
Author Topic: Decompile Pascal Binaries  (Read 866 times)

revindrakm

  • Newbie
  • Posts: 3
Decompile Pascal Binaries
« on: October 24, 2024, 12:37:32 am »
I need help decrypting this file. I've been trying for days, but I don't know what I'm doing wrong. https://drive.google.com/file/d/1LjmgShY7GFh15qOHZf9lGwUZI0VXFSl4/view?usp=sharing

Even using IDA Pro, it seems like it has more than one block.

Fibonacci

  • Hero Member
  • *****
  • Posts: 594
  • Internal Error Hunter
Re: Decompile Pascal Binaries
« Reply #1 on: October 24, 2024, 01:40:33 am »
This is a compiled Pascal Script, likely from Inno Setup, from the Eudemons Online game installer. What it does is irrelevant, as the objects referenced in the script are linked with the main program. This compiled script can only use a few functions and structures provided by the actual executable. Nothing extra special to "decrypt" here.

Code:
Offset Size Type String
0000 05 A IFPS
009e 07 A BOOLEAN
00b3 0c A TBITMAPIMAGE
00c3 0c A TBITMAPIMAGE
00d8 05 A TFORM
00e1 05 A TFORM
00ef 0b A TWINCONTROL
00fe 0b A TWINCONTROL
0112 07 A TBITMAP
011d 07 A TBITMAP
012d 08 A TCONTROL
0139 08 A TCONTROL
014a 0a A TCOMPONENT
0158 0a A TCOMPONENT
016b 09 A TMAINFORM
0178 09 A TMAINFORM
018a 0b A TWIZARDFORM
0199 0b A TWIZARDFORM
01d3 05 A !MAIN
01eb 1a A GETBACKGROUNDIMAGEFILENAME
0209 06 A 16 @16
0211 0e A EXPANDCONSTANT
0226 15 A EXTRACTTEMPORARYFILE
0243 0f A EXTRACTFILENAME
0265 16 A DISPLAYBACKGROUNDIMAGE
027f 0e A -1 @29 @27 @16
0293 1a A class:TBITMAPIMAGE|BITMAP|
02b7 1c A class:TGRAPHIC|LOADFROMFILE|
02dc 1b A class:TBITMAPIMAGE|CENTER@|
0301 1d A class:TBITMAPIMAGE|AUTOSIZE@|
0328 15 A class:TCONTROL|WIDTH|
0347 15 A class:TCONTROL|LEFT@|
0366 16 A class:TCONTROL|HEIGHT|
0386 14 A class:TCONTROL|TOP@|
03ab 10 A INITIALIZEWIZARD
03c7 16 A class:TCONTROL|CREATE|
03e2 08 A MAINFORM
03f5 17 A class:TCONTROL|PARENT@|
0412 0a A WIZARDFORM
042e 0e A CREATELOGOFORM
0448 07 A class:-
0455 16 A class:TCONTROL|WIDTH@|
0475 17 A class:TCONTROL|HEIGHT@|
0496 19 A class:TFORM|BORDERSTYLE@|
04b9 16 A class:TFORM|POSITION@|
04d9 11 A class:TFORM|SHOW|
04f2 17 A class:TCONTROL|REPAINT|
050d 05 A SLEEP
0525 0c A FREELOGOFORM
0539 09 A !ASSIGNED
054e 13 A class:TOBJECT|FREE|
0569 07 A class:-
057d 0f A INITIALIZESETUP
0594 13 A REGQUERYSTRINGVALUE
05b2 0a A FILEEXISTS
05c4 0c A REMOVEQUOTES
05d8 06 A MSGBOX
05e8 09 A SHELLEXEC
060a 0e A CURPAGECHANGED
061c 06 A -1 @10
0628 1a A class:TWINCONTROL|SHOWING|
064c 12 A class:TFORM|CLOSE|
066d 0e A CURSTEPCHANGED
067f 06 A -1 @39
0692 17 A CURUNINSTALLSTEPCHANGED
06ad 07 A -1 @40
06d7 06 A {tmp}\
090f 05 A 1.bmp
0b99 09 A Setup.bmp
0e02 0f A UninstallString
0e25 5e A SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DC77B24-075D-4D58-A434-C83312C32BB7}_is1
0f2c 8e A Setup checks your computer has been installed Eudemons Online,the installation Eudemons Online need to uninstall the installed Eudemons Online
0fbc 1f A would you want to uninstall it?
10a1 05 U ЀЄЄЄЄ
1172 05 A 1.bmp
11e9 05 A 1.bmp
1260 05 A 2.bmp
12d7 05 A 3.bmp
134e 05 A 4.bmp
1439 35 A http://install.91.com/analyzeinstall.aspx?o=1&g=11001
148c 05 U ЀЄЄЄЄ
1536 35 A http://install.91.com/analyzeinstall.aspx?o=0&g=11001
1589 05 U ЀЄЄЄЄ

revindrakm

  • Newbie
  • Posts: 3
Re: Decompile Pascal Binaries
« Reply #2 on: October 24, 2024, 01:46:44 am »
These are the buttons, yes, you are correct, but it seems they encrypted the buttons inside this file.

TRon

  • Hero Member
  • *****
  • Posts: 3619
Re: Decompile Pascal Binaries
« Reply #3 on: October 24, 2024, 02:20:57 am »
I don't think you got the message. There is nothing to decrypt from that script. It is as simple as that.

No matter what you are trying to accomplish it looks and smells shady and for that you are at the wrong address.
This tagline is powered by AI (AI advertisement: Free Pascal the only programming language that matters)

revindrakm

  • Newbie
  • Posts: 3
Re: Decompile Pascal Binaries
« Reply #4 on: October 24, 2024, 02:32:21 am »
Oh, OK. Thanks, guys.

Aruna

  • Hero Member
  • *****
  • Posts: 513
Re: Decompile Pascal Binaries
« Reply #5 on: October 25, 2024, 02:42:26 am »
Quote from: Fibonacci on October 24, 2024, 01:40:33 am
This is a compiled Pascal Script, likely from Inno Setup, from the Eudemons Online game installer. What it does is irrelevant, as the objects referenced in the script are linked with the main program. This compiled script can only use a few functions and structures provided by the actual executable. Nothing extra special to "decrypt" here.


Hi @Fibonacci, what did you use to get this output? I ran
Code:
strings CompiledCode.bin
and got something similar but not your exact output. So I am curious to find out how you did this, please?

Fibonacci

  • Hero Member
  • *****
  • Posts: 594
  • Internal Error Hunter
Re: Decompile Pascal Binaries
« Reply #6 on: October 25, 2024, 02:52:51 am »
Quote from: Aruna on October 25, 2024, 02:42:26 am
Hi @Fibonacci, what did you use to get this output? I ran "strings CompiledCode.bin" and got something similar but not your exact output. So I am curious to find out how you did this, please?

I used Detect It Easy: https://github.com/horsicq/Detect-It-Easy

Aruna

  • Hero Member
  • *****
  • Posts: 513
Re: Decompile Pascal Binaries
« Reply #7 on: October 25, 2024, 03:18:51 am »
Quote from: Fibonacci on October 25, 2024, 02:52:51 am
Quote from: Aruna on October 25, 2024, 02:42:26 am
Hi @Fibonacci, what did you use to get this output? I ran "strings CompiledCode.bin" and got something similar but not your exact output. So I am curious to find out how you did this, please?
I used Detect It Easy: https://github.com/horsicq/Detect-It-Easy

Thank you @Fibonacci. This Detect-It-Easy is very comprehensive just looking at the screenshots (wow). I wonder if we can do something similar using the Laz-IDE and fpc?

Fibonacci

  • Hero Member
  • *****
  • Posts: 594
  • Internal Error Hunter
Re: Decompile Pascal Binaries
« Reply #8 on: October 25, 2024, 03:44:41 am »
Quote from: Aruna on October 25, 2024, 03:18:51 am
Thank you @Fibonacci. This Detect-It-Easy is very comprehensive just looking at the screenshots (wow). I wonder if we can do something similar using the Laz-IDE and fpc?

Sure can, why not you :D

DIE can detect thousands of signatures (its mainly for crypters/protectors), and the scripts are in the 'db' directory. Here's an example for detecting FPC PE binaries: https://github.com/horsicq/Detect-It-Easy/blob/master/db/PE/Free_Pascal.4.sg

What it finds:
Code:
PE32
Operation system: Windows(95)[I386, 32-bit, GUI]
Compiler: Free Pascal(3.3.1 [2023/08/12] for i386)
Language: Object Pascal

Really like this software ;) Among PE tools, I can also recommend PE-Bear. I know someone on this forum has written a tool similar to PE-Bear (in FPC+Lazarus of course), but I don’t remember who.

440bx

  • Hero Member
  • *****
  • Posts: 4727
Re: Decompile Pascal Binaries
« Reply #9 on: October 25, 2024, 05:57:26 am »
Quote from: Fibonacci on October 25, 2024, 03:44:41 am
I know someone on this forum has written a tool similar to PE-Bear (in FPC+Lazarus of course), but I don’t remember who.
You might be referring to me.  I wrote PeBytesF which is a PE dump/viewer type of program similar to PEBear, CFF Explorer, Dumpbin, Matt Pietrek's PEDump and many others.  It was my _first_ FPC program, a port from the C version I wrote many years before I started using FPC.  It was an exercise in FPC proficiency. :)  (and a chance to leave behind some C code I was never pleased with.)

For those who might be interested, the link to the latest version of my PE viewer is:
https://forum.lazarus.freepascal.org/index.php/topic,46617.msg459635.html#msg459635

There are some things my PE viewer does better than any other: 1. when it comes to displaying PE information, it is the most complete one (there is enough information to edit the PE data using a hex editor.) 2. it is by far the one that presents the information in the most intelligible, readable and understandable way, hands down! 3. it's the only PE viewer that presents the information in both raw and cooked format. 4. it tells you if the PE uses some areas for multiple purposes. 5. it is often the _only_ one which outputs the LOAD CONFIG directory completely and accurately (even MS' Dumpbin fails to do that for some PE files.)

One thing it doesn't do that others do (but poorly) is disassemble the code section(s).  PEBear, CFF Explorer and dumpbin (likely among others) do but, they do a linear dis-assembly which means a significant percentage of the dis-assembly will be incorrect because they do _not_ recognize data stored in code segments, effectively making the dis-assembly less than useless because it is misleading.

Dumpbin has one feature I like that PeBytesF does not have (and will _not_ have) which is: it can use PDB symbols to produce a reasonably good dis-assembly but, if dis-assembly is desired then the free version of IDA does a much better job.
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.
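As an added example for the two PE posts above (Reply #8, where DIE's signature script identifies an FPC build from the PE, and Reply #9, on dumping the data directories including LOAD CONFIG), the Python below is my own code, not DIE's .sg script and not PeBytesF. It parses just enough of a PE header to report what DIE printed (PE32 or PE32+, machine, subsystem) and the populated data directories, and it recovers the compiler line by matching the version banner FPC embeds in its binaries ("FPC 3.2.2 [2021/05/15] for x86_64 - Win64" style); that banner format, the sample image built inline, and its LOAD_CONFIG values are assumptions of the example. It also clamps NumberOfRvaAndSizes to what SizeOfOptionalHeader can actually hold, which is the kind of check a viewer needs before trusting a header from an untrusted file.

```python
# Added example, not code from this thread, from Detect It Easy or from PeBytesF.
# It parses just enough of a PE header to print what DIE reported above
# (PE32/PE32+, machine, subsystem, Free Pascal banner) and lists the populated
# data directories, LOAD_CONFIG included. The sample image is constructed here.
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "GUI", 3: "Console"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]
# FPC writes a banner such as "FPC 3.2.2 [2021/05/15] for x86_64 - Win64" into the
# binary; matching it is an assumption about the banner format, not DIE's signature.
FPC_BANNER = re.compile(rb"FPC (\d+\.\d+\.\d+) \[(\d{4}/\d{2}/\d{2})\] for (\w+)")


@dataclass
class PEInfo:
    bitness: int
    machine: str
    subsystem: str
    directories: Dict[str, Tuple[int, int]]  # name -> (RVA, size), non-empty only
    compiler: Optional[str]


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32: NumberOfRvaAndSizes at +92
        bitness, ndirs_off = 32, 92
    elif magic == 0x20B:                # PE32+: ImageBase is 8 bytes, so +108
        bitness, ndirs_off = 64, 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    # A hostile header can claim more directories than the optional header holds:
    # clamp to 16 and to what SizeOfOptionalHeader actually covers.
    ndirs = min(ndirs, 16, (opt_size - ndirs_off - 4) // 8)
    directories: Dict[str, Tuple[int, int]] = {}
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", data, opt + ndirs_off + 4 + i * 8)
        if rva or size:
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    m = FPC_BANNER.search(data)
    compiler = None
    if m:
        ver, date, target = (g.decode() for g in m.groups())
        compiler = f"Free Pascal({ver} [{date}] for {target})"
    return PEInfo(bitness, MACHINES.get(machine, f"{machine:#x}"),
                  SUBSYSTEMS.get(subsystem, str(subsystem)), directories, compiler)


def report(info: PEInfo) -> List[str]:
    """DIE-like summary lines followed by one line per populated data directory."""
    lines = ["PE32" if info.bitness == 32 else "PE32+",
             f"Operating system: Windows[{info.machine}, {info.bitness}-bit, {info.subsystem}]"]
    if info.compiler:
        lines.append(f"Compiler: {info.compiler}")
    lines += [f"Directory {n}: rva={r:#x} size={s:#x}" for n, (r, s) in info.directories.items()]
    return lines


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image with an FPC banner and a LOAD_CONFIG entry."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    dirs = [(0, 0)] * 16
    dirs[10] = (0x3000, 0x40)                                       # LOAD_CONFIG (made up)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x4000, 0x400, 0, 2, 0,                   # Subsystem 2 = GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    body = b"\x90" * 16 + b"FPC 3.3.1 [2023/08/12] for i386 - Win32\x00"
    return headers.ljust(0x400, b"\x00") + body.ljust(0x200, b"\x00")


if __name__ == "__main__":
    print("\n".join(report(parse_pe(build_sample_pe()))))
```

To use it on a real file, pass `open(path, "rb").read()` to `parse_pe`; the directory listing only reports RVA and size, so reading the LOAD CONFIG structure itself (the part 440bx says most viewers get wrong) still requires mapping the RVA through the section table.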

 
