        ;  user32.GetWindowRect
004013C3      FF              DB FF
004013C4   .- E9 B20BF87D     JMP 7E381F7B        ;  user32.MessageBeep
004013C9      FF              DB FF
004013CA   .- E9 B4E6F97D     JMP 7E39FA83        ;  user32.LoadMenuA
004013CF      FF              DB FF
004013D0   $- E9 69BFF77D     JMP 7E37D33E        ;  user32.LoadCursorA
004013D5      FF              DB FF

 

[CodeExplorer]

Not a Scylla problem. It is a protection, Themida I presume.
004013A0   .- E9 9D78F67D     JMP 7E368C42        ;  user32.KillTimer
this has to be jmp dword ptr [thunk...]  // jump to user32.KillTimer
I think that the import table was actually destroyed, so you got to reconstruct it from scratch.
 

[PoorPlayer]

Hello

Can you check my case, is it a bug or am I doing something wrong?

00407660 | FF25 44785300            | jmp dword ptr ds:[<&_NtdllDefWindowProc_A@0>]

[Priboi]

No, its not Themida but PeSpin and that what you can see is code after preventing api redirecting by magic jump. Here what I want to accomplish is to understand option direct imports in scylla because I have always this enable and scylla never found any direct imports even if they exist and that user32.KillTimer is direct import right? And scylla should handle that and others instructions like source code says:

        if (ref->type == IAT_REFERENCE_DIRECT_CALL)
        {
            type = L"CALL";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_JMP)
        {
            type = L"JMP";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_MOV)
        {
            type = L"MOV";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_PUSH)
        {
            type = L"PUSH";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_LEA)
        {
            type = L"LEA";
        }

Universal Import Fixer can find such JMP xxxxxxxx and works great and change them to JMP [xxxxxxxx] and scylla should also like source code says:

void IATReferenceScan::patchDirectImportInMemory( IATReference * ref )
{
    DWORD patchBytes = 0;
    BYTE patchPreBytes[2];

    if (ref->targetPointer)
    {
        patchPreBytes[0] = 0xFF;

        if (ref->type == IAT_REFERENCE_DIRECT_CALL) //FF15
        {
            patchPreBytes[1] = 0x15;
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_JMP) //FF25
        {
            patchPreBytes[1] = 0x25;
        }
        else
        {
            return;
        }

but I will repeat myself I am pretty sure that I am doing something stupid and something is beyond my sight.

[Priboi]

@PoorPlayer

Hello, address 53782C this is in the middle of your IAT but I cant see on your picture begin of IAT so scroll it and find begin and type this address in box VA and type Size of IAT then click Get Imports

Edited May 15, 2021 by Priboi

[CodeExplorer]

14 minutes ago, PoorPlayer said:

00407660 | FF25 44785300            | jmp dword ptr ds:[<&_NtdllDefWindowProc_A@0>]

This api is user32.lDefWindowProc_A, fowarded from use32.dll to ntdll.dll
obviously ntdll.dll is not imported.
So you have to fix the Api manually under Scylla.
 

 

[PoorPlayer]

@ Priboi: I don't understand what you mean, but anyway thanks for the reply

6 minutes ago, CodeExplorer said:

So you have to fix the Api manually under Scylla

Oh my god

[Priboi]

Please give me someone unpackme to play around. Unpackme which will make scylla find direct imports. Like I said I try many unpackmes and NEVER scylla show differ value than "found 0 direct imports".

[PoorPlayer]

You can try Lena's tutorial part 26

[Priboi]

@PoorPlayer

No, in this tutorial I am sure direct imports dont exist. Even UIF after reparing api redirection doesnt show any direct imports but anyway thanks for trying to help me. 

ps: Did you solve your problem which you mention in this topic?

[PoorPlayer]

I solved my problem, just manually define the Api in scylla

[fanfan]

On 5/29/2021 at 8:22 AM, PoorPlayer said:

I solved my problem, just manually define the Api in scylla

How do you do that?