Encyclopedia of fire safety

Binary file editor in Russian. Hex Editor

Now there will be a lot of material on the topic of what data consists of and how it can be edited. Many people know that any file on a computer (a picture, text or multimedia) is binary code: zeros and ones. To edit such files you use a HEX editor, an application that edits raw byte data. In the editor, bytes are shown in hexadecimal.

File extension

The problem lies in the huge number of file types, and at first it is not clear how the operating system distinguishes text, multimedia, archives and other types of data. As you know, the system recognises a file by the extension appended after its name, for example “.exe”, “.txt” and others.

The settings in the OS are flexible, which means that the extension of any file can be removed, but then the operating system will not be able to open it: it will not know which program to run it with. The logical structure of the object does not change. The image shows a text file, and next to it the same file without an extension; its icon is blank.

If an object without an extension remains the same file with the same logical contents, then the extension does not determine its type. What does? There is such a thing as a format: it defines the type and is the specification of the data structure. The extension is a completely different term. But what if the user has come across a file without an extension that urgently needs to be opened, and it is unknown what it is?

Descriptors

Roughly speaking, every file consists of two parts. The first is the header, which contains identification data for the object and various metadata; the second is the “body” of the object. The type of the object is determined from a part of the header called the descriptor. Two popular kinds of descriptor are ASCII and HEX. The second kind is analysed with the help of the editors mentioned at the beginning.

The first, ASCII, kind can be identified using a text editor, for example Notepad++; however, bear in mind that some byte sequences cannot be represented as ASCII, which is why HEX editors are recommended. When you open any file in such a utility, the window shows a matrix view of the byte sequence, one byte per cell. Information about the descriptor is usually found in the first 3 cells, rarely in more. Cells are counted horizontally. The data in the cells is shown as hexadecimal code.

Decoding the descriptor

To understand what kind of data is there, you need to decode the code. To do this you need a special service that determines file formats, for example open-file.ru; there are other resources that are easy to find on the Internet. After uploading the file to the site, the data is analysed and the result is displayed: a table appears below with the type, format and description of the file.

What we discussed above is the use of HEX editors. Now let's deal with the ASCII code. It can be analysed with the same open-file.ru. In other words, both kinds of code are checked against the resource, and nothing really needs to be typed in.

Sometimes the format is not so easy to determine. This applies to ASCII headers: the first few characters may correspond to one file extension, or to several formats at once.

Of course, there is still a way to determine the format. Several lines are used for parsing, not just one, and some of the elements found there will point to the object's type one way or another.
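The approach described above, checking the descriptor (magic bytes) at the start of the file and reading further into the header when the first bytes are shared by several formats, as an added example. This is not code from the original article or from any of the editors it names; the signature table holds only well-known, publicly documented values, the samples are constructed byte strings, and the function names are the author's own.

```python
"""Identify a file's format from its leading bytes (its descriptor, or magic
number) rather than from the extension.  Added example, not code from the
original article; the signature table holds only well-known, publicly
documented values, and the sample files below are constructed."""

# Signature table: (offset, magic bytes, format name).  A signature may be
# shared by several formats (ZIP containers are the classic case), so the
# table is ordered from most specific to least specific.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "DOS/Windows executable (MZ/PE)"),
    (0, b"GIF87a", "GIF image"),
    (0, b"GIF89a", "GIF image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (0, b"PK\x03\x04", "ZIP container"),
]

def identify(data: bytes) -> str:
    """Return the format name for `data`, or 'unknown' if no signature matches."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return refine(name, data)
    return "unknown"

def refine(name: str, data: bytes) -> str:
    """Resolve ambiguous signatures by reading further into the header,
    as the article suggests when the first bytes alone are not decisive."""
    if name == "ZIP container":
        # Office Open XML files (.docx/.xlsx/.pptx) are ZIPs that contain a
        # part named "[Content_Types].xml"; JAR files carry META-INF/MANIFEST.MF.
        # Looking at the first 4 KiB is enough for the small constructed
        # samples here; a real archive may need its central directory read.
        head = data[:4096]
        if b"[Content_Types].xml" in head:
            return "Office Open XML document (ZIP)"
        if b"META-INF/MANIFEST.MF" in head:
            return "Java archive (ZIP)"
    if name == "DOS/Windows executable (MZ/PE)" and len(data) >= 0x40:
        # The DOS header stores the offset of the PE header at 0x3C;
        # a "PE\0\0" signature there marks a modern Windows executable.
        pe_off = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "Windows PE executable"
        return "DOS MZ executable"
    return name

def identify_file(path: str) -> str:
    """Identify a file on disk by reading only its first 4 KiB."""
    with open(path, "rb") as fh:
        return identify(fh.read(4096))

# Constructed samples (not real files): just enough bytes to exercise the table.
SAMPLES = {
    "png":  b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
    "docx": b"PK\x03\x04" + b"\0" * 26 + b"[Content_Types].xml",
    "zip":  b"PK\x03\x04" + b"\0" * 26 + b"readme.txt",
    "pe":   b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0",
    "text": b"hello, world",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:5} -> {identify(blob)}")
```

The table deliberately puts the longer, more specific signatures first, and `refine` is where the "look at more than one line" advice from the text lives: the same `PK..` descriptor is resolved to a ZIP, an Office document or a JAR only after further bytes are examined.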

What else can you do with a hex editor

Besides helping to analyse any file, HEX editors make it possible to:

  1. work with disk images;
  2. edit disk partitions;
  3. change the contents of RAM;
  4. change the virtual address space of the process, and so on.

For example, utilities of this type are used in software development, when data needs to be changed after the program has been compiled but you do not want to recompile it. Any program code can be modified with a HEX editor; of course, you need to know how to do this and how to find the necessary data. This is how errors in code are fixed, and it is also used for hacking and cheating. So the range of uses for HEX editors is very wide.

Which hex editors to use

There are a lot of programs for editing data; here are several of them:

A popular utility for Windows. With it, the user can open and change any type of file. If something is edited incorrectly, the utility keeps a history of changes, so you can always return to the original state.

The tool works very quickly while taking up little space, and it can work with large files. The interface is simple and suitable for beginners, and there is a Russian-language option.

This editor can be used as a demo version for a while, after which it must be purchased. The tool is universal and offers many interesting options.

It can work not only with files but also with hard drives, flash drives, optical discs and even floppy disks. All Windows file systems are supported, as are partition cloning and permanent deletion of data with no possibility of recovery.

If you are a beginner, this program is enough for you, especially since the Help section has an option to switch to the Russian-language interface.

A 2-in-1 utility: it has a file comparison function and a built-in HEX editor. Sometimes you need to compare files to find their differences and similarities, or to analyse the structure of objects in various formats.

If two files differ, the differing areas of the matrix are highlighted in colour, and the comparison itself takes a matter of seconds. However, only files no larger than 4 GB are suitable for analysis.

The utility lets you customise its interface, so the user can adapt it to their own needs and work faster.

This one comes free of charge, yet it can work with bulk data in any format and encoding. It is also possible to edit RAM and the hard disk.

The program combines hexadecimal output with ASCII text. The English-language interface is quite simple, so working with it will not be difficult, especially if you have already used similar editors.

If a file does not open in one editor, it will open in this one; that is why I have given a list of several utilities here. This tool is dedicated to opening binary files. It has many settings, and its system requirements are modest enough for any computer.

Working in this editor is as simple as typing in Word. There are options for comparing files, computing their checksums and exporting the analysis to various formats, such as HTML.

If you need to convert a code from one number system to another, Hex Workshop has a converter. The program is shareware, which can be considered one of its drawbacks.

Here you have learned what HEX editors are and why they are used. In the future I will try to write articles on working with them, for example, when you need to edit a file.

After the series of articles “Best pentester tools” ended, the editorial office received a lot of letters asking for a selection of hex editors. Of interest, of course, is not the ability to edit binary data but additional features like automatic recognition of data structures and code disassembly. To make the overview, we asked the opinions of people who often have to tinker with such tools: virus analysts. Here is what they told us.

Any hex editor allows you to explore and modify a file at a low level, operating with bits and bytes. The contents of the file are presented in hexadecimal form. This is the basic functionality. However, some editors offer users much more, allowing them to figure out what is what in that incomprehensible set of characters that appears when a file is opened. To do this, ASCII and Unicode strings are automatically extracted, known patterns are searched, basic data structures are recognized, and much more. There are quite a few hex editors, but if we decide to consider them in the context of malware samples, it is easy to highlight some of them. Only a few are really useful for analyzing malicious code and examining infected documents (say, PDF).

McAfee FileInsight

FileInsight is a free hex editor for Windows from McAfee Labs. The product, of course, provides all the standard functionality associated with such software, offering a convenient interface for viewing and editing files in hexadecimal and text modes. But this is only a drop in the ocean if you look at everything it can do. It is worth starting with the fact that FileInsight is able to parse the structure of Windows executable binaries (PE files), as well as Microsoft Office OLE objects. Not only that, the user is offered a built-in x86 disassembler. It is enough to select the part of the file that you want to view as readable code, and FileInsight will show this fragment as a listing of assembler instructions. The disassembler is especially useful when looking for shellcode in malicious files. Another option that reversers will love is the ability to import structure declarations. To do this, the program just needs to be given a header file with declarations like:

struct ANIHeader {
    DWORD cbSizeOf;   // Num bytes in AniHeader
    DWORD cFrames;    // Number of unique Icons
    DWORD cSteps;     // Number of Blits
};

In this case, the program parses such constructions itself. Many intuitive code-processing algorithms are also offered by default. First of all, this means decoding many obfuscation methods (xor, add, shift, Base64, etc.): the built-in scripts crack such protection in one or two clicks. It should be noted here that the object of research does not have to be a binary; it can be an ordinary web page that arouses suspicion. The program allows you to automate many actions using simple JavaScript scripts or Python modules, of which many have already been written. Alas, for all its advantages, FileInsight also has a serious drawback: it cannot process large files. For example, if you try to feed the utility a file of 400-500 MB, it fails with the error “Failed to open document”.
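How a struct declaration like the ANIHeader above can be turned into a byte layout and applied to raw data, as an added example. This is not FileInsight's own parser; it is a small Python equivalent that understands only the Windows integer typedefs listed in its table, assumes little-endian 32-bit field sizes, and is run here on a constructed 12-byte sample rather than a real .ani file.

```python
"""Parse a C-style struct declaration (like the ANIHeader shown above) into
a struct.unpack format string and apply it to raw bytes.  Added example,
not FileInsight's own parser; the ANIHeader text is copied from the article
and the sample bytes are constructed for illustration."""
import re
import struct

# Windows integer typedefs and their little-endian struct codes (32-bit sizes).
TYPE_CODES = {"BYTE": "B", "WORD": "H", "DWORD": "I", "QWORD": "Q",
              "char": "b", "short": "h", "int": "i", "long": "i"}

FIELD_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s*;")

def parse_declaration(text: str):
    """Return (struct_name, format_string, [field names]) from a declaration.
    Comments after '//' are stripped; unknown types raise ValueError."""
    m = re.search(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no struct declaration found")
    name, body = m.group(1), m.group(2)
    fmt, fields = "<", []            # '<' = little-endian, no padding
    for line in body.splitlines():
        line = line.split("//", 1)[0]
        fm = FIELD_RE.match(line)
        if not fm:
            continue
        ctype, field = fm.groups()
        if ctype not in TYPE_CODES:
            raise ValueError(f"unsupported type {ctype!r} for field {field}")
        fmt += TYPE_CODES[ctype]
        fields.append(field)
    return name, fmt, fields

def unpack_struct(text: str, data: bytes, offset: int = 0) -> dict:
    """Unpack `data` at `offset` according to the declaration in `text`.
    A truncated buffer is reported instead of silently producing garbage."""
    name, fmt, fields = parse_declaration(text)
    size = struct.calcsize(fmt)
    if len(data) - offset < size:
        raise ValueError(f"{name} needs {size} bytes, only {len(data) - offset} available")
    values = struct.unpack_from(fmt, data, offset)
    return dict(zip(fields, values))

ANIHEADER_DECL = """
struct ANIHeader {
    DWORD cbSizeOf;   // Num bytes in AniHeader
    DWORD cFrames;    // Number of unique Icons
    DWORD cSteps;     // Number of Blits
};
"""

# Constructed sample: three little-endian DWORDs (36, 4, 8).
SAMPLE = bytes.fromhex("24000000 04000000 08000000")

if __name__ == "__main__":
    print(parse_declaration(ANIHEADER_DECL))
    print(unpack_struct(ANIHEADER_DECL, SAMPLE))
```

The size check in `unpack_struct` is the part worth keeping when adapting this: a header read from a damaged or deliberately truncated sample must fail loudly rather than be interpreted from whatever bytes happen to follow.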

Hex Editor Neo

There are two versions of this hex editor from HDD Software - a simple free version and an advanced commercial version. The freeware version is a solid but unremarkable HEX editor that has a cool customizable interface with support for different color schemes. No more. But the professional version of Hex Editor Neo provides several useful options that can be extremely useful when analyzing binaries. For example, the user gets the ability to decode code encrypted using the most common algorithms. In addition, it becomes possible to view and edit local resources such as NTFS streams, local drives, process memory, and RAM. In the most complete version, there is also support for a scripting language, which allows you to automate many processes using scripts in VBScript and JavaScript. But the best part is that you have a built-in disassembler that works with x86, x64, and .NET binaries! Another feature is the fast creation of patches based on the comparison of two binaries. Sounds impressive, but is it better than FileInsight? Probably not. FileInsight looks more functional overall. On the other hand, even the free version of Hex Editor Neo works great even with very large files and allows you to search for ASCII and Unicode strings. The disassembler here is not limited to the x86 platform only, and the built-in resource editor is very convenient. There is something to think about.

FlexHex

FlexHex is a powerful commercial hex editor from Heaventools Software that includes many of the features available in Hex Editor Neo. The only thing missing here is, perhaps, support for scripts. But this full-featured editor handles binaries, OLE files, physical disks and alternate NTFS streams equally well. The latter is especially important, because FlexHex lets you edit data that other editors might not even see. In addition, you immediately feel the focus on working with large amounts of information: no matter how large the file is, navigation through it proceeds without any lag. There is also a convenient bookmark system. At the same time, FlexHex continuously keeps a history of all operations: you can undo any action simply by selecting it from the list of changes (the undo list is not limited)! FlexHex supports all the necessary operations on binary data, including searching for ASCII and Unicode strings. If you need to process a structure with a previously known format, it is not difficult to set its parameters using special tools. The result is an excellent hex editor, but still much inferior to FileInsight. The only noteworthy option is the processing of OLE files, but there are problems here too: several times, when trying to open an infected OLE, the program crashed with the error "The docfile has been corrupted".

010 editor

010 Editor is a famous commercial product developed by SweetScape Software. Compared with the previous three tools, it can do everything: it supports working with very large files, provides cool data manipulation capabilities, allows you to edit local resources, and has a scripting system to automate routine actions (more than 140 different functions at your service). And 010 Editor has a highlight, a unique feature. The editor makes everyone happy thanks to the ability to parse various file formats using its own template library (the so-called Binary Templates). Here it has no equal. Many enthusiasts around the world work on templates describing various formats and data structures. As a result, the process of navigating through various file formats becomes transparent and understandable. This also applies to the processing of Windows binaries (PE files), Windows shortcut files (LNK), Zip archives, Java class files, and much more. The whole charm of this feature became clear to many people when the well-known security specialist Didier Stevens created a template for parsing PDF files for 010 Editor. Together with other utilities, this greatly simplifies the analysis of infected PDF documents, which for the past six months have never ceased to amaze with the number of weaknesses found in the reader. Add to this a cool binary comparison tool, a calculator with a C-like syntax, and data conversion between ASCII, EBCDIC and Unicode, and we get a very attractive tool with unique features.

Hiew

Hiew, in terms of distribution method, is not much different from its colleagues: this is also a commercial product, developed by our compatriot Evgeny Suslikov. With its long history, the program is much loved by many information security professionals. There are quite obvious reasons for this: powerful capabilities for examining and editing the structure and content of executable files for both Windows (PE) and Linux (ELF). Another very useful feature for reversing is the built-in x86-64 assembler and disassembler. The latter even supports ARM instructions. Needless to say, the editor perfectly digests large files and allows you to edit logical and physical drives. Many tasks are easily automated through a system of keyboard macros, scripts, and even an API for developing extensions (Hiew External Modules). But before you rush into battle, keep in mind that the Hiew interface is a DOS-like window, which takes some getting used to. On the other hand, you can feel for yourself all the charm of the old school.

Radare

Radare is a set of free utilities for the Unix platform that provide cool options for editing files in HEX mode. It includes directly the hex editor itself (radare) with the ability to open local and remote files. The program analyzes executable files of various formats, both Linux (ELF) and Windows (PE). In addition to editing, Radare has a tool for comparing binary files (radiff) and a built-in assembler/disassembler. And personally, a tool for generating shellcodes (rasc) came in handy a couple of times. Any operations can be easily automated and customized using a scripting system. Of the minuses, again, we can note the lack of a GUI interface - all actions are carried out from the command line, and it will be possible to fully work with the utilities only after reading the documentation. On the other hand, the site has visual screencasts that demonstrate both the main points and small secrets (like connecting a Python plugin).

So what to choose?

We have covered several powerful hex editors that include useful options for analyzing suspicious files. Of all the products, FileInsight stands out: for all its functionality (and it is really impressive), it remains free. 010 Editor provides a large number of templates for processing a wide variety of files, including PDF documents. This is a killer feature that should not be neglected. These are the two editors I use all the time; for the work of an analyst they are perhaps best suited. If we talk about working under the Unix platform, then, of course, we should not forget about Radare. The package offers very powerful features, although it is difficult to use because it works from the command line. Hiew is also not very friendly, although its capabilities certainly allow you to perform a variety of operations with binaries. In addition, Hiew is the choice of a lot of real pros, and that says a lot. As for Hex Editor Neo, you should take it into service if you are interested in the ability to disassemble x86, x64 and .NET code.

NOTE
The drawings on this page are not displayed, but you can find them in the book.

What we are going to do now is very interesting from my point of view. This will be your first machine code program (and most likely the only one).

Assembler is a low-level language, but still a language. Have you tried writing a program in machine code? Now let's try.

You can write a program without any assembler, compiler or other tools, using any hex editor (also called a hexadecimal editor).

Still, examining programs in a hexadecimal editor is very useful, especially for those who are going to work with electronics: after all, microprocessors understand neither Pascal nor C++, although there are special devices and programs that “explain” these languages to them.

First you need a hex editor. You can use any one you have on hand. However, I will be using the already mentioned McAfee FileInsight v2.1. This hex editor can be downloaded for free. All the actions described below are valid for this editor.

So, you have a hex editor installed. Let's launch it. We click on the OPEN button, find one of the COM files we created, for example, debug_1.com, and load it into the editor.

When the file is loaded, you will see the following in the editor (see also Figure 1.12):

00000000 B4 02 B2 41 CD 21 CD 20 ...A.!.

You can open the two other files we created: mycode.com (created in emu8086) or ATEST.COM (which we created in section ). You will see the same thing. This means that all assemblers produce the same machine code; the differences in the program text are not fundamental, they are due only to differences between the assemblers themselves.

NOTE
If in your case you see a different picture, then either you have opened another file, or you are viewing it in text mode. In the latter case, click the View as Hex button on the toolbar (see Figure 1.12).

What do these numbers mean?

The zeros are easy: this is the offset of the first memory cell, which holds the number B4. When a COM file is loaded, this byte ends up at address 0100h. A line holds 16 numbers, each consisting of two digits, and the numbers are written in hexadecimal. But our program is small, only 8 bytes, so we have 8 numbers.

Well, what is B4? This is the command “load a value into register AH”. What value do we load? Correct: 02 (the next number in the line).

AX=0200 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=0B72 ES=0B72 SS=0B72 CS=0B72 IP=0102 NV UP EI PL NZ NA PO NC
0B72:0102 B241 MOV DL,41

See B241 in the last line? A familiar combination? This is the machine code of the command MOV DL,41.

It remains to deal with the mysterious characters at the end of the line. And here everything is simple: each byte corresponds to a character code in the ASCII table, and these characters are displayed in the same order as the hexadecimal numbers. In this text, some characters are replaced by dots (.): these are simply the codes of non-printable characters.

Well, now let's write and create our well-studied program without assemblers and linkers. Open the editor, create a new file (to do this, click the NEW button on the toolbar), then click the View as Hex button and enter the data:

00000000 B4 02 B2 41 CD 21 CD 20

Save the file under a name such as hex_1.com. That's it. The program is ready. Now you can run it and once again admire your creation. The result will be the same as in all previous cases.
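The 8-byte program above, decoded back into instructions and written out as a .com file, as an added example that is not from the book. It is a Python script, not the hex editor, and it deliberately understands only the encodings this program uses (MOV r8,imm8 from the B0..B7 group and INT imm8) plus a few one-byte instructions; anything else is shown as a raw byte. The load address 0100h is the one the book gives for COM files; the function names are the author's own.

```python
"""Decode the 8-byte COM program shown above (B4 02 B2 41 CD 21 CD 20)
back into 8086 instructions, and write it to a .com file without an
assembler.  Added example, not from the book; it handles only the two
encodings the program uses (MOV r8,imm8 and INT imm8) plus a few
one-byte instructions, and reports anything else as an undecoded byte."""

# 8086 8-bit register order used by the B0..B7 opcode group (MOV r8, imm8).
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
ONE_BYTE = {0x90: "NOP", 0xC3: "RET", 0xCC: "INT 3"}

PROGRAM = bytes.fromhex("B4 02 B2 41 CD 21 CD 20")   # bytes from the book's dump
COM_LOAD_ADDRESS = 0x0100   # DOS loads a .com file at offset 0100h of its segment

def decode(code: bytes, base: int = COM_LOAD_ADDRESS):
    """Return a list of (address, raw bytes, mnemonic) tuples for `code`."""
    listing, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if 0xB0 <= op <= 0xB7 and pos + 1 < len(code):       # MOV r8, imm8
            imm = code[pos + 1]
            listing.append((base + pos, code[pos:pos + 2], f"MOV {REG8[op - 0xB0]},{imm:02X}"))
            pos += 2
        elif op == 0xCD and pos + 1 < len(code):               # INT imm8
            listing.append((base + pos, code[pos:pos + 2], f"INT {code[pos + 1]:02X}"))
            pos += 2
        elif op in ONE_BYTE:
            listing.append((base + pos, code[pos:pos + 1], ONE_BYTE[op]))
            pos += 1
        else:                                                  # not handled by this toy decoder
            listing.append((base + pos, code[pos:pos + 1], f"DB {op:02X}"))
            pos += 1
    return listing

def format_listing(code: bytes, base: int = COM_LOAD_ADDRESS):
    """Render decode() in a DEBUG-like style: 'addr  bytes  mnemonic'."""
    return [f"{addr:04X}  {raw.hex().upper():<6}  {text}" for addr, raw, text in decode(code, base)]

def write_com(path: str, code: bytes = PROGRAM) -> int:
    """Write the raw bytes as a .com file (exactly what the hex editor saves); returns size."""
    with open(path, "wb") as fh:
        return fh.write(code)

if __name__ == "__main__":
    for line in format_listing(PROGRAM):
        print(line)
    # write_com("hex_1.com")   # uncomment to produce the file the book describes
```

The listing it prints matches what DEBUG shows in the register dump above (`0102 B241 MOV DL,41`), and the `DB` fallback makes the point the book closes with: not every instruction fits into two bytes, so a decoder that only knows these forms must say when it is out of its depth rather than guess.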

And one more pleasant surprise from the McAfee FileInsight v2.1 editor - it has its own disassembler! If you load an executable file into the editor, and select the DISASSEMBLY tab in the lower left corner, you can view the source code of the loaded program in assembly language (Fig. 1.12).

Why do we need hex editors and disassemblers at all? After all, it's so difficult. Yes, it's not easy. However, hackers don't think so. It is with the help of hexadecimal editors and disassemblers that they break programs. They find the places they need in the code and fix them in accordance with their hacker whims.

Of course, we are not hackers. We will not break programs. However, disassemblers and hex editors are quite useful for law-abiding programmers as well. They are used, for example, for debugging, for studying machine code, and so on. Say you know what an assembly language instruction looks like, but you want to know its machine code. If there is no documentation, there is only one way out: a hexadecimal editor and/or a disassembler. It should be noted, however, that not every instruction fits into two bytes of machine code. Some instructions are quite complex and need more bytes to represent them.

A HEX editor is a program that can display information the way a computer "sees" it, but converting it to hexadecimal. Opening any file in such an application, the user will see a matrix consisting of columns and rows, the number of which depends on the size of the file in question. Therefore, if you change the byte values ​​in the editor, the contents of the open document will also change.

A bit of theory

Any data is stored in the PC's memory in the form of machine words, that is, bytes. Each consists of 8 bits (binary digits that take the value "0" or "1"). A little arithmetic shows that a number in the range from 0 to 255 can be written in one byte. If you convert 255 to hexadecimal, you get FF. So the hexadecimal representation is a very convenient way to display any machine word. Hence the name of this group of programs: hex editor.

Main elements of programs

In addition to the matrix described above, the interface of this group of applications may include other elements:

  • Row numbering. Usually located on the left side of the window. It shows the offset of the first byte of the row relative to the beginning of the file.
  • At the top there is often a similar strip of numbers showing the offset of each byte relative to the left edge of the row. Adding the row value and the column value gives the number (address) of each byte.
  • The right-hand area can display the same data as the table, but as text.
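The matrix view with the three elements just listed (offset strip on the left, column ruler on top, text column on the right), plus the in-place edit that a hex editor performs when you type into a cell, as an added example in Python rather than code from the article or any of the editors it reviews. The sample bytes are constructed (the book's 8-byte COM program followed by a short string); the line format and function names are the author's own.

```python
"""Render bytes the way a hex editor's matrix view does: an offset column on
the left, a column ruler on top, 16 hex cells per row and the same bytes as
text on the right, with '.' for bytes that have no printable ASCII form.
Added example, not code from the original article; the sample bytes are constructed."""

WIDTH = 16

def ruler(width: int = WIDTH) -> str:
    """The strip of column offsets shown above the matrix (00 01 ... 0F)."""
    return " " * 10 + " ".join(f"{col:02X}" for col in range(width))

def ascii_column(chunk: bytes) -> str:
    """Printable ASCII (0x20..0x7E) as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)

def hexdump(data: bytes, width: int = WIDTH) -> list:
    """One line per row: '<offset>  <hex cells>  |<ascii>|'."""
    lines = []
    for row_start in range(0, len(data), width):
        chunk = data[row_start:row_start + width]
        cells = " ".join(f"{b:02X}" for b in chunk)
        cells = cells.ljust(width * 3 - 1)       # keep the text column aligned on a short last row
        lines.append(f"{row_start:08X}  {cells}  |{ascii_column(chunk)}|")
    return lines

def offset_of(row: int, col: int, width: int = WIDTH) -> int:
    """Address of a cell: row offset (left strip) plus column offset (top strip)."""
    return row * width + col

def patch(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes at `offset`, as typing into a cell does.  The length never
    changes, because the editor replaces bytes rather than inserting them."""
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch does not fit inside the data")
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]

# Constructed sample: a tiny DOS program followed by a text string.
SAMPLE = bytes.fromhex("B4 02 B2 41 CD 21 CD 20") + b"Hello, hex!\x00\x0d\x0a"

if __name__ == "__main__":
    print(ruler())
    for line in hexdump(SAMPLE):
        print(line)
    print(f"cell (row 1, col 3) is at offset {offset_of(1, 3):#06x}")
```

The first printed row reads `00000000  B4 02 B2 41 CD 21 CD 20 48 65 6C 6C 6F 2C 20 68  |...A.!. Hello, h|`, which is the same shape as the dumps quoted from the book earlier on this page; the dots in the text column are the non-printable bytes described there.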

McAfee FileInsight

This HEX editor is absolutely free. It works only on operating systems of the Windows family. The product has the whole standard set of features, such as viewing and editing a file, and at the same time a pleasant and convenient interface.

But the standard features are the minimum for which FileInsight can be used. What is the maximum? You need to start with the ability to parse the structures of executable files. Is this not enough? Any selected fragment can be disassembled on the fly. One click - and incomprehensible numbers become a readable listing.

Among other things, this HEX editor provides many code-processing algorithms for undoing the protection built in by a sample's developers. First of all, note the decoding of obfuscation methods such as add, xor, Base64 and shift: the scripts that ship with the application break such crypto protection with ease. Most actions can be automated by writing simple scripts in JS or Python, and sometimes nothing new needs to be written, because the existing collection of scripts is impressive.

Although FileInsight is considered one of the best tools for reverse engineering, the program also has a huge drawback - the inability to process files larger than 400 MB.
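What the "decoding of obfuscation methods" mentioned here and in the FileInsight review above actually amounts to, as an added example. This is not a FileInsight or Hex Editor Neo script: it is plain Python that implements the four transformations the text names (xor, add, shift/rotate, Base64), a text-likeness score an analyst can use to pick the right single-byte XOR key, and a decoder that peels the layers in reverse order. The sample blob is constructed in the script by applying the same layers to a harmless marker string, and the function names are the author's own.

```python
"""Undo the simple transformations named above (xor, add, shift/rotate,
Base64) that obfuscated samples commonly stack on top of each other.
Added example, not a FileInsight or Hex Editor Neo script; the sample blob
is constructed here by applying the same layers to a known plaintext."""
import base64
import string

LETTERS = set(string.ascii_letters.encode())

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def add_bytes(data: bytes, delta: int) -> bytes:
    """Add a constant to every byte modulo 256; decode with the negated delta."""
    return bytes((b + delta) & 0xFF for b in data)

def rol_bytes(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits; decode by rotating by (8 - n)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def text_score(data: bytes) -> int:
    """How text-like a candidate decoding is: ASCII letters and spaces score 2,
    other printable bytes 1, control and high bytes -5."""
    score = 0
    for b in data:
        if b in LETTERS or b == 0x20:
            score += 2
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 1
        else:
            score -= 5
    return score

def guess_xor_key(data: bytes) -> int:
    """Try every single-byte key and return the one with the most text-like
    output (key 0 is skipped because it changes nothing)."""
    return max(range(1, 256), key=lambda k: text_score(xor_bytes(data, k)))

def decode_layers(blob: bytes, xor_key: int, add_delta: int, rol_n: int) -> bytes:
    """Peel the layers in the reverse of the order in which they were applied:
    Base64 -> XOR -> subtract -> rotate right."""
    step = base64.b64decode(blob)
    step = xor_bytes(step, xor_key)
    step = add_bytes(step, -add_delta)
    return rol_bytes(step, 8 - rol_n)

# Constructed samples: a harmless marker string, first XOR-only, then all four layers.
PLAINTEXT = b"config: server=example.invalid; mode=test"
XOR_ONLY = xor_bytes(PLAINTEXT, 0x37)
LAYERS = {"xor_key": 0x5A, "add_delta": 7, "rol_n": 3}
LAYERED = base64.b64encode(
    xor_bytes(add_bytes(rol_bytes(PLAINTEXT, LAYERS["rol_n"]), LAYERS["add_delta"]),
              LAYERS["xor_key"]))

if __name__ == "__main__":
    print("guessed XOR key:", hex(guess_xor_key(XOR_ONLY)))
    print("recovered:", decode_layers(LAYERED, **LAYERS))
```

The scoring function is the interesting part for an analyst: a wrong XOR key that happens to keep letters as letters still turns every space into something else, so the true key wins even on short inputs, whereas a plain "printable ratio" can tie between neighbouring keys.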

Hex Editor Neo

This HEX editor is distributed in two versions: free and advanced. The product with the freeware license is of high quality but unremarkable; among its features, one can highlight the extensive interface settings and colour schemes. The professional version provides more useful features that are especially relevant during analysis.

For example, the user is provided with the ability to decode programs encrypted with common algorithms. In addition to this, there are functions that allow you to edit local resources (RAM, NTFS streams, hard drives). Process automation is implemented using VBS and JS scripts.

However, the most important feature of the program is the disassembler, which can work with x64, x86 and .NET files. Another feature not provided by competitors is the creation of a patch based on a comparison of two binary executables. Certainly impressive, but compared to FileInsight, Neo still loses. Neo does, however, handle large files.

Hiew

The Hiew HEX editor does not have a free version. A team from Russia is engaged in its development. The product's history goes back to the days of 16-bit applications for DOS and Windows 3.1. Hiew is often used by professionals involved in computer and information security. The reasons are clear: the whole range of possibilities for editing and viewing Windows executable binaries, as well as compiled Linux programs (ELF).

Another notable feature that aids reverse engineering is Hiew's built-in disassembler and assembler. Moreover, they work with both x86 and x86_64 applications, and ARM processor instructions are supported as well. The editor copes with large files without any difficulty and allows you to make low-level data changes on physical HDDs.

A large number of actions can be automated. For this, the programmers have built in the ability to create scripts, keyboard macros and API functions that are used to call internal procedures from external applications. But Hiew still has not won an unconditional victory in the field of hexadecimal editors: its interface is entirely DOS-style, drawing its windows in a text console (or the console, if we talk about Linux systems).

Good day to all.

For some reason, many people think that working with hex editors is the lot of professionals and novice users should not meddle with them. But, in my opinion, if you have at least basic PC skills and understand why you need a hex editor, then why not?!

With the help of a program of this kind, you can change any file, regardless of its type (many manuals and guides contain information on changing a particular file using a hex editor)! True, the user must have at least a basic understanding of the hexadecimal system (the data in the hex editor is presented in it). However, basic knowledge on it is given in computer science lessons at school, and probably many have heard and have an idea about it (therefore, I will not comment on it in this article). So, here are the best hex editors for beginners (in my humble opinion).

1) Free Hex Editor Neo

One of the simplest and most common editors for hex, decimal and binary files under Windows OS. The program allows you to open any type of files, make changes (the history of changes is saved), conveniently select and edit a file, debug and analyze.

It is also worth noting a very good level of performance, coupled with low system requirements for the machine (for example, the program allows you to open and edit fairly large files, while other editors simply freeze and refuse to work).

Among other things, the program supports the Russian language, has a thoughtful and intuitive interface. Even a novice user will be able to understand and start working with the utility. In general, I recommend it to anyone who is starting their acquaintance with hex editors.

2) WinHex

This editor, unfortunately, is shareware, but it is one of the most versatile, it supports a bunch of different options and features (some of which are hard to find among competitors).

In the disk editor mode, it allows you to work with: HDD, floppy disks, flash drives, DVDs, ZIP disks, etc. Supports file systems: NTFS, FAT16, FAT32, CDFS.

I cannot fail to note convenient tools for analysis: in addition to the main window, you can connect additional ones with various calculators, tools for searching and analyzing the file structure. In general, suitable for both beginners and experienced users. The program supports the Russian language ( select the following menu: Help / Setup / English ).

WinHex, in addition to its most common functions (which support similar programs), allows you to "clone" disks and delete information from them so that no one can ever recover it!

3) HxD Hex Editor

A free and fairly powerful binary editor. Supports all major encodings (ANSI, DOS/IBM-ASCII and EBCDIC), files of almost any size (by the way, the editor allows you to edit RAM in addition to files, directly write changes to the hard drive!).

You can also note a well-thought-out interface, a convenient and simple function for searching and replacing data, a stepped and multi-level system of backups and rollbacks.

After starting, the program shows two panes: on the left the hexadecimal code, and on the right the same contents of the file rendered as text.

Of the minuses, I would single out the lack of the Russian language. However, many functions will be clear even to those who have never learned English...

4) HexCmp

HexCmp - this small utility combines 2 programs at once: the first allows you to compare binary files with each other, and the second is a hex editor. This is a very valuable option when you need to find differences in different files, it helps to explore the different structure of a wide variety of file types.

By the way, places after comparison can be painted in a different color, depending on where everything matches and where the data is different. The comparison happens on the fly and is very fast. The program supports files whose size does not exceed 4 GB (which is enough for most tasks).

In addition to the usual comparison, you can compare in text mode (or even both at once!). The program is quite flexible: it lets you customize the colour scheme and assign shortcut keys. If you configure the program properly, you can work with it without a mouse at all! In general, I recommend that all novice explorers of hex editors and file structures get acquainted with it.
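Byte-by-byte comparison of two files with the differing regions reported the way HexCmp highlights them (this passage and the HexCmp description earlier on the page), turned into a patch list of the kind the Hex Editor Neo review mentions, as an added example. It is not code from HexCmp, Hex Editor Neo or radiff; the two buffers are constructed, and the verification step in `apply_patch`, which refuses to patch bytes that do not match what the patch expects, is the author's own design choice rather than a documented feature of any of those tools.

```python
"""Compare two binaries byte by byte, report the differing ranges the way a
comparison tool highlights them, and turn the differences into a patch list
that can be applied or checked later.  Added example, not HexCmp's, Hex
Editor Neo's or radiff's code; the two sample buffers are constructed."""
import hashlib

def diff_ranges(a: bytes, b: bytes):
    """Return [(start, end)] half-open ranges where a and b differ.
    If the lengths differ, the tail of the longer input counts as one range."""
    ranges, start = [], None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def make_patch(original: bytes, modified: bytes):
    """[(offset, old_bytes, new_bytes)] for same-length inputs: in-place edits only,
    which is all a hex editor's overwrite mode produces."""
    if len(original) != len(modified):
        raise ValueError("patch generation needs equal-length inputs (no inserts/deletes)")
    return [(s, original[s:e], modified[s:e]) for s, e in diff_ranges(original, modified)]

def apply_patch(data: bytes, patch) -> bytes:
    """Apply a patch, refusing if the bytes present are not what the patch expects;
    this check keeps a patch from being applied to the wrong build of a file."""
    out = bytearray(data)
    for offset, old, new in patch:
        if bytes(out[offset:offset + len(old)]) != old:
            raise ValueError(f"mismatch at {offset:#x}: different build or already modified")
        out[offset:offset + len(new)] = new
    return bytes(out)

def sha256_hex(data: bytes) -> str:
    """Checksum used to confirm which file you are looking at before and after patching."""
    return hashlib.sha256(data).hexdigest()

def report(a: bytes, b: bytes) -> list:
    """Human-readable lines, one per differing range, showing both sides' bytes."""
    lines = []
    for s, e in diff_ranges(a, b):
        left = a[s:e].hex().upper() or "-"
        right = b[s:e].hex().upper() or "-"
        lines.append(f"{s:08X}-{e - 1:08X}: {left} -> {right}")
    return lines

# Constructed samples: a 16-byte "original" and a copy with two small edits.
ORIGINAL = bytes.fromhex("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00")
MODIFIED = bytes.fromhex("4D 5A 91 00 03 00 00 00 04 00 00 00 00 00 00 00")

if __name__ == "__main__":
    for line in report(ORIGINAL, MODIFIED):
        print(line)
    patch = make_patch(ORIGINAL, MODIFIED)
    print("patched matches modified:", apply_patch(ORIGINAL, patch) == MODIFIED)
    print("sha256 before:", sha256_hex(ORIGINAL)[:16], "after:", sha256_hex(MODIFIED)[:16])
```

Recording the old bytes alongside the new ones is what makes a binary patch safe to share or re-apply: `apply_patch` can tell a different build (or a file someone has already edited) apart from the one the patch was made against, and the checksums give you a one-line way to confirm which version you are holding.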
