Delphi Decompiler — Dede

DeDe (Delphi Decompiler) is a legacy reverse-engineering tool specifically designed to analyze executables compiled with Delphi 2 through 6, as well as C++Builder and Kylix. While it cannot perfectly reconstruct original source code, it is highly valued for its ability to recover high-level metadata that standard disassemblers often miss.

Core Functionality

DeDe acts as a bridge between a raw binary and a readable project structure. Its primary strengths include:

  • Form Recovery: It extracts the form files, which contain the layouts, properties, and components of the application's user interface.
  • Event Handler Mapping: It identifies specific methods linked to UI buttons and actions (e.g., events), providing the exact memory address where that logic begins.
  • Symbol Information: It can resolve many variable and class names by parsing RTTI (Run-Time Type Information) and class metadata embedded in the binary.
  • Internal Disassembler: While it shows the underlying logic as assembly code rather than Pascal, it comments the code with recognized function names and references.

Typical Workflow

  1. Loading the Binary: Open the target file. DeDe will analyze the file to determine the Delphi version used.
  2. Exploring Forms: Navigate the "Forms" tab to view the visual layout of the program. Double-clicking a component often reveals the associated event handlers.
  3. Analyzing Procedures: Use the "Procedures" tab to see a list of internal functions. This is useful for identifying core business logic.
  4. Exporting to Delphi: You can export the recovered metadata into a format that can be opened as a new project in the Delphi IDE, though you will still need to manually rewrite the assembly logic into Pascal code.

Limitations and Alternatives

  • No High-Level Code: DeDe does not produce high-level Pascal code (e.g., if-then-else blocks); it only provides assembly.
  • Modern Support: DeDe was built for older versions of Delphi. For modern 64-bit or high-version binaries, the Interactive Delphi Reconstructor (IDR) is often considered the superior, more up-to-date successor.
  • Complexity: Reading the output requires a strong understanding of x86 assembly and Delphi's internal memory management.

For normal Delphi binaries (EXE/DLL/BPLs/DCUs), the tool named DeDe is best in my opinion. You have more details at http://delphi.

The following is a sketch of a feature for a Delphi decompiler similar to DeDe. It extracts and displays form information, event handlers, and component properties from a Delphi compiled executable.

```python
"""
Delphi Decompiler Feature - Form & Component Extractor
Inspired by DEDE (Delphi Decompiler)
"""

import re
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class ComponentType(Enum):
    TFORM = "TForm"
    TBUTTON = "TButton"
    TEDIT = "TEdit"
    TMEMO = "TMemo"
    TLABEL = "TLabel"
    TCOMBOBOX = "TComboBox"
    TLISTBOX = "TListBox"
    TCHECKBOX = "TCheckBox"
    TRADIOBUTTON = "TRadioButton"
    TPANEL = "TPanel"
    TMAINMENU = "TMainMenu"
    TTIMER = "TTimer"
    UNKNOWN = "Unknown"


@dataclass
class RTTIProperty:
    """Represents a component property from RTTI"""
    name: str
    value: str
    prop_type: str


@dataclass
class EventHandler:
    """Represents an event handler method"""
    event_name: str
    method_name: str
    rva: int  # Relative Virtual Address


@dataclass
class Component:
    """Represents a Delphi component/form control"""
    name: str
    component_type: ComponentType
    parent: Optional[str]
    properties: Dict[str, RTTIProperty] = field(default_factory=dict)
    events: List[EventHandler] = field(default_factory=list)
    children: List['Component'] = field(default_factory=list)


@dataclass
class FormInfo:
    """Represents a Delphi form"""
    name: str
    class_name: str
    unit_name: str
    components: List[Component] = field(default_factory=list)


class DelphiDecompiler:
    """Main decompiler class for Delphi executables"""

    # First "end" keyword after a form start, in either case
    _END_RE = re.compile(rb'\bend\b', re.IGNORECASE)

    def __init__(self, file_path: str):
        self.file_path = file_path
        self.file_data: bytes = b""
        self.forms: List[FormInfo] = []
        self.string_table: Dict[int, str] = {}

    def load_file(self) -> bool:
        """Load the executable file"""
        try:
            with open(self.file_path, 'rb') as f:
                self.file_data = f.read()
            return True
        except OSError as e:
            print(f"Error loading file: {e}")
            return False

    def find_delphi_signature(self) -> bool:
        """Detect if file is a Delphi executable"""
        signatures = [
            b'TPF0',  # Binary DFM (form resource) stream signature
            b'PACKAGEINFO',  # Package info
            b'System@Sysinit',  # Delphi runtime
            b'@System@InitUnits',  # Unit initialization
        ]
        return any(sig in self.file_data for sig in signatures)

    def extract_strings(self) -> None:
        """Extract string table references"""
        # Simple heuristic: a 0x03 byte, a run of printable ASCII, then NUL
        pattern = re.compile(rb'\x03([\x20-\x7E]+)\x00')
        for match in pattern.finditer(self.file_data):
            string_val = match.group(1).decode('ascii', errors='ignore')
            self.string_table[match.start()] = string_val

    def find_form_resources(self) -> List[Tuple[int, str]]:
        """Find embedded form resource (DFM) data"""
        forms = []
        # Search for DFM resource patterns (text-form DFM only)
        dfm_patterns = [
            b'OBJECT ',  # DFM object declaration
            b'object ',  # Lowercase variant
            b'POBJECT',  # Pascal-style
        ]
        for pattern in dfm_patterns:
            pos = 0
            while True:
                found = self.file_data.find(pattern, pos)
                if found == -1:
                    break
                # Extract form name
                end_of_obj = self.file_data.find(b'\n', found)
                if end_of_obj != -1:
                    form_line = self.file_data[found:end_of_obj].decode('ascii', errors='ignore')
                    form_name = form_line.replace('OBJECT ', '').replace('object ', '').strip()
                    # "object Form1: TForm1" -> keep only the instance name
                    form_name = form_name.split(':', 1)[0].strip()
                    forms.append((found, form_name))
                pos = found + 1
        return forms

    def parse_dfm_data(self, data: bytes) -> List[Component]:
        """Parse DFM (Delphi Form Module) data in its text form"""
        components: List[Component] = []
        # Convert to string for easier parsing (binary TPF0 streams are not decoded here)
        try:
            dfm_text = data.decode('ascii', errors='ignore')
            lines = dfm_text.split('\n')
            current_component: Optional[Component] = None
            indent_stack: List[Component] = []
            for line in lines:
                line = line.strip()
                if not line:
                    continue
                # Detect component start: "object Name: TType" or "object TType"
                if line.upper().startswith('OBJECT '):
                    parts = line.split()
                    if len(parts) > 2:
                        comp_name, comp_type = parts[1].rstrip(':'), parts[2]
                    else:
                        comp_name, comp_type = "Unnamed", parts[1]
                    component = Component(
                        name=comp_name,
                        component_type=self._parse_component_type(comp_type),
                        parent=current_component.name if current_component else None
                    )
                    if current_component:
                        current_component.children.append(component)
                    components.append(component)
                    current_component = component
                    indent_stack.append(component)
                # Detect component end
                elif line.upper() == 'END':
                    if indent_stack:
                        indent_stack.pop()
                    current_component = indent_stack[-1] if indent_stack else None
                # Parse properties
                elif current_component and '=' in line:
                    self._parse_property(line, current_component)
        except Exception as e:
            print(f"Error parsing DFM: {e}")
        return components

    def _parse_component_type(self, type_str: str) -> ComponentType:
        """Convert Delphi type string to ComponentType enum"""
        type_upper = type_str.upper()
        mapping = {
            'TFORM': ComponentType.TFORM,
            'TBUTTON': ComponentType.TBUTTON,
            'TEDIT': ComponentType.TEDIT,
            'TMEMO': ComponentType.TMEMO,
            'TLABEL': ComponentType.TLABEL,
            'TCOMBOBOX': ComponentType.TCOMBOBOX,
            'TLISTBOX': ComponentType.TLISTBOX,
            'TCHECKBOX': ComponentType.TCHECKBOX,
            'TRADIOBUTTON': ComponentType.TRADIOBUTTON,
            'TPANEL': ComponentType.TPANEL,
            'TMAINMENU': ComponentType.TMAINMENU,
            'TTIMER': ComponentType.TTIMER,
        }
        return mapping.get(type_upper, ComponentType.UNKNOWN)

    def _parse_property(self, line: str, component: Component) -> None:
        """Parse a property line from DFM"""
        prop_name, prop_value = line.split('=', 1)
        prop_name = prop_name.strip()
        # Text DFM quotes strings with single quotes
        prop_value = prop_value.strip().strip('\'"')
        # Detect event handlers: "OnClick = Button1Click"
        if prop_name.lower().startswith('on') and prop_value.isidentifier():
            event_handler = EventHandler(
                event_name=prop_name,
                method_name=prop_value,
                rva=0  # Would need actual RVA calculation
            )
            component.events.append(event_handler)
        else:
            # Regular property
            prop_type = self._guess_property_type(prop_value)
            component.properties[prop_name] = RTTIProperty(
                name=prop_name,
                value=prop_value,
                prop_type=prop_type
            )

    def _guess_property_type(self, value: str) -> str:
        """Guess property type from value"""
        if value.lstrip('-').isdigit():
            return 'Integer'
        elif value.upper() in ['TRUE', 'FALSE']:
            return 'Boolean'
        elif value.startswith('$') and len(value) > 1:
            return 'Hex'
        else:
            return 'String'

    def find_event_handlers(self) -> Dict[str, List[int]]:
        """Find event handler addresses in code section"""
        handlers: Dict[str, List[int]] = {}
        # Pattern for Delphi method references (opcode + 32-bit immediate)
        method_patterns = [
            rb'\x68([\x00-\xFF]{4})',  # push address (DELPHI)
            rb'\xB8([\x00-\xFF]{4})',  # mov eax, address
        ]
        for pattern in method_patterns:
            for match in re.finditer(pattern, self.file_data):
                address = struct.unpack('<I', match.group(1))[0]
                # Look for method name nearby
                method_name = self._find_method_name(match.start())
                if method_name:
                    handlers.setdefault(method_name, []).append(address)
        return handlers

    def _find_method_name(self, position: int) -> Optional[str]:
        """Find method name near given position"""
        # Look for Pascal string format (length byte + string)
        search_range = 100
        start = max(0, position - search_range)
        end = min(len(self.file_data), position + search_range)
        for offset in range(start, end):
            if offset + 1 >= len(self.file_data):
                continue
            str_len = self.file_data[offset]
            if 1 <= str_len <= 100:  # Reasonable string length
                name = self.file_data[offset+1:offset+1+str_len].decode('ascii', errors='ignore')
                if name and name[0].isalpha():
                    return name
        return None

    def decompile(self) -> bool:
        """Main decompilation process"""
        print(f"[*] Loading file: {self.file_path}")
        if not self.load_file():
            return False
        print("[*] Checking Delphi signature...")
        if not self.find_delphi_signature():
            print("[!] Warning: Delphi signature not found")
        print("[*] Extracting strings...")
        self.extract_strings()
        print("[*] Finding form resources...")
        form_resources = self.find_form_resources()
        print(f"[*] Found {len(form_resources)} potential form(s)")
        for offset, form_name in form_resources:
            print(f"\n[*] Processing form: {form_name}")
            # Extract form data (simplified: up to the first "end" keyword)
            end_match = self._END_RE.search(self.file_data, offset)
            if end_match:
                form_data = self.file_data[offset:end_match.end()]
                components = self.parse_dfm_data(form_data)
                form_info = FormInfo(
                    name=form_name,
                    class_name=f"T{form_name}",
                    unit_name="",  # Would need unit detection
                    components=components
                )
                self.forms.append(form_info)
        print("[*] Finding event handlers...")
        event_handlers = self.find_event_handlers()
        print(f"[*] Found {len(event_handlers)} event handler(s)")
        return True

    def generate_report(self) -> str:
        """Generate a decompilation report"""
        report = []
        report.append("=" * 60)
        report.append("DELPHI DECOMPILER REPORT - DEDE STYLE")
        report.append("=" * 60)
        report.append(f"File: {self.file_path}")
        report.append(f"Forms Found: {len(self.forms)}")
        report.append("")
        for i, form in enumerate(self.forms):
            report.append(f"\n--- FORM {i+1}: {form.name} ---")
            report.append(f"Class: {form.class_name}")
            report.append(f"Components: {len(form.components)}")
            report.append("")
            for comp in form.components:
                report.append(f"  [+] Component: {comp.name} ({comp.component_type.value})")
                if comp.properties:
                    report.append("      Properties:")
                    for prop_name, prop in list(comp.properties.items())[:10]:  # Limit display
                        report.append(f"        - {prop_name} = {prop.value}")
                if comp.events:
                    report.append("      Events:")
                    for event in comp.events:
                        report.append(f"        - {event.event_name} -> {event.method_name}")
                if comp.children:
                    report.append(f"      Children: {len(comp.children)}")
        return "\n".join(report)

    def export_to_dcr(self, output_file: str) -> None:
        """Export to DCR (DeDe format) compatible file"""
        with open(output_file, 'w') as f:
            f.write("[Delphi Decompiler Export]\n")
            f.write(f"File: {self.file_path}\n\n")
            for form in self.forms:
                f.write(f"[Form: {form.name}]\n")
                f.write(f"Class: {form.class_name}\n")
                f.write("Components:\n")
                for comp in form.components:
                    f.write(f"  {comp.name} = {comp.component_type.value}\n")
                    for prop in comp.properties.values():
                        f.write(f"    {prop.name} = {prop.value}\n")
                f.write("\n")
```

How It Works:

  1. Signature Detection - Identifies Delphi executables by looking for Delphi-specific patterns
  2. String Extraction - Extracts embedded strings from the binary
  3. DFM Parsing - Parses Delphi Form Module data (both text and binary formats)
  4. Component Tree Building - Reconstructs the component hierarchy
  5. Event Handler Mapping - Maps event names to method addresses
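
The DFM Parsing and Event Handler Mapping steps above, applied to the binary form stream that starts with the TPF0 signature: this is an added example, not code from the original page or from DeDe. The tag numbers follow Delphi's TValueType enumeration; DfmReader, dfm_event_handlers and SAMPLE are names chosen here, and the sample bytes are constructed.

```python
import struct

# TValueType tags with fixed-size payloads (tag -> struct format), as written by TWriter.
FIXED = {2: "<b", 3: "<h", 4: "<i", 5: "10s", 15: "<f", 16: "<q", 17: "<d", 19: "<q", 21: "<d"}

class DfmReader:
    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos, self.events = data, pos, []

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated stream at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def peek(self) -> int:
        byte = self.take(1)[0]
        self.pos -= 1
        return byte

    def short_str(self) -> str:  # one length byte, then the characters
        return self.take(self.take(1)[0]).decode("latin-1")

    def properties(self) -> dict:
        props = {}
        while name := self.short_str():  # an empty name (0x00) ends the list
            tag = self.peek()
            props[name] = (tag, self.value())
        return props

    def value(self):
        tag = self.take(1)[0]
        if tag in FIXED:  # integers, floats, currency, dates
            return struct.unpack(FIXED[tag], self.take(struct.calcsize(FIXED[tag])))[0]
        if tag in (0, 8, 9, 13):  # vaNull, vaFalse, vaTrue, vaNil
            return {8: False, 9: True}.get(tag)
        if tag in (6, 7):  # vaString, vaIdent
            return self.short_str()
        if tag in (10, 12, 18, 20):  # vaBinary and the long strings, kept as raw bytes
            count = struct.unpack("<I", self.take(4))[0]
            return self.take(count * 2 if tag == 18 else count)  # vaWString counts UTF-16 units
        if tag == 11:  # vaSet: element names until an empty string
            return list(iter(self.short_str, ""))
        if tag in (1, 14):  # vaList / vaCollection, both closed by 0x00
            items = []
            while self.peek():
                if tag == 14 and self.peek() in (2, 3, 4):
                    self.value()  # optional collection item index
                if tag == 14 and self.take(1)[0] != 1:
                    raise ValueError("collection item must open with vaList")
                items.append(self.properties() if tag == 14 else self.value())
            self.pos += 1
            return items
        raise ValueError(f"unknown value tag {tag} at offset {self.pos - 1}")

    def component(self, path: str = "") -> None:
        if (self.peek() & 0xF0) == 0xF0 and self.take(1)[0] & 0x02:
            self.value()  # filer-flags prefix with ffChildPos: skip the child index
        cls, name = self.short_str(), self.short_str()
        here = f"{path}.{name}" if path else name
        for prop, (tag, val) in self.properties().items():
            if tag == 7 and prop.startswith("On"):  # handler method name stored as vaIdent
                self.events.append((here, cls, prop, val))
        while self.peek():  # child objects until the 0x00 terminator
            self.component(here)
        self.pos += 1

def dfm_event_handlers(data: bytes, pos: int = 0) -> list:  # (path, class, event, method)
    reader = DfmReader(data, pos)
    if reader.take(4) != b"TPF0":
        raise ValueError("not a binary DFM stream")
    reader.component()
    return reader.events

# Constructed sample: a form with one button, laid out as a binary DFM stream.
SAMPLE = (b"TPF0\x0aTLoginForm\x09LoginForm\x07Caption\x06\x07Sign in"
          b"\x0bClientWidth\x03\x40\x01\x08OnCreate\x07\x0aFormCreate\x00"
          b"\x07TButton\x08btnLogin\x07Default\x09"
          b"\x07OnClick\x07\x0dbtnLoginClick\x00\x00\x00")
```

When scanning an untrusted executable, call dfm_event_handlers at each TPF0 offset and catch ValueError and RecursionError, since chance signature matches and hostile nesting depth are both to be expected.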

What is DeDe? (The Delphi Decompiler)

DeDe is a file analysis and decompilation tool specifically designed for Windows executables (.exe) and dynamic link libraries (.dll) compiled with Borland Delphi (versions 2 through 7, and partially for newer versions like 2005-2010).

A common misconception is that DeDe is a full source code reconstructor. It is not. Instead, it acts as a sophisticated structured recovery tool. While a C++ decompiler might produce gibberish assembly, DeDe understands the Delphi Virtual Machine (DPMI) and the proprietary format of Delphi's runtime type information (RTTI).

Further Resources

  • DeDeDlphi Download: (Search GitHub for "DeDeDlphi 3.50" – updated by reverse engineers).
  • IDR (Alternate): https://github.com/crypto2011/IDR
  • Recommended reading: "Reverse Engineering Delphi Binaries" by ByteRage.
  • Video Tutorial: YouTube: "How to use DeDe to find event handlers"


DeDe is a powerful, specialized tool for reverse engineering applications built with Delphi. While it doesn't recover source code perfectly, it is the standard for analyzing compiled Delphi binaries.

What is DeDe?

DeDe is a dedicated decompiler designed specifically for Delphi and C++ Builder. It targets the "Intermediate Language" and visual components of these applications, making it easier to understand how a program was built.

Key Features

Form Analysis: Recovers all DFMs (Delphi Forms) and visual layouts.

Event Tracking: Maps buttons and menus to their underlying code addresses.

Class Tree: Reconstructs the object hierarchy used in the application.

DCU Parsing: Analyzes Delphi Compiled Unit files for deeper insight.

Assembler View: Shows the compiled assembly code with added comments for clarity.

How it Works

Parsing: It reads the binary file to find Delphi-specific signatures.

Resource Extraction: It pulls out icons, bitmaps, and form layouts.

Address Mapping: It identifies the Entry Point for every event (like OnClick).

Symbol Recovery: It tries to name variables and functions based on internal metadata.

Limitations to Keep in Mind

No "1:1" Source Code: It does not recreate .pas files with original logic.

Assembly Knowledge: You still need to understand assembly to read the logic.

Obfuscation: Packed or obfuscated files will break DeDe’s analysis.

Age: It works best on older versions (Delphi 2 through 7/2007).

Use Cases

Malware Analysis: Identifying hidden triggers in suspicious Delphi files.

Legacy Support: Recovering lost UI logic from old internal tools.

Interoperability: Learning how a third-party app handles specific data formats.

💡 Pro Tip: Use DeDe alongside a debugger like x64dbg or OllyDbg to step through the code once DeDe gives you the correct entry points.

Key Features

| Feature | Description |
|---------|-------------|
| DFM extraction | Recovers form definitions (component tree, properties). |
| Event detection | Lists all event handlers linked to components. |
| Method analysis | Shows addresses, sizes, and names of methods. |
| Pseudo-code generation | Produces a Pascal-like representation of assembly code (basic but readable). |
| Resource viewing | Extracts strings, icons, and other resources. |
| Support | Delphi 2 – 2007 / C++ Builder 3 – 6 (older versions only). |


Final Verdict

Dede is obsolete but historically important. Use IDR for modern needs. Keep Dede only for:

  • Vintage Delphi 2–7 projects.
  • Testing/comparing decompiler outputs.
  • Running on old hardware (Windows 98/2000).

If you need to decompile a Delphi executable right now, download IDR (Interactive Delphi Reconstructor) – it's the true successor to Dede.

DeDe is a legacy reverse-engineering tool designed to analyze and decompile 32-bit executables created with older versions of Borland Delphi (specifically Delphi 2 through 7) and C++Builder. While it is no longer actively updated, it remains a notable entry in the history of Delphi decompilation due to its speed and ability to reconstruct a project's visual structure.

Key Features of DeDe

Unlike modern general-purpose disassemblers, DeDe is specialized for the Delphi framework and its unique metadata structures.

  • DFM Reconstruction: It can extract all DFM (Delphi Form) files from a target executable, allowing you to view and edit the original UI design within the Delphi IDE.
  • ASM Code Analysis: It retrieves "published" methods and presents them as well-commented Assembly (ASM) code, including references to strings, class method calls, and imported functions.
  • Project Generation: DeDe can create a mock Delphi project folder containing retrieved files. However, the files contain assembly code and cannot be recompiled directly back into a working application.
  • Utility Tools: It includes a PE editor, an RVA (Relative Virtual Address) converter, and a DOI (Delphi Offset Info) builder to assist in low-level binary analysis.

Core Limitations

Modern security researchers and developers often find DeDe insufficient for contemporary tasks due to several factors:

  • No High-Level Logic Recovery: DeDe does not produce readable Pascal source code for application logic; it only provides assembly instructions for the back-end.
  • Version Incompatibility: It is highly inefficient with modern Delphi versions (post-Delphi 7) and does not support 64-bit architectures.
  • Loss of Metadata: Because Delphi compiles to native machine code, many original variable and function names are lost during compilation, making any "decompiled" output difficult to interpret without significant manual effort.

Current Status and Alternatives

As of 2026, DeDe is primarily found in software archives and community forums rather than official developer sites. For modern reverse engineering of Delphi binaries, researchers typically use a combined approach with more advanced tools:

  • IDR (Interactive Delphi Reconstructor): Often cited as more complete and reliable than DeDe for Win32 executables, with better support for VMTs and RTTI.
  • Ghidra & IDA Pro: These general-purpose platforms, when paired with Delphi-specific scripts (like ), are the industry standard for analyzing 64-bit and modern Delphi applications.
  • Ultimate Delphi Decompiler: A commercial utility focused on reconstructing logical structures for legacy modernization.

Step 5: Export to IDC Script

For advanced users, DeDe generates scripts for IDA (the Interactive Disassembler). This loads all recovered symbol names directly into IDA Pro, turning a blind binary into a semi-labeled project.

Limitations & Notes:

  • This is a simplified implementation - full Delphi decompilation is complex
  • Protected/obfuscated executables may not decompile properly
  • Delphi versions vary in their binary structure
  • Real DEDE uses advanced pattern matching and disassembly
  • Requires understanding of Delphi's VCL structure

This provides a solid foundation for a Delphi decompiler tool similar to DEDE. For production use, you'd need to add support for different Delphi versions (D2007, D2010, DXE, etc.), handle packed executables, and implement more sophisticated RTTI parsing.

DeDe (Delphi Decompiler) is a specialized reverse engineering tool designed to analyze and decompile executables compiled with Borland Delphi (and C++ Builder). While it does not reconstruct high-level Pascal source code perfectly from a compiled binary, it is legendary in the reverse engineering community for its ability to map out the internal structure of Delphi applications.

1. Core Purpose and Mechanics

When a program is compiled in Delphi, the compiler generates a lot of metadata to handle Object Pascal's unique features, such as the Visual Component Library (VCL) and Run-Time Type Information (RTTI). DeDe exploits this metadata to:

Recover Form Files (DFM): It can reconstruct the visual layout of windows, including button positions, labels, and menu structures.

Identify Event Handlers: It maps UI elements (like a "Login" button) to their specific memory addresses in the code section (the OnClick event).

Analyze RTTI: It extracts published properties, methods, and class hierarchies, giving the researcher a "roadmap" of the application's logic.

2. Key Features of DeDe

Fast Identification: DeDe quickly identifies the version of Delphi used to compile the target (e.g., Delphi 2 through 7).

Disassembly Integration: It features an internal disassembler that provides a readable view of the assembly code, often commenting on VCL function calls (like ShowMessage or GetWindowText).

Code Jumping: Users can click on an event in the GUI list and be instantly transported to the assembly code responsible for that action.

Map File Generation: It can export .MAP files or IDC scripts, which are vital for loading into more powerful tools like IDA Pro or x64dbg to provide symbols and context.

3. Use Cases in Reverse Engineering

Malware Analysis: Security researchers use DeDe to quickly identify the "meat" of a Delphi-based malware sample, bypassing the boilerplate VCL code to find the malicious payload logic.

Software Interoperability: Developers use it to understand how legacy Delphi applications communicate with other systems when the original source code is lost.

Security Auditing: It helps in finding hardcoded strings, hidden administrative panels, or weak logic in event handlers.

4. Limitations and Modern Alternatives

While DeDe was the gold standard for years, it has notable limitations:

Source Reconstruction: It does not give you back .pas files. It gives you assembly code and visual structures.

Age: Development on the original DeDe stalled around the Delphi 7 era. It struggles with modern "FireMonkey" (FMX) applications or 64-bit Delphi binaries.

Modern Alternatives:

IDR (Interactive Delphi Reconstructor): Currently the most advanced tool for modern Delphi versions. It has a much larger knowledge base of standard library signatures.

Revitalized DeDe: Various community patches (like DeDe 3.50.04) have attempted to keep the tool compatible with newer Windows environments.

5. Ethical and Legal Context

DeDe is a tool for static analysis. In many jurisdictions, reverse engineering is legal for purposes of interoperability or security research, but you should always check your local laws and the software's End User License Agreement (EULA) before decompiling proprietary code.

Here is a proposal for a solid, high-impact feature for a modern Delphi decompiler (like a resurrected Dede or a new DCU/DUF analysis tool).

The Feature: "Semantic Signature Matching" (SSM)