Exetools > Community Tools > Scylla x64/x86 Imports Reconstruction (https://forum.exetools.com/showthread.php?t=13792)

Syoma 03-24-2014 20:45

Very good release )
Could you please collapse all nodes after the chunks merge at the end?
Also, if possible, add an option to set the image header flag "relocations stripped" on Dump.
Maybe also an option to automatically save the tree on Dump as ModuleName-Tree.xml.

Syoma 03-24-2014 21:17

Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png

Carbon 03-24-2014 23:33

Quote:

Originally Posted by Syoma (Post 90513)
Bug report:
Missed entries in the chunks. Check image.
http://rghost.ru/53312007/image.png

Thanks for the report. Are you sure that this is a mistake? What entry did Scylla miss? Can you please show me the spot in Olly with dump view "Long -> address with ascii dump"?

Syoma 03-25-2014 00:00

Yes, I am sure it is a mistake. The missed import entries are data-related, not functions. Like __declspec(dllexport) int i; and the same for structure instances.

Also, the same problem with msvcr90.dll import
150 __CppXcptFilter dd ?
154 _adjust_fdiv dd ? // <<----- this one was missed in chunk
158 _amsg_exit dd ?

I do not use Olly. So, not sure what you are asking for.

Carbon 03-25-2014 00:30

1 Attachment(s)
Thanks, I forgot that data exports exist... this should fix it.

Syoma 04-13-2014 17:38

1 Attachment(s)
Bug report:
Consecutive chunks merged into a single branch (check attached image)

Feature request:
Often, especially in Delphi, you can see multiple kernel32.dll chunks with the same functions (which may be stolen). Could you please add an extra loop to check all entries with the same address and fix them at once?
For example: suppose GetProcAddress is stolen and we have 3 chunks where the function is redirected to stub 00112233. Select the 00112233 entry in Scylla, resolve the function manually, and get it resolved in all 3 chunks.

Initialize the function select dialog with a default module name value.
For example: we process a kernel32.dll chunk. The DLL module name would with very high probability be the same as for any chunk entry above the current one. For the first entry some heuristic is possible by calculating module name frequency over all entries in the chunk.

Add an option 'Save tree on exit' or an exit confirmation dialog.
It is quite terrible to find the Scylla window closed by an extra ESC when over 50 entries have already been processed.
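
An added example (not Scylla's code) covering two points from this thread: the data-export bug from the earlier post (an IAT slot holding the address of a `__declspec(dllexport)` variable is a valid import and must not be skipped) and the request above to apply one manual fix to every chunk entry holding the same stub address. All addresses, module names and the stub value are constructed sample data.

```python
# Added example (not Scylla's code): a toy IAT resolver. (1) Export tables
# contain data exports, e.g. __declspec(dllexport) int i; a slot holding such
# an address is a valid import, and skipping it leaves a hole in the chunk.
# (2) One manual fix of a redirected ("stolen") entry is applied to every
# slot holding the same stub address. All addresses and names are constructed.

# Constructed export map: address -> (module, name, kind).
EXPORTS = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA", "func"),
    0x78144D1C: ("msvcr90.dll", "__CppXcptFilter", "func"),
    0x78144B20: ("msvcr90.dll", "_adjust_fdiv", "data"),  # data export
    0x78144E10: ("msvcr90.dll", "_amsg_exit", "func"),
}

# Constructed IAT: slot RVA -> value read from the dump; a zero ends a chunk.
# 0x00112233 is a protector stub that replaced GetProcAddress in two chunks.
IAT = {
    0x150: 0x78144D1C, 0x154: 0x78144B20, 0x158: 0x78144E10, 0x15C: 0,
    0x200: 0x00112233, 0x204: 0x7C801D7B, 0x208: 0,
    0x300: 0x00112233, 0x304: 0,
}

def resolve(iat, exports, skip_data=False):
    """Map each non-zero slot to (module, name), or None if unresolved.
    skip_data=True reproduces the bug of ignoring data exports."""
    out = {}
    for rva, value in iat.items():
        if value == 0:
            continue
        hit = exports.get(value)
        if hit is not None and (hit[2] == "func" or not skip_data):
            out[rva] = (hit[0], hit[1])
        else:
            out[rva] = None
    return out

def unresolved(resolved):
    """Sorted RVAs of slots that still need a manual fix."""
    return sorted(rva for rva, v in resolved.items() if v is None)

def fix_all(resolved, iat, stub_addr, module, name):
    """Apply one manual resolution to every slot holding stub_addr;
    returns the number of slots fixed."""
    fixed = 0
    for rva, value in iat.items():
        if value == stub_addr and resolved.get(rva) is None:
            resolved[rva] = (module, name)
            fixed += 1
    return fixed
```

With `skip_data=True` the `_adjust_fdiv` slot at RVA 0x154 is reported unresolved, which is the hole Syoma saw in the chunk; with data exports honoured only the two stub slots remain, and one `fix_all` call resolves both.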

Syoma 04-13-2014 17:46

Bug report:
---------------------------
Exception! Please report it!
---------------------------
ExceptionCode C0000005
ExceptionFlags 00000000
NumberParameters 00000002
ExceptionAddress VA 77437419
ExceptionAddress RVA 77037419

eax=0x0012EE14, ebx=0x00000000, edx=0x00670601, ecx=0x7E429340, esi=0x0012EE14, edi=0x001AF5A8, ebp=0x0012EDF0, esp=0x0012EDB0, eip=0x77437419
---------------------------
OK
---------------------------

Got it on the last chunk entry after a manual GetProcAddress fix and pressing OK. WinXP/x86 SP3, Scylla 0.9.6a

Syoma 04-13-2014 18:05

1 Attachment(s)
Feature request:
Add Re-scan names button. Check attached image.
Add Export Tree for ImpRec.

Carbon 05-08-2014 03:15

Sorry for the late reply. I was busy with the ScyllaHide project.

How do you produce the view in NamesBug.png? Do you think these are valid API addresses?

Quote:

Add Export Tree for ImpRec.
I don't want to add this feature directly to Scylla, but I coded a small standalone tool for this purpose. I thought about using the ImpRec format, but it is really terrible, so I chose the "right way".


C#.NET, it can convert Scylla XML to ImpRec (crap) txt.
https://bitbucket.org/NtQuery/scyllatoimprectree
https://bitbucket.org/NtQuery/scyllatoimprectree/downloads/ScyllaToImprecTree.rar

Syoma 05-08-2014 05:15

Hi, it was some time ago, so I forgot how I did that. But I think it was done in the usual way using some protected application. Yes, those are valid API addresses. I think they are always the same for WinXP SP3/x86, so you can check by yourself.
Most probably in the next few days I will do a new version of that app and provide more details.
Do you have any information on other reports?

Utshiha 10-01-2014 19:21

Scylla Imports Reconstruction 0.9.7b

1 Attachment(s)
Quote:

great tool to rebuild an import table like ImpREC, CHimpREC, Imports Fixer

Scylla's key benefits are:

x64 and x86 support
full unicode support
written in C/C++
plugin support (ImpREC plugins are supported)
works great with Windows 7
Currently there are only 2 plugins (PECompact, PESpin x64) in this release, full sourcecode for both is included.


DMichael 12-21-2014 15:22

Fixed Scylla 0.9.7b

1 Attachment(s)
I have made a quick patch till Aguila itself fixes the issues I mentioned:
1. Freeze bug under exe32protector
2. Crash bug under PEP protector
(more details in PM since I'm not sure I can post other forum links)

xtiaoshi 12-28-2014 14:12

1 Attachment(s)
Scylla 0.9.7c

Carbon 05-03-2015 20:09

1 Attachment(s)
Version 0.9.8

- Bugfixes for x64, IAT Search
- diStorm3 update from Jan 3rd 2015

dnvthv 06-03-2022 08:49

Version 0.11.0

- Update `ScyllaIatFixAutoW` and `ScyllaIatSearch` to allow dumping DLLs
- `pyscylla.dump_pe` and `pyscylla.rebuild_pe` now return None and throw
exceptions on failure
- Generate Python bindings for Python 3.8+ (i.e., drop Python 3.7 support)

Version 0.10.0

- Update default configuration
- Add support for Windows 8.1 and Windows 10
- Switch build system to CMake
- Add bindings for Python 3
- Add a new `createNewIat` parameter to `ScyllaIatFixAutoW`
- Fix bad handling of instructions with a REX prefix in `IATReferenceScan::patchNewIat`
- Handle multiple imports that have the same address in `ApiReader::getApiByVirtualAddress`
- Add a Sphinx-generated documentation
- Update distorm to version 3.5.2
- Update WTL to version 10

https://github.com/ergrelet/Scylla
https://github.com/ergrelet/Scylla/releases

