Windev 27 !exclusive! — Dump

Dumping WinDev 27: Quick Post

• Windev compiles to native code, not p-code.
• No known decompiler maps native back to 4GL events.
• What can be recovered:

  hfdump.exe source.fic output.csv /format=csv /delimiter=";"

  | Protection | How to Bypass | |------------|----------------| | IsDebuggerPresent check | Patch in memory using Process Hacker → Properties → Memory → Write bytes 0x31 0xC0 0xC3 (xor eax,eax; ret) at the entry of IsDebuggerPresent | | Checksum verification at startup | Use WinDbg to break on CreateFileW for the .exe path, then modify returned value | | Memory encryption (XOR with rolling key) | Dump after decryption occurs (e.g., after GUI is fully loaded, before user input) | | Packed with UPX or custom packer | Use generic unpackers first, then dump the decompressed process | dump windev 27

  • Imports from User32.dll, Kernel32.dll, WD27*.dll.
  • Some window procedures (but not high-level form definitions).
  • Resource section (.rsrc) may contain embedded windows (RC data).

  For reverse engineers facing a dump of a WinDEV 27 binary: prepare a hex editor, a Python environment, and a lot of coffee. The format is undocumented, but with careful memory region analysis, critical data can be recovered. Dumping WinDev 27: Quick Post

  Approach:

  Several ETL tools support HFSQL:

  • Dumping someone else’s Windev 27 software without permission may violate: