File90985 Zip Bobsoft Mini Delphi Unpacker

Austin Vermont

Jul 10, 2024, 4:19:50 PM7/10/24
to bangcitakend

How to Unpack Delphi Programs Packed with BobSoft Mini Delphi Packer

Delphi is a programming language that can be used to create applications and programs that leverage Windows API functions. However, some Delphi programs are packed or encrypted with a tool called BobSoft Mini Delphi Packer, which makes them harder to analyze or reverse engineer. In this article, we will show you how to unpack Delphi programs packed with BobSoft Mini Delphi Packer using a simple and effective method.

What is BobSoft Mini Delphi Packer?

BobSoft Mini Delphi Packer is a tool that can compress and encrypt Delphi programs into a single executable file. It was created by a hacker named BoB, who also developed other packers and crypters such as PEiD Bundle, PluginToExe, Upx Lock, Splash Bitmap, Imploder, and BobPack. BobSoft Mini Delphi Packer is widely used by malware authors and hackers to evade detection and analysis by antivirus software and security researchers.

How to Identify BobSoft Mini Delphi Packer?

One way to identify if a Delphi program is packed with BobSoft Mini Delphi Packer is to use a tool called PEiD, which can detect the signatures of various packers and crypters. PEiD can be downloaded from [here]. After running PEiD, you can drag and drop the suspicious file into the PEiD window and see if it matches any of the signatures of BobSoft Mini Delphi Packer. Some of the signatures are listed below:

Signature | Description
PEiD Bundle v1.00 BoB / BoBSoft | The first version of the packer that uses GetForegroundWindow API to check for user activity.
PEiD Bundle v1.01 BoB / BoBSoft | The second version of the packer that uses GetTickCount API to check for user activity.
PEiD Bundle v1.02 BoB / BoBSoft | The third version of the packer that uses GetCursorPos API to check for user activity.
PEiD Bundle v1.04 BoB / BoBSoft | The fourth version of the packer that uses GetAsyncKeyState API to check for user activity.
PluginToExe v1.01 BoB / BoBSoft | A variant of the packer that can convert DLL files into EXE files.
Upx Lock 1.0-1.2 CyberDoom Team X / BoB / BoBSoft | A variant of the packer that can lock UPX-packed files from being unpacked.
Splash Bitmap v1.00 With Unpack Code BoB / Bobsoft | A variant of the packer that can display a bitmap image before executing the packed program.
Imploder v1.04 BoB / Bobsoft | A variant of the packer that can compress and encrypt the packed program using the LZMA algorithm.
BobPack v1.00 BoB / Bobsoft | A variant of the packer that can add junk code and anti-debugging tricks to the packed program.

If PEiD does not detect any signature, you can also look for some clues in the file header or in a hex editor. For example, most of the packed files start with a PUSHAD instruction (60h) followed by a CALL instruction (E8h) with a relative offset. The offset points to a location where the original entry point (OEP) of the program is stored in a POP instruction (58h). You can also look for some strings such as "Kernel32.DLL", "LoadLibraryA", "GetProcAddress", or "VirtualAlloc" in the file, which indicate that the packer uses these API functions to load and execute the packed program.
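As an added illustration of the static clues above (this is not code from the original post), the following Python triage script parses a PE32 file's headers, reads the bytes at the entry point, and flags the PUSHAD/CALL (60 E8) prefix together with the loader-API strings named above; the two sample images it checks are constructed in-line and are not real packed files.

```python
import struct

# Strings the article names as typical of the packer's loader stub
PACKER_STRINGS = [b"Kernel32.DLL", b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"]

def entry_point_bytes(data, count=8):
    """Parse a PE32 image and return the first `count` bytes at AddressOfEntryPoint (None if not PE32)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
        opt = pe + 24
        ep_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
        for i in range(nsec):                                     # map the RVA through the section table
            vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
            if va <= ep_rva < va + max(vsize, raw_size):
                off = ep_rva - va + raw_ptr
                return data[off:off + count]
    except struct.error:
        pass
    return None

def triage(data):
    """Defender-side heuristic: PUSHAD;CALL (60 E8) at the entry point plus the loader-API strings."""
    ep = entry_point_bytes(data)
    return {
        "pushad_call_stub": ep is not None and ep[:2] == b"\x60\xE8",
        "packer_strings": [s for s in PACKER_STRINGS if s.lower() in data.lower()],
    }

def build_sample(code):
    """Constructed minimal PE32 (not a real packed file): one section at RVA 0x1000, raw offset 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(code), 0, 0, 0x1000, 0x1000, 0, 0x400000).ljust(0xE0, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + file_hdr + opt + sec).ljust(0x200, b"\0") + code

# Constructed samples: a stub shaped like the article's listing (60 E8 ...) beside a plain Delphi-style prologue
SUSPECT = build_sample(b"\x60\xE8\x21\x02\x00\x00" + b"\0" * 16 + b"Kernel32.DLL\0LoadLibraryA\0VirtualAlloc\0")
BENIGN = build_sample(b"\x55\x8B\xEC\x83\xC4\xF0" + b"\0" * 16 + b"GetProcAddress\0")

if __name__ == "__main__":
    for name, img in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(img))
```

The string check alone is weak evidence, since LoadLibraryA and GetProcAddress appear in most legitimate imports; the entry-point prefix is what makes the hit worth a closer look.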

How to Unpack BobSoft Mini Delphi Packer?

To unpack a Delphi program packed with BobSoft Mini Delphi Packer, you will need a debugger such as OllyDbg or x64dbg, which can be downloaded from [here] or [here] respectively. You will also need a plugin called ImpREC, which can reconstruct the import table of the unpacked program. ImpREC can be downloaded from [here]. The following steps will guide you through the unpacking process:

  • Open the packed file in the debugger and set a breakpoint at the entry point (usually at 00400000h).
  • Run the program until it reaches the breakpoint. You should see something like this:

    00400000  .  60              PUSHAD
    00400001  .  E8 21020000     CALL 00400227
    00400227  .  8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
    0040022B  .  52              PUSH EDX
    0040022C  .  48              DEC EAX
    0040022D  .  6631C0          XOR AX,AX
    00400230  .  668138 4D5A     CMP WORD PTR DS:[EAX],5A4D
    00400235  .  75 F5           JNZ SHORT 0040022C
    00400237  .  8B50 3C         MOV EDX,DWORD PTR DS:[EAX+3C]
    0040023A  .  813C02 504500>  CMP DWORD PTR DS:[EDX+EAX],4550
    00400241  .  75 E9           JNZ SHORT 0040022C
    00400243  .  5A              POP EDX
    00400244  .  C20400          RETN 4

    This is the code that locates the OEP of the packed program by searching for the MZ and PE headers in memory.

  • Step over the CALL instruction (F8) and follow the return address in the stack (double-click on it or press Enter). You should see something like this:

    00400006  .  B9 D5414000     MOV ECX,004041D5
    0040000B  .  BA D5414000     MOV EDX,004041D5
    00400010  .  BB D5414000     MOV EBX,004041D5
    00400015  .  BD D5414000     MOV EBP,004041D5
    0040001A  .  BE D5414000     MOV ESI,004041D5
    0040001F  .  BF D5414000     MOV EDI,004041D5

    This is the code that initializes some registers with a constant value, which is used as a key for decryption.

  • Step over the instructions until you reach a JMP instruction (EBh or E9h) that jumps to a location near the end of the file. You should see something like this:

    ...
    00400024  .  E9 A4000000     JMP 004000CD
    ...

    This is the code that jumps to the decryption loop.

  • Follow the jump and set a breakpoint at the beginning of the decryption loop. You should see something like this:

    ...
    004000CD  >  B8 FFFFFFFF     MOV EAX,-1
    004000D2  .  F7E1            MUL ECX
    004000D4  .  F7E2            MUL EDX
    ...

    This is the code that performs some arithmetic operations on the key and uses it to decrypt a block of data.

  • Run the program until it reaches the breakpoint again. You should see that the block of data has been decrypted and contains some readable strings and code.
  • Right-click on the decrypted block and select "Analysis" -> "Find references" -> "Immediate constant". You should see a list of references to some constants in the block.
  • Look for a constant that matches the OEP that you found in step 3 (usually around 401000h). Double-click on it or press Enter to go to its reference. You should see something like this:

    ...
    004041B6  .  B8 F4014000     MOV EAX,004014F4
    004041BB  .  FFD0            CALL EAX
    ...

    This is the code that calls the OEP of the packed program.

  • Set a breakpoint at the CALL instruction and run the program until it reaches the breakpoint. You should see the original code of the program at the OEP. You should also see a message box saying "Unpacking done!".
  • Press OK on the message box and pause the program. You should see that the program has been unpacked and loaded into memory.
  • Run ImpREC and attach it to the process of the program. You should see the process ID and name in the ImpREC window.
  • Enter the OEP that you found in step 3 in the "OEP" field and click on "IAT AutoSearch". ImpREC will scan the memory for the import table of the program and show you the results.
  • Click on "Get Imports" to see the list of imported functions and DLLs. You should see some common Windows API functions and DLLs such as Kernel32.dll, User32.dll, Gdi32.dll, etc.
  • Click on "Fix Dump" to save the unpacked program as a new file. You can choose any name and location for the file.
  • Close ImpREC and the debugger. You have successfully unpacked the Delphi program packed with BobSoft Mini Delphi Packer.

Congratulations! You have learned how to unpack Delphi programs packed with BobSoft Mini Delphi Packer using a simple and effective method. You can now analyze or reverse engineer the unpacked program using any tool of your choice. You can also use this method to unpack other variants of BobSoft Mini Delphi Packer, such as PluginToExe, Upx Lock, Splash Bitmap, Imploder, and BobPack. However, some of these variants may have additional features or tricks that may require some modifications or adjustments to the method. For example, Upx Lock may require you to unpack UPX first before applying this method, and Splash Bitmap may require you to close or bypass the bitmap image before reaching the OEP. You can find more information and tutorials about these variants on [this website].

I hope you enjoyed reading this article and found it useful. If you have any questions or feedback, please feel free to leave a comment below. Thank you for your attention!
