Thread: Delphi without Dede?

  1. #1
    Scally
    Guest

    Delphi without Dede?

    Can anyone recommend tutorial(s) on working with Delphi, where Dede/revendre etc cannot show the detail of the code?
    The file in question was discussed in an earlier thread where Kayaker came up with a way of unpacking the UPX host which did not unpack correctly with UPX -d. (use icedump \pedump 400000 file)
    Having done this, with no clues from the usual tools, I just get hopelessly lost in the code. Registers (& the pointed to addresses) don't seem to show anything related to the days left or entered string.
    The forms don't seem to have the usual names (e.g. no tmainform) & there are refs in the prog to bits being compressed which is why, I guess, Dede can't show the detail.
    h*tp://www.legacyfamilytree.com/GENViewerDownload.asp
    I'm pretty sure the process I need is 'butapplyclick' which is at o/s 1660166 (0x00195506) or 02131610 (0x0020869a) in the unpacked version of the file. Is there a way of using this location to find the proc in sice?
    Alternatively a good tut would help.
    TIA
    Scally
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker (Teach, Not Flame)
    Hi Scally,

    DeDe is handy, but what it's most useful for is giving an RVA to break on for OnClick events. You see this under Procedures/Events - an RVA dword and a Hint word. All you need to do is figure out where DeDe gets this info from and get it yourself from the file. To do this you need to know how Delphi stores this info.

    If you look at the pedump of that Genviewer proggy in Exescope you find under the TdlgEnterLicense form the OnClick event you're looking for:

    object butApply: TBitBtn
    Caption = 'Apply'
    OnClick = butApplyClick

    Even better than searching the resources with Exescope, get a copy of D-Peeper h*tp://batry.hypermart.net/D_Peeper.htm
    which allows you to click directly on Delphi components (like the 'Apply' button in the reg box) and get their Event names.

    If I use D_Peeper on that button I get:
    OnClick = dlgEnterLicense.butApplyClick // TdlgEnterLicense

    OK, now do a hex search for dlgEnterLicense or butApplyClick and you find:

    001954FF 1400 6C61 5900 0D62 7574 4170 706C 7943 ..laY..butApplyC
    0019550F 6C69 636B 1054 646C 6745 6E74 6572 4C69 lick.TdlgEnterLi
    0019551F 6365 6E73 65 cense

    The 7 bytes before the ascii are what's important.
    The 1st WORD is the 'Hint' you would see in DeDe (0014)
    The next DWORD is the RVA of that event (0059616C)
    The next BYTE is the length of the text that follows (0D)

    Now just set a bpx 59616C, enter some s/n and press Apply. And whaddya know, it breaks

    And to think I almost deleted the thing

    Kayaker
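    Added example (not Kayaker's or Scally's code): a small Python decoder for the 7-byte prefix plus ShortString name described above, run over the hex dump from the post. The offset-3 read reproduces the misaligned value Scally reports later in the thread; the same structure is what an analyst decodes when recovering event-handler names from a Delphi-compiled binary.

```python
# Added example (not from the thread): decode the WORD / DWORD / ShortString
# layout that precedes a Delphi event-handler name, using the posted dump.
import struct
from dataclasses import dataclass

# Bytes exactly as printed in the post's hex dump (file offset 0x1954FF of
# the unpacked binary); offsets below are relative to this buffer.
SAMPLE = bytes.fromhex(
    "1400 6C61 5900 0D62 7574 4170 706C 7943"
    "6C69 636B 1054 646C 6745 6E74 6572 4C69"
    "6365 6E73 65"
)

@dataclass
class MethodEntry:
    word: int      # leading WORD, shown as 'Hint' in DeDe (0x0014 here: 2+4+1+13)
    address: int   # little-endian DWORD: the handler address to break on
    name: str      # ShortString: one length byte, then that many ASCII chars
    offset: int    # where the 7-byte prefix starts in the buffer

def parse_shortstring(buf: bytes, off: int) -> str:
    """Delphi ShortString: a length byte followed by the characters."""
    length = buf[off]
    text = buf[off + 1: off + 1 + length]
    if len(text) != length:
        raise ValueError("truncated ShortString")
    return text.decode("latin-1")

def parse_entry(buf: bytes, off: int) -> MethodEntry:
    """WORD, DWORD, then the name; '<' forces little-endian with no padding."""
    if off < 0 or off + 7 > len(buf):
        raise ValueError("no room for the 7-byte prefix")
    word, address = struct.unpack_from("<HI", buf, off)
    return MethodEntry(word, address, parse_shortstring(buf, off + 6), off)

def find_entry_by_name(buf: bytes, name: str) -> MethodEntry:
    """Hex-search for the ShortString (length byte + text), as the post does,
    then step back over the DWORD (4) and the WORD (2) to the entry start."""
    pos = buf.find(bytes([len(name)]) + name.encode("ascii"))
    if pos < 0:
        raise LookupError(name)
    return parse_entry(buf, pos - 6)

def class_name_after(buf: bytes, entry: MethodEntry) -> str:
    """In this dump the ShortString right after the entry is the owning form class."""
    return parse_shortstring(buf, entry.offset + 7 + len(entry.name))

def misaligned_dword(buf: bytes, entry: MethodEntry) -> int:
    """Start one byte late so the length byte lands in the high byte of the DWORD:
    this is the nonsense value you get when the prefix is read off by one."""
    return struct.unpack_from("<I", buf, entry.offset + 3)[0]

if __name__ == "__main__":
    e = find_entry_by_name(SAMPLE, "butApplyClick")
    print(f"{e.name}: word={e.word:#06x} address={e.address:#010x} "
          f"class={class_name_after(SAMPLE, e)}")
    print(f"misaligned read gives {misaligned_dword(SAMPLE, e):#010x}")
```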

  3. #3
    Kythen
    Guest
    Kayaker, you forgot to mention that D-Peeper is a good exercise in playing with Asprotect

    I usually avoid unpacking stuff like the plague (crypto/LMs/dongles my preference), but it was a fun little diversion!

    Thanks for finding this new tool and a good way for me to waste half the morning! <g>

  4. #4
    Kayaker (Teach, Not Flame)
    Kythen (07-18-2001 09:49):
    Kayaker, you forgot to mention that D-Peeper is a good exercise in playing with Asprotect
    Oh, didn't I mention that little detail? ;D

  5. #5
    Scally
    Guest
    Hi Kayaker,
    Thanks, I've learned a lot from this & can now clear a lot of clutter off the HD.
    I looked at a couple of tuts before that I found on the net & what was screwing me up was the hint. The tuts said look before the proc, which I did - I saw 6159 000D & translated it to 0D005961 (i.e. nonsense) - when what I needed was to ignore the 000D & go back one. The protection was fairly easy after that, 5961ad/596243 & the initial compare on opening at 5979e9.
    Thanks, I'll not be so feared of delphi again.... or maybe....
    Scally
