Dephi reverse tool Dede exports function name MAP and imports it into IDA

1. Background

When the Dephi program is reversed, the function name of the function can be seen by the Dede software, but it cannot be seen when IDA is reversed. In order to solve this problem, the following methods can be used to achieve:

2. Basic knowledge

IDA cannot restore the original name of the function because there is no PDB file. Through the reverse engineer's assembly code identification, the function can be manually renamed, or the IDC scripting language can be used to name a specific address:

MakeName(0x006E624C, "TSingleForm.ComboBox1Change");

Based on this principle, let's look up how DEde generates such a "address:function" correspondence table.

3. Practice

1. Export address function table from Dede

Find events.txt in the folder, this is the file containing the function address and function name.

2. Run the python script to convert events.txt into IDC script;

The following script opens events.txt in the same directory as the script, and uses the .split() method to load the address and function name into list[0] and list[1], and filter out those without function names.

import ostry:import chardetexcept:os.system('pip install chardet')import chardetdef check_charset(file_path):import chardetwith open(file_path, "rb") as f:data = f.read(4)charset = chardet.detect(data)['encoding']return charsetdef map2idc(in_file, out_file):with open(out_file, 'w') as fout:fout.write('#include \n')fout.write('static main()\n{\n')with open(in_file,encoding=check_charset(in_file)) as fin:for line in fin:list = line.split()if len(list) == 2 and len(str(list[1])) == 8 and str(list[1]).isalnum():if(list[1][-4:]!=list[0][-4:]): #function name==address, don'tfout.write('\tMakeName(0x%s, "%s");\n' % (list[1], list[0]))fout.write('}\n')def main():return map2idc("./events.txt","./ida.idc")

Copy the above python to the .py file, put the python script and events.txt in the same directory, run the python script, and the ida.idc file will be generated.A simple idc script is as follows:

#include static main(){MakeName(0x0040178C, "TObject.System.GetSpace(Integer):TBlock;");}

3. Run the idc script, rename the function

Open Ida, File-->Script file, select the ida.idc file just generated, and you can rename functions in batches.

This way, your dehpi has the function name.

4. Summary

Through this script, we can transfer the results of professional dephi program analysis to the IDA professional reverse code analysis platform to achieve linkage.

References: Import MAP files into IDA Pro's applet - sting feng - Blog Park