decompress-data-using-quicklz.yml
# capa-style capability rule: flags functions containing code that resembles
# the inner decompression loop of QuickLZ (see meta.description).
# NOTE(review): indentation was lost in this listing; the nesting below is
# reconstructed from the key order. Confirm against the upstream file.
# Triage note: a match indicates a capability (compression code is present),
# not malicious intent. The mnemonics and small constants used here are
# generic, so confirm a hit in a disassembler before relying on it.
rule:
  meta:
    name: decompress data using QuickLZ
    namespace: data-manipulation/compression
    author: david@edeca.net
    description: detects the inner decompression loop from QuickLZ
    # Features are evaluated per function; the "basic block" groups below
    # additionally require their features to share one basic block.
    scope: function
    # Malware Behavior Catalog mapping for this capability.
    mbc:
      - Data::Decompress Data::QuickLZ [C0025.001]
    references:
      - http://www.quicklz.com/
    # Each entry is <32-hex-digit sample hash>:<address>; presumably the
    # address of a function the rule is expected to match. TODO confirm.
    examples:
      - 64d9f7d96b99467f36e22fada623c3bb:0x10001510
      - 234c8034e88b2d097d2da51a85253825:0x100015B0
      - f54a09e966bb929e68f5c01fa3087a3a:0x10001590
      - d115f4b2ec8579be33fe883219c00ae2:0x1800015E0
      - 831083e1614090dbb5815dba36faa2f3:0x1800016E0
      - 7e0b974f004e4e0523fe4d9b9d89e5ad:0x1800016B0
      - 6a352c3e55e8ae5ed39dc1be7fb964b1:0x10010DE0
  features:
    # Any one of the three mode-specific patterns is sufficient.
    # The mnemonics are x86 instruction names, so presumably other
    # architectures are not covered. Verify before assuming a clean result.
    - or:
      # Mode 1: one basic block must hold all three mnemonics, both constants,
      # and at least one of the two offsets.
      # NOTE(review): 0xC with 0xFFF looks like a 12-bit shift and mask, and
      # the two offsets look like build-dependent structure offsets. Confirm
      # against the QuickLZ source.
      - basic block:
        - and:
          - description: Mode 1 decompression
          - mnemonic: xor
          - mnemonic: shr
          - mnemonic: and
          - number: 0xC
          - number: 0xFFF
          - or:
            - offset: 0x4000
            - offset: 0x8000
      # Mode 2: one basic block with shr/and/mov and all three constants.
      # 0x1 and 0x5 are common immediates; 0x7FF is the distinctive value.
      - basic block:
        - and:
          - description: Mode 2 decompression
          - mnemonic: shr
          - mnemonic: and
          - mnemonic: mov
          - number: 0x5
          - number: 0x1
          - number: 0x7FF
      # Mode 3: both basic-block patterns below must occur in the same
      # function; neither one matches on its own.
      - and:
        - description: Mode 3 decompression
        # First block: shr/and/mov with 0x2, 0x3 and the 0x3FFF mask.
        - basic block:
          - and:
            - mnemonic: shr
            - mnemonic: and
            - mnemonic: mov
            - number: 0x2
            - number: 0x3
            - number: 0x3FFF
        # Second block: shr/and with the 0x3FF mask only. It is weak by itself
        # and relies on the first block for specificity.
        - basic block:
          - and:
            - mnemonic: shr
            - mnemonic: and
            - number: 0x3FF