I think Scylla is always interested in crash reports, no matter why they happened. :)
|
Some feedback
1. It does not remember the last folder used to store dump/fix, but always starts from the module home folder.
2. It keeps separate adjacent chunks of functions related to the same module.
3. For dump naming it would be better to follow ImpRec behavior: default dump name is module name + suffix.
Feature request
+ Add import manually. Now it can be done using XML editing, but you need to recalc offsets, ordinals, etc.
+ Single -Dump & Fix- button :) |
1 Attachment(s)
Quote:
About the Scylla crash: I found that the function ApiReader::parseExportTable does not parse exports correctly in some cases. The way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the names are located in different memory than the export buffer covers. |
Quote:
Quote:
Quote:
GetProcAddress points to function RVA FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.
@Syoma Thanks for the suggestions, I will fix that. |
Quote:
1. Trace into the apphelp.dll function code, then you'll get the correct API function by watching some special call/jmp such as call eax, call [eax+const], call [ecx+const], jmp eax.
2. Using the debugging symbols of apphelp, we'll get the similar correct name of the API.
I got the same problem with aclayers.dll, but it seems hard to make a tracer for that. It seems the best way is to hard-code the address value for these DLLs. |
I know this is not a good idea, or a stupid idea, but for an unpacker, when he works on unpacking he can do this:
Quote:
|
New version
Quote:
I cannot reproduce the crash, tested with Crysis and Far Cry. |
Quote:
2. I'll try to give you the examples about the crash. |
There was a bug with virtual devices...
|
Quote:
|
1 Attachment(s)
Windows doesn't handle virtual devices like it should :(
This should work now, but the solution is bad... |
1 Attachment(s)
Here are the samples for the Scylla crash bug. Use OllyDbg2 to load scylla_.exe, then you'll stop at EP. Now use Scylla to process the scylla_.exe module and Scylla will crash. Hope this will help you :D
|
Hi Carbon :
About Computer_Angel's target: don't care about it. Scylla is the best and it does not need any fix to handle virtual devices. This sample is a tricky target :rolleyes: it writes a false size for IMAGE_EXPORT_DIRECTORY, which makes it very, very big, so it can't be handled with bufferExportTable = new BYTE[readSize]; so, Computer_Angel, it is an anti-Scylla (or other IAT rebuilder) technique ;).
Quote:
Computer_Angel :cool: |
Ahmadmansoor, I get this problem when unpacking the Warface game.
|
1 Attachment(s)
Thanks for the file Computer_Angel and thanks for the help ahmadmansoor.
I added an option to read the export table always from disk. This is slower than reading it from the target process. I guess this is a rare case, so people should only enable it if needed. Quote:
|
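Added example, not part of any post in this thread and not Scylla's own code: a bounds-checked way to read export names that covers both failure modes discussed above, a false IMAGE_EXPORT_DIRECTORY size used as an allocation size and name RVAs that point outside the export buffer. The `ExportDir` struct, the helper names and the sample bytes are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Field layout of IMAGE_EXPORT_DIRECTORY, redeclared so this builds without windows.h.
struct ExportDir {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
};
// Reject a directory size that cannot be real before using it as an allocation size.
bool exportDirPlausible(uint32_t rva, uint32_t size, uint32_t sizeOfImage) {
    return size >= sizeof(ExportDir) && rva < sizeOfImage && size <= sizeOfImage - rva;
}
// Map an RVA to an offset in a buffer covering RVAs [base, base + len); false if `need` bytes
// are not covered. `need` is 64-bit so that NumberOfNames * 4 cannot wrap around.
static bool toOffset(uint32_t rva, uint64_t need, uint32_t base, size_t len, size_t& off) {
    off = size_t(rva) - base;
    return rva >= base && off <= len && need <= len - off;
}
// Names located outside the buffer are counted in `skipped` and never dereferenced.
std::vector<std::string> readExportNames(const std::vector<uint8_t>& buf, uint32_t base, size_t& skipped) {
    std::vector<std::string> names;
    ExportDir dir;
    size_t table = 0, off = 0;
    skipped = 0;
    if (buf.size() < sizeof(dir)) return names;
    std::memcpy(&dir, buf.data(), sizeof(dir));
    if (!toOffset(dir.AddressOfNames, uint64_t(dir.NumberOfNames) * 4, base, buf.size(), table)) return names;
    for (uint32_t i = 0; i < dir.NumberOfNames; ++i) {
        uint32_t nameRva;
        std::memcpy(&nameRva, &buf[table + 4 * size_t(i)], 4);
        // The whole string, terminator included, must lie inside the buffer.
        if (toOffset(nameRva, 1, base, buf.size(), off) && std::memchr(&buf[off], 0, buf.size() - off))
            names.emplace_back(reinterpret_cast<const char*>(&buf[off]));
        else ++skipped;
    }
    return names;
}
// Constructed sample: directory at RVA 0x1000, two names; the second name RVA is outside the buffer.
std::vector<uint8_t> makeSample() {
    std::vector<uint8_t> b(64, 0);
    ExportDir d{};
    d.NumberOfNames = 2; d.AddressOfNames = 0x1028;  // name RVA table follows the 40-byte directory
    const uint32_t rvas[2] = {0x1030, 0x9000};
    std::memcpy(&b[0], &d, sizeof(d));
    std::memcpy(&b[40], rvas, sizeof(rvas));
    std::memcpy(&b[48], "ApiOne", 7);
    return b;
}
```

Names counted in `skipped` are the ones a tool would have to resolve from another source, such as the module file on disk.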