Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   ScyllaHide (https://forum.exetools.com/showthread.php?t=15712)

Storm Shadow 08-30-2016 23:33

Quote:

Originally Posted by sendersu (Post 106772)
The error comes from idaserver.cpp:
Code:

int main(int argc, char *argv[])
{
        LogWrap = LogWrapper;
        LogErrorWrap = LogWrapper;

        /* Client and server must agree on the exchange struct layout; the
           expected size is a fixed constant, so any mismatch aborts here. */
        if (sizeof(IDA_SERVER_EXCHANGE) != IDA_SERVER_EXCHANGE_STRUCT_SIZE)
        {
                printf("WRONG!!! Size of IDA_SERVER_EXCHANGE %u == %u?\n\n",
                       (unsigned)sizeof(IDA_SERVER_EXCHANGE), (unsigned)IDA_SERVER_EXCHANGE_STRUCT_SIZE);
                getchar();
                return 0;
        }

        /* ... remainder of main() not included in the post ... */
}


Changing https://github.com/x64dbg/ScyllaHide/blob/b76835ab75ac384bedccb59119d972997c6d61aa/ScyllaHideIDAServer/IdaServerExchange.h#L89 to 648 will fix this error.
However, it will break it for those that don't use the same IDA version as you.
So one would need to do a pull request with a loop for making it work with each new version.


Quote:

Please fix bug on update Windows 10 in ollydbg1 and ollydbg2
thank you in advance

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
The last Anniversary Update made a lot of changes to Win 10, so it won't work on Win 10.

Storm Shadow 08-31-2016 01:51

Little update

After the crash with IDA and after debugging it,
it seems to make an x64 hook first in an x86 app and IDAServerx86,
and some more problems.

Bug 1)
It crashes because it attempts to make an x64 connection in an x86 app.

Fails on
Code:

IDAServerx86.exe!DetourCreateRemoteNativeSysWow64(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize)  Line 356 + 0x5 bytes
but not on

Code:

IDAServerx86.exe!DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize)  Line 532 + 0x1a bytes  C++
I forwarded lines 350-354 for spaces:
https://github.com/x64dbg/ScyllaHide...k.cpp#L350-354
Not sure why, but I am a Python guy.
It seems to jump to the x86 hook instead of the x64 one, but a smart person told me that it should not matter in C++.

Suggestions:
Maybe the dev should use

Code:

#ifdef __EA64__
    /* x64 hook */
    DetourCreateRemoteNativeSysWow64(hProcess, lpFuncOrig, lpFuncDetour, createTramp, backupSize);
#else
    /* x86 hook */
    DetourCreateRemoteNative32(hProcess, lpFuncOrig, lpFuncDetour, createTramp, backupSize);
#endif


Bug 2)
I also saw a port access violation.

In Win 10, even if you have a firewall you bought, you have to open the ports in the internal Win 10 one, even if it is disabled.
In the Start menu type WF.msc and open UDP/TCP port 1337.

Bug 3)
And for fixing the structure error, for now
untick NtQueryInformationProcess in the ScyllaHide settings.

Result:
Code:

Listening on port 1337...
Accepted Client 1
[ScyllaHide] Hook Injection successful, Imagebase 001D0000


nocturo 09-20-2016 22:45

I thought I was doing something wrong, then I found this thread! Win10 (Anniversary Update) + x64dbg doesn't crash, but gives:
NT APIs missing section
060200000109_x86_0000A830
file NtApiCollection.ini.

I used scyllahide from link on x64dbg page (bitbucket link). Hopefully someone can make win10 a platform for RE. Thanks!

mudlord 10-05-2016 13:05

I did some testing.

https://github.com/x64dbg/ScyllaHide/issues/2

Seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call as well as a different signature. The code leading to the gateway is a JMP to the jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.

Quote:

Originally Posted by Kla$ (Post 106828)
Please fix bug on update Windows 10 in ollydbg1 and ollydbg2
thank you in advance

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
OK
---------------------------

---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
OK
---------------------------

That bug I managed to fix, but I haven't checked the remaining ones. There were also changes for 3 APIs that are enough for Obsidium and Themida targets to be detected. So far, for me, I managed to get VMP debugged.

SKiLLa 10-20-2016 00:01

It seems last month's Windows Updates for 8.1 (x64) also broke the NtApiCollection.ini PDB resolvers. It was working fine until I ran the updates, rebooted and started x64dbg. When it complained about missing "NTUser* API addresses, Section: 060300000109_x86_000158A0" I ran both PDB resolvers (as admin) and copied over the fresh .ini file, but not all API addresses were resolved properly. Just to be sure I also updated x64dbg to the latest commit, but without success ...

mr.exodia 10-20-2016 18:57

There have been massive issues with the Microsoft symbol servers recently... This was collected (took about 10 minutes) on the latest Windows 8.1 x64 https://gist.github.com/mrexodia/8aea202c1177892b4577a32927cef3bf

SKiLLa 10-24-2016 18:26

Thanks mr. Exodia. I did notice some symbol-server issues, but after a few retries it 'completed'. As it turns out, I got returned an incorrect version tag when running PDBReader, and the network issues weren't messing things up after all (except for having me retry it a couple of times):

[060200000109_x86_000158A0]

instead of:

[060300000109_x86_000158A0]

whilst I do have Windows 8.1 x64 (=v6.3). I changed this manually in the .ini file, after which ScyllaHide seems to work perfectly. Not sure if this is an issue with PDBReader or not, but if I should provide more info, please let me know ...

PS: Kind of silly I didn't notice before ... where's the shame-on-me smiley when you need it?
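
The section tags quoted in this thread ("060200000109_x86_000158A0", "060300000109_x86_000158A0", "060200000109_x64_0000BAB0") are matched by exact name, so a tag written for the wrong OS version simply reads as "missing". The following is an added example, not code from ScyllaHide or x64dbg: it decodes a tag and, given the text of an NtApiCollection.ini, reports whether the dialog's tag is present, absent, or present only under a different OS version (SKiLLa's 0602 vs 0603 case). It assumes only that the first two hex bytes are the OS major/minor version and that the token after the first underscore is the architecture; the other fields are treated as opaque.

```python
import re

# A section name such as 060300000109_x86_000158A0 starts with the OS major/minor
# version as two hex bytes (06.03 = Windows 8.1, 06.02 = Windows 8), then the arch
# token; the remaining fields are treated as opaque here (an assumption).
TAG_RE = re.compile(
    r"^\[?([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})([0-9A-Fa-f]{8})_(x86|x64)_([0-9A-Fa-f]{8})\]?$")

def parse_tag(tag):
    """Split a section name (with or without brackets) into its fields, or None."""
    m = TAG_RE.match(tag.strip())
    if m is None:
        return None
    major, minor, mid, arch, tail = m.groups()
    return {"major": int(major, 16), "minor": int(minor, 16),
            "mid": mid.upper(), "arch": arch, "tail": tail.upper()}

def ini_sections(ini_text):
    """Return the section names (brackets removed) found in an .ini text."""
    lines = (ln.strip() for ln in ini_text.splitlines())
    return [ln[1:-1] for ln in lines if ln.startswith("[") and ln.endswith("]")]

def diagnose(ini_text, wanted):
    """Explain why the tag from the 'NT APIs missing' dialog is not in the .ini.
    Returns (status, section): 'present', 'os-version-mismatch' (a section that
    differs only in the OS version bytes, SKiLLa's 0602 vs 0603 case), 'absent'
    (rerun the PDB resolver / NtApiTool) or 'bad-tag'."""
    want = parse_tag(wanted)
    if want is None:
        return ("bad-tag", None)
    bare = wanted.strip().strip("[]")
    present = ini_sections(ini_text)
    if bare in present:
        return ("present", bare)
    for name in present:
        have = parse_tag(name)
        if have is None:
            continue
        same_rest = all(have[k] == want[k] for k in ("mid", "arch", "tail"))
        if same_rest and (have["major"], have["minor"]) != (want["major"], want["minor"]):
            return ("os-version-mismatch", name)
    return ("absent", None)

# Constructed sample (not a real NtApiCollection.ini): the resolver wrote a 6.2 tag.
SAMPLE_INI = """; constructed sample
[060200000109_x86_000158A0]
NtUserPlaceholder=00000000
"""
```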

TheEnd 10-29-2016 10:46

NT APIs missing
section
060200000109_x64_0000BAB0
file
X:\x64dbg\plugins\NtApiCollection.ini

mr.exodia 10-30-2016 03:50

Everything appears to work fine here. If Microsoft doesn't provide symbols, there is not much you can do. What SKiLLa did is not a real solution; for me the problem was solved by running NtApiTool.exe again.

mudlord 11-15-2016 07:46

Seems the Anniversary Update problems I documented and reversed are now fixed by another person, and are now in the latest Git :)

Which is super cool.

kienmanowar 11-15-2016 09:54

Quote:

Originally Posted by mudlord (Post 107673)
Seems the Anniversary Update problems I documented and reversed are now fixed by another person, and are now in the latest Git :)

Which is super cool.

ScyllaHideIDA.p64 is missing?

Storm Shadow 11-15-2016 22:06

Quote:

Originally Posted by kienmanowar (Post 107674)
ScyllaHideIDA.p64 is missing?

here

Attachment 9084
Also, a reminder that the x64 version is a Win32 build but with a different extension name.

kienmanowar 11-16-2016 17:44

Quote:

Originally Posted by Storm Shadow (Post 107680)
here

Attachment 9084
Also, a reminder that the x64 version is a Win32 build but with a different extension name.

Can you mirror it? I don't have permissions to download the attachment :(

Regards,

Storm Shadow 11-16-2016 18:20

Quote:

Originally Posted by kienmanowar (Post 107689)
Can you mirror it? I don't have permissions to download the attachment :(

Regards,

https://mega.nz/#!rxsjmBhb!OaRLJnutaPGqf9jQUntJKs6ficb9U7m2XZ57JEWrtd0

Mendax47 11-27-2016 21:23

Quote:

Originally Posted by Storm Shadow (Post 107680)
here

Attachment 9084
Also, a reminder that the x64 version is a Win32 build but with a different extension name.

Hey bro, can you upload the latest one (.p64)...? I don't have VS to compile it.... :(

