-
Notifications
You must be signed in to change notification settings - Fork 26
Home
mtivadar edited this page Sep 21, 2015
·
21 revisions
- PE (Portable executable) file format
- Boot sector format
- Binary (default)
- Binary view mode
- Hex view mode
- Disassembler view mode
-
Main window
- TAB will change view mode
- F2 switch between view/edit mode
- Shift + arrows will begin selection, also works with PageUp/PageDown
- Ctrl + arrows will scroll vertically/horizontally with one line
- CTRL+End will go to the end of the file
- CTRL+Home will go to the beginning of the file
- End will go to the end of the page
- Home will go to the beginning of the page
- s will jump over bytes of same value
- e will go to next qword of value 0
- / opens search window
- n search next
- b search previous
- Shift+F4 opens encrypt/decrypt window
-
F10 opens dropper window. Dropped bytes are saved in same file name + '.drop' suffix
- From current selected text or whole file
-
Type specifies what to drop
- Binary will drop byte values
- Hex will drop text, every byte value represented as two hex digits, values separated by space. eg '90 90 90 4d 5a'
- PE will drop all PE files contained in selection or file
-
Hex view mode
- F6 will change column number: 1, 4, 8, 16, 32, 36, 40
- In Edit mode ALT+[0-9a-f] will edit whole selection, if you want to fill a block with same byte. If ALT is not pressed, current byte is edited, high nibble and low nibble
-
Disasm view mode
- Enter on a call/branch will follow address
- Esc will return
-
PE plugin
- F3 will change address mode between Relative Virtual Address/Virtual Address/File Address
- [ and ] will iterate through sections
- 0 will jump to overlay if present
- F7 jumps to Entry Point
-
ALT+g opens/closes go to window
- VirtualAddress/FileAddress/RVA values are possible
- hex values must be written with 0x prefix
- available symbols: EP entry point, END end of file
- eg. EP - 0x100
- ALT+h opens/closes header view
-
ALT+d opens/closes directory window
- Enter goes to directory start
- F9 selects directory entry
-
ALT+s opens/closes sections view
- Enter goes to section starting offset
- F9 selects entire section
-
ALT+i opens/closes import view
- Enter goes to import entry in IAT
- ALT+e opens/closes export view
- ALT+v opens/closes version info view
- ALT+f closes the window
-
BootSector plugin
- F3 will change address mode between File Address and Memory Address. The latter will consider that code starts at 0x7c00
- ALT+p opens/closes partition table view
- [ and ] iterates through partitions
-
ALT+g opens/closes go to window
- MemAddress/FileAddress values are possible
-
Binary plugin
This plugin will load the file if no other plugin recognizes the file format. Go to, text selection, dropper are available, also jump over same values with 's'.
Performs encoding/decoding for current text selection. Key can be written as hex stream (00 aa b1 c2 ...), or hex number 0x1234ab..., or decimal number. If key cannot be validated, edit box will turn yellow.
- basic
- ROL/ROR/XOR/ADD/SUB are supported, same operations are possible on key which will be performed on every step
- bytes can be skipped on every step
- rc4
- key can be string or written as hex bytes
- aes
- key must be 16/24/32 bytes, iv must be 16 bytes. Both can be written as string or hex bytes
- encrypted/decrypted text will be multiple of 16 bytes
-
PE plugin
- All occurrences of MZ, PE\x00\x00
- ASCII text and widechar ascii
- call [IAT] instructions
- IAT and overlay
- 30 bytes from entry point are highlighted
-
Bootsector plugin
- partition table
In every plugin if text is selected, it will be also highlighted all occurrences of current selection
Powered by: Python, Qt4, Terminus font, pefile, Capstone