Igor’s Tip of the Week #129: Searching for text in database

Using the string list is one way to look for text in the binary but it has its downsides: building the list takes time for big binaries, some strings may be missing initially so you may need several tries to get the options right, and then you need to actually find what you need in the list.

If you already know the text you want to find (e.g. from the output of the program), there is a quicker way.

Using binary search for text

The binary search action can be invoked via the Search > Sequence of bytes… menu, or the Alt+B shortcut. Although its primary use is for finding known byte sequences, you can also use it for finding text embedded in the binary. For this, surround the text string with double quotes ("). The closing quote is optional.

Once a quote is present in the input box, the String encoding dropdown is enabled. It allows you to choose in which encoding(s) to look for the string.

After confirming, IDA will print in the Output window the exact byte patterns it’s looking for:

Searching down CASE-INSENSITIVELY for binary patterns:
UTF-8: 4A 61 6E
UTF-16LE: 4A 00 61 00 6E 00
UTF-32LE: 4A 00 00 00 61 00 00 00 6E 00 00 00
Search completed. Found at 1001A9C4.

You can also mix string literals and byte values. For example, to find “Jan” but not “January”, add 0 for the C string terminator:

To continue the search, use Search > Next sequence of bytes…, or the Ctrl+B shortcut.
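
To see why the terminator trick skips "January", the following added example (plain Python written for this page, not IDA's implementation or IDAPython API) builds the same three byte patterns shown in the Output window and searches a constructed buffer case-insensitively. The function names, the sample buffer, and the assumption that trailing byte values are appended unchanged after each encoded string are illustrative.

```python
import re

# Encodings taken from the Output window sample above.
ENCODINGS = ("utf-8", "utf-16-le", "utf-32-le")

def build_patterns(text, trailing=b""):
    """Encode the quoted text in each encoding, then append raw byte values.
    Assumption: trailing bytes (e.g. the 0 terminator) are appended as-is."""
    return {enc: text.encode(enc) + trailing for enc in ENCODINGS}

def hexdump(pattern):
    """Format a pattern the way the Output window lists it."""
    return " ".join(f"{b:02X}" for b in pattern)

def search(data, text, trailing=b"", start=0):
    """Return (offset, encoding) of the lowest match at or after start,
    ignoring ASCII case, or None if no encoding matches."""
    best = None
    for enc, pat in build_patterns(text, trailing).items():
        m = re.compile(re.escape(pat), re.IGNORECASE).search(data, start)
        if m and (best is None or m.start() < best[0]):
            best = (m.start(), enc)
    return best

# Constructed sample: "January" in UTF-8, "jan" in UTF-16LE, then "Jan\0Feb\0".
SAMPLE = (b"\x00January\x00"
          + "jan".encode("utf-16-le") + b"\x00\x00"
          + b"Jan\x00Feb\x00")

if __name__ == "__main__":
    for enc, pat in build_patterns("Jan").items():
        print(f"{enc}: {hexdump(pat)}")
    # Without the terminator, the first hit is inside "January".
    print(search(SAMPLE, "Jan"))
    # With the terminator, "January" no longer matches.
    hit = search(SAMPLE, "Jan", b"\x00")
    while hit:
        print(hit)
        # Equivalent of repeating the search from the next address.
        hit = search(SAMPLE, "Jan", b"\x00", start=hit[0] + 1)
```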

See also:

Igor’s tip of the week #48: Searching in IDA

IDA Help: Search for substring in the file

IDA Help: Binary string format