It has been many years since the last update of what had started as a hobby side-project when I was 19. I’m sorry that I haven’t updated the CFF for such a long time, given that thousands of people use it every day. A few months ago I stopped working for Hex-Rays to fully dedicate myself to my own company and thus I have decided that I have now the time and the energy (barely) to finally update the CFF.
Over the years I’ve received several bugfix requests, but couldn’t oblige because of the lack of time. If you’re interested that a particular fix goes into the upcoming release, please leave a comment under this blog post or drop me an email to firstname.lastname@example.org (feel free to repeat the request, as it might have been lost during the years).
Please don’t include radical changes or improvements, we’ll leave that for later maybe. If your company needs professional PE inspection (not editing), I’d advice you to check out my current commercial product at cerbero.io/profiler, which doesn’t cover ‘just’ the Portable Executable format.
UPDATE: Uploaded new version with the following improvements:
– Dropped Itanium version
– Added ENCLog and ENCMap .NET tables
– Modify resources of system files (MUI limitation)
– Fixed resource loop bug
– Fixed MDTables string overflow bug
– Fixed command line scripting bug
– Fixed ‘Select All’ bug in hex editor
– Fixed missing offset check in .NET tables
– Fixed missing reloc size check
– Fixed scripting handles bug
– Use FTs when OFTs are invalid
– Updated UPX
You can continue to leave comments or send me emails. As soon as there are enough new bug reports, I’ll upload a new version. In time, maybe, some small improvements could be included apart from bug fixes.
Today I’ve received a Secunia report email about a buffer overflow vulnerability in the CFF Explorer. I was quite amused =). I mean, I usually get emails sent me by users about bugs in the CFF, never got an email by Secunia before.
However, it’s always good to get bug reports. The bug itself was related to a string overflow in the resource editor. I put string safe functions quite some time ago in the old kernel of the CFF, but apparently I missed one.
So, since I had already the project open to fix this bug, I also added support for .NET unoptimized metadata streams. Which is the most important new feature in this release.
Fixed some bugs in both applications.
In particular, made some part of the CFF Explorer more robust. The current CFF Explorer still contains the core I wrote when I was 19yo. The newer kernel, which I don’t know if I’ll ever get the time to finish, doesn’t have the same problems. Anyway, this should improve rebuilding, resources importing and displaying of .NET table elements with extremely long names (more than 4096 characters).
Arguments can now be passed through command line just by making them follow the name of the script. E.g.:
“CFF Explorer.exe” “C:\mydir\script.cff” arg1 arg2 “arg 3”
To access the arguments from the scripting part you can use the global variables argv and argc, which are the same thing as in C. Actually, argv would’ve been sufficient as it is a table and its size can be retrieved with “#”, argc is only present for coherence with the C-style.
[cc lang=”lua”]x = 0
while x < argc do
x = x + 1
I also fixed a bug in the add section code and improved the PE rebuilding.
Improved support for tiny PEs.
Fixed a bug in the Exception Directory which was due to the grid set up.
Fixed a minor bug on x64.
Added the Driver List tool.