The first 4 bytes of the data segment (DATA) can be 00 00 00 00, 32 13 8B C0 or FF FF FF FF.
This information can be useful when dealing with packed/encrypted Delphi executables.
5.1.6 Other known DLLs.
- vcomp*.dll—Microsoft’s implementation of OpenMP.
5.2 Communication with outer world (function level)
It’s often advisable to track function arguments and return values in a debugger or DBI. For example, the
author once tried to understand the meaning of some obscure function, which happened to be an incorrectly
implemented bubble sort^4. (It worked correctly, but slower.) Meanwhile, watching the inputs and outputs of
such a function helps to understand instantly what it does.
Often, when you see division by multiplication (3.9 on page 497) but have forgotten all the details of its mechanics,
you can just observe the input and output and quickly find the divisor.
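The black-box approach above, as an added example that is not part of the book: two constructed functions are written the way a compiler emits unsigned division by a constant (magic multiplier plus shift), `find_divisor` probes them with increasing inputs to recover the divisor, and `verify_divisor` checks the guess on edge-case inputs, since a recovered constant is only trustworthy if it holds over the whole input range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Two "obscure" functions in the shape an optimizing compiler emits for
   unsigned division by a constant: multiply by a magic constant and keep
   the high, shifted part of the product. Constructed for this example. */
uint32_t obscure_a(uint32_t x)
{
    return (uint32_t)(((uint64_t)x * 0xAAAAAAABull) >> 33); /* x / 3 */
}

uint32_t obscure_b(uint32_t x)
{
    return (uint32_t)(((uint64_t)x * 0xCCCCCCCDull) >> 35); /* x / 10 */
}

/* Black-box probing: feed increasing inputs and watch the output. For a
   division by d, the output first becomes 1 exactly at x == d. */
uint32_t find_divisor(uint32_t (*f)(uint32_t), uint32_t limit)
{
    for (uint32_t x = 1; x < limit; x++)
        if (f(x) == 1)
            return x;
    return 0; /* output never reached 1: not a division, or d >= limit */
}

/* Confirm the guess against x / d on edge cases: the magic-constant trick
   only matches true division if constant and shift suit the full range. */
int verify_divisor(uint32_t (*f)(uint32_t), uint32_t d)
{
    if (d == 0)
        return 0;
    const uint32_t probes[] = { 0, 1, d - 1, d, d + 1, 12345, 0x7FFFFFFFu,
                                0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (f(probes[i]) != probes[i] / d)
            return 0;
    return 1;
}

int main(void)
{
    uint32_t (*fns[])(uint32_t) = { obscure_a, obscure_b };
    for (int i = 0; i < 2; i++) {
        uint32_t d = find_divisor(fns[i], 1u << 16);
        printf("function %c: looks like x / %u, verified: %s\n", 'a' + i, d,
               verify_divisor(fns[i], d) ? "yes" : "no");
    }
    return 0;
}
```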
5.3 Communication with the outer world (win32).
Sometimes it’s enough to observe some function’s inputs and outputs in order to understand what it does.
That way you can save time.
Files and registry access: for the very basic analysis, Process Monitor^5 utility from SysInternals can help.
For the basic analysis of network accesses, Wireshark^6 can be useful.
But then you will have to look inside anyway.
The first thing to look for is which functions from the OS’s APIs and standard libraries are used.
If the program is divided into a main executable file and a group of DLL files, sometimes the names of the
functions in these DLLs can help.
If we are interested in exactly what can lead to a call to MessageBox() with specific text, we can try to
find this text in the data segment, find the references to it and find the points from which the control may
be passed to the MessageBox() call we’re interested in.
(^4) https://yurichev.com/blog/weird_sort/
(^5) http://go.yurichev.com/17301
(^6) http://go.yurichev.com/17303