Thread: Delphi Big Lib Signature Problem

  1. #1

    Delphi Big Lib Signature Problem

    Whenever I come to crypto reversing, my main problem is detecting the libraries.
    I'm reversing this Delphi program which uses the big library (TLBRijndael, TLbBigInt,...).
    Some stream procedures like SetPos() or GetSize() are identified by IDA. The point is,
    before starting the main algorithm, after calling nearly 20 library functions, the program
    throws an exception and skips the rest of the code. Maybe it's because of some division by zero
    or something else. But if I cannot detect the functions I must guess the problem.

    Have any of you guys tried reversing Delphi's big library or know any sig for that?

    I remember black-eye had some crypto/big sig but his website doesn't work atm.
    Googling gave me nothing and, even worse, the search section acts so weird, it even
    returns "no match" for the "Assembly" keyword, let alone "Delphi" or "TLB"!!
    (this paragraph is more dedicated to JMI)

  2. #2
    Thank you for the dedication, and for searching before you posted. I am a little perplexed by your reported search results, however. Putting "assembly" (without the quotes) in the main search box, above, and choosing the radio button for "posts", the search result identified 500 posts! Using "Assembly", with the capital "A", produced none.

    Using "Delphi" (without the quotes, but with the capital "D"), I got "0" results; however, using "delphi", without the capital "D", I got 383 posts, including yours.

    Similar results for "TLB". No hits for "TLB", but 9 posts for "tlb."

    One would reasonably conclude that, at the moment, the search function is set to "case sensitive." I'll check the adminCP and confirm whether that is an option which can be changed.

    Regards,
    JMI

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I guess I am missing the question, but: what prevents you from getting your hands on Delphi, the Delphi big library with all its headings and linking info, then generating the sig yourself?

  4. #4
    Well naides, it's not that easy for me to get my hands on the Delphi Big Libs. I didn't even know whether this library I'm facing comes with the official package (as you say, it comes). And I was checking if there's already a signature for that so I don't bother doing that from the beginning. Btw, I think my only solution is stepping through the procedures and finding out what each method does, which looks like a nightmare to me.

  5. #5
    Naides is Nobody
    Let me check on my computer...

    http://sourceforge.net/projects/tplockbox may have what you need?
    Look at the tplockbox documentation.
    My Delphi (2007) does not include TLBRijndael, TLbBigInt objects but these guys (Lockbox) apparently were the ones that implemented them. . .

    I am not sure.
    Can you expand a little on Delphi "big libs"?
    Perhaps I do have them but I am not sure what I am looking for.

  6. #6
    Thanks for the doc link, downloading it right now.
    The _cls_LbClass_TLbRijndael class was identified by IDA and I saw TLbRijndael and TLbBigInt while stepping through the code. Some other hardcoded TLbs I found in the exe file (not encountered during the debugging yet, I think I'll see them after passing the exception) are:

    TLbCipherMode
    TLbCipher
    TLbSymmetricCipher
    TLbKeySizeRDL
    TLbAsymmetricKey
    TLbRSAKey
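
Added example, not part of the thread and not LockBox or IDA code: Delphi keeps class names in the binary as length-prefixed ShortStrings, so the `TLb*` classes listed in the post above can be inventoried with a short scan before any signature is built. The function name, the default prefix and the sample bytes are constructed for illustration.

```python
import re

# Assumption: class names are stored as Delphi ShortStrings, i.e. one length
# byte followed by that many ASCII identifier characters.
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*")

def find_class_names(data: bytes, prefix: bytes = b"TLb") -> dict:
    """Map each length-prefixed identifier starting with `prefix`
    (case-insensitive) to the offsets of its length byte."""
    hits = {}
    haystack, needle = data.lower(), prefix.lower()
    pos = haystack.find(needle)
    while pos != -1:
        if pos > 0:
            n = data[pos - 1]                 # candidate length byte
            body = data[pos:pos + n]
            # Accept only if the length byte covers exactly one identifier.
            if n >= len(prefix) and len(body) == n and IDENT.fullmatch(body):
                hits.setdefault(body.decode("ascii"), []).append(pos - 1)
        pos = haystack.find(needle, pos + 1)
    return hits

def _short(name: bytes) -> bytes:
    """Encode a name the way a ShortString is laid out: length byte + text."""
    return bytes([len(name)]) + name

# Constructed sample, not bytes from the program discussed in the thread.
SAMPLE = (
    b"\x00\x10MZ-junk "
    + b"TLbDecoy string\x00"          # plain text: no valid length byte
    + _short(b"TLbRijndael") + b"\x8b\xc0"
    + _short(b"TLbBigInt") + b"\x00"
    + _short(b"TLbRSAKey")
    + _short(b"TStream")              # RTL class, outside the prefix
)

if __name__ == "__main__":
    for name, offsets in sorted(find_class_names(SAMPLE).items()):
        print(f"{name:<16} at {[hex(o) for o in offsets]}")
```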

  7. #7
    It seems the program is using LockBox. I think all I have to do is compile the package, make signatures from it and load them into IDA.
    But I don't have a Borland compiler (neither BC nor Delphi) and this would be my first signature extraction.
    thank you naides! you helped me a lot

  8. #8
    Registered User
    Join Date
    Aug 2005
    Location
    Greece
    Posts
    157
    With DeDe you can identify 3rd party libraries.
    A picture is worth 1K words (or .5K DWORDS).

  9. #9
    Naides is Nobody
    You can download a demo version of Codegear RAD-Studio, as long as you do the compiling/sig extraction in less than 30 days...

  10. #10
    TurboDelphi, and in general all TurboX versions are free. check them out.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  11. #11
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    The following should be a good place to start your IDA signature creation adventures, nanobit:

    http://www.woodmann.com/collaborative/tools/index.php/Category:IDA_Signature_Creation_Tools
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  12. #12
    thank you all
