[HN Gopher] Imhex: A hex editor for reverse engineers
___________________________________________________________________
Imhex: A hex editor for reverse engineers
Author : wsc981
Score : 363 points
Date : 2024-06-29 07:25 UTC (15 hours ago)
(HTM) web link (github.com)
| z3phyr wrote:
| I really like this area of computer culture. RE, writing kernel
| modules, figuring out how stuff works and making stuff do what it
| was not designed to do aspects. However, legal avenues to do so
| are far in between and it requires a huge amount of time and help
| from peers.
| exe34 wrote:
| are there illegal schools teaching kernel module writing?
| Retr0id wrote:
| Yes. A silly example I encountered just yesterday, looking
| for usermodehelper invocation examples:
| https://gist.github.com/muratdemirtas/31b46c459c9c2e285ed71b...
|
| Commenter asks:
|
| > also, question: Why is it called linux_keylogger?
| exe34 wrote:
| i don't see how that's illegal - it's only a crime if you
| install it on somebody's computer to steal their
| information. knives aren't illegal.
| Retr0id wrote:
| Yes, it's not literally illegal, otherwise Microsoft
| would be in even more trouble. I just thought it was
| amusing.
|
| (but also, carrying a sensibly sized knife _is_ illegal
| where I live)
| no_time wrote:
| You don't need a project to be "legal" to have some fun :)
|
| Publish under a pseudonym with no links to your real identity,
| use dedicated communities that disregard DMCA takedowns. As
| long as you don't want to earn money this way, the worst that
| will happen is that your target notices your work and deploys
| vmprotect on their releases.
| poincaredisk wrote:
| >However, legal avenues to do so are far in between and it
| requires a huge amount of time and help from peers.
|
| I reverse engineer things for a living and I have many peers
| worldwide who do the same. My main field of work is malware
| analysis.
|
| For recreation, in my country it's explicitly legal to reverse
| engineer things you own, with a purpose of making it work on
| your system (think: fixing a windows XP game so it works on
| windows 10). This is a very broad loophole, and lets you
| reverse engineer things in most cases when they "feel" like
| they should be legal.
| 8372049 wrote:
| This applies to the entire EEA, fortunately!
| cess11 wrote:
| Reversing for the purpose of integrations is commonly also
| legal.
| LocalH wrote:
| If you've never done at least a tiny bit of "illegal" RE, are
| you even a _true_ hacker? ;)
| kstrauser wrote:
| File formats are great fun to RE. I worked at a place that used
| a proprietary business management app. One day I was bored and
| started looking at its data files with a hex editor and saw
| some patterns like the titles of records in the app were spaced
| at exact multiples of X bytes apart on the data file. Oh! Fixed
| width records! Huh, look at that: right after the title, the
| next two bytes look like the hex value of the record number
| shown in the app. Guess that's how it stores those! If I click
| this checkbox, this one byte changes from 0x00 to 0x01. Hey
| there! After enough experimentation I had the whole thing
| mapped to structs in code and was able to build reports that
| the original app couldn't support.
|
| There wasn't anything illegal about that. I'm sure the vendor
| would've preferred we pay them to make reports for us but
| nothing legally prevented it.
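
The workflow described in the comment above, as an added Python example that is not part of the original comment: infer the fixed record width from where the titles sit, diff two snapshots to locate the checkbox byte, then map records to a struct. The 48-byte layout, field order and sample rows are constructed assumptions for illustration, not the real application's format.

```python
import struct
from functools import reduce
from math import gcd

# Assumed layout (constructed for this example): 32-byte NUL-padded title,
# little-endian u16 record number, 1-byte checkbox flag, 13 padding bytes.
RECORD = struct.Struct("<32sHB13x")  # 48 bytes per record

def build_sample(rows):
    """Build a constructed data file from (title, number, checked) tuples."""
    return b"".join(RECORD.pack(t.encode("ascii"), n, int(c)) for t, n, c in rows)

def text_run_offsets(data, min_len=4):
    """Offsets where a run of at least min_len printable ASCII bytes starts."""
    offsets, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                offsets.append(start)
            start = None
    return offsets

def infer_record_size(data):
    """Titles sit at exact multiples of X bytes: X is the GCD of their spacing."""
    offs = text_run_offsets(data)
    gaps = [b - a for a, b in zip(offs, offs[1:])]
    return reduce(gcd, gaps) if gaps else None

def changed_offsets(before, after):
    """Offsets that differ between two same-length snapshots of the file."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def parse(data, size):
    """Map every fixed-width record to (title, number, checked)."""
    records = []
    for off in range(0, len(data) - size + 1, size):
        title, number, flag = RECORD.unpack_from(data, off)
        records.append((title.rstrip(b"\x00").decode("ascii"), number, bool(flag)))
    return records

# Constructed sample: the same file before and after ticking one checkbox.
ROWS = [("Invoice A", 1001, False), ("Purchase order", 1002, False),
        ("Credit note", 1003, True)]
BEFORE = build_sample(ROWS)
AFTER = build_sample([ROWS[0], ("Purchase order", 1002, True), ROWS[2]])

if __name__ == "__main__":
    size = infer_record_size(BEFORE)
    flag_at = changed_offsets(BEFORE, AFTER)[0] % size
    print(f"record size {size}, checkbox byte at +{flag_at}")
    for rec in parse(AFTER, size):
        print(rec)
```
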
| sadops wrote:
| Just don't publish it, and you can kinda do whatever. Remember,
| just because you build or learn something doesn't mean you have
| to broadcast it. Edification can be its own reward.
| wkat4242 wrote:
| Is publishing what you've learned not ok?
| 0xDEADFED5 wrote:
| Looks good! I usually stick to 010 Editor for its wildcard
| search, but ImHex does that and more, I'm sold. Will be testing
| it out a bit more
| 0xFEE1DEAD wrote:
| what're the odds of two dead 0x users showing up at the same
| time in a thread previously without comments. gave me a chuckle
| jolj wrote:
| a thread about a hex editor? kinda high
| 0xFEE1DEAD wrote:
| This seems interesting and is coincidentally exactly what I need
| right now. My trusty file, strings, hexdump and xxd all failed
| me. I was going to use ghidra, but it's quite the beast and I
| haven't had any time to learn it yet. Gonna give this a try
| tonight.
| nneonneo wrote:
| What do you need Ghidra for?
|
| Ghidra is, for the most part, not a hex editor. It's meant for
| reverse engineering - mainly decompilation, but it's useful for
| patching as well. The debugger is new and takes some getting
| used to (I'm still using GDB + Ghidra), but the disassembler
| and decompiler are top-notch.
| tsujamin wrote:
| It's also useful for defining data structures and carving
| them up, which (for me) is the role now filled by ImHex.
|
| If HexFiend/xxd are at one end of the spectrum, ghidra at the
| other, I imagine ImHex and tools like Kaitai are in the
| middle
| nneonneo wrote:
| Hex Fiend does data structures and file formats now too,
| using parsers written in TCL. I'd probably rate Hex Fiend
| as being in the middle too, especially if you're going to
| put xxd at the low end :)
|
| Personally, for file format parsing I like to use Hachoir
| (specifically Hachoir-wx for GUI file structure browsing),
| which is a somewhat obscure bit of software that I've made
| some contributions to.
| tsujamin wrote:
| Huh interesting, thanks for the recs!
| ithkuil wrote:
| Username checks out
| nneonneo wrote:
| I tried ImHex...found it way too complex for most of what I
| wanted to do. I'm still a huge fan of Hex Fiend on macOS -
| simple, fast, does what I want. I still haven't found the perfect
| "simple" hex editor on Windows.
| nine_k wrote:
| Have you tried Hiew?
| nneonneo wrote:
| No, hadn't heard about it. Seems interesting, sort of "vim
| for hex" like. I might give it a spin.
| andrewshadura wrote:
| Actually ncedit for hex.
| MontagFTB wrote:
| +1 for HexFiend. Their template format is straightforward to
| extend. I've used it to analyze many different file formats.
|
| I also tried ImHex briefly. I have a ton of respect for the
| project, but found for my needs it was like using a cannon to
| kill a housefly.
| s1gsegv wrote:
| Interesting, I find HxD on Windows to be the absolute peak of
| hex editors with no real parallels on macOS or Linux. Which is
| a shame because I never use Windows.
|
| Hex Fiend for instance is my hex editor on macOS, but why does
| it insist on reflowing the lines when I expand the window? I
| might just want to work with it maximized to avoid visual
| distractions, but I still only want lines to be 16 or 32 bytes
| long, and definitely not some weird size that will make things
| not line up.
| GordonS wrote:
| +1 for HxD, been using it on Windows for a long while now,
| and it's the best hex editor I've tried. Haven't tried ImHex
| yet, mind.
| markus_zhang wrote:
| I use HxD as well. It is an interesting and fast tool.
| s1gsegv wrote:
| This is the other thing with HxD and I think it's very
| important for a hex editor, it handles huge amounts of data
| in the correct way. HxD can open entire block devices, or
| per-process/whole system RAM, and it all works without
| bogging down.
|
| I've tried a lot of lesser hex editors that get cooked the
| moment you try to open a 4GB file. I don't know if the
| field I'm in skews this, but most of the time if I'm
| looking at a file in a hex editor, it's relatively large
| and I need to find a tiny amount of information in it.
| noname120 wrote:
| I will stick to 010 Editor for now[1], it's the most amazing hex
| editor I've tried in my life. I'm not fond at all of the GUI
| framework (Dear ImGui) that this new project uses. It's meant
| for embedded systems with tiny screens and no window manager, not
| full-fledged desktop environments where the small elements and
| the complete lack of UI integration makes for a very awkward
| experience.
|
| [1] https://www.sweetscape.com/010editor/
| rafram wrote:
| Yeah, just the crappy aliased font rendering alone makes this
| painful to use for me.
| carrja99 wrote:
| Gave me a flashback to my middle school days when I used a hex
| editor to modify my saved game files.
| mahoro wrote:
| This is an absolutely great project. I had a lot of fun tinkering
| with the ROM of my Philips smart clock.
|
| It has a built-in DSL that looks like Rust (without memory
| management, though - so it's very lightweight), and with that,
| it's possible to visualize and extract structural data from
| binary streams. That's really fun and cool.
|
| It also has a visual editor to make simple calculations with no
| code. It didn't feel polished at the time I tried it. Strangely,
| writing code in DSL was more intuitive and easier for me.
| alex_suzuki wrote:
| Cool, a bit like Wireshark protocol dissectors then?
| jchw wrote:
| There's, unfortunately, a million similar implementations for
| this basic concept. 010 Binary Templates, Hex Workshop
| structures, Okteta structures, Kaitai Struct Definitions.
| Heck, I made my own Go struct tag DSL that does this, before
| I realized just how many times it had already been done
| before.
|
| The thing that's complicated of course, is that while it is a
| good idea and the basic idea is incredibly similar across
| implementations, there are _just_ enough different concerns
| to make it hard to have one universal standard that can cover
| all of the use cases. It's hard enough to have a single
| parsing framework that handles both text parsing and binary
| format parsing well, but you also would need to consider the
| ability to incrementally parse/stream, read/write support,
| support arbitrary transformations, some formats need
| pointers, offsets, indices, and of course to what degree such
| a descriptor should be declarative versus imperative
| (declarative is better, but it gets increasingly hard to
| capture all details entirely in a purely declarative manner.)
| ykonstant wrote:
| Does this editor have a way to display the ASCII bytes in CP437
| glyphs? I grew up reading binary files in DOS that way and I can
| read the glyphs much faster than the corresponding hex values; in
| contrast, using dots for the non-printable characters doesn't
| really tell me much.
| Simran-B wrote:
| You can download additional assets in the settings and then
| interpret data as encoded in various formats. I don't see CP437
| in the list but the file format for encodings is
| straightforward, you can probably create a mapping easily.
|
| https://github.com/WerWolv/ImHex-Patterns/tree/master/encodi...
| Dwedit wrote:
| The problem with CP437 is that FF, 00, and 20 are all empty
| space and look the same. Then there's the question about that
| ambiguous character that's either German Sharp S or Beta.
| ykonstant wrote:
| I break ties by using 0 for NULL which declutters output with
| lots of null bytes, and [?] for non-breaking space because I
| saw the glyph on Wikipedia.
| stavros wrote:
| I will fight anyone who claims that a beta and an eszett look
| the same.
| j16sdiz wrote:
| > people who value their retinas when working at 3 AM.
|
| You just need a well lit room to use light mode.
| Stratoscope wrote:
| Agreed, and also turn down your monitor brightness if needed so
| the light background matches a piece of paper on your desk.
|
| No one complains that reading something on paper burns out your
| retinas. A light mode shouldn't either.
|
| I always assumed that ImHex only supported dark mode, but it
| turns out that it does support light mode too!
| wkat4242 wrote:
| > No one complains that reading something on paper burns out
| your retinas. A light mode shouldn't either.
|
| The problem is that modern monitors are optimised for max
| brightness, not minimum. On my monitor I work on 0%
| brightness during the _day_. More is too bright already.
| During the night I turn down the contrast for lack of other
| options. That screws up colour depth though. Dark mode helps
| a ton too. A monitor that could display accurate colours at
| low brightness would be amazing but nobody cares enough to
| make one.
| someplaceguy wrote:
| > > people who value their retinas when working at 3 AM.
|
| > You just need a well lit room to use light mode.
|
| Who wants a well-lit room at 3 AM?
| aquova wrote:
| Not to be confused with the Reverse Engineer's Hex Editor, rehex
|
| https://github.com/solemnwarning/rehex
| _xerces_ wrote:
| It is hard to find the link for Windows download, most people
| (especially us dumb Windows users) want to find a link and
| download, not scroll a bunch then go to another page then scroll
| some more and make a decision about which one of 20 links they
| need. It is not that hard, especially for most people on HN but
| it does add friction to people trying your software. This is a
| very common thing with other projects so not just picking on this
| one.
|
| Finally, when it does load on my Windows machine (using MSI
| installer and after convincing Microsoft that it is safe to run
| and bypassing their warning) it loads up super tiny on my 4k
| laptop screen and is unusable. I suppose I could mess about with
| the compatibility and scaling settings but I kind of lost
| interest after all of the above.
|
| I tell you all this because obviously a lot of work went into
| this tool and from the screenshots it looks beautiful and useful,
| but is let down by the process involved to get it to run, at
| least on my machine.
|
| For now, I will keep running HxD.
| go_prodev wrote:
| Maybe they've updated it, but I found a Windows MSI link about
| halfway down the front page.
| sva_ wrote:
| Really weird criticism. If you're confused about how GitHub
| works, you might follow the link to their website[0] (when you
| click on "Release" in the readme) and then scroll down to find
| a "Download for Windows" button.
|
| 0. https://imhex.werwolv.net/
| tom_ wrote:
| At least on desktop, there's also a link to the main site in
| the About section of the repo. This might actually be a
| better link for the HN submission, as I bet there's a non-
| zero intersection of hex editor users and people who
| completely do not understand Git whatsoever (assuming they've
| even heard of it).
| denysvitali wrote:
| You can also use it on the web, no need to download it:
| https://web.imhex.werwolv.net/
| pengaru wrote:
| Maybe create an issue saying as much?
|
| https://github.com/WerWolv/ImHex/issues
| _xerces_ wrote:
| Why would I do that unless I have a strong reason to use it
| rather than just move on with my day? A link is posted on HN
| for some cool software, it is already annoying to install it
| due to Microsoft complaining about it, then when I first run
| it, it opens up a tiny window and is asking if it can upload
| information. I don't expect to spend time figuring out its
| issues. I can't be the only one using a 4K display on
| Windows.
| pengaru wrote:
| > Why would I do that unless I have a strong reason to use it
| > rather than just move on with my day? A link is posted on HN
| > for some cool software, it is already annoying to install it
| > due to Microsoft complaining about it, then when I first run
| > it, it opens up a tiny window and is asking if it can upload
| > information. I don't expect to spend time figuring out its
| > issues. I can't be the only one using a 4K display on
| > Windows.
|
| Spoken as a true reverse engineer, you should ask for a
| refund.
| timeon wrote:
| Sounds like a weird OS.
| dagmx wrote:
| ImHex has so far been the best hex editor I've used for a few
| reasons. Some of these exist in other editors but rarely all
| together.
|
| 1. File templates mean that it auto highlights sections of known
| file types.
|
| 2. It shows how selected bytes may be interpreted as pretty much
| every common data type that I would want and does so
| simultaneously.
|
| 3. It's significantly faster than other editors for me when I use
| large files
|
| On the downside, the imgui ui gets buggy sometimes but it's
| replaced my use of other viewers like HexFiend, hexa etc...
| mostthingsweb wrote:
| https://github.com/WerWolv/ImHex
|
| Oooh that looks slick, thanks for the tip!
| unwind wrote:
| Uh that is literally the link that is posted, that this
| thread is about.
| stavros wrote:
| I'm guilty of not reading the article more often than not,
| but posting the exact link of the article in a comment is
| next-level.
| rfoo wrote:
| Well, 010 Editor also checks all three. So:
|
| 4. Unlike 010 Editor, it does not take you $150 and is FOSS so
| you can easily patch it to do whatever you need.
| ixwt wrote:
| After briefly having used both, the main difference besides
| layout and aesthetics, is that 010 has a bigger repo of
| premade templates.
| hnthrowaway0328 wrote:
| This looks pretty neat. Would it be a good idea to develop a hex
| editor as a project? It doesn't look too hard for a simple one,
| but if one wants there is a lot of room for practice, like
| parsing all file formats, from executable image to doom wads
| to some proprietary file format, and I'm sure there is a lot of room for
| tools that help RE too.
| surfingdino wrote:
| Great project, shame the author did not google the username.
| kstrauser wrote:
| Why's that?
| surfingdino wrote:
| Google it.
| kstrauser wrote:
| Ah. Yeah, perhaps, but that was a normal, common word that
| the bad guys used because it sounded scary, but which still
| has its original meaning. It's not a word I'd primarily
| associate with those particular bad guys.
| surfingdino wrote:
| https://en.wikipedia.org/wiki/Werwolf
|
| probably not a good idea to pick a username sounding
| close to that stuff.
| kstrauser wrote:
| I get what you're saying. I wouldn't pick it for myself.
| Still, he's from Switzerland where German is a local
| language, and that's a normal German word outside the
| Nazi usage. It wasn't one of the ones they invented
| themselves.
|
| I think it's closer to, say, "beer hall", which isn't
| inherently Nazi even though "beer hall putsch" was their
| thing. They can still have beer halls.
| markus_zhang wrote:
| Doesn't "Werewolf", a common D&D monster (well, actually
| probably uncommon or even rare in D&D world, but you get
| what I mean), have the same pronunciation? I guess the
| Nazis just picked something that sounds scary and
| stealthy.
| WerWolv wrote:
| Hey, I'd just like to tune in here real quick. I've been using
| this username since I was like 10, long before I really
| understood what Nazis are. By the time I learned about this,
| I've already had this username for years and changing it
| everywhere would have been a ton of work. As a native German
| speaker, this association is really not something people
| generally make. I'd mostly just like to state that I'm probably
| as far away from being a right extremist as I can be.
| surfingdino wrote:
| Nobody's accusing you of being one. Peace.
| drzzhan wrote:
| I will just stick with 010 Hex editor for now. Still I will keep
| an eye on this.
| hackyhacky wrote:
| > ImHex requires a GPU with OpenGL 3.0 support in general.
|
| Why does a hex editor require OpenGL? (and therefore a GPU?)
|
| Is there a good reason why it needs OpenGL or is it just for
| l33t-ness?
| dagmx wrote:
| The UI is built using Imgui (hence the Im prefix) which is a UI
| framework for computer graphics programs.
|
| Though, a couple nits:
|
| 1. An OpenGL requirement doesn't necessitate a GPU. There are
| software implementations of OpenGL but they tend to be rather
| mediocre at best for performance.
|
| 2. Many platforms now assume some kind of GPU. It's fairly rare
| to need a GUI tool without also having a GPU available. Of
| course there are niches for it, but those aren't also likely to
| be running a hex editor and tooling locally.
| anotherhue wrote:
| 'GPU' doesn't mean discrete, power-hungry graphics card
| either (not that you said it did).
|
| OpenGL calls for basic desktop rendering can be reliably
| handled by the integrated graphics in the CPU. In which case
| OpenGL can almost be viewed as a parallel instruction set /
| DSL.
| SideQuark wrote:
| > Why does a hex editor require ... a GPU?
|
| Any editor, to be fluid and quick at today's screen resolution,
| needs hardware rendering. The days of drawing things pixelwise,
| especially any complex formatting, are noticeably slow.
|
| See this [1] for example
|
| [1] https://www.sublimetext.com/blog/articles/hardware-accelerat...
| 9029 wrote:
| they probably just picked the opengl renderer for imgui
| Dwedit wrote:
| I still use HXD for most cases, but whenever I need to work with
| encoded text, I use a fork of MadEdit instead. MadEdit has no
| problem with multibyte characters, whether it's UTF-8, UTF-16, or
| Shift-JIS.
| jonhohle wrote:
| This looks awesome. I'm spending the majority of my time
| reversing an old game and mostly still use hexdump.
| dang wrote:
| Related:
|
| _ImHex - A Hex Editor_ -
| https://news.ycombinator.com/item?id=32287902 - July 2022 (70
| comments)
|
| _ImHex - A Hex Editor_ -
| https://news.ycombinator.com/item?id=25353965 - Dec 2020 (78
| comments)
| kamov wrote:
| Sadly this program seems to segfault on Wayland.
| denysvitali wrote:
| Try the web version: https://web.imhex.werwolv.net
___________________________________________________________________
(page generated 2024-06-29 23:00 UTC)