X64dbg: Scylla crashed after loading specific executable with exception C0000005

Created on 19 Jun 2017 · 3 Comments · Source: x64dbg/x64dbg

  • Debugger version

    • Jun 8, 2017 snapshot x86
    • May 25, 2017 snapshot x86
  • Operating system version and Service Pack (including 32 or 64 bits).

    • Windows 8.1 build 9600 x64
    • Windows 10 ??? x64 (I forgot)
  • Brief description of the issue.
    Scylla x86 plugin crashed running specific executable.

  • Elaborate reproduction steps for the bug/issue being reported.

    • load the executable attached here. mon.zip
    • open Scylla from menu.
    • got Exception C0000005

By the way, if I open the Scylla window in advance and load it afterwards, after choosing the process to attach, it will crash as well.

bug

All 3 comments

Scylla for some reason can't enumerate the APIs of one of the loaded modules from memory (I would blame it on lib.dll provided in the zip file); setting Scylla to read APIs from disk will work around this issue.

Before debugging the application open Scylla -> Misc -> Options -> tick the option Read APIs always from disk (slower!)
or edit Scylla.ini and change the following parameter:
APIS_ALWAYS_FROM_DISK=1

To prove that lib.dll is the reason:

  1. Make sure break on System Breakpoint is selected in the debugger options
  2. Make sure Read APIs always from disk (slower!) is not selected in Scylla options
  3. Open x32dbg.exe -> press F3 and select lib.dll
    When you land at the system breakpoint go to the Symbols tab, and you'll notice that lib.dll is not loaded yet
  4. Open Scylla and it won't crash
  5. Now run the debugger (F9) to reach the entrypoint of the dll (so that it's loaded),
    then try to open Scylla and it'll crash

Repeat those steps again but select/mark Read APIs always from disk (slower!) in Scylla options and no crashes will occur.

It works! Thanks, @wk-952 for your solution and timely reply. I'll change the issue title for others who are also searching for a solution. I guess it's because of that lib.dll as well, because the crash happened right after Scylla showed it loaded lib.dll in its log window, and later I found lib.dll is protected by VMProtect. btw, is this a fixable bug?

Adding more info to this issue:
Scylla fails here: ApiReader.cpp#L59, the function ApiReader::isModuleLoadedInOwnProcess() should return true but in this case it's returning false.
The reason is that lib.dll is not registered/stored in the std::vector ProcessAccessHelp::ownModuleList which seems to be only manipulated here: Scylla.cpp by ProcessAccessHelp::getProcessModules().
Hope this info helps in resolving the issue.

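The mechanism described in the last comment (a module list captured at the system breakpoint, before lib.dll is loaded, so a later lookup misses the module and the code that assumed it was present fails) can be modelled as a small stand-alone C++ program. This is an added example, not Scylla's or x64dbg's code: `Debuggee`, `ModuleSnapshot`, `chooseApiSource`, the module names and the base addresses are constructed stand-ins, and the disk fallback mirrors the APIS_ALWAYS_FROM_DISK workaround in spirit rather than Scylla's actual implementation.

```cpp
// Added example (not Scylla's code): models a stale cached module list and a
// lookup that falls back gracefully instead of assuming the module is present.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed stand-in for one entry of a process module list.
struct ModuleEntry {
    std::string name;     // e.g. "lib.dll"
    unsigned long base;   // load address (constructed values)
};

// Constructed stand-in for the debuggee: which modules are loaded right now.
struct Debuggee {
    std::vector<ModuleEntry> loaded;
    void loadModule(const std::string& n, unsigned long base) { loaded.push_back({n, base}); }
};

// A cached snapshot of the module list, like ownModuleList in the comment:
// filled once and not updated when the debuggee loads more DLLs later.
struct ModuleSnapshot {
    std::vector<ModuleEntry> modules;
    void refresh(const Debuggee& d) { modules = d.loaded; }
};

static std::string lowerCopy(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Case-insensitive lookup against the cached snapshot (Windows module names are
// case-insensitive, so "LIB.DLL" and "lib.dll" must match).
bool isModuleInSnapshot(const ModuleSnapshot& snap, const std::string& name) {
    const std::string want = lowerCopy(name);
    return std::any_of(snap.modules.begin(), snap.modules.end(),
                       [&](const ModuleEntry& m) { return lowerCopy(m.name) == want; });
}

enum class ApiSource { Memory, Disk };

// Hardened decision: read from disk when the user forced it (APIS_ALWAYS_FROM_DISK=1)
// or when the module is missing from the cached list, instead of continuing as
// if the lookup had succeeded.
ApiSource chooseApiSource(const ModuleSnapshot& snap, const std::string& name,
                          bool alwaysFromDisk) {
    if (alwaysFromDisk) return ApiSource::Disk;
    if (isModuleInSnapshot(snap, name)) return ApiSource::Memory;
    return ApiSource::Disk;   // stale snapshot: fall back rather than fail
}

// Reproduces the sequence from the comment: snapshot taken at the system
// breakpoint, lib.dll loaded afterwards on the way to the entry point.
bool staleSnapshotMissesLateModule() {
    Debuggee d;
    d.loadModule("mon.exe", 0x400000);
    d.loadModule("ntdll.dll", 0x77000000);
    ModuleSnapshot snap;
    snap.refresh(d);                       // captured at the system breakpoint
    d.loadModule("lib.dll", 0x10000000);   // loaded later; the cache is not updated
    return !isModuleInSnapshot(snap, "lib.dll");   // true: the cache is stale
}

// Refreshing the snapshot after the load makes the lookup succeed and lets
// the APIs be read from memory again.
bool refreshedSnapshotFindsLateModule() {
    Debuggee d;
    d.loadModule("mon.exe", 0x400000);
    d.loadModule("lib.dll", 0x10000000);
    ModuleSnapshot snap;
    snap.refresh(d);
    return isModuleInSnapshot(snap, "LIB.DLL") &&
           chooseApiSource(snap, "lib.dll", false) == ApiSource::Memory;
}
```

The two scenario functions reproduce steps 3 to 5 of the comment: the snapshot is correct at the system breakpoint and wrong once lib.dll has been loaded, and refreshing the list before the lookup (or honouring the always-from-disk setting) removes the dependency on the cache being current.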