DEV Community: Antonio Davide The latest articles on DEV Community by Antonio Davide (@dax89). https://dev.to/dax89 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F578088%2Fabbc6aba-15c9-42a5-83cf-1f70b28ca0c6.jpg DEV Community: Antonio Davide https://dev.to/dax89 en Hunting strings in binary files Antonio Davide Mon, 02 Mar 2026 14:30:10 +0000 https://dev.to/dax89/hunting-strings-in-binary-files-4al9 https://dev.to/dax89/hunting-strings-in-binary-files-4al9 <p>Let's suppose we want to analyze an unknown file in order to get some information about its content.<br> In binary analysis, everything begins by looking for strings because they are the only human readable data stored there.</p> <p>Strings? What could go wrong?<br> Let's see!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>This post will explore the ASCII Character Set only </code></pre> </div> <h2> Strategy #1: contiguous alphanumeric characters </h2> <p>We can assume that a contiguous series of alphanumeric characters is a valid string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;ctype.h&gt;</span><span class="cp"> </span> <span class="kt">void</span> <span class="nf">print_strings</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">end</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">len</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">isalnum</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// we found an alphanumeric character</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">start</span> <span class="o">=</span> <span class="n">s</span><span class="p">;</span> <span class="c1">// save the start position</span> <span class="c1">// continue scanning until end or non-alphanumeric</span> <span class="c1">// character is found</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span> <span class="o">&amp;&amp;</span> <span class="n">isalnum</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="c1">// we found a string, calculate its length and print it</span> <span class="kt">int</span> <span class="n">n</span> <span class="o">=</span> <span class="n">s</span> <span class="o">-</span> <span class="n">start</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%.*s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">n</span><span class="p">,</span> <span class="n">start</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="c1">// non-alphanumeric, go ahead...</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This code works fine but there are few issues:</p> <ol> <li>punctuation marks are invalid.</li> <li>whitespaces are invalid, this breaks detection and gives too many results.</li> <li>single characters are detected as valid strings.</li> </ol> <h2> Strategy #2: improved detection </h2> <p>Let's begin to define some rules:</p> <ol> <li>the character's range <code>A-Za-z0-9</code>, whitespaces and all punctuations are valid.</li> <li>strings longer than a certain value are valid. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;ctype.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdbool.h&gt;</span><span class="cp"> </span> <span class="c1">// strings with &gt;= 4 characters are valid</span> <span class="cp">#define MIN_STRING_LENGTH 4 </span> <span class="k">static</span> <span class="kr">inline</span> <span class="n">bool</span> <span class="nf">is_char_valid</span><span class="p">(</span><span class="kt">char</span> <span class="n">ch</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">isspace</span><span class="p">(</span><span class="n">ch</span><span class="p">)</span> <span class="o">||</span> <span class="n">isalnum</span><span class="p">(</span><span class="n">ch</span><span class="p">)</span> <span class="o">||</span> <span class="n">ispunct</span><span class="p">(</span><span class="n">ch</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">print_strings</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">end</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">len</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">is_char_valid</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// validate the character</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">start</span> <span class="o">=</span> <span class="n">s</span><span class="p">;</span> <span class="c1">// continue scanning until end or</span> <span class="c1">// an invalid character is found</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span> <span class="o">&amp;&amp;</span> <span class="n">is_char_valid</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="c1">// did we find a valid string?</span> <span class="kt">int</span> <span class="n">n</span> <span class="o">=</span> <span class="n">s</span> <span class="o">-</span> <span class="n">start</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="n">n</span> <span class="o">&gt;=</span> <span class="n">MIN_STRING_LENGTH</span><span class="p">)</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%.*s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">n</span><span class="p">,</span> <span class="n">start</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="c1">// non-alphanumeric, go ahead...</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>and this is the output from my sample executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TextOutA StartPage EndDoc DeleteObject DeleteDC GetSaveFileNameA GetOpenFileNameA PrintDlgA crackme.EXE WndProc 030=0F0K0X0i0o0y0}0 1)0-0 2)242 2P3U3l3q3 4$4*40464&lt;4B4H4N4T4Z4`4f4l4r4x4~4 5 5&amp;5,52585&gt;5D5J5P5V5\5b5h5n5 wwww wwwx wwwwwww wwwww TDDDDDDX DDDDDDDDDDDDDDDDTDDDDDDDDDDDU </code></pre> </div> <p>This is much better: whitespaces are now part of the strings and punctuations are accepted!<br> But as you can see, there are still gibberish strings mixed with valid ones.</p> <h2> Strategy #3: real world strings </h2> <p>Now the question is: how can we improve the detection algorithm in order to reduce false positives?<br> I did various tests and came to a conclusion that a string should be <br> considered gibberish if:</p> <ol> <li>there are more numbers or punctuations than alphabetic characters.</li> <li>one character dominates the string (eg. "aaaaaa").</li> <li>shannon entropy is below 2 </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Shannon entropy handles case 2 as well. Strings like "aaaaaa" have entropy 0' </code></pre> </div> <p>Also, we will do some refinements to our <code>is_char_valid()</code> function in order to become granular.<br> Instead of using <code>ctype.h</code> functions we check ASCII values ourself with the help of the <a href="https://www.asciitable.com" rel="noopener noreferrer">ASCII table</a>, we will also exclude <code>`</code> and <code>~</code> because are not very common characters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;math.h&gt;</span><span class="cp"> </span> <span class="cp">#define MIN_STRING_LENGTH 4 #define MAX_CHARS 256 #define CHARS_FREQ 0.7 // 70% #define MIN_ENTROPY 2.0 </span> <span class="k">static</span> <span class="kr">inline</span> <span class="n">bool</span> <span class="nf">is_char_valid</span><span class="p">(</span><span class="kt">char</span> <span class="n">c</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// whitespace and punctuation characters...</span> <span class="k">if</span><span class="p">(</span><span class="n">c</span> <span class="o">==</span> <span class="sc">' '</span> <span class="o">||</span> <span class="p">(</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">'!'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'/'</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">':'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'@'</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">'{'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'}'</span><span class="p">))</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="c1">// ...numbers...</span> <span class="k">if</span><span class="p">(</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">'0'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'9'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="c1">// ...lowercase and uppercase letters...</span> <span class="k">if</span><span class="p">((</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">'a'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'z'</span><span class="p">)</span> <span class="o">||</span> <span class="p">(</span><span class="n">c</span> <span class="o">&gt;=</span> <span class="sc">'A'</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'Z'</span><span class="p">))</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="kt">double</span> <span class="nf">entropy</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">frequency</span><span class="p">[</span><span class="n">MAX_CHARS</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">len</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="n">frequency</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span><span class="o">++</span><span class="p">;</span> <span class="kt">double</span> <span class="n">e</span> <span class="o">=</span> <span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">MAX_CHARS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">frequency</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="p">{</span> <span class="kt">double</span> <span class="n">prob</span> <span class="o">=</span> <span class="n">frequency</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">/</span> <span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">len</span><span class="p">;</span> <span class="n">e</span> <span class="o">-=</span> <span class="n">prob</span> <span class="o">*</span> <span class="n">log2</span><span class="p">(</span><span class="n">prob</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">e</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="n">bool</span> <span class="nf">is_gibberish</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// strings smaller than threshold are gibberish</span> <span class="k">if</span><span class="p">(</span><span class="n">len</span> <span class="o">&lt;</span> <span class="n">MIN_STRING_LENGTH</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="kt">int</span> <span class="n">chars</span><span class="p">[</span><span class="n">MAX_CHARS</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="c1">// count character's occurrences</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">len</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="n">chars</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span><span class="o">++</span><span class="p">;</span> <span class="kt">int</span> <span class="n">nalpha</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// count lowercase characters</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span> <span class="o">=</span> <span class="sc">'a'</span><span class="p">;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'z'</span><span class="p">;</span> <span class="n">c</span><span class="o">++</span><span class="p">)</span> <span class="n">nalpha</span> <span class="o">+=</span> <span class="n">chars</span><span class="p">[</span><span class="n">c</span><span class="p">];</span> <span class="c1">// count uppercase characters</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span> <span class="o">=</span> <span class="sc">'A'</span><span class="p">;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'Z'</span><span class="p">;</span> <span class="n">c</span><span class="o">++</span><span class="p">)</span> <span class="n">nalpha</span> <span class="o">+=</span> <span class="n">chars</span><span class="p">[</span><span class="n">c</span><span class="p">];</span> <span class="c1">// check if there are enough alphabetic characters</span> <span class="k">if</span><span class="p">(</span><span class="n">nalpha</span> <span class="o">/</span> <span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">len</span> <span class="o">&lt;</span> <span class="n">CHARS_FREQ</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="c1">// catch strings like "aaaaaa" and other junk</span> <span class="k">return</span> <span class="n">entropy</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">len</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">MIN_ENTROPY</span><span class="p">;</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">print_strings</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">end</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">len</span><span class="p">;</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">is_char_valid</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// validate the character</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">start</span> <span class="o">=</span> <span class="n">s</span><span class="p">;</span> <span class="c1">// continue scanning until end or </span> <span class="c1">// an invalid character is found</span> <span class="k">while</span><span class="p">(</span><span class="n">s</span> <span class="o">&lt;</span> <span class="n">end</span> <span class="o">&amp;&amp;</span> <span class="n">is_char_valid</span><span class="p">(</span><span class="o">*</span><span class="n">s</span><span class="p">))</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="kt">int</span> <span class="n">len</span> <span class="o">=</span> <span class="n">s</span> <span class="o">-</span> <span class="n">start</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="n">is_gibberish</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">len</span><span class="p">))</span> <span class="c1">// did we find a string?</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%.*s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">len</span><span class="p">,</span> <span class="n">start</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="c1">// non-alphanumeric, go ahead...</span> <span class="n">s</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Here is the output of the same file of the previous chapter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>This program must be run under Win32 CODE .idata .edata @.reloc P.rsrc Try to crack me! No need to disasm the code! MENU REGIS ABOUT Good work! Great work, mate! Now try the next CrackMe! No luck! No luck there, mate! USER32.dll KERNEL32.dll COMCTL32.DLL COMDLG32.dll KillTimer GetSystemMetrics GetModuleHandleA ReadFile ExitProcess InitCommonControls CreateToolbarEx CreateToolbar TextOutA StartPage StartDocA GetTextMetricsA GetStockObject EndPage EndDoc DeleteObject DeleteDC GetSaveFileNameA GetOpenFileNameA PrintDlgA crackme.EXE WndProc </code></pre> </div> <p>There are still few gibberish strings, but it's a lot better than before!</p> <h2> Bonus strategy: special strings </h2> <p>So far so good, we have reduced the number of false positives and we are happy, but...<br> If we are going to look for strings in an executable file there are two particular kinds that don't really fit our detection algorithm:</p> <ul> <li>C-Style formatting patterns like <code>%s</code> and <code>%d</code> allow to find debug messages, logs and more.</li> <li>Strings surrounded by quotes and parenthesis.</li> </ul> <p>In these cases we can bypass our detection algorithm: we want to reduce the number of false positives but we don't need to be too aggressive and causing legal strings to be filtered out. </p> <p>We need to keep some balance.</p> <h3> 1: C-Style strings </h3> <p>We will build a table of valid formats and we compare the candidate string against them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">static</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">c_formats</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"%c"</span><span class="p">,</span> <span class="s">"%d"</span><span class="p">,</span> <span class="s">"%e"</span><span class="p">,</span> <span class="s">"%E"</span><span class="p">,</span> <span class="s">"%f"</span><span class="p">,</span> <span class="s">"%g"</span><span class="p">,</span> <span class="s">"%G"</span><span class="p">,</span> <span class="s">"%hi"</span><span class="p">,</span> <span class="s">"%hu"</span><span class="p">,</span> <span class="s">"%i"</span><span class="p">,</span> <span class="s">"%ld"</span><span class="p">,</span> <span class="s">"%li"</span><span class="p">,</span> <span class="s">"%lf"</span><span class="p">,</span> <span class="s">"%Lf"</span><span class="p">,</span> <span class="s">"%lu"</span><span class="p">,</span> <span class="s">"%lli"</span><span class="p">,</span> <span class="s">"%lld"</span><span class="p">,</span> <span class="s">"%llu"</span><span class="p">,</span> <span class="s">"%o"</span><span class="p">,</span> <span class="s">"%p"</span><span class="p">,</span> <span class="s">"%s"</span><span class="p">,</span> <span class="s">"%u"</span><span class="p">,</span> <span class="s">"%x"</span><span class="p">,</span> <span class="s">"%X"</span><span class="p">,</span> <span class="s">"%n"</span><span class="p">,</span> <span class="s">"%%"</span><span class="p">,</span> <span class="p">};</span> <span class="cp">#define N_FORMATS (sizeof(c_formats) / sizeof(*c_formats)) </span> <span class="k">static</span> <span class="n">bool</span> <span class="nf">check_cformat</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">N_FORMATS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">fmtlen</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">c_formats</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="k">if</span><span class="p">(</span><span class="n">fmtlen</span> <span class="o">==</span> <span class="n">len</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">strncmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">c_formats</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">fmtlen</span><span class="p">))</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> 2: Surrounded strings </h3> <p>It's pretty simple, we check if a string start and ends with a specific character, also, we will ignore surrounded empty strings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">static</span> <span class="n">bool</span> <span class="nf">validate_format</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="n">len</span> <span class="o">&lt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="c1">// ignore (), "", &lt;&gt;, ...</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">e</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// check if the string is surrounded</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'\''</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'\''</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'\"'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'\"'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'&lt;'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'&gt;'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'('</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">')'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'['</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">']'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'{'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'}'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Putting all together </h2> <p>Now it's time to adjust our <code>is_gibberish()</code> function to use our new <code>validate_format()</code>, I will skip all functions defined before for reading speed and keep focus only on changes needed, so look above if you need to look at them again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;math.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdbool.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdlib.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;string.h&gt;</span><span class="cp"> </span> <span class="cp">#define MIN_STRING_LENGTH 4 #define MAX_CHARS 256 #define CHARS_FREQ 0.7 // 70% #define MIN_ENTROPY 2.0 </span> <span class="k">static</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">c_formats</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"%c"</span><span class="p">,</span> <span class="s">"%d"</span><span class="p">,</span> <span class="s">"%e"</span><span class="p">,</span> <span class="s">"%E"</span><span class="p">,</span> <span class="s">"%f"</span><span class="p">,</span> <span class="s">"%g"</span><span class="p">,</span> <span class="s">"%G"</span><span class="p">,</span> <span class="s">"%hi"</span><span class="p">,</span> <span class="s">"%hu"</span><span class="p">,</span> <span class="s">"%i"</span><span class="p">,</span> <span class="s">"%ld"</span><span class="p">,</span> <span class="s">"%li"</span><span class="p">,</span> <span class="s">"%lf"</span><span class="p">,</span> <span class="s">"%Lf"</span><span class="p">,</span> <span class="s">"%lu"</span><span class="p">,</span> <span class="s">"%lli"</span><span class="p">,</span> <span class="s">"%lld"</span><span class="p">,</span> <span class="s">"%llu"</span><span class="p">,</span> <span class="s">"%o"</span><span class="p">,</span> <span class="s">"%p"</span><span class="p">,</span> <span class="s">"%s"</span><span class="p">,</span> <span class="s">"%u"</span><span class="p">,</span> <span class="s">"%x"</span><span class="p">,</span> <span class="s">"%X"</span><span class="p">,</span> <span class="s">"%n"</span><span class="p">,</span> <span class="s">"%%"</span><span class="p">,</span> <span class="p">};</span> <span class="cp">#define N_FORMATS (sizeof(c_formats) / sizeof(*c_formats)) </span> <span class="k">static</span> <span class="n">bool</span> <span class="nf">check_cformat</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">N_FORMATS</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">fmtlen</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">c_formats</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="k">if</span><span class="p">(</span><span class="n">fmtlen</span> <span class="o">==</span> <span class="n">len</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">strncmp</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">c_formats</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">fmtlen</span><span class="p">))</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="n">bool</span> <span class="nf">validate_format</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// !!! check c-style formatting first !!!</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'%'</span><span class="p">)</span> <span class="k">return</span> <span class="n">check_cformat</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span> <span class="c1">// ignore (), "", &lt;&gt;, ...</span> <span class="k">if</span><span class="p">(</span><span class="n">len</span> <span class="o">&lt;=</span> <span class="mi">2</span><span class="p">)</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">e</span> <span class="o">=</span> <span class="n">s</span> <span class="o">+</span> <span class="n">len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// check if the string is surrounded</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'\''</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'\''</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'\"'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'\"'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'&lt;'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'&gt;'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'('</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">')'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'['</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">']'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="o">*</span><span class="n">s</span> <span class="o">==</span> <span class="sc">'{'</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="n">e</span> <span class="o">==</span> <span class="sc">'}'</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">static</span> <span class="n">bool</span> <span class="nf">is_gibberish</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">s</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// we found a "special" string</span> <span class="k">if</span><span class="p">(</span><span class="n">validate_format</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">len</span><span class="p">))</span> <span class="k">return</span> <span class="nb">false</span><span class="p">;</span> <span class="c1">// strings smaller than threshold are gibberish</span> <span class="k">if</span><span class="p">(</span><span class="n">len</span> <span class="o">&lt;</span> <span class="n">MIN_STRING_LENGTH</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="kt">int</span> <span class="n">chars</span><span class="p">[</span><span class="n">MAX_CHARS</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="c1">// count repetitions</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">len</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="n">chars</span><span class="p">[(</span><span class="kt">int</span><span class="p">)</span><span class="n">s</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span><span class="o">++</span><span class="p">;</span> <span class="kt">int</span> <span class="n">nalpha</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// count lowercase characters</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span> <span class="o">=</span> <span class="sc">'a'</span><span class="p">;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'z'</span><span class="p">;</span> <span class="n">c</span><span class="o">++</span><span class="p">)</span> <span class="n">nalpha</span> <span class="o">+=</span> <span class="n">chars</span><span class="p">[</span><span class="n">c</span><span class="p">];</span> <span class="c1">// count uppercase characters</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span> <span class="o">=</span> <span class="sc">'A'</span><span class="p">;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="sc">'Z'</span><span class="p">;</span> <span class="n">c</span><span class="o">++</span><span class="p">)</span> <span class="n">nalpha</span> <span class="o">+=</span> <span class="n">chars</span><span class="p">[</span><span class="n">c</span><span class="p">];</span> <span class="c1">// check if there are enough alphabetic characters</span> <span class="k">if</span><span class="p">(</span><span class="n">nalpha</span> <span class="o">/</span> <span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="n">len</span> <span class="o">&lt;</span> <span class="n">CHARS_FREQ</span><span class="p">)</span> <span class="k">return</span> <span class="nb">true</span><span class="p">;</span> <span class="c1">// catch strings like "aaaaaa" and other junk</span> <span class="k">return</span> <span class="n">entropy</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">len</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">MIN_ENTROPY</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Final Thoughts </h2> <p>String detection is a fundamental piece of binary analysis, it allows you to get a general idea about the content of a binary file.<br> It also gives hints about compressed or obfuscated data because usually you will not find strings there and if you perform an entropy analysis of the file you can find a high value (entropy &gt;= 7).<br> We began from a simple alphanumeric scanning, code was working but we noticed lots of false positives.<br> We then made our valid character set stricter by removing some uncommon characters, added entropy analysis and finally introduced some special rules for C-style strings and surrounded strings.<br><br> Feel free to tune the algorithm to suit your needs, change constant values and so on!</p> c binary algorithms QHexView 5.1 Release (and a little bit of history) Antonio Davide Sun, 08 Feb 2026 17:12:33 +0000 https://dev.to/dax89/qhexview-51-release-and-a-little-bit-of-history-24e8 https://dev.to/dax89/qhexview-51-release-and-a-little-bit-of-history-24e8 <p>Almost ~10 years ago I began to write a little widget to display binary data for one of <a href="https://github.com/PREF/PREF" rel="noopener noreferrer">my old projects</a> (now in sleep state) and today for <a href="https://github.com/REDasmOrg/REDasm" rel="noopener noreferrer">my own disassembler</a>, after a while I decided to isolate its code and move it to a dedicated repository hoping it will be useful to other developers.<br> Over the years I received issues and pull requests from other developers that increased the widget's release to version 4.x.</p> <p>That's great right? Yes it was!</p> <p>But the code was becoming messy and time consuming to maintain, so in 2022 I've decided to rewrite the widget from scratch.<br> The development began with <a href="https://github.com/Dax89/QHexView/issues/71" rel="noopener noreferrer">a dedicated thread</a> where I notify all contributors in order to make this release tailored to our needs.</p> <h2> Today </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaiwdqitz2hhf2qbybel.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaiwdqitz2hhf2qbybel.png" alt="QHexView" width="730" height="560"></a>A very common hex view</p> <p>This widget is now at release 5.1 which sports a new, written from scratch, renderer (the main reason why I have done this new release) along with some nice features like:</p> <ol> <li>Builtin pattern matcher.</li> <li>Completely customizable rendering: it's possible to highlight bytes by their value and/or by offset range (even in real time thanks to delegates).</li> <li>Clipboard support for various formats (visual copy, hex copy, etc...).</li> <li>It's also possible to highlight patched bytes via <code>setTrackChanges()</code> method.</li> <li>And lots of other minor features, but it's too long to list them here.</li> </ol> <h2> Final Thoughts </h2> <p>Thanks to the user's feedback, QHexView evolved far beyond my goals, it reached its fifth major release, the code is manageable and I'm very happy about that!</p> <p>Repo: <a href="https://github.com/Dax89/QHexView" rel="noopener noreferrer">https://github.com/Dax89/QHexView</a><br> Changelog: <a href="https://github.com/Dax89/QHexView/releases/tag/v5.1.0" rel="noopener noreferrer">5.1.0</a></p> cpp qt opensource showdev