Hex Editor – Comprehensive User Guide

Opening Files:

• Use the 📂 Open button to select a file via your system's file chooser.
• Alternatively, drag and drop a file directly into the editor window.

Saving Files:

• Click Save File to write changes back to disk.
• The editor saves with the original filename by default.

Scenario Example: You open a firmware image for analysis, edit a few configuration bytes, and save it back with the same filename for flashing onto hardware.

Display:

• Bytes are shown in two columns: hexadecimal values and their ASCII equivalents.
• Non-printable characters appear as a dot . in the ASCII view.

Interacting:

• Single-click a byte → move cursor and update the Data Inspector.
• Double-click a byte → enter edit mode. A floating editor appears directly over the cell.
• Press Enter to commit and move to the next cell, or Esc to cancel.
• Toggle row width between 16 bytes and 32 bytes using the dropdown.

Scenario Example: While reverse-engineering a save file, you notice your character's health value in decimal is 100. In hex, that is 64. You double-click the byte, change it to FF, and save. When you reopen the game, your character has maximum health.

Keyboard:

• Arrow Keys: move cursor one cell.
• PageUp / PageDown: scroll quickly through data.

Virtualisation: Only the visible portion of the file is rendered. This allows smooth navigation even in multi-gigabyte files.

Overview Ruler: A slim bar on the right shows markers for bookmarks, ranges, search hits, and carved objects. Click to jump.

Scenario Example: You scroll through a 1 GB log file quickly using PageDown, with no lag, and click a red marker in the ruler to jump to an identified error string.

The inspector shows the current byte (or multi-byte selection) in multiple interpretations:

• Unsigned / signed integers (8, 16, 32, 64-bit)
• Floating-point values
• Text encoding (ASCII, UTF-8, UTF-16)

Scenario Example: Selecting four bytes in a binary shows that they represent the floating-point number 3.14159 in little-endian. You confirm that this section stores mathematical constants.

The entropy panel shows randomness (Shannon entropy) across the file:

• Low entropy (structured areas, e.g., headers) appear blue.
• High entropy (compressed/encrypted blocks) appear red.

Scenario Example: While inspecting a suspected malware binary, you see one section is high-entropy compared to the rest. This indicates packed or encrypted payloads.

Hex Search: Enter sequences like DE AD BE EF.

ASCII Search: Enter plain text, e.g., password.

Matches are highlighted in the hex view and marked in the overview ruler.

Scenario Example: You search for PK in a suspicious file, which reveals embedded ZIP archives at multiple offsets.

The Structures Wizard lets you define fields and apply templates for known formats:

• Specify offset, length, type, and endianness.
• Apply predefined templates (PNG, JPEG, ELF, PE, ZIP, etc.).

If a file matches a known format, the editor auto-applies the template and populates a side panel with parsed values.

Scenario Example: Loading a PNG automatically parses its IHDR chunk and shows “Width: 1024, Height: 768, Bit depth: 8” in the structures panel.

Compare files to see changes:

• 🔀 Compare: Two-way binary diff.
• 🌌 Triple Diff: Original vs Current vs Other.

Differences are colour-highlighted in hex and ASCII.

Scenario Example: You compare a clean EXE to a suspected infected EXE. The diff highlights injected shellcode at offset 0x401000.

Every edit is tracked:

• Undo / redo actions instantly.
• Create branches for experimental edits.
• Checkpoint states for quick restoration.

Scenario Example: While patching a binary, you create a branch for each variant. One branch disables copy protection, another modifies level data. You can switch between them instantly.

1. Object Carving & Gallery

Scans the file for embedded objects based on known signatures. Extracted objects are listed with thumbnails or previews.

Scenario: In a memory dump, the carver finds hidden JPEGs. You preview them and discover screenshots of an exfiltrated desktop.

2. Rich Preview

Displays live previews for recognised file types.

• Images → canvas thumbnails
• Audio → WebAudio playback
• Video → <video> playback
• PDF → rendered pages

Scenario: You extract an embedded PDF from an email attachment. The preview shows its first page, revealing phishing instructions without opening it externally.

3. Container Explorers

Parse and browse container formats such as ZIP, RIFF, MP4, and PDF.

Scenario: An APK file (ZIP) is loaded. The explorer lists AndroidManifest.xml, icons, and resources. You export the manifest for static analysis.

4. Metadata Extractors

Extract metadata fields from common file types:

• EXIF in JPEG/TIFF
• ID3 in MP3
• Vorbis comments in OGG/FLAC
• PE/ELF/Mach-O headers

Scenario: A JPEG from a suspect's phone reveals GPS coordinates in its EXIF data, which you map to a location.

5. Strings & IOC Discovery

Extract human-readable strings, decode common encodings, and search with regex/YARA.

Scenario: A DLL reveals hardcoded domains and suspicious Base64-encoded payloads, pointing to malware command-and-control servers.

6. Executable Explorers

Specialised explorers for executables:

• PE (Windows)
• ELF (Linux)
• Mach-O (macOS/iOS)

Scenario: A malicious Windows DLL shows imports of VirtualAlloc and LoadLibrary, confirming it injects shellcode.

7. Plugin Extensibility

You can add your own plugins. A plugin is simply a JavaScript file that registers a panel and analysis routine.

Scenario: You add a YARA plugin. When scanning a suspicious binary, the plugin automatically flags known malware signatures.