View Single Post
  #5  
Old 06-13-2019, 03:12
zeffy zeffy is offline
Friend
 
Join Date: Jul 2017
Posts: 39
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 141
Thanks Rcvd at 140 Times in 40 Posts
zeffy Reputation: 3
IDR can be good for viewing class metadata and generating scripts that can (sometimes) improve IDA results, although they usually need to be manually edited to fix some bogus results.

With IDA I've noticed sometimes it doesn't automatically detect a Delphi executable, so you can improve the analysis by:

- Open the executable but uncheck automatic analysis.
- Options -> Compiler to Delphi with calling convention Fastcall.
- Set the default string literals to Delphi or Delphi (16 bits), depending on how recent the executable is.
- View -> Open Subviews -> Type libraries, remove the defaults.
- View -> Open Subviews -> Signatures, remove the default and add the flirt signatures for your target (for example "bds" for Delphi 6/7), and mssdk32/64.
- Finally, start the analysis.

This can help quite a bit, although the flirt signatures tend to have a lot of false positives for VCL functions, so just be aware.
Reply With Quote
The Following 3 Users Say Thank You to zeffy For This Useful Post:
Indigo (07-19-2019), niculaita (06-23-2019), SinaDiR (06-23-2019)