View Full Version : Delphi Big Lib Signature Problem


nanobit
July 17th, 2008, 00:34
Whenever I come to crypto reversing, my main problem is detecting the libraries.
I'm reversing this Delphi program which uses big library (TLBRijndael, TLbBigInt,...).
Some stream procedures like SetPos() or GetSize() are identified by IDA. The point is,
before starting the main algorithm, after calling nearly 20 library functions, the program
throws an exception and skips the rest of the code. Maybe it's because of some division by zero
or something else. But if I cannot detect the functions I must guess the problem.

Have any of you guys tried reversing Delphi's big library, or know any sig for that?

I remember black-eye had some crypto/big sig but his website doesn't work atm.
Googling gave me nothing and even worse the search section acts so weird, it even
returns "no match" for "Assembly" keyword let alone "Delphi" or "TLB"!!
(This paragraph is more dedicated to JMI.)

JMI
July 17th, 2008, 00:48
Thank you for the dedication, and for searching before you posted. I am a little perplexed with your reported search results, however. Putting "assembly" (without the quotes) in the main search box, above, choosing the radio button for "posts", the search result identified 500 posts! Using "Assembly", with the capital "A", produced none.

Using "Delphi" (without the quotes, but with the capital "D"), I got "0" results; however, using "delphi", without the capital "D", I got 383 posts, including yours.

Similar results for "TLB". No hits for "TLB", but 9 posts for "tlb."

One would reasonably conclude that, at the moment, the search function is set to "case sensitive." I'll check the adminCP and confirm whether that is an option which can be changed.

Regards,

naides
July 17th, 2008, 00:51
I guess I am missing the question, but: what prevents you from getting your hands on Delphi, the Delphi big library with all its headings, and linking info, then generating the sig yourself?

nanobit
July 17th, 2008, 01:29
Well naides, it's not that easy for me to get my hands on Delphi Big Libs. I didn't even know whether this library I'm facing comes with the official package (as you say, it comes). And I was checking if there's already a signature for that so I don't bother doing that from the beginning. Btw, I think my only solution is stepping through the procedures and finding out what each method does, which looks like a nightmare to me.

naides
July 17th, 2008, 02:00
Let me check on my computer...

http://sourceforge.net/projects/tplockbox may have what you need?
Look at the tplockbox documentation.
My Delphi (2007) does not include TLBRijndael, TLbBigInt objects but these guys (Lockbox) apparently were the ones that implemented them...

I am not sure.
Can you expand a little on Delphi "big libs"?
Perhaps I do have them but I am not sure what I am looking for.

nanobit
July 17th, 2008, 03:33
Thanks for the doc link, downloading it right now.
The _cls_LbClass_TLbRijndael class was identified by IDA and I saw TLbRijndael and TLbBigInt while stepping through the code. Some other hardcoded TLbs I found in the exe file (not encountered during the debugging yet, I think I'll see them after passing the exception) are:

TLbCipherMode
TLbCipher
TLbSymmetricCipher
TLbKeySizeRDL
TLbAsymmetricKey
TLbRSAKey
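
An added example, not part of the original thread: a small Python triage script that lists the length-prefixed (ShortString) type names in a Delphi executable and filters them by the `TLb` prefix seen above, the kind of check that points at LockBox before any signature is built. The function names and the sample bytes are constructed for illustration.

```python
import re

# Delphi keeps class and RTTI type names as ShortStrings: one length byte
# followed by exactly that many ASCII characters, with no terminator.
IDENT = re.compile(rb"T[A-Za-z][A-Za-z0-9_]*")

def delphi_type_names(blob):
    """Return every T-prefixed identifier stored as a length-prefixed string."""
    names = set()
    pos = blob.find(b"T", 1)
    while pos != -1:
        n = blob[pos - 1]                      # candidate length byte
        cand = blob[pos:pos + n]
        # Accept only if the length byte covers a complete identifier.
        if 4 <= n <= 64 and len(cand) == n and IDENT.fullmatch(cand):
            names.add(cand.decode("ascii"))
        pos = blob.find(b"T", pos + 1)
    return names

def names_with_prefix(blob, prefix):
    """Sorted type names that start with a vendor prefix such as 'TLb'."""
    return sorted(n for n in delphi_type_names(blob) if n.startswith(prefix))

def shortstr(name):
    """Build a ShortString as laid out in the binary (used for the sample)."""
    return bytes([len(name)]) + name.encode("ascii")

# Constructed sample, not bytes from the program discussed in the thread.
SAMPLE = (
    b"\x00\x07" + shortstr("TLbRijndael") + b"\x90\x90"
    + shortstr("TLbBigInt") + b"\x00TLbNotPrefixed\x00"   # plain C string: ignored
    + shortstr("TStream") + shortstr("TLbRSAKey")
)

if __name__ == "__main__":
    # For a real file: names_with_prefix(open(path, "rb").read(), "TLb")
    for name in names_with_prefix(SAMPLE, "TLb"):
        print(name)
```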

nanobit
July 17th, 2008, 04:14
It seems the program is using LockBox. I think all I have to do is compile the package and make signatures from it and load it to IDA.
But I don't have a Borland compiler (neither BC nor Delphi) and this would be my first signature extraction.
Thank you naides! You helped me a lot.

blurcode
July 17th, 2008, 04:34
With DeDe you can identify 3rd party libraries.

naides
July 17th, 2008, 06:38
You can download a demo version of Codegear RAD-Studio, as long as you do the compiling/sig extraction in less than 30 days...

Maximus
July 18th, 2008, 09:11
TurboDelphi, and in general all TurboX versions, are free. Check them out.

dELTA
July 20th, 2008, 15:59
The following should be a good place to start your IDA signature creation adventures, nanobit:

http://www.woodmann.com/collaborative/tools/Category:IDA_Signature_Creation_Tools

nanobit
July 29th, 2008, 09:26
Thank you all.