
Thread: Delphi App Reversing with Olly

  1. #1

    Delphi App Reversing with Olly

    Hello,

    I have an application compiled using Delphi 6 or 7. It was initially packed using ASPack. I unpacked it manually, dumped it and rebuilt the import table using ImpRec.

    After loading it in Olly once again post unpacking, I again get the message that the OEP is outside the code section.

    If I check the strings now, I can see meaningful strings in it and references to certain websites it attempts to connect to. I can also see references to Registry Key Paths and so on.

    I tried stepping through the code in the debugger to analyze it and noticed that after the first few instructions there is some junk code, because of which it crashes.

    I proceeded with another approach after this. I used DeDe to decompile the unpacked Delphi exe.

    Exported the project, which gave me a .dfm (form) and .dpr (project) file. I loaded this into Delphi XE2 to see what it does. However, it only shows information specific to TAppService, which tells me that it is trying to install a Windows Service.

    Below are the first few lines of disassembly of the unpacked exe code:

    Code:
    PUSH EBP
    MOV EBP,ESP
    ADD ESP,-10
    PUSH EBX
    MOV EAX,dumped_.0046AF50
    CALL dumped_.00406C24
    MOV EAX,DWORD PTR DS:[46EA14]
    MOV BYTE PTR DS:[EAX],2F
    
    // Below section of instructions pass a date/time format repeatedly to a subroutine
    
    MOV EAX,DWORD PTR DS:[46EAAC]
    MOV EDX,dumped_.0046C954                 ;  ASCII "yyyy/mm/dd"
    CALL dumped_.00404BB0
    MOV EAX,DWORD PTR DS:[46ECE0]
    MOV EDX,dumped_.0046C954                 ;  ASCII "yyyy/mm/dd"
    CALL dumped_.00404BB0
    MOV EAX,DWORD PTR DS:[46E9A8]
    MOV EDX,dumped_.0046C968                 ;  ASCII "hh:mm:ss"
    CALL dumped_.00404BB0
    MOV EAX,DWORD PTR DS:[46EBF0]
    MOV EDX,dumped_.0046C968                 ;  ASCII "hh:mm:ss"
    CALL dumped_.00404BB0
    
    
    MOV EAX,DWORD PTR DS:[46EC30]
    MOV EAX,DWORD PTR DS:[EAX]
    CMP BYTE PTR DS:[EAX+30],0
    JE SHORT dumped_.0046C916
    
    
    MOV EAX,DWORD PTR DS:[46EC30]
    MOV EAX,DWORD PTR DS:[EAX]
    MOV EDX,DWORD PTR DS:[EAX]
    CALL DWORD PTR DS:[EDX+34]
    MOV ECX,DWORD PTR DS:[46EA2C]            ;  dumped_.00473D24
    MOV EAX,DWORD PTR DS:[46EC30]
    MOV EAX,DWORD PTR DS:[EAX]
    MOV EDX,DWORD PTR DS:[46AA9C]            ;  dumped_.0046AAE8
    MOV EBX,DWORD PTR DS:[EAX]
    CALL DWORD PTR DS:[EBX+30]
    MOV EAX,DWORD PTR DS:[46EC30]
    MOV EAX,DWORD PTR DS:[EAX]
    MOV EDX,DWORD PTR DS:[EAX]
    CALL DWORD PTR DS:[EDX+38]
    POP EBX
    CALL dumped_.004049B4 // the call instruction which crashes the application
    DD FFFFFFFF
    DD 0000000A

    When I step into the last call subroutine above (004049b4), there is a call to kernel32.ExitProcess.

    However, I can't seem to find a way to bypass that. And even if I manage to bypass it somehow, once I return from this subroutine, I will end up at another junk code.

    Any suggestions?
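Olly's "entry point is outside the code section" message is a plain header check that an analyst can repeat on the dump without a debugger. The script below is an added example, not code from the original post: it walks the PE headers with struct, maps AddressOfEntryPoint onto the section table and reports whether the containing section is flagged as code. The header stub it builds is constructed (Delphi-style CODE/DATA names, made-up sizes and RVAs) and is not a runnable binary.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def check_entry_point(pe: bytes) -> dict:
    """Map AddressOfEntryPoint onto the section table of a PE image or dump.

    Returns {"entry": rva, "section": name or None, "executable": bool};
    section is None when the RVA lands in no section at all.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]    # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size                               # first section header
    for i in range(nsect):
        name, vsize, va, *_, chars = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        if va <= entry < va + vsize:
            is_code = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
            return {"entry": entry, "section": name.rstrip(b"\0").decode(), "executable": is_code}
    return {"entry": entry, "section": None, "executable": False}


def build_sample(entry_rva: int) -> bytes:
    """Constructed PE32 header stub (assumed values, no real code) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    code = struct.pack(SECTION_FMT, b"CODE", 0x6A000, 0x1000, 0x6A000, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    data = struct.pack(SECTION_FMT, b"DATA", 0x2000, 0x6B000, 0x2000, 0x6A400, 0, 0, 0, 0,
                       0x40 | 0x40000000 | 0x80000000)             # initialized data, r/w
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + data


if __name__ == "__main__":
    for rva in (0x6AF50, 0x6C000, 0x70000):
        print(check_entry_point(build_sample(rva)))
```

On a real dump, replace build_sample() with the file bytes; an entry point that maps to DATA or to no section at all is the condition Olly is warning about and usually means the OEP or the section table was not rebuilt correctly.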

  2. #2
    ZaiRoN
    What's inside 0x4049b4 of the original packed application?
    A mind is like a parachute. It doesn't work if it's not open.

  3. #3
    Does the unpacked file run fine on its own (without being launched by Olly)? If it doesn't, maybe it's an issue with your manually rebuilt import table...

    If that is not the case, there could be some anti-debug trick.

    Best regards

    Nacho_dj

  4. #4
    Hi,

    Thank you for the replies. It appears that there is some problem with the exe, since nothing happens when I run it even outside the debugger. I need to check it once again. I even tried to change the subsystem of the exe from Win GUI to console mode and thought I could make it work.

    It appears it attempts to install a service and run as a Windows service.

    I shall update this thread with more details soon.
