#61
I think Scylla is always interested in crash reports, no matter why they happened.
#62
Some feedback
1. It does not remember the last folder used to store dump/fix, but always starts from the module home folder.
2. It keeps separate adjacent chunks of functions related to the same module.
3. For dump naming, it would be better to follow ImpRec behavior: default dump name is module name + suffix.

Feature request
+ Add import manually. Now it can be done using XML editing, but need to recalc offsets, ordinals, etc.
+ Single -Dump & Fix- button
#63
Quote:
About the Scylla crash, I found that the function ApiReader::parseExportTable does not parse the export table correctly in some cases: the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of names is in different memory than the exportbuffer covers.
__________________
Welcome to my place http://www.reaonline.net
#64
Quote:
Quote:
Quote:
GetProcAddress points to function rva FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.

@Syoma Thanks for the suggestions, I will fix that.
#65
Quote:
1. Trace into the apphelp.dll function code, then you'll get the correct API function by watching some special call/jmp such as call eax, call [eax+const], call [ecx+const], jmp eax.
2. Using the debugging symbols of apphelp, we'll get the similar correct name of the API.

I got the same problem with aclayers.dll, but it seems hard to make a tracer for that. It seems the best way is to hard-code the address value for these DLLs.
__________________
Welcome to my place http://www.reaonline.net
#66
I know this is not a good idea, or a stupid idea, but for an unpacker, when he works on unpacking he can do this:
Quote:
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#67
New version
Quote:
I cannot reproduce the crash, tested with Crysis and Far Cry.
Last edited by Carbon; 03-20-2014 at 19:23.
The Following 7 Users Gave Reputation+1 to Carbon For This Useful Post:
ahmadmansoor (03-18-2014), Dreamer (03-19-2014), giv (03-17-2014), Kla$ (03-17-2014), MarcElBichon (03-18-2014), niculaita (03-19-2014), nikkapedd (03-18-2014)
#68
Quote:
2. I'll try to give you the examples about the crash.
__________________
Welcome to my place http://www.reaonline.net
#69
There was a bug with virtual devices...
Last edited by Carbon; 03-20-2014 at 19:23.
The Following User Gave Reputation+1 to Carbon For This Useful Post:
uranus64 (03-19-2014)
#70
More buggy with the latest release. My binary is on virtual devices and Scylla could not define a correct pathname for it (it shows unknown for the path). When trying to select the process with the unknown path ---> crash happens.
__________________
Welcome to my place http://www.reaonline.net
#71
Windows doesn't handle virtual devices like it should
This should work now, but the solution is bad...
The Following User Gave Reputation+1 to Carbon For This Useful Post:
Kla$ (03-21-2014)
#72
Here are the samples for the Scylla crash bug. Use OllyDbg2 to load scylla_.exe, then you'll stop at EP. Now use Scylla to process the scylla_.exe module and Scylla will crash. Hope this will help you.
__________________
Welcome to my place http://www.reaonline.net
#73
Hi Carbon:
About Computer_Angel's target: don't care about it. Scylla is the best and it does not need any fix to handle virtual devices. This sample is a tricky target: it writes a false size for IMAGE_EXPORT_DIRECTORY, which makes it very, very big, so it can't be handled with bufferExportTable = new BYTE[readSize];. So, Computer_Angel, it is an anti-Scylla (or other IAT rebuilder) technique.
Quote:
Computer_Angel
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
The Following User Gave Reputation+1 to ahmadmansoor For This Useful Post:
niculaita (03-23-2014)
#74
Ahmadmansoor, I get this problem when unpacking the Warface game.
__________________
Welcome to my place http://www.reaonline.net
#75
Thanks for the file Computer_Angel and thanks for the help ahmadmansoor.
I added an option to read the export table always from disk. This is slower than reading it from the target process. I guess this is a rare case, so people should only enable it if needed.
Quote:
The Following 5 Users Gave Reputation+1 to Carbon For This Useful Post:
ahmadmansoor (03-24-2014), besoeso (03-24-2014), quygia128 (03-24-2014), Syoma (03-24-2014), wilson bibe (03-24-2014)
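
Added example, not part of the thread and not Scylla's own code: a bounds-checked export-name walk covering the two failure modes reported in posts #63 and #73 (name RVAs that fall outside the copied export buffer, and a false export directory size). ExportView, plausibleDirSize, readExportNames and makeSample are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Bytes copied from the target that cover RVAs [rva, rva + size).
struct ExportView { const uint8_t* buf; uint32_t rva; uint32_t size; };
// Reject a size that cannot fit in the image before allocating; 40 == sizeof(IMAGE_EXPORT_DIRECTORY).
bool plausibleDirSize(uint32_t dirRva, uint32_t dirSize, uint32_t sizeOfImage) {
    return dirSize >= 40 && dirRva < sizeOfImage && dirSize <= sizeOfImage - dirRva;
}
// Translate an RVA to a buffer pointer only if [rva, rva + len) is inside the view.
static const uint8_t* at(const ExportView& v, uint32_t rva, uint64_t len) {
    if (rva < v.rva) return nullptr;
    uint64_t off = uint64_t(rva) - v.rva;
    return (off + len <= v.size) ? v.buf + off : nullptr;
}
static uint32_t rd32(const uint8_t* p) { uint32_t x; std::memcpy(&x, p, 4); return x; } // little-endian host assumed

// Collect export names; a name RVA outside the buffer is counted in `skipped`
// instead of being dereferenced. Returns false if the directory itself is unusable.
bool readExportNames(const ExportView& v, std::vector<std::string>& names, size_t& skipped) {
    const uint8_t* dir = at(v, v.rva, 40);
    if (!dir) return false;
    uint32_t count = rd32(dir + 24);                                  // NumberOfNames
    const uint8_t* arr = at(v, rd32(dir + 32), uint64_t(count) * 4);  // AddressOfNames
    if (!arr) return false;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t nameRva = rd32(arr + 4 * i);
        const uint8_t* s = at(v, nameRva, 1);
        // The string must also be NUL-terminated inside the buffer.
        if (!s || !std::memchr(s, 0, v.size - (nameRva - v.rva))) { skipped++; continue; }
        names.emplace_back(reinterpret_cast<const char*>(s));
    }
    return true;
}
// Constructed sample: directory at RVA 0x1000, two names, the second one outside the buffer.
std::vector<uint8_t> makeSample() {
    std::vector<uint8_t> b(0x40, 0);
    uint32_t count = 2, namesRva = 0x1028, n0 = 0x1030, n1 = 0x9000;
    std::memcpy(&b[24], &count, 4);  std::memcpy(&b[32], &namesRva, 4);
    std::memcpy(&b[0x28], &n0, 4);   std::memcpy(&b[0x2C], &n1, 4);
    std::memcpy(&b[0x30], "Foo", 4);
    return b;
}
int main() {
    std::vector<uint8_t> b = makeSample(); std::vector<std::string> names; size_t skipped = 0;
    bool ok = readExportNames({b.data(), 0x1000, uint32_t(b.size())}, names, skipped);
    return (ok && names.size() == 1 && skipped == 1) ? 0 : 1;
}
```

Names counted in `skipped` are the ones that would need a second read from the target process or from the file on disk.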