how to search for a pattern in a binary

Hello!

What is the "official" (i.e., probably also the most efficient) way to search for a (fixed) pattern in a binary (e.g., for a null byte)?

Just looking for it within a for-loop which runs over every byte of the binary is *not* really efficient...

Converting the binary into a string (in order to apply the appropriate string functions) does not work either as the binary contains null bytes.

Is there a better way?

Thanks in advance for any hint

Kind regards,

Andreas Rozek


Just as an additional remark:

an alternative would be to convert the binary into a string with the hexadecimal representation of all the bytes and look for the relevant hexadecimal pattern. The problem here would be: how do I convince StringInStr or StringRegExp, resp., to take care of the byte boundaries?

My current idea would be to use a "trial-and-error" approach:

- look for the pattern

- check if the pattern starts at an odd position

- if not, try again

- if so, be happy...

Is there a better way?

Kind regards,

Andreas Rozek


Well,

as I did not find a solution in the forum, I made one myself:

func HexToString ($Argument)
  return BinaryToString(Binary($Argument),1)       ; requires the leading "0x"
endfunc

func StringInHex ($Haystack, $Needle, $Offset = 3)
  if ($Offset < 3) then return 0                ; always skip the leading "0x"

  $Needle = StringTrimLeft(StringToHex($Needle),2)
  while true
    local $Match = StringRegExp($Haystack,$Needle,1,$Offset)
    if (@error <> 0) then return 0                ; $Needle could not be found

    local $Position = @extended-StringLen($Needle)  ; where was $Needle found?
    if (BitAnd($Position,0x01) = 1) then     ; only odd positions can be valid
      return $Position
    else
      $Offset = $Position+1                         ; try again, starting here
    endif
  wend
endfunc

func StringToHex ($Argument)
  return String(StringToBinary($Argument,1))  ; also delivers the leading "0x"
endfunc

I now use the hexadecimal representation of a binary to search within. As the pattern to search for now also has to be hexadecimal, I made StringToHex() (and HexToString() for symmetry reasons) and use that for the actual search function StringInHex() (which converts the string automatically and also takes care of "false positives" that do not start at byte boundaries). The result of StringToHex() gives the position within the hexadecimal representation, not within the binary itself.

Is there a better (i.e., more direct) solution?

Kind regards,

Andreas Rozek

Edited by Rozek
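The byte-boundary problem discussed in this thread, as an added example in Python (not AutoIt and not code from any of the posts): it shows a hex-text search hitting a match that straddles two bytes, the alignment check that rejects it, and the conversion from hex position to byte offset, checked against a direct byte search. All function names and the sample bytes are constructed for illustration.

```python
def naive_hex_find(data: bytes, needle: bytes) -> int:
    """Unchecked hex-text search: 0-based hex index of the first hit, aligned or not."""
    return data.hex().find(needle.hex())


def find_aligned_in_hex(data: bytes, needle: bytes, start_byte: int = 0) -> int:
    """Search the hex text of data, accepting only hits on a byte boundary.

    Returns the 0-based byte offset, or -1 if the pattern is absent.
    """
    if not needle:
        raise ValueError("empty needle")
    hay_hex = data.hex()          # no "0x" prefix, two hex digits per byte
    needle_hex = needle.hex()
    pos = hay_hex.find(needle_hex, 2 * start_byte)
    while pos != -1:
        # 0-based index without prefix: even = start of a byte. (With a
        # leading "0x" and 1-based positions, the valid ones are odd.)
        if pos % 2 == 0:
            return pos // 2       # hex index -> byte offset
        pos = hay_hex.find(needle_hex, pos + 1)   # misaligned, keep looking
    return -1


def find_all(data: bytes, needle: bytes) -> list:
    """All byte offsets of needle, using a direct byte search (null bytes are fine)."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


# Constructed sample: the bytes a1 23 4b contain the hex digits "1234"
# across byte boundaries, so an unchecked hex search reports a false hit.
SAMPLE = bytes.fromhex("10 00 a1 23 4b 00 12 34 00")
NEEDLE = bytes.fromhex("12 34")

if __name__ == "__main__":
    print("unchecked hex index:", naive_hex_find(SAMPLE, NEEDLE))
    print("aligned byte offset:", find_aligned_in_hex(SAMPLE, NEEDLE))
    print("direct byte offset: ", SAMPLE.find(NEEDLE))
    print("null bytes at:      ", find_all(SAMPLE, b"\x00"))
```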