
http://www.buidao.com

11/3/22

[Reverse] Reverse engineering Delphi executables

1/ IDR can be good for viewing class metadata and generating scripts that can (sometimes) improve IDA results, although they usually need to be manually edited to fix some bogus results.

https://github.com/crypto2011/IDR 

2/ With IDA, I've noticed it sometimes doesn't automatically detect a Delphi executable, so you can improve the analysis by:

- Open the executable but uncheck automatic analysis.
- Options -> Compiler: set the compiler to Delphi with the Fastcall calling convention.
- Set the default string literal type to Delphi or Delphi (16 bits), depending on how recent the executable is.
- View -> Open Subviews -> Type libraries: remove the defaults.
- View -> Open Subviews -> Signatures: remove the default and add the FLIRT signatures for your target (for example "bds" for Delphi 6/7), plus mssdk32/64.
- Finally, start the analysis.

This can help quite a bit, although the FLIRT signatures tend to produce a lot of false positives for VCL functions, so be aware of that.
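The string-literal choice above matters because Delphi string constants do not look like C strings: a ShortString is a length byte followed by characters, and a long string is a record whose header sits *before* the character data (refcount and length in Delphi 7 and earlier; codepage and element size were added in Delphi 2009, which is also when 16-bit UnicodeString became the default). The following added example (not part of the original post; the byte blobs are constructed) decodes both layouts from the offset a data pointer in the image would point at, which is what you check by hand when IDA shows a string as garbage:

```python
import struct

# Delphi string layouts (System.pas StrRec). Offsets are relative to the
# first character, i.e. the address a string pointer actually holds.
#   ShortString (all versions):    [len:u8][chars]
#   Long string, Delphi <= 2007:   [refCnt:i32][length:i32][chars][0]
#   Long string, Delphi >= 2009:   [codePage:u16][elemSize:u16][refCnt:i32][length:i32][chars][0..]
# String constants baked into the image carry refCnt == -1.

def parse_short_string(buf: bytes, off: int) -> str:
    """Decode a ShortString whose length byte is at buf[off]."""
    n = buf[off]
    return buf[off + 1: off + 1 + n].decode("latin-1")

def parse_long_string(buf: bytes, data_off: int, unicode_era: bool) -> dict:
    """Decode a long string from the offset of its first character.
    unicode_era=True selects the Delphi 2009+ header (codepage/elemsize)."""
    hdr = 12 if unicode_era else 8
    if data_off < hdr:
        raise ValueError("header would start before the buffer")
    if unicode_era:
        codepage, elem, refcnt, length = struct.unpack_from("<HHii", buf, data_off - 12)
    else:
        codepage, elem = 0, 1
        refcnt, length = struct.unpack_from("<ii", buf, data_off - 8)
    if elem not in (1, 2) or length < 0:
        raise ValueError("not a plausible Delphi string header")
    end = data_off + length * elem
    # a constant literal is followed by one terminating element of zero bytes
    if buf[end:end + elem] != b"\0" * elem:
        raise ValueError("missing terminator")
    text = buf[data_off:end].decode("utf-16-le" if elem == 2 else "latin-1")
    return {"text": text, "constant": refcnt == -1, "elemsize": elem, "codepage": codepage}

# Constructed samples: a ShortString, a Delphi 7 AnsiString constant and a
# Delphi 2009+ UnicodeString constant (codepage 1200 = UTF-16LE).
SHORT = b"\x05Hello"
OLD_LONG = struct.pack("<ii", -1, 5) + b"Hello\0"
NEW_WIDE = struct.pack("<HHii", 1200, 2, -1, 5) + "Hello".encode("utf-16-le") + b"\0\0"

if __name__ == "__main__":
    print(parse_short_string(SHORT, 0))
    print(parse_long_string(OLD_LONG, 8, unicode_era=False))
    print(parse_long_string(NEW_WIDE, 12, unicode_era=True))
```

Feeding the Delphi 7 blob through the 2009+ header (or vice versa) fails the plausibility checks rather than returning text, which mirrors why picking the wrong string type in IDA leaves literals undetected.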

3/ Check this out:
https://github.com/Coldzer0/IDA-For-Delphi

4/ Python 3.9 support for IDA 7.5

https://hex-rays.com/blog/python-3-9-support-for-ida-7-5/