crypto2011 / IDR

Interactive Delphi Reconstructor
MIT License

How to use Assembly code? #76

Open mohammadkad opened 2 years ago

mohammadkad commented 2 years ago

Hello dear,

I'm using your great project for decompiling an .exe file (Delphi 7.0). I get a bunch of .pas and *.dfms and it seems OK, but many function contents are assembly code and have a style like this:

    procedure PROCEDURE_NAME(Sender:TObject);
    begin
    {
     0064A8CC    mov         eax,[006CBFFC];gvar_006CBFFC:TSaveDialog
     ...
    }
    end;

My question is how I can convert this commented assembly part to "Inline Assembly Code" [asm ... end;], and what should I do about the addresses and other parts?

Thanks in advance

crypto2011 commented 2 years ago

Hello. Do you need to decompile the whole program or only part of the logic?

(Replying by e-mail to Mohammad Kadkhodaei's message of Sun, 3 Jul 2022, 17:55.)

mohammadkad commented 2 years ago

Hello again,

I need to find a procedure behind a Button. First I receive this one: (Commented Assembly code!! + Addresses)

    procedure TExportFileForm.ConvertBtnClick(Sender:TObject);
    begin
    {*
     0064AB70    push        ebp
     0064AB71    mov         ebp,esp
     0064AB73    xor         ecx,ecx
     0064AB75    push        ecx
     0064AB76    push        ecx
     ....

Then I use your feature and convert it to delphi source code, it turned to this one:

    procedure TExportFileForm.ConvertBtnClick(Sender:TObject);
    var
      lvar_8:TCaption;
      lvar_C:TCaption;
      lvar_10:TCaption;
      lvar_14:TCaption;
      EAX : TEdit;
      ECX : Integer;
      EBX : Tobject;
      //lvar_4:AnsiString;
      //lvar_8:AnsiString;
      //lvar_C:AnsiString;
      //lvar_10:AnsiString;
      //lvar_14:AnsiString;
    begin//0
      //0064AB70
      ECX := 0;
      EBX := Self;
      try
        //0064AB8B
        EAX := edFilename;
        lvar_8 := edFilename.Text;
        //0064AB99
        EAX := edDestination;
        lvar_C := edDestination.Text;
        if (lvar_8 = '') Or (lvar_C = '') then
        ...

I can't go further because the assembly code is strange to me and I can't handle the addresses; the Delphi code is also very strange (a combination of Delphi and asm).
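An added example, not part of the thread and not IDR code: a small parser for the commented-assembly lines quoted above that lists the absolute addresses (such as [006CBFFC]) an instruction depends on, since those refer to locations in the original image and would need to become named variables before any line could be reused in an asm ... end block. The line layout is assumed from the lines quoted in the posts, and `Insn`, `parse_listing` and `globals_needed` are hypothetical names.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Layout assumed from the lines quoted in the thread:
#   <8-hex address> <mnemonic> [operands][;annotation]
LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9A-Fa-f]{8})\s+(?P<mnem>[A-Za-z]\w*)"
    r"(?:\s+(?P<ops>[^;]*?))?\s*(?:;(?P<note>.*))?$"
)
ABS_MEM_RE = re.compile(r"\[([0-9A-Fa-f]{8})\]")  # absolute operand, e.g. [006CBFFC]

class Insn(NamedTuple):
    addr: int
    mnemonic: str
    operands: str
    note: Optional[str]        # text after ';', e.g. gvar_006CBFFC:TSaveDialog
    abs_refs: Tuple[int, ...]  # absolute addresses used as memory operands

def parse_listing(text):
    """Return the instruction lines; wrapper lines ('{*', '....', 'end;') are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ops = (m.group("ops") or "").strip()
        note = (m.group("note") or "").strip() or None
        refs = tuple(int(a, 16) for a in ABS_MEM_RE.findall(ops))
        insns.append(Insn(int(m.group("addr"), 16), m.group("mnem"), ops, note, refs))
    return insns

def globals_needed(insns):
    """Map each absolute address to the annotation naming it (None if unnamed)."""
    needed = {}
    for insn in insns:
        for ref in insn.abs_refs:
            needed.setdefault(ref, insn.note)
    return needed

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE = """\
{*
 0064A8CC    mov         eax,[006CBFFC];gvar_006CBFFC:TSaveDialog
 0064AB70    push        ebp
 0064AB71    mov         ebp,esp
 ....
*}
"""
print({f"{a:08X}": n for a, n in globals_needed(parse_listing(SAMPLE)).items()})
```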

crypto2011 commented 2 years ago

Can you send me a file? Just make a 7z archive with a password and upload it to Google Disk.

(Replying by e-mail to Mohammad Kadkhodaei's message of Mon, 4 Jul 2022, 20:48.)

mohammadkad commented 2 years ago

Of course. Can I mail it to you?

crypto2011 commented 2 years ago

Try to mail

(Replying by e-mail to Mohammad Kadkhodaei's message of Mon, 4 Jul 2022, 21:06.)