A big part of my daily work is digging around in binary blobs. I’ve been using Hiew almost exclusively for a few years, and I’m a big fan – more people should use it!
The problem is Hiew has a steep learning curve, so if you literally use a hex editor once a year, then it’s probably just not worth it. However, if you live in a hex editor, then it might be more interesting than you realized!
This article assumes you’re already familiar with another hex editor, and are curious if it’s worth your time learning Hiew.
Let me walk you through a few common hex editing tasks and show you how they look… maybe 0.01% of the people reading this will be intrigued 😂
Let’s get this out of the way - if you’ve never seen Hiew before, it’s a console hex editor!
It has basic mouse support, but you primarily operate it with the keyboard. If you think vim looks arcane, you’re not going to enjoy using Hiew – that’s okay!
Hiew has been around a long time, first released in 1991. It’s still actively maintained – version 8.80 was just released in November – but it comes from an era where powerful software was usually designed around the idea of keyboard macros.
Like other tools built this way, Hiew has an emphasis on chaining together simple commands to perform complex tasks. That means there’s a steep learning curve before you feel proficient, but as you build up your command vocabulary you’ll be able to perform operations that look like magic.
Okay, let’s dive right in!
You’re trying to understand an undocumented proprietary file format.
A good place to start is usually looking at the list of strings that appear in the file, that’s alt+f6.
Hopefully that will give you some clues about what fields might be in the header. In Hiew, you mark fields using blocks, and you start a block with *.
I see there’s what looks like a filename near the top, so let me mark that.
All the usual movement commands work while you’re defining a block, including searching and jumping. Vim users will recognize this as very similar to visual mode.
Now that it’s marked, you can assign it a color with alt+m, or just give it a random color with alt+shift+m.
I like to just keep hitting alt+shift+m until I get a color I like.
Okay, now you can watch me repeat that process for a few more fields…
Tip: Feeling shortcut overload? Don’t worry, I made hiewdocs, an easy online shortcut reference!
Now we probably want to add some notes to remind us what we think a field is. In Hiew, you enter a comment with ;.
Just like with a disassembler, each location can have a name and a comment; you enter a name with shift+f12. They’re both optional, skip one or both if you like!
Once some fields are marked, you can move between them with alt+n (forward) and alt+shift+n (backward).
Hiew will display any names and comments as you navigate around as floating tips. You can also open a list with f12 and jump straight to the one you’re interested in!
I think we’re making progress. Look at this field, I think it’s the length of the data block:
If I examine it in the calculator, as a DWORD that would be 203008. Okay, let’s extract a block of that length and save it to a file.
So we need to… +203008t to move forward that many bytes. Now we can use f2 to save the current block to a file.
You can hit backspace to jump back to your last location when done.
Tip: Hiew has about a million ways to jump around a file! Don’t worry, you don’t need to memorize them!
Let’s take a look at this block we saved. I think I know what this is, if I add a deflate header…
Ah-ha, we got back the uncompressed data!
You probably spotted the PK header, and realized this is not an undocumented file format at all, it’s a ZIP archive. Yep, you got me 🙂
You don’t need to go through this process for common formats like Zip, you can just use a standard template that will populate the fields for you. If I do that, the names list f12 looks like this.
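The fields marked by hand above (compressed size, name, data offset) are exactly what a ZIP local file header carries, and the "save the block, add a deflate header" step is the same as inflating the raw deflate stream. The example below is added here and is not the article's code or part of Hiew: it builds a small ZIP in memory (constructed sample, `dexter.txt` with a made-up payload), parses the local header with struct offsets, extracts the block of `compressed_size` bytes and inflates it. It also checks the one thing a hand extraction can miss: if general-purpose flag bit 3 is set, the sizes in the local header are zero and the real values live in the data descriptor and central directory, so a block cut by the header's length field would be empty.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"     # signature of a ZIP local file header
DEFLATE = 8                          # compression method 8 = deflate
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes/CRC deferred to a trailing data descriptor


def build_sample_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: one deflated member written to an in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def parse_local_header(blob: bytes, offset: int = 0) -> dict:
    """Decode the fixed 30-byte local header at `offset`, the fields the article colours by hand."""
    if blob[offset:offset + 4] != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset:#x}")
    (version, flags, method, mtime, mdate, crc32, comp_size,
     uncomp_size, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", blob, offset + 4)
    if flags & FLAG_DATA_DESCRIPTOR:
        # The header's size fields are placeholders; cutting a block by them would be wrong.
        raise ValueError("sizes are in the data descriptor, not the local header")
    name_start = offset + 30
    name = blob[name_start:name_start + name_len].decode("utf-8")
    return {
        "method": method,
        "crc32": crc32,
        "compressed_size": comp_size,
        "uncompressed_size": uncomp_size,
        "name": name,
        "data_offset": name_start + name_len + extra_len,  # first byte of the compressed block
    }


def extract_block(blob: bytes, header: dict) -> bytes:
    """The equivalent of marking `compressed_size` bytes from the data offset and saving them."""
    start = header["data_offset"]
    return blob[start:start + header["compressed_size"]]


def inflate_raw(block: bytes) -> bytes:
    """ZIP stores bare deflate data; wbits=-15 tells zlib there is no zlib header or trailer."""
    return zlib.decompress(block, -15)


def recover_member(blob: bytes, offset: int = 0) -> bytes:
    """Walk the header, cut the block, inflate it and confirm the CRC the header promised."""
    header = parse_local_header(blob, offset)
    if header["method"] != DEFLATE:
        raise ValueError(f"unsupported method {header['method']}")
    plain = inflate_raw(extract_block(blob, header))
    if zlib.crc32(plain) != header["crc32"] or len(plain) != header["uncompressed_size"]:
        raise ValueError("inflated data does not match the header's CRC/size")
    return plain


if __name__ == "__main__":
    sample = build_sample_zip("dexter.txt", b"Hello Dexter! " * 50)
    print(parse_local_header(sample))
    print(recover_member(sample)[:28])
```

The CRC and length check at the end is the cheap way to confirm you cut the block at the right offset and length; an off-by-one on either side usually still inflates to something, but it will not match.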
You’re trying to patch an executable you don’t have the source code for.
The first thing you need to know is that Hiew has three main views. They are text, code and data. You can quickly flip between them without losing your place, just hit enter. Most Hiew users get into the habit of doing this frequently!
Let’s take a closer look at the code view.
As you can see, Hiew has a built-in disassembler, very handy if you work in security and need to extract shellcode!
Do you see those little arrow annotations? Those are shortcuts to follow a branch, you just hit the corresponding key to jump to the branch target. This lets you browse the code effectively without leaving Hiew.
If you see ↓5, that means it’s a forward branch and you can press 5 to jump to the destination.
While we’re browsing around we can enter comments with ;, just like in data view. The only difference is that your comments get added to the disassembly, rather than as floating tooltips!
Here’s a neat feature, see these dashes?
That’s your bookmark stack! If you want to go explore somewhere else, you can hit +, then you return later by hitting -.
Tip: Take a look at hiewdocs if you want to master the bookmark stack!
Hiew understands most major executable formats, and will populate names automatically. You can easily browse and patch headers, sections, tables, and so on.
Let’s take a look at the imports table.
Look, there’s a call to IsDebuggerPresent().
Let’s patch it out just for fun. Hiew not only has a disassembler built in, it also has an assembler. I think this is a unique feature among major hex editors!
There’s a handy shortcut to just nop an instruction: alt+f2.
Now let’s change this nop into xor eax, eax, and we’re done!
I challenge you to find me a hex editor that makes patching executables easier than Hiew 😂
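The two-step edit above (nop the call with alt+f2, then assemble `xor eax, eax` over the first bytes) is easy to get wrong in a plain hex editor because the replacement must be exactly as long as the original instruction. The example below is added here and is not the article's code or anything Hiew ships: it performs the same edit on a constructed byte string, recognising the two common call encodings (`E8 rel32`, 5 bytes, and `FF 15 disp32`, 6 bytes, the form a call through the import table usually takes), refusing to touch anything else, and padding `31 C0` with single-byte nops so the instruction stream stays aligned. The sample bytes and offsets are made up for the demonstration.

```python
# xor eax, eax (2 bytes); the remainder of the original call is filled with 1-byte nops
XOR_EAX_EAX = b"\x31\xC0"
NOP = b"\x90"

# Constructed sample: call [disp32] ; test eax, eax ; jz +5
SAMPLE_CODE = b"\xFF\x15\x10\x20\x40\x00" + b"\x85\xC0" + b"\x74\x05"


def call_length(code: bytes, offset: int) -> int:
    """Return the byte length of the call instruction at `offset`, or raise if none is there."""
    op = code[offset:offset + 2]
    if op[:1] == b"\xE8":
        return 5            # call rel32 (direct call)
    if op == b"\xFF\x15":
        return 6            # call [disp32] (indirect, e.g. through the import address table)
    raise ValueError(f"no call encoding at offset {offset:#x}: {op.hex()}")


def patch_call_return_zero(code: bytes, offset: int) -> bytes:
    """Replace the call at `offset` with `xor eax, eax` + nops of the same total length."""
    n = call_length(code, offset)
    patched = bytearray(code)
    patched[offset:offset + n] = XOR_EAX_EAX + NOP * (n - len(XOR_EAX_EAX))
    if len(patched) != len(code):   # a size change would shift every later branch target
        raise RuntimeError("patch changed the buffer length")
    return bytes(patched)


def changed_offsets(before: bytes, after: bytes) -> list:
    """Offsets that differ between two equal-length buffers: the record you keep of a patch."""
    if len(before) != len(after):
        raise ValueError("buffers differ in length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


if __name__ == "__main__":
    out = patch_call_return_zero(SAMPLE_CODE, 0)
    print(out.hex(" "))
    print(changed_offsets(SAMPLE_CODE, out))
```

Keeping `changed_offsets` output next to the patched binary gives you the same thing Hiew's own change list gives you: a short, reviewable description of what was altered that someone else can verify byte for byte.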
You’re trying to repair a damaged file.
Want to see a picture of my pup 🐶? His name is Deputy Dexter!
$ display dexter.png
display-im6.q16: improper image header `dexter.png' @ error/png.c/ReadPNGImage/4107.
Huh, that didn’t work! Maybe we can fix this problem with Hiew.
Okay, this doesn’t look right, there’s an extra 0D in the header.
I’d bet this was probably broken by someone trying to convert from UNIX to DOS line endings![1] We need to go through the file and replace every occurrence of 0D 0A with 0A.
A repetitive task like this is a good opportunity for me to show you how keyboard macros work. All we need to do is fix one of these errors, then we can tell Hiew to repeat everything we just did.
So, hit alt+. to begin recording a macro. This recording symbol should appear.
Now we need to search for the next occurrence of 0D 0A, so f7, and enter 0D0A.
To delete a byte, you mark it then press shift+f2.
That’s it! Now hit alt+. to end the macro.
To tell Hiew to repeat this for every occurrence in the file, open the macro manager with alt+=, and then make sure the L (loop) and S (search failure) flags are set. This just means that Hiew should repeat execution until a search failure occurs.
You can give it a name if you want to save it for future use, but we’re only going to use it once. So hit enter to run it!
Tip: The default execution speed is 200ms, which is slow enough that you can watch it run. It’s kinda cool to watch, but you can turn it all the way down to 0ms if you like!
Let’s check if that worked, can we see Dexter!
There’s my little guy!
Tip: You can abort a running macro with esc. For some reason it will say “aborted by hacker” lol?
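The macro above is a search-and-delete loop over every 0D 0A pair, and the only confirmation that it worked is that the image opens. The example below is added here and is not the article's code: it reproduces the damage and the repair in Python on a constructed 1x1 PNG built inline, assuming (as the "extra 0D in the header" suggests) that the conversion inserted a 0D before every 0A, including the one already preceded by 0D in the PNG signature. It then gives the stronger check a practitioner wants after a bulk byte edit: the PNG signature must be back and every chunk's CRC must match, which catches any 0D that was removed but should have stayed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # note: it contains 0D 0A itself, and a lone 0A


def build_test_png() -> bytes:
    """Constructed sample: a 1x1 greyscale PNG assembled from scratch so the example runs offline."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF      # CRC covers type + data, not length
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x7f")                    # filter byte 0 + one grey pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def unix2dos_naive(data: bytes) -> bytes:
    """The damage assumed here: every 0A becomes 0D 0A, even where a 0D was already present."""
    return data.replace(b"\n", b"\r\n")


def repair_crlf(data: bytes) -> bytes:
    """The macro's effect: drop the 0D in front of every 0A (leftmost, non-overlapping, like Hiew's search)."""
    return data.replace(b"\r\n", b"\n")


def verify_png(data: bytes) -> list:
    """Return the chunk types in order if the signature and every chunk CRC check out; raise otherwise."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    types = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return types


def is_valid_png(data: bytes) -> bool:
    try:
        verify_png(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    original = build_test_png()
    damaged = unix2dos_naive(original)
    print("damaged valid:", is_valid_png(damaged))
    repaired = repair_crlf(damaged)
    print("repaired valid:", is_valid_png(repaired), verify_png(repaired))
```

The CRC walk is what tells you the repair was exact rather than merely good enough for the viewer: if the original file had contained a genuine 0D 0A that the conversion left alone, the blanket replacement would silently drop a byte, and the affected chunk's CRC would no longer match.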
[1] Yes, I broke it on purpose for this demonstration!