user772225

How to search through a hex dump using regexes in Vim (or elsewhere)?

I’m looking for a way to search for the text representation of a series of hexadecimal numbers in the hex dump of a binary file that looks like so:

0x000001A0: 36 5B 09 76 99 31 55 09 78 99 34 51 49 BF E0 03
0x000001B0: 28 0B 0A 03 0B E0 07 28 0B 0A 03 0B 49 58 09 35

The issue is that the pattern may roll over onto the next line. For instance, in the above two lines, I wouldn’t be able to immediately search for 03 28 0B because it spans two lines.

I have been told in a recent posting that regex is the way to go, but I’m unfamiliar with it and do not know what to use: Notepad++, Vim, Word, or anything else.

Edit 1: The text file that shows the above was derived from a binary file, and I can use Notepad++.

Edit 2: To give an example, say I'm trying to get as close to 11:45:00 (military time) as possible. 03 28 0B 0A 03 0B scattered over the two lines above, can be read as “3 seconds, 40 minutes, 11 hours on the 10th day of March 2011”. I'm looking for a way to go through this file to find how close I can get to 11:45:00.

Upvotes: 2

Views: 527

Answers (3)

ib.

Reputation: 28944

Let me propose the following mappings that take a number of hex digits from user input or visual selection, create an appropriate pattern, and start a search for it.

nnoremap <silent> <expr> <leader>x/ SearchHexBytes('/', 0)
nnoremap <silent> <expr> <leader>x? SearchHexBytes('?', 0)
vnoremap <silent> <leader>x/ :<c-u>call SearchHexBytes('/', 1)<cr>/<cr>
vnoremap <silent> <leader>x? :<c-u>call SearchHexBytes('?', 1)<cr>?<cr>

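function! SearchHexBytes(dir, vis)
    if a:vis
        " Yank the visual selection, then restore the unnamed register.
        let [qr, qt] = [getreg('"'), getregtype('"')]
        norm! gvy
        let s = @"
        call setreg('"', qr, qt)
    else
        " Prompt for the hex bytes, e.g. 03 28 0B.
        call inputsave()
        let s = input(a:dir)
        call inputrestore()
    endif
    if s =~ "[^ \t0-9A-Fa-f]"
        echohl Error | echomsg 'Invalid hex digits' | echohl None
        " Return an empty string so the <expr> mappings do nothing.
        return ''
    endif
    " Between bytes allow either whitespace or a line break followed by
    " the next line's 0x...: address prefix.
    let @/ = join(split(s, '\s\+'), '\%(\s*\|\n0x\x\+:\s*\)')
    return a:dir . "\r"
endfunction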

Upvotes: 1

Andrey Adamovich

Reputation: 20663

You can use PSPad which has a built-in HEX Editor and HEX search. Just open your original binary file, switch to HEX Editor and search for your sequence.

Upvotes: 0

NorthGuard

Reputation: 963

Well, it seems none of the more elegant solutions have worked for you, so here:

\v03(\n[^:]+:)? 28(\n[^:]+:)? 0B(\n[^:]+:)?

Yeah, it's copy pasted and super brute forcy but it'd look so much better if I could get friggin backreferences to work.

Just type '/' then copy that pattern in and hit enter, replace 03 28 0B with whatever you need followed by space, new value, then the parenthetical statement. There's roughly a 100% chance there's something better, but I can't think of it.

This will match the memory location as well, but that shouldn't matter if all you want to do is take a peek.

Edit: Forgot about \v

Upvotes: 1
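For the "or elsewhere" route, here is an added example (not part of any post above): a Python script that parses the dump back into bytes, so a pattern that wraps onto the next line matches like any other, and that ranks time-of-day candidates by distance from 11:45:00. The record layout (second, minute, hour, day, month, year minus 2000) is an assumption taken from the question's Edit 2, and the function names are hypothetical.

```python
import re

# Constructed sample: the two dump lines quoted in the question.
DUMP = """\
0x000001A0: 36 5B 09 76 99 31 55 09 78 99 34 51 49 BF E0 03
0x000001B0: 28 0B 0A 03 0B E0 07 28 0B 0A 03 0B 49 58 09 35
"""
LINE = re.compile(r"^\s*0x([0-9A-Fa-f]+):((?:\s+[0-9A-Fa-f]{2})+)\s*$")

def flatten(dump):
    """Parse '0xADDR: BB BB ...' lines into (base_offset, bytes)."""
    base, data = None, bytearray()
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or non-dump lines
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(data):  # offsets would be wrong after a gap
            raise ValueError(f"gap or overlap at 0x{addr:08X}")
        data += bytes.fromhex(m.group(2))
    return base or 0, bytes(data)

def find_all(dump, hex_pattern):
    """File offsets of every occurrence of the pattern, line breaks ignored."""
    base, data = flatten(dump)
    needle = bytes.fromhex(hex_pattern)
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(base + i)
        i = data.find(needle, i + 1)
    return hits

def closest_times(dump, target=(11, 45, 0)):
    """Candidates as (seconds_from_target, offset, text), nearest first."""
    base, data = flatten(dump)
    want = target[0] * 3600 + target[1] * 60 + target[2]
    found = []
    for i in range(len(data) - 5):
        s, mi, h, d, mo, y = data[i:i + 6]  # assumed field order (Edit 2)
        # Range checks only: a plausible-looking window can still be noise.
        if s < 60 and mi < 60 and h < 24 and 1 <= d <= 31 and 1 <= mo <= 12 and y < 100:
            text = f"20{y:02d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}"
            found.append((abs(h * 3600 + mi * 60 + s - want), base + i, text))
    return sorted(found)

if __name__ == "__main__":
    print([hex(o) for o in find_all(DUMP, "03 28 0B")])
    for delta, off, text in closest_times(DUMP):
        print(f"0x{off:08X}  {text}  ({delta} s from target)")
```

On the sample, the third candidate decodes to a date in 2073, which shows that range checks alone admit false positives; treat the ranking as a shortlist to verify against the record structure.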
