Exetools  

#76 | 08-30-2016, 23:33 | Storm Shadow
Quote: Originally Posted by sendersu
The error comes from idaserver.cpp:
Code:
int main(int argc, char *argv[])
{
	LogWrap = LogWrapper;
	LogErrorWrap = LogWrapper;

	if (sizeof(IDA_SERVER_EXCHANGE) != IDA_SERVER_EXCHANGE_STRUCT_SIZE)
	{
		/* sizeof() yields a size_t, so it must be printed with %zu rather than %d */
		printf("WRONG!!! Size of IDA_SERVER_EXCHANGE %zu == %d?\n\n", sizeof(IDA_SERVER_EXCHANGE), (int)IDA_SERVER_EXCHANGE_STRUCT_SIZE);
		getchar();
		return 0;
	}
Changing https://github.com/x64dbg/ScyllaHide/blob/b76835ab75ac384bedccb59119d972997c6d61aa/ScyllaHideIDAServer/IdaServerExchange.h#L89 to 648 will fix this error.
However, it will break it for those who don't use the same IDA version as you.
So one would need to do a pull request with a loop to make it work with each new version.


Quote:
Please fix bug on update Windows 10 in ollydbg1 and ollydbg2
thank you in advance

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
The last anniversary update made a lot of changes to Win 10. So it won't work on Win 10.
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."
#77 | 08-31-2016, 01:51 | Storm Shadow
Little update

After a crash with IDA, and after debugging it:
it seems to make an x64 hook first in an x86 app and IDAServerx86,
and there are some more problems.

1 bug)
It crashes because it attempts to make an x64 connection in an x86 app.

Fails on
Code:
IDAServerx86.exe!DetourCreateRemoteNativeSysWow64(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize)  Line 356 + 0x5 bytes
but not on

Code:
IDAServerx86.exe!DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize)  Line 532 + 0x1a bytes  C++
I forwarded lines 350-354 for spaces:
https://github.com/x64dbg/ScyllaHide...k.cpp#L350-354
Not sure why, but I am a Python guy.
It seems to jump to the x86 hook instead of the x64 one, but a smart person told me that it should not matter in C++.

Suggestions:
Maybe the dev should use

Code:
#ifdef __EA64__
    /* 64-bit IDA: take the x64 hook/connection path */
    call x64
#else
    /* 32-bit IDA: take the x86 path */
    call x86
#endif

2 bug)
I also saw a port access violation.

In Win 10, even if you have a firewall you bought, you have to open the ports in the internal Win 10 one, even if it is disabled.
In the Start menu type WF.msc and open UDP/TCP port 1337.

3 bug)
And for fixing the structure error for now:
untick NtQueryInformationProcess in the ScyllaHide settings.

result
Code:
Listening on port 1337...
Accepted Client 1
[ScyllaHide] Hook Injection successful, Imagebase 001D0000

Last edited by Storm Shadow; 08-31-2016 at 02:24.
#78 | 09-20-2016, 22:45 | nocturo
I thought I was doing something wrong, then I found this thread! Win10 (anniversary update) + x64dbg doesn't crash, but gives:
NT APIs missing section
060200000109_x86_0000A830
file NtApiCollection.ini.

I used ScyllaHide from the link on the x64dbg page (Bitbucket link). Hopefully someone can make Win10 a platform for RE. Thanks!
#79 | 10-05-2016, 13:05 | mudlord
I did some testing.

https://github.com/x64dbg/ScyllaHide/issues/2

Seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call, as well as a different signature. The code leading to the gateway is a JMP to the jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.

Quote: Originally Posted by Kla$
Please fix bug on update Windows 10 in ollydbg1 and ollydbg2
thank you in advance

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
OK
---------------------------

---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
OK
---------------------------
That bug I managed to fix, but I haven't checked the remaining ones. There were also changes to 3 APIs that are enough for Obsidium and Themida targets to be detected. So far, for me, I managed to get VMP debugged.

Last edited by mudlord; 10-06-2016 at 05:58.
#80 | 10-20-2016, 00:01 | SKiLLa
It seems last month's Windows Updates for 8.1 (x64) also broke the NtApiCollection.ini PDB resolvers. It was working fine until I ran the updates, rebooted and started x64dbg. When it complained about missing "NTUser* API addresses, Section: 060300000109_x86_000158A0" I ran both PDB resolvers (as admin) and copied over the fresh .ini file, but not all API addresses were resolved properly. Just to be sure I also updated x64dbg to the latest commit, but without success ...
#81 | 10-20-2016, 18:57 | mr.exodia
There have been massive issues with the Microsoft symbol servers recently... This was collected (took about 10 minutes) on the latest Windows 8.1 x64 https://gist.github.com/mrexodia/8aea202c1177892b4577a32927cef3bf
#82 | 10-24-2016, 18:26 | SKiLLa

Thanks mr. Exodia. I did notice some symbol-server issues, but after a few retries it 'completed'. As it turns out, I got an incorrect version tag returned when running PDBReader, and the network issues weren't messing things up after all (except making me retry it a couple of times):

[060200000109_x86_000158A0]

instead of:

[060300000109_x86_000158A0]

whilst I do have Windows 8.1 x64 (= v6.3). I changed this manually in the .ini file, after which ScyllaHide seems to work perfectly. Not sure if this is an issue with PDBReader or not, but if I should provide more info, please let me know ...

PS: Kinda silly I didn't notice before ... where's the shame-on-me smiley when you need it?
#83 | 10-29-2016, 10:46 | TheEnd
NT APIs missing
section
060200000109_x64_0000BAB0
file
X:\x64dbg\plugins\NtApiCollection.ini
#84 | 10-30-2016, 03:50 | mr.exodia
Everything appears to work fine here. If Microsoft doesn't provide symbols there is not much you can do. What SKiLLa did is not a real solution, for me the problem was solved by running NtApiTool.exe again.
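Added example (Python, written for this page; it is not ScyllaHide's code and not from any poster): a small diagnostic that loads an NtApiCollection.ini and explains a "NT APIs missing section" report in the terms SKiLLa (#82) and mr.exodia (#84) discuss above. If the requested section is absent but an entry for the same architecture and ntdll build exists under a different OS-version prefix, the file was generated with the wrong version tag (SKiLLa's 0602 vs 0603 case); if nothing comparable exists, the symbols were never resolved. Either way the report points at regenerating the file with NtApiTool rather than hand-editing it. Assumptions, not confirmed by the thread or by ScyllaHide: the section name is split as `VVVVVVVVVVVV_<arch>_TTTTTTTT` where only the first two hex bytes of V are decoded as OS major.minor (0603 = Windows 8.1, as SKiLLa's remark implies), and the remaining digits plus the tail are treated as an opaque ntdll build identifier; the sample INI contents and key names are constructed for the demo.

```python
"""Diagnose a "NT APIs missing section" report against an NtApiCollection.ini.

Example for the thread above, not ScyllaHide's own code. The meaning of the
section-name fields beyond the OS major/minor bytes is an assumption.
"""
import configparser
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample INI. Section names mirror the ones quoted in the thread;
# the key names and addresses are made up for the demo.
SAMPLE_INI = """\
[060200000109_x86_000158A0]
NtUserBuildHwndList=0x00012345
NtUserQueryWindow=0x00012389

[060300000109_x64_0000BAB0]
NtUserBuildHwndList=0x0001A2B0
NtUserQueryWindow=0x0001A2F0
"""


@dataclass(frozen=True)
class SectionName:
    version: str  # 12 hex digits; the first two bytes are OS major, minor (assumed)
    arch: str     # "x86" or "x64"
    tail: str     # 8 hex digits identifying the ntdll build (treated as opaque)

    @classmethod
    def parse(cls, name: str) -> "SectionName":
        parts = name.split("_")
        if len(parts) != 3 or len(parts[0]) != 12 or len(parts[2]) != 8:
            raise ValueError(f"unexpected section name: {name!r}")
        version, arch, tail = parts
        if arch not in ("x86", "x64"):
            raise ValueError(f"unexpected architecture in {name!r}")
        int(version, 16)  # raises ValueError if the field is not hex
        int(tail, 16)
        return cls(version, arch, tail)

    def os_version(self) -> Tuple[int, int]:
        return int(self.version[0:2], 16), int(self.version[2:4], 16)

    def same_build(self, other: "SectionName") -> bool:
        """Same architecture and ntdll identifier, regardless of the OS version bytes."""
        return self.arch == other.arch and self.tail == other.tail


def load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep API names case-sensitive
    cp.read_string(text)
    return cp


def diagnose(ini_text: str, wanted: str) -> Tuple[str, Optional[str]]:
    """Return (status, detail) for the section ScyllaHide asked for.

    ("ok", n)                 section present; n is the entry count as a string
    ("version_mismatch", s)   s covers the same arch/ntdll build but carries a
                              different OS version prefix (wrongly tagged .ini)
    ("missing", None)         nothing comparable; symbols were never resolved
    """
    cp = load_ini(ini_text)
    want = SectionName.parse(wanted)
    if cp.has_section(wanted):
        return "ok", str(len(cp.options(wanted)))
    for name in cp.sections():
        try:
            have = SectionName.parse(name)
        except ValueError:
            continue  # ignore sections that do not follow the naming scheme
        if have.same_build(want) and have.version != want.version:
            return "version_mismatch", name
    return "missing", None


def report(ini_text: str, wanted: str) -> str:
    """Human-readable version of diagnose(), with the remedy from the thread."""
    status, detail = diagnose(ini_text, wanted)
    want = SectionName.parse(wanted)
    major, minor = want.os_version()
    head = f"{wanted}: requested for Windows {major}.{minor} {want.arch}"
    if status == "ok":
        return f"{head}: present with {detail} entries"
    if status == "version_mismatch":
        hmaj, hmin = SectionName.parse(detail).os_version()
        return (f"{head}: not found, but {detail} (tagged Windows {hmaj}.{hmin}) "
                f"describes the same ntdll build; the .ini carries the wrong OS "
                f"version tag, regenerate it with NtApiTool")
    return f"{head}: no entry for this ntdll build; regenerate with NtApiTool"


if __name__ == "__main__":
    for section in ("060300000109_x86_000158A0",   # SKiLLa's report (#82)
                    "060300000109_x64_0000BAB0",   # present in the sample
                    "060200000109_x86_0000A830"):  # nocturo's report (#78)
        print(report(SAMPLE_INI, section))
```

Run it as a script to see the three cases; `diagnose()` is the piece to reuse if you want to check a real NtApiCollection.ini before assuming the symbol server failed.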
#85 | 11-15-2016, 07:46 | mudlord
Seems the Anniversary update problems I documented and reversed are now fixed by another person, and it is now in the latest Git.

Which is super cool.
#86 | 11-15-2016, 09:54 | kienmanowar
Quote: Originally Posted by mudlord
Seems the Anniversary update problems I documented and reversed are now fixed by another person, and it is now in the latest Git.

Which is super cool.
ScyllaHideIDA.p64 is missing?
#87 | 11-15-2016, 22:06 | Storm Shadow
Quote: Originally Posted by kienmanowar
ScyllaHideIDA.p64 is missing?
Here:

plugins.7z
Also a reminder that the x64 version is a Win32 build, but with a different extension name.
#88 | 11-16-2016, 17:44 | kienmanowar
Quote: Originally Posted by Storm Shadow
Here:

Attachment 9084
Also a reminder that the x64 version is a Win32 build, but with a different extension name.
Can you mirror it? I don't have permission to download the attachment.

Regards,
#89 | 11-16-2016, 18:20 | Storm Shadow
Quote: Originally Posted by kienmanowar
Can you mirror it? I don't have permission to download the attachment.

Regards,
https://mega.nz/#!rxsjmBhb!OaRLJnutaPGqf9jQUntJKs6ficb9U7m2XZ57JEWrtd0
#90 | 11-27-2016, 21:23 | Mendax47
Quote: Originally Posted by Storm Shadow
Here:

Attachment 9084
Also a reminder that the x64 version is a Win32 build, but with a different extension name.
Hey bro, can you upload the latest one (.p64)...? I don't have VS to compile it....
All times are GMT +8.