View Full Version : Delphi 6 and 7 IDA Signature


TQN
July 28th, 2004, 23:39
Hi all !
After above half a month of my free time, I have finished creating an IDA signature file for the Delphi 6 and 7 RTL (not containing VCL, CLX). I recompiled the Delphi 6, 7 RTL source to .obj files, created the .pat file, and used the DCUExplorer tool to manually edit unknown, unexported functions (named with xxxx::_16xxx, unknown_libname, ...). I have tested them with a Delphi 7 console app and a Delphi 7 DLL, and almost above 95% of RTL functions will be recognized. The D6RTL.sig is rude, and is a subset of D7RTL.sig. I suggest you use D7RTL.sig for Delphi 6 and 7 .exe, .dll.
But I have a note: in IDA, the B32VCL.sig is a startup signature file, so it will be applied automatically, but it has many unnamed and unknown functions. When we apply D7RTL.sig, the names of recognized functions in D7RTL will not be applied to the unknown and unnamed functions in B32VCL.sig. So, when IDA starts, remove the B32VCL.sig in the Signature window, apply D7RTL.sig, then apply B32VCL.sig.
I hope you will enjoy !
Regards !
TQN

dELTA
July 29th, 2004, 07:09
Nice work TQN, thanks!

314159265358979
July 29th, 2004, 10:04
Nice work, thanx. Another way is to load *.bpl in IDA as a DLL, let it analyze that file and then export signatures with the idb_2_pat plugin. It's cool if you have only a demo with precompiled .dcus. But even better is to parse *.dcu into *.pat.

314159265358979

TQN
July 29th, 2004, 22:22
Thanks, dELTA and 314159265358979 !
After finishing this signature, I realized that I could do it more easily with a dcu2pat tool. I will add this tool to my todo list for my free time. Another way is to rebuild the DCULoader loader of Mike Sinkovsky for IDA Pro 4.5 and use IDB_2_PAT to create the signature.
Regards !
TQN

friedo
July 31st, 2004, 11:46
Quote:
[Originally Posted by TQN]Thanks, dELTA and 314159265358979 !
After finishing this signature, I realized that I could do it more easily with a dcu2pat tool. I will add this tool to my todo list for my free time. Another way is to rebuild the DCULoader loader of Mike Sinkovsky for IDA Pro 4.5 and use IDB_2_PAT to create the signature.
Regards !
TQN

Btw, Delphi allows creating OBJ files instead of DCUs. There's already an OBJ2PAT tool... ;-)

TQN
July 31st, 2004, 23:14
Thanks friedo !
This is the way I created this signature (obj2pat == plb ??). But the .pat file created will ignore and doesn't have a large number of small functions (< 16 bytes), and a lot of xxxx:_16xxxx and unknown_libname functions. So I must use DCUExplorer to manually add and edit them.
TQN

JonathanL
August 8th, 2004, 11:20
A wonderful work! Thanks a lot, TQN!