Today I tried to unpack a DLL and use Scylla, but it did not read its OEP from file/memory.

It seems that Scylla does not read DLL OEP in case of DLL Unpacking.

Am I right?

@Newbie_Cracker
I don't get it. You need to find the OEP yourself?

@sendersu
I don't think this is a problem. I will think about it. It is because Scylla doesnt pay attention to the api order (like imprec). Scylla is using a different algorithm.

@ahmadmansoor
here: https://github.com/NtQuery/Scylla

In Scylla, like ImpRec, when you choose a process, the OEP is read from PE header and automatically is shown in OEP text box.

Imprec does the same for DLLs, but Scylla does not.

It seems that it reads the ImageBase and ImageSize from memory (I haven't debugged it to check), but it does not read the OEP from the disk/memory.

just one thing pls upload the distorm 3.1 folder which u use .
I can't access it .
is there a problem to compile it with v10 instead of v9.0 of VS 2010
Thanks

where do these new version come from? They are not mentioned on t4u, Scylla's home.

deepzero, you can get them in t4u download area

Sorry, I don't want to include the distorm project. Just download the latest distorm from the official website and extract it in this folder.
I updated the project files: https://github.com/NtQuery/Scylla/commit/133a8fac409940012ee97d46d4955203bf4421bb

It should work with Visual Studio 2010. I compile it with platform toolset v90 to get WIN XP SP0/1 support. If you compile it with v10, you can execute it only on XP SP2+

@Newbie_Cracker
OK thx, I added it. See attachment.

ahmadmansoor had a nice idea for a new IAT search algorithm. It seems that it is very accurate after some tweaks, but takes a little bit longer depending on your computer.

Use the option "advanced iat search" and test it.

If you like to support this project, BTC Address: 1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h

new options added

I really recommend to update due to the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file

I also found some weird thing in Windows 7 x64. I don't know yet why this happens:

The 0.9.4 betra behaved strange on my latest attempts.
On simple unpackmes the resulted dump was invalid....
I home that 0.9.4 final does not have that behaviour.

I was watch ur update ,My friend Universal import scanner fix is a Good Idea .
but it is limited with some Protector ,in other it is Difficult to handle it .
Let take the Themida/Winlicense : through the unpacked rutine ,it pass through IAT Table rebuild which write the API to the file .here it decide to write the
so this nop it Defined through this rutine ,and I think it is random .
so guessing which NOP is the right to replce for Fix This import will fault by 70%

pls check this Image :
http://postimg.org/image/6fzu4kr8v/
and u will see what I was talking about .I have write a lot of tut on rebuild IAT for Themedi I can send it to u and through this tut u will see when and where the nop is written .
and so on for other Protector ,which each one his privacy .

can u give example (code or File ) ?

Thanks for ur great work ,pls keep up.

@giv
feel free to report bugs.

@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.

I don't think I can give an example. It is still weird. It has probably something to do with this https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332

my friend the example which I gave u in the Picture was universal enable in options :D I will upload the files when back to home .

I will check this

Now I see there is a bug. You must disable the "normal" fixer otherwise the "universal" will not work. And it is fixed only in the dumped and fixed file. Not in memory.

Lol .... my friend I have disable the "normal" fixer too.
I have use the default option when run Scylla first time .
check picture
http://postimg.org/image/umncnodiv/

yes that are the correct settings. Now dump and fix and the direct imports will be resolved.

I think I miss something ,so u keep the same size of (jmp or Call) and not make any changes
Ok let me do more checks .

I change the jmp destination to a jmp table.

1.Scylla should have option to use PE Header of module on disk just like imprec .
right now, scylla read the pe header from memory and in some case the export directory is destroy make scylla crash.
You could try some target using cryengine sdk such as Warface to get this case/.

2. About apphelp.dll, we could resolve it using plugin to handle it.

i think scylla is always interested in crash reports, no matter why they happened. :)

Some feedback
1. It does not remember the last folder used to store dump/fix, but always start from the module home folder.
2. It keeps separate adjacent chunks of functions related to the same module.
3. For dump naming would be better to follow ImpRec behavior: default dump name is module name + suffix.

Feature request
+ Add import manually. Now it can be done using XML editing, but need to recalc offsets, ordinals, etc.
+ Single -Dump & Fix- button :)

We could using plugin for apphelp.dll to solve the api. This is my small plugin for Imprec & Scylla.

About scylla crash, I had found that the function ApiReader::parseExportTable is parsing export not correct in some case, the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of names in the differ memory than the exportbuffer cover.

In the options you can choose between reading pe header from disk or from memory. It should work.
Thanks I will fix that.

I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function rva FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.

@Syoma
Thanks for the suggestions, I will fix that.

There're many way.
1.trace into the apphelp.dll function code then you'll get the correct api function by watching some special call,jmp such as call eax, call [eax+const], call [ecx+const], jmp eax.

2. Using debuging symbol of apphelp then we'll get the simillar correct name of api.

I got the same problem with aclayers.dll, but seem it's hard to make a tracer for that. Seem the best way is to hard-code the address value for these dll.

I know this is not a good Idea or stupid Idea ,but for unpacker when he work on unpack he can do this :
and done . so no need to fix this .

New version
@Computer_Angel
I cannot reproduce the crash, tested with crysis and far cry.

1.Just test the new version, seem the module lister not list all the module in process.I'll check it more in next day.
2.I'll try to give you the examples about the crash.

There was a bug with virtual devices...

More buggy with lastest release. My binary is on Virtual devices and scylla could not define a correct pathname for it (it show unknow for path). When try to select the process with unknow path ---> crash happen

Windows doesn't handle virtual devices like it should :(

This should work now, but the solution is bad...

Here's the samples for scylla crash bug. Use Ollydbg2 load the scylla_.exe, then you'll stop at EP. Now using scylla to process the scylla_.exe module and scylla will crash. Hope this will help you :D

Hi Carbon :
about Computer_Angel target don't care about it, scylla is the best and it Does not need any fix for handle virtual devices.
this sample is an tricky Target :rolleyes: it write false size for IMAGE_EXPORT_DIRECTORY which make it very very big so can't handle it with
bufferExportTable = new BYTE[readSize];
so Computer_Angel it is as an anti scylla (or other IAT re builder ) technique ;) .
Computer_Angel just one thing ,pls where u get like this targets ,every time u surprise us with this kind of targets ,I work with a lot of targets never get my hand on targets like which u bring it to us .....
Computer_Angel :cool:

Ahmadmansoor , i get this problem when unpack warface game.

Thanks for the file Computer_Angel and thanks for the help ahmadmansoor.

I added an option to read the export table always from disk. This is slower than reading it from the target process. I guess this is a rare case, so people should only enable it if needed.

Very good release )
Could you please collapse all nodes after chunks merge at the end?
Also, if possible add option to set image header flag "relocations stripped" on Dump.
May be also option to automatically save tree on Dump as ModuleName-Tree.xml

Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png

Thanks for the report. Are you sure that this is a mistake? What entry did scylla miss? Can you please show me the spot in olly with dump view "Long -> address with ascii dump".

Yes, I am sure it is mistake. The missed import entries are data-related, not functions. Like __declspec(dllexport) int i; and the same for structures instances.

Also, the same problem with msvcr90.dll import
150 __CppXcptFilter dd ?
154 _adjust_fdiv dd ? // <<----- this one was missed in chunk
158 _amsg_exit dd ?

I do not use Olly. So, not sure what you asking for.

Thanks, I forgot that data exports exist... this should fix it.