So many times we have heard things like "Delphi is like a Pascal based Visual Basic". CERTAINLY NOT!! The OOP techniques applied in Delphi are the main reason a "hello world" exe file weighs in at +100 Kb but, setting aside the whole overbloated object hierarchy, we are still able to develop full Win32 API based software while enjoying the beauty of one of the nicest languages ever, Pascal.
In a simple "Hello world" Delphi program there are thousands of useless bytes: resources injected into the executable that the program will never use, strings, cursors, etc., not to mention all the crap that the VCL object hierarchy brings with it. A real programmer must know the language he/she uses in depth; now he/she must also learn how his/her compiler works ... amazing situation, isn't it?
So many things hidden from our eyes ... Delphi programmers / reverse +engineers, it's time to reveal some of them ...
Anyone who has ever opened a Delphi executable with Borland's Resource Workshop has found a total absence of windows and dialog boxes, and in their place a more or less extensive series of RCDATA type resources. What is behind all this? If you don't know, I hope this document helps you to understand it...
RCDATA, WHAT IS IT?
Inside a Win32 executable we can store different types of resources:
DELPHI AND RCDATA RESOURCES
Delphi program source files are usually distributed in two file types: ASCII code files (.PAS, .DPR, .INC), and resource files (.RES, .RC, .DFM, .DCR).
At design time (code time), part of the program is written in the background, almost without the programmer realizing it. Every time the programmer changes a window's position, changes a button's color or assigns an event to a component, Delphi writes those modifications to a DFM file.
A DFM file is nothing more than an ASCII file encoded by Delphi. Later, during compilation, this file is linked into the executable in the form of an RCDATA resource. From now on, when you hear talk of Borland/Inprise's own RCDATA format, you will know which way the wind is blowing ...
EXTRACTING DFM RCDATA FROM A DELPHI EXECUTABLE
A function of the Win32 API will allow us to write a small program to do the work. Here is an extract of code from our small tool:
    function CB_EnumDfmNameProc(hModule: THandle; lpszType, lpszName: PChar;
      lParam: Integer): Boolean; stdcall;
    var
      ms: TMemoryStream;
      rs: TResourceStream;
      Sig: array[0..3] of AnsiChar;   // first 4 bytes of the resource
      Header: AnsiString;
    begin
      with TResourceInfo(lParam) do
      begin
        rs := TResourceStream.Create(Module, lpszName, lpszType); // load resource in memory
        try
          ms := TMemoryStream.Create;
          try
            // read the first 4 bytes; a shorter block cannot be a DFM
            if rs.Read(Sig, SizeOf(Sig)) = SizeOf(Sig) then
              SetString(Header, PAnsiChar(@Sig), SizeOf(Sig))
            else
              Header := '';
            if Header = 'TPF0' then         // is it a DFM resource?
            begin
              rs.Seek(0, 0);
              ObjectBinaryToText(rs, ms);   // decode DFM
              ms.Seek(0, 0);
              AddDfm(StrPas(lpszName), ms); // add it to our own list
            end;
          finally
            ms.Free;
          end;
        finally
          rs.Free;
        end;
      end;
      Result := True;                       // continue the enumeration
    end; {CB_EnumDfmNameProc}

    procedure TResourceInfo.EnumDfmNames;
    begin
      if FModule <> 0 then                  // if an EXE file has been loaded
        EnumResourceNames(FModule, RT_RCDATA, // go and search RCDATA resources
          @CB_EnumDfmNameProc, Integer(Self));
    end; {TResourceInfo.EnumDfmNames}
DECODING / ENCODING DFM RCDATA
As mentioned above, the RCDATA format used by DFM files is Borland/Inprise's own. The Delphi 4 "Classes" unit contains 4 functions, called object conversion routines, that convert DFM binary blocks to ASCII format and vice versa:
Before explaining how our program works, one question is still pending: what was that 4-byte header that appeared in the code shown in the previous section? Delphi does not automatically store only DFM blocks as RCDATA; we will also find resources such as DVCLAL and PACKAGEINFO. To tell them apart, we read the first four bytes of the block, which in every DFM-type block are always "TPF0" ($54 $50 $46 $30).
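The same signature test can be done without the VCL when triaging RCDATA blocks that have already been dumped from an executable. The Python code below is an added example, not part of DfmExplorer or the original text: it keeps only the blocks that start with "TPF0" and reads the root class name, object name and leading scalar properties that follow the signature. The layout after the signature (optional flags byte, length-prefixed names, value-type tags) is assumed from the binary stream format of the Classes unit; the function names and the sample blocks are constructed for illustration.

```python
import struct

DFM_SIGNATURE = b"TPF0"  # $54 $50 $46 $30, the header named in the text
INTS = {2: "<b", 3: "<h", 4: "<i"}  # vaInt8, vaInt16, vaInt32 (assumed TValueType order)
VA_STRING, VA_IDENT, VA_FALSE, VA_TRUE = 6, 7, 8, 9

def short_str(blob, pos):
    """Read a length-prefixed string; return (text, next position)."""
    end = pos + 1 + blob[pos]
    if end > len(blob):
        raise ValueError("truncated string at offset %d" % pos)
    return blob[pos + 1:end].decode("latin-1"), end

def read_dfm_header(blob):
    """Return root class, object name and the leading scalar properties."""
    if blob[:4] != DFM_SIGNATURE:
        raise ValueError("not a DFM block: TPF0 signature missing")
    try:
        pos = 4
        if blob[pos] & 0xF0 == 0xF0:         # optional flags prefix byte
            if blob[pos] & 0x02:             # child position follows: not handled
                raise ValueError("child-position prefix not supported")
            pos += 1
        cls, pos = short_str(blob, pos)
        name, pos = short_str(blob, pos)
        props = {}
        while blob[pos] != 0:                # an empty name ends the property list
            key, pos = short_str(blob, pos)
            kind, pos = blob[pos], pos + 1
            if kind in INTS:
                props[key] = struct.unpack_from(INTS[kind], blob, pos)[0]
                pos += struct.calcsize(INTS[kind])
            elif kind in (VA_STRING, VA_IDENT):
                props[key], pos = short_str(blob, pos)
            elif kind in (VA_FALSE, VA_TRUE):
                props[key] = kind == VA_TRUE
            else:
                break                        # sets, lists, binary data: stop here
    except (IndexError, struct.error):
        raise ValueError("truncated DFM block")
    return {"class": cls, "name": name, "props": props}

def list_forms(rcdata):
    """Map resource name -> parsed header for the blocks that are DFMs."""
    return {n: read_dfm_header(b) for n, b in rcdata.items() if b[:4] == DFM_SIGNATURE}

# Constructed sample: a hand-built form block and a placeholder for a non-DFM block.
FORM1 = b"TPF0\x06TForm1\x05Form1\x04Left\x03\xc0\x00\x07Caption\x06\x05Hello\x07Visible\x09\x00\x00"
SAMPLE = {"TFORM1": FORM1, "DVCLAL": b"\x00" * 16}  # DVCLAL bytes are not real content
```

Calling `list_forms(SAMPLE)` returns only the `TFORM1` entry; the parser stops at the first property whose value type it does not decode, so nested or binary properties are left to ObjectBinaryToText.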
CODING A DELPHI DFM EXPLORER
With all of the above we should already be able to write a tool that makes life a little easier for crackers and programmers alike.
The operation is simple:
All that you have seen here, including the little demo tool, was written on a hot Sunday afternoon, very hot indeed ... :) It's possible that this text contains something incorrect, or that the program has shortcomings that I have not seen. If you find something wrong, don't wait any longer and write now, it will be of benefit to +all ...
A zip file containing binaries and full sources of the DfmExplorer tool can be downloaded here.
A Spanish translation of this doc can be downloaded from the wkt homepage (http://pagina.de/wkt).
(c) 1999 Aitor, +HCU and wkt
Basque Country, May 1999