Exetools  

#61 | 02-10-2014, 22:51 | deepzero (VIP)
I think Scylla is always interested in crash reports, no matter why they happened.
#62 | 02-11-2014, 05:02 | Syoma (reverse engineer)
Some feedback
1. It does not remember the last folder used to store the dump/fix, but always starts from the module's home folder.
2. It keeps adjacent chunks of functions related to the same module separate.
3. For dump naming, it would be better to follow ImpRec's behaviour: the default dump name is the module name + a suffix.

Feature request
+ Add imports manually. It can currently be done by editing the XML, but offsets, ordinals, etc. need to be recalculated.
+ A single -Dump & Fix- button
#63 | 02-11-2014, 17:14 | Computer_Angel (Lo*eXeTools*rd)
Quote (originally posted by Carbon):
I also found something weird in Windows 7 x64. I don't know yet why this happens:
We could use a plugin for apphelp.dll to resolve the API. This is my small plugin for ImpRec & Scylla.

About the Scylla crash, I found that the function ApiReader::parseExportTable parses exports incorrectly in some cases: the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of the names is in different memory than the export buffer covers.
Attached Files: Imprec_Apphelper.rar (62.2 KB, 35 views)
Welcome to my place http://www.reaonline.net
#64 | 02-11-2014, 19:24 | Carbon (VIP)
Quote (originally posted by Computer_Angel):
1. Scylla should have an option to use the PE header of the module on disk, just like ImpRec.
Right now Scylla reads the PE header from memory, and in some cases the export directory is destroyed, making Scylla crash.
You could try some target using the CryEngine SDK, such as Warface, to get this case.
In the options you can choose between reading the PE header from disk or from memory. It should work.
Quote (originally posted by Computer_Angel):
the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of the names is in different memory than the export buffer covers.
Thanks, I will fix that.

Quote (originally posted by Computer_Angel):
We could use a plugin for apphelp.dll to resolve the API. This is my small plugin for ImpRec & Scylla.
I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function RVA FFF6 in apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.

@Syoma
Thanks for the suggestions, I will fix that.
#65 | 02-12-2014, 11:37 | Computer_Angel (Lo*eXeTools*rd)
Quote (originally posted by Carbon):
I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function RVA FFF6 in apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.
There are many ways.
1. Trace into the apphelp.dll function code; then you'll get the correct API function by watching for some special call/jmp instructions such as call eax, call [eax+const], call [ecx+const], jmp eax.

2. Using the debugging symbols of apphelp, we'll get the similar correct name of the API.

I got the same problem with aclayers.dll, but it seems hard to make a tracer for that. It seems the best way is to hard-code the address values for these DLLs.
#66 | 02-12-2014, 19:27 | ahmadmansoor (Exetools Team Manager)
I know this is not a good idea, or even a stupid idea, but for an unpacker, when he works on unpacking, he can do this:
Quote:
when load apphelp.dll
search for
8B 4D 10 89 08 C7 45 E4 01 00 00 00 C7 45 FC FE FF FF FF 8B 45 E4
search for
75C63011 . 8B4D 10 mov ecx, dword ptr [ebp+0x10]
75C63014 8908 mov dword ptr [eax], ecx >>>> nop this
75C63016 . C745 E4 01000000 mov dword ptr [ebp-0x1C], 0x1
75C6301D > C745 FC FEFFFFFF mov dword ptr [ebp-0x4], -0x2
75C63024 . 8B45 E4 mov eax, dword ptr [ebp-0x1C]
and done. So no need to fix this.
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#67 | 03-17-2014, 19:43 | Carbon (VIP)
New version
Quote:
Version 0.9.5

- improved process lister
- improved module lister
- improved dump name
- improved IAT parser
@Computer_Angel
I cannot reproduce the crash; tested with Crysis and Far Cry.

Last edited by Carbon; 03-20-2014 at 19:23.
#68 | 03-19-2014, 22:03 | Computer_Angel (Lo*eXeTools*rd)
Quote (originally posted by Carbon):
New version

@Computer_Angel
I cannot reproduce the crash; tested with Crysis and Far Cry.
1. Just tested the new version; it seems the module lister does not list all the modules in the process. I'll check it more in the next days.
2. I'll try to give you the examples about the crash.
#69 | 03-19-2014, 22:53 | Carbon (VIP)
There was a bug with virtual devices...

Last edited by Carbon; 03-20-2014 at 19:23.
#70 | 03-20-2014, 12:12 | Computer_Angel (Lo*eXeTools*rd)
Quote (originally posted by Carbon):
There was a bug with virtual devices...
More buggy with the latest release. My binary is on a virtual device and Scylla could not determine a correct pathname for it (it shows unknown for the path). When I try to select the process with the unknown path ---> the crash happens.
#71 | 03-20-2014, 19:22 | Carbon (VIP)
Windows doesn't handle virtual devices like it should.

This should work now, but the solution is bad...
Attached Files: Scylla_v0.9.5b.rar (850.8 KB, 80 views)
#72 | 03-22-2014, 16:11 | Computer_Angel (Lo*eXeTools*rd)
Here's the sample for the Scylla crash bug. Use OllyDbg2 to load scylla_.exe, then you'll stop at the EP. Now use Scylla to process the scylla_.exe module and Scylla will crash. Hope this will help you.
Attached Files: scyllacrash.zip (74.5 KB, 21 views)
#73 | 03-23-2014, 03:01 | ahmadmansoor (Exetools Team Manager)
Hi Carbon:
About Computer_Angel's target, don't care about it; Scylla is the best and does not need any fix to handle virtual devices.
This sample is a tricky target: it writes a false size for IMAGE_EXPORT_DIRECTORY which makes it very, very big, so it can't be handled with
bufferExportTable = new BYTE[readSize];
so, Computer_Angel, it is an anti-Scylla (or other IAT rebuilder) technique.
Quote:
10001036 |. 50 push eax ; /pOldProtect
10001037 |. 6A 40 push 0x40 ; |NewProtect = PAGE_EXECUTE_READWRITE
10001039 |. 8B3E mov edi, dword ptr [esi] ; |
1000103B |. 6A 04 push 0x4 ; |Size = 0x4
1000103D |. 56 push esi ; |Address
1000103E |. FF15 0>call near dword ptr [<&KERNEL32.VirtualP>; \VirtualProtect
10001044 |. E8 AE0>call scyllacr.100010F7
10001049 |. 0FB6C0 movzx eax, al
1000104C |. 69C0 0>imul eax, eax, 0x1010101
10001052 |. 8906 mov dword ptr [esi], eax
10001054 |. 8946 0>mov dword ptr [esi+0x4], eax <<<<<< very bad
Computer_Angel, just one thing: please, where do you get targets like this? Every time you surprise us with this kind of target. I work with a lot of targets and never get my hands on targets like the ones you bring us.....
Computer_Angel
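As an added illustration of the two export-table parsing problems raised in this thread (the unchecked name-RVA arithmetic in #63 and the oversized IMAGE_EXPORT_DIRECTORY size in #73), here is example C that is not Scylla's own code: the struct names, the allocation cap and the sample bytes are constructed for this example, and the sample assumes a little-endian host.

```c
#include <stdint.h>
#include <string.h>
/* Constructed mirrors of the PE fields the checks need; not Scylla's own types. */
typedef struct { uint32_t NumberOfNames; uint32_t AddressOfNames; } ExportDir;
/* Export block copied from the target process; covers RVAs [rva, rva + size). */
typedef struct { const uint8_t *data; uint32_t rva; uint32_t size; } ExportBuffer;
#define MAX_EXPORT_DIR_SIZE (16u * 1024u * 1024u)   /* hypothetical allocation cap */

/* Reject an export directory size that cannot fit in the image or exceeds the cap
 * before doing new BYTE[readSize] with a value the target chose. */
int export_size_ok(uint32_t export_rva, uint32_t export_size, uint32_t size_of_image) {
    if (export_size == 0 || export_size > MAX_EXPORT_DIR_SIZE) return 0;
    return export_rva < size_of_image && export_size <= size_of_image - export_rva;
}

/* True if [rva, rva + len) lies fully inside the buffer; 64-bit math avoids wraparound. */
static int rva_in_buffer(const ExportBuffer *b, uint64_t rva, uint64_t len) {
    return rva >= b->rva && rva + len <= (uint64_t)b->rva + b->size;
}

/* Copy export name i into out. Returns 0 when the name array slot or the name RVA
 * lies outside the copied block, the case in which the unchecked
 * (char*)(addressOfNamesArray[i] + deltaAddress) would read foreign memory. */
int export_name(const ExportBuffer *b, const ExportDir *dir, uint32_t i, char *out, size_t out_len) {
    if (i >= dir->NumberOfNames || out_len == 0) return 0;
    uint64_t slot = (uint64_t)dir->AddressOfNames + (uint64_t)i * 4;
    if (!rva_in_buffer(b, slot, 4)) return 0;
    uint32_t name_rva;
    memcpy(&name_rva, b->data + (slot - b->rva), 4);   /* little-endian host assumed */
    if (!rva_in_buffer(b, name_rva, 1)) return 0;
    uint64_t off = name_rva - b->rva, max = b->size - off, n = 0;
    while (n < max && n + 1 < out_len && b->data[off + n] != '\0') { out[n] = b->data[off + n]; n++; }
    if (n == max || b->data[off + n] != '\0') return 0;  /* no terminator in range, or truncated */
    out[n] = '\0';
    return 1;
}

/* Constructed sample block at RVA 0x1000: two name slots, the first pointing to
 * "GetProcAddress" inside the block, the second to RVA 0x5000 outside it. */
static const uint8_t SAMPLE[48] = { 0x10, 0x10, 0, 0, 0, 0x50, 0, 0,
    [16] = 'G','e','t','P','r','o','c','A','d','d','r','e','s','s', 0 };

/* Returns 1 when the in-range name resolves and the out-of-range one is refused. */
int sample_check(void) {
    ExportBuffer b = { SAMPLE, 0x1000, sizeof SAMPLE };
    ExportDir dir = { 2, 0x1000 };
    char name[32];
    int good = export_name(&b, &dir, 0, name, sizeof name) && strcmp(name, "GetProcAddress") == 0;
    return good && !export_name(&b, &dir, 1, name, sizeof name);
}
```

When a name falls outside the copied block, a parser can fall back to reading that range separately (or from the file on disk, as the later "parse APIs always from disk" option does) instead of dereferencing a pointer it never validated.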
#74 | 03-23-2014, 08:55 | Computer_Angel (Lo*eXeTools*rd)
Ahmadmansoor, I got this problem when unpacking the Warface game.
#75 | 03-24-2014, 05:38 | Carbon (VIP)
Thanks for the file, Computer_Angel, and thanks for the help, ahmadmansoor.

I added an option to read the export table always from disk. This is slower than reading it from the target process. I guess this is a rare case, so people should only enable it if needed.

Quote:
Version 0.9.6

- improved IAT search
- fixed bug in API resolve engine
- new option: parse APIs always from disk -> slower, useful against PE header modifications
Attached Files: Scylla_v0.9.6.rar (852.0 KB, 68 views)
All times are GMT +8. The time now is 16:22.

