Hex editors vs. malware: Selecting a hexadecimal editor to analyze binaries

A hex editor is a program that displays data the way the computer “sees” it, converted into hexadecimal. Opening any file in such an application, the user sees a matrix of columns and rows, the number of which depends on the size of the file. If you change the byte values in the editor, the contents of the open file change accordingly.

A little theory

Any data is stored in PC memory in the form of machine words, otherwise known as bytes. Each consists of 8 bits (binary digits that take the value "0" or "1"), so one byte can hold a number in the range from 0 to 255. Converted to hexadecimal, 255 becomes FF. Hexadecimal is therefore a very convenient way to display any machine word, hence the name of this group of programs: hexadecimal editor.

Basic elements of programs

In addition to the matrix described above, the interface of the presented group of applications may contain other tools:

  • Line numbering. Typically located on the left side of the application. Shows the offset of the first byte of the line relative to the beginning of the file.
  • At the top there is often a similar strip of numbers showing the offset of each byte relative to the leftmost value in the line. Adding the row value and the column value gives the offset of each byte.
  • The right pane can display the same data as in the table, but as text for the user.

McAfee FileInsight

This hex editor is completely free. It runs only on Windows operating systems. The product covers the standard set of features, such as viewing and editing a file. At the same time, the program has a pleasant and user-friendly interface.

But the standard features are the minimum that FileInsight can be used for. What's the maximum? We need to start with the ability to parse the structures of executable files. Is this not enough? Any selected fragment can be disassembled on the fly. One click - and incomprehensible numbers become a readable listing.

Among other things, this hex editor provides many code processing algorithms for getting past the protection built in by developers. First of all, note the decoders for obfuscation methods such as add, xor, Base64 and shift. The scripts that ship with the application break such protection with ease. Most actions can be automated by writing simple scripts in JS or Python. Often there is no need to write anything new, because the collection of existing scripts is impressive.
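What such a decoding script does for the add, xor, Base64 and shift cases, as an added Python example (not FileInsight's own code). It assumes a single-byte key, treats "shift" as a bit rotation so that it is reversible, and uses the PE DOS-stub text as known plaintext; the sample blob is constructed.

```python
import base64
import binascii

# Text found in the DOS stub of ordinary PE files; used here as known plaintext.
MARKER = b"This program cannot be run in DOS mode"

def xor(data, k):
    return bytes(b ^ k for b in data)

def sub(data, k):            # undoes "add k" applied to every byte
    return bytes((b - k) & 0xFF for b in data)

def ror(data, n):            # undoes "rotate left by n bits" (the shift case)
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)

DECODERS = (("xor", xor, range(1, 256)),
            ("add", sub, range(1, 256)),
            ("rol", ror, range(1, 8)))

def peel_base64(blob):
    """Return (decoded, True) if blob is strict Base64, else (blob, False)."""
    try:
        return base64.b64decode(blob, validate=True), True
    except (binascii.Error, ValueError):
        return blob, False

def find_keys(blob, marker=MARKER):
    """Brute-force every single-byte key; report (transform, key, marker offset)."""
    data, was_b64 = peel_base64(blob)
    hits = []
    for name, fn, keys in DECODERS:
        for k in keys:
            pos = fn(data, k).find(marker)
            if pos != -1:
                hits.append((name, k, pos))
    return was_b64, hits

def recover(blob):
    """Decode blob with the first key found, or return None if nothing matched."""
    data, _ = peel_base64(blob)
    _, hits = find_keys(blob)
    if not hits:
        return None
    name, k, _ = hits[0]
    fn = {n: f for n, f, _ in DECODERS}[name]
    return fn(data, k)

# Constructed sample: a fake PE header fragment, XOR-ed with 0x5A, then Base64.
PLAIN = b"MZ\x90\x00" + b"\x00" * 28 + MARKER + b"\r\n$"
SAMPLE = base64.b64encode(xor(PLAIN, 0x5A))

if __name__ == "__main__":
    print(find_keys(SAMPLE))       # which layer and key hid the marker
    print(recover(SAMPLE)[:2])     # decoded data starts with the MZ signature
```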

Although FileInsight is considered one of the best tools for reverse engineering, the program also has a huge drawback - the inability to process files larger than 400 MB.

Hex Editor Neo

This hex editor comes in two versions: free and advanced. The freeware product is of high quality, but unremarkable. Its features include extensive interface settings and color schemes. The professional version provides more useful features that are especially relevant during analysis.

For example, the user is given the ability to decode programs encrypted with common algorithms. In addition to this, there are functions that allow you to edit local resources (RAM, NTFS streams, hard drives). Process automation is implemented using VBS and JS scripts.

However, the most important feature of the program is its disassembler, which can work with x64, x86 and .NET files. Another feature not provided by competitors is the creation of a patch based on a comparison of two executable binaries. It's certainly impressive, but when compared to FileInsight, Neo still falls short. However, Neo can handle large files.

Hiew

Hiew HEX editor does not have a free version. The development is carried out by a team from Russia. The product's history dates back to the days of 16-bit applications for DOS and Windows 3.1. Hiew is often used by professionals involved in computer and information security issues. The reasons are clear: a full range of capabilities for editing and viewing Windows executable binaries, as well as compiled Linux (ELF) programs.

Another notable feature that helps in reverse engineering is Hiew's built-in disassembler and assembler. They work with both x86 and x86_64 applications; processor instructions are also supported. The editor copes with large files without any difficulty and allows you to make low-level changes to data on physical HDDs.

A large number of actions can be automated. To that end, the developers built in support for scripts, keyboard macros and API functions that are used to call internal procedures from external applications. But Hiew still has not won an unconditional victory among hexadecimal editors: its interface is made entirely in the DOS style, rendered in windows (or in the console, if we talk about Linux systems).

This article covers working in the free hex editor Free Hex Editor Neo, using the example of editing the file BkEnd.dll from the delivery for correct operation of this system with .

1. A little about hex editors and files

As you know, any file stored on a computer’s hard drive is a sequence of machine words, or bytes. A byte, in turn, consists of 8 bits, each of which can take the value “0” or “1”, which means that one byte can take 2^8 = 256 values in the range from 0 to 255. The number 256₁₀, written in the hexadecimal system, is a round three-digit number, 100₁₆, i.e., to represent any number from the range 0-255, no more than 2 digits are required. This means that it is very convenient to write the value of each byte as a two-digit number in the hexadecimal number system.

The hex-editor shows us the file the way the machine “sees” it, namely, as a sequence of bytes. For example, opening a file in the editor, we will see a matrix consisting of 16 columns and the number of rows depending on the file size. Each matrix value corresponds to one byte, written as a two-digit hexadecimal number. By changing the value of the desired byte, we can, accordingly, change the file itself.

In addition, next to the table we can see:

  • To the left of the matrix a line of numbers is displayed: each line corresponds to a number indicating the address/offset of the first byte of this line. The address step is equal to the number of columns.
  • Another ruler is displayed at the top of the matrix: above each column the offset of the byte in this column relative to the first byte of the corresponding line is displayed. The sum of the number corresponding to the i-th row and the number corresponding to the j-th column is the address/offset of the byte (i;j) located at the intersection of the taken row and the taken column.
  • To the right of the matrix the same data is displayed, but in a different interpretation. The most common alternative is to display data as ASCII text, with bytes whose values correspond to non-printable characters displayed as dots (·). You can also edit values in this area.

2. Install Free Hex Editor Neo

For example, I need to write the value eb to the byte at offset 000d9cca. To do this, I find the row “000d9cc0” and column “0a”, double-click on the desired cell and enter a new value.

Proceeding similarly, I make the following changes:

  1. To fix the error "Requires MS SQL Server 6.5 + Service Pack 5a or higher!", change the fields:
    at offset 000d9cca, change the value 83 to eb
    at offset 000d9ccb, change the value e8 to 15
    at offset 000db130, change the value 83 to eb
    at offset 000db131, change the value e8 to 10
  2. To fix the error "The sort order set for the database differs from the system one!":
    at offset 0018a79d, change the value 75 to eb
  3. To fix the error "Incorrect syntax near keyword "TRANSACTION"":
    replace the phrase DUMP TRANSACTION %s WITH TRUNCATE_ONLY, which is located at offset 002856B0, with the phrase ALTER DATABASE %s SET RECOVERY SIMPLE
  4. To fix the error "The database cannot be opened in single-user mode", change the fields:
    at offset 0028549c, change the value 64 to 6b
    at offset 0028549d, change the value 62 to 70

After all changes are made, save the file by clicking "File" — "Save".
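The same edits applied by script, with two checks the manual procedure does not include: each original value is verified before anything is written, and the text replacement keeps its length. This is an added example, not code from the original article. It runs on a constructed zero-filled stand-in for the DLL, the helper names are hypothetical, and padding the shorter phrase with a space is an assumption. `locate` reproduces the row-plus-column addressing described in section 1.

```python
import hashlib

# (offset, expected original bytes, replacement bytes) from the list above.
BYTE_PATCHES = [
    (0x000D9CCA, b"\x83", b"\xeb"), (0x000D9CCB, b"\xe8", b"\x15"),
    (0x000DB130, b"\x83", b"\xeb"), (0x000DB131, b"\xe8", b"\x10"),
    (0x0018A79D, b"\x75", b"\xeb"),
    (0x0028549C, b"\x64", b"\x6b"), (0x0028549D, b"\x62", b"\x70"),
]
STRING_OFFSET = 0x002856B0
OLD_SQL = b"DUMP TRANSACTION %s WITH TRUNCATE_ONLY"
NEW_SQL = b"ALTER DATABASE %s SET RECOVERY SIMPLE"

def locate(offset, columns=16):
    """Split a byte offset into the editor's row label and column label."""
    return offset - offset % columns, offset % columns

def string_patch(offset, old, new, pad=b" "):
    """Overwriting in place must not change the length: pad the shorter text.
    Padding with a space is an assumption, not something the article states."""
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original phrase")
    return offset, old, new + pad * (len(old) - len(new))

def apply_patches(image, patches):
    """Check every expected original value before writing anything."""
    for off, old, _ in patches:
        found = bytes(image[off:off + len(old)])
        if found != old:
            raise ValueError(f"offset {off:08x}: expected {old.hex()}, "
                             f"found {found.hex() or 'end of file'}")
    for off, _, new in patches:
        image[off:off + len(new)] = new
    return hashlib.sha256(image).hexdigest()

def constructed_image():
    """Constructed stand-in for the DLL: zero-filled, original values planted."""
    image = bytearray(0x00285800)
    for off, old, _ in BYTE_PATCHES:
        image[off:off + len(old)] = old
    image[STRING_OFFSET:STRING_OFFSET + len(OLD_SQL)] = OLD_SQL
    return image

if __name__ == "__main__":
    image = constructed_image()
    before = hashlib.sha256(image).hexdigest()
    row, col = locate(0x000D9CCA)
    print(f"row {row:08x}, column {col:02x}")
    patches = BYTE_PATCHES + [string_patch(STRING_OFFSET, OLD_SQL, NEW_SQL)]
    after = apply_patches(image, patches)
    print("sha256 before:", before)
    print("sha256 after: ", after)
```

On a real file, read it into a `bytearray`, keep the untouched original, and record both digests; a refused run means the file is a different build or is already patched.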


Good day everyone.

For some reason, many people believe that working with hex editors is the domain of professionals and that novice users should not try them. But, in my opinion, if you have at least basic PC skills and an idea of why you need a hex editor, then why not?!

Using a program of this kind, you can change any file, regardless of its type (many manuals and guides contain information on changing a particular file using a hex editor)! True, the user needs to have at least a basic understanding of the hexadecimal system (data in the hex editor is presented precisely in it). However, basic knowledge on it is taught in computer science classes at school, and probably many have heard and have an idea about it (therefore I will not comment on it in this article). So, here are the best hex editors for beginners (in my humble opinion).

1) Free Hex Editor Neo

One of the simplest and most common editors for hexadecimal, decimal and binary files for Windows. The program allows you to open any type of file, make changes (the history of changes is saved), conveniently select and edit a file, debug and analyze.

It is also worth noting a very good level of performance coupled with low system requirements for the machine (for example, the program allows you to open and edit fairly large files, while other editors simply freeze and refuse to work).

Among other things, the program supports the Russian language and has a well-thought-out and intuitive interface. Even a novice user will be able to figure it out and start working with the utility. In general, I recommend it to everyone who is starting their acquaintance with hex editors.

2) WinHex

This editor, unfortunately, is shareware, but it is one of the most versatile, supporting a bunch of different options and features (some of which are difficult to find among competitors).

In disk editor mode, it allows you to work with: HDDs, floppy disks, flash drives, DVDs, ZIP disks, etc. Supports file systems: NTFS, FAT16, FAT32, CDFS.

I can’t help but note the convenient tools for analysis: in addition to the main window, you can connect additional ones with various calculators, tools for searching and analyzing the file structure. In general, it is suitable for both beginners and experienced users. The program supports the Russian language (select the following menu: Help / Setup / Russian).

WinHex, in addition to the most common functions (which similar programs also support), allows you to “clone” disks and delete information from them so that no one can ever recover it!

3) HxD Hex Editor

A free and quite powerful binary file editor. Supports all major encodings (ANSI, DOS/IBM-ASCII and EBCDIC), files of almost any size (by the way, the editor allows, in addition to files, to edit RAM and directly write changes to the hard drive!).

You can also note a well-thought-out interface, a convenient and simple function for searching and replacing data, a stepped and multi-level system of backups and rollbacks.

After launch, the program consists of two windows: on the left is the hexadecimal code, and on the right is the text translation and the contents of the file.

Among the minuses, I would highlight the lack of Russian language. However, many functions will be clear even to those who have never learned English...

4) HexCmp

HexCmp - this small utility combines 2 programs at once: the first allows you to compare binary files with each other, and the second is a hex editor. This is a very valuable option when you need to find differences in different files, helping you explore the different structures of a wide variety of file types.

By the way, places after comparison can be painted in different colors, depending on where everything matches and where the data is different. The comparison happens on the fly and very quickly. The program supports files whose size does not exceed 4 GB (quite enough for most tasks).

In addition to the usual comparison, you can also compare in text form (or even both at once!). The program is quite flexible: it allows you to customize the color scheme and specify shortcut keys. If you configure the program appropriately, you can work with it without a mouse at all! In general, I recommend it to everyone who is beginning to explore hex editors and file structures.

5) Hex Workshop

Hex Workshop is a simple and convenient binary file editor, which is distinguished primarily by its flexible settings and low system requirements. Thanks to this, it can be used to edit quite large files that simply do not open or freeze in other editors.

The editor has all the most necessary functions: editing, search and replace, copying, pasting, etc. The program can perform logical operations, conduct binary file comparisons, view and generate various file checksums, and export data to popular formats: rtf and html.

The editor also has a converter between binary and hexadecimal systems. In general, a good arsenal for a hex editor. Perhaps the only negative is that the program is shareware...

Hex Editor Neo is a free version of a hexadecimal and binary file editor, capable of editing large objects. Allows you to undo/redo multiple times after editing. In addition, convenient tools for searching and replacing data are built-in.

Hex Editor Neo has capabilities for highlighting, viewing, editing, replacing, debugging and analyzing data. An important quality of the program is the ability to simultaneously open several files (tabbed support). With the editor, for example, you can make patches to a file with two clicks.

Manipulate your EXE, DLL, DAT, AVI, MP3, JPG files with unlimited undo/redo capabilities. The history of the work done appears in a tree form; you can always easily return to the desired or original type of data.

Features of Hex Editor Neo

  • Edit binary files of any size at the fastest speed
  • Find and replace data in binary files
  • Writing microcode programs
  • Exploring the functionality of any executable file

Like Windows Notepad. Moreover, if you open a binary file with a text editor and save it to disk, in most cases the file will be corrupted and will not run. To make correct edits, you must use hexadecimal editors (hex), which are sometimes also called binary editors.

Most ordinary users are unlikely to have any tasks or needs to use hexadecimal editors. However, for tech-savvy users, such editors can be indispensable tools.

Note: At one time, editing standard asp.net 1.1 installers required adjusting the binary code, for example in order to make one of the controls a password entry field.

This review contains some of the best free hex editors for different needs.

Review of Free Hex Editors

There are several excellent free hex editors, ranging from small and simple to complex products that are comparable to commercial solutions. However, the hex editor category is one of those categories where personal needs and preferences are so important that comparing products is not only difficult, but also pointless. Therefore, you should not assume that the products are arranged in descending order.

HxD is an excellent hexadecimal hex editor

One of the best utilities for editing binary code is HxD. First, the program is portable and does not require installation, which is especially important if you often need to edit executable files. Second, it has a nice interface. Third, HxD processes large files without delays or screen freezing. On top of that come unlimited edit history, fast search and replace, binary file comparison, and full support for ANSI, DOS/IBM-ASCII and EBCDIC, plus a dozen more capabilities, some of which are listed below. HxD also allows you to edit not only the disk, but also the RAM. Such a set of capabilities makes the program a dangerous toy in the hands of novice users. In addition, security applications may react to its actions for the same reason, but experienced users understand that this happens because of the way it accesses data and its use of potentially dangerous functions.

Overall, HxD is great for those who frequently deal with various binary codes.

Other features and characteristics:

  • Secure access to files that other programs use
  • Checksum generator: Checksum, CRCs, Custom CRC, SHA-1, SHA-512, MD5, ...
  • Export data to various formats
  • Inserting code templates
  • Ability to safely delete files.
  • Splitting or merging files
  • Various types of groupings in columns (1,2,4,8,16 bytes)
  • Highlighting changed data
  • Quickly jump to an address
  • Support for copying clipboard data from other programs: Visual Studio/Visual C++, WinHex, HexWorkshop, ...
  • Bookmarks
  • And much more...

Hex editor Hexplorer is an analogue of HxD with the ability to view images when analyzing steganography

Another great hex editor, Hexplorer, is open source. The program has a number of unique features that also make it a powerful binary image editor. This means that you can look at graphic files not only in terms of their visual representation, but also in terms of their binary code. Of course, it is difficult to imagine editing pictures in hexadecimal in everyday life. However, it can be used for purposes such as steganography.

Overall, Hexplorer is suitable not only for those who frequently edit binary code, but also for those who work with binary code in non-standard ways.

Main features and characteristics:

  • Six interface color schemes for various tasks.
  • Unlimited command history
  • x86 disassembler
  • Import and export to 20 different binary file formats, including Intel Hex, Motorola S-Record, Atmel standard, etc.
  • Ability to find recurring patterns in data
  • Viewing Images
  • Filtering text from binary data
  • Boyer-Moore search algorithm
  • Quick navigation to addresses
  • Allows you to create structures of simple data types, such as integers or floating point numbers
  • Pseudo-random number generator
  • Allows you to record macros (scripts) to automate tasks

Other hex editors

There are other hex editors that are also worthy of attention and may come in handy.

Hexadecimal editor XVI32 simple and convenient

XVI32 is a free hexadecimal editor whose name comes from the Roman numeral XVI (16).

  • Supports scripts to automate tasks.
  • Search by pattern
  • ASCII/ANSI
  • Character conversion based on user definitions
  • Writing individual blocks to a file
  • And other possibilities...
  • Stores the open file in memory, so large files will have problems.
  • As such, there is no command history. This means that any changes you make are made "as is" and you will have to write them down or remember them.

Supports Windows 9x/NT/2000/XP/Vista/7

Hex editor HexEdit with a specialized calculator

HexEdit is another free binary editor from MiTeC.

  • No need to install (portable)
  • RAM and disk editor
  • Specialized calculator
  • Can compare files
  • Can dump data from RAM to disk (create a dump)
  • And others...
  • Stores open files in memory

Supports Windows 2000 - Windows 7

Cygnus Free simple hex editor

Cygnus Free is a free hex editor that is one of the older versions of the commercial editor. Therefore functionality is limited.

  • Fast and easy to use
  • Quick search and replace
  • Drag & drop
  • And other possibilities...
  • Stores an open file in RAM with all the ensuing problems
  • The free version does not have technical support
  • Trimmed for functionality

Supports Windows

Quick Selection Guide (links to download free hex editors)

HxD

Supports many languages, including Russian. Disk and RAM editor. Quickly edits large files. Allows you to generate checksums. Able to compare files. Can safely delete, merge and split files.
All changes are immediately saved to disk. Therefore, always back up your files before editing.
http://mh-nexus.de/en/hxd/
http://mh-nexus.de/en/downloads.php?product=HxD
Size: 850 KB. Version: 1.7.7.0. License: unrestricted freeware. OS: Windows 95 - 7.

Hexplorer

RAM and disk editor. Additional features such as Fourier transform. View images. Can recognize NTFS/FAT, BMP headers, and so on. Supports macros to automate tasks.
Keeps the open file entirely in memory, making large files difficult to edit. By default, the font and display settings are not very well chosen.