11 - Intro to HEX editors
Null diskmag Issue 1
You are probably familiar with the notion of a text editor - Linux has lots of them, for both the terminal and the desktop. The command line choices include vi and nano, while on the desktop there are applications like gedit and Kate. But what if you need to edit a binary file? What can you use? There is a class of editor known as a "hex editor" which allows you to edit any type of file, especially binary files.
Hex editors get their name because the contents of the file are primarily shown as hexadecimal (hex) numbers. We normally count in base 10, meaning each digit (or column) represents a factor of 10. So 123 is 3 units, 2 lots of 10 (i.e. 20) and 1 lot of 100 (i.e. 100). That is great and perfect for how we learn math as children since we have ten fingers! One byte of computer memory or of disk storage can represent a number up to the value of 255. The problem with base 10 is that you need 3 digits to display 255. However, you don't actually have to represent the value in base 10. You could represent it in binary (i.e. base 2) or in hexadecimal (i.e. base 16). In hex, each digit or column represents a factor of 16 and not 10. To distinguish between hex numbers and decimal numbers, hexadecimals are normally prefixed with "0x". So 0x91 is not ninety-one, but rather 145. It is 9 lots of 16 plus 1. In hex, the numbers go like this: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F, 10, 11, 12 and so on. The advantage of this system is that 255 (the maximum value of a byte) can be written as 0xFF (15 lots of 16 plus 15).
A hex editor uses these two-digit representations to provide a simple grid that can be easily navigated, something that would be harder with 3 digit decimal numbers.
There are several different hex editors available for Linux, and like text editors, some are designed to work in the terminal and others from the desktop. Hexcurse is a simple command line hex editor. To install it on Ubuntu, type the following in a terminal:
sudo apt-get install hexcurse
To try out hexcurse, type the following:
hexcurse /bin/ls
That will launch the program and load the "ls" binary which is found in "/bin".
┌────────────────────────────────────────────────────────┐ ┌────────────────┐
│00000000 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00│ │^?LF............│
│00000010 02 00 3E 00 01 00 00 00 90 48 40 00 00 00 00 00│ │..>......H@.....│
│00000020 40 00 00 00 00 00 00 00 00 A7 01 00 00 00 00 00│ │@...............│
│00000030 00 00 00 00 40 00 38 00 09 00 40 00 1C 00 1B 00│ │....@.8...@.....│
│00000040 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00│ │........@.......│
│00000050 40 00 40 00 00 00 00 00 40 00 40 00 00 00 00 00│ │@.@.....@.@.....│
│00000060 F8 01 00 00 00 00 00 00 F8 01 00 00 00 00 00 00│ │................│
│00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00│ │................│
│00000080 38 02 00 00 00 00 00 00 38 02 40 00 00 00 00 00│ │8.......8.@.....│
│00000090 38 02 40 00 00 00 00 00 1C 00 00 00 00 00 00 00│ │8.@.............│
│000000A0 1C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00│ │................│
│000000B0 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00│ │................│
│000000C0 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00│ │..@.......@.....│
│000000D0 44 9D 01 00 00 00 00 00 44 9D 01 00 00 00 00 00│ │D.......D.......│
│000000E0 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00│ │.. .............│
│000000F0 F0 9D 01 00 00 00 00 00 F0 9D 61 00 00 00 00 00│ │..........a.....│
│00000100 F0 9D 61 00 00 00 00 00 04 08 00 00 00 00 00 00│ │..a.............│
│00000110 70 15 00 00 00 00 00 00 00 00 20 00 00 00 00 00│ │p......... .....│
│00000120 02 00 00 00 06 00 00 00 08 9E 01 00 00 00 00 00│ │................│
│00000130 08 9E 61 00 00 00 00 00 08 9E 61 00 00 00 00 00│ │..a.......a.....│
│00000140 F0 01 00 00 00 00 00 00 F0 01 00 00 00 00 00 00│ │................│
│00000150 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00│ │................│
└────────────────────────────────────────────────────────┘ └────────────────┘
Help Save Open Goto Find Hex Addr Hex Edit Quit
Use the arrow keys, page up and page down to navigate around the grid of hex numbers. If you type a number, the byte at that point will be changed to the number you entered. Do not attempt this now, otherwise you could break the "/bin/ls" command. If you press TAB, the cursor will jump to the ASCII (text) side and you can change values by entering new letters, numbers and symbols.
Here is a list of the essential keys for using hexcurse:
F2 or CTRL+s - Save
F3 or CTRL+o - Open
F4 or CTRL+g - Goto
F5 or CTRL+f - Find
F8 or CTRL+q - Exit
The best way to experiment safely using a hex editor is to edit one of your own files (and not a system file). Use nano to create a simple C program:
nano hello.c
Cut and paste in the following code:
#include <stdio.h>

int main(void)
{
    printf("Hello Make Tech Easier!\n");
    return 0;
}
Compile the program:
gcc -o hello hello.c
Now you can safely invoke hexcurse on the resulting "hello" binary. If you break the binary, it won't matter:
hexcurse hello
Scroll down until you see the string "Hello Make Tech Easier!" in the right-hand section. Press TAB to switch to ASCII editing and navigate to the word "Hello". Type the word "HELLO" over it. Notice that the string changes in the right-hand section and the hex numbers change in the left-hand section. The new hex numbers should be "48 45 4C 4C 4F", which are the ASCII values for "HELLO".
Now save the file using "Ctrl + s", and quit with "Ctrl + q". You can now run the "hello" binary and you will see that the output is "HELLO Make Tech Easier!" and not "Hello Make Tech Easier!" This is because you edited the binary and changed the string.
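The same edit done in code, as an added example that is not part of the original article: it overwrites "Hello" with "HELLO" in place, refuses any replacement that would change the length (which would shift every later byte in the binary), and then lists the changed offsets and SHA-256 digests that reveal a file was modified. The sample bytes and all function names are constructed for illustration, not taken from a real "hello" binary.

```python
import hashlib

def hex_row(data, offset):
    """Render one 16-byte row as offset, hex bytes and ASCII, like the editor grid."""
    chunk = data[offset:offset + 16]
    hexpart = " ".join(f"{b:02X}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08X} {hexpart:<47} {text}"

def patch_same_length(data, old, new):
    """Overwrite the one occurrence of old with new without shifting any byte."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    if data.count(old) != 1:
        raise ValueError("expected exactly one occurrence of the original bytes")
    pos = data.index(old)
    return data[:pos] + new + data[pos + len(old):]

def changed_offsets(before, after):
    """List the offsets whose byte differs between two same-sized images."""
    if len(before) != len(after):
        raise ValueError("file size changed")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def sha256_hex(data):
    """Digest used to tell the original file from the edited one."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: 16 header-like bytes, padding, then the program's string.
SAMPLE = (bytes.fromhex("7F454C46020101000000000000000000")
          + b"\x00" * 4 + b"Hello Make Tech Easier!\x00")

if __name__ == "__main__":
    patched = patch_same_length(SAMPLE, b"Hello", b"HELLO")
    print(hex_row(SAMPLE, 16))
    print(hex_row(patched, 16))
    print("changed offsets:", [f"0x{o:X}" for o in changed_offsets(SAMPLE, patched)])
    print("sha256 before:", sha256_hex(SAMPLE))
    print("sha256 after: ", sha256_hex(patched))
```

To compare real files, read a copy of "hello" taken before the edit and the edited file with open(path, "rb").read() and pass both to changed_offsets.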
ghex is a desktop hex editor. To install it, use:
sudo apt-get install ghex
It can be started from the launcher or from the command line. To edit the "hello" binary type:
ghex hello
The program works in a very similar way to "hexcurse". You can navigate with the arrow keys, page up, and page down. TAB switches between editing the hex or text. "Ctrl + s" saves the file and so on. Since it is a desktop app, there is a menu bar which lists the other operations.
These tools can be very powerful, but it is also easy to corrupt binary files, so please use them with care. If you have any questions about "hexcurse" or "ghex" then please feel free to ask them in the comments section and we will see if we can help.