Searching through a hex dump using regex in Vim (or elsewhere)

Question

I’m looking for a way to search for the text representation of a series of hexadecimal numbers. I search in the hex dump of a binary file that looks like so:

Answer 1

Well it seems none of the more elegant solutions have worked for you so here:

\v03(\n[^:]+:)? 28(\n[^:]+:)? 0B(\n[^:]+:)?

Yeah, it's copy pasted and super brute forcy but it'd look so much better if I could get friggin backreferences to work.

Just type '/' then copy that pattern in and hit enter, replace 03 28 0B with whatever you need followed by space, new value, then the parenthetical statement. There's roughly a 100% chance there's something better, but I can't think of it.

This will match the memory location as well, but that shouldn't matter if all you want to do is take a peek.

Edit: Forgot about \v

Answer 2

Let me propose the following mappings that take a number of hex digits from user input or visual selection, create appropriate pattern, and start a search for it.

nnoremap <silent> <expr> <leader>x/ SearchHexBytes('/', 0)
nnoremap <silent> <expr> <leader>x? SearchHexBytes('?', 0)
vnoremap <silent> <leader>x/ :call SearchHexBytes('/', 1)<cr>/<cr>
vnoremap <silent> <leader>x? :call SearchHexBytes('?', 1)<cr>?<cr>

function! SearchHexBytes(dir, vis)
    if a:vis
        let [qr, qt] = [getreg('"'), getregtype('"')]
        norm! gvy
        let s = @"
        call setreg('"', qr, qt)
    else
        call inputsave()
        let s = input(a:dir)
        call inputrestore()
    endif
    if s =~ "[^ \t0-9A-Fa-f]"
        echohl Error | echomsg 'Invalid hex digits' | echohl None
        return
    endif
    let @/ = join(split(s, '\s\+'), '\%(\s*\|\n0x\x\+:\s*\)')
    return a:dir . "\r"
endfunction

Answer 3

You can use PSPad which has a built-in HEX Editor and HEX search. Just open your original binary file, switch to HEX Editor and search for your sequence.