Trying to break on a WM_LBUTTONUP within a DELPHI app

Stingered · #1 03-25-2018, 04:50

Trying to catch a registration dialog so I can RE the keygen algo, but I cannot seem to be able to break on the dialog. It's a Delphi app, and using conventional methods in OllyDBG and/or x64DBG gets me nothing. I've tried hard-code BO in user32.dll and a windows message break point. Anyway, basically just you just load up the open windows handles in OllyDBG or X64DBG and break on the button command. Doesn't work though.

Any ideas?

[edit]

Tried using IDR and it crashes every single time.

Thx

niculaita · #2 03-25-2018, 20:02

it s a fake delphi app
that was compiled this mode only to deceive reverser

Stingered · #3 03-26-2018, 00:15

Quote:

Originally Posted by niculaita

it s a fake delphi app
that was compiled this mode only to deceive reverser

I see your point. However, everything identifies as Embarcadero Delphi.

https://www.davidesperalta.com/appbuilder/

ionioni · #4 03-26-2018, 01:07

Quote:

Originally Posted by Stingered

I see your point. However, everything identifies as Embarcadero Delphi.

https://www.davidesperalta.com/appbuilder/

yellow is onOK procedure

Apuromafo · #5 03-29-2018, 10:26

use IDA open analize and and export a map...
use idr, only open and export a map

in x64dbg use (plugin https://github.com/x64dbg/x64dbg/wiki/Plugins)
[Download] SwissArmyKnife by Nukem: x64dbg utility for linker map files, diff files, peid/ida signatures, and code signature generation.

for import map

in normal x64dbg, try to use labels for guide

br, Apuromafo

sendersu · #6 03-29-2018, 14:28

Quote:

Originally Posted by Apuromafo

use IDA open analize and and export a map...
use idr, only open and export a map

in x64dbg use (plugin https://github.com/x64dbg/x64dbg/wiki/Plugins)
[Download] SwissArmyKnife by Nukem: x64dbg utility for linker map files, diff files, peid/ida signatures, and code signature generation.

for import map

in normal x64dbg, try to use labels for guide

br, Apuromafo

IDR is enough (if Delphi is not very modern)
the rest is not required

Levis · #7 03-29-2018, 16:14

You should try to locate address of VCL Component's procedure and break there (depend on which one you're looking for). IDA/IDR should be great, but i simply prefer PE Explorer because It's lightweight. Got success with old Delphi versions

sendersu · #8 03-29-2018, 18:59

IDR has the brilliant feature - shows/locates any control handler routine like a charm.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
why I can't break	zaratustra	General Discussion	3	10-01-2004 17:28

The Following User Says Thank You to niculaita For This Useful Post:
Stingered (03-26-2018)

The Following User Says Thank You to ionioni For This Useful Post:
Stingered (03-26-2018)

The Following User Says Thank You to Apuromafo For This Useful Post:
Stingered (03-30-2018)

The Following User Says Thank You to Levis For This Useful Post:
Stingered (03-30-2018)

The Following User Says Thank You to sendersu For This Useful Post:
Stingered (03-30-2018)