1

UPDATE: Even though the above mentions that the question already has an answer, the solution in the linked question does not work in Delphi XE6.

Just noticed that all executables generated with Delphi (including Release version) include the names of all types used by that executable and the names of the units they belong to. If you are not careful to remove the RTTI information then it also contains class methods, fields and property names.

What are these strings used for (especially in a Release version)?

Is there a way to prevent type and unit names from being written to the executable?

Steps to reproduce this:

  1. Create a new Delphi project.
  2. Define a class

    {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])}
    type TPerson = class
    private
      FName: string;
    public
      constructor Create(Name: string);
      destructor Destroy; override; 
    end;
    
    constructor TPerson.Create(Name: string);
    begin
      inherited Create;
      FName := Name;
    end;
    
    destructor TPerson.Destroy;
    begin
      inherited Destroy;
    end;
    
  3. Create an object of that class so that the class is referenced/used.

    var person: TPerson;
    begin
      person := TPerson.Create('John Doe');
      person.Free;
    end;
    
  4. Compile the project in Release mode.

  5. Use a hex viewer and search for the name of the class (TPerson) in the executable.

How can one prevent the class name from being written to the executable?

also:

How can one remove RTTI at the project level so there would be no need to manually go through every included unit and add the {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])} clause?

I tried adding {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])} at the top of the .dpr file but this doesn't work in Delphi XE6.

Rob Kennedy
Jamie
  • 3
    You don't need function names to crack an application. It's enough to step through the disassembled code. – TLama Apr 27 '14 at 21:30
  • Do you have RTTI included? – David Heffernan Apr 27 '14 at 21:32
  • @TLama: Your comment is off-topic. I know one can step through the disassembled code but having methods/variable names associated with that really speeds up the process. – Jamie Apr 27 '14 at 21:35
  • @DavidHeffernan: No, I made sure that RTTI is disabled, but I still get all these strings. – Jamie Apr 27 '14 at 21:36
  • Do you have "Include Remote Debug Symbols" set? – David Dubois Apr 27 '14 at 21:59
  • And how can we reproduce this? How do we know you disabled RTTI right? How do we know you stripped all the debug info? – David Heffernan Apr 27 '14 at 22:01
  • @DavidHeffernan: Here are the steps to reproduce it: 1. Create a class in your project and an object of that class. 2. Add {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])} before the class definition. 3. Disable RTTI in whatever other way you know of. 4. Build the Release version of your project. 5. Open the executable in your favorite hex editor and search for the name of your class. – Jamie Apr 27 '14 at 22:18
  • What about names of local variables, private fields etc. – David Heffernan Apr 27 '14 at 22:25
  • @DavidHeffernan: Did I mention anything about those in my steps to reproduce it? Private fields and methods are excluded by the RTTI clause that I mentioned above but I am not interested in those. Did you find the class name in your test? – Jamie Apr 27 '14 at 22:30
  • 3
    TLama's point is valid. If someone is going to crack your software, method strings are not going to make a bit of difference. You can't make crack-proof software. In fact, if someone bothers to crack your software - consider yourself lucky. It means your software is probably good enough that you'll get rich from it anyway. People crack Photoshop and you don't see Adobe queueing at the poorhouse. – J... Apr 27 '14 at 22:36
  • ps : http://stackoverflow.com/q/3550556/327083 – J... Apr 27 '14 at 22:36
  • 1
    @J... This is a question about Delphi, not about anti-cracking. Please stick to the topic. – Jamie Apr 27 '14 at 22:38
  • If you are looking to provide a secure license verification system for your Delphi application, I would look to someone like noted Delphi expert Jon Aasenden and his company's soon to be released "Hexlicense" component: http://jonlennartaasenden.wordpress.com/2014/04/04/hexlicense-component-suite-almost-ready/ – Mick Apr 27 '14 at 23:12
  • 1
    @Jamie You did not mention local variables. You just said "variables" which covers a lot of things. I'm trying to get you to be precise. – David Heffernan Apr 28 '14 at 05:13
  • 1
    @DavidHeffernan: Here is a precise question: Did you find the class name in the executable file during your test? – Jamie Apr 28 '14 at 06:04
  • @DavidHeffernan I asked you for the results to the test three times but you refused to answer. Seems to me you didn't want to help at all from the start. – Jamie Apr 28 '14 at 06:19
  • 2
    I would like to help but I'm looking for clarity. I am being discouraged. You should add details in edits to the question rather than comments. Precise details. Example project. How to build it. Which symbols you found, and how. Which symbols you want to be removed. There's a good question in here but it needs for you to do some more work. If you do that you'll get better responses. – David Heffernan Apr 28 '14 at 06:22
  • @DavidHeffernan: Do you have a better answer now? By the way: I put the work into editing the question but you never answered my question regarding the class name in the executable. How is that being helpful? – Jamie Apr 28 '14 at 07:07
  • Thanks for the edit. To be clear, is it just the classes that are found in the executable? – David Heffernan Apr 28 '14 at 07:12
  • @DavidHeffernan unit names also. Now, did you try to reproduce it? What did you find in the executable? – Jamie Apr 28 '14 at 07:17
  • Give me time. Let me take my children to school first. – David Heffernan Apr 28 '14 at 07:19
  • @DavidHeffernan Ok. Please comment only after you tried to reproduce it. It would be more helpful and shorten the number of unnecessary comments here. – Jamie Apr 28 '14 at 07:20
  • @DavidHeffernan Really? – Jamie Apr 28 '14 at 07:28
  • Your latest update appears to indicate distaste at being marked as a duplicate. Remember that your original question asked about removing class names from the executable. That's the duplicate. You then added a second question, of different nature, about globally suppressing RTTI. Really there should be just a single question at a time. With all the edits and additions, the question text has become somewhat unfocused. It was a good question when you just asked about the class names. – David Heffernan Apr 28 '14 at 10:52
  • 1
    @DavidHeffernan. The question was initially about removing units/method/parameters names by suppressing RTTI, if you remember. Then you wanted me to be more specific, because you didn't know whether I did disable RTTI in the right way and still get all those strings. Well, as you found out, there is a problem with suppressing RTTI globally in XE6 (the underlying problem of the original question and comments). Just wanted to let future readers know that the linked duplicate question does not offer a solution for XE6, so the question "doesn't already have an answer" for XE6. – Jamie Apr 28 '14 at 11:04
  • The original question was about why class name text appeared in the executable. At least, that's where it was at when I wrote my answer. – David Heffernan Apr 28 '14 at 11:14
  • How do you explain your comment: "You just said "variables" which covers a lot of things."? We both know what the original question looked like. I rest my case. Have a great day! – Jamie Apr 28 '14 at 11:57
  • OK, what I mean is the original question after the clarifications. – David Heffernan Apr 28 '14 at 12:07

2 Answers

5

Pythia is a program that can obfuscate binaries created with Delphi or C++ Builder.

However, remember that a competent reverse engineer will only be slightly slowed down by this obfuscation, so I would only use it to prevent cursory tampering/inspection.

Download compiled v1.1 program here: http://www.the-interweb.com/serendipity/index.php?/archives/86-Pythia-1.1.html

Browse the source code here: https://github.com/sporst/Pythia

BEFORE: [screenshot]

AFTER: [screenshot]

Mick
  • 3
    Thanks Mick for mentioning Pythia. Unfortunately, the project is 9 years old and doesn't work with recent versions of Delphi, but I will try to make it work. Thanks again, this is a great starting point! – Jamie Apr 28 '14 at 07:35
  • Mick, where do I find this "RTTI Viewer" visible on the screenshots you posted? – forsajt Feb 08 '15 at 15:02
2

The class name is stored in the executable because it is needed to implement TObject.ClassName.

There is no simple way, without resorting to gross hacks, to stop this happening. You could, I suppose, have a post-build step that modified the executable file to overwrite the name in the executable. This would obviously break any code that relied upon the ClassName method.

Another option is obfuscation. I'm honestly not sure how much help it would be to a malicious hacker to be able to know the name of all your program's classes.


Your latest edit adds a new question:

How can one remove RTTI at the project level so there would be no need to manually go through every included unit and add the {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])} clause?

Add this to the very top of your .dpr file, immediately after the program statement:

    {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])}

Although apparently, the ability to do this globally in the .dpr file was unintentional. And Delphi XE6 "fixes" this behaviour: http://qc.embarcadero.com/wc/qcmain.aspx?d=79943

So, if you happen to be using XE6, there appears to be no global project wide way to disable RTTI.

David Heffernan
  • Seems like a regression in XE6. They "fixed" [this](http://qc.embarcadero.com/wc/qcmain.aspx?d=79943) but disabled the global .dpr setting. – LU RD Apr 28 '14 at 10:01
  • I second that. The solution proposed doesn't work in Delphi XE6. – Jamie Apr 28 '14 at 10:02
  • 2
    @LURD Oh, how wonderful! Another reason not to upgrade! – David Heffernan Apr 28 '14 at 10:06
  • Note that [QualityCentral has now been shut down](https://community.embarcadero.com/blogs/entry/quality-keeps-moving-forward), so you can't access `qc.embarcadero.com` links anymore. If you need access to old QC data, look at [QCScraper](http://www.uweraabe.de/Blog/2017/06/09/how-to-save-qualitycentral/). – Remy Lebeau Jun 09 '17 at 18:06
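
An added example, not part of the question or answers above: a build-audit script that performs the hex-viewer search from step 5 programmatically and reports which identifiers ship in a Release binary. It assumes names are stored as length-prefixed ShortStrings (the form `TObject.ClassName` reads); `SAMPLE` and the unit name `Unit1` are constructed for illustration.

```python
import re
import sys

# A Pascal identifier, optionally dotted (e.g. a scoped unit name).
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")

# Constructed sample standing in for a Release build: filler bytes around
# two ShortStrings (class TPerson, hypothetical unit Unit1). No field names.
SAMPLE = (b"\x00\x10\x40\x00" + b"\x07TPerson" + b"\x3c\x00\x00\x00"
          + b"\x05Unit1" + b"\x02\x00" + b"\x90\x90\xc3")


def shortstring_offsets(data: bytes, name: str) -> list:
    """Offsets where name occurs as a ShortString (length byte + text)."""
    needle = bytes([len(name)]) + name.encode("ascii")
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def audit(data: bytes, watchlist: list) -> dict:
    """Map each identifier from your source to where it ships, if at all."""
    return {name: shortstring_offsets(data, name) for name in watchlist}


def inventory(data: bytes, min_len: int = 4) -> list:
    """List every length-prefixed identifier of at least min_len bytes.

    Heuristic: on a real executable some hits are coincidental byte runs.
    """
    found = []
    for i in range(len(data) - min_len):
        n = data[i]
        end = i + 1 + n
        if min_len <= n and end <= len(data) and IDENT.fullmatch(data, i + 1, end):
            found.append((i, data[i + 1:end].decode("ascii")))
    return found


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in inventory(blob):
        print(f"{offset:#010x}  {name}")
    # FName stays absent only if the {$RTTI EXPLICIT ...} directive took effect.
    print(audit(blob, ["TPerson", "Unit1", "FName"]))
```

Run it with the path to the built executable as the only argument; with no argument it uses the constructed sample.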