2. Agenda
• Introduction to Delphi Framework
• Overview of Delphi PE
• Significant Language Features
• Versions of Delphi
• Encryption types
• What we can do?
• Delphi Compressors
• Delphi Decompiler
• Run-Time Type Information In Delphi
• Static Analysis
• Signature for diff. versions of Delphi
3. Introduction to Delphi Framework
• The Delphi programming language was developed by Borland.
• It is an object-oriented, visual programming environment derived from the Pascal language, used to develop applications for deployment on the web, Windows and Linux.
4. • Delphi is a high-level, compiled language that supports structured and object-oriented design.
• Delphi is a powerful and easy-to-use tool for generating stand-alone graphical user interface (GUI) programs or 32-bit console applications.
5. DataBases
• Delphi can access many types of
databases. Using forms and reports that
you create, the BDE (Borland Database
Engine) can access local databases, like
Paradox, network SQL server databases,
or any data source accessible through
ODBC (open database connectivity).
7. Significant Language Features
• Visual Programming Tools - It contains tools that make programming for Windows easy.
• Compiled Code - Delphi code is compiled; therefore, the compiled code runs quickly.
• Object oriented - objects keep the code simple, organized and protected.
10. TDS Problem (TimeDateStamp)
• Most Delphi compilers emit a constant TimeDateStamp in most cases, which means that taking a signature from the DOS buffer may result in FP.
11. Encryption types
• Delphi files used for malicious purposes mostly apply the following kinds of encryption, so it becomes very difficult to add a signature that is unique enough to detect a good number of them:
Hash Algorithms: SHA-1, HAVAL, MD2, MD5, SHA-256, SHA-384, SHA-512
MD5 Hash a String
Encrypting/decrypting a data stream
File Encryption / Decryption
Quoted-Printable Encode/Decode a String
AES Encryption
Generate Pseudo-Random Data using ARC4
ASCII / ANSI Secret Key in Symmetric Encryption
Ref: http://www.example-code.com/delphi/encryption.asp
12. • It is very hard to exclude the compiler code in Delphi files, so we can take a buffer from the Delphi entry point to the runtime error string. Usually, for Delphi files, the code starts from the runtime error string in decreasing order (strings).
14. • We can't get into the main code for the selection of the bytes, which sometimes makes the signature not very unique. In case the EXE-T buffer has the string calling the malicious code using mov/push instructions, it is usually considered for the signature.
17. What we can do is..!!!!
• We can locate the nearest 558BEC opcode sequence before the Runtime Error string and take the span from there to the string as a single buffer.
• Start a buffer from the Runtime Error string and extend it in decreasing order up to a maximum range, as per the requirement.
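The buffer selection described in slides 12, 14 and 17, as an added Python example that is not part of the original deck: it finds the RTL "Runtime error" string, walks back to the nearest 55 8B EC prologue (push ebp; mov ebp, esp) and returns that span as one buffer, or takes a fixed-length buffer backwards from the string. `SAMPLE` is a constructed byte blob standing in for a Delphi image, not a real binary.

```python
"""Candidate signature buffers from a Delphi image, following the slides."""

PROLOGUE = b"\x55\x8B\xEC"        # push ebp; mov ebp, esp (the 558BEC opcode)
RUNTIME_ERR = b"Runtime error"    # Delphi RTL error string present in the file

# Constructed stand-in for a Delphi image: two prologues, then the RTL string.
SAMPLE = (
    b"MZ" + b"\x00" * 14                 # header filler (offset 0)
    + b"\x55\x8B\xEC\x83\xC4\xF0"        # first prologue (offset 16)
    + b"\x90" * 8                        # padding
    + b"\x55\x8B\xEC\x33\xC0"            # nearest prologue (offset 30)
    + b"\xE8\x10\x00\x00\x00"            # call rel32 filler
    + b"Runtime error\x00 at 0000:0000"  # RTL string (offset 40)
)


def find_runtime_error(data: bytes) -> int:
    """Offset of the 'Runtime error' string, or -1 if absent."""
    return data.find(RUNTIME_ERR)


def nearest_prologue_before(data: bytes, end: int) -> int:
    """Offset of the last 55 8B EC that lies entirely before `end`, or -1."""
    return data.rfind(PROLOGUE, 0, end)


def prologue_to_error_buffer(data: bytes) -> bytes:
    """Slide 17, bullet 1: nearest prologue up to the Runtime error string."""
    err = find_runtime_error(data)
    if err < 0:
        return b""
    start = nearest_prologue_before(data, err)
    return data[start:err] if start >= 0 else b""


def error_backward_buffer(data: bytes, max_len: int) -> bytes:
    """Slide 17, bullet 2: up to max_len bytes ending at the Runtime error string."""
    err = find_runtime_error(data)
    if err < 0:
        return b""
    return data[max(0, err - max_len):err]


def to_hex_signature(buf: bytes) -> str:
    """Render a buffer as a space-separated hex signature string."""
    return " ".join(f"{b:02X}" for b in buf)


if __name__ == "__main__":
    print(to_hex_signature(prologue_to_error_buffer(SAMPLE)))  # 55 8B EC 33 C0 E8 10 00 00 00
```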
20. Advantages
• We can cover more detections with fewer generic signatures.
• The signature becomes more unique.
• Files with encryption can be easily detected and made unique with regard to the signature created.
21. Don't take signatures from
• Quick Batch files: a file that contains a sequence, or batch, of commands. Using the Quick Batch File compiler one can easily make an EXE file by compiling a batch file with the QBF compiler.
• Archives: compressing and deflating files and directories in well-known formats like ZIP, RAR, TAR, GZIP, CAB.
22. Delphi Compressors
• Flex Compress: http://www.componentace.com/compression_component_compression_delphi_encryption_delphi_flexcompress.htm
• ZipForge: http://www.componentace.com/zip_component_zip_delphi_zipforge.htm
• Abbrevia: http://sourceforge.net/projects/tpabbrevia/
• ZipTV: http://www.ziptv.com/index.html
• TZipMaster: http://www.delphizip.org/
A compression Delphi component designed for creating archives with strong encryption and a better compression rate than WinZip and RAR.
24. Revendepro
• Revendepro finds almost all structures (classes, types, procedures, etc.) in the program and generates the Pascal representation.
• Due to some limitations in the assembler, the generated output cannot be recompiled.
25. DeDe
• DeDe is a very fast program that can analyze executables compiled with Delphi.
• DeDe can completely rebuild the project (DPR), form (DFM) and unit (PAS) files from an existing uncompressed EXE.
• The built-in disassembler allows you to disassemble a lot of functions and represents them in semi-decompiled mode.
26. IDR (Interactive Delphi Reconstructor)
• A decompiler of executable files (EXE) and dynamic libraries (DLL), written in Delphi and executed in a Windows32 environment.
• The current version of the program can process files (GUI and console applications) compiled by Delphi compilers of versions Delphi2 – Delphi2010.
28. • Let's do some post-mortem and try to understand how IDR helps us decompile a Delphi file and how we get to the suspicious part.
29. • There are many machine code decompilers that produce Pascal code. Mostly, "Delphi decompilers" parse the form and RTTI data, but do not actually decompile the machine code.
• Delphi typically has embedded form data for any form in the project, and it also has metadata on all published properties.
30. Run-Time Type Information In Delphi
• All versions of Delphi have supported the generation of run-time type information.
• RTTI is implemented as data structures generated by the compiler while compiling a program.
• The general idea is to allow information describing various categories of types to be available at run-time.
• Normally, types are considered to be available only at compile-time, used by the compiler to identify storage requirements.
• Ref: http://www.blong.com/Conferences/BorConUK98/DelphiRTTI/CB140.htm
• In short, Runtime Type Information is information about an object's data type that is set into memory at run-time.