TQN
July 28th, 2004, 23:39
Hi all !
After above half month of my free times, I have finished with creating IDA Signature file for Delphi 6 and 7 RTL (not contain VCL, CLX). I recompile the Delphi 6, 7 RTL source to .obj file, create .pat file, use DCUExplorer tool to manual edit unknown, unexport functions (named with xxxx::_16xxx, unknown_libname, ...). I have tested them with a Delphi 7 console app and a Delphi 7 Dll, and almost above 95% of RTL functions will be recognized. The D6RTL.sig is rude, and is a subset of D7RTL.sig. I suggest you should use D7RTL.sig for Delphi 6 and 7 .exe, .dll.
But I have a note: in IDA, the B32VCL.sig is a startup signature file, so it will be applied automatically, but it have many unname and unknown functions. When we apply D7RTL.sig, the name of recognized functions in D7RTL will not be applied to the unknown and unname functions in B32VCL.sig. So, when IDA start, remove the B32VCL.sig in Signature window, apply D7RTL.sig, then apply B32VCL.sig.
I hope you will enjoy !
Regards !
TQN
After above half month of my free times, I have finished with creating IDA Signature file for Delphi 6 and 7 RTL (not contain VCL, CLX). I recompile the Delphi 6, 7 RTL source to .obj file, create .pat file, use DCUExplorer tool to manual edit unknown, unexport functions (named with xxxx::_16xxx, unknown_libname, ...). I have tested them with a Delphi 7 console app and a Delphi 7 Dll, and almost above 95% of RTL functions will be recognized. The D6RTL.sig is rude, and is a subset of D7RTL.sig. I suggest you should use D7RTL.sig for Delphi 6 and 7 .exe, .dll.
But I have a note: in IDA, the B32VCL.sig is a startup signature file, so it will be applied automatically, but it have many unname and unknown functions. When we apply D7RTL.sig, the name of recognized functions in D7RTL will not be applied to the unknown and unname functions in B32VCL.sig. So, when IDA start, remove the B32VCL.sig in Signature window, apply D7RTL.sig, then apply B32VCL.sig.
I hope you will enjoy !
Regards !
TQN