Scylla x64/x86 Imports Reconstruction

[Carbon]

ahmadmansoor had a nice idea for a new IAT search algorithm. It seems that it is very accurate after some tweaks, but takes a little bit longer depending on your computer.

Use the option "advanced iat search" and test it.

If you like to support this project, BTC Address: 1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h

Code:

Version 0.9.2

- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project

[Carbon]

new options added

Quote:

Version 0.9.4 beta

- direct import scan + fix: 5 byte CALL/JMP, junk byte must be after CALL/JMP
- create new iat in section
- fixed various bugs

Version 0.9.3
- new dll function: iat search
- new dll function: iat fix auto

[Carbon]

Quote:

Version 0.9.4 Final

- direct import scanner (LEA, MOV, PUSH, CALL, JMP) + fixer with 2 fix methods
- create new iat in section
- fixed various bugs

I really recommend to update due to the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file

I also found some weird thing in Windows 7 x64. I don't know yet why this happens:

Quote:

### Windows 7 x64

Sometimes the API kernel32.dll GetProcAddress cannot be resolved, because the IAT has an entry from apphelp.dll
Solution? I don't know

[deepzero]

where do these new version come from? They are not mentioned on t4u, Scylla's home.

[Av0id]

deepzero, you can get them in t4u download area

[giv]

The 0.9.4 betra behaved strange on my latest attempts.
On simple unpackmes the resulted dump was invalid....
I home that 0.9.4 final does not have that behaviour.

[ahmadmansoor]

Lol .... my friend I have disable the "normal" fixer too.
I have use the default option when run Scylla first time .
check picture
http://postimg.org/image/umncnodiv/

[Carbon]

Quote:

Originally Posted by ahmadmansoor

Lol .... my friend I have disable the "normal" fixer too.
I have use the default option when run Scylla first time .
check picture
http://postimg.org/image/umncnodiv/

yes that are the correct settings. Now dump and fix and the direct imports will be resolved.

[ahmadmansoor]

I think I miss something ,so u keep the same size of (jmp or Call) and not make any changes

Quote:

E9 xxxxxx >>>> E9 API
not fixing it to
E9 xxxxxx >>>> FF25 xxxxxx

Ok let me do more checks .

[Carbon]

I change the jmp destination to a jmp table.

[Computer_Angel]

1.Scylla should have option to use PE Header of module on disk just like imprec .
right now, scylla read the pe header from memory and in some case the export directory is destroy make scylla crash.
You could try some target using cryengine sdk such as Warface to get this case/.

2. About apphelp.dll, we could resolve it using plugin to handle it.

[Carbon]

Quote:

Originally Posted by Computer_Angel

1.Scylla should have option to use PE Header of module on disk just like imprec .
right now, scylla read the pe header from memory and in some case the export directory is destroy make scylla crash.
You could try some target using cryengine sdk such as Warface to get this case/.

In the options you can choose between reading pe header from disk or from memory. It should work.

Quote:

the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of names in the differ memory than the exportbuffer cover.

Thanks I will fix that.

Quote:

We could using plugin for apphelp.dll to solve the api. This is my small plugin for Imprec & Scylla.

I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function rva FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.

@Syoma
Thanks for the suggestions, I will fix that.

[Computer_Angel]

Quote:

Originally Posted by Carbon

I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function rva FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.

There're many way.
1.trace into the apphelp.dll function code then you'll get the correct api function by watching some special call,jmp such as call eax, call [eax+const], call [ecx+const], jmp eax.

2. Using debuging symbol of apphelp then we'll get the simillar correct name of api.

I got the same problem with aclayers.dll, but seem it's hard to make a tracer for that. Seem the best way is to hard-code the address value for these dll.

[deepzero]

i think scylla is always interested in crash reports, no matter why they happened.

[Syoma]

Some feedback
1. It does not remember the last folder used to store dump/fix, but always start from the module home folder.
2. It keeps separate adjacent chunks of functions related to the same module.
3. For dump naming would be better to follow ImpRec behavior: default dump name is module name + suffix.

Feature request
+ Add import manually. Now it can be done using XML editing, but need to recalc offsets, ordinals, etc.
+ Single -Dump & Fix- button