# capa rule: flags a function that carries the arithmetic of an LZO
# decompression loop. Every instruction clause below is required (top-level
# `and`); the two `or` clauses allow alternative encodings of one step and
# either loop characteristic. Indentation reconstructed from the rendered view.
rule:
  meta:
    name: decompress data using LZO
    namespace: data-manipulation/compression
    authors:
      - david@edeca.net
      - david.cannings@pwc.com
    description: detects the decompression routine from LZO
    # matched per function, so all clauses must occur in the same function
    scope: function
    # MBC behaviour this rule is mapped to
    mbc:
      - Data::Decompress Data [C0025]
    # source implementation the instruction patterns were derived from
    references:
      - https://github.com/zenzhang/msgclient/blob/f7c346287022dd41b21aedc8664a281b32e4a1f1/src/framework/string/Compress.cpp
    # format: <sha256 of sample>:<virtual address of the matching function>
    examples:
      - ee3b869b668abec332d07c66d1a39f6dbf3a598cc1325b57a0504f8d24ac2e28.dll_:0x1000BB90
  features:
    - and:
      # `description` entries quote the source statement each instruction
      # clause corresponds to; they document intent and do not affect matching
      - instruction:
        - description: t += 255;
        - mnemonic: add
        - number: 0xFF
      # either an and/add against 0xFFFFFFFC (presumably -4 as a 32-bit
      # immediate; verify against the reference source) or an explicit sub 4
      - or:
        - instruction:
          - or:
            - mnemonic: and
            - mnemonic: add
          - number: 0xFFFFFFFC
        - instruction:
          - mnemonic: sub
          - number: 4
      - instruction:
        - description: t &= 31;
        - mnemonic: and
        - number: 0x1F
      - instruction:
        - description: m_pos -= 0x4000;
        - mnemonic: sub
        - number: 0x4000
      - instruction:
        - description: m_pos -= t >> 2;
        - mnemonic: shr
        - number: 2
      # the arithmetic must sit inside some loop construct
      - or:
        - characteristic: loop
        - characteristic: tight loop