Goodbye Visual C++

Seems the new CFF Explorer will be compiled with GCC. More than one reason for that. Visual Studio 2008 doesn’t support anymore Windows 98 and NT4 without giving an explanation. The incompatibility is due to a major operating system version inside the Optional Header of the PE and to the fact that the C runtime library makes some unsupported calls. I could of course patch the whole thing and manage to make it run on those operating systems, but why should I? This is not my job. It should be Microsoft’s job to offer an alternative compiling method which provides backward compatibility. What angers me is that Microsoft not only doesn’t care about backward compatibility, they don’t even bother explaining why they had to remove the support for those operating system. The GCC (Mingw) runtime makes it possible to even compile Qt programs for Windows 98 (which is possible with VC++ 2005 too, but it forces me to use an older compiler). And, as I might not be interested so much in Windows 98, I really am interested in providing compatibility with NT4. Or, at least, if it doesn’t offer backward compatibility I want it to be for a better reason than the C runtime. I’m sick and tired of these decisions Microsoft imposes. Just like the XP support which soon will end (actually I haven’t understood if it ends this month or in April 2009). As I understood for OEMs it ends this month. Anyway, I managed to compile the CFF’s kernel with GCC and also fixed lots of errors signalled by that compiler. Another good reason to use GCC is that it’s cross platform, meaning that a port would be much easier. The only drawback of Mingw is that it has a very small (and not up-to-date) Windows SDK, but I’m not interested in that, especially for the CFF Explorer which should become 100% platform independent. At the moment I reached 97% platform independency. My only complaint is directed to the ansi C library. My goodness, you can’t do anything with the IO functions it provides. I’m grateful that they were so kind to provide 64bit support for files: fseek64, ftello64 etc. But there are lots of things missing. For instance, I am unable to truncate a file… In a normal world that would be: FILE *f = fopen(..); ftruncate(f, len);. No, that’s not possible at all in ansi C. That really bothers me, because it forces me to write platform dependent code for my basic programming interface.

EDIT: Seems the new QFile of Qt 4.4 implements the resize method for files and that would do just fine.

DisasMSIL and CFF Explorer

Today I wrote a free/open disasm engine for Microsoft’s Intermediate Language (MSIL).

http://ntcore.com/Files/disasmsil.htm

You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).

I also added the MSIL disasm engine to the CFF Explorer which is now able to disassemble the methods’ code directly from the MetaData tables.

Rebel.NET

Today I’m releasing the Rebel.NET software and its official guide.

Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It’s possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

As I have written the software and the article in this week when during my sickness (fever), I’m expecting bugs and typos. Please report them.

Of course, I’ve tested the Rebel.NET with more advanced .NET assemblies than those presented in the guide.

DynLogger

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a “hidden” function used by an application.

I recycled the code of a bigger project to write this little application. It’s a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.