Archive for the ‘Uncategorized’ Category

IDAQ: The result of 7 months at Hex-Rays

Monday, August 2nd, 2010

It is not a mystery that Hex-Rays is preparing for the IDA 6.0 beta program. In this post I’ll write a bit about my personal, behind-the-scenes experience with the project.

It took me 7 months to port/rewrite the old VCL GUI of IDA Pro. The new GUI, as had already been anticipated months ago on the official blog, is Qt based.

The main difficulties I faced were mostly not of a technical nature, although it was a complex task, but psychological ones. It took a lot of patience, and it was very difficult every morning to go to work and have to look at an unfinished product with the old GUI, reminding myself how much there was still to do.

What follows is a rough roadmap of my work; I’ll mention only the milestones and not the hundreds of smaller parts. It has to be noted that, at least as far as the docking is concerned, I wrote most of it before joining Hex-Rays to accelerate the development of the actual GUI once in the company. While Qt has a docking system, it is not as advanced as the one used by the VCL GUI, which is a commercial control. So, I wrote a docking system myself in order to offer all the advanced features the old GUI had.

January: first contact with the code. It took me a week to grasp the initial concepts to get started. Basically, at the end of the month I could display the disassembly and graph mode of a file. Also, hints, graph overview and disassembly arrows were implemented.

February: implemented the chooser and forms (which I actually completely changed internally; that’s why I had to improve them again later on to obtain better backwards compatibility).

March: marathon month. Every day I implemented one or more dialogs/views, such as: hex view, CPU regs view, enum view, struct view, options, navigation band, colors, etc. More than 30 in total, some very easy, some advanced controls such as the hex view or the CPU regs view.

April: two weeks to finish the docking and smaller things.

May: two weeks to implement the desktop part (the ability to save/restore layouts and options) and smaller things.

June: fixes, help system and improved the forms implementation.

July: Hundreds of fixes for the beta.

While there will still be bugs to fix, I consider the project completed, and I wrote this post to close a chapter for myself.

My first month at Hex-Rays

Sunday, February 7th, 2010

At the beginning of September I started looking for a job. I actually wanted a job where I could work remotely. Despite the fact that I got several offers, all of them required relocation. So in the end I saw the Hex-Rays hiring announcement on Woodmann and sent out my résumé. Of all the relocations, Belgium was the nearest and best connected one, and of course it’s a very good job.

The first month at Hex-Rays has been tough on all fronts, mainly because of the relocation and getting used to working in an office. Now work is proceeding well, but the rest is still difficult. Having one day of sun here in Belgium would help, by the way.

Musil wrote in his life’s work that modern man spends his life constantly increasing his level of expertise, ending up with a millimeter of specialist knowledge which only a few people in the world can really understand. The others, talking about his millimeter, would only say stupid things, and he himself can’t move away from his own millimeter without running into the same problem.
I think I found my millimeter in the IT world. However, I can’t stand still on it. I always keep moving with exasperated restlessness.

In the last 2 years I have written at least 5 programs of considerable size which are almost complete, but as I’m now working at Hex-Rays they will have to wait. When I was mostly writing software on my own I did it almost entirely to be active in something. Now that I’m working on IDA every day I feel that my need to be active is fulfilled, and I don’t feel the need to write more code when I’m at home. Instead, I feel the need for art.

Why haven’t I tried producing art instead of programming already? Because I have always been capable of judging my own work objectively and I know when the time is not right.

What’s the difference between programming and art? Both need experience. The difference is that one can build one’s technical experience alone in one’s room, without the help of events, social interaction, etc. In a technical field it is possible to make the time needed for experience pass faster. Vice versa, in one’s reflections about life one has to actually follow the time of one’s own life.

I feel that something is changing about that.

Busy & Qt 4.6

Sunday, December 13th, 2009

I apologize if lately I couldn’t answer emails without many days of delay, but I’m incredibly busy in my real life.
There is some important news I can’t talk about yet, but I will soon.

Also, yesterday the new Qt 4.6 came out. Good news for Windows developers: the SDK comes with GCC 4.4 with patches for Phonon, in case you don’t want to use Visual Studio (like myself). Among the new features: animation and state machine frameworks, multi-touch support, Symbian support. Also many improvements in Qt Creator.

P.S. I wanted to publish this post several days ago, but pressed Save Draft instead of Publish.

Server Bug: Reupload

Wednesday, August 19th, 2009

Today I received the following email from my hosting provider:

[...] Security is our highest priority and over the last years we have taken dramatic measures to build the most secure hosting environment around.

Unfortunately we have however been affected by the Linux kernel vulnerability (CVE-2009-2692) for a 24 hour period. Due to our architecture this exploit did not compromise personal data and all customer records are safe.

After updating the kernel on our systems we scanned all customer accounts and found that your index was removed. Therefore we kindly ask you to check your webpage and reupload your index page if it is missing.

We sincerely apologize for this incident and will take measures to prevent such incidents in the future.

The index pages of both rcecafe and ntcore were in fact missing. As a precaution I reuploaded both pages completely.

Update: Mini Hook Engine

Saturday, April 5th, 2008

Fixed a significant bug in the mini hook engine on x64. The functions’ syntax hasn’t changed, so you can just update your dll.

New MFC 2008

Wednesday, March 19th, 2008

Big news: Microsoft is developing MFC again!

It seems that the huge managed code campaign didn’t stop developers from writing MFC applications. So, for the first time in years, huge updates have been made to the MFC. The new MFC will soon be available (it’s still in beta) as an update.

I quote from Somasegar’s MSDN blog:

The team is looking at the feedback and finalizing plans for where we should be focusing to move Visual C++ forward. One of the first areas you will see us invest is in native libraries. The team is working on a significant update to the Microsoft Foundation Classes (MFC). We will be delivering this as an update to Visual Studio 2008 in the first half of 2008. We will have a preview of the same sometime around the early part of the new year.

Using this update to MFC, developers will be able to create applications with the “look and feel” of Microsoft’s Office, Internet Explorer and Visual Studio. Some of the specific features include Office 2007 Ribbon bar look, Internet Explorer look with rebars and task panes, Visual Studio look with sophisticated docking functionality, auto hide windows, property grids and the like. You can also enable your users to customize your application through live drag and drop of menu items and toolbar buttons.

PE Validator Script

Friday, February 8th, 2008

Checking the validity of a PE file is a very difficult task, but checking a .NET assembly is even more complicated, since you have to check the tables’ integrity, the code integrity, the stack integrity, etc. Ok, there’s already a tool provided by the .NET framework that does that. However, that tool isn’t perfect either and doesn’t check for some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong at one time or another in the format I produced, and the MS tools didn’t help. But let’s not go off topic; I just wanted to say that a topic on the Woodmann forum triggered my interest because it was a good opportunity to test the CFF Explorer’s scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it’s a script (thus open source) it can be expanded easily.

You can find it in the extensions repository:

http://www.woodmann.com/collaborative/tools/index.php/PE_Validator_Script

Here are the current checks:

– check CRC32 (useful for drivers)
– check number of rva and sizes
– check image size
– check sections
– check that EP is valid
– check that EP is in code
– check that the EP section is executable
– check data directories RVAs
– check whether the API IsDebuggerPresent is imported

Don’t be too serious about it, it’s just a thing I did for fun.
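As an added illustration, not the script itself (which is written in CFF Explorer’s scripting language), here is a Python re-implementation of the header-level checks from the list above: entry point inside the image, inside a section and inside an executable section, NumberOfRvaAndSizes, and data directory RVAs. It runs on a constructed minimal PE32+ header built inline; the CRC32/checksum and IsDebuggerPresent import checks are left out.

```python
import struct

# Section flags from the PE spec (winnt.h values).
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000
TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = 0x00000040 | IMAGE_SCN_MEM_READ  # initialized data, readable

def build_pe_headers(entry, text_flags=TEXT_FLAGS, import_rva=0x2000, ndirs=16):
    """Constructed sample: minimal PE32+ headers with .text/.rdata section headers (not loadable)."""
    image_size = 0x3000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x200, 0x200, 0, entry, 0x1000, 0x140000000)
    opt += struct.pack("<IIHHHHHHIIIIHHQQQQII", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, image_size,
                       0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, ndirs)
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 0x50)                                # import directory entry
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec = lambda name, va, raw, f: struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, raw, 0, 0, 0, 0, f)
    hdr = dos + coff + opt + sec(b".text", 0x1000, 0x400, text_flags) + sec(b".rdata", 0x2000, 0x600, DATA_FLAGS)
    return hdr.ljust(0x200, b"\0")                               # SizeOfHeaders = 0x200

def validate_pe(data):
    """Header-level subset of the checks listed above; returns the problems found."""
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    pe = u32(0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        return ["not a PE file"]
    problems, opt = [], pe + 24
    dir_off = 112 if u16(opt) == 0x20B else 96                  # PE32+ vs PE32 layout
    entry, image_size, ndirs = u32(opt + 16), u32(opt + 56), u32(opt + dir_off - 4)
    if ndirs > 16:
        problems.append("NumberOfRvaAndSizes %d > 16" % ndirs)
    first = opt + u16(pe + 20)                                  # section table follows the optional header
    secs = [(u32(s + 12), u32(s + 8), u32(s + 36)) for s in range(first, first + 40 * u16(pe + 6), 40)]
    if entry >= image_size:
        problems.append("entry point 0x%x outside image" % entry)
    else:
        home = [f for va, vs, f in secs if va <= entry < va + vs]
        if not home:
            problems.append("entry point 0x%x not in any section" % entry)
        elif not home[0] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            problems.append("entry point section is not executable")
    for i in range(min(ndirs, 16)):
        rva, size = u32(opt + dir_off + 8 * i), u32(opt + dir_off + 8 * i + 4)
        if rva and rva + size > image_size:
            problems.append("data directory %d outside image" % i)
    return problems
```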

Explorer Suite III (CFF Explorer VII)

Thursday, January 17th, 2008

Scripting documentation:

http://ntcore.com/Files/cffscriptv1.htm

News:

- Fixed a lot of bugs
- Fixed a minor bug in the MetaData tables
- Fixed minor resizing bug on Vista
- General improvements
- Significantly improved the interface
- Improved Resource Editor
- Improved Rebuilder (added checksum update and strip debug directory)
- Improved Data Directories viewer
- Improved Hex Editor
- Improved Sections Dialog (added section’s hex view)
- Improved MetaData Tables
- Extended the SDK
- Added a very powerful scripting language
- Added documentation for the scripting language
- Added security features for the scripting language
- Added support for generic files
- Added Name Unmangler
- Added Debug Directory
- Added Dependency Walker
- Added Quick Disassembler (x86, x64)

Hope you like it.

After months of work I finally have a release.

Surprising

Saturday, January 5th, 2008

Today alone I had 4000 unique visitors on NTCore!

It all began yesterday evening when I reached 3062 visitors. I really couldn’t believe my eyes when I saw the number on my visitor counter. What happened? Going through the referrals, I noticed that I had been linked by several major sites. One of them was del.icio.us.

In one and a half days I reached 7000 unique visitors.

Why? Because of Vista4Experts, which, after not even a week since its release, has been linked everywhere on the net. Really a big hit. If you type it into Google, you’ll find more than 30,000 results. And, I repeat, that’s not even a week after I uploaded this software to NTCore.

Webpages and blogs from all over the world are talking about it.

PC World asked me if they could host the program as well, because they are covering it in an article about Windows Vista.

All this tells me that I was right in my criticism of Vista, and a lot of people, even non-experts, feel like me.

Vista4Experts

Friday, December 21st, 2007

Three days ago I got sick (not unusual for me) and had to stay in bed. Unfortunately, I easily get bored just staying in bed. Ok, I watch some movies, I read, but then I feel the urge to do something. On the other hand, I wasn’t in the mood for working on the CFF Explorer or finishing my new article. So, I decided to work on something more relaxing (even though it turned out to be more stressful than I thought).

The result of these three days is Vista4Experts, which is, in my opinion, kind of a treat for people like us (meaning experts), who don’t want security center notifications, User Account Control dialogs, automatic Windows Defender scans, automatic update installations (which cause your system to reboot if you don’t react quickly enough). People who want MSDN (or Google) set as the default search engine in the Internet Explorer search bar, who want the start menu power button to shut down the system instead of hibernating it, etc. These and many more fixes are included in Vista4Experts. All of these changes can be discarded, enabled or reversed. Vista4Experts is the first expert utility of its kind and works on every platform.

I realize, of course, that many fixes in Vista4Experts lower Windows Vista’s default security, but that’s the difference between users who feel confident enough to decide what’s best for their system and users who don’t. Many of Windows Vista’s security features are extremely annoying to many developers and other IT experts.

I even think it’s bad that Microsoft didn’t provide a permanent way to disable the driver signature verification, making it possible only for signed drivers to run on x64 (that is, if the user isn’t in the mood to press F8 on every boot). One way of replying to my criticism is to say that many hardware manufacturers would force the user to disable the driver verification in order to use their drivers, but that’s nonsense! No serious manufacturer would do that. This is my system and I want to run any driver that I want to! I’m pretty sure I won’t involuntarily execute a rootkit, don’t worry about me Microsoft…

Let’s take TrueCrypt, for example. It’s top quality free software and, of course, works through a file system driver. Why should the author/company pay $500 (or less) for a 1-year certificate to sign their driver? Ok, it’s not a problem for TrueCrypt, since this product was famous a long time before Vista came along. Its community surely will cover all the expenses, I suppose. But what about a new project which may start now? Should the developer invest $500 for something which might not even cover his expenses? Oh, sure, $500 isn’t that much, and he can pay this amount without selling his computer, but the questions are: is it right? Will he?
And myself, the user, why shouldn’t I be able to run his driver if I absolutely want to? That, of course, without being bothered by the terrible F8 or by installing a test certificate?

We keep going in the direction where the user has less and less control over his own system. It’s unfair and disappointing.