Preparing a bugfix version of CFF Explorer

It has been many years since the last update of what started as a hobby side-project when I was 19. I’m sorry that I haven’t updated the CFF for such a long time, given that thousands of people use it every day. A few months ago I stopped working for Hex-Rays to fully dedicate myself to my own company, and so I have decided that I now have the time and (barely) the energy to finally update the CFF.

Over the years I’ve received several bugfix requests, but couldn’t oblige because of the lack of time. If you want a particular fix to go into the upcoming release, please leave a comment under this blog post or drop me an email at ntcore@gmail.com (feel free to repeat the request, as it might have been lost over the years).

Please don’t include radical changes or improvements; we’ll leave that for later, maybe. If your company needs professional PE inspection (not editing), I’d advise you to check out my current commercial product at cerbero.com/profiler, which doesn’t cover ‘just’ the Portable Executable format.

UPDATE: Uploaded new version with the following improvements:

– Dropped Itanium version
– Added ENCLog and ENCMap .NET tables
– Modify resources of system files (MUI limitation)
– Fixed resource loop bug
– Fixed MDTables string overflow bug
– Fixed command line scripting bug
– Fixed ‘Select All’ bug in hex editor
– Fixed missing offset check in .NET tables
– Fixed missing reloc size check
– Fixed scripting handles bug
– Use FTs when OFTs are invalid
– Updated UPX

You can continue to leave comments or send me emails. As soon as there are enough new bug reports, I’ll upload a new version. In time, maybe, some small improvements could be included apart from bug fixes.


36 Responses to Preparing a bugfix version of CFF Explorer

  1. kao says:

    It would be nice to fix issues with .NET executable parsing:
    * ENCLog and ENCMap tables are not supported;
    * overly long strings (eg. 10000+ chars field name?) will crash CFF;
    * better support for modifying .NET resources (edit/remove/replace);

  2. zproxy says:

    That’s great news! Looking forward to a newer version. Shall there be any new features?

  3. Ange says:

    That’s awesome – when do you plan to release it? I’m presenting next week on PE.
    Are you up-to-date with corkami’s PoCs?

  4. Kao: Ok, thanks for the reminder. I will be able to include the first two points.

    zproxy: Well, maybe in time. Right now it will be just about bug fixes. :)

    Ange: thanks. Well, difficult to tell what bugs are present. I have tested the Profiler on your files (usually) but not the CFF. The resource loop bug is fixed, and I remember about the invalid OFTs thing, but apart from that I don’t know which bugs are present. I think I could ship a release over the weekend.

  5. Ange says:

    that’s a short notice!
    I’ll upload an ‘official’ package later, you can have a look if you want to make it robust.

  6. SubV says:

    Daniel, please add one little feature to CFF Explorer: ability to add new relocation.

    Thank you for your hard work.

  7. SubV: thanks for your comment. Maybe in the near future I’ll add such a feature. It’s a bit early now for real improvements, but thanks for mentioning it. It might be useful!

    Kao: I haven’t tried the new tables, hopefully they work out of the box. :)

  8. kao says:

    Thank you, ENCLog and ENCMap tables work correctly.

    There’s one more major bug remaining – you’re not checking string offsets for validity. So, if string offset (for example – MethodDef.Name) is insanely large, CFF will blow up. Example file: http://www.mediafire.com/?i7anq1vzym1lboy

  9. Thank you, kao. Will prepare a new build this week, maybe some more fix requests will be sent. Let’s wait a few days.

  10. Predator says:

    Yesss, great Daniele!!! I can’t wait for you to publish it!

  11. Just released today a new build with two new bug fixes: a fix for the bug reported by kao (thanks) and another fix for the bug affecting the relocs bounds. However, there are still bugs lurking; the only way to completely remove pointer-related bugs is not to use pointers, just like the Profiler does.

    Predator: thanks. :) It’s already online, and today I also uploaded a new build with two further bug fixes.

  12. istigatore says:

    Congratulations Daniele, really an excellent tool..!!!!!!
    P.S.: I noticed it can’t unpack old versions of UPX….

  13. ABC says:

    The GenericParamConstraint table is always hidden.

  14. ABC says:

    Sorry, can’t edit.

    The GenericParam.Owner “meaning” column is always empty.

  15. ABC says:

    There’s also a ParamPtr bug. Element size depends on the size of the Param table. I have a file that has 38126 Param rows, and latest CFF Explorer thinks each ParamPtr row is 4 bytes instead of 2 bytes.
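    The two parser defects raised in the thread (kao’s unchecked string offsets in comment 8, ABC’s ParamPtr index width in comment 15) boil down to two rules from ECMA-335: a simple table index is 2 bytes when the target table has fewer than 2^16 rows and 4 bytes otherwise, and a #Strings offset must be bounds-checked before the null-terminated string is read. The following Python is an added illustration, not CFF Explorer’s code; the heap bytes and table blob are constructed samples, and `index_size` is written for any simple index, not only ParamPtr.

```python
import struct


def index_size(row_count):
    """ECMA-335 II.24.2.6: a simple index into a table is 2 bytes when
    that table has fewer than 2^16 rows, otherwise 4 bytes."""
    return 2 if row_count < (1 << 16) else 4


def paramptr_row_size(param_rows):
    # ParamPtr has a single column: an index into the Param table,
    # so its row size is the Param index size (38126 rows -> 2 bytes).
    return index_size(param_rows)


def read_string(strings_heap, offset):
    """Bounds-checked read of a null-terminated UTF-8 string from #Strings.
    Returns None instead of reading past the heap when the offset is
    out of range or the string is unterminated (the MethodDef.Name case)."""
    if offset < 0 or offset >= len(strings_heap):
        return None
    end = strings_heap.find(b"\x00", offset)
    if end == -1:  # string runs off the end of the heap
        return None
    return strings_heap[offset:end].decode("utf-8", errors="replace")


def read_paramptr_table(blob, param_rows, paramptr_rows):
    """Parse ParamPtr rows using the index width derived from the Param
    row count; refuses a blob too short for the declared row count."""
    width = paramptr_row_size(param_rows)
    fmt = "<H" if width == 2 else "<I"
    if len(blob) < width * paramptr_rows:
        raise ValueError("ParamPtr table truncated")
    return [struct.unpack_from(fmt, blob, i * width)[0]
            for i in range(paramptr_rows)]


# Constructed sample data (not from any real assembly).
SAMPLE_STRINGS = b"\x00Main\x00.ctor\x00"
SAMPLE_PARAMPTR = b"\x01\x00\x02\x00\x03\x00"  # three 2-byte rows
```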

  16. Hey ABC, would you be so kind as to upload me some samples to demonstrate the issues? Thanks! I will build a new release to fix these bugs soon.

  17. istigatore: probably the new upx.exe doesn’t support them. It’s enough to download a less recent version of upx and replace it in the directory. Maybe in the future I’ll let the user choose which version of upx to use. Thanks. :)

  18. Predator says:

    Whoa, very good! I managed to fix a crackme with a corrupted metadata table, which wasn’t possible with the previous version! Great, great =)

  19. gandela says:

    hi,

    I’ve just seen the GUI of “the profiler”, and immediately two questions arose:

    1) what are you using for managing tabbed panes? In particular, how do you get the close buttons?
    2) How do you embed Python scripting in your application? Are Qt APIs exposed to Python scripts?

    I’d be really happy to know that. :)

    Now, let me check out that explorer thing… ;)

  20. Predator: thanks! :) A new version is already up, added last night.

    gandela: hello :)

    1) the docking library I wrote myself. The close button on tabs can be enabled: http://qt-project.org/doc/qt-4.8/qtabbar.html#tabsClosable-prop
    2) it’s sufficient to install PySide. I haven’t exposed the Qt APIs myself.

    Hope this helps.

  21. gandela says:

    Thank you!

    With 1), the problem is to enable it when using the Qt docking library, which creates/destroys tabbars for you, as needed.

    You wrote a full docking library yourself? Respect.
    What are its advantages over the Qt one? Because somehow docking looks much more awesome on your screenshots than it does on my Qt project…^^

    And you can expose your own classes/functions to Python code with PySide?
    I am maintaining a larger Qt-based application that exports lots of plugin functions already, and popular demand is that we add Python scripting to the application.
    Could we have script-side callbacks, too?

    Thanks for your time and, huh, sorry for abusing the commenting feature to throw questions at you! ;)

  22. Hey gandela, no problem. :)

    Yes, I don’t use it because of the many limitations it has. I wrote it myself, yes; it took about a month. Apart from allowing every kind of customization, a big limitation of the docking in Qt is that it is limited to the sides (you must have a central widget).

    You can expose your Qt classes with PySide yes, but I have not used it yet. I use SWIG for non-Qt things because I don’t want to be bound to Python only.

  23. Name says:

    Hi Daniel,

    I’m surprised not to find the content of the “Delay Import Directory”, not even in the “Import Directory” tree.
    Am I making a mistake? Or does it really not exist?
    You can see it in “depends” or “PE Studio 4.50” or “PE explorer”…

    Best regards.

  24. Hey, yes, it’s true: it’s a missing feature in the CFF. It’s present in the Profiler though. I will add it sooner or later; I have just begun updating the CFF again after 3 years of not opening the project, and since it’s a free tool without ads or anything, I can only work on it in my free time. :)
    Kind regards
    Daniel

  25. tonino says:

    Hi Daniele, could you add the ability to use the PgUp and PgDown keys in the hex editor?

    Thanks!

  26. Hi tonino,
    I’ll try in the next version! Thanks for the suggestion.
    Daniel

  27. robertcollier4 says:

    Can you make CFF Explorer portable? I.e. in a simple ZIP not requiring install, and settings written to a local INI file instead of the registry.

  28. I’ll add this to the TODO list, along with the other suggestions. Right now there’s already a single Zip file; what’s missing is only the INI settings instead of the registry.

  29. Stefan Achatz says:

    Hi, your tool is my first choice when I have to look into PE file resources. I recently found out the Explorer has a 40MB limitation. Is that intentional? Could this be lifted, and is the commercial version limited the same way? I found no info on that on the website.
    Thanks
    Stefan

  30. Hello Stefan,
    please note that the 40MB limitation can be changed from the settings; it’s a ‘security’ limitation in order to avoid loading files that are too large into memory.
    Hope this helps
    Daniel

  31. PSXGamerPro1 says:

    Can you update the UPX version to 3.9 or whatever is the latest?

  32. Edi Liu says:

    Dear Daniel,
    Your CFF Explorer is a very great tool for us as developers/reversers. I hope you still update this tool with up-to-date features. Two thumbs up for your great work.

    regards
    Edi Liu

  33. Chromium says:

    Hello,

    “UPDATE: Uploaded new version with the following improvements:”

    but where can I find this version? I downloaded it from the main page, but it is still the old 2012 version.

  34. Charles says:

    Probably too late on this, but I noticed an issue with CFF Explorer’s scripting today, so I figured I might as well report it (for reference, this is CFF Explorer 8.0.0.0):

    Due to the 0-based array modifications made to CFF’s Lua implementation, the built-in type function is currently reporting incorrect types for the supplied values. I’ve reproduced this issue in the following script:

    -- Create a log of type evaluations.
    --
    -- Reference table (not used by the script itself): key = the real Lua type,
    -- value = the name CFF's type() reports for it, shifted by one LUA_T* value.
    local typeFixes = {
        ['nil'] = 'boolean',      -- LUA_TNIL => LUA_TBOOLEAN
        ['boolean'] = 'userdata', -- LUA_TBOOLEAN => LUA_TLIGHTUSERDATA
        ['userdata'] = 'number',  -- LUA_TLIGHTUSERDATA => LUA_TNUMBER
        ['number'] = 'string',    -- LUA_TNUMBER => LUA_TSTRING
        ['string'] = 'table',     -- LUA_TSTRING => LUA_TTABLE
        ['table'] = 'function',   -- LUA_TTABLE => LUA_TFUNCTION
        ['function'] = 'userdata' -- LUA_TFUNCTION => LUA_TUSERDATA
        -- ['userdata'] = 'thread' -- LUA_TUSERDATA => LUA_TTHREAD
    }

    -- CreateLog/LogPrint/CloseLog are CFF Explorer's own scripting API.
    local hLog = CreateLog('IncorrectTypes.log')

    -- Write what type() returns for a value next to the source expression.
    function LogType(value, code)
        LogPrint(hLog, string.format('type(%s) => "%s"\n', code, type(value)))
    end

    LogType(nil, 'nil')
    LogType(true, 'true')
    LogType(5, '5')
    LogType('foobar', '"foobar"')
    LogType({}, '{}')
    LogType(function() end, 'function() end')

    CloseLog(hLog)

    That aside, I made a dump of the globals in CFF’s Lua for my own reference, so I thought I’d share it in hopes that it might be helpful to someone else: CFF-Explorer-Globals.lua

    Thanks for the awesome tool.

  35. Thank you for reporting the bug! :) If I ever do a bugfix for CFF I’ll make sure to include the fix for the bug you reported. Thanks again for the detailed report.

  36. user says:

    CFF bugs in processing managed resources: http://lifeinhex.com/cff-bugs-in-processing-managed-resources/

    P.S. The download link can be found in http://ntcore.com/exsuite.php (hint: look for the lines starting with SHA1:)
