NeonFlash
March 25th, 2012, 03:20
Hello,
I have an application compiled using Delphi 6 or 7. It was initially packed using ASPack. I unpacked it manually, dumped it and rebuilt the import table using ImpRec.
After loading it in Olly once again post unpacking, I again get the message that the OEP is outside the code section.
If I check the strings now, I can see meaningful strings in it and references to certain websites it attempts to connect to. I can also see references to Registry Key Paths and so on.
I tried stepping through the code in the debugger to analyze it and noticed that after the first few instructions there is some junk code because of which it crashes.
I proceeded with another approach after this. I used DeDe to decompile the unpacked Delphi exe.
Exported the project, which gave me a .dfm (form) and a .dpr (project) file. I loaded this into Delphi XE2 to see what it does. However, it only shows information specific to TAppService, which tells me that it is trying to install a Windows Service.
Below is the first few lines of disassembly of the unpacked exe code:
Code:
PUSH EBP
MOV EBP,ESP
ADD ESP,-10
PUSH EBX
MOV EAX,dumped_.0046AF50
CALL dumped_.00406C24
MOV EAX,DWORD PTR DS:[46EA14]
MOV BYTE PTR DS:[EAX],2F
// The instructions below pass a date/time format repeatedly to a subroutine
MOV EAX,DWORD PTR DS:[46EAAC]
MOV EDX,dumped_.0046C954 ; ASCII "yyyy/mm/dd"
CALL dumped_.00404BB0
MOV EAX,DWORD PTR DS:[46ECE0]
MOV EDX,dumped_.0046C954 ; ASCII "yyyy/mm/dd"
CALL dumped_.00404BB0
MOV EAX,DWORD PTR DS:[46E9A8]
MOV EDX,dumped_.0046C968 ; ASCII "hh:mm:ss"
CALL dumped_.00404BB0
MOV EAX,DWORD PTR DS:[46EBF0]
MOV EDX,dumped_.0046C968 ; ASCII "hh:mm:ss"
CALL dumped_.00404BB0
MOV EAX,DWORD PTR DS:[46EC30]
MOV EAX,DWORD PTR DS:[EAX]
CMP BYTE PTR DS:[EAX+30],0
JE SHORT dumped_.0046C916
MOV EAX,DWORD PTR DS:[46EC30]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[EAX]
CALL DWORD PTR DS:[EDX+34]
MOV ECX,DWORD PTR DS:[46EA2C] ; dumped_.00473D24
MOV EAX,DWORD PTR DS:[46EC30]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[46AA9C] ; dumped_.0046AAE8
MOV EBX,DWORD PTR DS:[EAX]
CALL DWORD PTR DS:[EBX+30]
MOV EAX,DWORD PTR DS:[46EC30]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[EAX]
CALL DWORD PTR DS:[EDX+38]
POP EBX
CALL dumped_.004049B4 // the call instruction which crashes the application
DD FFFFFFFF
DD 0000000A
When I step into the last call subroutine above (004049b4), there is a call to kernel32.ExitProcess.
However, I can't seem to find a way to bypass that. And even if I manage to bypass it somehow, once I return from this subroutine, I will end up at another junk code.
Any suggestions?
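One thing worth checking before chasing the crash further is what the "entry point outside the code section" warning is actually reacting to in the dumped file. The script below is an added example (not code from the poster or from any of the tools named in the thread): it parses the PE headers of a dump with nothing but the standard library and reports which section the entry RVA lands in, whether that section carries the code/execute characteristics, and whether the RVA lies inside the BaseOfCode/SizeOfCode range the optional header still advertises. It is an assumption on my part that the warning text "as specified in the PE header" refers to that last range; the function names and the `build_sample_pe` header (a constructed two-section layout with a Delphi-style CODE section, not a real binary) are mine.

```python
import struct
import sys

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Parse the headers of a PE32/PE32+ image held in memory and return the
    fields needed to locate the entry point: AddressOfEntryPoint, the
    BaseOfCode/SizeOfCode range and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # SizeOfCode, AddressOfEntryPoint and BaseOfCode sit at the same offsets in PE32 and PE32+.
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    base_of_code = struct.unpack_from("<I", data, opt + 20)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40          # section table follows the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize, "rptr": rptr, "chars": chars})
    return {"entry_rva": entry_rva, "base_of_code": base_of_code,
            "size_of_code": size_of_code, "sections": sections}


def section_for_rva(rva: int, sections: list):
    """Return the section whose virtual range covers rva, or None.
    A dumped image may carry a zero VirtualSize, so the larger of
    VirtualSize and SizeOfRawData is used as the extent."""
    for sec in sections:
        extent = max(sec["vsize"], sec["rsize"])
        if sec["va"] <= rva < sec["va"] + extent:
            return sec
    return None


def check_entry_point(data: bytes) -> dict:
    """Report where the entry point lands: which section, whether that section
    is flagged as code/executable, and whether the RVA lies inside the
    BaseOfCode/SizeOfCode range advertised by the optional header."""
    hdr = parse_pe(data)
    ep = hdr["entry_rva"]
    sec = section_for_rva(ep, hdr["sections"])
    return {
        "entry_rva": ep,
        "section": sec["name"] if sec else None,
        "executable": bool(sec and sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        "in_header_code_range": hdr["base_of_code"] <= ep < hdr["base_of_code"] + hdr["size_of_code"],
    }


def build_sample_pe(entry_rva: int, base_of_code: int = 0x1000, size_of_code: int = 0x1000) -> bytes:
    """Constructed PE32 header for offline testing (not a real binary): a Delphi-style
    CODE section at RVA 0x1000 and a .data section at RVA 0x2000, no section bodies."""
    secs = [(b"CODE", 0x1000, 0x1000, 0x60000020),    # code | execute | read
            (b".data", 0x2000, 0x1000, 0xC0000040)]   # initialized data | read | write
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                    # PE32 optional header, 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 20, base_of_code)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, size, va, size, 0x400 + i * 0x1000, 0, 0, 0, 0, ch)
                     for i, (n, va, size, ch) in enumerate(secs))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Usage: python check_ep.py dumped_.exe   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x1234)
    for k, v in check_entry_point(blob).items():
        print("%-22s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

Run it against the dump that ImpRec wrote: if `section` is None or `executable` is False, the OEP you gave ImpRec does not sit in any executable section of the dump, which points at a wrong OEP or a mangled section table rather than at the code itself; if the section looks right but `in_header_code_range` is False, the warning is coming from stale BaseOfCode/SizeOfCode values and can be fixed in the header without touching the code.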