Reverse delphi based Malware (RAT)

#15767 by hanan
Thu Sep 27, 2012 7:58 am

Hi,

I would like to know if reversing a malware that has been written with delphi is requiring a different skill set than knowing how to reverse a malware that has been written using C or the like.

I found that to be different, but i would like to know how much different is it? am i need to know how the program in delphi ( i mean knowing paradigms that delphi programmers are using in their programs) ?

Username

hanan

Posts

44

Joined

Wed Jul 11, 2012 5:26 pm

Re: Reverse delphi based Malware (RAT)

#15774 by EP_X0FF
Fri Sep 28, 2012 5:33 am

No big difference. Load proper FLIRT signature to IDA and thats all. Even if it compiled by Delphi, most Delphi malware not written on OOP. They use KOL to remove most object oriented code for output file size reduction and better morphing.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Reverse delphi based Malware (RAT)

#15782 by hanan
Fri Sep 28, 2012 12:44 pm

One thing though i learned today is that most delphi programs use TLS for internal reasons probably not for malicious purposes, so one probably shouldn't waste time on the TLS of a delphi malware.

Username

hanan

Posts

44

Joined

Wed Jul 11, 2012 5:26 pm

Re: Reverse delphi based Malware (RAT)

#15785 by Apocalypse
Fri Sep 28, 2012 1:41 pm

http://kpnc.org/idr32/en/index.htm

Username

Apocalypse

Posts

12

Joined

Fri Oct 28, 2011 11:51 am