How to binary file headers: a technical reference for developers
- Step 1Open the file in the inspector — Drop the binary. The inspector renders offsets in hex, bytes in hex pairs, and ASCII in the sidebar — the standard xxd layout.
- Step 2Cross-reference with the spec — Use the offset column to locate specific fields. For a PNG, offset 0x08 is the IHDR chunk length; offset 0x0C starts the IHDR type signature (49 48 44 52 = 'IHDR').
- Step 3Note anomalies for further investigation — Fields that deviate from specification — wrong magic bytes at a sub-format offset, unexpected non-null padding — indicate corruption, modification, or deliberate obfuscation.
Frequently asked questions
What is the PE 'e_lfanew' field?+
A DWORD at offset 0x3C in the MZ/DOS header that stores the file offset of the PE signature. Its value varies per file; always follow it dynamically rather than hardcoding offset 0x80.
Why do ZIP files sometimes start at a non-zero offset?+
ZIP end-of-central-directory records are at the end of the file, not the start. Self-extracting archives prepend an executable stub, so the PK magic bytes appear mid-file. The inspector shows these mid-file signatures in the annotated view.
How do I read a big-endian JPEG SOI marker?+
JPEG starts with FF D8 (SOI marker) — always big-endian at offset 0. Subsequent APP markers follow: FF E0 for JFIF, FF E1 for EXIF. The two-byte length field after each marker is also big-endian.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.