BED is a binary editor. With a binary editor (or hex
editor) you can edit any file byte for byte. The data can be
shown in different data formats like ascii, heximal,
decimal, binary or octal numbers.
There are all kinds of situations in which you can
need a binary editor: changing a string in the binary of a
program, getting an accidentally deleted file out of a hard
disc device, writing a conversion program between word
processor formats etc. You can even use it to replace
strings with new lines in it in ordinary ASCII files. The
most common usage of binary editors is cracking commercial
software demos. Mathematica 3.0 is for example cracked by
changing in
/usr/local/mathematica/SystemFiles/FrontEnd/Binaries/Linux/Mathematica at offset 0x7937f "80 3d b4 7c 3d 08 00 75" in to
"88 3d b4 7c 3d 08 90 eb" and in
/usr/local/mathematica/SystemFiles/Kernel/Binaries/Linux/MathKernel at offset 0x127883 "89 c3" in to "90 90". Micro X-Win32
3.4.1 (ftp.starnet.com) is cracked by making the following
changes in xwin32.exe: 00007B18: 83 C6, 00007B19: 3D 05,
00007B1E: 00 01, 00007B1F: 75 C3, 00007B5E: 48 90. Etcetera
etcetera.
Features of bed:
1. Beside ascii unsigned integers of different base (2-36) and number of bytes (only limited by screen size);
2. User defined datatypes in plugins (available: signed integers, float, bcd and char2);
4. Large files and device like /dev/cdrom and /proc/kcore can be loaded (maximum size 1023 gigabytes).
5. Select, copy and past;
6. Undo and redo;
7. Multi files can be displayed at the same time;
8. Under Xwindows the size of the application window can be changed
to any size (within reasonable limits).
9. Extensive search support. Fast specific search and and slower
regex search in seperate routines. You
can search in any of the formats and easily translate between
them (Press return on an other data type).
10. Replace;
11. Marks support, also mark listing and mark stepping;
12. Keys and colors can be configured;
13. Knows only an override mode, no insert mode, so data is never
moved to an other offset without your knowledge. Making the file
bigger and smaller is done explicitly with the commands extend
file and truncate. Data is moved with select, copy and past.
14. Menu driven. Which can be hidden when you dislike it. When
you turn of message line and offset numbering you can concentrate
completely on the data. So you can't accuse me of being msdosish.
Bed is modeled after the integrated environment of Turbo c for dos and msdos edit with the exception that select works wp5.1 (and vi) like: You specify a starting point (Alt-e,s) and with whatever moving function exist you go to an other point and you then press copy (Alt-e,c) or save selection (Alt-e,a). In the rest of this manual I will concentrate on the more specific features of bed.
To be able to handle large files bed only hold in memory what is changed and read the other parts from disk at the moments they are needed.
|--------------|
|Prev F7|
|Next F8|
|Remove M-t|
|Full C-f|
|--------------|
|Save selection|
|--------------|
|Skip bytes |
|Reverse |
|Bytes |
|Base |
|--------------|
|Identical |
|Ascii |
|Integer |
|--------------|
Switching datatype
Moving between parts of the screen with different datatypes
you can do with Prev (Alt-d,p) and Next (Alt-d,n).
Zooming a datatype you do with Full (Alt-d,f), removing a
datatype with Remove (Alt-d,r).
Save selection saves the selected part of the file in the
format of the active datatype.
Adding datatypes
You can add a datatype with Ascii, Integer, Identical. You can
also define datatypes in plugins and then you can add the
datatype in the plugin.
Identical gives an identical copy of the currently active
datatype.
Integer (alt-d,i) gives the following window:
|----------------------------------------|
| |
| [ ] Skip Len: 0 After: 0 |
| |
| [ ] Last low with unit: 0 |
| |
| ( ) Hex (*) Dec ( ) Custom: |
| ( ) Oct ( ) Bin Base nr: |
| |
| Nr bytes: 1 |
| |
| Ok Cancel |
| |
|----------------------------------------|
You can specify the base of the integer in the field Base nr
or you can use one of the options Hex,Oct,Dec or Bin. Hex
stands for hexidecimal, Oct for octal, Dec for decimal and bin
for binary.
You can specify the number of bytes and the order in which the
bytes are interpreted. Last low when
the last unit is interpreted as the lowest unit of the
integer. The unit determines with what unit (in bytes) the
bytes are reordered. When for example specifying 4 in a 8 byte
integer the upper and lower four bytes are exchanged leaving
the order within this four bytes intact.
Modifying datatypes:
This are operation you can apply on some datatypes which
changes certain aspects while leaving other aspects the same.
Bytes: Change the number of bytes of each item.
Base: Change the base
Reverse: reverse the order in which the bytes are
interpretated by a multibyte datatype
Unit: The number of bytes which reorder together
Skip bytes: periodically skip a certain number of bytes.
Reorder and skip
Here is an example to illustrate the use reorder and skip.
Put the following code in file longlongs.c
#include <stdio.h>
int main(void) {
long long threes=3333333333333333333;
printf("%lld\n",threes);
return 0;
}
When compiling with gcc -O6 -S longlong.c -o longlong.s you
will get the following assemble code in longlongs.s:
.string "%}lld\n"
main:
pushl %}ebp
movl %}esp,%}ebp
pushl $776102145
pushl $-2092083883
pushl $.LC0
call printf
xorl %}eax,%}eax
leave
ret
When you take in bed 8 bytes decimal integers and 4 bytes
signed integers (plugin signed.plug) beside
each other and type in the number you get:
hex1 dec8signed4
55 55 4D 83 01 61 42 2E 03333333333333333333 -2092083883
0776102145
You see that
pushl $776102145
pushl $-2092083883
contains the same numbers as the two the signed four byte
integers making up 03333333333333333333.
The difference is that $776102145 is now before $-2092083883
and that pushl stands between $776102145 and $-2092083883.
Now do gcc longlong.s -o longlong and view longlong in bed.
To locate the number you can search for 01 61 42 2E in hex1
or 0776102145 in dec4.
In hex1 you will find:
01 61 42 2E 68 55 55 4D 83
This consists of "01 61 42 2E" followed with "68" and that
followed with "55 55 4D 83"
In the assemble code "01 61 42 2E" corresponds with
$776102145, "68" with pushl, and
"55 55 4D 83" with $-2092083883.
When comparing the hex representation of 03333333333333333333
"55 55 4D 83 01 61 42 2E" with what the compiler made of it
"01 61 42 2E 68 55 55 4D 83". You will see that the following
has happened: 68 is put between and the the order of "01 61 42
2E" and "55 55 4D 83" is reversed. (What is pushed first on
the stack has occupies the lowest address with a upwards
growing stack).
In bed you can now conveniently view the number in the machine
code by leaving out one byte after 4 bytes and reversing with
unit 4:
|----------------------------------------|
| |
| [x] Skip Len: 1 After: 4 |
| |
| [x] Last low with unit: 4 |
| |
| ( ) Hex (*) Dec ( ) Custom: |
| ( ) Oct ( ) Bin Base nr: |
| |
| Nr bytes: 8 |
| |
| Ok Cancel |
| |
|----------------------------------------|
After appropriately aligning the bytes you will get:
nrhex1
00972 01 61 42 2E 68 55 55 4D 83 68 03333333333333333333
Now you can change the number and save the file without
difficulty. If you don't optimize you need different options
to view the number.
When you press on search of the Move menu, you come in the
search window. Standard you search in the currently active
datatype. To select a different data type you press on space
when the appropriate data type is selected (like Ascii).
When you instead presses on Return the search string is also
converted from the old data type to the new data type.
Beside this there are also the usual features like starting
from the top or the bottum of the file instead of the cursor
position, searching backwards, searching case insensitive and
using regular expressions.
Regular expression: Use the GNU regular expression library to
match a pattern against the text (See
regex(7)
). When using regular expression you can search forward and backward in
ascii text. In any other data type you can only search
forward. When "Regular expression" is not checked everything
is first converted to a general byte string and then for this
byte string is searched in the file. When searching with
regular expressions enabled the file is block for block
converted to the currently active datatype and this printable
representation is searched for regular expressions in exactly
the same way as when the file was originally in this form.
This means for example that when searching case sensitively
the hex datatype ff is different from FF.
When using a floating point plugin different byte
strings can give the same superficial appearance. When you
convert the search pattern first into bytes and then search
for the bytes, you will only find one of this underlying byte
strings. When searching in regex mode you will find all of
them. The char2 plugin contains a data type which leaves out
every other byte. And when converting to bytes you have to
fill them in with something and when in the file they are
filled different you will not find the byte string. But when
searching only in the superficial appearance you can find
them.
I haven't tried any attempt to optimize regular
expressions so regular expression search in ascii is very
slow, and this conversion to other datatypes before searching
makes it even slower. So only small distances can be searched
this way.
Further shortcoming of regular expressions search:
- Only one hit in a single datatype is returned. When
searching for 1 in a hex datatype it stops only once in 11.
- The same byte can generate a hit in different alignments.
Only one is shown. To see them all you should change the
alignment around every hit.
Case sensitive: When checked upper and lower case are
treated distinctively
Boundaries: Multibyte datatypes can be aligned differently a 4
byte digit can start at offset 0,1,2 or 3 and give then
different 4 byte digits. Without checking Boundaries all will
be returned. With Boundaries checked only bytes aligned in the
same way as is now shown on the screen are returned.
Forward: When checked the file is searched in the forward
direction going from lower to higher offsets. When not checked the file is searched backward.
Edge file: When checked the file is searched from the edge of
the file. From offset 0 when searching forward, from end of
file when searching backward.
Find: Here you type the search pattern
List: Generated a list of all hits. When compiled with
CONFIG_THREADS=y you can go on editing whilehits are marked
so you can view them in marklist (Alt-m,l).
Ascii, Dec etc give when checked the current active datatype.
The last datatype is the currently active. In this case that it char2. Which is a plugin datatype.
Nr bytes: give the number of bytes each data item occupies. By
some datatype you can change this for example by unsigned integers.
Last low: changes the byte order of multibyte datatypes. With
last low checked the last byte of an integer is the lowest.
-----------------------------------------------------------
| |
| [x] Regular expression [x] Forward |
| [x] Case sensitive [ ] Boundaries [ ] Edge file |
| |
| |
| Find: |
| |
| Replace with: |
| |
| |
| ( ) Ascii ( ) Dec ( ) Oct |
| Ok ( ) Hex ( ) Bin (*) char2 |
| |
| Cancel Nr bytes: 2 [ ] Last low |
-----------------------------------------------------------
Everthing has the same meaning as in search, with a replace
string added.
At the place where the search string is found the replacestring is placed. The replace string
overwrites the data. When Regular expression is checked you
can insert the whole search string by & or
supexpressions by \1 \2 to \9. In the searchstring
subexpressions are demarcated by \(pattern\).
for example:
keys 27 115 = search
In which case Alt-s is bound to 'search' which is the search function.
The numbers are a decimal representation of the escape sequences generated by a
key or a key combination. Within bed you can press Alt-t,k to press
a key and see the keycodes and keybinding.
Bed version 0.2.7 added the possibility to make keys statements of the
following format:
keys capname = procedure
capname is a terminfo name for a key sequence. For example
keys kf1 = selectprocedure
binds selectprocedure to function key F1. See man terminfo for details.
There seems to be as much variation in keylabels as keycodes,
so don't expect to much.
bed -k
If you only want to assign the right meaning to the keys used
by the program
(instead of making new keybinding), you can press bed -k. You are
asked to press function
keys and it will append the corresponding key assignments to
~/.bedrc.
Personal keybindings
If you want to make personal keybindings you should come to
know the
procedure argument to keys. To come to know the name of a
procedure mentioned
in the menu or bounded to an other key you press Alt-t,k followed
by the
key or menukey combination.
If you want for example to know what the name is of the
procedure behind
Alt-f,o you press Alt-t,k followed by Alt-f,o and on the
commandline
you see something like "menu item Alt-f,o = addfile".
To bind this to insert you press Alt-t,k,INS and get as answer
something like:
No keybinding for 27 91 50 126
You add now at the bottum of ~/.bedrc
keys 27 91 50 126 = addfile
An other way to learn the names of the procedures is the read the
Procedures section later in this manual, but the program itself is
always
more up to date then the manual.
context term linux
keys 27 91 49 126 = home
keys 27 91 91 66 = dosave
Context termcap
keys 27 91 72 = home
keys 27 79 81 = dosave
#end ~/.bedrc
In which case home is binded to the home key and dosave to F2 for both linux
console and xterm. Linux console is recognised by TERM=linux and xterm sets
termcap which linux console does not.
addprev and addnext is for all contexts bound to the same value (shift-F5 and shift-F6 respectively).
If there is no environmental variable shared by the context you like to give
the same configuration you can set a environmental variable and use this at a context argument. It is possible to set enviromental variables within the configuration file with:
setenv name val
To do the same by TERM=cons25 as with TERM=cons50 you can write:
context TERM cons25
setenv consoleterm yes
context TERM cons50
setenv consoleterm yes
context TERM cons43
setenv consoleterm yes
context consoleterm
keys 27 91 97 = beginfile #S-F3
keys 27 91 98 = endfile #S-F4
keys 27 91 101 = middlepage #S-F7
color screen-element [foreground background] [attr,attr...]
You can give only attributes or both the foreground and the background color and
any number of attributes.
The screen parts are the following:
TEXT: The color the text is showed in. It is better not to give this a color because this
makes the screen updating much slower (some feature of ncurses)
COMMAND: the commandline
SELECTION: selection
CURSOR: cursor in active datatype
CURSORPAS: cursor in passive datatype
SELCURSOR: cursor during selection
BAR: the menubar
BARKEY: Key highlighting in the menubar
MENU: Opened menu's
MENUKEY: key highlighting in menu
MENUSEL: color of menu element which is selected
OPENTITLE: title of file manager
OPENKEY: key highlighting of key manager
OPENNORMAL: background key manager
OPENLIST: color of non active items of list
OPENLISTSEL: color of active item
OPENLISTACT: color of active item when this piece is used
SHOWBACK: Search/replace window
SPACEAFTER: color of space before and between datatypes
The colors and attributes are just the colors and attributes of ncurses. When they
don't look the way the name suggests you should send your complains to the makers
of ncurses.
Colors: BLACK RED GREEN YELLOW BLUE MAGENTA CYAN WHITE
Attributes: NORMAL STANDOUT UNDERLINE REVERSE BLINK DIM BOLD
PROTECT INVIS ALTCHARSET CHARTEXT
For me only STANDOUT UNDERLINE REVERSE BLINK BOLD have a useful
meaning.
On example:
color BAR WHITE RED blink
Which makes a blinking white on red menu bar (on my computer it blinks only
under linux console and not in xterm or rxvt).
To make the cursor bold and underlined you can do
color cursor bold underline
The color lines can be intermixed with the keys lines and can also be specific to a
context.
For the filemanager and search window this is the only way the change keybindings. Inside the menu you can also change keybindings by putting
253
in front of the key numbers. See procedure firstmenuitem.
Beside this there are around sixty-six procedure names that can be bound to keys. The first 48 are part of the menu and are also grouped that way.
File
Edit
Move
Data type
Window
Options
Not shown in menu
Only applies within an opened menu. You have to put 253 immediately after the keys keyword. So for example:
keys 253 1 = firstmenuitem
makes that within an opened menu contr-a jumps to the first menu item.
Here is an example:
/*Begin example1.c */
#ifdef GLOBAL
#endif
#ifdef EDITOR
int example1(void) {
message("Hello world!!!");
}
#endif
call(example1)
/* End example1 */
Everything in the area in which GLOBAL is defined is code outside of the EDITOR
class. Everything inside the area in which EDITOR is defined is inside the Editor
class and at the end of the files are the names of the procedures which should be
bounded to a key in bed.
In this example the procedure example1 uses an function of bed which writes a
message to the messageline and call(example1) says that the function example1
should be assessable by bed.
This function example1 you can bound to a key the same way as bed's own procedures . For example
keys 1 = example1
to bind contr-A to example1.
To compile the example you need just to do
make example1.plug
in the plugings/examples directory. Which assumes that there is the original Makefile
and the make variable PLUGINDIR is assigned to the directory in which plugin.cpp,
faked.h and mainprocedures.h reside.
Ones compiled you have to put the line
plugin ABSOLUTEFILENAME
in ~/.bedrc before you bind a key to the corresponding functions.
So in for this example you can add
plugin /usr/local/share/bed/plugins/example1.plug
keys 1 = example1
in ~/.bedrc to enjoy the pleasure of getting "Hello world!!" when you press Contr-A.
In the procedures you write you can use all the procedures which can bounded to
keys (which have the format int name(void)), plus some extra procedures I am going to describe now.
The following functions are inside class Editor:
int topos(long pos)
Go to offset pos in the current file.
int dosearch(char *str, int len)
Search for str with length len in the current document
int getfilepos()
Get the offset of the shown part of the file.
int geteditpos()
Get the offset of the cursor in the current screen.
int getmem(long pos,char *buf,int len)
Get from position pos a piece of the current file with length len.
int putmem(long pos,char *buf,int len)
Put at position pos the array buf of length len.
int getmode(Type type)
Get (goto) a display with data type type. Type has the following definition:
typedef enum {HEX=16,ASCII=256,DEC=10,BIN=2,OCT=8 } Type;
int getselbuf(char **buf)
Put a pointer to the cutbuffer in *buf and returns the length of the cutbuffer.
int putselbuf(char *buf,int len)
Puts buf with length len in the cutbuffer.
int getselect(void)
int putselect(int pos)
getselect returns the starting position of the current selection or -1 if there is no
selection. Putselect put's the starting position of the selection or with -1 unselects.
(The end position is the cursor position).
int screensize()
Get the number of bytes currently on the screen.
char *getfilename(char *buf)
The current filename is copied to buf.
int message(char *format ...)
Write to messageline. Same format as printf.
int getkeyinput(char *format ...)
Ask in the same format as printf. And get an key as answer.
int inputget(char *answer,const char *format,...)
Ask in the same format as printf and get an answer in answer (should hold enough
memory).
int filesize(void)
Get filesize.
int toscreen(void)
Makes that the effect of previous operations is shown on the screen.
void filesup(void)
When a newwin (of ncurses) is used you can with filesup get the file windows of bed
again on top.
Global procedures:
extern Editor *editfile(const char *file)
Open a new file. When you want to do operations on this file you should hold in
mind that the previous functions are part of the class Editor. So when you can do
for example:
/*start stupid.cpp
#compile with make stupid.plug
#put in ~/.bedrc
plugin /usr/local/share/bed/plugins/stupid.plug
keys 1 stupid
# and call contr-A in bed
*/
#ifdef EDITOR
int another(void) {
topos(400);
toscreen();
getkeyinput("I am going to delete everyting O.K. ");
putmem(0,"Hello",5);
}
int stupid(void) {
Editor *ed=editfile("/boot/zimage");
return ed->another();
}
#endif
call(stupid)
/*end stupid.c */
extern Editor *getactive(void)
Get the currently active Editor.
extern void rewriteall(void)
Rewrites everything on the screen.
Some examples of plugins are put in plugins/examples: one shows the assembler labels of the bytes starting with the cursor
(gdb.plug), one shows the file type (when the cursor is on the first byte of a file)
(file.plug) and and one filters what's selected through an other program (filter.plug).
A new syntac uses class Editor {} instead of the defines. See plugin sources ending in *.cc.
By the way don't define variables in the EDITOR (or class Editor) part, also don't try to assess
class Editor variables of the main program directly. It will mess up everything.
The setup of plugin using class Editor should be changed in the feature because it relies
too much on undocumented features.
You can also define you own datatypes a a subclass. See for example float.cc
The information about plugins is not updated since version 0.0.0.. For additions and modifications you can look at the example plugins or in faked.h or the Options menu inside bed (Key binding and Procedures).