The not so boring land of Borland executables, part 1

December 5, 2014 in Malware Analysis

“Borland”, “Inprise”, “Code Gear”, “Embarcadero”, “Delphi”, “C++ Builder”, as well as “Boolean”, “False”, “True”, “System”, “AnsiChar” are keywords that are very familiar to anyone who reverse engineers executables on regular basis. Seeing them is a good indicator that the samples we look at were most likely produced by compilers coming either directly, or through its descendants and spinoffs from Borland.

I want to talk about them, because Borland executables can be a goldmine for forensic investigators.

The part 1 will focus on the infamous number 0x2A425E19 (708992537) a.k.a 1992-06-19 22:22:17 (Friday).

This is a compilation timestamp of many Delphi files and let’s face it – it is just simply annoying.

Lots of people complained about it in the past; it is actually a very well-known bug, have not been addressed for many years, and only (as per the note in the link provided): “In Delphi 7 this structure was filled properly, but in 2006 not.” i.e. Delphi 4 – Delphi 2006 do not set this timestamp correctly.

Now, this is actually an interesting forensic artifact as it tells you the file was compiled most likely with Delphi 4 – Delphi 2006.

There is more to it.

If the compilation stamp is wrong you can still manage to win the game. If the Delphi executable has a resource directory you may retrieve its compilation timestamp. It is stored in an old-school DOS time format (note that non-Delphi files store it as an EPOCH timestamp, as per PE documentation; yes, Delphi executables are weird 🙂 ). And lo and behold, it may be actually a compilation timestamp that indicates when the whole thing was compiled, or at least give you a better estimate!

In any case, it’s better than nothing.

Example for the same file:

PE Comp.:    1992-06-19 22:22:17 2A425E19, 708992537
.rsrc comp.: 2010-12-09 14:25:36 3D897332, 1032418098

PE Compilation timestamp is the buggy 1992-06-19 22:22:17, but the .rsrc directory timestamp is a very reasonable timestamp 2010-12-09 14:25:36.

And yes, there is a script that you can use to do a dirty work for ya (use it for Delphi executables only).

perl pect.pl <filename>

Download pect.pl here.

Share this :)

Comments are closed.