Improved CFF Explorer

kao

CFF Explorer is another invaluable tool for .NET reversers. Unfortunately, it is closed-source and no longer actively maintained.

One of the most annoying problems is that it cannot correctly process .NET metadata in some assemblies protected by ConfuserEx (and a few other protectors).
CFF shows garbage
As you can see, the Module data makes no sense and the Methods also look weird.

Cause of the problem

The problem is caused by an obscure and undocumented field in the metadata table stream. dnlib is one of the very few tools/libraries that properly support it:

/// <summary>
/// MDStream flags
/// </summary>
[Flags]
public enum MDStreamFlags : byte {
	/// <summary>#Strings stream is big and requires 4 byte offsets</summary>
	BigStrings = 1,
	/// <summary>#GUID stream is big and requires 4 byte offsets</summary>
	BigGUID = 2,
	/// <summary>#Blob stream is big and requires 4 byte offsets</summary>
	BigBlob = 4,
	/// <summary/>
	Padding = 8,
	/// <summary/>
	DeltaOnly = 0x20,
	/// <summary>Extra data follows the row counts</summary>
	ExtraData = 0x40,
	/// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>
	HasDelete = 0x80,
}

...

/// <summary>
/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit
/// </summary>
public bool HasExtraData {
	get { return (flags & MDStreamFlags.ExtraData) != 0; }
}

...

ulong valid = validMask;
var sizes = new uint[64];
// One 32-bit row count follows the header for every table whose bit is set in the valid mask
for (int i = 0; i < 64; valid >>= 1, i++) {
	uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();
	if (i >= maxPresentTables)
		rows = 0;
	sizes[i] = rows;
	if (i < mdTables.Length)
		mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);
}

// The undocumented dword sits between the row counts and the first table row
if (HasExtraData)
	extraData = imageStream.ReadUInt32();

This extraData field is what causes the trouble: a parser that does not know about it starts reading the table rows 4 bytes too early. Oh well, it's time to fix it! 🙂
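To make the layout concrete, here is an added Python parser for the fixed part of the #~ stream header (my own illustration, not code from the post, from CFF Explorer or from dnlib). It honours the ExtraData flag the way dnlib does, and a switch lets it mimic the unpatched CFF Explorer behaviour of ignoring the flag; the sample header is constructed, not taken from a real assembly.

```python
import struct

# MDStreamFlags values as defined in dnlib (see the enum above)
MDSTREAM_EXTRA_DATA = 0x40   # extra dword follows the row counts
TABLE_MODULE, TABLE_TYPEDEF, TABLE_METHODDEF = 0x00, 0x02, 0x06


def parse_tables_header(data, honor_extra_data=True):
    """Parse the fixed part of the #~ (metadata tables) stream header.

    Returns (flags, row_counts, rows_offset): the MDStreamFlags byte, a dict
    table_index -> row count, and the offset where the table rows start.
    honor_extra_data=False mimics the unpatched CFF Explorer, which ignores
    the ExtraData flag and therefore starts reading rows 4 bytes too early.
    """
    # Layout: Reserved u32, MajorVersion u8, MinorVersion u8, HeapSizes/flags u8,
    # Reserved u8, Valid u64 (bitmask of present tables), Sorted u64
    _, _major, _minor, flags, _, valid, _sorted = struct.unpack_from("<IBBBBQQ", data, 0)
    pos = 24
    row_counts = {}
    for i in range(64):
        if (valid >> i) & 1:           # one u32 row count per present table
            (rows,) = struct.unpack_from("<I", data, pos)
            row_counts[i] = rows
            pos += 4
    if honor_extra_data and (flags & MDSTREAM_EXTRA_DATA):
        pos += 4                       # skip the undocumented extraData dword
    return flags, row_counts, pos


def build_sample_header(flags, row_counts):
    """Construct a minimal #~ header (test data, not taken from a real assembly)."""
    valid = 0
    for table in row_counts:
        valid |= 1 << table
    hdr = struct.pack("<IBBBBQQ", 0, 2, 0, flags, 1, valid, 0)
    for table in sorted(row_counts):
        hdr += struct.pack("<I", row_counts[table])
    if flags & MDSTREAM_EXTRA_DATA:
        hdr += struct.pack("<I", 0xCAFEBABE)   # placeholder extra dword
    return hdr


# Constructed header with Module, TypeDef and MethodDef tables and ExtraData set
SAMPLE = build_sample_header(MDSTREAM_EXTRA_DATA,
                             {TABLE_MODULE: 1, TABLE_TYPEDEF: 5, TABLE_METHODDEF: 12})
```

Running parse_tables_header(SAMPLE) gives a rows offset of 40, while the flag-ignoring variant returns 36, which is exactly the 4-byte misalignment that turns CFF Explorer's Module and Methods views into garbage.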

Solution

Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks the flag value and skips over the extraData field, if necessary. If you're interested in how exactly it was done, check address 004689CC and the added code at 00589800.

CFF works fine
Much better, isn't it?

Download link for the patched EXE: please get the latest version from this post

Improved dotNET Tracer

kao

dotNET Tracer is a great tool created by my friend Kurapica. It provides information really useful for analyzing different .NET protections, like which modules are being loaded, which functions are being JIT-compiled, and so on.
DotNET Tracer main window

Unfortunately, it is missing some features and has some small bugs. For example, the DisguiserNET.Sample.GUI unpackme by li0nsar3c00l (another friend of mine!) detects dotNET Tracer and refuses to run:

Disguiser detects dotNET Tracer

Cause of the problem

It's actually quite simple. dotNET Tracer uses the .NET CLR Profiling API to gather the information. To do that, it needs to set several environment variables for the traced process, as you can see in Form_Main.cs:

ProcessStartInfo ProcessSInfo = new ProcessStartInfo(this.toolStripTextBox_FileName.Text, this.toolStripTextBox_args.Text);
ProcessSInfo.EnvironmentVariables.Add("COR_ENABLE_PROFILING", "1");
ProcessSInfo.EnvironmentVariables.Add("COR_PROFILER", "{7A460847-6B67-4C0C-883E-21B233A6DEF8}");
ProcessSInfo.EnvironmentVariables.Add("COMPLUS_ProfAPI_ProfilerCompatibilitySetting", "EnableV2Profiler");

After the profiling DLL (system.dll) is initialized, it resets the first two environment variables, but forgets to reset the third one. Disguiser detects the presence of that variable and crashes. Oops.

Solution

After spending some time on both the tracer and the unpackme, I'm happy to present a fixed version of dotNET Tracer. So far I have improved:

  1. Created a workaround for li0n's anti-profiler trick;
  2. Added logging of "Module load finished" events. This prints the image base of each loaded DLL and thus makes dumping resources from memory easier;
  3. When you close dotNET Tracer, the traced process is killed automatically.

Disguiser running just fine
Now I can spend more time on the unpackme.. 🙂

Download link for binaries: http://www.mediafire.com/?8zfaukefx39i32n
I respect Kurapica's wishes and therefore source code will not be made available.

Hello world!

kao

Hi,
I'm kao, I break stuff.

Decent reverser, average coder.. Not a member of any team, I do what I want whenever I feel like it. Most people consider me a freelancer.

What skills do I have? Well, who needs skills when you have an opinion? And I have an opinion about everything. 🙂 On a more serious note, I've worked with certain private game servers. File format analysis, network protocol analysis, data file unpackers, that kinda stuff. Unpacking executables is another of my favorite disciplines. And, of course, reversing .NET protections.

In this blog I'll be writing about things that interest me - software, reversing, tools and technology in general.

As Linus Torvalds recently said:

I'm just not a huge believer in politeness and sensitivity being preferable over bluntly letting people know your feelings.

If you don't like my way of expression, please f*ck off. Otherwise - welcome to my blog!