Improved CFF Explorer

CFF Explorer is another invaluable tool for .NET reversers. Unfortunately it is closed-source and is not actively maintained anymore.

One of the most annoying problems is that it cannot correctly process .NET metadata in some assemblies protected by ConfuserEx (and few other protectors).

As you can see, Module data make no sense and Methods also look weird.

Cause of the problem

The problem is caused by obscure and undocumented field in Metadata Table Stream. DNLib is one of the very few tools/libraries that properly supports it:

/// <summary>
/// MDStream flags
/// </summary>
[Flags]
public enum MDStreamFlags : byte {
	/// <summary>#Strings stream is big and requires 4 byte offsets</summary>
	BigStrings = 1,
	/// <summary>#GUID stream is big and requires 4 byte offsets</summary>
	BigGUID = 2,
	/// <summary>#Blob stream is big and requires 4 byte offsets</summary>
	BigBlob = 4,
	/// <summary/>
	Padding = 8,
	/// <summary/>
	DeltaOnly = 0x20,
	/// <summary>Extra data follows the row counts</summary>
	ExtraData = 0x40,
	/// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>
	HasDelete = 0x80,
}

...

/// <summary>
/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit
/// </summary>
public bool HasExtraData {
	get { return (flags & MDStreamFlags.ExtraData) != 0; }
}

...

ulong valid = validMask;
var sizes = new uint[64];
for (int i = 0; i < 64; valid >>= 1, i++) {
	uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();
	if (i >= maxPresentTables)
		rows = 0;
	sizes[i] = rows;
	if (i < mdTables.Length)
		mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);
}

if (HasExtraData)
	extraData = imageStream.ReadUInt32();

/// <summary>

/// MDStream flags

/// </summary>

[Flags]

public enum MDStreamFlags : byte {

/// <summary>#Strings stream is big and requires 4 byte offsets</summary>

BigStrings = 1,

/// <summary>#GUID stream is big and requires 4 byte offsets</summary>

BigGUID = 2,

/// <summary>#Blob stream is big and requires 4 byte offsets</summary>

BigBlob = 4,

/// <summary/>

Padding = 8,

/// <summary/>

DeltaOnly = 0x20,

/// <summary>Extra data follows the row counts</summary>

ExtraData = 0x40,

/// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>

HasDelete = 0x80,

}

...

/// <summary>

/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit

/// </summary>

public bool HasExtraData {

get { return (flags & MDStreamFlags.ExtraData) != 0; }

}

...

ulong valid = validMask;

var sizes = new uint[64];

for (int i = 0; i < 64; valid >>= 1, i++) {

uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();

if (i >= maxPresentTables)

rows = 0;

sizes[i] = rows;

if (i < mdTables.Length)

mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);

}

if (HasExtraData)

extraData = imageStream.ReadUInt32();

This extraData field is causing us troubles.. Oh, well, it's time to fix it! smile

Solution

Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks flag value and skips over extraData field, if necessary. If you're interested how exactly it was done, check address 004689CC and added code at 00589800.

Much better, isn't it?

Download link for patched EXE: Please get latest version from this post

Life In Hex

Breaking the world, one application at a time

Improved CFF Explorer

Cause of the problem

Solution

Leave a Reply Cancel reply