crypto2011 / IDR

Interactive Delphi Reconstructor
MIT License

IDC Generator - access violation #63

Status: Open. nmz787 opened this issue 3 years ago

nmz787 commented 3 years ago

Loading this EXE fails autodetection of the version; I tried using 2 or 4 or 6... loading progresses without complaint: http://diyhpl.us/~nmz787/pdf/smi3200/software/Exec/Smi50.exe

Then clicking Tools, IDC Generator, then clicking "Open" (though this should probably really read "Save") I get a message like: Access violation at address 00673529 in module 'Idr.exe'. Read of address 00CD3540.

Running inside VirtualBox VM with uXP (micro/slimmed Windows XP) OS, using latest EXE in this github bin dir.

Not sure how to help myself with this one, since I don't have the borland C++ compiler to even attempt to compile IDR with debugging symbols, etc...

nmz787 commented 3 years ago

Trying it on Windows 7, autodetection also fails. Using version 2 yields EAccessViolation immediately after saying "yes" to use the native knowledge database. Using version 4 loads the file, but using the IDC generator produces: Access violation at address 0067A0AC in module 'Idr.exe'. Write of address 001F6B1C.

nmz787 commented 3 years ago

Hmm, actually my last attempt on Win7 was using this build: https://github.com/huettenhain/dhrake/releases/download/INITIAL/IDR.7z

Using the latest build in this repo, on Win7, and using Delphi version 4 with the KB files you posted to Dropbox in the README... I get this message when trying to dump the IDC: Access violation at address 77258DA9 in module 'ntdll.dll'. Write of address 00000014.

nmz787 commented 3 years ago

Running in admin mode doesn't solve it; though the addresses change, the message is otherwise the same.

crypto2011 commented 3 years ago

My IDR version (I don't know about the private builds you mentioned: ...huettenhain...). I had no exceptions, the idc-file was created normally, but IDA (version 7.0) couldn't run it - I get the message "Bad macro usage" at the end of the file. I cannot find any information about this error. I have changed OpenDialog to SaveDialog (my fault).

nmz787 commented 3 years ago

Can you post the IDC somewhere I can download? What OS did you run on? I think I only need the IDC file at this point, as I'm following a tutorial that uses it inside of Ghidra.

crypto2011 commented 3 years ago

Windows 7. Last binary version of IDR (here). Delphi 7. Do you want multipart idc-file or solid one?

nmz787 commented 3 years ago

Is that the binary in the top-level of the repo, or the one in the bin dir? (edit, the commit history shows it's the one in the top-level... is the bin dir meant to be removed from the repo?)

I'm following this blog post, and it doesn't mention anything about multi-part IDC file, so I guess the full one is what I'm after. https://blag.nullteilerfrei.de/2019/12/23/reverse-engineering-delphi-binaries-in-ghidra-with-dhrake/

Strange you don't get the exception like I do on Win 7. Did you download and run IDR on just the EXE I linked to, or did you download that whole directory and then run IDR on the EXE? (such that IDR would have access to any shared library files in that directory with the EXE)

nmz787 commented 3 years ago

When I ask did you run the EXE, I mean the Smi50.exe I posted in my original post. Is that what you are able to generate the IDC file with?

No I don't trust any private builds :) that is why I run in isolated VMs.

crypto2011 commented 3 years ago

Just the file Smi50.exe. Here is a link to idc (archive with password: 0123456789ABCDEF). https://drive.google.com/file/d/1EAD2l-5b5cJXtVKgansDNp4xs64Azeei/view?usp=sharing

nmz787 commented 3 years ago

Thanks for the file, it helped with my debugging!

nmz787 commented 3 years ago

> Windows 7. Last binary version of IDR (here). Delphi 7. Do you want multipart idc-file or solid one?

What did you mean by Delphi 7? I don't have Delphi installed, do you think that has anything to do with the access violation? I was able to export IDC file for another EXE... oh but that might not have been on the same Windows XP virtual machine. Hmm. I will have to try the original EXE I posted with the newer Windows VM (I think it was Win 8 or 10, I can't remember right now).