visual binary
There is something appealing about thinking of binary data as having "primitives." If this is true, they should have patterns, and we should be able to distinguish these primitives visually, in the same way we distinguish color primitives like red and blue. Enter binvis. The human brain is good at spotting patterns and reasoning visually, so this technique is claimed to be more intuitive than reading hex dumps.
Do I Look Like I Know What a JPG Is?
Let's take a look at three JPGs, put through binvis...

These look... similar... but let's compare them to a PNG.

Still looks mostly the same, but a pattern emerges. Let's compare this to another primitive: text.

All blue. Okay, we see a pattern: in the JPGs' binvis output there is what appears to be a header followed by the actual image data. Text is a sea of blue. We can assume ELF files, code, and compressed data all have their own patterns too.
Sniffing for Text
Let's hide some text in a BMP image, then see if we can visually find this text using binvis.
First, let's look at the binvis output of the BMP before we modify it.

There is a very clear pattern to this data, so it becomes our baseline for the BMP image primitive.
We can hide the hex sequence 66 6C 61 67 7B 6E 6F 77 5F 79 6F 75 5F 73 65 65 5F 6D 65 7D somewhere in the file, which is just ASCII flag{now_you_see_me}.

If we check the BMP in binvis again, we'll see an aberration in the pattern—a small blue island—which is our flag. The patterns of two different binary primitives clash!

The flag is small and visually makes little impact, so it would be easy to miss. However, this is a very trivial example: embedding a lot of text in the image would cause a much larger visual disruption, and most data you'd want to hide is larger than a couple of bytes.
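The same check done in code, as an added example that is not part of the original post or of binvis: the byte classes mirror binvis's colouring (the class names are my own), the BMP is constructed, and `text_islands` flags the window where the hidden flag's printable bytes break the pixel data's pattern.

```python
"""Text-mode binvis: classify bytes the way binvis colours them, render a
density strip, and flag windows where printable text shows up in BMP pixel
data that otherwise has none.  Constructed example, not binvis's own code."""
import struct

def byte_class(b: int) -> str:
    """Four classes matching binvis's byteclass colouring (names assumed)."""
    if b == 0x00:
        return "zero"     # black
    if b == 0xFF:
        return "high"     # white
    if 0x20 <= b <= 0x7E:
        return "ascii"    # blue: printable text
    return "binary"       # red: everything else

def ascii_fraction(chunk: bytes) -> float:
    return sum(byte_class(b) == "ascii" for b in chunk) / len(chunk)

def render_strip(data: bytes, window: int = 64) -> str:
    """One character per window; darker means more printable ASCII (the 'blue')."""
    shades = " .:-=+*#%@"
    return "".join(shades[min(9, int(ascii_fraction(data[o:o + window]) * 10))]
                   for o in range(0, len(data), window))

def text_islands(data: bytes, window: int = 64, threshold: float = 0.25) -> list:
    """Offsets of windows whose ASCII fraction exceeds the threshold."""
    return [o for o in range(0, len(data), window)
            if ascii_fraction(data[o:o + window]) > threshold]

def make_bmp(width: int = 64, height: int = 32) -> bytes:
    """Constructed 24-bit BMP: real 14+40 byte headers, dark pixels whose bytes
    all fall below 0x20, so the pixel payload has no printable bytes at all.
    width*3 is a multiple of 4, so rows need no padding."""
    pixels = bytes((x * 7 + y * 13) % 0x20 for y in range(height) for x in range(width * 3))
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

def hide(data: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite bytes at offset with payload, as in the post's embedding step."""
    return data[:offset] + payload + data[offset + len(payload):]

if __name__ == "__main__":
    clean = make_bmp()
    stego = hide(clean, b"flag{now_you_see_me}", 2054)
    print(render_strip(clean))
    print(render_strip(stego))
    print("islands:", text_islands(stego))   # [2048]
```

The header window lights up faintly (a few printable bytes such as "BM" and small length fields), which is the header-versus-data distinction the JPG comparison above shows; the flag window is the only one that crosses the threshold.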
Additional Thoughts
How do we defeat a tool like this? Camouflage, possibly. When embedding one primitive inside another, it may be possible to encode the hidden data as the host primitive, or to align it so that it matches the pattern of the host primitive.
Citations
- A Visual Study of Primitive Binary Fragment Types, July 4, 2010
- Visual Reverse Engineering of Binary and Data Files
Tools
- imhex - https://imhex.werwolv.net/
- binvis - https://binvis.io/
As an offhand note:
I wanted to make a research blog, but then only ever made one post. So I'm going to make an effort to summarize some papers once in a while under the tag "page turner".