
A Hex Editor for Reverse Engineers

z3phyr
11 replies
7h12m

I really like this area of computer culture. RE, writing kernel modules, figuring out how stuff works and making stuff do what it was not designed to do aspects. However, legal avenues to do so are far in between and it requires a huge amount of time and help from peers.

exe34
3 replies
6h18m

are there illegal schools teaching kernel module writing?

exe34
1 replies
5h21m

i don't see how that's illegal - it's only a crime if you install it on somebody's computer to steal their information. knives aren't illegal.

Retr0id
0 replies
5h1m

Yes, it's not literally illegal, otherwise Microsoft would be in even more trouble. I just thought it was amusing.

(but also, carrying a sensibly sized knife is illegal where I live)

poincaredisk
2 replies
5h22m

However, legal avenues to do so are far in between and it requires a huge amount of time and help from peers.

I reverse engineer things for a living and I have many peers worldwide who do the same. My main field of work is malware analysis.

For recreation, in my country it's explicitly legal to reverse engineer things you own, with a purpose of making it work on your system (think: fixing a Windows XP game so it works on Windows 10). This is a very broad loophole, and lets you reverse engineer things in most cases when they "feel" like they should be legal.

cess11
0 replies
3h0m

Reversing for the purpose of integrations is commonly also legal.

8372049
0 replies
5h5m

This applies to the entire EEA, fortunately!

sadops
0 replies
31m

Just don't publish it, and you can kinda do whatever. Remember, just because you build or learn something doesn't mean you have to broadcast it. Edification can be its own reward.

no_time
0 replies
6h11m

You don't need a project to be "legal" to have some fun :)

Publish under a pseudonym with no links to your real identity, use dedicated communities that disregard DMCA takedowns. As long as you don't want to earn money this way, the worst that will happen is that your target notices your work and deploys vmprotect on their releases.

kstrauser
0 replies
54m

File formats are great fun to RE. I worked at a place that used a proprietary business management app. One day I was bored and started looking at its data files with a hex editor and saw some patterns like the titles of records in the app were spaced at exact multiples of X bytes apart on the data file. Oh! Fixed width records! Huh, look at that: right after the title, the next two bytes look like the hex value of the record number shown in the app. Guess that's how it stores those! If I click this checkbox, this one byte changes from 0x00 to 0x01. Hey there! After enough experimentation I had the whole thing mapped to structs in code and was able to build reports that the original app couldn't support.

There wasn't anything illegal about that. I'm sure the vendor would've preferred we pay them to make reports for us but nothing legally prevented it.
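
The workflow kstrauser describes above (spot the record stride, diff two snapshots to find a flag byte, then map the layout to a struct), as an added example that is not part of the original comment. The 40-byte layout, the titles and all helper names are constructed for illustration and are not the format of any real application.

```python
import struct
from functools import reduce
from math import gcd

# Constructed layout (assumption): 32-byte space-padded title,
# 2-byte little-endian record number, 1-byte checkbox flag, 5 pad bytes.
RECORD = struct.Struct("<32sHB5x")

def build_file(rows):
    """Build a constructed data file from (title, number, flag) tuples."""
    return b"".join(RECORD.pack(t.encode().ljust(32), n, f) for t, n, f in rows)

def infer_record_size(data, known_titles):
    """Guess the stride as the GCD of distances between titles seen in the app.
    Needs at least two titles; the guess is a multiple of the true size
    unless some pair of the titles sits in adjacent records."""
    offsets = sorted(data.index(t.encode()) for t in known_titles)
    return reduce(gcd, (b - a for a, b in zip(offsets, offsets[1:])))

def changed_bytes(before, after, record_size):
    """Diff two snapshots: (record index, offset in record, old, new)."""
    return [(i // record_size, i % record_size, a, b)
            for i, (a, b) in enumerate(zip(before, after)) if a != b]

def parse(data):
    """Decode every whole record; a truncated tail is skipped, not an error."""
    out = []
    for off in range(0, len(data) - RECORD.size + 1, RECORD.size):
        title, number, flag = RECORD.unpack_from(data, off)
        out.append((title.decode("ascii", "replace").rstrip(), number, bool(flag)))
    return out

if __name__ == "__main__":
    rows = [("Invoices", 1, 0), ("Customers", 2, 0), ("Orders", 3, 0), ("Vendors", 260, 1)]
    before = build_file(rows)
    rows[2] = ("Orders", 3, 1)          # "click the checkbox" on one record
    after = build_file(rows)
    size = infer_record_size(before, ["Invoices", "Orders", "Vendors"])
    print("record size:", size)
    print("changed:", changed_bytes(before, after, size))
    for rec in parse(after):
        print(rec)
```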

LocalH
0 replies
1h42m

If you've never done at least a tiny bit of "illegal" RE, are you even a true hacker? ;)

_xerces_
7 replies
4h38m

It is hard to find the link for Windows download, most people (especially us dumb Windows users) want to find a link and download, not scroll a bunch then go to another page then scroll some more and make a decision about which one of 20 links they need. It is not that hard, especially for most people on HN but it does add friction to people trying your software. This is a very common thing with other projects so not just picking on this one.

Finally, when it does load on my Windows machine (using MSI installer and after convincing Microsoft that it is safe to run and bypassing their warning) it loads up super tiny on my 4k laptop screen and is unusable. I suppose I could mess about with the compatibility and scaling settings but I kind of lost interest after all of the above.

I tell you all this because obviously a lot of work went into this tool and from the screenshots it looks beautiful and useful, but is let down by the process involved to get it to run, at least on my machine.

For now, I will keep running HxD.

_xerces_
1 replies
1h12m

Why would I do that unless I have a strong reason to use it rather than just move on with my day? A link is posted on HN for some cool software, it is already annoying to install it due to Microsoft complaining about it, then when I first run it, it opens up a tiny window and is asking if it can upload information. I don't expect to spend time figuring out its issues. I can't be the only one using a 4K display on Windows.

pengaru
0 replies
32m

> Why would I do that unless I have a strong reason to use it rather than just
> move on with my day? A link is posted on HN for some cool software, it is
> already annoying to install it due to Microsoft complaining about it, then
> when I first run it, it opens up a tiny window and is asking if it can upload
> information. I don't expect to spend time figuring out its issues. I can't be
> the only one using a 4K display on Windows.

Spoken as a true reverse engineer, you should ask for a refund.

sva_
1 replies
4h33m

Really weird criticism. If you're confused about how GitHub works, you might follow the link to their website[0] (when you click on "Release" in the readme) and then scroll down to find a "Download for Windows" button.

0. https://imhex.werwolv.net/

tom_
0 replies
4h26m

At least on desktop, there's also a link to the main site in the About section of the repo. This might actually be a better link for the HN submission, as I bet there's a non-zero intersection of hex editor users and people who completely do not understand Git whatsoever (assuming they've even heard of it).

go_prodev
0 replies
4h35m

Maybe they've updated it, but I found a Windows MSI link about halfway down the front page.

nneonneo
4 replies
6h24m

I tried ImHex…found it way too complex for most of what I wanted to do. I’m still a huge fan of Hex Fiend on macOS - simple, fast, does what I want. I still haven’t found the perfect “simple” hex editor on Windows.

nine_k
1 replies
6h13m

Have you tried Hiew?

nneonneo
0 replies
4h43m

No, hadn’t heard about it. Seems interesting, sort of “vim for hex” like. I might give it a spin.

s1gsegv
0 replies
1h28m

Interesting, I find HxD on Windows to be the absolute peak of hex editors with no real parallels on macOS or Linux. Which is a shame because I never use Windows.

Hex Fiend for instance is my hex editor on macOS, but why does it insist on reflowing the lines when I expand the window? I might just want to work with it maximized to avoid visual distractions, but I still only want lines to be 16 or 32 bytes long, and definitely not some weird size that will make things not line up.

MontagFTB
0 replies
4h46m

+1 for HexFiend. Their template format is straightforward to extend. I’ve used it to analyze many different file formats.

I also tried ImHex briefly. I have a ton of respect for the project, but found for my needs it was like using a cannon to kill a housefly.

hackyhacky
4 replies
1h50m

ImHex requires a GPU with OpenGL 3.0 support in general.

Why does a hex editor require OpenGL? (and therefore a GPU?)

Is there a good reason why it needs OpenGL or is it just for l33t-ness?

dagmx
1 replies
1h41m

The UI is built using Imgui (hence the Im prefix) which is a Ui framework for computer graphics programs.

Though, a couple nits:

1. An OpenGL requirement doesn’t necessitate a GPU. There are software implementations of OpenGL but they tend to be rather mediocre at best for performance.

2. Many platforms now assume some kind of GPU. It’s fairly rare to need a GUI tool without also having a GPU available. Of course there are niches for it, but those aren’t also likely to be running a hex editor and tooling locally.

anotherhue
0 replies
24m

'GPU' doesn't mean discrete, power-hungry graphics card either (not that you said it did).

OpenGL calls for basic desktop rendering can be reliably handled by the integrated graphics in the CPU. In which case OpenGL can almost be viewed as a parallel instruction set / DSL.

SideQuark
0 replies
1h32m

Why does a hex editor require ... a GPU?

Any editor, to be fluid and quick at today's screen resolution, needs hardware rendering. The days of drawing things pixelwise, especially any complex formatting, are noticeably slow.

See this [1] for example

[1] https://www.sublimetext.com/blog/articles/hardware-accelerat...

9029
0 replies
1h31m

they probably just picked the opengl renderer for imgui

dagmx
4 replies
4h27m

ImHex has so far been the best hex editor I’ve used for a few reasons. Some of these exist in other editors but rarely all together.

1. File templates mean that it auto highlights sections of known file types.

2. It shows how selected bytes may be interpreted as pretty much every common data type that I would want and does so simultaneously.

3. It’s significantly faster than other editors for me when I use large files

On the downside, the imgui ui gets buggy sometimes but it’s replaced my use of other viewers like HexFiend, hexa etc…

rfoo
1 replies
2h13m

Well, 010 Editor also checks all three. So:

4. Unlike 010 Editor, it does not take you $150 and is FOSS so you can easily patch it to do whatever you need.

ixwt
0 replies
41m

After briefly having used both, the main difference besides layout and aesthetics, is that 010 has a bigger repo of premade templates.

unwind
0 replies
47m

Uh that is literally the link that is posted, that this thread is about.

0xFEE1DEAD
4 replies
7h1m

This seems interesting and is coincidentally exactly what I need right now. My trusty file, strings, hexdump and xxd all failed me. I was going to use ghidra, but it's quite the beast and I haven't had any time to learn it yet. Gonna give this a try tonight.

nneonneo
2 replies
6h21m

What do you need Ghidra for?

Ghidra is, for the most part, not a hex editor. It’s meant for reverse engineering - mainly decompilation, but it’s useful for patching as well. The debugger is new and takes some getting used to (I’m still using GDB + Ghidra), but the disassembler and decompiler are top-notch.

tsujamin
1 replies
5h35m

It’s also useful for defining data structures and carving them up, which (for me) is the role now filled by ImHex.

If HexFiend/xxd are at one end of the spectrum, ghidra at the other, I imagine ImHex and tools like Kaitai are in the middle

nneonneo
0 replies
4h36m

Hex Fiend does data structures and file formats now too, using parsers written in TCL. I’d probably rate Hex Fiend as being in the middle too, especially if you’re going to put xxd at the low end :)

Personally, for file format parsing I like to use Hachoir (specifically Hachoir-wx for GUI file structure browsing), which is a somewhat obscure bit of software that I’ve made some contributions to.

ithkuil
0 replies
5h35m

Username checks out

surfingdino
3 replies
4h12m

Great project, shame the author did not google the username.

kstrauser
2 replies
52m

Why's that?

surfingdino
1 replies
46m

Google it.

kstrauser
0 replies
25m

Ah. Yeah, perhaps, but that was a normal, common word that the bad guys used because it sounded scary, but which still has its original meaning. It's not a word I'd primarily associate with those particular bad guys.

ykonstant
2 replies
5h1m

Does this editor have a way to display the ASCII bytes in CP437 glyphs? I grew up reading binary files in DOS that way and I can read the glyphs much faster than the corresponding hex values; in contrast, using dots for the non-printable characters doesn't really tell me much.

Simran-B
0 replies
1h30m

You can download additional assets in the settings and then interpret data as encoded in various formats. I don't see CP437 in the list but the file format for encodings is straightforward, you can probably create a mapping easily.

https://github.com/WerWolv/ImHex-Patterns/tree/master/encodi...

Dwedit
0 replies
1h29m

The problem with CP437 is that FF, 00, and 20 are all empty space and look the same. Then there's the question about that ambiguous character that's either German Sharp S or Beta.

mahoro
2 replies
5h23m

This is an absolutely great project. I had a lot of fun tinkering with the ROM of my Philips smart clock.

It has a built-in DSL that looks like Rust (without memory management, though – so it's very lightweight), and with that, it's possible to visualize and extract structural data from binary streams. That's really fun and cool.

It also has a visual editor to make simple calculations with no code. It didn't feel polished at the time I tried it. Strangely, writing code in DSL was more intuitive and easier for me.

alex_suzuki
1 replies
4h16m

Cool, a bit like Wireshark protocol dissectors then?

jchw
0 replies
2h33m

There's, unfortunately, a million similar implementations for this basic concept. 010 Binary Templates, Hex Workshop structures, Okteta structures, Kaitai Struct Definitions. Heck, I made my own Go struct tag DSL that does this, before I realized just how many times it had already been done before.

The thing that's complicated of course, is that while it is a good idea and the basic idea is incredibly similar across implementations, there are just enough different concerns to make it hard to have one universal standard that can cover all of the use cases. It's hard enough to have a single parsing framework that handles both text parsing and binary format parsing well, but you also would need to consider the ability to incrementally parse/stream, read/write support, support arbitrary transformations, some formats need pointers, offsets, indices, and of course to what degree such a descriptor should be declarative versus imperative (declarative is better, but it gets increasingly hard to capture all details entirely in a purely declarative manner.)

0xDEADFED5
2 replies
7h5m

Looks good! I usually stick to 010 Editor for its wildcard search, but ImHex does that and more, I'm sold. Will be testing it out a bit more

0xFEE1DEAD
1 replies
6h58m

what're the odds of two dead 0x users showing up at the same time in a thread previously without comments. gave me a chuckle

jolj
0 replies
6h29m

a thread about a hex editor? kinda high

j16sdiz
1 replies
4h55m

people who value their retinas when working at 3 AM.

You just need a well lit room to use light mode.

Stratoscope
0 replies
23m

Agreed, and also turn down your monitor brightness if needed so the light background matches a piece of paper on your desk.

No one complains that reading something on paper burns out your retinas. A light mode shouldn't either.

I always assumed that ImHex only supported dark mode, but it turns out that it does support light mode too!

noname120
0 replies
6h10m

I will stick to 010 Editor for now[1], it's the most amazing hex editor I've tried in my life. I'm not fond at all of the GUI framework (Dear ImGui) that this new project uses. It's meant for embedded systems with tiny screens and no window manager, not full-fledged desktop environments where the small elements and the complete lack of UI integration makes for a very awkward experience.

[1] https://www.sweetscape.com/010editor/

hnthrowaway0328
0 replies
4h17m

This looks pretty neat. Would it be a good idea to develop a hex editor as a project? It doesn't look too hard for a simple one, but if one wants there is a lot of room for practice, like parsing all file formats, from executable images to Doom WADs to some proprietary file format, and I'm sure there is a lot of room for tools that help RE too.

drzzhan
0 replies
2h2m

I will just stick with 010 Hex editor for now. Still I will keep an eye on this.

carrja99
0 replies
5h27m

Gave me a flashback to my middle school days when I used a hex editor to modify my saved game files.

Dwedit
0 replies
1h25m

I still use HxD for most cases, but whenever I need to work with encoded text, I use a fork of MadEdit instead. MadEdit has no problem with multibyte characters, whether it's UTF-8, UTF-16, or Shift-JIS.