
idr's People

Contributors

bakasurarce, crypto2011, iljavs, mrexodia


idr's Issues

About const parameter

In the current version of IDR, constant (const) parameters are all treated as variable (var) parameters.
For example:
function CompareStr(const S1, S2: string): Integer;
In IDR, we get the following result:
function CompareStr(var S1: AnsiString; var S2: AnsiString): Integer;

I have corrected this problem.

Bug in TDecompiler::Decompile

In file Decompiler.cpp in function TDecompiler::Decompile there is a piece of code

if ((flags & (CF_FINALLY | CF_EXCEPT)))
{
  _curPos += _instrLen; _curAdr += _instrLen;
  continue;
}
if (DisInfo.Call)
{
  if (flags & cfExcept)
  {
    _recN = GetInfoRec(DisInfo.Immediate);
    if (_recN->SameName("@DoneExcept"))
    {
      _curPos += _instrLen; _curAdr += _instrLen;
      break;
    }
  }
} 

Are you sure that cfExcept is the right one to use - I think it should be CF_EXCEPT?

Fuzzyscan AV

Getting AV (AccessViolation) error on latest idr.exe

Steps:
1. Load exe
2. Go to the CodeViewer page (F6)
3. Fuzzy scan KB

getting:

Idr
Access violation at address 00471F6B in module 'Idr.exe'. Read of address 056BFF44.
OK

The target might be sent in private.

Bug in TFMain_11011981::ShowUnitItems

In file TabUnits.cpp in function TFMain_11011981::ShowUnitItems there is a piece of code

//Skip calls, that are in the body of some asm-procs (for example, FloatToText from SysUtils)
if (kind >= ikRefine && kind <= ikFunc && recN->procInfo && (recN->procInfo->flags & cfEmbedded)) continue; 

Are you sure that cfEmbedded is the right one to use - I think it should be PF_EMBED?

EAccessViolation

Hi crypto2011,

The issue occurs when I try to disassemble this target.

You can check link below: (DSR.exe)

RAR.zip

Regards,

Alternative development: CBuilder 10.2

I've been working to run the code on Embarcadero C++ 10.2 Tokyo. Now I have a functional version with a lot of bugs to correct!

If you allow it, could you create a new branch (called cbuilder-10.2) in the repository to support this alternative development?

My branch.

Thanks for your consideration.

Suspicious extra FPop in decompiler

In file Decompiler.cpp, on line 7428 there is an FPop() call, but there is already another FPop() 2 lines above, replacing the previous FGet(0). Isn't the second one superfluous?

Bug in TFMain_11011981::AnalyzeProc2

In file Analyze2.cpp in function TFMain_11011981::AnalyzeProc2 there is the following piece of code

if (DisInfo.Ret)
{
  //End of proc
  if (!lastAdr || curAdr == lastAdr)
  {
    if (AnalyzeRetType)
    {
      //If the type of the eax register is not empty, find the nearest instruction above that initializes it
      if (registers[16].type != "")
      {
        for (Pos = curPos - 1; Pos >= fromPos; Pos--)
        {
          b = Flags[Pos];
          if ((b & cfInstruction) & !(b & cfSkip)) 

On the last row, I think it should be if ((b & cfInstruction) && !(b & cfSkip)); otherwise, according to the generated code, it seems that the cfSkip check is effectively ignored.
(screenshot: shot-1)
It is obvious that the compiled code actually resembles other logic.

However, if I change the second & with &&, the kind of many InfoRecs becomes ikFunc instead of ikProc; this is clearly visible on event handlers for visual controls (usually TNotifyEvent).
I am not sure whether these are bugs or not.
(screenshots: shot-2 to shot-10)
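The bitwise-versus-logical question raised above, as an added example that is not part of the issue or of IDR's code. It uses constructed values for cfInstruction and cfSkip (the real values in Analyze2.cpp are not given here) and a constructed Flags array, and runs the backward scan from the snippet once with each form of the predicate:

```cpp
#include <cstdint>
#include <vector>

// Constructed flag values for this example; IDR's real cfInstruction/cfSkip
// values are not shown on the page.
enum : uint8_t {
    cfInstruction = 0x02,  // byte starts an instruction
    cfSkip        = 0x08   // instruction has been marked as skipped
};

// Predicate as written in the reported code: bitwise & between a flag mask
// and a bool. !(b & cfSkip) is 0 or 1, so the & keeps only bit 0 of
// (b & cfInstruction), which here is never set.
static bool IsLiveInstructionBuggy(uint8_t b) {
    return (b & cfInstruction) & !(b & cfSkip);
}

// Intended predicate: logical && of the two tests.
static bool IsLiveInstructionFixed(uint8_t b) {
    return (b & cfInstruction) && !(b & cfSkip);
}

// Mirrors the backward scan in the issue: from curPos-1 down to fromPos,
// return the position of the nearest instruction that is not skipped,
// or -1 if none. `pred` selects the buggy or the fixed predicate.
static int FindNearestLiveInstruction(const std::vector<uint8_t>& flags,
                                      int curPos, int fromPos,
                                      bool (*pred)(uint8_t)) {
    for (int pos = curPos - 1; pos >= fromPos; --pos) {
        if (pred(flags[pos])) return pos;
    }
    return -1;
}

// Constructed Flags array: data byte, live instruction, data byte,
// skipped instruction, data byte.
static const std::vector<uint8_t> kSampleFlags = {
    0x00, cfInstruction, 0x00, cfInstruction | cfSkip, 0x00
};

// The fixed form finds the live instruction at index 1; the buggy form
// finds nothing and returns -1.
int NearestWithBuggy() {
    return FindNearestLiveInstruction(kSampleFlags, 5, 0, IsLiveInstructionBuggy);
}
int NearestWithFixed() {
    return FindNearestLiveInstruction(kSampleFlags, 5, 0, IsLiveInstructionFixed);
}
```

With these values the & form never matches, because the bitwise and only sees bit 0 of the masked flag. Had cfInstruction been 0x01, the two forms would have agreed by coincidence, which is how this kind of defect survives until a flag value changes.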

The controls' positions change on each execution

Since Windows 7, each time IDR is executed, we find that the controls' positions have changed.

Reason:

Since Windows 7, there is a display setting under the Desktop popup menu -> Display Settings:
"Change the size of text, apps and other items"
This can be set to Smaller (100%), Medium (125%), Larger (150%), and so on.

Solution:

Modify the ScaleForm function in Misc.cpp

void __fastcall ScaleForm(TForm* AForm)
{
    HDC _hdc = GetDC(0);
    if (_hdc)
    {
        //Modified by ZGL
        int LogicalScreenHeight = GetDeviceCaps(_hdc, VERTRES);
        int PhysicalScreenHeight = GetDeviceCaps(_hdc, DESKTOPVERTRES);
        AForm->ScaleBy(PhysicalScreenHeight, LogicalScreenHeight);
        //Modified end
        ReleaseDC(0, _hdc);
    }
}

Bug in MKnowledgeBase::GetTypeInfo

There is sometimes a bug in GetTypeInfo when KBver = 1. Fixed as follows:

MTypeInfo* __fastcall MKnowledgeBase::GetTypeInfo(int ATypeIdx, DWORD AFlags, MTypeInfo *tInfo)
{
    if (!Inited) return 0;

    if (ATypeIdx == -1) return 0;

    const BYTE* p = GetKBCachePtr(TypeOffsets[ATypeIdx].Offset, TypeOffsets[ATypeIdx].Size);

    //Modified by ZGL
    if (Version == 1)
        tInfo->Size = TypeOffsets[ATypeIdx].Size;
    else
    {
        tInfo->Size = *((DWORD*)p); p += 4;
    }
    //---------------

Unit renaming inconsistency

An old name is still displayed in the CodeViewer tab after unit renaming (of course, if some method from the renamed unit was opened).
(screenshot)

Bug in Decompiler

In file Decompiler.cpp, around row 7334 there is the following piece of code

        if (_item2.Flags & IF_STACK_PTR)
        {
            Env->Stack[_item2.IntValue].Type = "Variant";
            _item2 = Env->Stack[_item1.IntValue];
        }

Why is there _item1.IntValue?

Add support for Delphi 8?

How much effort would be needed to add support for Delphi 8? How can I be sure that my DLL to be decompiled is, in fact, Delphi 8? There is a static string 'Delphi%.8X' in the disassembly. Any tips or suggestions would be greatly appreciated.

Built executables

Now kpnc doesn't work (RIP Kris), so how can I download built binaries?

Knowledge DB files on release page

Hi,
I would like it if the latest knowledge db files were hosted, for example, on the releases page or linked in the readme.md, since your old website seems to be down.

KB Builder

Hi,

Is there any way to build a KB for the latest versions of Embarcadero Delphi (XE10 or 11?)

Cheers,

Allow IDR to allocate more memory

When a big executable is analyzed (over 150MB), IDR tries to use more than 2GB of RAM and causes an Out of memory exception. Using 4GB_patch from NTcore (https://ntcore.com/?page_id=371) allows it to allocate up to 4GB and the disassembly can continue, but IDR becomes unstable.
Can IDR be compiled as an x64 app (thus allowing it to natively use more memory)?

Fixed bug for TFMain_11011981::IniFileRead

    pos = str.LastDelimiter(",");
    if (pos)
    {
        filename = str.SubString(2, pos - 3);   //Modified by ZGL
        version = str.SubString(pos + 1, str.Length() - pos).ToInt();
    }
    else

Bug for getting event parameters

In IDR, there is a problem getting the event parameters from the KnowledgeBase.
With KnowledgeBase version 2 it is correct:
TForm1.FormKeyDown(Sender:TObject; var Key:Word; Shift:TShiftState);

But with KnowledgeBase version 1, the event parameters can't be obtained:
TForm1.FormKeyDown(?:?; ?:?; ?:?);

Missing update of tab Arguments after editing a function prototype

In file EditFunctionDlg.cpp, in function TFEditFunctionDlg_11011981::bApplyTypeClick, on row 305 there is a call to FillType() - but there is no call to FillArgs(). As a result, when you modify a prototype, you have to close the form and reopen it in order to see the changes on tab Arguments.

Working logic IDR

Hello,

I have a Delphi program without source code.
I have downloaded your program and it ran for a long time (no errors). But then what do I need to do to save all .pas and form files?

Can you explain, please?

Thanks
Wheel

Suspicious code in Decompiler

In file Decompiler.cpp, around line 7381 there is the following piece of code

        if (_item1.Flags & IF_STACK_PTR)
        {
            Env->Stack[_item1.IntValue].Type = "Variant";
            _item1 = Env->Stack[_item1.IntValue];
        }
        CmpInfo.L = _item1.Name;

        GetRegItem(18, &_item2);//edx - Right argument
        if (_item2.Flags & IF_STACK_PTR)
        {
            Env->Stack[_item2.IntValue].Type = "Variant";
            _item2 = Env->Stack[_item2.IntValue];
            CmpInfo.R = _item2.Name;
        }

Why is CmpInfo.L outside of the if() and CmpInfo.R inside the if()? Shouldn't they be both either inside or outside?

Knowledge base for delphi 10.1 and later

Hello,
I have a file compiled with Embarcadero Delphi (10.1 Berlin), and while trying to process it with IDR it autodetects it as kb2014, which is obviously wrong.

In the processed file, I get a lot of "prototype of ... is not complete" and "prototype is not complete" and only get the source code for a few functions.

I was wondering how I can obtain the BINs for this version?

This project has been by far the best I could find at decompiling Delphi files. Great job!

Bug in TFMain::IsValidCode

In function TFMain_11011981::IsValidCode there is a piece of code

        if (!memcmp(DisInfo.Mnem, "arpl", 4) || 
            !memcmp(DisInfo.Mnem, "out", 3)  || 
            !memcmp(DisInfo.Mnem, "in", 2)) 
        { 
            return -1; 
        }  

It returns -1 even if DisInfo.Mnem contains INC - seems like a bug?
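A worked version of the mnemonic check discussed above, as an added example that is not IDR's code. It assumes DisInfo.Mnem is a NUL-terminated string holding the mnemonic, optionally followed by whitespace and operands, and contrasts the prefix comparison from the issue with a whole-token comparison:

```cpp
#include <cstring>

// Mnemonics the reported code wants to reject (taken from the issue).
static const char* const kRejectedMnemonics[] = { "arpl", "out", "in" };

// Prefix test, equivalent to the memcmp(Mnem, pat, N) in the issue: only the
// first strlen(pat) characters are compared, so "in" also matches "inc",
// "int", "ins" and anything else that starts with those two letters.
// strncmp is used rather than memcmp so a mnemonic shorter than the pattern
// is not read past its terminator.
bool IsRejectedPrefixMatch(const char* mnem) {
    for (const char* pat : kRejectedMnemonics) {
        if (strncmp(mnem, pat, strlen(pat)) == 0) return true;
    }
    return false;
}

// Whole-token test: the pattern must match exactly and be followed by the end
// of the string or by whitespace that separates it from operands.
bool IsRejectedToken(const char* mnem) {
    for (const char* pat : kRejectedMnemonics) {
        size_t n = strlen(pat);
        if (strncmp(mnem, pat, n) == 0 &&
            (mnem[n] == '\0' || mnem[n] == ' ' || mnem[n] == '\t')) {
            return true;
        }
    }
    return false;
}
```

With the prefix form, "inc eax" and "int 3" are rejected along with "in al, dx"; with the token form only the three listed mnemonics are.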

Add var section to Source Code

The decompiler result looks like this:

procedure TForm1.Button4Click(Sender: TObject);
var
  TmpS: AnsiString;
begin//0
  //0044FF6C
  EBX := Self;
  try
    //0044FF83
    ESI := $FF7FFFFF{-8388609};
    EDX := 8;
    EAX := ESI;
    TmpS := IntToHex(ESI, {8});
    EDX := TmpS;
    EAX := Memo1;
    EAX := Memo1.FLines;
    EAX := Memo1.FLines.Add(TmpS);
  finally//1
    //0044FFB8
    TmpS := '';
  end;//1
end;//0

Bug in InfoProcInfo::AddArg

In file Infos.cpp, function InfoProcInfo::AddArg(BYTE Tag, int Ofs, int Size, String Name, String TypeDef) does not initialize argInfo->Register - seems like a bug ?

How idr and IDA PRO connected ?

I disassemble the library in IDR and debug in IDA Pro. How are the results of disassembling from IDR inserted into IDA Pro? I made a script, but it breaks the whole code analysis in IDA.

Bug in TFMain_11011981::miSearchStringClick

In file TabStrings.cpp in function TFMain_11011981::miSearchStringClick there is the following piece of code

if (lbRTTIs->ItemIndex < 0)
  StringsSearchFrom = 0;
else
  StringsSearchFrom = lbStrings->ItemIndex; 

It is obvious that lbRTTIs should be actually lbStrings.

can not open knowledge base file

Hi, first of all, thank you for your great work.
I have a malware analysis homework and I'm trying to get the source code of the malware.
When I used PEiD, it told me that the malware is using Delphi 6-7 (screenshots attached).
When I'm trying to use IDR, I'm getting the following message. I went to the directory and didn't find the file kb2007.bin, but found syskb2007.bin.
What can I do to fix the problem?
best regards

Bug in TFMain_11011981::lbFormsClick

In file Main.cpp in function TFMain_11011981::lbFormsClick instead of

    RTTIsSearchFrom = lbRTTIs->ItemIndex;
    WhereSearch = SEARCH_FORMS; 

it should be

    FormsSearchFrom = lbForms->ItemIndex;
    WhereSearch = SEARCH_FORMS; 

Cannot initialize Disasm

When I start it on Windows 10 or Windows 7, it shows "Cannot initialize Disasm".
(screenshots)

What should I do?

IDC script with type applying

There are the following methods in idc:

  • idc.GetType(ea);
  • idc.SetType(ea, type_string);

They're used the same way as pressing the Y key at a function header. Is it possible to add type definitions in this script?

Cannot recognize Move function.

(screenshot: 2016-07-27_105350)
Even if it is fully identical, IDR cannot recognize the Move function, and I have to use Fuzzy scan KB.
File is TF3Compression.dll

Suspicious code in TFMain_11011981::FindText

In file Main.cpp in function TFMain_11011981::FindText, in case SEARCH_NAMES there is
pos = line.Pos("'");
But lines in lbNames are composed of address, item name, colon and item type: there are no quotes if this is a ResourceString, and there are multiple quotes if this is an AnsiString that contains non-Latin characters. It seems that this piece of code was copy-pasted from case SEARCH_STRINGS, but here there is no need for Pos() and SubString(); it even seems wrong.
