Hello, Didier Stevens here, senior handler with the Internet Storm Center. We are going to look at Pascal strings here. So I have a small Delphi program, just hello world, WriteLn hello world, that I have compiled into an EXE. And now with my strings command, I can search for Pascal strings. I'm going to explain the command later, but a Pascal string is a string that is prefixed by its length. And here you can see the different Pascal strings in the executable, and at the end here, hello world, the one that we saw in the source code.

So a Pascal string or a P string is a string, a sequence of characters, that is preceded, prefixed, by a counter, an integer. And that counter tells us how many characters there are in the string. And that type of string is not delimited at the end by a null character, for example, like C strings.

Now, if I run my strings.py command like that on hello.exe, I will have all strings greater than three or four characters. All those strings here, if we do a line count, we have 1699 strings. And if I grep for hello world, hello, for example, then I have my hello world string. So strings without any options will extract all the strings with a given length; a minimum length, you can specify this with option n, and the default is four. So you need at least four printable characters for strings to find a string.

Now we can reduce the amount of strings that are output by the strings command by saying, okay, we want to look for Pascal strings. So Pascal strings or P strings, typical for programming languages like Pascal and Delphi. So you start the command and you use option uppercase P for Pascal string. And then you are going to specify the format of the integer that contains the counter for the number of characters in the string. So this integer can have different formats. It can be, for example, eight bits or 32 bits. And I use the format specification that is used by the Python struct module.
So first of all, we are going to look for a little endian integer. And it's a 32-bit unsigned integer. So this is how you specify this for that format string. Smaller than means little endian, uppercase I means unsigned 32-bit integer. And that's what we are going to look for in hello.exe. And here we find the hello world. Now if we look again at the source code, you will find another string here, colon space. So that's only two characters. And this one is not displayed. But if we start our command again and say that the minimum length is now two, then we have more strings and also that colon space string.

In Delphi, you can also have another integer format for Pascal strings. Here the strings we are looking for were 32-bit prefixed integers. And you also have what they call short strings. And a short string is just a byte. So the integer is just eight bits, a byte. Little endian, although that has not much meaning for a byte. Uppercase B is an unsigned byte, so an eight-bit integer, hello.exe. And then we also have a longer list of all kinds of strings, so Pascal strings, but using eight bits instead of 32-bit integers.
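
The length-prefixed search described in this video, as an added example (it is not part of the video and is not the code of strings.py): a minimal scanner that takes a Python struct format for the counter and a minimum length. The function name, the printable-ASCII rule and the constructed sample bytes are assumptions made for illustration.

```python
import struct

# Assumption: "printable" means ASCII 0x20..0x7E.
PRINTABLE = set(range(0x20, 0x7F))


def find_pascal_strings(data, fmt="<I", min_len=4):
    """Return (offset, text) for every length-prefixed printable string.

    fmt is a struct format for the counter, e.g. "<I" (little-endian
    unsigned 32-bit) or "<B" (unsigned byte, Delphi short strings).
    """
    size = struct.calcsize(fmt)
    hits = []
    # Try every offset: the counter is not necessarily aligned.
    for off in range(len(data) - size + 1):
        (count,) = struct.unpack_from(fmt, data, off)
        start = off + size
        # Reject counters that are too small or run past the buffer.
        if count < min_len or start + count > len(data):
            continue
        body = data[start:start + count]
        # Keep only candidates whose counted bytes are all printable.
        if all(b in PRINTABLE for b in body):
            hits.append((off, body.decode("ascii")))
    return hits


# Constructed sample bytes (not taken from hello.exe): two strings with a
# 32-bit counter and one short string with a one-byte counter.
SAMPLE = (
    b"\x00\x01\xff\xff"
    + struct.pack("<I", 11) + b"Hello world" + b"\x00"
    + struct.pack("<I", 2) + b": " + b"\x00"
    + struct.pack("<B", 9) + b"ShortStr!" + b"\x00"
)

if __name__ == "__main__":
    for fmt, n in (("<I", 4), ("<I", 2), ("<B", 4)):
        print(fmt, n, find_pascal_strings(SAMPLE, fmt, n))
```

With the default minimum of four, the two-character string is skipped, just as in the video; lowering the minimum to two brings it back.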