crypto2011 / idr
Interactive Delphi Reconstructor
License: MIT License
About constant (const) parameters: in the current version of IDR, they are all treated as variable (var) parameters.
For example:
    function CompareStr(const S1, S2: string): Integer;
In IDR, we get the following result:
    function CompareStr(var S1: AnsiString; var S2: AnsiString): Integer;
I have corrected this problem.
IDR GUI is really very very huge in case W10 is doing scaling by means of OS,
it is not possible to work in that use-case
example:
I have attempted to decompile the EXE attached, and whenever I attempt to open it, it will show a message.
and this is the EXE i want to decompile.
In file Decompiler.cpp in function TDecompiler::Decompile there is a piece of code
    if ((flags & (CF_FINALLY | CF_EXCEPT)))
    {
        _curPos += _instrLen; _curAdr += _instrLen;
        continue;
    }
    if (DisInfo.Call)
    {
        if (flags & cfExcept)
        {
            _recN = GetInfoRec(DisInfo.Immediate);
            if (_recN->SameName("@DoneExcept"))
            {
                _curPos += _instrLen; _curAdr += _instrLen;
                break;
            }
        }
    }
Are you sure that cfExcept is the right one to use - I think it should be CF_EXCEPT ?
Getting AV (AccessViolation) error on latest idr.exe
steps
Load exe
goto CodeViewer page (F6)
Fuzzy scan KB
getting:
target might be sent in private
Please add support for the last version of Delphi
In file TabUnits.cpp in function TFMain_11011981::ShowUnitItems there is a piece of code
    //Skip calls, that are in the body of some asm-procs (for example, FloatToText from SysUtils)
    if (kind >= ikRefine && kind <= ikFunc && recN->procInfo && (recN->procInfo->flags & cfEmbedded)) continue;
Are you sure that cfEmbedded is the right one to use - I think it should be PF_EMBED ?
Hi crypto2011,
The issue occurs when I try to disassemble this target.
You can check link below: (DSR.exe)
Regards,
I've been working to run the code on Embarcadero C++ 10.2 Tokyo. Now I have a functional version with a lot of bugs to correct!
If you allow it, could you create a new branch (called cbuilder-10.2) in the repository to support this alternative development?
Thanks for your consideration.
In file Decompiler.cpp, on line 7428 there is an FPop() call - but there is already another FPop() 2 lines above, replacing the previous FGet(0). Is not the second one superfluous ?
Hello,
I am guessing it might be a lot of work, but I would just like to add this feature request: support for x64 PE's
In file Analyze2.cpp in function TFMain_11011981::AnalyzeProc2 there is the following piece of code
    if (DisInfo.Ret)
    {
        //End of proc
        if (!lastAdr || curAdr == lastAdr)
        {
            if (AnalyzeRetType)
            {
                //If the type of register eax is not empty, find the nearest preceding instruction that initializes it
                if (registers[16].type != "")
                {
                    for (Pos = curPos - 1; Pos >= fromPos; Pos--)
                    {
                        b = Flags[Pos];
                        if ((b & cfInstruction) & !(b & cfSkip))
On the last row, I think it should be if ((b & cfInstruction) && !(b & cfSkip)) - otherwise, according to the generated code it seems that cfSkip check is effectively ignored
It is obvious, that compiled code actually resembles other logic.
However, if I change the second & with && - the kind of many InfoRec`s becomes ikFunc instead of ikProc - this is clearly visible on event handlers for visual controls (usually TNotifyEvent)
I am not sure whether these are bugs, or not ....
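An added example (not IDR code) comparing the two forms of the condition discussed in the issue above. The mask values are hypothetical, not IDR's definitions; the point is that the bitwise form depends on which bit the instruction flag occupies.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical mask values for illustration; they are not IDR's definitions.
const uint32_t kSkip      = 0x20;
const uint32_t kInstrBit0 = 0x01;  // instruction flag on bit 0
const uint32_t kInstrBit4 = 0x10;  // instruction flag on any other bit

// Condition as quoted in the issue. !(...) yields 0 or 1, so the bitwise AND
// keeps only bit 0 of (b & instrMask).
bool bitwiseForm(uint32_t b, uint32_t instrMask, uint32_t skipMask) {
    return ((b & instrMask) & static_cast<uint32_t>(!(b & skipMask))) != 0;
}

// Condition proposed in the issue.
bool logicalForm(uint32_t b, uint32_t instrMask, uint32_t skipMask) {
    return (b & instrMask) && !(b & skipMask);
}

// Number of flag combinations (none, instr, skip, both) where the forms differ.
int disagreements(uint32_t instrMask, uint32_t skipMask) {
    const uint32_t cases[4] = {0, instrMask, skipMask, instrMask | skipMask};
    int n = 0;
    for (uint32_t b : cases)
        if (bitwiseForm(b, instrMask, skipMask) != logicalForm(b, instrMask, skipMask)) ++n;
    return n;
}

// True if the bitwise form accepts at least one of the four combinations.
bool bitwiseEverTrue(uint32_t instrMask, uint32_t skipMask) {
    const uint32_t cases[4] = {0, instrMask, skipMask, instrMask | skipMask};
    for (uint32_t b : cases)
        if (bitwiseForm(b, instrMask, skipMask)) return true;
    return false;
}

int main() {
    std::printf("flag on bit 0: %d disagreement(s)\n", disagreements(kInstrBit0, kSkip));
    std::printf("flag on bit 4: %d disagreement(s), bitwise form ever true: %d\n",
                disagreements(kInstrBit4, kSkip), bitwiseEverTrue(kInstrBit4, kSkip));
    return 0;
}
```

When the instruction flag is not on bit 0, the bitwise form never accepts anything, so switching to && starts running code that was previously unreachable.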
After Windows 7, each time IDR is executed, we find that the control positions have changed.
After Windows 7, there is a display setting under the Desktop popup menu -> Display Settings:
"Change the size of text, apps and other items"
It can be set to: Smaller (100%), Medium (125%), Larger (150%), and so on.
Modify the ScaleForm function in Misc.cpp
    void __fastcall ScaleForm(TForm* AForm)
    {
        HDC _hdc = GetDC(0);
        if (_hdc)
        {
            //Modified by ZGL
            int LogicalScreenHeight = GetDeviceCaps(_hdc, VERTRES);
            int PhysicalScreenHeight = GetDeviceCaps(_hdc, DESKTOPVERTRES);
            AForm->ScaleBy(PhysicalScreenHeight, LogicalScreenHeight);
            //Modified end
            ReleaseDC(0, _hdc);
        }
    }
There is sometimes a bug in GetTypeInfo when KBver = 1. Fixed as follows:
    MTypeInfo* __fastcall MKnowledgeBase::GetTypeInfo(int ATypeIdx, DWORD AFlags, MTypeInfo *tInfo)
    {
        if (!Inited) return 0;
        if (ATypeIdx == -1) return 0;
        const BYTE* p = GetKBCachePtr(TypeOffsets[ATypeIdx].Offset, TypeOffsets[ATypeIdx].Size);
        //Modified by ZGL
        if (Version == 1)
            tInfo->Size = TypeOffsets[ATypeIdx].Size;
        else
        {
            tInfo->Size = *((DWORD*)p); p += 4;
        }
        //---------------
I don't know what it is.
What do I need to do?
Sorry for this, I'm a noob
In file Decompiler.cpp, around row 7334 there is the following piece of code
    if (_item2.Flags & IF_STACK_PTR)
    {
        Env->Stack[_item2.IntValue].Type = "Variant";
        _item2 = Env->Stack[_item1.IntValue];
    }
Why is there _item1.IntValue?
How much effort would be needed to add support for Delphi 8? How can I be sure that my DLL to be decompiled is, in fact, Delphi 8? There is a static string 'Delphi%.8X' in the disassembly. Any tips or suggestions would be greatly appreciated.
In file Misc.cpp, function TransformString silently skips non-latin characters in ANSI-strings. Also, it produces malformed output like this (non-even number of quotes) - 'Display_Area'#9('
Trying to load a delphi program and this messagebox appears. Can't find where it comes from.
The commit 8f5ded1#diff-ec6e4a38c353eb819ebf6636cbd2d3a9 reintroduces the #21 bug and introduces the files IdcDialog.res and IdcDialog.rc, which do not exist in the repo
I try to decompile my application, which is written in Borland C++, and I get the error EAccessViolation. My file:
http://rgho.st/8ZS8GBgFK
Please, can you show my file and fix bug in IDR.
To project author @crypto2011:
Please, specify LICENSE for IDR project.
See Licensing a repository and Choose an open source license for more information.
Currently IDR project has no license specified.
Now kpnc doesn't work (RIP Kris), so how can I download built binaries?
Hi,
I would like it if the latest knowledge db files were hosted, for example, on the releases page or linked in the readme.md, since your old website seems to be down.
Hi,
Is there any way to build KB for the latest versions of Delphi embarcadero (XE10 or 11 ?)
Cheers,
When big executable is analyzed (over 150MB), IDR tries to use more than 2GB of RAM and causes Out of memory exception. Using 4GB_patch from NTcore (https://ntcore.com/?page_id=371) allows to allocate up to 4GBs and disassembly can continue, but IDR becomes unstable.
Can IDR be compiled as an x64 app (thus allowing it to natively use more memory)?
    pos = str.LastDelimiter(",");
    if (pos)
    {
        filename = str.SubString(2, pos - 3); //Modified by ZGL
        version = str.SubString(pos + 1, str.Length() - pos).ToInt();
    }
    else
In IDR, there is a problem getting the event parameters from the KnowledgeBase.
With KnowledgeBase version 2, it is correct:
    TForm1.FormKeyDown(Sender:TObject; var Key:Word; Shift:TShiftState);
But with KnowledgeBase version 1, the event parameters can't be obtained:
    TForm1.FormKeyDown(?:?; ?:?; ?:?);
In file EditFunctionDlg.cpp, in function TFEditFunctionDlg_11011981::bApplyTypeClick, on row 305 there is a call to FillType() - but there is no call to FillArgs(). As a result, when you modify a prototype, you have to close the form and reopen it in order to see the changes on tab Arguments.
Hello,
I have a Delphi program without source code.
I have downloaded your program and it ran for a long time (no errors). But then what do I need to do to save all the .pas and form files?
Can you explain, please?
Thanks
Wheel
IDR cannot recognize the executable file (in attachment) produced by the Delphi 2 compiler.
10xx in advance
Neshkom
VolAdj.zip
Default is __fastcall, but it is __usercall @(@,@,@) in fact,
and the idc has many duplicate names.
It's a great tool, thx a lot
Hi crypto
When I try to decompile this file https://mega.nz/#!4RJ1VB6K!zIlOn__vSnCHbB2Eq2wtUDDChl_l5wi0M0X2CDcwWbk I get this error.
In file Decompiler.cpp, around line 7381 there is the following piece of code
    if (_item1.Flags & IF_STACK_PTR)
    {
        Env->Stack[_item1.IntValue].Type = "Variant";
        _item1 = Env->Stack[_item1.IntValue];
    }
    CmpInfo.L = _item1.Name;
    GetRegItem(18, &_item2);//edx - Right argument
    if (_item2.Flags & IF_STACK_PTR)
    {
        Env->Stack[_item2.IntValue].Type = "Variant";
        _item2 = Env->Stack[_item2.IntValue];
        CmpInfo.R = _item2.Name;
    }
Why is CmpInfo.L outside of the if() and CmpInfo.R inside the if() - shouldn't they both be either inside or outside?
File: TF3Compression.zip
Hello,
I have a file compiled with Embarcadero Delphi(10.1 Berlin) and while trying to process it with IDR it autodetects it as kb2014 which is obviously wrong.
In the processed file, I get a lot of "prototype of ... is not complete" and "prototype is not complete" and only get the source code for a few functions.
I was wondering how can I obtain the BINs for this version?
This project has been by far the best I could find at decompiling Delphi files. Great job!
In function TFMain_11011981::IsValidCode there is a piece of code
    if (!memcmp(DisInfo.Mnem, "arpl", 4) ||
        !memcmp(DisInfo.Mnem, "out", 3) ||
        !memcmp(DisInfo.Mnem, "in", 2))
    {
        return -1;
    }
It returns -1 even if DisInfo.Mnem contains INC - seems like a bug ?
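An added example (not IDR code) showing why the memcmp test quoted in the issue above behaves as a prefix match, next to a whole-string comparison. The fixed 32-byte zero-padded buffer, the helper names and the mnemonic sample are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Assumption: the mnemonic sits in a fixed, zero-padded buffer (size is hypothetical).
struct Mnemonic {
    char text[32];
    explicit Mnemonic(const char* s) {
        std::memset(text, 0, sizeof(text));
        std::strncpy(text, s, sizeof(text) - 1);
    }
};

// Test as quoted in the issue: memcmp over N bytes only checks the first N characters.
bool rejectedByPrefix(const Mnemonic& m) {
    return !std::memcmp(m.text, "arpl", 4) ||
           !std::memcmp(m.text, "out", 3) ||
           !std::memcmp(m.text, "in", 2);
}

// Whole-string comparison: only the three listed mnemonics match.
bool rejectedExact(const Mnemonic& m) {
    return !std::strcmp(m.text, "arpl") ||
           !std::strcmp(m.text, "out") ||
           !std::strcmp(m.text, "in");
}

// Mnemonics that the prefix test rejects although they are not in the list.
std::vector<std::string> falseRejects(const std::vector<std::string>& names) {
    std::vector<std::string> hits;
    for (const std::string& n : names) {
        Mnemonic m(n.c_str());
        if (rejectedByPrefix(m) && !rejectedExact(m)) hits.push_back(n);
    }
    return hits;
}

// Constructed sample of lower-case x86 mnemonics.
const std::vector<std::string> kSample = {
    "in", "inc", "int", "insb", "invd", "out", "outsb", "arpl", "mov", "imul"};

int main() {
    for (const std::string& n : falseRejects(kSample))
        std::printf("prefix test also rejects: %s\n", n.c_str());
    return 0;
}
```

If string forms such as insb or outsb are meant to be rejected as well, they would have to be listed explicitly in the exact version.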
    procedure TForm1.Button4Click(Sender: TObject);
    var
      TmpS: AnsiString;
    begin//0
      //0044FF6C
      EBX := Self;
      try
        //0044FF83
        ESI := $FF7FFFFF{-8388609};
        EDX := 8;
        EAX := ESI;
        TmpS := IntToHex(ESI, {8});
        EDX := TmpS;
        EAX := Memo1;
        EAX := Memo1.FLines;
        EAX := Memo1.FLines.Add(TmpS);
      finally//1
        //0044FFB8
        TmpS := '';
      end;//1
    end;//0
In file Infos.cpp, function InfoProcInfo::AddArg(BYTE Tag, int Ofs, int Size, String Name, String TypeDef) does not initialize argInfo->Register - seems like a bug ?
I disassemble the library in IDR, and debug in IDA Pro. How are the results of disassembling from IDR inserted into IDA Pro? I made the script, but it breaks the whole code analysis in IDA.
In file TabStrings.cpp in function TFMain_11011981::miSearchStringClick there is the following piece of code
    if (lbRTTIs->ItemIndex < 0)
        StringsSearchFrom = 0;
    else
        StringsSearchFrom = lbStrings->ItemIndex;
It is obvious that lbRTTIs should be actually lbStrings.
Hi, first of all, thank you for your great work.
I have a malware analysis homework and I'm trying to get the source code of the malware.
When I used PEiD, it told me that the malware is using Delphi 6-7 (screenshot).
When I'm trying to use IDR, I'm getting the following message. I went to the directory and didn't find the file kb2007.bin but found syskb2007.bin.
What can I do to fix the problem?
best regards
In file Main.cpp in function TFMain_11011981::lbFormsClick instead of
    RTTIsSearchFrom = lbRTTIs->ItemIndex;
    WhereSearch = SEARCH_FORMS;
it should be
    FormsSearchFrom = lbForms->ItemIndex;
    WhereSearch = SEARCH_FORMS;
There are the following methods in idc:
They're used the same way as pressing Y button at function header. Is it possible to add types definitions in this script?
In file Main.cpp in function TFMain_11011981::FindText in case SEARCH_NAMES there is
    pos = line.Pos("'");
But lines in lbNames are composed from address, item name, colon and item type - there are no quotes, if this is ResourceString; and there are multiple quotes, if this is AnsiString and contains non-latin characters. It seems that the piece of code is copy-pasted from case SEARCH_STRINGS - but here there is no need for Pos() and Substring(), this even seems wrong.