I have spent some time reverse engineering Delphi binaries with IDA & HexRays at work, but IDA tends to make a few mistakes and I wrote a few scripts to fix them. Then Ghidra came along and I was very curious to know how it would fare against some of the Delphi malware that I know and ~~loathe~~ love. I'd say it does about as badly as IDA, and so I went on a journey to rewrite my scripts from work as Ghidra scripts.

The project is called **Dhrake**, which is short for _"Delphi hand rake"_. I hope that by putting the code out there, people will be able to copy & paste relevant portions of it, because the scripts do a few things that you regularly want to automate.

In this accompanying article, I will focus on the initial repairs that Dhrake performs on a freshly analyzed Delphi binary in Ghidra, and I will showcase these features by analyzing () with the following SHA-256 hash: 3873e9ee0c14e659d11e280acd6ac109f52bc78e294953371dd58ff8f6cf787

If you load this into vanilla Ghidra 9.1.1, it decompiles the entry point as follows:

```
/* WARNING: Subroutine does not return */
```

To be very precise, I had to `__declspec(noreturn)` the call `FUN_00405134` to avoid some faulty output, but that's irrelevant (unless you try to reproduce the above and get confused).

I'll not torture you with any suspense here: These are not the droids we are looking for.