Main window - SillyBits/hexalyzer GitHub Wiki

This is the main window:

---

Before we dig into details, following a short overview on the toolbar (with keyboard shortcuts in []):

• File handling:

  - Creates a new project [Ctrl + N]

  - Opens existing projects [Ctrl + O]

  - Saves any project changes [Ctrl + S]

  - Closes current project (you will be prompted if unsaved changes exist) [Ctrl + W]

• Node handling:

  - Untyped split at cursor position [Ins]

  - Add a variable string node [S]

  - Add an ASCII string node [A]

  - Add an UNICODE string node [U]

  - Add an ASCII char node

  - Add an UNICODE char node

  - Add a 1-byte signed integer node [1]

  - Add a 1-byte unsigned integer node [Shift + 1]

  - Add a 2-byte signed integer node [2]

  - Add a 2-byte unsigned integer node [Shift + 2]

  - Add a 4-byte signed integer node [4]

  - Add a 4-byte unsigned integer node [Shift + 4]

  - Add a 8-byte signed integer node [8]

  - Add a 8-byte unsigned integer node [Shift + 8]

  - Add a float node [F]

  - Add a double node [D]

  - Remove node, merging it into previous/next [Del]

• Views:

  - Toggles Value preview panel on/off

  - Toggles Data buffer info panel on/off

• Tools:

  - Toggles Background analyzer on/off

---

I've tried to map every feasible type to assist with dissecting binaries. Some types are a bit special and might be changed with future versions, esp. those string nodes which do relying on a 4-byte length prefix before actual string content (as used with, for example Pascal strings).

Explanation is best by using an example, right? Right. So here we go. The repository contains a small ready-made example, Example1.hexaproj which contains the analysis nodes, and Example1.bin which acts as the source being dissected.

As with every hex-viewer you might be familiar with (HxD or Hexplorer to name a few), several columns exist:

• Offset into the file your viewing.
• Hex dump on raw data.
• Ascii dump on raw data.

But Hexalyzer adds 2 additional columns:

• Value to show the 'transformed value' of the node based on its type.
• Remark to allow for taking notes for each individual node.

In the picture above you can see a total of 8 nodes, each separated by a dim horizontal line. You might have noticed already some offsets are drawn using a darkish green color, those are offets which have a typed node assigned whereas black offsets still lack some type assignment.

Following a short description on individual lines:

1. An UInt32 node which transforms EF BE AD DE into the real value DEADBEEFh. Also has some remark on it: "The magic id (DEADBEEF)"

2. An untyped node, so no actual value present. As with typed nodes, you're allowed to take notes on untyped ones too.

3. Another UInt32 00000400h with a remark.

4. Some big untyped node of length 116.

5. An ASCII string "Some totally random string", with length prefix (0000001B) and it's Null-terminator.

6. More untyped data

7. An UNICODE string with same string as with line 5 (note that I've assumed negative lengths with unicode strings, this is caused by the "needs" for this tool :wink: ).

8. More untyped data following (up until end of file).

As you might have noticed already, the toolbar and most menu items are grayed out, rendered inaccessible. This is because the tool lacks a hint on where to add "stuff". Just left-click into any part of either the hex or ascii column to set a caret, this will enable edit mode. Besides clicking, caret can also be moved using your cursor keys, even special combinations like [Ctrl + Home] are handled as usual. Moving the caret around is somewhat intelligent, allowing you to navigate around without even touching your mouse again :grinning: If you, for example, reached the end of one node, navigating to the left again will automatically take you to the start of the node following, and vice versa. Might be a bit disturbing at first, but you will get to it quite fast, promised :grin: