Hi,
I have a little problem I whish to discuss here..

I have a Delphi quite complex app which is asprotected. Well, no problems removing asprotect, but the unpacked application I got has a problem: it's written in Delphi so the ASM isn't quite clear and to do even simple things, like compare strings, it's not so simple to read, not talking about variables which are always relative to EBP, as usual in Delphi programs..

Unfortunately the unpacking process removed all those informations usually used by DeDe to reverse the program..

I'm just wondering now if there's a way to get back the informations used by DeDe or similar programs into the dumped program.

The problem is the same for any other not c++ program I guess.

use IDA and apply all delphi signatures. u can then create a map file and load it into olly for example.

good suggestion..I haven't thought, also because I wasn't able to find a good signature 4 IDA in the past...where can I find it ? Is there a way to export from dede or dsf files

Have you tried using DeDe on the running process?

-nt

IDA comes with pretty good delphi signatures. just click the nice flower and press insert button. check out these signatures:

BP32_2 Borland Delphi/C++Builder VCL
C4VCL CBuilder 4 and Delphi 4 VCL
D3VCL Delphi 3 Visual Component Library
D4VCL Delphi 4 Visual Component Library
D5VCL Delphi 5 Visual Component Library
DELPHI Delphi V1.0

2nikolatesla20
yep, DeDe won't attach to the ready-to-dump process (I mean with stolen bytes placed back with Olly stopped at the OEP)..buttons are not activated..

2HaRdLoCk
I tried to do it, but despite this applying delphi sigs only identify 8, 10 matches at all..

hmm... if you dump it right generally Dede should be able to work on it with some minor fixes on the file header... Also generally IDA built in sig will do pretty well already...

minor fixes on the header? Which for example?
The dump is "perfect", because the asprotected file is quite simple, the stolen bytes aren't erased as they are visible at the OEP through ecx..

learn Delphi routines!

__________________
(.|.)
..).( (¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨&8~)
₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
( v )
.\|/

All that is just the substitution for Shub-nigurrath's graphics under Shub's signature block that appears on other Forums.

Regards,

This might offend some ppl out there LOL

eg Evaluator

he would say you dirty.....

Actually, I hadn't even paid attention, so I had not "visualized" the form on the left. But, then, I have a clean mind, so they are just paranthesis and periods to me.

Regards,

do some characters create problems to any1? I would never been able to think of it. Nothing special indeed, so just because I don't want to "hurt" anyone, I removed them

..if you are so sensible boys and girls well let know that the world is worst, goddamned worst ..humpf

Speaking of eval, haven't been around for a while, anyone knows where he went? Maybe vacation or something I guess...

Shub-nigurrath:

Don't need to be humpfing. ester was just teasing evaluator, who sometimes objects to things which display the female form in way the eval seem not to find pleasing. WE don't mind and it was just general teasing. No need to get up tight about either the symbols or the posts.

Regards,

well well ok, reenter in the terms more appropriate for this forum so.
Anyway for what was the initial question of this thread I solved the problems with IDA/DeDe and dumped Delphi programs, thanks to suggestions here posted..

TAL.