I can't post a comment anywhere since this questions is already answered, I guess, but I think this needs to be said.
The approach you are taking is actually worse than converting each individual character into ASCII equivalent. You are actually converting each byte into 2 ASCII characters.
Just to reference a part of the REGEX pattern that you posted as a final/working pattern: 4[0-9a-fA-F]
You are attempting to find chars @ABCDEFGHIJKLMNO
. You have a-f
and A-F
because you are trying to account for the Hex code being stored in upper case or lower case. Hex code on a hard drive does not get stored in upper or lower case (it doesn't even get stored in hex codes). You are accounting for whatever tool is presenting this data to you - in ASCII.
What tool are you using to access this data?
If you are using python to read a dd image file, then you need to use a regex that goes after the raw data. That would be something like [\x40-\x4f]
to replicate the above. This is all unnecessary though because [@-O]
would accomplish the same thing.
I am not sure exactly how you are testing this, but I suspect that you are pasting hex codes into an online REGEX testing engine. That testing engine is then interpretting those hex codes as 2 individual characters, not as a pair of nibbles from a byte.