You’re making an attempt to know an undocumented proprietary file format.
A very good place to start out is often trying on the checklist of strings that seem within the file, that’s alt+f6.
String Checklist
Hopefully that provides you with some clues about what fields could be within the header. In Hiew, you mark fields utilizing blocks, and also you begin a block with *.
I see there’s what seems like a filename close to the highest, so let me mark that.
All the same old motion instructions work when you’re defining a block, together with looking and leaping. Vim customers will acknowledge this as similar to visible mode.
Now that it’s marked, you possibly can assign it a coloration with alt+m, or simply give it a random coloration with alt+shift+m.
I like to simply maintain hitting alt+shift+m till I get a coloration I like.
Okay, now you possibly can watch me repeat that course of for a number of extra fields…
Tip: Feeling shortcut overload? Don’t fear, I made hiewdocs, a straightforward on-line shortcut reference!
Now we in all probability need to add some notes to remind us what we predict a discipline is. In Hiew, you enter a remark with ;.
Identical to with a dissasembler, every location can have a identify and a remark, you enter a reputation with shift+f12. They’re each optionally available, skip one or each for those who like!
As soon as some fields are marked, you possibly can transfer between them with alt+n (ahead) and alt+shift+n (backward).
Hiew will show any names and feedback as you navigate round as floating ideas. You may as well open an inventory with f12 and bounce straight to the one you’re all for!
I believe we’re making progress. Take a look at this discipline, I believe it’s the size of the information block:
Calculator
If I look at it within the calculator, as a DWORD that might be 203008. Okay, Let’s extract a block of that size and reserve it to a file.
So we have to…
Hit * to pick a block.
Press f5 to leap to an offset.
Enter +203008t to maneuver ahead that many bytes.
Now we will use f2 to avoid wasting the present block to a file.
Write Block
You may hit backspace to leap again to your final location when achieved.
Tip: Hiew has about one million methods to leap round a file! Don’t fear, you don’t must memorize them!
Let’s check out this block we saved. I believe I do know what that is, if I add a deflate header…
Ah-ha, we obtained again the uncompressed information!
You in all probability noticed the PK header, and realized this isn’t an undocumented file format in any respect, it’s a ZIP archive. Yep, you bought me 🙂
You don’t must undergo this course of for frequent codecs like Zip, you possibly can simply use a typical template that can populate the fields for you. If I do this, the names checklist f12 seems like this.
Kiewtai
State of affairs #2
You’re making an attempt to patch an executable you don’t have the supply code for.
The very first thing you should know is that Hiew has three predominant views. They’re textual content, code and information. You may shortly flip between them with out shedding your house, simply hit enter. Most Hiew customers get into the behavior of doing this incessantly!
Let’s take a better have a look at the code view.
Code View
As you possibly can see, Hiew has a builtin disassembler, very useful for those who work in safety and must extract shellcode!
Do you see these little arrow annotations? These are shortcuts to observe a department, you simply hit the corresponding key to leap to the department goal. This allows you to browse the code successfully with out leaving Hiew.
In the event you see ↓5, meaning it’s a ahead department and you may press 5 to leap to the vacation spot.
Department Annotations
Whereas we’re searching round we will enter feedback with ;, similar to in information view. The one distinction is that your feedback get added to the disassembly, moderately than as floating tooltips!
Right here’s a neat function, see these dashes?
Bookmark Stack
That’s your bookmark stack! If you wish to go discover someplace else, you possibly can hit +, you then return later by hitting -.
Tip: Check out hiewdocs if you wish to grasp the bookmark stack!
Hiew understands most main executable codecs, and can populate names mechanically. You may simply browse and patch headers, sections, tables, and so forth.
Let’s check out the imports desk.
Look, there’s a name to IsDebuggerPresent().
IsDebuggerPresent
Let’s patch it out only for enjoyable. Hiew not solely has a dissasembler in-built, it additionally has an assembler. I believe it is a distinctive function amongst main hex editors!
There’s a useful shortcut to simply nop an instruction alt+f2.
Now let’s change this nop into xor eax, eax, and we’re achieved!
I problem you to seek out me a hex editor that makes patching executables simpler than Hiew 😂
State of affairs #3
You’re making an attempt to restore a broken file.
Need to see an image of my pup 🐶? His identify is Deputy Dexter!
$ show dexter.png
display-im6.q16: improper picture header `dexter.png' @ error/png.c/ReadPNGImage/4107.
Huh, that didn’t work! Perhaps we will repair this downside with Hiew.
Damaged Header
Okay, this doesn’t look proper, there’s an additional 0D within the header.
I’d guess this was in all probability damaged by somebody making an attempt to transform from UNIX to DOS line endings! We have to undergo the file and substitute each prevalence of 0D 0A with 0A.
A repetitive process like it is a good alternative for me to point out you the way keyboard macros work. All we have to do is repair one among these errors, then we will inform Hiew to repeat every part we simply did.
So, hit alt+. to start recording a macro. This recording image ought to seem.
Macro Indicator
Now we have to seek for the subsequent prevalence of 0D 0A, so f7, and enter 0D0A.
To delete a byte, you mark it then press shift+f2.
That’s it! Now hit alt+. to finish the macro.
To inform Hiew to repeat this for each prevalence within the file, open the macro supervisor with alt+=, after which be sure that the L (loop) and S (search failure) flags are set. This simply signifies that Hiew ought to repeat exection till a search failure happens.
Macro Supervisor
You may give it a reputation if you wish to reserve it for future use, however we’re solely going to make use of it as soon as. So hit enter to run it!
Tip: The default execution velocity is 200ms, which is gradual sufficient you can watch it run. It’s kinda cool to observe, however you possibly can flip all of it the best way all the way down to 0ms for those who like!
Let’s examine if that labored, can we see Dexter!
Macro Supervisor
There’s my little man!
Tip: You may abort a working macro with esc. For some cause it should say “aborted by hacker” lol?
