High-density, terminal-based binary viewer for visual pattern matching.

amtal/blindsight


High-density hex viewer focused on visual pattern matching on <1MB binaries.

Binary Editor BZ has this covered on Windows. This is a Unix version you can quickly extend and hack on. Supports live code reload for smooth domain-specific prototyping.

Quick usage demonstration on /bin/ls

Installing

On Arch, run makepkg -si in pkg/archlinux/. On OSX, there's a Homebrew formula you can add to your personal tap and brew install.

Elsewhere, ensure that you have ncursesw, autotools, the Tiny C Compiler, and a GCC-based build environment. You may want to install TCC from source (it's small) to enable live code reload. As usual, ./bootstrap && ./configure && make then sudo make install.

Using

Run some of the examples (like examples/bs.c); they are all C scripts executable via the Tiny C Compiler's -run option. For fast iteration, running hex viewers automatically reload saved code on supported platforms.

Live code reload demonstration

You can write your own views that make use of C libraries, such as the Capstone-based disassembly view in examples/dasm.c. Copy-paste liberally from other examples, and see src/blindsight.h for the VIEW(..) struct + function definition macro and the API available to render functions.

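#!/usr/bin/tcc -run -L/usr/local/lib -lblindsight
#include "blindsight.h"
#include <ncurses.h>

/* vim's xxd.c in default mode */
VIEW(xxd,
     /* bytes         y, x dimensions */
        16,   /*=>*/ {1, 59}
)(uint8_t* s, size_t n, /*=>*/ int y, int x) {
        /* hex column: two bytes per group, one group every 5 cells */
        for (int i=0, xi=x; i<(int)n; i+=2, xi+=5) {
                if (i+1 < (int)n)
                        mvprintw(y, xi, "%02x%02x ", s[i], s[i+1]);
                else    /* odd-length tail (assumes a short last row): do not read s[n] */
                        mvprintw(y, xi, "%02x   ", s[i]);
        }
        /* ASCII column: printable bytes as-is, everything else as '.' */
        for (int i=0, xi=x+41; i<(int)n; i++, xi++) {
                unsigned char c = s[i];
                mvaddch(y, xi, ' ' <= c && c <= '~' ? c : '.');
        }
        /* reset the row's attributes to normal */
        mvchgat(y, x, 57, A_NORMAL, 0, NULL);
}

/* NULL-terminated list of views to offer */
view* views[] = {&xxd, 0};

int main(const int argc, char** argv) {
        return blindsight(argc, argv, views, "views");
}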

This should be useful for one-off CTF tools and experiments during reverse engineering.
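An added example, not code from the blindsight repository: the per-byte classification a denser view could draw (one cell per byte instead of xxd's hex pairs), written as plain C that fills a string so it runs without the library. The glyph choices and the names `byte_glyph`, `render_row` and `distinct_bytes` are hypothetical; inside a render function the same loop would call `mvaddch` instead of writing to a buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One glyph per byte class (hypothetical mapping), so N bytes fit in N cells. */
static char byte_glyph(uint8_t b) {
    if (b == 0x00) return ' ';              /* zero padding */
    if (b == 0xff) return '#';              /* 0xff fill */
    if (b >= 0x20 && b <= 0x7e) return 'a'; /* printable ASCII */
    if (b < 0x20 || b == 0x7f) return '.';  /* control characters */
    return '+';                             /* 0x80..0xfe */
}

/* Render up to `width` bytes into out (must hold width+1 chars).
 * A short final row (n < width) is padded with '~'; s is never read past n.
 * Returns the number of input bytes consumed. */
size_t render_row(const uint8_t *s, size_t n, size_t width, char *out) {
    size_t used = n < width ? n : width;
    for (size_t i = 0; i < used; i++) out[i] = byte_glyph(s[i]);
    for (size_t i = used; i < width; i++) out[i] = '~';
    out[width] = '\0';
    return used;
}

/* Distinct byte values in a window: a crude, libm-free hint of randomness. */
size_t distinct_bytes(const uint8_t *s, size_t n) {
    uint8_t seen[256] = {0};
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[s[i]]) { seen[s[i]] = 1; count++; }
    return count;
}

int main(void) {
    /* Constructed sample: ELF-like magic, zero padding, a string, 0xff fill. */
    static const uint8_t sample[] = {
        0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00, 0x00, 0x00,
        '/', 'b', 'i', 'n', 0x00, 0xff, 0xff, 0x90, 0xc3 };
    char line[17];
    for (size_t off = 0; off < sizeof sample; off += 16) {
        size_t used = render_row(sample + off, sizeof sample - off, 16, line);
        printf("%04zx |%s| distinct=%zu\n", off, line,
               distinct_bytes(sample + off, used));
    }
    return 0;
}
```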

Simple page permission viewer on raw TLB dumps

Design Rationale

"Cause still unknown after several thousand engineering-hours of review. Now parsing data with a hex editor to recover final milliseconds."

Hexdumps are the lowest-level debug tool in software. They'll never go away, but as shown by Corkami's dissections they might get fancier.

"We're the goddamned Kalashnikovs of thinking meat."

This is a hex viewer. It's here to encourage and assist the part of the brain that sees animals in clouds and patterns in bespoke ciphertexts. Use it to do initial reconnaissance, seed whimsical hypotheses, and test them swiftly.

Stateful operations like edits on binary formats should be formalized in version controlled tools, not shot from the hip and left undocumented. Your end goal should be elegant domain-specific parsers and pretty-printers, not some kludge caged in a power-of-2 aligned grid. See Scapy, Nom, or Parsec and its variations as examples.