# how to search for a pattern in a binary

## Recommended Posts

Hello!

What is the "official" (i.e., probably also the most efficient) way to search for a (fixed) pattern in a binary (e.g., for a null byte)

Just looking for it within a for-loop which runs over every byte of the binary is *not* really efficient...

Converting the binary into a string (in order to apply the appropriate string functions) does not work either as the binary contains null bytes.

Is there a better way?

Thanks in advance for any hint

Kind regards,

Andreas Rozek

##### Share on other sites

an alternative would be to convert the binary into a string with the hexadecimal representation of all the bytes and looking for the relevant hexdecimal pattern. The problem here would be: how to I convince StringInStr or StringRegExp, resp., to take care of the byte boundaries?

My current idea would be to use a "trial-and-error" approach:

- look for the pattern

- check if the pattern starts at an odd position

- if not, try again

- if so, be happy...

Is there a better way?

Kind regards,

Andreas Rozek

##### Share on other sites

Well,

as I did not find a solution in the forum, I made one myself:

```func HexToString (\$Argument)
return BinaryToString(Binary(\$Argument),1)       ; requires the leading "0x"
endfunc

func StringInHex (\$Haystack, \$Needle, \$Offset = 3)
if (\$Offset < 3) then return 0                ; always skip the leading "0x"

\$Needle = StringTrimLeft(StringToHex(\$Needle),2)
while true
local \$Match = StringRegExp(\$Haystack,\$Needle,1,\$Offset)
if (@error <> 0) then return 0                ; \$needle cound not be found

local \$Position = @extended-StringLen(\$Needle)  ; where was \$needle found?
if (BitAnd(\$Position,0x01) = 1) then     ; only odd positions can be valid
return \$Position
else
\$Offset = \$Position+1                         ; try again, starting here
endif
wend
endfunc

func StringToHex (\$Argument)
return String(StringToBinary(\$Argument,1))  ; also delivers the leading "0x"
endfunc```

I now use the hexadecimal representation of a binary to search within. As the pattern to search for now also has to be hexadecimal, I made StringToHex() (and HexToString() for symmetry reasons) and use that for the actual search function StringInHex() (which converts the string automatically and also takes care of "false positives" that do not start at byte boundaries) The result of StringToHex() gives the position within the hexadecimal representation, not within the binary itself.

Is there a better (i.e., more direct) solution?

Kind regards,

Andreas Rozek

Edited by Rozek

## Create an account

Register a new account

×

• Wiki

• Back

• Git