Assembly Language for Beginners

(Jeff_L) #1

5.1. IDENTIFICATION OF EXECUTABLE FILES


W?method$_class$n__v


5.1.5 Borland.


Here is an example of Borland Delphi’s and C++Builder’sname mangling:


@TApplication@IdleAction$qv
@TApplication@ProcessMDIAccels$qp6tagMSG
@TModule@$bctr$qpcpvt1
@TModule@$bdtr$qv
@TModule@ValidWindow$qp14TWindowsObject
@TrueColorTo8BitN$qpviiiiiit1iiiiii
@TrueColorTo16BitN$qpviiiiiit1iiiiii
@DIB24BitTo8BitBitmap$qpviiiiiit1iiiii
@TrueBitmap@$bctr$qpcl
@TrueBitmap@$bctr$qpvl
@TrueBitmap@$bctr$qiilll


Thenamesalwaysstartwiththe@symbol,thenwehavetheclassnamecame,methodname,andencoded
the types of the arguments of the method.


These names can be in the .exe imports, .dll exports, debug data, etc.


BorlandVisualComponentLibraries(VCL)arestoredin.bplfilesinsteadof.dllones, forexample, vcl50.dll,
rtl60.dll.


Another DLL that might be imported: BORLNDMM.DLL.


Delphi


Almost all Delphi executables has the “Boolean” text string at the beginning of the code segment, along
with other type names.


This is a very typical beginning of theCODEsegment of a Delphi program, this block came right after the
win32 PE file header:


00000400 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 |[email protected]...|
00000410 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 |[email protected]|
00000420 04 54 72 75 65 8d 40 00 2c 10 40 00 09 08 57 69 |.True.@.,[email protected]|
00000430 64 65 43 68 61 72 03 00 00 00 00 ff ff 00 00 90 |deChar..........|
00000440 44 10 40 00 02 04 43 68 61 72 01 00 00 00 00 ff |[email protected]......|
00000450 00 00 00 90 58 10 40 00 01 08 53 6d 61 6c 6c 69 |[email protected]|
00000460 6e 74 02 00 80 ff ff ff 7f 00 00 90 70 10 40 00 |nt..........p.@.|
00000470 01 07 49 6e 74 65 67 65 72 04 00 00 00 80 ff ff |..Integer.......|
00000480 ff 7f 8b c0 88 10 40 00 01 04 42 79 74 65 01 00 |[email protected]..|
00000490 00 00 00 ff 00 00 00 90 9c 10 40 00 01 04 57 6f |[email protected]|
000004a0 72 64 03 00 00 00 00 ff ff 00 00 90 b0 10 40 00 |rd............@.|
000004b0 01 08 43 61 72 64 69 6e 61 6c 05 00 00 00 00 ff |..Cardinal......|
000004c0 ff ff ff 90 c8 10 40 00 10 05 49 6e 74 36 34 00 |[email protected].|
000004d0 00 00 00 00 00 00 80 ff ff ff ff ff ff ff 7f 90 |................|
000004e0 e4 10 40 00 04 08 45 78 74 65 6e 64 65 64 02 90 |[email protected]..|
000004f0 f4 10 40 00 04 06 44 6f 75 62 6c 65 01 8d 40 00 |[email protected]..@.|
00000500 04 11 40 00 04 08 43 75 72 72 65 6e 63 79 04 90 |[email protected]..|
00000510 14 11 40 00 0a 06 73 74 72 69 6e 67 20 11 40 00 |[email protected] .@.|
00000520 0b 0a 57 69 64 65 53 74 72 69 6e 67 30 11 40 00 |..WideString0.@.|
00000530 0c 07 56 61 72 69 61 6e 74 8d 40 00 40 11 40 00 |..Variant.@.@.@.|
00000540 0c 0a 4f 6c 65 56 61 72 69 61 6e 74 98 11 40 00 |..OleVariant..@.|
00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000560 00 00 00 00 00 00 00 00 00 00 00 00 98 11 40 00 |..............@.|
00000570 04 00 00 00 00 00 00 00 18 4d 40 00 24 4d 40 00 |.........M@.$M@.|
00000580 28 4d 40 00 2c 4d 40 00 20 4d 40 00 68 4a 40 00 |(M@.,M@. [email protected]@.|
00000590 84 4a 40 00 c0 4a 40 00 07 54 4f 62 6a 65 63 74 |[email protected]@..TObject|
000005a0 a4 11 40 00 07 07 54 4f 62 6a 65 63 74 98 11 40 |[email protected]..@|
000005b0 00 00 00 00 00 00 00 06 53 79 73 74 65 6d 00 00 |........System..|
000005c0 c4 11 40 00 0f 0a 49 49 6e 74 65 72 66 61 63 65 |[email protected]|
000005d0 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 |................|

Free download pdf