Reverse Engineering (Decompiling) Delphi Applications

Decompilation? Reverse? Cracking?
Simply speaking, decompilation is the inverse of compilation: translating an executable file into a higher level language.
Suppose you have lost your Delphi project’s source and only have the executable file: this is where reverse engineering (decompilation) becomes useful, since the original sources are not available.
Hm, “sources not available”: does this mean that we can decompile other people’s Delphi projects? Well, yes and no...

Is true decompilation possible?
No, of course not. Fully automated decompilation is not possible – no decompiler could exactly reproduce the original source code.

When a Delphi project is compiled and linked to produce a standalone executable file, most of the names used in the program are converted to addresses. This loss of names means that a decompiler would have to create unique names for all the constants, variables, functions, and procedures. Even if a certain degree of success is achieved, the generated “source code” lacks meaningful variable and function names.
Obviously, source language syntax no longer exists in the executable. It would be very difficult for a decompiler to interpret the series of machine language instructions (ASM) that exist in an executable file and decide what the original source instruction was.

Why and when to use it
Reverse engineering can be used for several reasons, some of which are:
– Recovery of lost source code
– Migration of applications to a new hardware platform
– Determination of the existence of viruses or malicious code in the program
– Error correction when the owner of the application is not available to make the correction
– Recovery of someone else’s source code (to determine an algorithm, for example)

Is this legal?
Reverse engineering is NOT cracking, although it is sometimes difficult to draw the fine line between the two. Computer programs are protected by copyright and trademark laws. Different countries have different exceptions to the copyright owner’s rights. The most common ones state that it is OK to decompile: for the purposes of interoperability where the interface specification has not been made available; for the purposes of error correction where the owner of the copyright is not available to make the correction; and to determine the parts of the program that are not protected by copyright. Of course you should be very careful, and contact your lawyer if you are in doubt whether you are permitted to disassemble some program’s exe file.

Note: if you are looking for Delphi cracks, key generators or just serial numbers: you are on the wrong site. Please bear in mind that everything you find here is written/presented for exploration / educational purposes only.

For the moment, Borland does not offer any product capable of decompiling an executable (.exe) file or the “Delphi compiled unit” (.dcu) back to the original source code (.pas).

Delphi compiled unit: DCU

When a Delphi project is compiled or run, a compiled unit file is created for each unit (.pas) file. By default the compiled version of each unit is stored in a separate binary-format file with the same name as the unit file, but with the extension .DCU. For example, unit1.dcu contains the code and data declared in the unit1.pas file.
This means that if you have someone’s compiled code (a component distributed as .dcu files, for example) all you have to do is reverse it and get the source. Wrong. The DCU file format is undocumented (a proprietary format) and may change from version to version.

After the compiler: Delphi Reverse Engineering
If you would like to try to decompile a Delphi executable file, these are some of the things you should know:

Delphi program source files are usually stored in two file types: ASCII code files (.pas, .dpr) and resource files (.res, .rc, .dfm, .dcr). DFM files contain the details (properties) of the objects contained in a form. When creating an exe, Delphi copies the information in the .dfm files into the finished .exe file. Form files describe each component on your form, including the values of all persistent properties. Every time we change a form’s position or a button’s caption, or assign an event procedure to a component, Delphi writes those modifications to the DFM file (not the code of the event procedure – that is stored in the pas/dcu file). In order to get the “dfm” out of the executable file we need to understand what types of resources are stored inside a Win32 executable.

All programs compiled by Delphi have the following sections: CODE, DATA, BSS, .idata, tls, .rdata, .rsrc. The most important from a decompiling point of view are the CODE and .rsrc sections. The “Adding functionality to a Delphi program” article shows some interesting facts about the Delphi executable format, class info and DFM resources: how to reassign events to be handled by other event handlers defined in the same form, and even how to add your own event handler, adding code to the executable that will change the caption of a button.
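To see what that section list looks like when read out of a file, here is an added example (not code from the article, nor from any tool it names): a small PE section-table walker in Python. Because no real executable ships with the text, it builds a constructed PE header in memory (DOS stub, PE signature, COFF header with no optional header, one section header per name the article lists, with the TLS section spelled .tls as the linker writes it) and parses it back; parse_sections works the same way on a real file read with open(path, "rb").read(), and the .rsrc entry it returns is where a resource walk for RT_RCDATA would start.

```python
"""Walking the section table of a Win32 PE image. Added example, not code
from the article or from any tool it names. It builds a constructed,
minimal PE header in memory (DOS stub, PE signature, COFF header, no
optional header, one header per section the article lists) and parses it
back; parse_sections() reads a real file the same way."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section names the article gives for Delphi-built programs (the TLS
# section is spelled ".tls" by the linker).
DELPHI_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".rsrc"]


def parse_sections(image: bytes) -> list:
    """Return [(name, virtual_address, raw_offset, raw_size, characteristics)]
    from the IMAGE_SECTION_HEADER array that follows the optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ signature)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        (name, _vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, rawptr, rawsize, chars))
    return sections


def find_section(sections: list, name: str):
    return next((s for s in sections if s[0] == name), None)


def looks_like_delphi(sections: list) -> bool:
    """Heuristic from the article: Delphi names its main sections CODE/DATA/BSS
    instead of the .text/.data/.bss a C toolchain would use."""
    return {"CODE", "DATA", "BSS"} <= {s[0] for s in sections}


def build_sample_image() -> bytes:
    """Constructed PE header; not a runnable program, just enough for the walk."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x014C, len(DELPHI_SECTIONS), 0, 0, 0, 0, 0x0102)
    headers = bytearray()
    va = 0x1000
    for name in DELPHI_SECTIONS:
        if name == "CODE":
            chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
        elif name == "BSS":
            chars = IMAGE_SCN_CNT_UNINITIALIZED_DATA
        else:
            chars = IMAGE_SCN_CNT_INITIALIZED_DATA
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                               0x200, va, 0x200, va, 0, 0, 0, 0, chars)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers)


if __name__ == "__main__":
    for name, va, raw, size, chars in parse_sections(build_sample_image()):
        print(f"{name:8} VA=0x{va:06X} raw=0x{raw:06X} size=0x{size:X} chars=0x{chars:08X}")
```

The CODE/DATA/BSS naming is only a hint that a binary came out of the Delphi linker; a packed or relinked file can carry any names, so treat looks_like_delphi as a first-pass triage check rather than proof.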

Among the many types of resources stored in an exe file, the RT_RCDATA (application-defined, raw data) resource holds the information that was in the DFM file before compilation. In order to extract the DFM data from an exe file we can call the EnumResourceNames API function… For more information on extracting a DFM from an executable, see the Coding a Delphi DFM explorer article.
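Once an RT_RCDATA blob has been pulled out of the executable, what remains is the binary form stream itself. The following is an added example, not code from the article or from any of the decompilers it mentions: a plain-Python reader that turns that stream back into the text DFM layout that Delphi (and the tools below) show. It assumes the framing I know from TWriter in Delphi’s Classes.pas (the TPF0 signature, length-prefixed short strings, one TValueType byte per property value, vaNull terminators for the property and child lists) and decodes 8-bit strings as Latin-1, as pre-Unicode Delphi versions store them. Only the value kinds common in forms are handled; the sample stream is constructed by hand for the demo.

```python
"""Decoding a binary DFM (the TPF0 stream the Delphi streaming system
writes) into text form. Added example, not code from the article or from
the tools it names; it covers the value kinds common in forms rather
than every TValueType, and the sample stream is constructed by hand."""
import math
import struct

# TValueType ordinals as emitted by TWriter in Classes.pas
vaNull, vaList, vaInt8, vaInt16, vaInt32, vaExtended = 0, 1, 2, 3, 4, 5
vaString, vaIdent, vaFalse, vaTrue, vaSet = 6, 7, 8, 9, 11
vaLString, vaNil, vaInt64, vaUTF8String = 12, 13, 19, 20

def is_dfm(blob: bytes) -> bool:
    """RT_RCDATA entries that hold forms start with the filer signature."""
    return blob[:4] == b"TPF0"

def quote(s: str) -> str:
    return "'" + s.replace("'", "''") + "'"

class DfmReader:
    def __init__(self, data: bytes):
        self.d, self.p = data, 0

    def take(self, n: int) -> bytes:
        if self.p + n > len(self.d):
            raise ValueError("truncated DFM stream")
        self.p += n
        return self.d[self.p - n:self.p]

    def peek(self) -> int:
        if self.p >= len(self.d):
            raise ValueError("truncated DFM stream")
        return self.d[self.p]

    def short_str(self) -> str:          # 1 length byte + chars (TWriter.WriteStr)
        return self.take(self.take(1)[0]).decode("latin-1")

    def long_bytes(self) -> bytes:       # 4-byte length + payload
        return self.take(struct.unpack("<I", self.take(4))[0])

    def value(self, indent: int) -> str:
        t = self.take(1)[0]
        if t in (vaInt8, vaInt16, vaInt32, vaInt64):
            n = {vaInt8: 1, vaInt16: 2, vaInt32: 4, vaInt64: 8}[t]
            return str(int.from_bytes(self.take(n), "little", signed=True))
        if t == vaString:
            return quote(self.short_str())
        if t == vaLString:
            return quote(self.long_bytes().decode("latin-1"))
        if t == vaUTF8String:
            return quote(self.long_bytes().decode("utf-8"))
        if t == vaIdent:                 # enum values and event-handler names
            return self.short_str()
        if t in (vaFalse, vaTrue, vaNil):
            return {vaFalse: "False", vaTrue: "True", vaNil: "nil"}[t]
        if t == vaSet:                   # element names until an empty string
            items = []
            while (s := self.short_str()):
                items.append(s)
            return "[" + ", ".join(items) + "]"
        if t == vaList:                  # nested values until vaNull
            pad, items = "  " * (indent + 2), []
            while self.peek() != vaNull:
                items.append(pad + self.value(indent + 1))
            self.take(1)
            return "(\n" + "\n".join(items) + ")"
        if t == vaExtended:              # 80-bit x87: 64-bit mantissa, 15-bit exponent, sign
            raw = self.take(10)
            mant, se = int.from_bytes(raw[:8], "little"), int.from_bytes(raw[8:], "little")
            val = 0.0 if mant == 0 else math.ldexp(mant, (se & 0x7FFF) - 16383 - 63)
            return repr(-val if se & 0x8000 else val)
        raise ValueError(f"unsupported value type {t}")

    def component(self, indent: int = 0) -> list:
        pad, keyword, child_pos = "  " * indent, "object", None
        if self.peek() & 0xF0 == 0xF0:   # optional filer-flags prefix byte
            flags = self.take(1)[0] & 0x0F
            if flags & 2:                # ffChildPos: an integer value follows
                child_pos = self.value(indent)
            keyword = "inherited" if flags & 1 else "inline" if flags & 4 else "object"
        cls, name = self.short_str(), self.short_str()
        head = f"{pad}{keyword} {name}: {cls}" if name else f"{pad}{keyword} {cls}"
        lines = [head + (f" [{child_pos}]" if child_pos is not None else "")]
        while self.peek() != vaNull:     # properties: name, then a typed value
            prop = self.short_str()
            lines.append(f"{pad}  {prop} = {self.value(indent)}")
        self.take(1)
        while self.peek() != vaNull:     # child components
            lines.extend(self.component(indent + 1))
        self.take(1)
        return lines + [f"{pad}end"]

def dfm_to_text(blob: bytes) -> str:
    if not is_dfm(blob):
        raise ValueError("no TPF0 signature: not a binary DFM")
    reader = DfmReader(blob)
    reader.take(4)
    return "\n".join(reader.component())

def _s(s: str) -> bytes:
    """Short string as TWriter.WriteStr emits it (used to build the sample)."""
    return bytes([len(s)]) + s.encode("latin-1")

# Constructed sample: a login form with a masked edit box and an OK button.
SAMPLE_DFM = (
    b"TPF0" + _s("TForm1") + _s("Form1")
    + _s("Left") + bytes([vaInt16]) + (192).to_bytes(2, "little", signed=True)
    + _s("Caption") + bytes([vaString]) + _s("Login")
    + _s("Visible") + bytes([vaTrue])
    + _s("Font.Style") + bytes([vaSet]) + _s("fsBold") + _s("")
    + bytes([vaNull])                                   # end of Form1 properties
    + _s("TEdit") + _s("edtPassword")
    + _s("PasswordChar") + bytes([vaString]) + _s("*")
    + _s("Top") + bytes([vaInt8]) + (40).to_bytes(1, "little", signed=True)
    + bytes([vaNull, vaNull])                           # end of properties, no children
    + _s("TButton") + _s("btnOK")
    + _s("Caption") + bytes([vaString]) + _s("OK")
    + _s("OnClick") + bytes([vaIdent]) + _s("btnOKClick")  # event handler name
    + bytes([vaNull, vaNull])
    + bytes([vaNull])                                   # end of Form1 children
)
```

Running dfm_to_text(SAMPLE_DFM) yields the familiar “object Form1: TForm1 … end” listing. Note what survives the compile: component names, every persistent property, and the names of the event handlers (OnClick = btnOKClick), which is exactly the starting point the decompilers below use to pair a form with its published methods, and also why anything secret placed in a form property is readable to anyone with the executable.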

The art of reverse engineering has traditionally been the land of technical wizards, familiar with assembly language and debuggers. Several Delphi decompilers have appeared that allow anybody, even with limited technical knowledge, to reverse engineer most Delphi executable files.

If you are interested in reverse engineering Delphi programs, I suggest you take a look at the following “decompilers”:

IDR (Interactive Delphi Reconstructor)
IDR is a decompiler of executable files (EXE) and dynamic libraries (DLL), written in Delphi and run in a Win32 environment. The project’s final goal is a program capable of restoring most of the original Delphi source code from the compiled file, but IDR, like the other Delphi decompilers, cannot do that yet. Nevertheless, IDR is at a stage where it considerably facilitates that process. Compared with the other well-known Delphi decompilers, the result of IDR’s analysis is the most complete and reliable.

Revendepro
Revendepro finds almost all structures (classes, types, procedures, etc.) in the program and generates the Pascal representation; procedures are written out in assembler. Due to some limitations in the assembler output, the generated code cannot be recompiled. The source to this decompiler is freely available. Unfortunately this is the only decompiler I was not able to use – it throws an exception when you try to decompile some Delphi executable files.

EMS Source Rescuer
EMS Source Rescuer is an easy-to-use wizard application which can help you restore your lost source code. If you lose your Delphi or C++Builder project sources but still have the executable file, this tool can rescue part of the lost sources. Rescuer produces all project forms and data modules with all assigned properties and events. The produced event procedures don’t have a body (it is not a decompiler), but they do carry the address of the code in the executable file. In most cases Rescuer saves 50-90% of the time needed to restore a project.

DeDe
DeDe is a very fast program that can analyze executables compiled with Delphi. After decompilation DeDe gives you the following:
– All DFM files of the target. You will be able to open and edit them with Delphi.
– All published methods as well-commented ASM code with references to strings, imported function calls, class method calls, components in the unit, and Try-Except and Try-Finally blocks. By default DeDe retrieves only the published methods’ code, but you may also process any other procedure in an executable if you know its RVA offset, using the Tools|Disassemble Proc menu.
– A lot of additional information.
– You can create a Delphi project folder with all the dfm, pas and dpr files. Note: the pas files contain the well-commented ASM code mentioned above. They cannot be recompiled!