dymbol dymbol - 1 year ago 150
Pascal Question

Reading real content of pascal's binary file

I want to know the real content of a binary file.
The file was created by a Delphi (FreePascal?) based application.


  • Filename is FDane.bin

  • I don't have source code of this app



After disassembling the application I see this (the part of the disassembled code that contains the word FDane.bin):

procedure TFrmDroga.ReadLinesFromFile(Sender : TObject);
begin
(*
005F0BB0 55 push ebp
005F0BB1 8BEC mov ebp, esp
005F0BB3 83C4E0 add esp, -$20
005F0BB6 53 push ebx
005F0BB7 56 push esi
005F0BB8 57 push edi
005F0BB9 8945FC mov [ebp-$04], eax
005F0BBC 8D75EF lea esi, [ebp-$11]
005F0BBF 33C0 xor eax, eax
005F0BC1 55 push ebp
005F0BC2 681A135F00 push $005F131A
005F0BC7 64FF30 push dword ptr fs:[eax]
005F0BCA 648920 mov fs:[eax], esp

|
005F0BCD E8DAC4E1FF call 0040D0AC
005F0BD2 DD1D6C936000 fstp qword ptr [$0060936C]
005F0BD8 9B wait
005F0BD9 B201 mov dl, $01

* Reference to class TMemoryStream
|
005F0BDB A144EB4100 mov eax, dword ptr [$0041EB44]

|
005F0BE0 E84735E1FF call 0040412C
005F0BE5 8945F8 mov [ebp-$08], eax
005F0BE8 B201 mov dl, $01

* Reference to class TMemoryStream
|
005F0BEA A144EB4100 mov eax, dword ptr [$0041EB44]

|
005F0BEF E83835E1FF call 0040412C
005F0BF4 8945F4 mov [ebp-$0C], eax

* Possible String Reference to: 'FDane.bin'
|
005F0BF7 BA30135F00 mov edx, $005F1330
005F0BFC 8B45F4 mov eax, [ebp-$0C]

|
005F0BFF E8C834E3FF call 004240CC
005F0C04 6A00 push $00
005F0C06 6A00 push $00
005F0C08 8B45F8 mov eax, [ebp-$08]

|
005F0C0B E8EC2CE3FF call 004238FC
005F0C10 6A00 push $00
005F0C12 6A00 push $00
005F0C14 8B45F4 mov eax, [ebp-$0C]

|
005F0C17 E8E02CE3FF call 004238FC
005F0C1C 8B45F4 mov eax, [ebp-$0C]
005F0C1F 8B10 mov edx, [eax]
005F0C21 FF12 call dword ptr [edx]
005F0C23 85C0 test eax, eax
005F0C25 7E3B jle 005F0C62
005F0C27 8945E8 mov [ebp-$18], eax
005F0C2A BB01000000 mov ebx, $00000001
005F0C2F 8BD6 mov edx, esi
005F0C31 B901000000 mov ecx, $00000001
005F0C36 8B45F4 mov eax, [ebp-$0C]
005F0C39 8B38 mov edi, [eax]

* Possible reference to virtual method TMemoryStream.OFFS_0C
|
005F0C3B FF570C call dword ptr [edi+$0C]
005F0C3E 8BC3 mov eax, ebx
005F0C40 B9C8000000 mov ecx, $000000C8
005F0C45 99 cdq
005F0C46 F7F9 idiv ecx
005F0C48 80C220 add dl, $20
005F0C4B 3016 xor [esi], dl
005F0C4D 8BD6 mov edx, esi
005F0C4F B901000000 mov ecx, $00000001
005F0C54 8B45F8 mov eax, [ebp-$08]
005F0C57 8B38 mov edi, [eax]

* Possible reference to virtual method TMemoryStream.OFFS_10
|
005F0C59 FF5710 call dword ptr [edi+$10]
005F0C5C 43 inc ebx
005F0C5D FF4DE8 dec dword ptr [ebp-$18]
005F0C60 75CD jnz 005F0C2F
005F0C62 6A00 push $00
005F0C64 6A00 push $00
005F0C66 8B45F8 mov eax, [ebp-$08]

|
005F0C69 E88E2CE3FF call 004238FC
005F0C6E 8B45F4 mov eax, [ebp-$0C]

|
005F0C71 E80634E3FF call 0042407C
005F0C76 8B45FC mov eax, [ebp-$04]

* Reference to control TFrmDroga.CDSBrutto : TClientDataSet
|
005F0C79 8B8098040000 mov eax, [eax+$0498]
005F0C7F 8B55F8 mov edx, [ebp-$08]

|
005F0C82 E8A180F0FF call 004F8D28
005F0C87 8B45FC mov eax, [ebp-$04]

* Reference to control TFrmDroga.CDSBrutto : TClientDataSet
|
005F0C8A 8B8098040000 mov eax, [eax+$0498]


After using 'strings FDane.bin | head -n 50' I get (this is a part):

&'(1*+,*.
0120456
82s_f\UM%27
6GFFHIJKLB
>6)5?#
,8-05_^^`abcdn*
srrtuvwxq
!"#$%hg,)g
./0323446789:;<s~G@ABCDEFGH
BL{~sm
nbfeVWXZZ[\_^_`abcd;&
hijklmno
2ytDDGDD7GMEN
Re,'
2342678?:;<=>?
EEFGHIJK
EPbdchh
klkj[\]V_`aecdefgh)
lnopqrstu
7ryNILAC2
s"!"#$%&'
7896;<=5?@ABCD
KJKLMNOP
^U`aheg
`jlo`abndefkhijklm
0}qstuvwxy
<w~H
&&'()*+,-./61
z89:*<<>?@ABCDEFGHuJKLMNOPQR
doj[\]L_aaccdefghi$+
mnopqrstu(7qyLK@@3C
!"#$%&
Zi +
678/::<8>?@ABC
/IIJKLMNO
YTffgdd
gokn_`aucee`ghijkl
prstuvwx9
;v}MI
b{&%&'()*+
;<=%?AAHCDEFGH
ONOPQRST
RYlklac
\WTSdef{hhj`lmnopq
twxyz{|}
!"#$e
**+,-./0
@ABcDDFHHIJKLMn
QSTUVWXY
V^fPQ^^)YWWXYjklLnnparstuvw8


After 200 lines data changes to this:

MKEUNF/0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWV
5797;
ghijklmnopqrstuvwxyz{|}~
!"#$%&7cFFNF
]AAF]V89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[G
xyz{|}~
!"#$%&'()*;gBBJZT
a[FO]KRS^<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_x1)3D,
_R T
Vyz{|}~
!"#$%&'()*+,-.
cTDDBXMHW\
t/-')d
)-)3.$;,n
r)t:x8vYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcU5-7H:
!"#$%&'()*+,-./012-da}
qW\I]NJM5*666$f
4,!9:RSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgs,
Z(5856
!"#$%&'()*+,-./0123456:snx
EFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
iyi|v{123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkg&9$P93?1846xyz{|}~
!"#$%&'()*+,-./0123456789:!f\U
!%;c
?)3'>/k
VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
ibg#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnoj+"S2'7#+:2:?5^
!"#$%&'()*+,-./0123456789:;<=>2
MNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrsS&
!"#$%&'()*+,-./0123456789:;<=>?@AB_
*6&$'#.l
+#17;!!u
`abcdefghijklmnopqrstuvwxyz{|}~
OVLJ
aikfh
456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwX#
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFf
-)7o
97>=6,9=y
55:D6H&Fijklmnopqrstuvwxyz{|}~
HDOJG_HB
yegenk
456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{N6
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJB
UVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
idolslr'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNF
YZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~


It looks like there is some character data (I see ASCII up to 127 characters). I'm not a Pascal or Delphi programmer. I know Python, some C and Java. Is it possible to decode?

Answer Source

Some tips:

The disassembly shows TMemoryStream, and then TClientDataSet calls. This makes it Delphi, and Delphi/BCB alone (FreePascal's equivalent is called TBufDataset).

TClientDataSet .cds is some proprietary streaming format of a dataset. It might be Delphi version dependent. Later (D2010+? RAD Studio only?) versions come with TClientDataSet sources which you could inspect.

Searching for ".cds tclientdataset file format" might also yield something, and hope it doesn't support encryption.
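The byte loop at 005F0C2F..005F0C60 in the question's listing XORs each byte with ((counter mod 200) + 0x20) before the resulting stream is passed to a call on the TClientDataSet, so that layer can be removed before looking at the .cds format. The Python below is an added example, not part of the original answer or of the application's code; it assumes the virtual calls at [edi+$0C] and [edi+$10] are the stream's Read and Write, and the sample data is constructed.

```python
import sys

PERIOD = 0xC8  # mov ecx, $000000C8 / idiv ecx -> remainder lands in edx
OFFSET = 0x20  # add dl, $20


def key_byte(counter: int) -> int:
    """Key for the 1-based byte counter kept in ebx (mov ebx, 1 ... inc ebx)."""
    return ((counter % PERIOD) + OFFSET) & 0xFF


def xor_transform(data: bytes) -> bytes:
    """XOR every byte with its positional key; the same call encodes and decodes."""
    return bytes(b ^ key_byte(n) for n, b in enumerate(data, start=1))


def zero_plaintext_ratio(encoded: bytes) -> float:
    """Share of bytes equal to their own key byte, i.e. bytes that decode to 0x00.
    These are the ascending !"#$%&... runs that `strings` prints."""
    if not encoded:
        return 0.0
    hits = sum(1 for n, b in enumerate(encoded, start=1) if b == key_byte(n))
    return hits / len(encoded)


# Constructed sample, not taken from FDane.bin: a short record padded with zeros.
SAMPLE_PLAIN = b"NAME=test" + bytes(40) + b"END"
SAMPLE_ENCODED = xor_transform(SAMPLE_PLAIN)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py FDane.bin decoded.out
        with open(sys.argv[1], "rb") as src:
            decoded = xor_transform(src.read())
        with open(sys.argv[2], "wb") as dst:
            dst.write(decoded)
        print(f"wrote {len(decoded)} bytes")
    else:
        print(SAMPLE_ENCODED)                 # zero padding shows up as the key run
        print(xor_transform(SAMPLE_ENCODED))  # round-trips to SAMPLE_PLAIN
        print(f"{zero_plaintext_ratio(SAMPLE_ENCODED):.2f}")
```

A high zero-plaintext ratio on the real file supports the reading of the loop; the decoded output is then the input for the TClientDataSet format search suggested above.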
