Question

If I have a binary executable containing compiled C code, can I use a hex editor to edit that binary and change a specific instruction into another one, such as nop or jmp? How can I know the offset of the instruction I want to change?


Yes, this is for educational purposes.


Solution

UPDATE: Sorry, missed the Mach-O tag. This list is really for standard x86, not for Mach-O specifically. Still, it's a nice list for standard x86 code :)

Sure, but you're better off using a tool such as OllyDbg, SoftICE, or Immunity Debugger (a variant of Olly that's designed for reverse engineering). Learning x86 asm isn't actually as difficult as most people make out. You can learn a lot of Win32 assembly from http://win32assembly.online.fr/

You can get a list of opcodes at http://ref.x86asm.net/ if you're really set on editing with a hex editor.

More great tools for this kind of stuff:

  • PE Info (free EXE header editor)
  • CFF Explorer (free EXE header editor / rebuilder; more features than PE Info)
  • PE Explorer (commercial EXE header and resource editor)
  • TrID (file type identifier)
  • PEID (executable / packer identifier)
  • IDA Pro (static executable analysis)
  • procmon (activity analysis)
  • procexp (like taskmgr, but way better and more in depth)
  • ildasm (CIL disassembler)
  • ilasm (CIL assembler)
  • RedGate Reflector (.NET reverse engineering tool)
  • .NET Reflector (.NET reverse engineering tool)
  • XVI32 (hex editor)
  • Hex Workshop (hex editor / structure editor)

OTHER TIPS

The de facto tool for doing this and all other forms of binary manipulation is Interactive Disassembler (better known as IDA; it comes with a cool free trial!). Remember you'll have to rebase the rest of the binary if you change the size of the instruction + operand (i.e. changing an x86 nop instruction to a jmp instruction w/ the operands in Mach-O will, more than likely, cause the binary to not run unless you rebase, which IDA of course has an amazing utility for).

A hex editor will not be able to do the same (easily at least).
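As an added example (not from either answer above), here is the arithmetic behind "knowing the offset" and the size caveat from the tips: a disassembler gives you a virtual address, the segment table (as printed by `otool -l` or `objdump -h`) maps it to a file offset, and a hex-editor patch must keep the original instruction length, padding with single-byte nops, or neighbouring code shifts and the binary needs rebasing. The segment layout, addresses and instruction bytes below are constructed for illustration, not taken from any real binary.

```python
# Constructed segment map in the shape otool -l reports it:
# (name, vmaddr, vmsize, fileoff, filesize). __PAGEZERO has no file bytes.
SEGMENTS = [
    ("__PAGEZERO", 0x0, 0x100000000, 0x0, 0x0),
    ("__TEXT", 0x100000000, 0x1000, 0x0, 0x1000),
    ("__DATA", 0x100001000, 0x1000, 0x1000, 0x1000),
]

NOP = 0x90  # single-byte x86 nop, the usual filler for a same-size patch


def va_to_file_offset(segments, va):
    """Map a virtual address from the disassembler to a file offset."""
    for name, vmaddr, vmsize, fileoff, filesize in segments:
        if vmaddr <= va < vmaddr + vmsize:
            delta = va - vmaddr
            if delta >= filesize:  # mapped but not backed by file bytes
                raise ValueError(f"{va:#x} lies in {name} but not in the file")
            return fileoff + delta
    raise ValueError(f"{va:#x} is not inside any segment")


def patch_same_size(image, offset, expected, replacement):
    """Overwrite `expected` at `offset` with `replacement`, nop-padding a
    shorter replacement so no following instruction moves. A longer one is
    refused: that is the case where the binary would need rebasing."""
    if len(replacement) > len(expected):
        raise ValueError("replacement is longer than the original; rebase needed")
    actual = bytes(image[offset:offset + len(expected)])
    if actual != expected:  # guard against a wrong offset before writing
        raise ValueError(f"found {actual.hex()} at {offset:#x}, expected {expected.hex()}")
    padded = replacement + bytes([NOP]) * (len(expected) - len(replacement))
    out = bytearray(image)
    out[offset:offset + len(expected)] = padded
    return bytes(out)


def demo():
    # Constructed 8 KiB image: a 2-byte `jz +0x10` (74 10) at VA 0x100000f50
    # followed by a 5-byte `call` (e8 a0 00 00 00).
    image = bytearray(0x2000)
    off = va_to_file_offset(SEGMENTS, 0x100000F50)
    image[off:off + 7] = bytes.fromhex("7410e8a0000000")
    # Neutralise the conditional jump: two nops, same length, call untouched.
    patched = patch_same_size(bytes(image), off, bytes.fromhex("7410"), b"")
    # Same-size swap: jz (74) to unconditional jmp rel8 (eb) keeps the offset.
    swapped = patch_same_size(bytes(image), off, b"\x74\x10", b"\xeb\x10")
    return off, patched[off:off + 7], swapped[off:off + 7]
```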

Licensed under: CC-BY-SA with attribution