Hex download in Russian full version. Hex editors vs. malware: Selecting a hexadecimal editor to analyze binaries

Hex Editor Neo Ultimate Edition is a binary, decimal and hexadecimal file editor for Windows that will be very convenient for developers and hackers. You will be able to select, view, edit, replace data, and the process itself will not take much time.

A special feature of the program is that it can work with very large files, offers unlimited undo and redo, and lets you view the history of changes, then save, load and edit it.

Unlimited undo function.
Selecting various objects.
Save and load the selection.
Search.
Search and replace.
Saving and loading history.
Creating packages.
Operations with the clipboard.
Various operating modes.
Setting colors in samples.
Data inspector.
Bookmarks.
Structure viewer.
Statistics.
Base converter.
Creating scenarios.


At the first start, the program will notify you about the availability of the Russian language, ready for downloading from the official website.
Click "Yes".
In the window that opens, check the box next to the Russian language and click the "Download" button.
Next, select “Russian” in the drop-down list and click the “Apply” button.
A window will appear warning you that the translation was created by an open community and may not be entirely correct. The following options will be offered:
"Use this lang pack" - use this translation
"Access online repository" - go to change the source translation in the repository
"Cancel" - Cancel installation
Select the first option, then click the "OK" button. After this, the program will ask to be restarted to apply the changes.
Confirm, and the program will restart with a Russian-language interface.


Fixed Bugs
Multiple bug fixes
A number of reported and internally discovered errors have been fixed.
Fixed memory leak
Application allocated and never freed memory when recursive structures were used in Structure Viewer.
Incorrect rendering of floating-point numbers
Floating-point numbers in range (-1..0) were displayed incorrectly in Structure Viewer, Data Inspector and other components.
New Features
Explorer window settings persistence
Explorer windows now remember last recently used folder settings.
New format specifier
Structure Viewer now allows new format specifier "c" in format() function and attribute. It forces rendering of integer values as single-byte or UNICODE character.
New directives in Structure Viewer
The following directives have been added to Structure Viewer definition language: $revert_to, $shift_by and $remove_to. They allow having look-ahead during structure binding.
New field attribute in Structure Viewer
New attribute forces exact match when rendering enumeration fields.
Updated Features
Changed automatic item collapsing logic
User-defined type does not collapse if it contains other user-defined types and all of them implement attribute. Previously, presence of other user-defined types caused automatic collapsing of a parent type during visualization.


Install the program, do not run it.
Copy Patch.exe to the folder with the installed program
Run, click the "Patch" button
Ready

How Windows notepad. Moreover, if you open a binary file in a text editor and save it to disk, then in most cases the file will be damaged and will not run. To make correct edits you must use hex editors, which are sometimes also called binary editors.

Most ordinary users are unlikely to have any tasks that call for a hexadecimal editor. However, for tech-savvy users, such editors can be indispensable tools.

Note: As a matter of fact, at one time, editing standard ASP.NET 1.1 installers required adjusting the binary code, for example, to make one of the controls a password entry field.

In this review we have collected some of the best free hex editors for different needs.

Review of Free Hex Editors

There are several excellent free hex editors, ranging from small and simple to complex products that are comparable to commercial solutions. However, the hex editor category is one of those categories where personal needs and preferences are so important that comparing products is not only difficult, but also pointless. Therefore, you should not assume that the products are arranged in descending order.

HxD is an excellent hexadecimal hex editor

One of the best utilities for editing binary code is HxD. First, the program is portable and does not require installation, which is especially important if you often need to edit executable files. Second, it has a nice interface. Third, HxD processes large files without delays or screen freezes. Add to this an unlimited edit history, quick search and replace, comparison of binary files, and full support for ANSI, DOS/IBM-ASCII and EBCDIC, plus a dozen more capabilities, some of which are listed below. HxD can edit not only the disk but also RAM. Such a set of capabilities makes the program a dangerous toy in the hands of novice users. Security applications may also react to its actions for the same reason, but experienced users understand that this happens because of the way it accesses data and its use of potentially dangerous functions.

Overall, HxD is great for those who frequently deal with various binary codes.

Other features and characteristics:

  • Secure access to files that other programs use
  • Checksum generator: Checksum, CRCs, Custom CRC, SHA-1, SHA-512, MD5, ...
  • Export data to various formats
  • Inserting code templates
  • Ability to safely delete files
  • Splitting or merging files
  • Various types of groupings in columns (1,2,4,8,16 bytes)
  • Highlighting changed data
  • Quickly jump to an address
  • Support for copying clipboard data from other programs: Visual Studio/Visual C++, WinHex, HexWorkshop, ...
  • Bookmarks
  • And much more...

Hex editor Hexplorer is an analogue of HxD with the ability to view images when analyzing steganography

Another great hex editor is Hexplorer, which is open source. The program has a number of unique features that also make it a powerful binary image editor. This means you can look at any graphic file not only in terms of its visual representation but also its binary code. Of course, it is difficult to imagine editing pictures in hexadecimal format in everyday life. However, it can be used for purposes such as steganography.

Overall, Hexplorer is suitable not only for those who frequently edit binary code, but also for those who use binary code in non-standard ways.

Main features and characteristics:

  • Six interface color schemes for various tasks.
  • Unlimited command history
  • x86 disassembler
  • Import and export in 20 different binary file formats, including Intel Hex, Motorola S-Record, Atmel standard, etc.
  • Ability to find recurring patterns in data
  • Viewing Images
  • Filtering text from binary data
  • Boyer-Moore search algorithm
  • Quick navigation to addresses
  • Allows you to create structures of simple data types, such as integers or floating point numbers
  • Pseudo-random number generator
  • Allows you to record macros (scripts) to automate tasks

Other hex editors

There are other hex editors that are also worthy of attention and may come in handy.

Hexadecimal editor XVI32 simple and convenient

XVI32 is a free hexadecimal editor whose name comes from the Roman numeral XVI (16).

  • Supports scripts to automate tasks.
  • Search by pattern
  • ASCII/ANSI
  • Character conversion based on user definitions
  • Writing individual blocks to a file
  • And other possibilities...
  • Stores open file in memory, so there will be problems with large files.
  • As such, there is no command history. This means that any changes you make are made "as is" and you will have to write them down or remember them.

Supports Windows 9x/NT/2000/XP/Vista/7

Hex editor HexEdit with a specialized calculator

HexEdit is another free binary editor from MiTeC.

  • No need to install (portable)
  • RAM and disk editor
  • Specialized calculator
  • Can compare files
  • Can dump data from RAM to disk (create a dump)
  • And others...
  • Stores open files in memory

Supports Windows 2000 - Windows 7

Cygnus Free simple hex editor

Cygnus Free is a free hex editor that is one of the older versions of the commercial editor. Its functionality is therefore limited.

  • Fast and easy to use
  • Quick search and replace
  • Drag & drop
  • And other possibilities...
  • Stores an open file in RAM with all the ensuing problems
  • The free version does not have technical support
  • Reduced functionality

Supports Windows

Quick Selection Guide (Links to download free hex editors)

HxD

Supports many languages, including Russian. Disk and RAM editor. Quickly edits large files. Allows you to generate checksums. Able to compare files. Can safely delete, merge and split files.
All changes are immediately saved to disk. Therefore, always create backup copies of files before editing.
http://mh-nexus.de/en/hxd/
http://mh-nexus.de/en/downloads.php?product=HxD
850 KB 1.7.7.0 Unrestricted freeware Windows 95 - 7

Hexplorer

RAM and disk editor. Additional functions, such as the Fourier transform. View images. Can recognize NTFS/FAT, BMP headers, and so on. Supports macros to automate tasks
Keeps the open file entirely in memory, making large files difficult to edit. By default, the font and display settings are not very well chosen.

This article will talk about working in the free hex editor Free Hex Editor Neo, using the example of editing a file BkEnd.dll from delivery for correct operation this system with .

1. A little about hex editors and files

As you know, any file stored on a computer's hard drive is a sequence of machine words - bytes. A byte, in turn, consists of 8 bits, each of which can take the value "0" or "1", which means that one byte can take 2^8 = 256 values in the range from 0 to 255. The decimal number 256, written in the hexadecimal system, is the round three-digit number 100, i.e., to represent any number in the range 0-255, no more than 2 hexadecimal digits are required. This means that it is very convenient to write the value of each byte as a two-digit number in the hexadecimal number system.

The hex editor shows us the file the way the machine "sees" it, namely, as a sequence of bytes. For example, opening a file in the editor, we will see a matrix consisting of 16 columns and a number of rows that depends on the file size. Each matrix value corresponds to one byte, written as a two-digit hexadecimal number. By changing the value of the desired byte, we can, accordingly, change the file itself.

In addition, next to the table we can see:

  • To the left of the matrix a line of numbers is displayed: each line corresponds to a number indicating the address/offset of the first byte of this line. The address step is equal to the number of columns.
  • Another ruler is displayed at the top of the matrix: above each column the offset of the byte in this column relative to the first byte of the corresponding line is displayed. The sum of the number corresponding to the i-th row and the number corresponding to the j-th column is the address/offset of the byte (i;j) located at the intersection of the taken row and the taken column.
  • To the right of the matrix the same data is displayed, but in a different interpretation. The most common alternative is to display data as ASCII text, with bytes whose values correspond to non-printable characters displayed as dots (·). You can also edit values in this area.

2. Install Free Hex Editor Neo

For example, I need to write the value eb to the byte at offset 000d9cca. To do this, I find the row "000d9cc0" and the column "0a", double-click on the desired cell and enter the new value.

Proceeding similarly, I make the following changes:

  1. To fix the error "MS required SQL Server 6.5 + Service Pack 5a or higher version!", change the fields:
    at offset 000d9cca, change the value 83 to eb
    at offset 000d9ccb, change the value e8 to 15
    at offset 000db130, change the value 83 to eb
    at offset 000db131, change the value e8 to 10
  2. To fix the error "The sort order set for the database differs from the system one!":
    at offset 0018a79d, change the value 75 to eb
  3. To fix the error "Incorrect syntax near keyword "TRANSACTION"":
    replace the phrase DUMP TRANSACTION %s WITH TRUNCATE_ONLY, located at offset 002856B0, with the phrase ALTER DATABASE %s SET RECOVERY SIMPLE
  4. To fix the error "The database cannot be opened in single-user mode", change the fields:
    at offset 0028549c, change the value 64 to 6b
    at offset 0028549d, change the value 62 to 70

After all changes are made, save the file by clicking "File" > "Save".
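The row/column addressing from section 1 and the offset-by-offset editing described above, as an added example that is not part of the original article: a 16-column dump renderer and a patch routine that checks every expected old value and writes a backup before changing anything. The function names and the sample file are assumptions made for illustration.

```python
import shutil
from pathlib import Path

WIDTH = 16  # columns per row, as in the editor's matrix


def hexdump(data: bytes, base: int = 0) -> list:
    """Rows of 'row address  hex bytes  |text|'; non-printable bytes shown as dots."""
    rows = []
    for row in range(0, len(data), WIDTH):
        chunk = data[row:row + WIDTH]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(WIDTH * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{base + row:08x}  {hexpart}  |{text}|")
    return rows


def locate(offset: int) -> tuple:
    """Split an absolute offset into (row address, column offset)."""
    return offset - offset % WIDTH, offset % WIDTH


def apply_patches(path, patches) -> Path:
    """Apply [(offset, old_bytes, new_bytes), ...] in place; return the backup path.

    Every old value is verified before anything is written, so a file of a
    different version is rejected instead of being silently corrupted.
    """
    path = Path(path)
    data = bytearray(path.read_bytes())
    for offset, old, new in patches:
        if offset < 0 or len(old) != len(new):
            raise ValueError(f"{offset:08x}: bad offset or length-changing patch")
        found = bytes(data[offset:offset + len(old)])
        if found != old:
            raise ValueError(f"{offset:08x}: expected {old.hex()}, found {found.hex()}")
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # keep the untouched original next to the file
    for offset, _, new in patches:
        data[offset:offset + len(new)] = new
    path.write_bytes(bytes(data))
    return backup


if __name__ == "__main__":
    import tempfile
    # Constructed sample file, not a real binary
    sample = Path(tempfile.mkdtemp()) / "sample.bin"
    sample.write_bytes(b"MZ\x90\x00" + bytes(range(0x40, 0x60)))
    print(locate(0x1A))                      # row 0x10, column 0x0a
    apply_patches(sample, [(0x1A, b"\x56", b"\xeb")])
    print("\n".join(hexdump(sample.read_bytes())))
```

Because the patch must keep the file length, a replacement string shorter than the original has to be padded to the same number of bytes before it is passed in.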


After the series ended with the article "The best tools for the pentester", the editorial office received many letters asking for a selection of hex editors. The interest, of course, is not in the ability to edit binary data as such, but in additional features such as automatic recognition of data structures and code disassembly. To put together an overview, we asked the people who most often have to tinker with such tools: virus analysts. And this is what they told us.

Any hex editor allows you to examine and modify a file at a low level, operating with bits and bytes. The contents of the file are presented in hexadecimal format. This is basic functionality. However, some editors offer users much more, allowing them to figure out exactly what is what in that incomprehensible set of characters that appears when opening a file. To do this, ASCII and Unicode strings are automatically extracted, known patterns are searched, basic data structures are recognized, and much more. There are quite a few hexadecimal editors, but if we decided to consider them in the context of studying malware samples, it is easy to highlight some of them. Only a few turn out to be really useful for analyzing malicious code and examining infected documents (say, PDF).

McAfee FileInsight

FileInsight is a free hex editor for Windows from McAfee Labs. The product, of course, provides all the standard functionality of such software, offering a user-friendly interface to view and edit files in hexadecimal and text modes. But this is just a drop in the ocean compared with everything it can do. To begin with, FileInsight is capable of parsing the structure of executable binaries for Windows (PE files), as well as Microsoft Office OLE objects. On top of that, the user gets a built-in x86 disassembler. Just select the part of the file you want to view as readable code, and FileInsight will show this fragment as a listing of assembly instructions. The disassembler is especially useful when looking for shellcode in malicious files. Other options that reversers will appreciate include the ability to import structure declarations. To do this, you just need to point the program at a header file with declarations like:

struct ANIHeader {
    DWORD cbSizeOf; // Num bytes in AniHeader
    DWORD cFrames;  // Number of unique Icons
    DWORD cSteps;   // Number of Blits
};

In this case, the program itself will parse such structures. Many code-processing algorithms are also available by default. We are talking, first of all, about decoding many obfuscation methods (xor, add, shift, Base64, etc.): built-in scripts make short work of such crypto protection. Note that the object of research does not have to be a binary; it can be an ordinary suspicious web page. The program allows you to automate many actions using simple JavaScript scripts or Python modules, of which many have already been written. Alas, with all its advantages, FileInsight also has a serious drawback: it cannot process large files. For example, if you try to feed the utility a file of 400-500 MB in size, the error "Failed to open document" appears.
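How a header declaration like the one above can be bound to file bytes, as an added example (not FileInsight's own code or file format): a small parser for flat struct declarations that maps Windows type names to fixed little-endian sizes. The type table, function names and sample bytes are assumptions; nested structs and alignment padding are not handled.

```python
import re
import struct

# Windows type names -> struct format codes (assumed table, little-endian, packed)
TYPE_CODES = {"BYTE": "B", "CHAR": "b", "WORD": "H", "SHORT": "h",
              "DWORD": "I", "LONG": "i", "ULONGLONG": "Q"}

DECL_RE = re.compile(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
FIELD_RE = re.compile(r"(\w+)\s+(\w+)\s*(?:\[(\d+)\])?\s*;")


def strip_comments(src: str) -> str:
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def parse_header(src: str) -> dict:
    """Return {struct name: [(field name, format code, element count), ...]}."""
    layouts = {}
    for name, body in DECL_RE.findall(strip_comments(src)):
        fields = []
        for ctype, fname, count in FIELD_RE.findall(body):
            if ctype not in TYPE_CODES:
                raise ValueError(f"unsupported type {ctype!r} in struct {name}")
            fields.append((fname, TYPE_CODES[ctype], int(count) if count else 1))
        layouts[name] = fields
    return layouts


def bind(layout: list, data: bytes, offset: int = 0) -> tuple:
    """Decode the struct at offset; return (field values, size in bytes)."""
    fmt = "<" + "".join(f"{count}{code}" for _, code, count in layout)
    size = struct.calcsize(fmt)
    if offset < 0 or offset + size > len(data):
        raise ValueError(f"need {size} bytes at {offset:#x}, data has {len(data)}")
    values = iter(struct.unpack_from(fmt, data, offset))
    result = {}
    for fname, _, count in layout:
        items = [next(values) for _ in range(count)]
        result[fname] = items[0] if count == 1 else items
    return result, size


HEADER = """
struct ANIHeader {
    DWORD cbSizeOf; // Num bytes in AniHeader
    DWORD cFrames;  // Number of unique Icons
    DWORD cSteps;   // Number of Blits
};
"""
# Constructed sample bytes, not taken from a real file
SAMPLE = struct.pack("<III", 36, 3, 5) + b"\x00" * 4

if __name__ == "__main__":
    layout = parse_header(HEADER)["ANIHeader"]
    # Decoded values come from the file and are untrusted: validate them
    # before using them as sizes or counts.
    print(bind(layout, SAMPLE))
```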

Hex Editor Neo

There are two versions of this hex editor from HDD Software - a simple free version and an advanced commercial version. The freeware option is a solid but unremarkable hex editor that has a cool, customizable interface with support for different color schemes. No more. The professional version of Hex Editor Neo, however, provides several options that can be extremely useful when analyzing binaries. For example, the user gets the opportunity to decode code encrypted using the most common algorithms. In addition, it becomes possible to view and edit local resources such as NTFS streams, local disks, process memory, as well as RAM. The most complete version also includes scripting language support, which allows you to automate many processes using scripts in VBScript and JavaScript. But the best part is that you have a built-in disassembler at your service that works with x86, x64, and .NET binaries! Another feature is the quick creation of patches based on comparison of two binaries. Sounds impressive, but is it better than FileInsight? Probably not. FileInsight looks more functional overall. On the other hand, any version of Hex Editor Neo, even the free one, works great even with very large files and allows you to search for ASCII and Unicode strings. The disassembler here is not limited to just the x86 platform, and the built-in resource editor is very convenient. There's a lot to think about.
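The ASCII/Unicode string extraction and the decoding of simple XOR obfuscation that these editors offer, as an added example that is not code from any of the products reviewed. The marker list, function names and sample buffer are assumptions, and only single-byte XOR keys are covered.

```python
import re

# Plain-text markers worth looking for in a sample (illustrative selection)
MARKERS = (b"This program cannot be run in DOS mode", b"http://", b"https://")


def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """(offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 5) -> list:
    """(offset, text) for printable characters stored as UTF-16LE (char, 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_markers(data: bytes, markers=MARKERS) -> list:
    """Sorted (offset, key, marker) for markers hidden under a single-byte XOR key."""
    hits = []
    for key in range(1, 256):                # key 0 would be plain text
        for marker in markers:
            needle = xor_bytes(marker, key)  # encode the marker, not the whole file
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, key, marker))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def decode_run(data: bytes, offset: int, key: int) -> str:
    """Decode from offset with key until the first non-printable result."""
    out = []
    for b in data[offset:]:
        c = b ^ key
        if not 0x20 <= c < 0x7F:
            break
        out.append(chr(c))
    return "".join(out)


# Constructed sample: header bytes, a UTF-16LE string, a XOR-encoded URL, plain text
SAMPLE = (b"\x00\x01\x02MZ\x90\x00" + "cmd.exe".encode("utf-16-le") + b"\xff\xfe"
          + xor_bytes(b"http://example.invalid/payload", 0xA7) + b"\x00plain text here")

if __name__ == "__main__":
    print(ascii_strings(SAMPLE))
    print(utf16le_strings(SAMPLE))
    for offset, key, marker in find_xor_markers(SAMPLE):
        print(f"{offset:#x} key={key:#04x} {decode_run(SAMPLE, offset, key)}")
```

On the sample, plain string extraction reports only the clear-text run; the encoded URL becomes visible only through the XOR marker scan.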

FlexHex

FlexHex is a powerful commercial hex editor from Heaventools Software that includes many of the same features found in Hex Editor Neo. The only thing missing here is, perhaps, script support. But this full-featured editor handles binaries, OLE files, physical disks and alternative NTFS streams. The latter is especially important because FlexHex allows you to edit data that other editors may not even see. In addition, you can immediately feel the focus on working with large amounts of information: no matter the size of the file, navigation through it is carried out without any lags or slowdowns. For even greater convenience, there is a bookmark system. At the same time, FlexHex continuously keeps a history of all operations - you can cancel any action simply by selecting it from the list of changes (the undo list is not limited)! FlexHex supports all necessary operations with binary data, including searching for ASCII and Unicode strings. If you need to process a structure with a previously known format, setting its parameters is not difficult using special tools. As a result, we get an excellent hex editor, but still much inferior to FileInsight. The only notable option is OLE file processing, but there are problems here too. Several times when trying to open an infected OLE, the program crashed with the error "The docfile has been corrupted."

010 Editor

010 Editor is a famous commercial product developed by SweetScape Software. Compared with the previous three tools, it can do everything they do: it supports working with very large files, provides cool capabilities for operating on data, allows you to edit local resources, and has a scripting system for automating routine actions (more than 140 various functions at your service). And 010 Editor also has a unique feature of its own. The editor beats everyone thanks to the ability to parse various file formats using its own library of templates (the so-called Binary Templates). Here it has no equal. Many enthusiasts around the world are working on templates, hammering out various formats and data structures. As a result, the process of navigating through different file formats becomes transparent and understandable. This also applies to the processing of Windows binaries (PE files), Windows shortcut files (LNK), Zip archives, Java class files and much more. Many were able to appreciate all the beauty of this feature when the famous security specialist Didier Stevens created a template for parsing PDF files for 010 Editor. Together with other utilities, this has greatly simplified the analysis of infected PDF documents, which for the last six months have not ceased to amaze with the number of places from which the reader program can be exploited. Add to this a cool tool for comparing binaries, a calculator with C-like syntax, and conversion of data between ASCII, EBCDIC and Unicode formats, and we get a very attractive tool with unique features.

Hiew

Hiew, in terms of the method of distribution, is not much different from its colleagues - this is also a commercial product, developed by our compatriot Evgeny Suslikov. Having a long history, the program is greatly loved by many information security specialists. There are quite obvious reasons for this - powerful capabilities for researching and editing the structure and content of executable files, both Windows (PE) and Linux (ELF) binaries. Another very useful feature for reverse engineering is the built-in x86-64 assembler and disassembler. The latter even supports ARM instructions. Needless to say, the editor perfectly digests large files and allows you to edit logical and physical drives. Many tasks are easily automated through a system of keyboard macros, scripts, and even an API for developing extensions (Hiew External Modules). But before you rush into battle, keep in mind that the Hiew interface is a DOS-like window, which is quite inconvenient to work with if you're not used to it. But you can experience all the charm of old school.

Radare

Radare is a set of free utilities for the Unix platform that provide cool features for editing files in hex mode. It includes the hex editor itself (radare) with the ability to open local and remote files. The program analyzes executable files of various formats, both Linux (ELF) and Windows (PE). In addition to editing, the Radare package includes a tool for comparing binary files (radiff) and a built-in assembler/disassembler. And personally, a tool for generating shellcodes (rasc) came in handy a couple of times. Any operations can be easily automated and customized using a script system. Of the minuses, again, we can note the lack of a GUI - all actions are carried out from the command line, and you can fully work with the utilities only after reading the documentation. On the other hand, the site has visual screencasts demonstrating both the main points and little secrets (like connecting a Python plugin).

So what should you choose?

We've looked at several powerful hex editors that include useful options for analyzing suspicious files. Of all the products, FileInsight stands out, which, despite all its functionality (and it is truly impressive), remains free. 010 Editor provides a large number of templates to handle the most varied files, including PDF documents. This is a mega feature that should not be neglected. I use these two editors all the time; for the work of an analyst, perhaps they are best suited. If we talk about working under the Unix platform, then, of course, we cannot forget about Radare. The package offers very powerful features, although it is difficult to use due to the fact that it runs from the command line. Hiew is also not very friendly, although its capabilities certainly allow you to perform a variety of operations with binaries. Besides, Hiew is the choice of a large number of real pros, and this is worth a lot (and means a lot). As for Hex Editor Neo, it's worth picking up if you're interested in the ability to disassemble x86, x64 and .NET code.