Searching and replacing in CI Hex Viewer

The data search and replace function is as important for work in hexadecimal editor as in any other data editor of any kind: you should easily find yourself in a huge amount of hexadecimal digits. For this purpose, CI Hex Viewer offers multiple search possibilities and simultaneous replace. In this article, we give examples of how you can use advantages and possibilities of the data search and replace tool.

---

The program offers three possible search variants: search of textual values in the text field, search of hexadecimal values in the hexadecimal field and advanced search of hexadecimal values in the hexadecimal field.

To activate the search tool press Find data in the tool bar for data viewing.

Text search serves for a fast search of values in the textual data area. In this article, we give an example of a damaged .pdf file. Our task is to get all possible objects contained in this file. As we search for the objects by their names, the text search is the best to fit our task.

While setting search parameters we select Text in the Search as field. Then we set the name of the necessary object into the Search for field and opt for Down in the search direction drop-down list with the cursor position at the beginning.

For a simultaneous search of several objects with the same names we activate the enumerate positions check box. To define the maximum number of positions to search for we use the maximum positions check box.

For a correct detection of the searched text value, you should select the right text encoding. In our case, it is UTF-8 Unicode.

To make the search more precise we activate the search is case sensitive box.

The program adds all positions with the found values to the list of marked positions. Using the Save button you can keep the search results for future use

or open the necessary position using Go to button.

Simple hexadecimal search serves to find hexadecimal data values in the hexadecimal program area. As an example, we take a .bmp file and check the values of hexadecimal fields in order to examine the data consistency. According to the .bmp-file structure, the field at position 0x08 must contain value 00.

For search in the simple hexadecimal mode, we select Hex values from the search as drop-down list. Then we enter the searched value 00 in the search for field and after all opt for down direction from the search direction drop-down list. For search at the defined position, we enable the corresponding check box where we enter position 8 of a 512-byte block.

With search at a fixed position, the program searches the values at the given position in every block of the set size. If the program doesn’t find necessary value in one block, it continues the search at the given position in the next block.

For a simultaneous search of the given values at several positions enable the enumerate positions check box and define the number of positions for search in the maximum positions field.

As the result of our search the value at the given position was found proving the intactness of data in this field.

With an advanced hexadecimal search you can precise the search pattern using a special syntax that allows finding data faster and more accurately. To activate the advanced search we select advanced hex search from the Search for drop-down list. The search pattern is made using the following symbols:

? – denotes any 4 bits of hexadecimal number (0?11 means any of 0011, 0111 .. 0F11). With „?“-symbol you can search hexadecimal values when not all hexadecimal digits are known. For example, we insert search pattern ?6 6F ?E 74.

The search results in combination of hexadecimal digits matching the searched data values.

*N* - any N bytes (*12* means any 12 bytes). The *_*-limitation allows searching hexadecimal values by search pattern start and end, leaving out the middle of the pattern with the given number of bytes. For example, „46“ is an object name start, „65“ – object name end and *6* - the number of bytes to be omitted in the search pattern.

The search results in the necessary combination of bytes matching the searched data.

!B! – value that is NOT “B” (!0! means “not zero”; !ff! means “not ff”. The !_!-limitation allows omitting unnecessary hexadecimal values from the search (e.g. empty areas of a hard drive). With the cursor at the disk end empty area we select Up as the search direction and enter !00! or !0! into the search for field.

The search results in the first non-zero value in the disk area.

{B1,B2...} – enumeration of valid bytes, e.g. {00,?1,1f} means 0, any of 01…F1 or 1F. This search function allows adding several values to the data search. In our example, we search for the word “Font”, which can be both in capital and small letters and both included into the search at the same time. We add and enumerate corresponding hexadecimal values to search.

The search results in all variants of writing the letter „F‘, capital with value 46

and small with value 66.

{??, !B2!...} – special case of „except“ enumeration (byte matches first, but not second…). This function allows inserting a search pattern, where all necessary values are enlisted and unnecessary are omitted. In our example, the program leaves out all small “f”-letters after we have given the search value {46,!66!}.

The search results in finding all capital „F“-letters.

's' – specifies ASCII string ('str' will mean 73 74 72). This function allows searching of text values in a one-byte ASCII encoding. We enter 'Font' in this example.

As a result, we get the corresponding text value for „Font“, encoded with one-byte ASCII.

“s” – specifies Unicode string (“str” 73 00 74 00 72 00). This function allows finding text values in a two-byte Unicode encoding. For example, we enter the value “With”.

As a result, we get the two-byte encoded text value „W.i.t.h” with the corresponding hexadecimal value „57 00 69 00 74 00 68 00“.

`s` - specifies UTF-8 string (the same as ASCII, but encodes “localized” symbols to UTF-8. This function allows searching multiple-byte values and words with a mixed encoding or in a local computer language. For example, in case of a file with a Cyrillic font we enter `текстовий` into the search string.

The program sets the cursor at start of the found value.

The symbols „+”- and „-„ denote, if the search is case sensitive or not. In our example, we enter +’Font’ to find the results with capital letters only. To include both variants we can enter - ’Font’.

As a result, we get only capital letters with +’Font’.

The search for +’font’ gave no results.

To activate the data search and replace tool press Find and replace button in the data-editing mode.

The search function in the replace tool has the same setting options as in the data-viewing mode. For replacing the searched values, we use the Replace with bytes field. For example, we replace the word stream in the .pdf file with corresponding hexadecimal values for marker. For this, we enter the word to be replaced in the search for field and the set of bytes to replace it with in the replace with bytes field. For instant replacing of all search matches, we activate the replace all pattern occurrences check box.

When the software finds the searched data pattern, it offers three possible options to handle the search result: to replace the occurrence, to skip the occurrence and stop the search.

The search with instant replacement of all pattern occurrences changes all data values at once.

The examples given above have illustrated the search variants available in the program and the ways of setting the search parameters to get the best result. The search and replace tool are combined into one in the edit mode in order to search for the necessary values and replace them at once.