By ro0ted | February 20, 2015 - 00:59 | Posted in /b/ | 11 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Unwinding Delphi Walk Through

Before I can post how to Reverse a Commercial Program aka Real Program it’s vital we understand Delphi Binaries as real programs use Delphi ex: Commview. This is another Spectator tutorial. Pay attention. This is just a walk Through –



Tools used:




Resource Hacker





So we run the target in ExeInfoPE an .exe analyzer.


Coded in Delphi/Not Packed. Boot up Ollydbg.


Let’s load this in Resource Hacker; let’s see what we can discover…


sometimes the most important sub-folder (resource sections) are the TFORM sections. These are the windows/dialog boxes in the Delphi program. In this particular crackme, we can see that there is one form, TFORM1. Clicking on the little flower inside TFORM1 opens the main data area for this section in Resource Hacker (as you can see above). This data tells you everything about the form; the size, the colors, the placement on the screen, the title (caption), any fields or buttons it has in it- everything.

Usually, the first place I look is the ‘Caption’ as this tells you what will be in the title bar in the window. In this case it’s “Delphi – MsgBoxes”. The importance of this field is, in an app that has many forms called TFORM1, TFORM2, TFORM3… it is difficult to know which form is associated with which window. Looking at the captions can help distinguish this. For example, the caption may say “Register” letting us know it’s the registration screen, or “About” for the about screen.

Introducing DeDe aka Delphi Decompiler.


Delphi Decompiler loads  a Delphi program and breaks it down for you, showing all the forms data we’ve seen, but also where all the methods are called, the address of all the methods, and the method names. It also shows a complete decompilation of the binary if we wish, along with capabilities to modify it.


Now that I’ve showed you all modules, we click Forms>DFM Editor.


Next tab> Procedures.


Let’s Search All Referenced Text Strings in Ollydbg:


No luck.


Let’s go to the Registered Address 00457F15



We didn’t even have to click the button.

Conclusion: Most delphi programs are packed so DeDe won’t work.


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview +


(Visited 355 times, 1 visits today)

  • You can follow any responses to this entry through the RSS 2.0 feed.
  • Both comments and pings are currently closed.