Igor’s tip of the week #38: Hex view

In addition to the disassembly and decompilation (Pseudocode) views, IDA also allows you to see the actual, raw bytes behind the program’s instructions and data. This is possible using the Hex view, one of the views opened by default (or available in the View > Open subviews menu). Even if you’ve used it before, there may be features you are not aware of.

Synchronization

Hex view can be synchronized with the disassembly view (IDA View) or Pseudocode (decompiler) view. This option is available in the context menu under “Synchronize with”. Synchronization can also be enabled or disabled in the opposite direction (i.e. from IDA View or Pseudocode window). When it is on, the views’ cursors move in lockstep: changing the position in one view updates it in the other.

Highlight

There are two types of highlight available in the Hex view:
  1. The text match highlight is similar to the one we’ve seen in the disassembly listing and shows matches of the selected text anywhere on the screen.
  2. The current item highlight shows the group of bytes that constitutes the current item (i.e. an instruction or a piece of data). This can be an alternative way to track the instruction’s opcode bytes instead of the disassembly option.

Layout and data format

The default settings use the classic 16-byte lines with text on the right. You can change the format of individual items as well as the number of items per line (either a fixed count or auto-fit).

Text options

The text area at the right of the hex dump can be hidden or switched to another encoding if necessary.

Editing (patching)

Hex view can be used as an alternative to the Patch program menu. To start patching, simply press F2, enter new values and press F2 again to commit changes (Esc to cancel editing). An additional advantage is that you can edit values in their native format (e.g. decimal or floating-point), or type text in the text area.
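To make the layout options and native-format editing described above concrete, here is an added example (not from the original post and not IDA code): a stand-alone Python model that renders the same bytes in several item formats and shows which raw bytes change when a floating-point value is typed in. The format names, `render`, `patch`, the base address and the sample buffer are assumptions of this example.

```python
import struct

# Item formats for this example only; the names are hypothetical, not IDA
# identifiers. Each entry: (little-endian struct code, display format).
FORMATS = {
    "hex8":  ("<B", "{:02X}"),
    "hex32": ("<I", "{:08X}"),
    "dec32": ("<i", "{:d}"),
    "float": ("<f", "{:.6g}"),
}

def render(buf, base=0, fmt="hex8", per_line=16):
    """Return hex-view style lines: address, items in `fmt`, text column."""
    code, show = FORMATS[fmt]
    size = struct.calcsize(code)
    step = size * per_line                      # bytes covered by one line
    lines = []
    for off in range(0, len(buf), step):
        chunk = buf[off:off + step]
        usable = len(chunk) - len(chunk) % size  # ignore a trailing partial item
        items = [show.format(struct.unpack_from(code, chunk, i)[0])
                 for i in range(0, usable, size)]
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08X}  {' '.join(items)}  {text}")
    return lines

def patch(buf, offset, value, fmt):
    """Write `value` in its native format; return (old_bytes, new_bytes)."""
    code, _ = FORMATS[fmt]
    size = struct.calcsize(code)
    if offset < 0 or offset + size > len(buf):
        raise ValueError("patch outside buffer")
    old = bytes(buf[offset:offset + size])
    struct.pack_into(code, buf, offset, value)
    return old, bytes(buf[offset:offset + size])

# Constructed sample: a string, the float 1.5, the int -2, four 0x90 bytes.
SAMPLE = bytearray(b"IDA\x00" + struct.pack("<f", 1.5)
                   + struct.pack("<i", -2) + b"\x90" * 4)

if __name__ == "__main__":
    buf = bytearray(SAMPLE)
    print(*render(buf, 0x401000), sep="\n")        # classic 16-byte line
    print(patch(buf, 4, 2.5, "float"))             # typed 2.5 -> raw bytes
    print(*render(buf, 0x401000, "float", 4), sep="\n")
```

The old and new byte strings returned by `patch` are what a reviewer would compare when checking that an edit made in decimal or floating-point form touched only the intended item.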

Debugging

The default debugging desktop has two Hex Views, one for a generic memory view and one for the stack view (synchronized to the stack pointer). Both are variants of the standard hex view, so the functionality described above is available, but there are a few additional features available only during debugging:
  1. Synchronization is possible not only with other views but also with the value of a register. Whenever the register changes, the position in the hex view will be updated to match (as long as it is a valid address).
  2. A new command in the disassembly view’s context menu allows you to open a hex view at the address of the operand under the cursor.