Decompiling Delphi - 2

I came across this on the delphi.about.com web site and thought it useful to add it as a reference here.

continued from part one

For the moment, Borland does not offer any product capable of decompiling an executable (.exe) file or the "Delphi compiled unit" (.dcu) back to the original source code (.pas).

Delphi compiled unit: DCU

When a Delphi project is compiled or run, a compiled unit (.dcu) file is created. By default the compiled version of each unit is stored in a separate binary-format file with the same name as the unit file, but with the extension .DCU. For example, unit1.dcu contains the code and data declared in the unit1.pas file. This means that if you have, for example, someone's compiled component source, all you have to do is reverse it and get the code. Wrong. The DCU file format is undocumented (a proprietary format) and may change from version to version.

After the compiler: Delphi Reverse Engineering

If you would like to try to decompile a Delphi executable file, these are some of the things you should know:

Delphi program source files are usually stored in two file types: ASCII code files (.pas, .dpr) and resource files (.res, .rc, .dfm, .dcr). Dfm files contain the details (properties) of the objects contained in a form. When creating an exe, Delphi copies the information in the .dfm files into the finished .exe code file. Form files describe each component in your form, including the values of all persistent properties. Every time we change a form's position or a button's caption, or assign an event procedure to a component, Delphi writes those modifications to a DFM file (but not the code of the event procedure, which is stored in the pas/dcu file).

In order to get the "dfm" from the executable file we need to understand what types of resources are stored inside a Win32 executable. All programs compiled by Delphi have the following sections: CODE, DATA, BSS, .idata, tls, .rdata, .rsrc. The most important from a decompiling point of view are the CODE and .rsrc sections.

The "Adding functionality to a Delphi program" article shows some interesting facts about the Delphi executable format, class info and DFM resources: how to reassign events to be handled by other event handlers defined in the same form, and, even more, how to add your own event handler, adding code to the executable, that will change the caption of a button.

Among the many types of resources that are stored in an exe file, RT_RCDATA, the application-defined resource (raw data), holds the information that was in the DFM file before compilation. In order to extract the DFM data from an exe file we can call the EnumResourceNames API function... For more information on extracting DFM data from an executable, see the "Coding a Delphi DFM explorer" article.
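To make the RT_RCDATA point concrete, here is an added example (not code from the original article) that takes raw-data resources already pulled out of an exe and picks out the ones holding form data, reading the root object's class name, object name and simple properties. It assumes the binary form layout used by Delphi's streaming system (a `TPF0` signature, length-prefixed strings, one type byte per value); the function names and the sample resources are constructed for illustration, and only the root object with a few value types is handled.

```python
import struct
# Subset of Delphi's TValueType codes, enough for simple published properties.
VA_INT8, VA_INT16, VA_INT32, VA_STRING, VA_IDENT, VA_FALSE, VA_TRUE = 2, 3, 4, 6, 7, 8, 9
INT_FORMATS = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i"}

def read_str(buf, pos):
    """Read a string with a 1-byte length prefix; return (text, next_pos)."""
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 1:end].decode("latin-1"), end

def read_value(buf, pos):
    kind, pos = buf[pos], pos + 1        # one type byte precedes every value
    if kind in (VA_STRING, VA_IDENT):    # idents include event handler method names
        return read_str(buf, pos)
    if kind in (VA_FALSE, VA_TRUE):
        return kind == VA_TRUE, pos
    if kind in INT_FORMATS:
        fmt = INT_FORMATS[kind]
        return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    raise ValueError(f"value type {kind} not handled in this example")

def parse_dfm_root(blob):
    """Return (class_name, object_name, props) of the root object, or None if not a form."""
    if blob[:4] != b"TPF0":              # signature of a binary form resource
        return None
    cls, pos = read_str(blob, 4)
    name, pos = read_str(blob, pos)
    props = {}
    while pos < len(blob) and blob[pos] != 0:   # a zero byte ends the property list
        key, pos = read_str(blob, pos)
        props[key], pos = read_value(blob, pos)
    return cls, name, props

def find_forms(rcdata):
    return {n: p for n, b in rcdata.items() if (p := parse_dfm_root(b)) is not None}

def _s(text):                            # only used to build the constructed sample
    return bytes([len(text)]) + text.encode("latin-1")

# Constructed sample: two RT_RCDATA entries, as a resource dump of an exe might yield.
SAMPLE_RCDATA = {
    "TFORM1": b"TPF0" + _s("TForm1") + _s("Form1")
              + _s("Left") + bytes([VA_INT16]) + struct.pack("<h", 192)
              + _s("Caption") + bytes([VA_STRING]) + _s("Login")
              + _s("OnCreate") + bytes([VA_IDENT]) + _s("FormCreate")
              + b"\x00\x00",             # end of properties, end of child objects
    "DVCLAL": bytes(16),                 # raw data that is not a form
}
```

Calling `find_forms(SAMPLE_RCDATA)` returns only the `TFORM1` entry; the `OnCreate` property carries just the handler's name, since the handler's code lives in the CODE section rather than in the form data.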
