
What the hex viewer tells you before you copy shellcode

Using a hex view to catch alignment issues, obvious bad chars, and length mistakes before shellcode hits an exploit script.

2 min read

Copy buttons are dangerous. They reward speed over inspection.

A hex viewer is where I catch mistakes that encoders hide.

Length is the first signal

Know the usual size of each template you use. A Linux x64 reverse TCP payload that suddenly shrinks by 40 percent is not a miracle. It is a truncated export.

Scroll to the end. If the tail is a run of 00 where you expect opcodes, the export was cut short or zero-filled. Stop.

Spot obvious bad characters early

You do not need a disassembler to see 0x00, 0x0a, 0x0d in the grid. Highlighting in the UI beats scrolling a comma-separated paste.

If your delivery channel forbids 0x20, confirm spaces are not sneaking in via ASCII export mistakes.

Entry point vs embedded data

Many payloads interleave code and data (IP, port, command strings). In hex, data islands look different from opcode soup. Misaligned data often shows up as runs of ASCII-ish bytes in the wrong region. A sockaddr_in has a fixed shape you can learn to spot: 02 00 for AF_INET, two port bytes in network (big-endian) order, then the four IP octets.

When the syscall stubs look fine but the sockaddr block is nonsense, you fix parameters, not encoders. The same goes for a bad char that lives inside the IP or port bytes: no encoder setting will remove an 0x0a that came from 10.x.x.x.
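The checks above as a script, so the gate runs on the raw blob instead of your eyes. This is an added example, not tooling from this post; the sample blob is a constructed fragment shaped like a Linux x64 reverse-TCP prologue (not real generator output), and the function names, the 40 percent shrink threshold and the 8-byte trailing-zero threshold are my choices. It reports length, trailing zero runs, forbidden bytes by offset, printable runs (the data islands) and any span that decodes as a sockaddr_in, with the offset of each so the finding maps straight back to the grid.

```python
import ipaddress

# Constructed sample blob (not real generator output): a fragment shaped like a
# Linux x64 reverse-TCP prologue, with two data islands embedded in the code.
SAMPLE = bytes.fromhex(
    "6a29" "58" "99"             # push 0x29; pop rax; cdq          (socket)
    "6a02" "5f" "6a01" "5e"      # push 2; pop rdi; push 1; pop rsi
    "0f05" "4897"                # syscall; xchg rax, rdi
    "48b9" "0200115c0a000001"    # mov rcx, imm64: sockaddr_in at offset 16..23
    "51" "4889e6"                # push rcx; mov rsi, rsp
    "6a10" "5a" "6a2a" "58"      # push 16; pop rdx; push 0x2a; pop rax (connect)
    "0f05"                       # syscall
    "48bb" "2f62696e2f736800"    # mov rbx, imm64: "/bin/sh\0" at offset 38..45
)

DEFAULT_BADCHARS = frozenset({0x00, 0x0A, 0x0D})


def length_signal(blob, expected_len, shrink_limit=0.4):
    """True if the blob is no more than shrink_limit smaller than the template's usual size."""
    return len(blob) >= expected_len * (1.0 - shrink_limit)


def trailing_zero_run(blob):
    """Length of the run of 0x00 at the tail; a long run is zero-filled truncation."""
    n = 0
    for b in reversed(blob):
        if b != 0:
            break
        n += 1
    return n


def forbidden_offsets(blob, forbidden=DEFAULT_BADCHARS):
    """Offsets of every byte the delivery channel cannot carry."""
    return [i for i, b in enumerate(blob) if b in forbidden]


def ascii_runs(blob, min_run=5):
    """(offset, bytes) for printable-ASCII runs of at least min_run: the data
    islands (paths, hostnames) that stand out in a grid. min_run=5 keeps the
    push/pop idiom ('j' 0x6a push imm8, 'X' 0x58 pop rax) from flagging opcodes."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):  # sentinel closes a run at the tail
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, blob[start:i]))
            start = None
    return runs


def sockaddr_in_candidates(blob):
    """Decode each 8-byte span that parses as a sockaddr_in: sin_family 02 00,
    sin_port (2 bytes, network order), sin_addr (4 bytes). The last tuple field
    is True when the span is the immediate of a REX.W mov r64, imm64 (48 B8+r)."""
    out = []
    for i in range(len(blob) - 7):
        if blob[i:i + 2] != b"\x02\x00":
            continue
        port = int.from_bytes(blob[i + 2:i + 4], "big")
        if port == 0:
            continue
        ip = str(ipaddress.IPv4Address(blob[i + 4:i + 8]))
        in_mov = i >= 2 and blob[i - 2] == 0x48 and 0xB8 <= blob[i - 1] <= 0xBF
        out.append((i, port, ip, in_mov))
    return out


def gate(blob, forbidden=DEFAULT_BADCHARS, expected_len=None, max_trailing_zeros=8):
    """Run every check; ok is False when something a copy button would hide is present."""
    report = {
        "length": len(blob),
        "length_ok": expected_len is None or length_signal(blob, expected_len),
        "trailing_zeros": trailing_zero_run(blob),
        "forbidden": forbidden_offsets(blob, forbidden),
        "ascii_runs": ascii_runs(blob),
        "sockaddr_in": sockaddr_in_candidates(blob),
    }
    report["ok"] = (report["length_ok"]
                    and report["trailing_zeros"] < max_trailing_zeros
                    and not report["forbidden"])
    return report


if __name__ == "__main__":
    for name, blob in [("fresh export", SAMPLE),
                       ("zero-filled export", SAMPLE[:30] + b"\x00" * 16),
                       ("short export", SAMPLE[:24])]:
        r = gate(blob, expected_len=46)
        print(f"{name}: len={r['length']} ok={r['ok']} trailing_zeros={r['trailing_zeros']}")
        print(f"  forbidden at {r['forbidden']}  ascii runs {r['ascii_runs']}")
        for off, port, ip, in_mov in r["sockaddr_in"]:
            print(f"  sockaddr_in @{off}: {ip}:{port} (inside mov r64, imm64: {in_mov})")
```

On the sample, the 0x0a at offset 20 and the 0x00s at 17, 21 and 22 all fall inside the sockaddr_in, not in an opcode: that is the "fix parameters, not encoders" case, since they come from 10.0.0.1 and the AF_INET high byte. The sockaddr scan is a heuristic (02 00 followed by a non-zero port); the mov r64, imm64 flag is what separates a real embedded struct from a coincidental pair of bytes.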

Compare two generations

Keep yesterday's blob and diff the two:

cmp -l payload-old.bin payload-new.bin | head

cmp -l prints one line per differing byte: the 1-based offset in decimal, then the old and new values in octal. Check the sizes first; when the lengths differ, cmp stops at the shorter file and reports EOF, so a length change never shows up as a clean list of offsets.

Small diffs after a parameter change are good. Large diffs after "I only changed the port" mean you regenerated more than you think.

Attacker use

Pre-copy review reduces failed fires that light up SOC dashboards for no reason. Failed fires still log. Reliability is operational security for red teams too.

Defender use

Memory dumps and crash dumps are hex viewers with worse UX. Training analysts to recognize sockaddr blobs and common syscall prologues speeds triage.

Integration habit

Make hex review a gate: no copy until length and forbidden bytes are checked. Ten seconds. Cheaper than an incident ticket asking why your tester hit prod.

Annotate offsets in notes

When you file a runbook, record one or two anchor offsets: where the decoder starts, where embedded IP/port begins. Next review is faster and you avoid debating whether the tail changed or the middle did. Offsets survive copy/paste mistakes better than screenshots alone.
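The two habits above, comparing generations and decoding at a recorded anchor offset, in one script. This is an added example, not code from this post: it reproduces what cmp -l reports (1-based decimal offset, octal old and new byte), groups the differences into ranges so "I only changed the port" becomes a testable claim (exactly two bytes changed, same length), and decodes the sockaddr_in at the anchor offset noted in the runbook for both generations. The blobs are constructed fragments (mov rcx, sockaddr_in; push rcx; mov rsi, rsp), not generator output, and the anchor offset, function names and the two-byte expectation are my assumptions.

```python
# Constructed fragments (not generator output): mov rcx, <sockaddr_in>; push rcx;
# mov rsi, rsp. The sockaddr_in sits at offset 2..9: family 02 00, port, IP.
OLD = bytes.fromhex("48b9" "0200115c0a000001" "51" "4889e6")            # 10.0.0.1:4444
NEW_PORT_ONLY = bytes.fromhex("48b9" "020015b30a000001" "51" "4889e6")  # 10.0.0.1:5555
NEW_REGEN = bytes.fromhex(                                              # 192.168.1.5:5555
    "48b9" "020015b3c0a80105" "51" "4889e6" "6a10" "5a")                # plus push 16; pop rdx

SOCKADDR_OFFSET = 2  # anchor offset recorded in the runbook for this template (assumed)


def cmp_l(old, new):
    """Differences the way cmp -l reports them: (1-based offset, old byte, new byte).

    Like cmp, this stops at the shorter input; a length difference is its own signal.
    """
    n = min(len(old), len(new))
    return [(i + 1, old[i], new[i]) for i in range(n) if old[i] != new[i]]


def cmp_l_text(old, new):
    """Render cmp_l() with cmp's fields: decimal offset, octal old value, octal new value."""
    return "\n".join(f"{off:7d} {a:3o} {b:3o}" for off, a, b in cmp_l(old, new))


def changed_ranges(old, new):
    """Group differing 0-based offsets into contiguous (start, end_exclusive) ranges."""
    ranges = []
    for off, _, _ in cmp_l(old, new):
        i = off - 1
        if ranges and ranges[-1][1] == i:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]


def decode_sockaddr_in(blob, off=SOCKADDR_OFFSET):
    """(port, ip) from the sockaddr_in at the anchor offset; raises if AF_INET is not there."""
    if blob[off:off + 2] != b"\x02\x00":
        raise ValueError(f"no AF_INET marker at offset {off}: the anchor moved, check the middle")
    port = int.from_bytes(blob[off + 2:off + 4], "big")
    ip = ".".join(str(b) for b in blob[off + 4:off + 8])
    return port, ip


def judge(old, new, expected_changed_bytes=2):
    """Decide whether a regeneration changed only what the parameter edit should have.

    A port-only change touches exactly the two port bytes and nothing else; a
    length change or more changed bytes means more was regenerated than intended.
    """
    ranges = changed_ranges(old, new)
    changed = sum(end - start for start, end in ranges)
    return {
        "length_delta": len(new) - len(old),
        "ranges": ranges,
        "changed_bytes": changed,
        "old_endpoint": decode_sockaddr_in(old),
        "new_endpoint": decode_sockaddr_in(new),
        "ok": len(new) == len(old) and changed <= expected_changed_bytes,
    }


if __name__ == "__main__":
    for label, new in [("port only", NEW_PORT_ONLY), ("regenerated", NEW_REGEN)]:
        print(f"== {label}")
        print(cmp_l_text(OLD, new))
        print(judge(OLD, new))
```

For the port-only pair the report is one two-byte range at offset 4 and a clean ok; for the regenerated blob it is a six-byte range covering port and IP plus three bytes of extra length, which is the "you regenerated more than you think" case. Because the decode reads at the recorded anchor rather than searching, a moved anchor fails loudly instead of quietly decoding the wrong bytes, which settles the "did the tail change or the middle" argument without a screenshot.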