#46
deepzero, you can get them in t4u download area
#47
Quote:
I updated the project files: https://github.com/NtQuery/Scylla/commit/133a8fac409940012ee97d46d4955203bf4421bb
It should work with Visual Studio 2010. I compile it with platform toolset v90 to get WIN XP SP0/1 support. If you compile it with v10, you can execute it only on XP SP2+
@Newbie_Cracker
OK thx, I added it. See attachment.
Last edited by Carbon; 03-20-2014 at 19:23.
#48
ahmadmansoor had a nice idea for a new IAT search algorithm. It seems that it is very accurate after some tweaks, but takes a little bit longer depending on your computer.
Use the option "advanced iat search" and test it.
If you like to support this project, BTC Address: 1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h
Code:
Version 0.9.2
- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project
#49
new options added
Quote:
Last edited by Carbon; 03-20-2014 at 19:23.
#50
Quote:
Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file
I also found some weird thing in Windows 7 x64. I don't know yet why this happens:
Quote:
#51
The 0.9.4 beta behaved strangely on my latest attempts.
On simple unpackmes the resulting dump was invalid.... I hope that 0.9.4 final does not have that behaviour.
#52
Quote:
but it is limited with some protectors, in others it is difficult to handle it. Let's take Themida/Winlicense: through the unpacked routine, it passes through the IAT table rebuild, which writes the API to the file. Here it decides to write the
Quote:
Quote:
pls check this image: http://postimg.org/image/6fzu4kr8v/ and u will see what I was talking about. I have written a lot of tuts on rebuilding the IAT for Themida. I can send it to u, and through this tut u will see when and where the nop is written. And so on for other protectors, each of which has its own privacy.
Quote:
Thanks for ur great work, pls keep up.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#53
@giv
feel free to report bugs.
@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.
I don't think I can give an example. It is still weird. It has probably something to do with this https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332
#54
Quote:
Quote:
#55
Now I see there is a bug. You must disable the "normal" fixer otherwise the "universal" will not work. And it is fixed only in the dumped and fixed file. Not in memory.
#56
Lol .... my friend, I have disabled the "normal" fixer too.
I have used the default options when running Scylla the first time. Check picture http://postimg.org/image/umncnodiv/
#57
Quote:
#58
I think I miss something, so u keep the same size of (jmp or call) and do not make any changes
Quote:
#59
I change the jmp destination to a jmp table.
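The "universal" fix discussed in posts #50 to #59 (same-size call/jmp, destination moved to a jump table, absolute operands that need relocation information), as an added sketch that is not Scylla's code and not from any poster. It assumes 32-bit x86; `universal_fix`, `rel32` and every address in the sample are hypothetical, and a linear byte scan stands in for a real disassembler.

```python
import struct

CALL, JMP = 0xE8, 0xE9            # x86 call rel32 / jmp rel32
JMP_MEM = b"\xFF\x25"             # jmp dword ptr [abs32]

def universal_fix(code, code_va, table_va, api_to_iat):
    """Repoint direct call/jmp-to-API instructions at a jump table.

    api_to_iat maps a resolved API address to the VA of its rebuilt IAT
    slot. Returns (patched code, jump table, VAs that need a relocation).
    Simplification: a candidate instruction is accepted only if its
    target lands exactly on a known API address.
    """
    code, table = bytearray(code), bytearray()
    stubs, relocs, i = {}, [], 0
    while i + 5 <= len(code):
        nxt = code_va + i + 5                      # VA after the instruction
        rel, = struct.unpack_from("<i", code, i + 1)
        api = (nxt + rel) & 0xFFFFFFFF
        if code[i] in (CALL, JMP) and api in api_to_iat:
            if api not in stubs:                   # one stub per API
                stubs[api] = table_va + len(table)
                table += JMP_MEM + struct.pack("<I", api_to_iat[api])
                relocs.append(stubs[api] + 2)      # abs32 operand of the stub
            # Same opcode, same 5 bytes: only the displacement changes.
            struct.pack_into("<I", code, i + 1, (stubs[api] - nxt) & 0xFFFFFFFF)
            i += 5
        else:
            i += 1
    return bytes(code), bytes(table), relocs

def rel32(opcode, va, target):
    """Encode `opcode rel32` located at `va` that transfers to `target`."""
    return bytes([opcode]) + struct.pack("<I", (target - va - 5) & 0xFFFFFFFF)

# Constructed sample: image base, table VA and API addresses are made up.
BASE, TABLE = 0x401000, 0x405000
API_A, API_B = 0x75A01000, 0x76B02000
IAT = {API_A: 0x403000, API_B: 0x403004}
SAMPLE = (rel32(CALL, BASE, API_A) + b"\x90"             # call API_A ; nop
          + rel32(JMP, BASE + 6, API_B) + b"\x90"        # jmp  API_B ; nop
          + rel32(CALL, BASE + 12, API_A) + b"\x90"      # call API_A ; nop
          + rel32(CALL, BASE + 18, 0x401100) + b"\xC3")  # internal call ; ret

if __name__ == "__main__":
    patched, table, relocs = universal_fix(SAMPLE, BASE, TABLE, IAT)
    print(patched.hex(), table.hex(), [hex(r) for r in relocs])
```

The returned relocation list is why the log matters: each stub carries an absolute IAT address, so a dump that can be rebased needs a relocation entry for every one of them.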
#60
1. Scylla should have an option to use the PE header of the module on disk, just like imprec. Right now, Scylla reads the PE header from memory, and in some cases the export directory is destroyed, making Scylla crash. You could try some target using the cryengine sdk, such as Warface, to get this case.
2. About apphelp.dll, we could resolve it using a plugin to handle it.
__________________
Welcome to my place http://www.reaonline.net