
NetHex 1.0

NetHex is my first shot at a C# custom control. It can be used to display data in hexadecimal representation and to edit that data. It's a C# 2.0 project so you need to have Visual C# 2005 Express Edition Beta 2 installed if you want to test the control yourself.

Click here to download the NetHex control and a sample program that shows how to use it

Screenshot of the sample program:



Oh yeah, there's a small bug I'm blaming on Visual Studio. If you modify a form with the control on it and then start the program, your VS will terminate without any error message or anything. The work-around is fortunately very simple: modify the form, close the form design window and only then start the program. This stops the unexpected termination of VS.

Fixing old RGH-Profan files

I bet that none of you have ever heard of the programming language RGH-Profan (now called XProfan). It was however my first Windows programming language. Back then I had to decide between buying RGH-Profan 5.0 and buying Delphi, which was at version 2 at the time, I think. Looking back I actually think I made the right decision.
Anyway, the RGH-Profan programming language is something you'd imagine to be the result of crossing QBasic and Turbo Pascal and porting it to 32-bit Windows. It's easy to use but quite limited (at least it was in version 5 years ago; I know nothing about the current version 9).

One thing that bugged people a bit in recent years was that the programs needed to be compiled twice, once for Windows 95 and once for Windows NT, because of some Windows API incompatibilities. That was not much of a problem back then, but as Microsoft moved away from the Windows 9X architecture towards the NT architecture with the releases of Windows 2000 and Windows XP, many old RGH-Profan programs that were only available in Win9X form ceased to work. This article is about patching the problems away and allowing Win9X-compiled RGH-Profan executables to be run in Windows XP.

New website: ProgJ

Did you ever think there should be something like Slashdot but strictly for programming related items? Kinda like Slashdot's Developers category but with more than 2 articles a week? Yeah, I thought that too. That's why I decided to start a new website that's exactly that. It's called ProgJ and you can find it at http://www.progj.com/.

Right now it's of course still in a beta-phase. And as I don't have a 2nd server to test my stuff on it's possible that you get to see live changes to the website while browsing it! Enjoy.

AIM Fight Checker

There's this new website called AIM Fight where you can check the popularity of your AIM nick. The site checks the buddy lists of all AIM users and calculates a score from the number of users that added you to their buddy lists. A better description can be found on that site.

Here's a small C# 2005 application which can be used to check nicks at a given time interval. As a bonus the history of all scores is displayed in a line chart (which was generated using the extremely awesome ZedGraph library).

99% of you probably won't be able to run it because it requires the .NET 2005 Beta Framework which hardly anyone has installed yet.

Click here if you still want to download the program including the C# source code.
Click here to see a screenshot of the program.

Oh yeah, you need to wait for 3 updates (= 9 minutes) until the chart starts looking good.

Protecting the Oracle - A proof of concept for a Delphi obfuscator



Attention: Check this update too

0. Introduction

The advent of DeDe, the self-proclaimed Delphi Decompiler, in 1999 started a new era in reverse engineering programs compiled with Borland Delphi. In case you're not aware of this tool, the term decompiler is actually misleading to describe the functionality of DeDe as it implies that the tool can reconstruct Delphi source code from binary files. This is definitely not the case though.
What DeDe really is is a class browser: it reads the form resources and the class metadata (RTTI) that the Delphi compiler embeds in every executable and lists the TObject-derived classes the program uses (in practice the VCL components and the forms built from them) together with their published properties and event handlers. It's basically an enhanced version of the Delphi object inspector that's used during Delphi development, but it works on binary files instead of Delphi source files.
DeDe also comes with other features like a built-in disassembler but these other features were neither new nor as revolutionary as DeDe's core functionality.

1. What exactly is the problem?
At first glance the insight DeDe offers doesn't seem to be much of a problem. After all there's no critical data in the properties of the components you set in the object inspector when you implement your software. This line of thinking is fundamentally flawed though. There actually is critical data in these properties, and lots of it. Otherwise DeDe would have never had such an impact on reverse engineering Delphi binaries.
The critical data I'm talking about in the context of reverse engineering Delphi files are the names of the properties and some of their values.

Imagine a shareware program that can be registered using a standard name/password combination the user enters in a special dialog. The password can be entered in edit fields and the user confirms his input by clicking a button. Now what's more helpful to a person who wants to gain access to the important parts of the registration logic with the goal to crack the software? A resource named RegisterDialog or a resource named G5gAQLRICMZPIU?
What about a button named RegButton with a corresponding OnClick property called RegButtonClick? This is certainly a dead give-away for any potential attacker and because DeDe can resolve the addresses where these events can be found in the file and perform an instant disassembly of the code there the attacker could locate the critical code in less than three seconds.
Would a button named HoiDDdf4 with a property named KLF442E and a value like JHIogeeGEIffdF be just as valuable to the attacker, especially when it's buried in hundreds if not thousands of equally meaningless names? I think not.
And that's exactly what this paper intends to show you: How to make DeDe completely useless by obfuscating the data DeDe reads from Delphi binary files.
...

The rest of this document and the source code of Pythia can be found in the ZIP file.
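To make the obfuscation idea concrete, here is an added example (my code, not the Pythia sources from the ZIP) that builds a small binary form resource like the registration dialog above, lists it the way a class browser such as DeDe would, and then renames the component names and the vaIdent values (the OnClick = RegButtonClick reference and component references such as ActiveControl) in place with same-length replacements. The stream layout, the value-type tags and the sample dialog are my reading of Delphi's TWriter "TPF0" format plus a constructed input, not data from the post; the same-length rule is my design choice so the patched resource fits back into the executable, and the matching rename of the published method names in the form class's RTTI, which the VCL uses to bind OnClick at run time, is left out.

```python
"""Patch the names a class browser like DeDe reads from a binary Delphi form.
Added example, not the Pythia code from the post. Layout follows TWriter's
"TPF0" stream as far as I know it (nested objects of length-prefixed short
strings and tagged values); only the tags the constructed sample needs are
handled, and the 0xF0.. prefix of inherited/inline forms is not."""
import struct
from collections import namedtuple

VA_NULL, VA_INT8, VA_INT16, VA_INT32, VA_STRING, VA_IDENT = 0, 2, 3, 4, 6, 7  # TValueType
INT_FMT = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i"}

class Ident(str): pass   # vaIdent value: enum name, component reference or method name
Obj = namedtuple("Obj", "cls name props children", defaults=[()])  # props: [(name, value)]

def _sstr(s: str) -> bytes:
    b = s.encode("latin-1")
    if len(b) > 255: raise ValueError("short string too long")
    return bytes([len(b)]) + b

def _write_value(v) -> bytes:
    if isinstance(v, int):                                # smallest width that fits
        tag = VA_INT8 if -128 <= v < 128 else VA_INT16 if -32768 <= v < 32768 else VA_INT32
        return bytes([tag]) + struct.pack(INT_FMT[tag], v)
    if isinstance(v, Ident):
        return bytes([VA_IDENT]) + _sstr(v)
    if isinstance(v, str):
        return bytes([VA_STRING]) + _sstr(v)
    raise TypeError(f"cannot stream {v!r}")

def write_dfm(o: Obj, top: bool = True) -> bytes:
    out = (b"TPF0" if top else b"") + _sstr(o.cls) + _sstr(o.name)
    for pname, val in o.props:
        out += _sstr(pname) + _write_value(val)
    out += bytes([VA_NULL])                               # end of property list
    out += b"".join(write_dfm(c, False) for c in o.children)
    return out + bytes([VA_NULL])                         # end of child list

class Patcher:
    """One pass over a TPF0 stream: collects the listing a class browser would
    show and rewrites component names and vaIdent values in place, same length."""
    def __init__(self, data: bytes, rename: dict):
        if data[:4] != b"TPF0":
            raise ValueError("not a binary DFM stream")
        if any(len(o) != len(n) for o, n in rename.items()):
            raise ValueError("renames must keep the original length")
        self.d, self.pos, self.rename, self.lines = bytearray(data), 4, rename, []
        self.obj(0)

    def sstr(self, patch: bool = False) -> str:
        start = self.pos + 1
        self.pos = start + self.d[self.pos]
        s = self.d[start:self.pos].decode("latin-1")
        if patch and s in self.rename:
            s = self.rename[s]
            self.d[start:self.pos] = s.encode("latin-1")
        return s

    def value(self) -> str:
        tag = self.d[self.pos]
        self.pos += 1
        if tag in INT_FMT:
            (v,) = struct.unpack_from(INT_FMT[tag], self.d, self.pos)
            self.pos += struct.calcsize(INT_FMT[tag])
            return str(v)
        if tag == VA_STRING:
            return repr(self.sstr())
        if tag == VA_IDENT:
            return self.sstr(patch=True)                  # handler or component name
        raise ValueError(f"unsupported value type {tag} at offset {self.pos - 1}")

    def obj(self, depth: int) -> None:
        pad = "  " * depth
        cls, name = self.sstr(), self.sstr(patch=True)    # class names stay: the
        self.lines.append(f"{pad}{name}: {cls}")          # VCL looks them up by name
        while pname := self.sstr():                       # "" doubles as vaNull end
            self.lines.append(f"{pad}  {pname} = {self.value()}")
        while self.d[self.pos] != VA_NULL:
            self.obj(depth + 1)
        self.pos += 1

def browse(data: bytes) -> list:
    return Patcher(data, {}).lines
def obfuscate(data: bytes, rename: dict) -> bytes:
    return bytes(Patcher(data, rename).d)

# Constructed sample: the registration dialog from the text, plus a same-length rename map.
REG_FORM = Obj("TRegisterDialog", "RegisterDialog",
               [("Caption", "Register"), ("ClientWidth", 300), ("ActiveControl", Ident("NameEdit"))],
               [Obj("TEdit", "NameEdit", [("Left", 8), ("Top", 8)]),
                Obj("TEdit", "PasswordEdit", [("Left", 8), ("Top", 40)]),
                Obj("TButton", "RegButton", [("Caption", "Register"),
                                             ("OnClick", Ident("RegButtonClick"))])])
RENAME = {"RegisterDialog": "G5gAQLRICMZPIU", "RegButton": "HoiDDdf4Q", "NameEdit": "Lp7VqBZ2",
          "PasswordEdit": "X3kRtWuY9mNb", "RegButtonClick": "JHIogeeGEIffdF"}
```

`browse(write_dfm(REG_FORM))` is the cracker's view before obfuscation (RegButton, OnClick = RegButtonClick); `browse(obfuscate(write_dfm(REG_FORM), RENAME))` shows the same structure with nothing to search for. Property names (Caption, OnClick) and VCL class names are left alone here because the streaming system matches them against the class's RTTI and the registered classes when the form loads, so they can only be renamed together with that data, not in the resource alone.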