Scylla x64/x86 Imports Reconstruction

[Carbon]

ahmadmansoor had a nice idea for a new IAT search algorithm. It seems that it is very accurate after some tweaks, but takes a little bit longer depending on your computer.

Use the option "advanced iat search" and test it.

If you like to support this project, BTC Address: 1GmVrhWwUhwLohaCLP4SKV5kkz8rd16N8h

Code:

Version 0.9.2

- Pick DLL -> Set DLL Entrypoint
- Advanced IAT Search Algorithm (Enable/Disable it in Options), thanks to ahmadmansoor
- Fixed bug in Options
- Added donate information, please feel free to donate some BTC to support this project

[Carbon]

new options added

Quote:

Version 0.9.4 beta

- direct import scan + fix: 5 byte CALL/JMP, junk byte must be after CALL/JMP
- create new iat in section
- fixed various bugs

Version 0.9.3
- new dll function: iat search
- new dll function: iat fix auto

[Carbon]

Quote:

Version 0.9.4 Final

- direct import scanner (LEA, MOV, PUSH, CALL, JMP) + fixer with 2 fix methods
- create new iat in section
- fixed various bugs

I really recommend to update due to the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file

I also found some weird thing in Windows 7 x64. I don't know yet why this happens:

Quote:

### Windows 7 x64

Sometimes the API kernel32.dll GetProcAddress cannot be resolved, because the IAT has an entry from apphelp.dll
Solution? I don't know

[ahmadmansoor]

Quote:

Originally Posted by Carbon

I really recommend to update due to the bug fixes.

Direct import scanner fix methods:
- Normal: Patch memory with jmp/call only
- Universal: Works with everything, creates a jump table in the scylla section, watch for relocation information in the log file
:

I was watch ur update ,My friend Universal import scanner fix is a Good Idea .
but it is limited with some Protector ,in other it is Difficult to handle it .
Let take the Themida/Winlicense : through the unpacked rutine ,it pass through IAT Table rebuild which write the API to the file .here it decide to write the

Quote:

NOP
Jmp xxxxx
or
Call xxxxx
Nop

so this nop it Defined through this rutine ,and I think it is random .

Quote:

00412893 CC int3
00412894 > 90 nop
00412895 .- E9 96287477 jmp msvcr100.__set_app_type
0041289A > 90 nop
0041289B .- E9 60587477 jmp msvcr100._amsg_exit
004128A0 > 90 nop
004128A1 .- E9 3A647477 jmp msvcr100.__wgetmainargs
004128A6 CC int3
+++++++++++++++++++++++++++++++++++++
004129C7 CC int3
004129C8 > 90 nop
004129C9 .- E9 D2567477 jmp msvcr100._exit
004129CE > 90 nop
004129CF .- E9 BCA68177 jmp msvcr100._XcptFilter
004129D4 >- E9 E7567477 jmp msvcr100._cexit
004129D9 . 6F outs dx, dword ptr es:[edi]
004129DA >- E9 A1567477 jmp msvcr100.exit
004129DF 13 db 13
004129E0 > 90 nop
004129E1 .- E9 DA708177 jmp msvcr100._CrtSetCheckCount
004129E6 CC int3

so guessing which NOP is the right to replce for Fix This import will fault by 70%

pls check this Image :
http://postimg.org/image/6fzu4kr8v/
and u will see what I was talking about .I have write a lot of tut on rebuild IAT for Themedi I can send it to u and through this tut u will see when and where the nop is written .
and so on for other Protector ,which each one his privacy .

Quote:

I also found some weird thing in Windows 7 x64. I don't know yet why this happens

can u give example (code or File ) ?

Thanks for ur great work ,pls keep up.

[Carbon]

@giv
feel free to report bugs.

@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.

I don't think I can give an example. It is still weird. It has probably something to do with this https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332

[ahmadmansoor]

Quote:

Originally Posted by Carbon

@ahmadmansoor
Try the "universal" direct import fixer (enable in options). It will work with Themida and any other protector.

my friend the example which I gave u in the Picture was universal enable in options I will upload the files when back to home .

Quote:

I don't think I can give an example. It is still weird. It has probably something to do with this https://forum.tuts4you.com/topic/34548-scylla-version-announcements/#entry159332

I will check this

[Carbon]

Quote:

Originally Posted by ahmadmansoor

my friend the example which I gave u in the Picture was universal enable in options I will upload the files when back to home .

Now I see there is a bug. You must disable the "normal" fixer otherwise the "universal" will not work. And it is fixed only in the dumped and fixed file. Not in memory.

[Computer_Angel]

Quote:

Originally Posted by Carbon

I also found some weird thing in Windows 7 x64. I don't know yet why this happens:

We could using plugin for apphelp.dll to solve the api. This is my small plugin for Imprec & Scylla.

About scylla crash, I had found that the function ApiReader:arseExportTable is parsing export not correct in some case, the way of calculating functionName = (char*)(addressOfNamesArray[i] + deltaAddress) is not right if the address of names in the differ memory than the exportbuffer cover.