Tuts 4 You

Scylla strange problem with direct imports



Priboi

Hello, I have a problem with Scylla: it can't find direct imports. Every time, no matter what I do, I get the message "Found 0 possible direct imports with 0 unique APIs!". I have tried many targets, different Scylla versions and different OSes, and every time it is the same... I guess I am doing something stupid, but maybe you guys can point out what's wrong... Example below:

004013A0   .- E9 9D78F67D     JMP 7E368C42        ;  user32.KillTimer
004013A5      FF              DB FF
004013A6   .- E9 F17BF67D     JMP 7E368F9C        ;  user32.GetSystemMetrics
004013AB      FF              DB FF
004013AC   $- E9 45D5F77D     JMP 7E37E8F6        ;  user32.LoadIconA
004013B1      FF              DB FF
004013B2   .- E9 9C01F87D     JMP 7E381553        ;  user32.LoadAcceleratorsA
004013B7      FF              DB FF
004013B8   $- E9 2DF4F97D     JMP 7E3A07EA        ;  user32.MessageBoxA
004013BD      FF              DB FF
004013BE   .- E9 F17CF77D     JMP 7E3790B4        ;  user32.GetWindowRect
004013C3      FF              DB FF
004013C4   .- E9 B20BF87D     JMP 7E381F7B        ;  user32.MessageBeep
004013C9      FF              DB FF
004013CA   .- E9 B4E6F97D     JMP 7E39FA83        ;  user32.LoadMenuA
004013CF      FF              DB FF
004013D0   $- E9 69BFF77D     JMP 7E37D33E        ;  user32.LoadCursorA
004013D5      FF              DB FF


CodeExplorer

Not a Scylla problem. It is a protection, Themida I presume.
004013A0   .- E9 9D78F67D     JMP 7E368C42        ;  user32.KillTimer
This has to be jmp dword ptr [thunk...]  // jump to user32.KillTimer
I think that the import table was actually destroyed, so you have to reconstruct it from scratch.

PoorPlayer

Hello

Can you check my case: is it a bug or am I doing something wrong?

00407660 | FF25 44785300            | jmp dword ptr ds:[<&_NtdllDefWindowProc_A@0>]

[attachment: FThunk.png]

Priboi

No, it's not Themida but PESpin, and what you can see is the code after preventing API redirection with the magic jump. What I want to accomplish here is to understand the direct imports option in Scylla, because I always have it enabled and Scylla has never found any direct imports even when they exist. That user32.KillTimer is a direct import, right? And Scylla should handle that and the other instructions, as the source code says:

        if (ref->type == IAT_REFERENCE_DIRECT_CALL)
        {
            type = L"CALL";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_JMP)
        {
            type = L"JMP";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_MOV)
        {
            type = L"MOV";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_PUSH)
        {
            type = L"PUSH";
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_LEA)
        {
            type = L"LEA";
        }

Universal Import Fixer can find such JMP xxxxxxxx, works great, and changes them to JMP [xxxxxxxx], and Scylla should too, as the source code says:

void IATReferenceScan::patchDirectImportInMemory( IATReference * ref )
{
    DWORD patchBytes = 0;
    BYTE patchPreBytes[2];

    // targetPointer is the IAT slot that already holds the API address
    if (ref->targetPointer)
    {
        patchPreBytes[0] = 0xFF;   // FF xx = indirect CALL/JMP through memory

        if (ref->type == IAT_REFERENCE_DIRECT_CALL) //FF15 = CALL DWORD PTR [m32]
        {
            patchPreBytes[1] = 0x15;
        }
        else if (ref->type == IAT_REFERENCE_DIRECT_JMP) //FF25 = JMP DWORD PTR [m32]
        {
            patchPreBytes[1] = 0x25;
        }
        else
        {
            return;   // MOV/PUSH/LEA references are only reported, not patched here
        }


But I will repeat myself: I am pretty sure that I am doing something stupid and something is beyond my sight.

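To make concrete what the two posts above are arguing about, here is an added example (not Scylla's code and not from either poster) of what a "direct import" scan and fix amounts to on x86-32. A protector that strips the IAT rewrites `FF 25 disp32` (JMP DWORD PTR [iat_slot]) into `E9 rel32` (JMP api) straight to the API address; the fix is the reverse: resolve the rel32 target, check that it is a known export in another module rather than code inside the target, and rewrite it to `FF 25`/`FF 15` pointing at an IAT slot. Because the 5-byte E9/E8 grows into a 6-byte FF25/FF15, a junk byte next to the instruction has to be consumed; that is what the `DB FF` after every JMP in the listing is. The API addresses and names below are the ones from the listing; the IAT slot VAs, the image range and the code bytes are constructed for the example. Scylla itself disassembles the code properly and enumerates the loaded modules to build its API table; the byte-wise scan here is a simplification of that idea.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed table: api_va comes from the listing in the thread; the IAT slot
 * addresses are assumed for the example (Scylla gets them from its IAT search). */
typedef struct {
    uint32_t api_va;    /* address of the export inside the loaded DLL */
    uint32_t iat_slot;  /* VA of the IAT entry that holds api_va (assumed) */
    const char *name;
} ApiEntry;

static const ApiEntry g_apis[] = {
    { 0x7E368C42u, 0x00402000u, "user32.KillTimer" },
    { 0x7E368F9Cu, 0x00402004u, "user32.GetSystemMetrics" },
    { 0x7E37E8F6u, 0x00402008u, "user32.LoadIconA" },
};
#define N_APIS (sizeof g_apis / sizeof g_apis[0])

/* Assumed image range of the target: a JMP/CALL landing here is local code, not an import. */
#define IMAGE_BASE 0x00400000u
#define IMAGE_END  0x00540000u

uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static const ApiEntry *lookup_api(uint32_t va) {
    if (va >= IMAGE_BASE && va < IMAGE_END) return NULL;   /* inside the target: not an import */
    for (size_t i = 0; i < N_APIS; i++)
        if (g_apis[i].api_va == va) return &g_apis[i];
    return NULL;
}

/* Emit "opcode rel32" at image address `at`, the way the protector left it. */
static void emit_rel32(uint8_t *p, uint8_t opcode, uint32_t at, uint32_t target) {
    p[0] = opcode;
    wr32(p + 1, target - (at + 5));   /* rel32 is relative to the next instruction */
}

#define SAMPLE_VA  0x004013A0u
#define SAMPLE_LEN 30

/* Constructed sample section: the first three stubs of the listing, a CALL to the
 * same KillTimer (so "found" and "unique" differ), and a local CALL back into the
 * image that must be left alone. Each E9/E8 is followed by one junk byte. */
size_t build_sample(uint8_t *out) {
    uint8_t *p = out;
    emit_rel32(p, 0xE9, SAMPLE_VA + 0,  0x7E368C42u); p[5] = 0xFF; p += 6;  /* JMP user32.KillTimer */
    emit_rel32(p, 0xE9, SAMPLE_VA + 6,  0x7E368F9Cu); p[5] = 0xFF; p += 6;  /* JMP user32.GetSystemMetrics */
    emit_rel32(p, 0xE9, SAMPLE_VA + 12, 0x7E37E8F6u); p[5] = 0xFF; p += 6;  /* JMP user32.LoadIconA */
    emit_rel32(p, 0xE8, SAMPLE_VA + 18, 0x7E368C42u); p[5] = 0x90; p += 6;  /* CALL user32.KillTimer */
    emit_rel32(p, 0xE8, SAMPLE_VA + 24, SAMPLE_VA);                p += 5;  /* CALL 004013A0 (local) */
    *p++ = 0xC3;                                                              /* RET */
    return (size_t)(p - out);
}

/* Scan `len` bytes of code mapped at `base_va`. Returns the number of direct
 * references found and stores the number of distinct APIs in *unique_out. With
 * patch != 0 each hit is rewritten to FF 25/15 [iat_slot], consuming the junk
 * byte that follows the 5-byte instruction (junk-byte-after layout, as in the listing). */
size_t fix_direct_imports(uint8_t *code, size_t len, uint32_t base_va, int patch, size_t *unique_out) {
    int seen[N_APIS] = {0};
    size_t found = 0, unique = 0;

    for (size_t i = 0; i + 5 <= len; i++) {
        uint8_t op = code[i];
        if (op != 0xE8 && op != 0xE9) continue;
        uint32_t target = base_va + (uint32_t)i + 5 + rd32(code + i + 1);
        const ApiEntry *api = lookup_api(target);
        if (!api) continue;                     /* plain local call/jmp (or data): not an import */

        found++;
        size_t idx = (size_t)(api - g_apis);
        if (!seen[idx]) { seen[idx] = 1; unique++; }

        if (patch && i + 6 <= len) {
            code[i]     = 0xFF;
            code[i + 1] = (op == 0xE9) ? 0x25 : 0x15;   /* JMP [m32] : CALL [m32] */
            wr32(code + i + 2, api->iat_slot);
            i += 5;                                     /* skip the rewritten 6-byte instruction */
        }
    }
    if (unique_out) *unique_out = unique;
    return found;
}

/* Shared buffer so the demo can be driven with two calls: scan only, then patch. */
uint8_t g_code[SAMPLE_LEN];
size_t  g_len = 0, g_unique = 0;

size_t demo_scan(void)  { g_len = build_sample(g_code); return fix_direct_imports(g_code, g_len, SAMPLE_VA, 0, &g_unique); }
size_t demo_patch(void) { return fix_direct_imports(g_code, g_len, SAMPLE_VA, 1, &g_unique); }

int main(void) {
    size_t found = demo_scan();
    printf("Found %zu possible direct imports with %zu unique APIs!\n", found, g_unique);
    demo_patch();
    for (size_t i = 0; i < g_len; i++) printf("%02X%s", g_code[i], (i % 6 == 5) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

Run as-is, the scan reports 4 references to 3 unique APIs and the dump shows the first stub turned from `E9 9D 78 F6 7D FF` into `FF 25 00 20 40 00`, while the local `E8` call is untouched. The one check that matters for Scylla's "Found 0 possible direct imports" is the same as `lookup_api` here: a target only counts if it resolves to an export of another loaded module, so with an API table that does not cover the target DLLs (or a scan range that does not cover the stubs) the count stays at zero even though the E9 stubs are plainly there.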
Priboi

@PoorPlayer

Hello, address 53782C is in the middle of your IAT, but I can't see the beginning of the IAT in your picture, so scroll up, find the beginning, type that address in the VA box and the size of the IAT in the Size box, then click Get Imports.

CodeExplorer
14 minutes ago, PoorPlayer said:

00407660 | FF25 44785300            | jmp dword ptr ds:[<&_NtdllDefWindowProc_A@0>]

This API is user32.DefWindowProcA, forwarded from user32.dll to ntdll.dll;
obviously ntdll.dll is not imported.
So you have to fix the API manually in Scylla.
PoorPlayer

@Priboi: I don't understand what you mean, but thanks for the reply anyway.

6 minutes ago, CodeExplorer said:

So you have to fix the Api manually under Scylla

Oh my god

  • 2 weeks later...
Priboi

Could someone please give me an unpackme to play around with, one which will make Scylla find direct imports? Like I said, I have tried many unpackmes and Scylla NEVER shows a value other than "found 0 direct imports".

Priboi

@PoorPlayer

No, in this tutorial I am sure direct imports don't exist. Even UIF, after repairing the API redirection, doesn't show any direct imports, but thanks for trying to help me anyway.

PS: Did you solve the problem you mentioned in this topic?

PoorPlayer

I solved my problem, just manually define the API in Scylla.
