Reverse Engineering for Beginners


CHAPTER 55. IDENTIFICATION OF EXECUTABLE FILES


55.3 Intel FORTRAN


libifcoremd.dll, libifportmd.dll and libiomp5md.dll (OpenMP support) may be imported.


libifcoremd.dll has a lot of functions prefixed with for_, which means FORTRAN.


55.4 Watcom, OpenWatcom


55.4.1 Name mangling


Names usually start with the W symbol.


For example, this is how the method named “method” of the class “class”, which takes no arguments and returns void,
is encoded:


W?method$_class$n__v


55.5 Borland


Here is an example of Borland Delphi’s and C++Builder’s name mangling:


@TApplication@IdleAction$qv
@TApplication@ProcessMDIAccels$qp6tagMSG
@TModule@$bctr$qpcpvt1
@TModule@$bdtr$qv
@TModule@ValidWindow$qp14TWindowsObject
@TrueColorTo8BitN$qpviiiiiit1iiiiii
@TrueColorTo16BitN$qpviiiiiit1iiiiii
@DIB24BitTo8BitBitmap$qpviiiiiit1iiiii
@TrueBitmap@$bctr$qpcl
@TrueBitmap@$bctr$qpvl
@TrueBitmap@$bctr$qiilll


The names always start with the @ symbol, followed by the class name, the method name, and the encoded types of the
method’s arguments.


These names can be found in .exe imports, .dll exports, debug data, etc.


Borland Visual Component Libraries (VCL) are stored in .bpl files instead of .dll ones, for example, vcl50.dll, rtl60.dll.


Another DLL that might be imported: BORLNDMM.DLL.


55.5.1 Delphi


Almost all Delphi executables have the “Boolean” text string at the beginning of the code segment, along with other type
names.


This is a very typical beginning of the CODE segment of a Delphi program; this block comes right after the win32 PE file
header:


00000400 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 |..@...Boolean...|
00000410 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 |........@..False|
00000420 04 54 72 75 65 8d 40 00 2c 10 40 00 09 08 57 69 |.True.@.,.@...Wi|
00000430 64 65 43 68 61 72 03 00 00 00 00 ff ff 00 00 90 |deChar..........|
00000440 44 10 40 00 02 04 43 68 61 72 01 00 00 00 00 ff |D.@...Char......|
00000450 00 00 00 90 58 10 40 00 01 08 53 6d 61 6c 6c 69 |....X.@...Smalli|
00000460 6e 74 02 00 80 ff ff ff 7f 00 00 90 70 10 40 00 |nt..........p.@.|
00000470 01 07 49 6e 74 65 67 65 72 04 00 00 00 80 ff ff |..Integer.......|
00000480 ff 7f 8b c0 88 10 40 00 01 04 42 79 74 65 01 00 |......@...Byte..|
00000490 00 00 00 ff 00 00 00 90 9c 10 40 00 01 04 57 6f |..........@...Wo|
000004a0 72 64 03 00 00 00 00 ff ff 00 00 90 b0 10 40 00 |rd............@.|
000004b0 01 08 43 61 72 64 69 6e 61 6c 05 00 00 00 00 ff |..Cardinal......|
000004c0 ff ff ff 90 c8 10 40 00 10 05 49 6e 74 36 34 00 |......@...Int64.|
000004d0 00 00 00 00 00 00 80 ff ff ff ff ff ff ff 7f 90 |................|
000004e0 e4 10 40 00 04 08 45 78 74 65 6e 64 65 64 02 90 |..@...Extended..|
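The “Boolean” string is the Name field of Delphi’s run-time type information: each record in the dump is a pointer to the record that follows it, then a TTypeInfo (a Kind byte and a ShortString name) and the kind-specific TTypeData (value ranges for ordinals, value names for enumerations, the float format for reals). The Python below is an added example, not code from the book: it scans the bytes of the dump above for those self-pointers and decodes each record; the image base 0x400000 and the CODE section RVA 0x1000 it uses to resolve pointers are assumptions.

```python
import struct

# Bytes of the dump above (file offset 0x400 onward), transcribed from the page.
# Assumed: image base 0x400000, CODE at RVA 0x1000, so file offset 0x400 is VA 0x401000.
DUMP_VA = 0x401000
DUMP = bytes.fromhex(
    "04104000 0307426f 6f6c6561 6e010000 00000100 00000010 40000546 616c7365"
    "04547275 658d4000 2c104000 09085769 64654368 61720300 000000ff ff000090"
    "44104000 02044368 61720100 000000ff 00000090 58104000 0108536d 616c6c69"
    "6e740200 80ffffff 7f000090 70104000 0107496e 74656765 72040000 0080ffff"
    "ff7f8bc0 88104000 01044279 74650100 000000ff 00000090 9c104000 0104576f"
    "72640300 000000ff ff000090 b0104000 01084361 7264696e 616c0500 000000ff"
    "ffffff90 c8104000 1005496e 74363400 00000000 000080ff ffffffff ffff7f90"
    "e4104000 04084578 74656e64 65640290")
KINDS = {1: "tkInteger", 2: "tkChar", 3: "tkEnumeration", 4: "tkFloat",
         9: "tkWChar", 16: "tkInt64"}           # Delphi TTypeKind ordinals

def short_string(buf, off):
    """Pascal ShortString: a length byte, then the characters."""
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("latin-1"), off + 1 + n

def parse_delphi_typeinfo(buf, base_va):
    """Find self-pointers (a dword pointing 4 bytes past itself) and decode the TTypeInfo each one introduces."""
    found, off = [], 0
    while off + 4 <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] != base_va + off + 4:
            off += 1                             # not a record start: keep scanning
            continue
        kind = buf[off + 4]
        name, pos = short_string(buf, off + 5)
        info = {"name": name, "kind": KINDS.get(kind, kind)}
        if kind in (1, 2, 3, 9):                 # ordinal: OrdType, MinValue, MaxValue
            signed = buf[pos] % 2 == 0           # otSByte/otSWord/otSLong are even
            info["range"] = struct.unpack_from("<ii" if signed else "<II", buf, pos + 1)
            pos += 9
            if kind == 3:                        # enum: BaseType pointer, then value names
                pos, names = pos + 4, []
                for _ in range(info["range"][1] - info["range"][0] + 1):
                    value, pos = short_string(buf, pos)
                    names.append(value)
                info["values"] = names
        elif kind == 16:                         # Int64: MinInt64Value, MaxInt64Value
            info["range"] = struct.unpack_from("<qq", buf, pos)
            pos += 16
        elif kind == 4:                          # float: FloatType ordinal
            info["float_type"] = ("ftSingle", "ftDouble", "ftExtended", "ftComp", "ftCurr")[buf[pos]]
            pos += 1
        found.append(info)
        off = pos
    return found
```

Running it over the dump yields the ten built-in types in order, with Boolean decoded as an enumeration of False/True and Integer as the signed range -2147483648..2147483647; the padding bytes (90, 8b c0, 8d 40 00) between records are skipped by the self-pointer scan.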
