DeDe Decompiler

Source: Internet
Author: User

Delphi and C++ Builder let you design the interface by dragging and dropping controls and associating them with events. This information is stored in the executable file as resources (RCDATA). DeDe relies on this principle for decompilation: it extracts the relevant information and restores the relationship between the interface and its events. However, the assembly code of the events cannot be restored. DeDe's source code is public, and interested readers can study it.
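
As an added illustration (not DeDe's code and not part of the original article), the sketch below parses a binary form resource in Delphi's TPF0 stream format and lists the event bindings it contains, which is the kind of information the paragraph above says can be recovered from RCDATA. The sample bytes are constructed, only a subset of value types is decoded, and treating identifier-valued On... properties as event handlers is a heuristic.

```python
def _sstr(buf, pos):                          # 1-byte length prefix, then the text
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n

def _value(buf, pos):                         # returns (kind, value, next_pos)
    t, pos = buf[pos], pos + 1
    if t in (2, 3, 4):                        # vaInt8 / vaInt16 / vaInt32
        size = {2: 1, 3: 2, 4: 4}[t]
        return "int", int.from_bytes(buf[pos:pos + size], "little", signed=True), pos + size
    if t in (6, 7):                           # vaString / vaIdent
        text, pos = _sstr(buf, pos)
        return ("ident" if t == 7 else "str"), text, pos
    if t in (8, 9):                           # vaFalse / vaTrue
        return "bool", t == 9, pos
    if t == 12:                               # vaLString: 4-byte length prefix
        n = int.from_bytes(buf[pos:pos + 4], "little")
        return "str", buf[pos + 4:pos + 4 + n].decode("latin-1"), pos + 4 + n
    raise ValueError(f"unsupported value type {t} at offset {pos - 1}")

def _object(buf, pos, events):                # one component plus its children
    cls, pos = _sstr(buf, pos)
    name, pos = _sstr(buf, pos)
    while buf[pos] != 0:                      # an empty name ends the property list
        prop, pos = _sstr(buf, pos)
        kind, val, pos = _value(buf, pos)
        if kind == "ident" and prop.startswith("On"):   # heuristic: OnXxx = handler
            events.append((name, cls, prop, val))
    pos += 1
    while buf[pos] != 0:                      # a zero byte ends the child list
        pos = _object(buf, pos, events)
    return pos + 1

def dfm_events(resource):
    """Return (component, class, event, handler) tuples from a TPF0 resource."""
    if resource[:4] != b"TPF0":
        raise ValueError("not a binary Delphi form resource")
    events = []
    _object(resource, 4, events)
    return events

def _s(text):                                 # builds a short string for the sample
    return bytes([len(text)]) + text.encode("latin-1")

# Constructed sample: a form with an edit box and an "OK" button.
SAMPLE = (b"TPF0" + _s("TMainForm") + _s("MainForm")
          + _s("Caption") + b"\x06" + _s("DE_Delphi") + b"\x00"
          + _s("TEdit") + _s("Edit1") + _s("TabOrder") + b"\x02\x00" + b"\x00\x00"
          + _s("TButton") + _s("Button1") + _s("Caption") + b"\x06" + _s("OK")
          + _s("OnClick") + b"\x07" + _s("Button1Click") + b"\x00\x00" + b"\x00")
```

Calling dfm_events(SAMPLE) yields the single binding of Button1's OnClick to Button1Click.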

1. Main Functions

You can use DeDe to view the properties of the forms in a Delphi program and the events that correspond to its buttons. It decompiles the event code and identifies Delphi library functions, which makes the output highly readable. In addition, events can be exported to a map file for use by other tools.

2. Configuration

(1) DSF File

① Meaning of the DSF File

The content of a DSF file comes from the exported symbol tables of the BPL library files of different versions. The DeDe disassembly engine uses these symbol tables to annotate calls to class member methods in the generated ASM code file, which is very similar to IDA Pro's FLIRT technology. If no BPL symbol table file is loaded, calls into the BPL classes cannot be shown in annotated form.

② Load the DSF File

You can load the required DSF file through the "File/Load Symbol File" menu. If the program correctly identifies the Delphi version of the target, it loads the matching DSF file automatically. If you want several DSF files to be loaded automatically each time DeDe starts, select the "Options/Configuration" menu and set this up on the Symbols tab. To view the exported symbol table contained in a specific DSF file, select "Options/Symbols".

③ Why do I need to create a DSF file?

When processing programs that use custom components (that is, components not installed with Delphi), if the BPL files of these custom components are available and DSF files are created for them, DeDe will annotate all calls to these custom components. Creating a DSF file is also fast.

(2) DOI File

DOI stands for Delphi Class Offset Information. This technique uses offset information to identify class members: methods and fields (instance variables and properties). The DOI file contains the data needed for this identification. DeDe emulates the instructions and uses these offsets to find references. For example, in any subclass that inherits from the TForm class, offset 0xCC holds a pointer to the ShowModal method. When the emulator meets a call such as call [reg + $00CC], it knows that the object held in the register is a TForm subclass and that the call refers to the TForm.ShowModal method. DOI files should be stored in the DSF folder.

The following simple example shows the annotations produced with DOI information.

* Reference to control LogMemo: TMemo
004E4E7C 8B80F4020000 mov eax, [eax + $02F4]
* Reference to field TMemo.Lines: TStrings
004E4E82 8B8004020000 mov eax, [eax + $0204]
* Possible String Reference to: Loading Export Names...
004E4E88 BA0C584E00 mov edx, $004E580C
004E4E8D 8B08 mov ecx, [eax]
* Reference to method TStrings.Add(string)
004E4E8F FF5134 call dword ptr [ecx + $34]

To use a DOI file, just copy the *.DOI file to the DSF folder. The DOI data is automatically inserted into the generated code file.
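
The following added example (not DeDe's code and not part of the original article) shows how offset tables of this kind can drive the annotation: it tracks which class each register refers to and emits comments like those in the listing above. The offsets are the ones quoted on this page; the table layout, the TMainForm owner class, the inheritance chain and the assumption that Self arrives in eax are illustrative.

```python
import re

# Constructed offset tables in the spirit of a DOI file. The offsets are the ones
# quoted on this page; the table layout and the TMainForm owner are assumptions.
FIELDS = {("TMainForm", 0x2F4): ("LogMemo", "TMemo"),
          ("TMemo", 0x204): ("Lines", "TStrings")}
METHODS = {("TStrings", 0x34): "Add(string)", ("TForm", 0xCC): "ShowModal"}
PARENT = {"TMainForm": "TForm"}               # constructed inheritance chain
MEM = re.compile(r"\[(\w+)(?:\s*\+\s*\$([0-9A-Fa-f]+))?\]")

def lookup(table, cls, off):                  # walk up the chain; None if no match
    while cls:
        if (cls, off) in table:
            return cls, table[(cls, off)]
        cls = PARENT.get(cls)

def annotate(lines, self_class):
    """Track which class each register refers to and emit DeDe-style comments."""
    regs = {"eax": ("obj", self_class)}       # assumption: Self arrives in eax
    out = []
    for line in lines:
        op, _, args = line.strip().partition(" ")
        dst, _, src = (s.strip() for s in args.partition(","))
        m = MEM.search(src if op == "mov" else args)
        base = regs.get(m.group(1)) if m else None
        off = int(m.group(2), 16) if m and m.group(2) else None
        if op == "mov":
            new = None
            if base and base[0] == "obj" and off is None:
                new = ("vmt", base[1])        # mov reg, [obj] loads the VMT pointer
            elif base and base[0] == "obj":
                hit = lookup(FIELDS, base[1], off)
                if hit:
                    out.append(f"* Reference to field {hit[0]}.{hit[1][0]}: {hit[1][1]}")
                    new = ("obj", hit[1][1])
            regs[dst] = new                   # None means "type unknown"
        elif op == "call":
            hit = lookup(METHODS, base[1], off) if base and base[0] == "vmt" else None
            if hit:
                out.append(f"* Reference to method {hit[0]}.{hit[1]}")
            regs.update(eax=None, edx=None, ecx=None)   # clobbered by the callee
        else:
            regs[dst] = None                  # conservative: forget the destination
        out.append(line)
    return out

LISTING = ["mov eax, [eax + $02F4]", "mov eax, [eax + $0204]", "mov edx, $004E580C",
           "mov ecx, [eax]", "call dword ptr [ecx + $34]"]   # instructions from the page
```

annotate(LISTING, "TMainForm") reproduces the field and method comments for the listing, and a call through [reg + $00CC] on a TMainForm object resolves to TForm.ShowModal through the parent chain.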

(3) Meaning of string reference

In DeDe, if you are processing programs that contain non-English strings, select the Options/Configuration menu. On the References tab, you can set the character set used by the DeDe decompilation engine to search for string references.


NOTE: If all character sets are used together (#32 to #255), you may obtain incomplete string references. Delphi programs generally do not use Unicode strings, which is why this option is not included in the string reference configuration.

3. Basic operations

DeDe is simple to install. After installation, run the main program directly. The main interface shown in Figure 7.1 is displayed. Click the button to open the DE_Delphi file in the CD image file, and then click the "Process" button to decompile it. DeDe loads the analyzed file into memory before decompiling it. Therefore, it can also decompile some compressed and packed programs.

Classes Info: displays the class information used in the program;
Units Info: displays the unit information used in the program;
Forms: displays the form information in the program. This part can be modified using a resource editing tool;
Procedures: displays the procedure information of the program;
Project: saves the current project;
Exports: exports the symbol file.



Figure 7.1 DeDe page


The Events and Controls are displayed here (see Figure 7.2 ). The Button1Click event corresponds to the "OK" button. Double-click the event to open the code window. This window displays the assembly code corresponding to the current event, and the control bar on the right displays global and local variables. Double-click an expression to add comments. Double-click the jump instruction and CALL instruction to jump to the corresponding code.


Figure 7.2 view event button


Let the user name entered into the target instance DE_Delphi be Name[]. The specific code is as follows:
* Reference to control TMainForm.Edit1: TEdit ; user name edit box control
004502C6 mov eax, [esi + $02F8]
* Reference to: controls.TControl.GetText(TControl): System.String;
004502CC call 0042F4F8
004502D1 cmp dword ptr [ebp-$0C], +$00 ; checks whether any characters were entered
004502D5 jnz 004502F5
......
* Reference to: controls.TControl.GetText(TControl): System.String;
004502FE call 0042F4F8
00450303 mov eax, [ebp-$10] ; pointing to user name
* Reference to: system.@LStrLen: Integer;
00450306 call 004044C4
0045030B cmp eax, +$04 ; determines whether 4 characters are entered
0045030E jnl 0045032E
......
* Reference to: controls.TControl.GetText(TControl): System.String;
00450345 call 0042F4F8
0045034A mov eax, [ebp-$14] ; pointing to Name[]
* Reference to: system.@LStrLen: Integer;
0045034D call 004044C4 ; get the user name length
00450352 mov ebx, eax ; put the length in ebx as a counter
00450354 test ebx, ebx
00450356 jle 00450381
00450358 mov edi, $00000001 ; edi = 1
0045035D / mov eax, [ebp-$08] ; pointing to Name[]
00450360 | movzx eax, byte ptr [eax + edi-$01]
00450365 | lea ecx, [ebp-$18]
00450368 | mov edx, $00000002
* Reference to: sysutils.IntToHex(System.Integer; System.Integer)
0045036D | call 00408310 ; inttohex(ord(Name[I]), 2)
00450372 | mov edx, [ebp-$18] ; [ebp-$18] points to Name[I] in hexadecimal
00450375 | lea eax, [ebp-$04] ; [ebp-$04]: the variable is a pointer to the Sn pointer
* Reference to: system.@LStrCat;
00450378 | call 004044CC & n
