Exetools  


#76  03-24-2014, 20:45  Syoma (reverse engineer)
Very good release )
Could you please collapse all nodes after the chunks merge at the end?
Also, if possible, add an option to set the image header flag "relocations stripped" on Dump.
Maybe also an option to automatically save the tree on Dump as ModuleName-Tree.xml.

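An added example (Python, not Scylla's own code) of the "relocations stripped" flag that the request above asks for on Dump: it sets IMAGE_FILE_RELOCS_STRIPPED, bit 0x0001 of the COFF Characteristics word, after validating the MZ and PE signatures. The header bytes are constructed for the demo; nothing beyond the COFF header is modelled.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit: base relocations were removed

def _characteristics_offset(data):
    """File offset of IMAGE_FILE_HEADER.Characteristics, after checking the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + 4 + 18   # 4-byte signature, then Characteristics is the COFF header's last WORD

def relocs_stripped(data):
    """True if IMAGE_FILE_RELOCS_STRIPPED is set in the image's COFF header."""
    return bool(struct.unpack_from("<H", data, _characteristics_offset(data))[0] & IMAGE_FILE_RELOCS_STRIPPED)

def set_relocs_stripped(data):
    """Return a copy of the image with IMAGE_FILE_RELOCS_STRIPPED set; no other byte changes."""
    off = _characteristics_offset(data)
    out = bytearray(data)
    struct.pack_into("<H", out, off, struct.unpack_from("<H", data, off)[0] | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(out)

def build_sample_header(characteristics):
    """Constructed demo input: MZ stub, PE signature and a COFF header for an i386 image, no sections."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    image = build_sample_header(0x0102)   # EXECUTABLE_IMAGE | 32BIT_MACHINE, relocations still present
    print(relocs_stripped(image), relocs_stripped(set_relocs_stripped(image)))   # False True
```

Setting the flag marks the dump as not relocatable, so the loader keeps it at its fixed ImageBase instead of rebasing it with a .reloc table that no longer matches the dumped memory; the example does not clear the relocation data directory or the section itself.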

#77  03-24-2014, 21:17  Syoma (reverse engineer)
Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png

#78  03-24-2014, 23:33  Carbon (VIP)
Quote:
Originally Posted by Syoma View Post
Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png
Thanks for the report. Are you sure that this is a mistake? What entry did Scylla miss? Can you please show me the spot in Olly with the dump view "Long -> address with ascii dump"?

#79  03-25-2014, 00:00  Syoma (reverse engineer)
Yes, I am sure it is a mistake. The missed import entries are data-related, not functions. Like __declspec(dllexport) int i; and the same for structure instances.

Also, the same problem with the msvcr90.dll import:
150 __CppXcptFilter dd ?
154 _adjust_fdiv dd ? // <<----- this one was missed in chunk
158 _amsg_exit dd ?

I do not use Olly, so I am not sure what you are asking for.

#80  03-25-2014, 00:30  Carbon (VIP)
Thanks, I forgot that data exports exist... this should fix it.
Attached Files
File Type: rar Scylla_v0.9.6a.rar (853.0 KB, 186 views)
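The data-export case from the bug report and the "I forgot that data exports exist" fix above, as an added illustration in Python that is not Scylla's code: a chunk finder that accepts only addresses inside executable sections splits the msvcr90.dll slot run around _adjust_fdiv, while one that accepts any exported symbol keeps the three slots in one chunk. The thread does not say what Scylla's actual check was, so the code-only filter is an assumed model of the failure; the section layout, export addresses and IAT values are constructed.

```python
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SECTION_HEADER.Characteristics bit

# Constructed sample, loosely modelled on the msvcr90.dll case from the thread: _adjust_fdiv is exported
# data living in .data, the other two are code in .text. Section tuple: (name, va, size, characteristics)
MSVCR90 = {
    "name": "msvcr90.dll",
    "sections": [(".text", 0x78521000, 0x9A000, 0x60000020),
                 (".data", 0x785C0000, 0x10000, 0xC0000040)],
    "exports": {"__CppXcptFilter": 0x78540120, "_adjust_fdiv": 0x785C3F00, "_amsg_exit": 0x78540880},
}

def section_of(mod, addr):
    """Return the section tuple containing addr, or None."""
    return next((s for s in mod["sections"] if s[1] <= addr < s[1] + s[2]), None)

def export_at(mod, addr):
    """Return the exported symbol name at addr, function or data, or None."""
    return next((n for n, va in mod["exports"].items() if va == addr), None)

def resolve_code_only(mod, addr):
    """Assumed buggy check: only addresses inside an executable section are accepted as imports."""
    sec = section_of(mod, addr)
    if sec is None or not sec[3] & IMAGE_SCN_MEM_EXECUTE:
        return None
    return export_at(mod, addr)

def resolve_any_export(mod, addr):
    """Fixed check: every exported symbol counts, whether it is a function or a data object."""
    return export_at(mod, addr)

def find_chunks(iat, mod, resolve):
    """Split consecutive IAT slots into runs of resolvable entries (Scylla-style 'chunks')."""
    chunks, current = [], []
    for value in iat:
        name = resolve(mod, value)
        if name is None:           # an unresolvable slot ends the current chunk
            if current:
                chunks.append(current)
            current = []
        else:
            current.append(name)
    if current:
        chunks.append(current)
    return chunks

SAMPLE_IAT = [0x78540120, 0x785C3F00, 0x78540880]  # constructed slots 150/154/158 from the report

if __name__ == "__main__":
    print(find_chunks(SAMPLE_IAT, MSVCR90, resolve_code_only))   # [['__CppXcptFilter'], ['_amsg_exit']]
    print(find_chunks(SAMPLE_IAT, MSVCR90, resolve_any_export))  # one chunk with all three names
```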

#81  04-13-2014, 17:38  Syoma (reverse engineer)
Bug report:
Consecutive chunks merged into a single branch (check attached image).

Feature request:
Often, especially in Delphi, you can see multiple kernel32.dll chunks with the same functions (which may be stolen). Could you please add an extra loop to check all entries with the same address and fix them at once?
For example: suppose GetProcAddress is stolen and we have 3 chunks where the function is redirected to stub 00112233. Select the 00112233 entry in Scylla, resolve the function manually, and get it resolved in all 3 chunks.

Initialize the function select dialog with a default module name value.
For example: we process a kernel32.dll chunk. The DLL module name would, with very high probability, be the same as for any chunk entry above the current one. For the first entry some heuristic is possible, by calculating module name frequency over all entries in the chunk.

Add an option 'Save tree on exit' or an exit confirmation dialog.
It is quite terrible to find the Scylla window closed by an extra ESC when over 50 entries have already been processed.
Attached Images
File Type: png ChunksBug.png (28.0 KB, 10 views)

#82  04-13-2014, 17:46  Syoma (reverse engineer)
Bug report:
---------------------------
Exception! Please report it!
---------------------------
ExceptionCode C0000005
ExceptionFlags 00000000
NumberParameters 00000002
ExceptionAddress VA 77437419
ExceptionAddress RVA 77037419

eax=0x0012EE14, ebx=0x00000000, edx=0x00670601, ecx=0x7E429340, esi=0x0012EE14, edi=0x001AF5A8, ebp=0x0012EDF0, esp=0x0012EDB0, eip=0x77437419
---------------------------
OK
---------------------------

Got it on the last chunk entry after a manual GetProcAddress fix and pressing OK. WinXP/x86 SP3, Scylla 0.9.6a.

#83  04-13-2014, 18:05  Syoma (reverse engineer)
Feature request:
Add a Re-scan names button. Check attached image.
Add Export Tree for ImpRec.
Attached Images
File Type: png NamesBug.png (17.9 KB, 28 views)

#84  05-08-2014, 03:15  Carbon (VIP)
Sorry for the late reply. I was busy with the ScyllaHide project.

How do you produce the view in NamesBug.png? Do you think these are valid API addresses?

Quote:
Add Export Tree for ImpRec.
I don't want to add this feature directly to Scylla, but I coded a small standalone tool for this purpose. I thought about using the ImpRec format, but it is really terrible, so I chose the "right way".

C#.NET, can convert Scylla XML to ImpRec (crap) txt.
https://bitbucket.org/NtQuery/scyllatoimprectree
https://bitbucket.org/NtQuery/scyllatoimprectree/downloads/ScyllaToImprecTree.rar

#85  05-08-2014, 05:15  Syoma (reverse engineer)
Hi, it was some time ago, so I forgot how I did that. But I think it was done in the usual way, using some protected application. Yes, those are valid API addresses. I think they are always the same for WinXP SP3/x86, so you can check by yourself.
Most probably in the next few days I will do a new version of that app and provide more details.
Do you have any information on other reports?

#86  10-01-2014, 19:21  Utshiha (Family)
Scylla Imports Reconstruction 0.9.7b

Quote:
great tool to rebuild an import table, same as ImpREC, CHimpREC, Imports Fixer

Scylla's key benefits are:

x64 and x86 support
full unicode support
written in C/C++
plugin support (ImpREC plugins are supported)
works great with Windows 7
Currently there are only 2 plugins (PECompact, PESpin x64) in this release, full sourcecode for both is included.

Attached Files
File Type: rar Scylla097.rar (189.9 KB, 67 views)

#87  12-21-2014, 15:22  DMichael (Family, Israel)
Fixed Scylla 0.9.7b

I have made a quick patch till Aguila itself fixes the issues I mentioned:
1. Freeze bug under exe32protector
2. Crash bug under PEP protector
(more details in PM, since I'm not sure I can post other forum links)
Attached Files
File Type: rar Scylla_x86.rar (183.5 KB, 54 views)

#88  12-28-2014, 14:12  xtiaoshi (bbs.pediy.com, China Mainland)
Scylla 0.9.7c
Attached Files
File Type: rar Scylla_v0.9.7c.rar (868.7 KB, 105 views)

#89  05-03-2015, 20:09  Carbon (VIP)
Version 0.9.8

- Bugfixes for x64, IAT Search
- diStorm3 update from Jan 3rd 2015
Attached Files
File Type: rar Scylla_v0.9.8.rar (985.9 KB, 157 views)