Exetools
#76 | 03-24-2014, 20:45 | Syoma
Very good release )
Could you please collapse all nodes after chunks merge at the end?
Also, if possible, add an option to set the image header flag "relocations stripped" on Dump.
Maybe also an option to automatically save the tree on Dump as ModuleName-Tree.xml.
#77 | 03-24-2014, 21:17 | Syoma
Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png
#78 | 03-24-2014, 23:33 | Carbon
Quote (originally posted by Syoma):
Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png

Thanks for the report. Are you sure that this is a mistake? What entry did Scylla miss? Can you please show me the spot in Olly with the dump view "Long -> address with ascii dump".
#79 | 03-25-2014, 00:00 | Syoma
Yes, I am sure it is a mistake. The missed import entries are data-related, not functions. Like __declspec(dllexport) int i; and the same for structure instances.

Also, the same problem with the msvcr90.dll import:
150 __CppXcptFilter dd ?
154 _adjust_fdiv dd ? // <<----- this one was missed in chunk
158 _amsg_exit dd ?

I do not use Olly. So I am not sure what you are asking for.
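Two points in this exchange, the "relocations stripped" header flag Syoma asked for in post #76 and the data exports that were being skipped here, both come down to reading the PE headers correctly. The following Python is an added example for this thread, not Scylla's code: it parses a constructed minimal PE32 header (labelled as such in the code), sets `IMAGE_FILE_RELOCS_STRIPPED` in `IMAGE_FILE_HEADER.Characteristics`, and classifies an export RVA as code or data by the characteristics of the section that contains it. The helper names (`set_relocs_stripped`, `classify_export`, `build_sample_image`) are my own; the flag and section constants are from the PE/COFF specification.

```python
import struct

# PE/COFF constants (from the PE specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # one 40-byte IMAGE_SECTION_HEADER


def _pe_header_offset(image: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature, validating the DOS header first."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def get_characteristics(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.Characteristics (offset 18 into the 20-byte COFF header)."""
    coff = _pe_header_offset(image) + 4
    return struct.unpack_from("<H", image, coff + 18)[0]


def set_relocs_stripped(image: bytes) -> bytes:
    """Return a copy with IMAGE_FILE_RELOCS_STRIPPED set, so the loader will not try to
    apply a .reloc section that no longer matches the dumped image."""
    buf = bytearray(image)
    coff = _pe_header_offset(buf) + 4
    chars = struct.unpack_from("<H", buf, coff + 18)[0]
    struct.pack_into("<H", buf, coff + 18, chars | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(buf)


def section_headers(image: bytes):
    """Yield (name, virtual_address, size, characteristics) for every section."""
    pe = _pe_header_offset(image)
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        (name, vsize, va, raw_size, _raw_ptr, _reloc_ptr, _line_ptr,
         _nreloc, _nline, chars) = struct.unpack_from(SECTION_HEADER_FMT, image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii"), va, max(vsize, raw_size), chars


def classify_export(image: bytes, rva: int) -> str:
    """'function' if the RVA lies in a code/executable section, 'data' if it lies in a
    non-executable section (an exported variable), 'unknown' if outside every section."""
    for _name, va, size, chars in section_headers(image):
        if va <= rva < va + size:
            if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                return "function"
            return "data"
    return "unknown"


def build_sample_image() -> bytes:
    """Constructed minimal PE32 header (not a real module): DOS header, PE signature,
    COFF header, zeroed PE32 optional header, and a .text plus a .data section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # i386, 2 sections, no symbols, PE32 optional header size, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = b"\x0b\x01" + bytes(0xE0 - 2)                     # PE32 magic, rest zeroed
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x1000, 0x2000, 0x1000, 0x1400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + coff + optional + text + data


if __name__ == "__main__":
    img = build_sample_image()
    print("Characteristics:", hex(get_characteristics(img)),
          "->", hex(get_characteristics(set_relocs_stripped(img))))
    for rva in (0x1010, 0x2040, 0x5000):
        print(hex(rva), classify_export(img, rva))
```

The classification is the point of this post: an import rebuilder cannot use "points into executable memory" as its validity test, because an IAT slot that holds the address of an exported variable such as the `_adjust_fdiv` entry above lands in a data section and is still a valid import. Setting the relocations-stripped bit on a dump only tells the loader not to process `.reloc`; it does not rebase anything, so the dumped image must load at its preferred ImageBase.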
#80 | 03-25-2014, 00:30 | Carbon
Thanks, I forgot that data exports exist... this should fix it.
Attached Files
File Type: rar Scylla_v0.9.6a.rar (853.0 KB, 187 views)
#81 | 04-13-2014, 17:38 | Syoma
Bug report:
Consecutive chunks merged into a single branch (check attached image)

Feature request:
Often, especially in Delphi, you can see multiple kernel32.dll chunks with the same functions (which may be stolen). Could you please add an extra loop to check all entries with the same address and fix them at once?
For example: suppose GetProcAddress is stolen and we have 3 chunks where the function is redirected to stub 00112233. Select the 00112233 entry in Scylla and resolve the function manually; it gets resolved in all 3 chunks.

Initialize the function select dialog with a default module name value.
For example: we process a kernel32.dll chunk. The DLL module name would, with very high probability, be the same as for the chunk entry above the current one. For the first entry, some heuristic is possible by calculating module name frequency over all entries in the chunk.

Add an option 'Save tree on exit' or an exit confirmation dialog.
It is quite terrible to find the Scylla window closed by an extra ESC when over 50 entries have already been processed.
Attached Images
File Type: png ChunksBug.png (28.0 KB, 10 views)
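The "fix all entries with the same address at once" loop and the default-module heuristic requested above are small enough to show end to end. The following Python is an added example written for this thread, not Scylla's code; `ImportEntry`, `resolve_everywhere`, `shared_unresolved_addresses` and `default_module` are names I made up, and the three chunks with a stolen GetProcAddress slot redirected to stub 00112233 are constructed sample data (the other addresses are arbitrary).

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class ImportEntry:
    """One IAT slot inside a chunk (constructed model of a tree row, not Scylla's real class)."""
    iat_rva: int       # RVA of the slot in the dumped image
    address: int       # value found in the slot: a real API address or a protector stub
    module: str = ""   # DLL name once resolved, "" while unresolved
    name: str = ""     # API name once resolved

    @property
    def resolved(self) -> bool:
        return bool(self.module and self.name)


def resolve_everywhere(chunks, address: int, module: str, name: str) -> int:
    """Apply one manual resolution to every still-unresolved slot, in every chunk,
    whose value equals `address`. Returns the number of slots fixed."""
    fixed = 0
    for chunk in chunks:
        for entry in chunk:
            if entry.address == address and not entry.resolved:
                entry.module, entry.name = module, name
                fixed += 1
    return fixed


def shared_unresolved_addresses(chunks):
    """Map each unresolved slot value to the number of slots (across all chunks) holding it,
    most-shared first, so the analyst knows which single fix clears the most entries."""
    counts = Counter(e.address for chunk in chunks for e in chunk if not e.resolved)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def default_module(chunk, index: int) -> str:
    """Default DLL name for the resolve dialog: the nearest resolved entry above `index`,
    otherwise (first entry) the most frequent resolved module in the chunk, otherwise ''."""
    for entry in reversed(chunk[:index]):
        if entry.module:
            return entry.module
    counts = Counter(e.module for e in chunk if e.module)
    return counts.most_common(1)[0][0] if counts else ""


def build_sample_chunks():
    """Constructed scenario: three chunks, each with one stolen GetProcAddress slot
    redirected to stub 0x00112233. All other addresses are arbitrary sample values."""
    stub = 0x00112233
    return [
        [ImportEntry(0x3000, 0x7C800100, "kernel32.dll", "LoadLibraryA"),
         ImportEntry(0x3004, stub),
         ImportEntry(0x3008, 0x7C800200, "kernel32.dll", "ExitProcess")],
        [ImportEntry(0x3100, stub),
         ImportEntry(0x3104, 0x77D50100, "user32.dll", "MessageBoxA"),
         ImportEntry(0x3108, 0x77D50200, "user32.dll", "GetDC")],
        [ImportEntry(0x3200, 0x7C800300, "kernel32.dll", "VirtualAlloc"),
         ImportEntry(0x3204, 0x7C800400, "kernel32.dll", "GetModuleHandleA"),
         ImportEntry(0x3208, stub),
         ImportEntry(0x320C, 0x7C800500, "kernel32.dll", "GetModuleFileNameA")],
    ]


if __name__ == "__main__":
    chunks = build_sample_chunks()
    for address, count in shared_unresolved_addresses(chunks):
        print(f"unresolved {address:08X} appears in {count} slots")
    print("suggested module for chunk 1, entry 0:", default_module(chunks[1], 0))
    fixed = resolve_everywhere(chunks, 0x00112233, "kernel32.dll", "GetProcAddress")
    print(f"manual fix propagated to {fixed} slots")
```

`resolve_everywhere` only touches slots that are still unresolved and hold exactly the address the analyst just resolved, so entries resolved earlier are never overwritten; if a protector routes several APIs through one shared dispatcher address, the propagated result still has to be checked entry by entry. `default_module` implements both halves of the request: the entry above for the general case, and chunk-wide module frequency when there is no resolved entry above.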
#82 | 04-13-2014, 17:46 | Syoma
Bug report:
---------------------------
Exception! Please report it!
---------------------------
ExceptionCode C0000005
ExceptionFlags 00000000
NumberParameters 00000002
ExceptionAddress VA 77437419
ExceptionAddress RVA 77037419

eax=0x0012EE14, ebx=0x00000000, edx=0x00670601, ecx=0x7E429340, esi=0x0012EE14, edi=0x001AF5A8, ebp=0x0012EDF0, esp=0x0012EDB0, eip=0x77437419
---------------------------
OK
---------------------------

Got it on the last chunk entry after a manual GetProcAddress fix and pressing OK. WinXP/x86 SP3, Scylla 0.9.6a.
#83 | 04-13-2014, 18:05 | Syoma
Feature request:
Add a Re-scan names button. Check the attached image.
Add Export Tree for ImpRec.
Attached Images
File Type: png NamesBug.png (17.9 KB, 28 views)
#84 | 05-08-2014, 03:15 | Carbon
Sorry for the late reply. I was busy with the ScyllaHide project.

How do you produce the view in NamesBug.png? Do you think these are valid API addresses?

Quote (Syoma):
Add Export Tree for ImpRec.

I don't want to add this feature directly to Scylla, but I coded a small standalone tool for this purpose. I thought about using the ImpRec format, but it is really terrible so I chose the "right way".

C#.NET, can convert Scylla XML to ImpRec (crap) txt.
https://bitbucket.org/NtQuery/scyllatoimprectree
https://bitbucket.org/NtQuery/scyllatoimprectree/downloads/ScyllaToImprecTree.rar

My blog: https://ntquery.wordpress.com
#85 | 05-08-2014, 05:15 | Syoma
Hi, it was some time ago, so I forgot how I did that. But I think it was done in the usual way using some protected application. Yes, those are valid API addresses. I think they are always the same for WinXP SP3/x86, so you can check by yourself.
Most probably in the next few days I will do a new version of that app and provide more details.
Do you have any information on the other reports?
#86 | 10-01-2014, 19:21 | Utshiha
Scylla Imports Reconstruction 0.9.7b

Quote:
great tool to rebuild an import table, like ImpREC, CHimpREC, Imports Fixer

Scylla's key benefits are:

x64 and x86 support
full unicode support
written in C/C++
plugin support (ImpREC plugins are supported)
works great with Windows 7
Currently there are only 2 plugins (PECompact, PESpin x64) in this release; full sourcecode for both is included.

Attached Files
File Type: rar Scylla097.rar (189.9 KB, 68 views)
#87 | 12-21-2014, 15:22 | DMichael
Fixed Scylla 0.9.7b

I have made a quick patch till Aguila himself fixes the issues I mentioned:
1. Freeze bug under exe32protector
2. Crash bug under PEP protector
(more details in PM since I'm not sure I can post links to other forums)
Attached Files
File Type: rar Scylla_x86.rar (183.5 KB, 56 views)
#88 | 12-28-2014, 14:12 | xtiaoshi
Scylla 0.9.7c
Attached Files
File Type: rar Scylla_v0.9.7c.rar (868.7 KB, 106 views)
#89 | 05-03-2015, 20:09 | Carbon
Version 0.9.8

- Bugfixes for x64, IAT Search
- diStorm3 update from Jan 3rd 2015
Attached Files
File Type: rar Scylla_v0.9.8.rar (985.9 KB, 165 views)
#90 | 06-03-2022, 08:49 | dnvthv
Version 0.11.0

- Update `ScyllaIatFixAutoW` and `ScyllaIatSearch` to allow dumping DLLs
- `pyscylla.dump_pe` and `pyscylla.rebuild_pe` now return None and throw exceptions on failure
- Generate Python bindings for Python 3.8+ (i.e., drop Python 3.7 support)

Version 0.10.0

- Update default configuration
- Add support for Windows 8.1 and Windows 10
- Switch build system to CMake
- Add bindings for Python 3
- Add a new `createNewIat` parameter to `ScyllaIatFixAutoW`
- Fix bad handling of instructions with a REX prefix in `IATReferenceScan::patchNewIat`
- Handle multiple imports that have the same address in `ApiReader::getApiByVirtualAddress`
- Add a Sphinx-generated documentation
- Update distorm to version 3.5.2
- Update WTL to version 10

https://github.com/ergrelet/Scylla
https://github.com/ergrelet/Scylla/releases