{"id":2672,"date":"2014-12-05T20:32:24","date_gmt":"2014-12-05T20:32:24","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2672"},"modified":"2021-01-25T17:46:44","modified_gmt":"2021-01-25T17:46:44","slug":"the-not-so-boring-land-of-borland-executables-part-1","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/12\/05\/the-not-so-boring-land-of-borland-executables-part-1\/","title":{"rendered":"The not so boring land of Borland executables, part 1"},"content":{"rendered":"<p>&#8220;Borland&#8221;, &#8220;Inprise&#8221;, &#8220;Code Gear&#8221;, &#8220;Embarcadero&#8221;, &#8220;Delphi&#8221;, &#8220;C++ Builder&#8221;, as well as &#8220;Boolean&#8221;, &#8220;False&#8221;, &#8220;True&#8221;, &#8220;System&#8221;, &#8220;AnsiChar&#8221; are keywords that are very familiar to anyone who reverse engineers executables on a regular basis. Seeing them is a good indicator that the samples we look at were most likely produced by compilers coming, either directly or through its descendants and spinoffs, from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Borland\">Borland<\/a>.<\/p>\n<p>I want to talk about them, because Borland executables can be a goldmine for forensic investigators.<\/p>\n<p>Part 1 will focus on the infamous number 0x2A425E19 (708992537) a.k.a. 1992-06-19 22:22:17 (Friday).<\/p>\n<p>This is the compilation timestamp of many Delphi files and let&#8217;s face it &#8211; it is just simply annoying.<\/p>\n<p>Lots of people complained about it in the past; it is actually a very well-known bug that was not addressed for <a href=\"http:\/\/qc.embarcadero.com\/wc\/qcmain.aspx?d=25402\">many years<\/a>, and (as per the note in the link provided): &#8220;In Delphi 7 this structure was filled properly, but in 2006 not.&#8221; i.e. 
Delphi 4 &#8211; Delphi 2006 do not set this timestamp correctly.<\/p>\n<p>Now, this is actually an interesting forensic artifact, as it tells you the file was most likely compiled with Delphi 4 &#8211; Delphi 2006.<\/p>\n<p>There is more to it.<\/p>\n<p>If the compilation stamp is wrong, you can still win the game. If the Delphi executable has a resource directory, you may retrieve its compilation timestamp from there. It is stored in an old-school DOS time format (note that non-Delphi files store it as an EPOCH timestamp, as per PE documentation; yes, Delphi executables are weird \ud83d\ude42 ). And lo and behold, it may actually be a compilation timestamp that indicates when the whole thing was compiled, or at least gives you a better estimate!<\/p>\n<p>In any case, it&#8217;s better than nothing.<\/p>\n<p>Example for the same file:<\/p>\n<pre style=\"padding-left: 30px;\">PE Comp.:\u00a0\u00a0\u00a0 1992-06-19 22:22:17 2A425E19, 708992537\n.rsrc comp.: 2010-12-09 14:25:36 3D897332, 1032418098<\/pre>\n<p>The PE compilation timestamp is the buggy 1992-06-19 22:22:17, but the .rsrc directory timestamp is a very reasonable 2010-12-09 14:25:36.<\/p>\n<p>And yes, there is a script that you can use to do the dirty work for ya (use it for Delphi executables only).<\/p>\n<pre style=\"padding-left: 30px;\">perl pect.pl &lt;filename&gt;<\/pre>\n<p>Download <a href=\"https:\/\/hexacorn.com\/d\/pect.pl\">pect.pl<\/a> here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Borland&#8221;, &#8220;Inprise&#8221;, &#8220;Code Gear&#8221;, &#8220;Embarcadero&#8221;, &#8220;Delphi&#8221;, &#8220;C++ Builder&#8221;, as well as &#8220;Boolean&#8221;, &#8220;False&#8221;, &#8220;True&#8221;, &#8220;System&#8221;, &#8220;AnsiChar&#8221; are keywords that are very familiar to anyone who reverse engineers executables on a regular basis. 
Seeing them is a good indicator that the samples &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/12\/05\/the-not-so-boring-land-of-borland-executables-part-1\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2672"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2672"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2672\/revisions"}],"predecessor-version":[{"id":7668,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2672\/revisions\/7668"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}