Jump to content











Photo
- - - - -

hex editing files via command line


  • Please log in to reply
5 replies to this topic

#1 Zharif

Zharif

    Frequent Member

  • .script developer
  • 172 posts
  • Location:Germany
  •  
    Germany

Posted 16 May 2021 - 12:44 PM

Dear all,

 

I'm just trying to create and edit *.lnk files via command line.
Target files for such links are batch (*.cmd ) files.
Creating such a file is relatively easy via OptimumXs' shortcut.exe (the one I use) .

However, I'm in the need that these *lnk files should rund a specific target *.cmd file as administrator.
To achieve this, a user normally opens the "Properties" of a *lnk file, navigates to the "Link" tab, klicks on "Advanced" and ticks the checkbox "Open as Administrator".
Programmatically, this option is not supported by shortcut.exe.
Using Tiny hexer (small edition) I figured out, which hex value is changed in the *lnk file if someone ticks the "Open as Adminstrator" checkbox.

Problem; how do I hex-edit a given file via command line/batch?
Could someone provide/recommend a (free) hex editor that supports suitable command line switches?

Thanks much in advance for any help here
Zharif



 



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 16 May 2021 - 01:15 PM

You can likely use for this specific scope gsar:

http://tjaberg.com/

 

Or if you really-really want a hex writer, there is this one, hexalter:

http://reboot.pro/in...ic=2959&p=74816

 

Not anymore available, get it via Wayback Machine:

https://web.archive..../hexalter.shtml

 

loosely gsar is suited to hex edit something in a variable (context identifiable) position, hexalter is better for known fixed position.

 

There is also hexed:

http://apps.venomdev...xed/hexed-help/

https://sourceforge....ts/hexed/files/

 

but it is more complex to use and likely way overkill.

 

The "perfect" tool to change a single byte at a given position is probably hex:

http://eadmaster.alt...age=cliapps#hex

(you want the "old" C version hex.zip)

 

It has to be seen whether these will run on Windows 10 though.

 

:duff:

Wonko


  • Brito likes this

#3 Zharif

Zharif

    Frequent Member

  • .script developer
  • 172 posts
  • Location:Germany
  •  
    Germany

Posted 16 May 2021 - 01:26 PM

Thank you Wonko,

 

both (gsar and hexalter) look very promising.

About gsar, I'm not able to open the downloaded gsar zip file (archive is damaged message).

All other tools from your provided url can be downloaded and opened without any concerns.

So, at first I will try hexalter.

 

Zharif



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 16 May 2021 - 02:12 PM

Thank you Wonko,

 

both (gsar and hexalter) look very promising.

About gsar, I'm not able to open the downloaded gsar zip file (archive is damaged message).

All other tools from your provided url can be downloaded and opened without any concerns.

So, at first I will try hexalter.

 

Zharif

That is "queer".

It downloads and verifies (and opens) just fine here.

Maybe some OS/browser/antivirus/archiver/whatever issues?

The file is gsar151.zip:

http://tjaberg.com/gsar151.zip

 

I am attaching a stripped down version (only the .exe and the needed .txt files in a .7z archive), see if it works.

 

duff:

Wonko

Attached Files

  • Attached File  gsar.7z   17.46KB   2 downloads


#5 Zharif

Zharif

    Frequent Member

  • .script developer
  • 172 posts
  • Location:Germany
  •  
    Germany

Posted 16 May 2021 - 05:10 PM

Wonko, you pushed me into the right direction; everything is working now as expected.

BTW, the side where hex.exe resides contains really useful stuff - thanks very much for this discovery.

 

In case somebody is interested:

To mark a *lnk file to run the target file as admin, replace value at byte position/address 15 (21 in decimal)  with 60 (96 in decimal).

The existing value dynamically changes regarding to other options that were picked via shell dialog (or via command line using shortcut.exe).

So, constant is the byte address only.

 

 

Here are some quick test results:

Gsar cannot be used in this special case because you need to specify a search pattern (that may change in the link file, see above).

 

Used tools:

hexed.exe     71.66KB

hex.exe         19.97KB

hexalter.exe  10.50KB

 

Used command line syntax: [exe] [command] && ECHO YES || ECHO NO

 

hexed.exe:

  does not provide any error handling

  only value at a specific byte position can be changed (replaced)

  syntax:           hexed -e 15 60 "linkfile" && ECHO YES || ECHO NO

 

hex.exe:

  supports input of decimal or hex values

  no useful error handling - however, supports output of system error codes (e.g. if target file is write protected)

  syntax hex:     hex "linkfile" 0x015 0x60 && ECHO YES||ECHO NO
             dec:     hex "linkfile" 21 96 && ECHO YES||ECHO NO

 

Best seems to be Hexalter.exe:

  very small file size

  internal error handling, e.g. refuses to write if hex input is out of range

  starting at a specific byte position, several trailing bytes can be changed (by replacing existing values)

  Side note: although start address is entered as hex, replacement value must be entered as decimal

  syntax:           hexalter "linkfile" 0x15=96 && ECHO YES || ECHO NO

         or:           hexalter "linkfile" 0x15=96,96,96 && ECHO YES || ECHO NO 

                        --> overwrites values at addresses 0x16, 0x17 with 0x60


  • Brito likes this

#6 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 08 June 2021 - 03:45 PM

In case of need, there is also a batch script available for creating shortcuts that run with admin permissions: https://github.com/n.../shortcutJS.bat




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users