[Feature] Hex wildcard '??' support in 'Replace'

[bangstk]

What feature would you like to see?

I would like to be able to use '??', which works in Find Binary Pattern, in the 'Replace' dialog as well in order to be able to modify instances of a matching pattern without altering the ?? wildcard bytes. Currently if '??' is present, nothing happens when the Replace button is pressed.

For example, for 2 matched instances '07 10 EB 05 01 90 77 02 00' and '07 10 AC DF 01 90 77 02 00' that could be among the matches above, the result of the above replace with wildcards would be '01 10 EB 05 01 90 77 02 00' and '01 10 AC DF 01 90 77 02 00', leaving the third and fourth bytes alone since they were matched via the wildcard.

I tried to do this with Regex Replace instead but I am having difficulty getting Regex to match hex data consistently. For instance "\x02\x90\x77\x02" is not finding any matches despite "02 90 77 02" appearing in the hex view over a hundred times.

How will this feature be useful to you and others?

One example where this could be useful is replacing a value in all instances of a certain struct that contains a certain memory address, without touching other fields of those structs.

Request Type

• I can provide a PoC for this feature or am willing to work on it myself and submit a PR

Additional context?

No response

[paxcut]

That's very strange that search allows wildcards for searching but not for replacing. Perhaps searching and replacing were not coded at the same time hence their differing feature capabilities. Not having wildcards as part of the replace set makes the search using wildcards a lot less useful since applying a replace set for some large group that has ?? as part of their match is not going to be possible unless you change all of them to be the same.

About using regular expressions for searching I don't think that trying to match bytes {0x02 ,0x90, 0x77,0x02} with string "\x02\x90\x77\x02" is going to be inconsistent, it is just never going to work unless your encoding is the identity map which is not really an encoding in the normal sense. Regular expressions are used to march strings that may be encoded in the binary data as one of the possible encodings you can choose from (like ascii, utf-8, etc...)

[bangstk]

I see, I think a "binary" encoding mode for regex would be nice to be able to do more intricate pattern matches on hex data, but that is probably its own feature request.

Otherwise - for implementing '??' in Replace, instead of needing to associate each ?? with the ones that appeared in the search pattern, it can probably just generically replace each ?? with the corresponding byte in the data to be replaced, so for instance if ?? appears as the 4th byte in the Replace field then it would always become the original 4th byte in the data being replaced, regardless of what was in the Search field.

[paxcut]

Regular expressions are descriptions of textual information that can be used to match patterns of text. It isn't matter of defining binary encodings, the very definitions of how regular expressions work is only defined for text and it makes no sense for general binary values. Binary values are just numbers with no implicit meaning and all are treated the same way. Besides using ?? as wildcards you could specify intervals that would match values inside the interval (eg [1A-B2] would match any value in between them) or maybe use nibbles to match parts of bytes (as in A? or ?B) .

I never suggested that the wildcards need to be the same in search and replace. Your description of the meaning of wildcards in replacement is the only possible way to define wildcards. ?? matches any byte found at that location in the sequence. What I said before is that without wildcards in replacements it is generally impossible to change only the non ?? values of the sequences found during the search. That doesn't mean that the wildcards need to be always the same for search and for replace, it is just a simple example that shows why they are needed and that without them the ability to use wildcards during search becomes less useful because you are blocked from doing basic replacements on the non ?? parts of the sequence. you cant just search and replace the non ?? parts because the ?? restricts the possible matches that would be found if you didn't include them.