Hex Editor – Comprehensive User Guide

File Handling

Opening Files:

Use the 📂 Open button to select a file via your system's file chooser.
Alternatively, drag and drop a file directly into the editor window.

Saving Files:

Click Save File to write changes back to disk.
The editor saves with the original filename by default.

Scenario Example: You open a firmware image for analysis, edit a few configuration bytes, and save it back with the same filename for flashing onto hardware.

Workflow: ┌──────────────┐ ┌───────────────┐ ┌───────────────┐ │ Click "Open" │ → │ Edit contents │ → │ Click "Save" │ └──────────────┘ └───────────────┘ └───────────────┘

Hex & ASCII View

Display:

Bytes are shown in two columns: hexadecimal values and their ASCII equivalents.
Non-printable characters appear as a dot . in the ASCII view.

Interacting:

Single-click a byte → move cursor and update the Data Inspector.
Double-click a byte → enter edit mode. A floating editor appears directly over the cell.
Press Enter to commit and move to the next cell, or Esc to cancel.
Toggle row width between 16 bytes and 32 bytes using the dropdown.

Scenario Example: While reverse-engineering a save file, you notice your character's health value in decimal is 100. In hex, that is 64. You double-click the byte, change it to FF, and save. When you reopen the game, your character has maximum health.

Workflow: ┌─────────────────────┐ │ Open file │ ├─────────────────────┤ │ Locate value in hex │ ├─────────────────────┤ │ Double-click & edit │ ├─────────────────────┤ │ Save & test │ └─────────────────────┘

Navigation

Keyboard:

Arrow Keys: move cursor one cell.
PageUp / PageDown: scroll quickly through data.

Virtualisation: Only the visible portion of the file is rendered. This allows smooth navigation even in multi-gigabyte files.

Overview Ruler: A slim bar on the right shows markers for bookmarks, ranges, search hits, and carved objects. Click to jump.

Scenario Example: You scroll through a 1 GB log file quickly using PageDown, with no lag, and click a red marker in the ruler to jump to an identified error string.

Data Inspector

The inspector shows the current byte (or multi-byte selection) in multiple interpretations:

Unsigned / signed integers (8, 16, 32, 64-bit)
Floating-point values
Text encoding (ASCII, UTF-8, UTF-16)
Sniffing: a quick “what is this?” guess based on magic bytes near the cursor (useful for spotting embedded formats)

Scenario Example: Selecting four bytes in a binary shows that they represent the floating-point number 3.14159 in little-endian. You confirm that this section stores mathematical constants.

Entropy Analysis

The entropy panel shows randomness (Shannon entropy) across the file:

Low entropy (structured areas, e.g., headers) appear blue.
High entropy (compressed/encrypted blocks) appear red.
Change heatmap overlay: when a compare buffer is loaded, a translucent overlay indicates the fraction of bytes that differ per block.

Scenario Example: While inspecting a suspected malware binary, you see one section is high-entropy compared to the rest. This indicates packed or encrypted payloads.

Search

Hex Search: Enter sequences like DE AD BE EF.

ASCII Search: Enter plain text, e.g., password.

Matches are highlighted in the hex view and marked in the overview ruler.

Scenario Example: You search for PK in a suspicious file, which reveals embedded ZIP archives at multiple offsets.

Forensics Tools (Modal)

Click Forensics on the toolbar to open a single modal containing a handful of “I just need answers” tools.

Hashes

Compute whole-file hashes: CRC32, MD5, SHA-1, SHA-256, SHA-512.
Compute hashes for a selected range (or cursor-based default range).

IOCs

Extracts ASCII-ish strings then identifies common indicators: URLs, domains, emails, IPv4/IPv6, GUIDs.
Also flags common “hash-looking” strings (MD5/SHA1/SHA256/SHA512), Windows/UNC paths, unix-ish paths, registry keys, onion domains, and Bitcoin addresses.
Exports results as CSV or JSON.

Transform

Runs simple range operations: hex/base64 encode/decode, XOR, and inflate.
Inflate auto-tries gzip, zlib/deflate, and raw deflate (because real-world data rarely reads the manual).
“Replace Range” applies the output back into the file (currently only when output length matches the selected length).

Workbench (Deobfuscation Pipeline)

Run a chain of steps over a byte range to quickly unwrap payloads (e.g. XOR → inflate → decode).
Includes quick preview (text + hex) and exports the output as binary or hex text.

Timeline Scan

Scans a range with a stride and collects plausible timestamps across multiple formats.
Results are clickable (jump-to-offset) and exportable as CSV/JSON.

Rules (YARA-lite)

A small client-side rules DSL supporting ASCII and hex patterns.
Scan the selection or entire file, then export hits as CSV/JSON.

Struct Diff

Compares lightweight structure summaries between the current file and a loaded compare buffer.
Supports ZIP/PE/ELF/Mach-O and reports added/removed/changed entries/sections and key header field changes.

Case Export

Exports a case bundle ZIP containing case.json, evidence.json, and optional artefacts such as compare buffer, diffs, IOCs, timeline results, rules hits, and struct diff output.

Timestamps

Enter an offset and the tool will interpret the bytes using several common timestamp formats:

UNIX (u32/u64, seconds and common unit heuristics)
Windows FILETIME (u64, LE)
WebKit/Chrome (u64, LE microseconds since 1601)
FAT date/time (u16 time + u16 date)
Mac/HFS epoch (u32 seconds since 1904)
OLE Automation DATE (f64 days since 1899-12-30)

Evidence Log

Records key actions (file open, exports, scans, hash operations, transforms) with UTC timestamps.
Backed by localStorage (so it survives refreshes).
Export as JSON/CSV, or clear when you’ve made your notes.

Structures

The Structures Wizard lets you define fields and apply templates for known formats:

Specify offset, length, type, and endianness.
Apply predefined templates (PNG, JPEG, ELF, PE, ZIP, etc.).

If a file matches a known format, the editor auto-applies the template and populates a side panel with parsed values.

Scenario Example: Loading a PNG automatically parses its IHDR chunk and shows “Width: 1024, Height: 768, Bit depth: 8” in the structures panel.

Diffing

Compare files to see changes:

🔀 Compare: Two-way binary diff.
🌌 Triple Diff: Original vs Current vs Other.

Differences are colour-highlighted in hex and ASCII.

When a compare buffer is loaded, other tools can reuse it (for example the entropy change overlay and Struct Diff in the Forensics modal).

Scenario Example: You compare a clean EXE to a suspected infected EXE. The diff highlights injected shellcode at offset 0x401000.

Timeline & Branching

Every edit is tracked:

Undo / redo actions instantly.
Create branches for experimental edits.
Checkpoint states for quick restoration.

Scenario Example: While patching a binary, you create a branch for each variant. One branch disables copy protection, another modifies level data. You can switch between them instantly.

Plugins (Advanced Analysis)

1. Object Carving & Gallery

Scans the file for embedded objects based on known signatures. Extracted objects are listed with thumbnails or previews.

Carved hits are also validated (where possible) to improve confidence and flag likely truncation or malformed headers.

Export: You can export individual hits, or use the bulk export buttons. Export ZIP downloads carved_objects.zip, a self-describing archive containing:

Per-type folders (e.g. png/, pdf/)
One file per hit with an offset/length-based filename
A carve_results.json manifest describing all hits (offset, length, type, confidence)

Workflow: [File] → [Scan for signatures] → [Identify objects] → [List in gallery] → [Preview/Export]

Scenario: In a memory dump, the carver finds hidden JPEGs. You preview them and discover screenshots of an exfiltrated desktop.

2. Rich Preview

Displays live previews for recognised file types.

Images → canvas thumbnails
Audio → WebAudio playback
Video → <video> playback
PDF → rendered pages

Workflow: [Select object] → [Plugin detects type] → [Preview in side panel]

Scenario: You extract an embedded PDF from an email attachment. The preview shows its first page, revealing phishing instructions without opening it externally.

3. Container Explorers

Parse and browse container formats such as ZIP, RIFF, MP4, and PDF.

Workflow: [Detect container] → [Parse index/table] → [List entries/chunks] → [Export or preview]

Scenario: An APK file (ZIP) is loaded. The explorer lists AndroidManifest.xml, icons, and resources. You export the manifest for static analysis.

4. Metadata Extractors

Extract metadata fields from common file types:

EXIF in JPEG/TIFF
ID3 in MP3
Vorbis comments in OGG/FLAC
PE/ELF/Mach-O headers

Scenario: A JPEG from a suspect's phone reveals GPS coordinates in its EXIF data, which you map to a location.

5. Strings & IOC Discovery

Extract human-readable strings, decode common encodings, and search with regex/YARA.

Workflow: [Scan file] → [Extract strings] → [Filter/regex search] → [Mark hits in ruler]

Scenario: A DLL reveals hardcoded domains and suspicious Base64-encoded payloads, pointing to malware command-and-control servers.

7. Steganography (Sidebar Tab)

Steganography tools are accessed via the Steganography tab in the sidebar. This consolidates extraction and injection workflows in one place.

Extract recovers hidden payloads using the selected method.
Inject can hide a text payload, or you can use Inject File to embed raw bytes from a chosen file.

6. Executable Explorers

Specialised explorers for executables:

PE (Windows)
ELF (Linux)
Mach-O (macOS/iOS)

Scenario: A malicious Windows DLL shows imports of VirtualAlloc and LoadLibrary, confirming it injects shellcode.

7. Plugin Extensibility

You can add your own plugins. A plugin is simply a JavaScript file that registers a panel and analysis routine.

Scenario: You add a YARA plugin. When scanning a suspicious binary, the plugin automatically flags known malware signatures.