Explorer Suite I
Ntoskrnl
July 12th, 2006, 18:44
I didn't even have the time to post yesterday. I'm very busy in this period, and so I've got to release immediately my Explorer Suite (which includes the new version of my CFF Explorer). You can download the suite from here:
http://ntcore.com/Files/Explorer_Suite_Setup.zip
Gotta go, bye.
maluc
July 19th, 2006, 16:01
Nacho_dj
July 20th, 2006, 05:24
Hello Ntoskrnl:
I want to tell you how much I admire your nice and, for sure, hard work. Excellent!
I only wish to communicate an apparent bug in your tool, in Resource Viewer.
When trying to view pictures of icons of a certain target, I have noticed it only shows the first icon of two existing ones.
You could download the target (2.2 Mb) from:
hxxp://rapidshare.de/files/26387059/target.rar.html
Congratulations for your powerful tool!
Cheers
Nacho_dj
Ntoskrnl
July 20th, 2006, 06:03
Thanks Nacho_dj. I see what you mean, it's pretty unusual to find double icons, but in this target it's the case. I will add this missing support as soon as I can. Thank you very much for showing the problem to me.
Ntoskrnl
August 23rd, 2006, 19:40
I had a little bit of time and so I fixed some bugs. Thanks to Nacho_dj for bringing up the problem of the Resource Viewer.
If you want to download the updated version:
http://ntcore.com/Files/Explorer_Suite_Setup.zip
Ciao
Silkut
August 24th, 2006, 03:52
Excellent work, congrats !
Nacho_dj
August 24th, 2006, 03:58
I'm ready to use it, so.
Thanks for all your nice and handy work.
Cheers
Nacho_dj
Orthodox
August 24th, 2006, 07:41
Great tool. Using it often.

Ntoskrnl
August 24th, 2006, 11:11
Thanks guys, it's always nice to know that somebody appreciates your own work.
Silver
August 31st, 2006, 11:00
I only just started using your tool, although I usually stick to my usual chosen tools rather than try lots of new apps I actually like it a lot and will start using it. Nice work.
One comment - in some of the options (CFF Explorer) such as NT Header/Optional Header, you've filled out the "Meaning" column. It would be a nice touch if you could increase the use of this column. For example, the section headers characteristics could have a meaning column using mnemonics, eg: "E" for executable, "W" for writable etc. Mostly because I'm lazy and don't want to engage my brain to figure out what flags each section has
One side question, some of the columns are highlighted in red. I couldn't see an immediate pattern to this other than them being ones you might look at more often. Is there a reason?
Ntoskrnl
August 31st, 2006, 11:12
Putting a meaning column into the section header might be a good idea, but you can click on the menu Change Section Characteristics to see which flags are checked.
Usually if you click on the red with the mouse a box will appear to change flags (the only exception is the section header).
I hope I wasn't too confusing in my explanation.
Here is a little screenshot:
http://ntoskrnl.pmode.net/flags.jpg
Silver
September 1st, 2006, 06:11
Ah, whoops, let's quietly ignore the fact I didn't bother trying to right-click rather than directly edit the field
Thanks!
deroko
September 17th, 2006, 05:53
tnx for this great tool

Ntoskrnl
September 21st, 2006, 15:14
Thanks =)
I fixed some bugs:
- Fixed Hex Editor font bug
- Fixed Delete Section bug
- Fixed x64/Itanium Grid Control bug
Some days ago, I received a mail from a guy who made me aware of a problem the CFF Explorer has on non-European systems. Seems that sometimes the font "courier" isn't available (in any language), so the system picks the next fixed-width font it finds. In that case there were some viewing problems, especially when the font was larger than the one I planned to use. Now the hex editor does support every font. Also, fixed a bug of the grid control which didn't select in the correct way on 64bit systems.
To update just uninstall the previous version and install the new one.
Download link: http://ntcore.com/exsuite.php
If there is any problem, please make me aware of it. Thanks.
Av0id
September 29th, 2006, 13:20
Ntoskrnl, nice work and good tool, but I have problems with the latest version (on the previous version I haven't any problems): rebuilder doesn't work correctly, it crashed any file (for example I want to delete an unnecessary section from an armadillo dumped file), I do it in this way:
- go to sections
- delete sections from .text1 to .pdata with option 'delete section header and data'
- then in same menu i selected 'rebuild image size'
- and then 'rebuild pe header'
- bah! file crashed and can't be executed
and also in the previous version I noticed that after such manipulation the headers of the last sections which were deleted aren't cleared, I must fill the space outside the last header section manually with nulls
ps. why i must download those bunch of .msi files? why don't make three links on main page? and why you using .msi distribution for such small program?
Ntoskrnl
September 29th, 2006, 13:44
one thing at a time =)
what crashes? the cff?
In the last time I just improved the RvaToOffset (one month ago) to make it work with some packers which messed with section fields, I didn't touch the rebuilder. I don't know about armadillo packed files, but on normal files it works perfectly well...
I have to ask you to be more specific about what happens.
Av0id
September 29th, 2006, 23:47
no, cff doesn't crash, cff is crashing the file, try to do this on the file provided below (for now it works ok):
- delete sections from '.text1' to '.pdata' with option 'delete section header and data'
- then in same menu select 'rebuild image size'
- then in same menu select 'rebuild pe header'
- then save
- and now dumped_.dll file crashes (you can see it in dll_loader inside archive)
ps. also take a look at the section headers in your favourite hex-editor after such manipulation (how many '.mackt' sections do you see?)
hxxp://avoidik.ueuo.com/bug_test.rar (1,3mb)
Ntoskrnl
September 30th, 2006, 07:04
Well, the bug isn't new. Also, it's little and doesn't compromise the execution. I simply forgot, in case the section you delete isn't the last one, to delete the last section after shifting all the other ones. I tried out the exe, it doesn't do anything, but also it doesn't crash after deleting the sections you said. Anyway, I fixed the annoying bug you told me:
http://ntoskrnl.pmode.net/update.zip
You can try out this update, if it works I will update the official version. But nothing changed in the section removal, so it can't work in a different way with older versions of the cff.
Thank you.
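The header-table fix described in the post above (shift the later section headers down, then clear the slot the last one used to occupy), as an added example that is not part of the thread and is not CFF Explorer's code. The image is constructed in memory, only the section names echo the thread, and the helper names are hypothetical; it covers the section header table only, not section data, image size or the rest of a PE header rebuild.

```python
import struct

HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def section_table(buf):
    """Return (offset of NumberOfSections, section count, table offset)."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count_off = e_lfanew + 6  # IMAGE_FILE_HEADER.NumberOfSections
    count = struct.unpack_from("<H", buf, count_off)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    return count_off, count, e_lfanew + 24 + opt_size

def slot_names(buf, slots):
    """Names in the first `slots` header slots, whether counted or stale."""
    table = section_table(buf)[2]
    return [bytes(buf[table + i * HDR:table + i * HDR + 8]).rstrip(b"\0").decode("ascii")
            for i in range(slots)]

def delete_section_header(buf, index, clear_last=True):
    """Remove header `index`; clear_last=False reproduces the stale-slot bug."""
    count_off, count, table = section_table(buf)
    if not 0 <= index < count:
        raise IndexError("no such section")
    start, end = table + index * HDR, table + count * HDR
    buf[start:end - HDR] = buf[start + HDR:end]   # shift later headers down one slot
    if clear_last:
        buf[end - HDR:end] = bytes(HDR)           # wipe the now-duplicated last slot
    struct.pack_into("<H", buf, count_off, count - 1)

def build_sample(names, opt_size=0xE0, e_lfanew=0x80):
    """Constructed minimal image: DOS stub, PE signature, headers, section table."""
    table = e_lfanew + 24 + opt_size
    buf = bytearray(table + HDR * len(names))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 6, len(names))
    struct.pack_into("<H", buf, e_lfanew + 20, opt_size)
    for i, name in enumerate(names):
        raw = name.encode("ascii")[:8]
        buf[table + i * HDR:table + i * HDR + len(raw)] = raw
    return buf

if __name__ == "__main__":
    names = [".text", ".text1", ".pdata", ".mackt"]  # constructed sample
    for clear in (False, True):
        img = build_sample(names)
        delete_section_header(img, 1, clear_last=clear)
        print(clear, section_table(img)[1], slot_names(img, len(names)))
```

With `clear_last=False` the section count drops but the old last header is still present in the slot past the table, which is what shows up as a repeated section name in a hex editor.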
Av0id
October 2nd, 2006, 13:41
nope, it doesn't work, after rebuilding, loadlibrary indicates that the dll file has an invalid format, it seems something is wrong with the pe-header and cff-explorer can't figure it out