Preparing a bugfix version of CFF Explorer

It has been many years since the last update of what had started as a hobby side-project when I was 19. I’m sorry that I haven’t updated the CFF for such a long time, given that thousands of people use it every day. A few months ago I stopped working for Hex-Rays to fully dedicate myself to my own company and thus I have decided that I have now the time and the energy (barely) to finally update the CFF.

Over the years I’ve received several bugfix requests, but couldn’t oblige because of the lack of time. If you’re interested that a particular fix goes into the upcoming release, please leave a comment under this blog post or drop me an email to ntcore@gmail.com (feel free to repeat the request, as it might have been lost during the years).

Please don’t include radical changes or improvements, we’ll leave that for later maybe. If your company needs professional PE inspection (not editing), I’d advice you to check out my current commercial product at cerbero.io/profiler, which doesn’t cover ‘just’ the Portable Executable format.

UPDATE: Uploaded new version with the following improvements:

– Dropped Itanium version
– Added ENCLog and ENCMap .NET tables
– Modify resources of system files (MUI limitation)
– Fixed resource loop bug
– Fixed MDTables string overflow bug
– Fixed command line scripting bug
– Fixed ‘Select All’ bug in hex editor
– Fixed missing offset check in .NET tables
– Fixed missing reloc size check
– Fixed scripting handles bug
– Use FTs when OFTs are invalid
– Updated UPX

You can continue to leave comments or send me emails. As soon as there are enough new bug reports, I’ll upload a new version. In time, maybe, some small improvements could be included apart from bug fixes.

37 thoughts on “Preparing a bugfix version of CFF Explorer”

  1. It would be nice to fix issues with .NET executable parsing:
    * ENCLog and ENCMap tables are not supported;
    * overly long strings (eg. 10000+ chars field name?) will crash CFF;
    * better support for modifying .NET resources (edit/remove/replace);

  2. Kao: Ok, thanks for the reminder. I will be able to include the first two points.

    zproxy: Well, maybe in time. Right now it will be just about bug fixes. πŸ™‚

    Ange: thanks. Well, difficult to tell what bugs are present. I have tested the Profiler on your files (usually) but not the CFF. The resource loop bug is fixed, and I remember about the invalid OFTs thing, but apart from that I don’t know which bugs are present. I think I could ship a release over the weekend.

  3. Daniel, please add one little feature to CFF Explorer: ability to add new relocation.

    Thank you for your hard work.

  4. SubV: thanks for your comment. Maybe in the near future I’ll add such a feature. It’s a bit early now for real improvements, but thanks for mentioning it. It might be useful!

    Kao: I haven’t tried the new tables, hopefully they work out of the box. πŸ™‚

  5. Just released today a new build with two new bug fixes. A fix for the bug reported by kao (thanks) and another fix for the bug affecting the relocs bounds. However, there are still bugs lurking, the only way to completely remove pointer related bugs is not to use pointers just like the Profiler does.

    Predator: grazie. πŸ™‚ E’ giΓ  online e oggi ho uppato anche una nuova build con due ulteriori bug fix.

  6. Complimenti daniele, davvero un ottimo tool..!!!!!!
    P.S: ho visto che non riesce nell’unpacking delle vecchie versioni del UPX….

  7. There’s also a ParamPtr bug. Element size depends on the size of the Param table. I have a file that has 38126 Param rows, and latest CFF Explorer thinks each ParamPtr row is 4 bytes instead of 2 bytes.

  8. istigatore: probabilmente il nuovo upx.exe non le supporta. E’ sufficiente scaricarsi una versione meno recente di upx e sostituirla nella directory. Magari in futuro darΓ² modo all’utente di scegliere quale versione di upx usare. Grazie. πŸ™‚

  9. huuu molto bene! sono riuscito a sistemare un crackme con la metadata table rovinata, con la versione precedente non era possibile! Grande grande =)

  10. hi,

    I`ve just seen the GUI of “the profiler”, and immediately, two questions arose:

    1) what are you using for managing tabbed panes? In particular, how do you get the close buttons?
    2) How do you embedd Python scripting in our application? Are Qt APIs exposed to Python scripts?

    I`d be really happy to know that. πŸ™‚

    Now, let me check out that explorer thing… πŸ˜‰

  11. Thank you!

    With 1), the problem is to enable it when using the Qt docking library, which creates/destroys tabbars for you, as needed.

    You wrote a full docking library yourself? Respect.
    What are its advantages over the Qt one? Because somehow docking looks much more awesome on your screenshots than it does on my Qt project…^^

    And you can expose your own classess/function to Python code with PySide?
    I am mintaingnig a larger Qt-based application, that exports lots of plugin functions already, and popular demand is that we add Python scripting to the application.
    Could we have scriptside callbacks, too?

    Thanks for oyur time and, huh, sorry for abusing the commenting feature to throw questions at you! πŸ˜‰

  12. Hey gandela, no problem. πŸ™‚

    Yes I don’t use it because of the many limitations it has. I wrote it myself yes, took about a month. Apart from allowing every kind of customization a big limitation of the docking in Qt is that it is limited to the sides (you must have central widget).

    You can expose your Qt classes with PySide yes, but I have not used it yet. I use SWIG for non-Qt things because I don’t want to be bound to Python only.

  13. Hy Daniel,

    I’m surprised to not find the content of the “Delay Import Directory” even in the “Import Directory” tree.
    I make a mistake ? or it really doesn’t exist ?
    You can see it in “depends” or “PE Studio 4.50” or “PE explorer”…

    Best regards.

  14. Hey, yes it’s true, it’s a missing feature in the CFF. It’s present in the Profiler though. I will add it sooner or later, I have just begun updating the CFF again after 3 years of not opening the project and since it’s a free tool without ads or anything I can’t work on it if not in my free time. πŸ™‚
    Kind regards
    Daniel

  15. Can you make CFF Explorer portable? i.e. in a simple ZIP not requiring install. And settings written to a local INI file instead of registry.

  16. I’ll add this to the TODO list, along with the other suggestions. Right now there’s already a single Zip file, what’s missing is only the INI settings instead of registry.

  17. Hi, your tool is my first choice when I have to look into PE file resources. I recently found out the Explorer has a 40MB limitation. Is that intentionally, could this be lifted and is the commercial version limited the same way? I found no info on that on the website.
    Thanks
    Stefan

    1. Hello Stefan,
      please note that the 40 limitation can be changed from the settings, it’s a ‘security’ limitation in order to avoid loading files too large into memory.
      Hope this helps
      Daniel

  18. Dear Daniel,
    Your CFF Explorer is very great tool for us as a developer/reverser, i hope you still update this tool with an up-to-date features, two thumbs for your great works.

    regards
    Edi Liu

  19. Hello,

    “UPDATE: Uploaded new version with the following improvements:”

    but where to find this version? downloaded from main page, but it is still the old 2012 version

  20. Probably too late on this, but I noticed an issue with CFF Explorer’s scripting issue today, so I figured I might as well report it (For reference, this is CFF Explorer 8.0.0.0):

    Due to the 0-based array modifications made to CFF’s lua implementation, the built-in type function is currently reporting incorrect types for the supplied values. I’ve reproduced this issue in the following script:

    -- Create a log of type evaluations.
    --
    local typeFixes = {
    ['nil'] = 'boolean', -- LUA_TNIL => LUA_TBOOLEAN
    ['boolean'] = 'userdata', -- LUA_TBOOLEAN => LUA_TLIGHTUSERDATA
    ['userdata'] = 'number', -- LUA_TLIGHTUSERDATA => LUA_TNUMBER
    ['number'] = 'string', -- LUA_TNUMBER => LUA_TSTRING
    ['string'] = 'table', -- LUA_TSTRING => LUA_TTABLE
    ['table'] = 'function', -- LUA_TTABLE => LUA_TFUNCTION
    ['function'] = 'userdata' -- LUA_TFUNCTION => LUA_TUSERDATA
    -- ['userdata'] = 'thread' -- LUA_TFUNCTION => LUA_TTHREAD
    }

    local hLog = CreateLog('IncorrectTypes.log')

    function LogType(value, code)
    LogPrint(hLog, string.format('type(%s) => "%s"\n', code, type(value)))
    end

    LogType(nil, 'nil')
    LogType(true, 'true')
    LogType(5, '5')
    LogType('foobar', '"foobar"')
    LogType({}, '{}')
    LogType(function() end, 'function() end')

    CloseLog(hLog)

    That aside, I made a dump of the globals in CF’s lua for my own reference, so I thought I’d share it in hopes that it might be helpful to someone else: CFF-Explorer-Globals.lua

    Thanks for the awesome tool.

  21. A patch for my referred tool? Awful! Can’t wait to see it. I couldn’t have made DxWnd without it. Thank you and … ciao!

Leave a Reply

Your email address will not be published. Required fields are marked *