Exetools > General > Community Tools
#46
09-06-2013, 19:57
Av0id (VIP)
deepzero, you can get them in the t4u download area.
#47
09-07-2013, 00:36
Carbon (VIP)
Quote:
Originally Posted by ahmadmansoor
Just one thing: please upload the distorm 3.1 folder which you use.
I can't access it.
Is there a problem compiling it with v10 instead of v9.0 of VS 2010?
Thanks
Sorry, I don't want to include the distorm project. Just download the latest distorm from the official website and extract it in this folder.
I updated the project files: https://github.com/NtQuery/Scylla/commit/133a8fac409940012ee97d46d4955203bf4421bb

It should work with Visual Studio 2010. I compile it with platform toolset v90 to get Windows XP SP0/SP1 support. If you compile it with v100, you can execute it only on XP SP2+.

@Newbie_Cracker
OK thx, I added it. See attachment.

Last edited by Carbon; 03-20-2014 at 19:23.
#48
09-27-2013, 08:00
Carbon (VIP)
ahmadmansoor had a nice idea for a new IAT search algorithm. It seems that it is very accurate after some tweaks, but takes a little bit longer depending on your computer.

Use the option "advanced iat search" and test it.

If you would like to support this project, BTC address: 1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h

Code:
Version 0.9.2

- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project
Attached file: Scylla_v0.9.2.rar (738.1 KB)
#49
02-03-2014, 05:54
Carbon (VIP)
New options added.

Quote:
Version 0.9.4 beta

- direct import scan + fix: 5 byte CALL/JMP, junk byte must be after CALL/JMP
- create new iat in section
- fixed various bugs

Version 0.9.3
- new dll function: iat search
- new dll function: iat fix auto

Last edited by Carbon; 03-20-2014 at 19:23.
#50
02-05-2014, 07:08
Carbon (VIP)
Quote:
Version 0.9.4 Final

- direct import scanner (LEA, MOV, PUSH, CALL, JMP) + fixer with 2 fix methods
- create new iat in section
- fixed various bugs
I really recommend updating because of the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file

I also found a weird thing in Windows 7 x64. I don't know yet why this happens:
Quote:
### Windows 7 x64

Sometimes the API kernel32.dll GetProcAddress cannot be resolved, because the IAT has an entry from apphelp.dll
Solution? I don't know
Attached file: Scylla_v0.9.4_Final.rar (848.8 KB)
#51
02-05-2014, 14:46
giv (VIP)
The 0.9.4 beta behaved strangely in my latest attempts.
On simple unpackmes the resulting dump was invalid....
I hope that 0.9.4 final does not have that behaviour.
#52
02-06-2014, 09:05
ahmadmansoor (Exetools Team Manager)
Quote:
Originally Posted by Carbon
I really recommend updating because of the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file
I was watching your update, my friend. The universal import scanner fix is a good idea,
but it is limited with some protectors; with others it is difficult to handle.
Let's take Themida/WinLicense: during the unpacking routine, it passes through the IAT table rebuild, which writes the API to the file. Here it decides to write either
Quote:
NOP
Jmp xxxxx
or
Call xxxxx
Nop
So this nop is defined by this routine, and I think it is random.
Quote:
00412893 CC int3
00412894 > 90 nop
00412895 .- E9 96287477 jmp msvcr100.__set_app_type
0041289A > 90 nop
0041289B .- E9 60587477 jmp msvcr100._amsg_exit
004128A0 > 90 nop
004128A1 .- E9 3A647477 jmp msvcr100.__wgetmainargs
004128A6 CC int3
+++++++++++++++++++++++++++++++++++++
004129C7 CC int3
004129C8 > 90 nop
004129C9 .- E9 D2567477 jmp msvcr100._exit
004129CE > 90 nop
004129CF .- E9 BCA68177 jmp msvcr100._XcptFilter
004129D4 >- E9 E7567477 jmp msvcr100._cexit
004129D9 . 6F outs dx, dword ptr es:[edi]
004129DA >- E9 A1567477 jmp msvcr100.exit
004129DF 13 db 13
004129E0 > 90 nop
004129E1 .- E9 DA708177 jmp msvcr100._CrtSetCheckCount
004129E6 CC int3
So guessing which NOP is the right one to replace to fix this import will fail by 70%.

Please check this image:
http://postimg.org/image/6fzu4kr8v/
and you will see what I was talking about. I have written a lot of tutorials on rebuilding the IAT for Themida; I can send them to you, and through these tutorials you will see when and where the nop is written.
And so on for other protectors, each of which has its own particularities.

Quote:
I also found a weird thing in Windows 7 x64. I don't know yet why this happens
Can you give an example (code or file)?

Thanks for your great work, please keep it up.
#53
02-06-2014, 17:41
Carbon (VIP)
@giv
feel free to report bugs.

@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.

I don't think I can give an example. It is still weird. It probably has something to do with this: https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332
#54
02-06-2014, 17:49
ahmadmansoor (Exetools Team Manager)
Quote:
Originally Posted by Carbon
@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.
My friend, the example which I gave you in the picture was with universal enabled in options. I will upload the files when I am back home.

Quote:
I don't think I can give an example. It is still weird. It probably has something to do with this: https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332
I will check this.
#55
02-06-2014, 18:53
Carbon (VIP)
Quote:
Originally Posted by ahmadmansoor
My friend, the example which I gave you in the picture was with universal enabled in options. I will upload the files when I am back home.
Now I see there is a bug. You must disable the "normal" fixer, otherwise the "universal" one will not work. And it is fixed only in the dumped and fixed file, not in memory.
#56
02-06-2014, 19:05
ahmadmansoor (Exetools Team Manager)
Lol.... my friend, I have disabled the "normal" fixer too.
I used the default options when running Scylla for the first time.
Check the picture:
http://postimg.org/image/umncnodiv/
#57
02-06-2014, 19:22
Carbon (VIP)
Quote:
Originally Posted by ahmadmansoor
Lol.... my friend, I have disabled the "normal" fixer too.
I used the default options when running Scylla for the first time.
Check the picture:
http://postimg.org/image/umncnodiv/
Yes, those are the correct settings. Now dump and fix, and the direct imports will be resolved.
#58
02-06-2014, 19:42
ahmadmansoor (Exetools Team Manager)
I think I missed something, so you keep the same size of (jmp or call) and do not make any changes:
Quote:
E9 xxxxxx >>>> E9 API
not fixing it to
E9 xxxxxx >>>> FF25 xxxxxx
OK, let me do more checks.
#59
02-06-2014, 20:08
Carbon (VIP)
I change the jmp destination to a jmp table.
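The exchange in #52, #58 and #59 comes down to instruction sizes: a direct-import stub is a 5-byte "E9 rel32" jmp, while "FF 25 disp32" (jmp through an IAT slot) is 6 bytes, so rewriting in place needs one spare filler byte next to the stub, and the listing shows that the nop next to one stub is itself a jump target for other code. The following Python is an added example for analysing a dumped image; it is not Scylla's code and does not reproduce Scylla's algorithm. The stub bytes are copied from the listing in #52; the module range, the IAT slot addresses, the jump-table address and the set of referenced addresses (taken from the ">" markers) are constructed assumptions.

```python
"""Decode 'jmp rel32' direct-import stubs and compare two fix strategies:
an in-place FF 25 rewrite versus a jump table that keeps every stub at 5 bytes."""
import struct

# Bytes of the first block in the listing, starting at 0x00412893 (copied from the post).
SAMPLE_BASE = 0x00412893
SAMPLE_BYTES = bytes.fromhex(
    "CC"              # 00412893  int3
    "90E996287477"    # 00412894  nop ; 00412895 jmp rel32 -> msvcr100.__set_app_type
    "90E960587477"    # 0041289A  nop ; 0041289B jmp rel32 -> msvcr100._amsg_exit
    "90E93A647477"    # 004128A0  nop ; 004128A1 jmp rel32 -> msvcr100.__wgetmainargs
    "CC"              # 004128A6  int3
)
# Addresses marked '>' in the listing, i.e. referenced by other code (assumption taken
# from the markers): a fix must never overwrite one of these bytes.
REFERENCED_VAS = {0x00412894, 0x0041289A, 0x004128A0}
# Constructed: where msvcr100.dll is assumed to be mapped, so a stray E9 byte whose
# "target" lands nowhere is ignored by the scanner.
MODULES = {"msvcr100.dll": (0x77B40000, 0x77C00000)}

FILLER = {0x90, 0xCC}              # nop / int3 padding seen around the stubs
REL32_OPS = {0xE9: "jmp", 0xE8: "call"}


def scan_direct_imports(base, data, modules=MODULES):
    """Linear scan for E8/E9 rel32 whose target lands inside a known module.
    target = address of the next instruction (va + 5) + signed rel32."""
    found, i = [], 0
    while i + 5 <= len(data):
        op = data[i]
        if op in REL32_OPS:
            va = base + i
            rel = struct.unpack_from("<i", data, i + 1)[0]
            target = (va + 5 + rel) & 0xFFFFFFFF
            mod = next((m for m, (lo, hi) in modules.items() if lo <= target < hi), None)
            if mod is not None:
                found.append({"va": va, "op": REL32_OPS[op], "target": target, "module": mod})
                i += 5
                continue
        i += 1
    return found


def fix_in_place(base, data, stub_va, iat_slot_va, referenced=REFERENCED_VAS):
    """Rewrite one stub as 'jmp [iat_slot]' (FF 25 disp32, 6 bytes). That needs one
    spare byte after the 5-byte E9, and it must be filler nobody jumps to; otherwise
    the rewrite corrupts a neighbouring entry. Returns None when it does not fit."""
    off = stub_va - base
    spare = off + 5
    if spare >= len(data) or data[spare] not in FILLER or base + spare in referenced:
        return None
    out = bytearray(data)
    out[off:off + 6] = b"\xFF\x25" + struct.pack("<I", iat_slot_va)
    return bytes(out)


def fix_via_jump_table(base, data, stubs, table_va, iat_slots):
    """Keep every stub at its 5-byte size and only retarget it to a fresh table entry
    'jmp [iat_slot]' placed in a new section at table_va. A 'call' stub also works,
    because the table entry jumps on to the API and the API returns to the caller.
    Returns (patched code, table bytes)."""
    out, table = bytearray(data), bytearray()
    for s in stubs:
        entry_va = table_va + len(table)
        table += b"\xFF\x25" + struct.pack("<I", iat_slots[s["target"]])
        off = s["va"] - base
        struct.pack_into("<i", out, off + 1, entry_va - (s["va"] + 5))  # opcode untouched
    return bytes(out), bytes(table)


def jump_table_relocations(table_va, table):
    """VAs of the absolute disp32 inside each FF 25 entry: if the dumped image may be
    rebased, each of these needs a base relocation (the 'relocation information' note)."""
    return [table_va + i + 2 for i in range(0, len(table), 6)]


if __name__ == "__main__":
    stubs = scan_direct_imports(SAMPLE_BASE, SAMPLE_BYTES)
    for s in stubs:
        print(f"{s['va']:08X} {s['op']} -> {s['target']:08X} ({s['module']})")
    slots = {s["target"]: 0x00420000 + 4 * n for n, s in enumerate(stubs)}  # constructed IAT
    for s in stubs:
        fits = fix_in_place(SAMPLE_BASE, SAMPLE_BYTES, s["va"], slots[s["target"]])
        print(f"in-place fix at {s['va']:08X}:", "ok" if fits else "does not fit")
    code, table = fix_via_jump_table(SAMPLE_BASE, SAMPLE_BYTES, stubs, 0x00430000, slots)
    print("jump table:", table.hex())
    print("relocations:", [hex(r) for r in jump_table_relocations(0x00430000, table)])
```

Running it shows the point of the thread: the first two stubs cannot be rewritten in place because the only spare byte next to them is a nop that other code jumps to, while the jump-table variant leaves all three stubs at 5 bytes and moves the absolute address into the new table, at the cost of relocation entries for those table slots.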
#60
02-10-2014, 21:51
Computer_Angel
1. Scylla should have an option to use the PE header of the module on disk, just like ImpREC.
Right now, Scylla reads the PE header from memory, and in some cases the export directory is destroyed, which makes Scylla crash.
You could try some target using the CryEngine SDK, such as Warface, to get this case.

2. About apphelp.dll, we could resolve it using a plugin to handle it.
All times are GMT +8.