What would be a good regex for finding a DES key from a memory dump? I'm using Sysinternals Strings to open up a process dump from RAM and need to identify possible candidate keys (i.e. data that matches a 64-bit DES key).
I'm using Notepad and have used the following to find 8
[0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F] [0-9a-fA-F]
However, this returns results with 64 bits. It should only find strings with 8 hex values.
CodePudding user response:
You can visit olafneuman's website to generate a regex as per your needs. You just need to paste the text that you're trying to extract the content out of, and the tool suggests various areas from which you can generate a regex.
Simple and self-explanatory website: Regex Generator Olafneuman
Since you're new, as advice to get actual answers to your question: It would be good if you could add some example text, like what text you have in your memory dump and which part of it you need the regex for.
CodePudding user response:
It is hard to create a regex without having samples of the text. Based on your description, you could use the following regex:
(([A-Fa-f0-9]{2}){8})
- This regex will find pairs of A-Fa-f0-9, and
- Find 8 consecutive pairs (so you will get 8 hex numbers).
If you also have longer keys, you need to identify in your text how to differentiate them from the shorter ones you are interested in. Any string with more than 8 pairs of hex values by definition also has 8 pairs. Perhaps in your text, the ones you want finish with a dot, or have a space after them? Then you can add that to the regex I wrote above so you get only the ones of 8 hex values.
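An added example, not part of the answers above: one way to keep the 8-pair pattern from matching inside longer hex runs is to put lookarounds on both sides, then rank the hits by DES's per-byte odd parity. It assumes the Strings output holds keys as contiguous hex text; the parity check is only a ranking hint, since many implementations never set the parity bits, and `SAMPLE` is constructed data.

```python
import re

# Exactly 8 hex pairs (16 hex digits). The lookbehind/lookahead reject any
# match that is part of a longer run of hex digits, so a 32-digit value
# does not yield a spurious 16-digit hit.
CANDIDATE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){8}(?![0-9A-Fa-f])")


def has_odd_parity(key: bytes) -> bool:
    """True if every byte has an odd number of set bits (DES key parity)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def find_candidates(text: str) -> list[tuple[str, bool]]:
    """Return (hex_string, parity_ok) for each 64-bit candidate in text."""
    results = []
    for match in CANDIDATE.finditer(text):
        hex_string = match.group(0)
        results.append((hex_string, has_odd_parity(bytes.fromhex(hex_string))))
    return results


# Constructed sample resembling Strings output (not from a real dump).
SAMPLE = """\
session key=0123456789ABCDEF loaded
guid 00112233445566778899AABBCCDDEEFF
buf: 1122334455667788.
short DEADBEEF
"""

if __name__ == "__main__":
    for hex_string, parity_ok in find_candidates(SAMPLE):
        print(hex_string, "odd parity" if parity_ok else "parity not set")
```
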