Delphi 5 disassembly summary

zhaozj  2021-02-16


There are many tools that help with reverse engineering Delphi programs; the two I have used most are DeDe and IDA Pro. In IDA Pro, loading the FLIRT signature module for the development tool that built the target (File / Load File / FLIRT Signature File...) recovers the names of the library functions according to that tool, which is a great help both for cracking and simply for reading the assembly. DeDe 3.5 has the same feature under the name of its .dsf symbol library; in practice FLIRT seems to recover more symbol information, while DeDe can recover Delphi-specific data such as the .dpr, .dfm and .pas project files.

Code compiled by Delphi differs from code produced by a typical C compiler, starting with the calling conventions. C++ thiscall (as in MSVC) passes the this pointer in ECX, whereas a Delphi method receives Self in EAX. C's fastcall generally passes the first two arguments in the two registers ECX and EDX, whereas Delphi's default register convention uses three, EAX, EDX and ECX. Floating-point arguments differ too: C pushes a double on the stack as two DWORDs, whereas Delphi-generated code moves floating-point values through the FPU, so you see FLD/FSTP pairs around the call instead of plain pushes. The name decoration also differs, but that is not covered here.

On calling conventions: http://baby.homeip.net/patrick/archives/000142.php

The current IDA cannot load .map/.sym symbol files directly; according to the DataRescue site (http://www.ccso.com/faq.html) they can be loaded through an .idc script instead. DeDe's IDA/Soft-ICE symbol export is supposed to detect a running Soft-ICE and import the symbols into it automatically, but it did not work well when I actually used it, so a small program that converts the .map file into an .idc script according to the .map format is more reliable. This Perl version does it:

#!/usr/bin/perl
# map2idc.pl - convert a Delphi linker .map file into an IDC script that
# names the public symbols in IDA.  Usage:  map2idc.pl prog.map > prog.idc
use strict;
use warnings;

my $HEX = '[0-9A-Fa-f]+';
my %seg_start;      # segment number -> virtual address where the segment starts
my %entries;        # virtual address -> symbol name
my $section = '';

while (<>) {
    chomp;
    # Segment table header: "Start  Length  Name  Class"
    if (/^\s*Start\s+Length\s+Name\s+Class/)   { $section = 'segments'; next; }
    # "Publics by Name" / "Publics by Value": one symbol per line
    if (/Publics by (Name|Value)/)               { $section = 'publics';  next; }
    # Detailed segment map, line-number tables and the entry point are skipped
    if (/Detailed map|Line numbers|Program entry point/) { $section = ''; next; }

    if ($section eq 'segments') {
        # e.g. " 0001:00401000 0003A4C4H .text                   CODE"
        # The Start column already holds the virtual address of the segment.
        if (/^\s*($HEX):($HEX)\s+${HEX}H\s+\S+\s+\S+/) {
            $seg_start{$1} = hex($2);
        }
    }
    elsif ($section eq 'publics') {
        # e.g. " 0001:00000010       Unit1.TForm1.FormCreate"
        # Offsets here are relative to the segment, so add the segment start.
        if (/^\s*($HEX):($HEX)\s+(\S+)/) {
            my ($seg, $offset, $name) = ($1, hex($2), $3);
            if (!exists $seg_start{$seg}) {
                print STDERR "unknown segment $seg in .map file\n";
                exit 1;
            }
            $entries{$seg_start{$seg} + $offset} = $name;
        }
    }
}

if (!%seg_start) {
    print STDERR "invalid .map file format!\n";
    exit 1;
}

dump_idc();

sub dump_idc {
    print "static main() {\n";
    foreach my $va (sort { $a <=> $b } keys %entries) {
        my $name = $entries{$va};
        $name =~ s/\[(\d+)\]/_$1/g;    # "Unit.Finalization[1]" -> "Unit.Finalization_1"
        $name =~ s/[^\w\@\$?]/_/g;      # IDA rejects '.' and other punctuation in names
        next if !$name;
        printf "MakeName(0x%08X, \"%s\");\n", $va, $name;
    }
    print "}\n";
}

Some programs decide whether the copy is registered by raising an exception, and Matt Pietrek's well-known article on structured exception handling (http://www.microsoft.com/msj/0197/Exception/Exception.aspx) is worth reading. In the assembly code every TRY block (Delphi's try/finally and try/except) has the same kind of structure:

CODE:004BDE4C xor     eax, eax
CODE:004BDE4E push    ebp
CODE:004BDE4F push    offset loc_4BDE92       ; handler for this frame
CODE:004BDE54 push    dword ptr fs:[eax]      ; save the previous handler
CODE:004BDE57 mov     fs:[eax], esp           ; install the new frame

CODE:004BDE92 loc_4BDE92:
CODE:004BDE92 jmp     _any2_handler_deverr?   ; RTL exception handler (label as captured)
CODE:004BDE97 jmp     short loc_4BDE89        ; finally block entry, never reached by fall-through

CODE:004BDEEA pop     edx                     ; previous handler
CODE:004BDEEB pop     ecx
CODE:004BDEEC pop     ecx
CODE:004BDEED mov     fs:[eax], edx           ; restore the previous handler

Note that the instruction at 4BDE97h can never be reached by falling through, because the instruction before it is an unconditional jump. What is it for? It is the entry of the corresponding finally block: the RTL handler reached through the PUSH OFFSET LOC_4BDE92 frame takes the handler address from that frame and derives the finally entry from it as the instruction immediately after the 5-byte JMP, i.e. 4BDE92h + 5 = 4BDE97h. So when debugging a program that deliberately takes the exception path, it is sometimes necessary to set breakpoints both at the handler and at the finally entry.
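As an added example (not code from the original post or from Delphi's RTL), the following Python script scans a code section for the exact frame-setup byte sequence shown in the listing above, reads the handler address pushed by PUSH OFFSET, and derives the two addresses worth breakpointing: the handler itself and the entry five bytes after it, which in the listing is the finally entry. The sample bytes are constructed to reproduce the addresses from the listing; the RTL target 0x00403A40 is an assumed placeholder. Only this one prologue variant is matched (a frame built with push dword ptr fs:[0] instead of fs:[eax] is not), and a raw byte scan can false-positive in data, so treat hits as candidates to confirm in IDA.

```python
import struct

# Frame-setup bytes for the sequence in the listing above:
#   33 C0             xor  eax, eax
#   55                push ebp
#   68 xx xx xx xx    push offset handler
#   64 FF 30          push dword ptr fs:[eax]
#   64 89 20          mov  fs:[eax], esp
SETUP_HEAD = bytes.fromhex("33c05568")       # up to and including the PUSH opcode
SETUP_TAIL = bytes.fromhex("64ff30648920")   # the two FS-prefixed instructions
JMP_REL32 = 0xE9   # 5-byte jmp: "jmp @RtlHandler" at the handler entry
JMP_REL8 = 0xEB    # 2-byte jmp short: "jmp short finally_block" right after it


def find_try_frames(code: bytes, base: int) -> list:
    """Scan a code section loaded at virtual address `base` for Delphi
    try-frame prologues and return one dict per frame found."""
    frames = []
    pos = 0
    while True:
        pos = code.find(SETUP_HEAD, pos)
        if pos < 0:
            break
        tail_at = pos + len(SETUP_HEAD) + 4             # skip the 4-byte handler address
        if code[tail_at:tail_at + len(SETUP_TAIL)] != SETUP_TAIL:
            pos += 1
            continue
        handler = struct.unpack_from("<I", code, pos + len(SETUP_HEAD))[0]
        frame = {
            "frame_setup": base + pos,   # address of "xor eax, eax"
            "handler": handler,          # value pushed by "push offset ..."
            "rtl_target": None,          # where the "jmp @RtlHandler" at the handler goes
            "finally_entry": None,       # handler + 5: the instruction after the 5-byte jmp
            "finally_block": None,       # target of the "jmp short" at finally_entry
        }
        off = handler - base
        if 0 <= off and off + 5 <= len(code) and code[off] == JMP_REL32:
            rel32 = struct.unpack_from("<i", code, off + 1)[0]
            frame["rtl_target"] = (handler + 5 + rel32) & 0xFFFFFFFF
            frame["finally_entry"] = handler + 5
            foff = off + 5
            if foff + 2 <= len(code) and code[foff] == JMP_REL8:
                rel8 = struct.unpack_from("<b", code, foff + 1)[0]
                frame["finally_block"] = handler + 5 + 2 + rel8
        frames.append(frame)
        pos = tail_at + len(SETUP_TAIL)
    return frames


def breakpoints_for(frames: list) -> list:
    """Addresses to break on when following the exception path:
    the handler entry and, where present, the finally entry."""
    bps = []
    for f in frames:
        bps.append(f["handler"])
        if f["finally_entry"] is not None:
            bps.append(f["finally_entry"])
    return bps


def build_sample() -> tuple:
    """Constructed code bytes reproducing the listing's addresses
    (setup 0x4BDE4C, handler 0x4BDE92, finally entry 0x4BDE97,
    finally block 0x4BDE89).  The RTL target address is an assumption."""
    base, handler, finally_block = 0x4BDE4C, 0x4BDE92, 0x4BDE89
    rtl_target = 0x00403A40                          # assumed RTL handler address
    code = bytearray(SETUP_HEAD + struct.pack("<I", handler) + SETUP_TAIL)
    code += b"\x90" * (handler - base - len(code))   # stand-in for the protected body
    code += bytes([JMP_REL32]) + struct.pack("<i", rtl_target - (handler + 5))
    code += bytes([JMP_REL8]) + struct.pack("<b", finally_block - (handler + 5 + 2))
    return bytes(code), base


if __name__ == "__main__":
    sample, base = build_sample()
    frames = find_try_frames(sample, base)
    for f in frames:
        print({k: (hex(v) if v is not None else None) for k, v in f.items()})
    print("breakpoints:", [hex(a) for a in breakpoints_for(frames)])
```

Run it against a real section by reading the .text bytes from the PE and passing the section's virtual address as `base`; the printed handler and finally_entry values are the two breakpoints the paragraph above recommends.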

That is all for today; there may be a follow-up.

Please cite the original address when reposting: https://www.9cbs.com/read-26578.html
