Improved CFF Explorer
CFF Explorer is another invaluable tool for .NET reversers. Unfortunately it is closed-source and is not actively maintained anymore.
One of the most annoying problems is that it cannot correctly process .NET metadata in some assemblies protected by ConfuserEx (and a few other protectors).
As you can see, Module data make no sense and Methods also look weird.
Cause of the problem
The problem is caused by an obscure and undocumented field in the Metadata Table Stream. DNLib is one of the very few tools/libraries that properly support it:

```csharp
/// <summary>
/// MDStream flags
/// </summary>
[Flags]
public enum MDStreamFlags : byte {
    /// <summary>#Strings stream is big and requires 4 byte offsets</summary>
    BigStrings = 1,
    /// <summary>#GUID stream is big and requires 4 byte offsets</summary>
    BigGUID = 2,
    /// <summary>#Blob stream is big and requires 4 byte offsets</summary>
    BigBlob = 4,
    /// <summary/>
    Padding = 8,
    /// <summary/>
    DeltaOnly = 0x20,
    /// <summary>Extra data follows the row counts</summary>
    ExtraData = 0x40,
    /// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>
    HasDelete = 0x80,
}
...
/// <summary>
/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit
/// </summary>
public bool HasExtraData {
    get { return (flags & MDStreamFlags.ExtraData) != 0; }
}
...
ulong valid = validMask;
var sizes = new uint[64];
for (int i = 0; i < 64; valid >>= 1, i++) {
    uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();
    if (i >= maxPresentTables)
        rows = 0;
    sizes[i] = rows;
    if (i < mdTables.Length)
        mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);
}
if (HasExtraData)
    extraData = imageStream.ReadUInt32();
```
This extraData field is causing us trouble. Oh well, it's time to fix it!
Solution
Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks the flag value and skips over the extraData field, if necessary. If you're interested in how exactly it was done, check address 004689CC and the added code at 00589800.
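To see why one skipped field scrambles every table, here is an added Python sketch (not part of the original post, and not code from CFF Explorer or DNLib) that parses a table stream header and reports where the rows start with and without the ExtraData check. It assumes the standard ECMA-335 header layout (24 fixed bytes, then one uint32 row count per bit set in the valid mask); the function names and the sample bytes are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

EXTRA_DATA = 0x40  # MDStreamFlags.ExtraData from the DNLib excerpt
FIXED_HEADER = struct.Struct("<IBBBBQQ")  # reserved, major, minor, flags, reserved, valid, sorted

class TablesHeader(NamedTuple):
    flags: int
    row_counts: dict            # table index -> row count
    extra_data: Optional[int]   # None when the ExtraData bit is clear
    naive_rows_offset: int      # where a parser ignoring ExtraData starts reading rows
    rows_offset: int            # where the table rows really start

def read_u32(buf: bytes, offset: int) -> int:
    if offset + 4 > len(buf):
        raise ValueError(f"truncated stream at offset {offset}")
    return struct.unpack_from("<I", buf, offset)[0]

def parse_tables_header(stream: bytes) -> TablesHeader:
    if len(stream) < FIXED_HEADER.size:
        raise ValueError("stream shorter than the 24-byte fixed header")
    _, _, _, flags, _, valid, _ = FIXED_HEADER.unpack_from(stream, 0)
    offset, row_counts = FIXED_HEADER.size, {}
    for table in range(64):              # one uint32 row count per bit set in the valid mask
        if (valid >> table) & 1:
            row_counts[table] = read_u32(stream, offset)
            offset += 4
    naive, extra = offset, None
    if flags & EXTRA_DATA:               # the undocumented uint32 after the row counts
        extra = read_u32(stream, offset)
        offset += 4
    return TablesHeader(flags, row_counts, extra, naive, offset)

def build_sample(flags: int) -> bytes:
    """Constructed header: Module=1 row, TypeDef=2 rows, MethodDef=3 rows."""
    valid = (1 << 0) | (1 << 2) | (1 << 6)
    data = FIXED_HEADER.pack(0, 2, 0, flags, 1, valid, 0) + struct.pack("<3I", 1, 2, 3)
    if flags & EXTRA_DATA:
        data += struct.pack("<I", 0x12345678)   # constructed extra-data value
    return data + b"\x00" * 16                  # stand-in for the table rows

if __name__ == "__main__":
    for flags in (0x00, EXTRA_DATA):
        h = parse_tables_header(build_sample(flags))
        print(f"flags={h.flags:#04x} naive={h.naive_rows_offset} actual={h.rows_offset}")
```

When the two offsets differ, a parser without the check reads the Module table, and every table after it, 4 bytes too early.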
Download link for patched EXE: Please get latest version from this post