FlareOn11: 03 - Aray
The Challenge
First we are greeted with:

After downloading aray.7z, we can list the file contents:
$ 7z l aray.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,22 CPUs Intel(R) Core(TM) Ultra 9 185H (A06A4),ASM,AES-NI)
Scanning the drive for archives:
1 file, 2927 bytes (3 KiB)
Listing archive: aray.7z
Enter password (will not be echoed):
--
Path = aray.7z
Type = 7z
Physical Size = 2927
Headers Size = 191
Method = LZMA2:14 7zAES
Solid = -
Blocks = 1
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2024-07-09 01:36:04 ....A 14343 2736 aray.yara
------------------- ----- ------------ ------------ ------------------------
2024-07-09 01:36:04 14343 2736 1 files
The yara rule
And if the title aray did not give it away, we are presented with a YARA, or yara, rule. A YARA rule is a pattern-matching rule used for malware detection and analysis. YARA, developed by Victor M. Alvarez, is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA, you can create descriptions of malware families based on textual or binary patterns or various characteristics specific to a file.
Here’s the basic structure of a YARA rule:
rule RuleName {
meta:
author = "Your Name"
description = "Description of what the rule matches"
date = "YYYY-MM-DD"
strings:
$a = "string_to_match"
$b = { B0 B1 B2 B3 B4 } // sequence of bytes
$c = /regex/
condition:
$a or ($b and $c)
}
In this structure:
- rule RuleName is the start of the rule, where RuleName is a unique identifier for the rule you are creating.
- The meta section provides metadata about the rule. This is where you can include information such as the author’s name, a description of the rule, and the date it was created or modified.
- The strings section is where you define the patterns that you want to search for within a file or a process’s memory. Variables like $a, $b, or $c are associated with literal strings, binary strings, or regular expressions that YARA will search for.
- The condition section determines the logic for when the rule should be considered a match. The condition must evaluate to true for YARA to declare a hit on the rule. It can consist of boolean operations, counts of matches for the strings (#), file property checks, and other logic.
YARA rules are an incredibly powerful way to scan files and detect patterns without executing them, which is especially useful in cybersecurity for identifying malware on a system or within a network. YARA can be used standalone or integrated into various security tools, systems, and workflows for automated scanning and malware detection purposes.
In our case we are presented with:
import "hash"
rule aray
{
meta:
description = "Matches on b7dc94ca98aa58dabb5404541c812db2"
condition:
filesize == 85 and hash.md5(0, filesize) == "b7dc94ca98aa58dabb5404541c812db2" and filesize ^ uint8(11) != 107 and uint8(55) & 128 == 0 and uint8(58) + 25 == 122 and uint8(7) & 128 == 0 and uint8(48) % 12 < 12 and uint8(17) > 31 and uint8(68) > 10 and uint8(56) < 155 and uint32(52) ^ 425706662 == 1495724241 and uint8(0) % 25 < 25 and filesize ^ uint8(75) != 25 and filesize ^ uint8(28) != 12 and uint8(35) < 160 and uint8(3) & 128 == 0 and uint8(56) & 128 == 0 and uint8(28) % 27 < 27 and uint8(4) > 30 and uint8(15) & 128 == 0 and uint8(68) % 19 < 19 and uint8(19) < 151 and filesize ^ uint8(73) != 17 and filesize ^ uint8(31) != 5 and uint8(38) % 24 < 24 and uint8(3) > 21 and uint8(54) & 128 == 0 and filesize ^ uint8(66) != 146 and uint32(17) - 323157430 == 1412131772 and hash.crc32(8, 2) == 0x61089c5c and filesize ^ uint8(77) != 22 and uint8(75) % 24 < 24 and uint8(66) < 133 and uint8(21) % 11 < 11 and uint8(46) < 154 and hash.crc32(34, 2) == 0x5888fc1b and uint8(55) > 5 and uint8(36) + 4 == 72 and filesize ^ uint8(82) != 228 and filesize ^ uint8(13) != 42 and filesize ^ uint8(6) != 39 and uint8(33) < 160 and filesize ^ uint8(55) != 244 and filesize ^ uint8(15) != 205 and filesize ^ uint8(3) != 43 and filesize ^ uint8(54) != 39 and uint8(28) & 128 == 0 and uint8(10) < 146 and filesize ^ uint8(56) != 246 and filesize ^ uint8(32) != 77 and uint8(73) > 26 and uint8(36) > 11 and uint8(70) > 6 and filesize ^ uint8(33) != 27 and uint8(48) & 128 == 0 and filesize ^ uint8(74) != 45 and uint8(27) ^ 21 == 40 and uint8(60) % 23 < 23 and filesize ^ uint8(67) != 63 and filesize ^ uint8(0) != 16 and uint8(51) % 15 < 15 and uint8(50) > 19 and uint8(27) < 147 and filesize ^ uint8(40) != 230 and filesize ^ uint8(2) != 205 and uint8(79) % 24 < 24 and uint8(69) < 148 and uint8(16) & 128 == 0 and uint8(61) % 26 < 26 and uint8(63) > 31 and uint8(14) & 128 == 0 and uint8(35) > 1 and filesize ^ uint8(11) != 33 and uint8(52) < 136 and uint8(54) > 15 and filesize ^ uint8(20) != 83 and 
uint8(43) > 24 and uint8(82) < 152 and uint32(59) ^ 512952669 == 1908304943 and filesize ^ uint8(79) != 186 and filesize ^ uint8(83) != 197 and uint8(39) < 134 and filesize ^ uint8(43) != 33 and uint8(72) > 10 and uint8(83) < 134 and uint8(44) % 27 < 27 and uint8(40) < 131 and uint8(80) % 31 < 31 and filesize ^ uint8(47) != 11 and uint8(55) % 11 < 11 and filesize ^ uint8(71) != 3 and uint8(65) - 29 == 70 and uint8(58) > 30 and filesize ^ uint8(37) != 37 and uint8(60) < 130 and uint8(27) & 128 == 0 and uint8(3) < 141 and uint8(73) & 128 == 0 and filesize ^ uint8(70) != 209 and filesize ^ uint8(2) != 54 and filesize ^ uint8(20) != 17 and uint8(33) > 18 and uint8(37) % 19 < 19 and filesize ^ uint8(62) != 15 and filesize ^ uint8(10) != 44 and uint8(7) % 12 < 12 and uint8(71) > 19 and filesize ^ uint8(50) != 86 and uint8(45) ^ 9 == 104 and uint8(8) < 133 and uint8(31) < 145 and uint8(14) > 20 and uint8(54) % 25 < 25 and filesize ^ uint8(49) != 156 and uint8(47) > 13 and uint8(29) > 22 and uint8(14) % 19 < 19 and filesize ^ uint8(17) != 16 and filesize ^ uint8(12) != 226 and filesize ^ uint8(65) != 28 and uint8(45) & 128 == 0 and filesize ^ uint8(6) != 129 and uint8(18) % 30 < 30 and filesize ^ uint8(62) != 246 and uint8(78) % 13 < 13 and uint8(36) & 128 == 0 and uint8(10) & 128 == 0 and uint8(62) > 1 and uint8(33) & 128 == 0 and filesize ^ uint8(83) != 31 and uint8(83) % 21 < 21 and uint8(11) > 18 and uint8(80) < 143 and uint8(81) % 14 < 14 and uint8(43) < 160 and uint8(1) > 19 and uint8(42) % 17 < 17 and uint8(44) < 147 and filesize ^ uint8(63) != 34 and filesize ^ uint8(44) != 17 and uint32(28) - 419186860 == 959764852 and uint8(74) + 11 == 116 and uint8(48) < 136 and uint8(47) < 142 and hash.crc32(63, 2) == 0x66715919 and uint8(58) < 146 and filesize ^ uint8(71) != 128 and uint8(45) < 136 and uint8(31) % 17 < 17 and uint8(43) & 128 == 0 and filesize ^ uint8(43) != 251 and uint8(65) > 1 and uint8(24) & 128 == 0 and uint8(37) < 139 and filesize ^ uint8(28) != 238 and 
uint8(78) & 128 == 0 and filesize ^ uint8(13) != 219 and uint8(19) % 30 < 30 and hash.sha256(14, 2) == "403d5f23d149670348b147a15eeb7010914701a7e99aad2e43f90cfa0325c76f" and filesize ^ uint8(53) != 243 and uint8(81) & 128 == 0 and uint8(46) % 28 < 28 and filesize ^ uint8(65) != 215 and filesize ^ uint8(0) != 41 and uint8(84) < 129 and uint8(60) & 128 == 0 and uint8(20) > 1 and uint8(2) % 28 < 28 and uint8(58) % 14 < 14 and uint8(34) & 128 == 0 and uint8(21) & 128 == 0 and uint8(84) % 18 < 18 and uint8(74) % 10 < 10 and uint8(9) < 151 and uint8(73) % 23 < 23 and filesize ^ uint8(39) != 49 and uint8(4) % 17 < 17 and filesize ^ uint8(60) != 142 and filesize ^ uint8(69) != 30 and uint8(30) > 6 and uint8(65) & 128 == 0 and uint8(39) % 11 < 11 and uint8(13) % 27 < 27 and uint8(17) % 11 < 11 and uint8(56) % 26 < 26 and uint8(29) < 157 and uint8(57) & 128 == 0 and filesize ^ uint8(29) != 37 and uint8(77) > 5 and filesize ^ uint8(16) != 144 and uint8(37) & 128 == 0 and filesize ^ uint8(25) != 47 and uint8(67) & 128 == 0 and filesize ^ uint8(24) != 94 and uint8(68) < 138 and uint8(57) < 138 and filesize ^ uint8(27) != 43 and filesize ^ uint8(30) != 18 and filesize ^ uint8(59) != 13 and uint8(27) % 26 < 26 and uint8(56) > 8 and uint8(69) & 128 == 0 and uint8(18) & 128 == 0 and uint8(64) < 154 and uint8(76) & 128 == 0 and uint8(71) % 28 < 28 and filesize ^ uint8(84) != 3 and filesize ^ uint8(38) != 84 and uint8(32) < 140 and filesize ^ uint8(42) != 91 and uint8(40) > 15 and uint8(27) > 23 and uint8(6) % 12 < 12 and uint8(10) % 10 < 10 and uint8(8) % 21 < 21 and filesize ^ uint8(18) != 234 and uint8(68) & 128 == 0 and uint8(7) < 131 and uint8(72) < 134 and uint8(16) > 25 and uint8(12) % 23 < 23 and uint8(41) % 27 < 27 and uint8(1) % 17 < 17 and uint8(26) > 31 and hash.sha256(56, 2) == "593f2d04aab251f60c9e4b8bbc1e05a34e920980ec08351a18459b2bc7dbf2f6" and uint8(65) < 149 and filesize ^ uint8(51) != 0 and uint8(66) > 30 and filesize ^ uint8(68) != 8 and uint8(25) % 23 < 23 and 
uint8(1) & 128 == 0 and filesize ^ uint8(81) != 7 and uint8(36) % 22 < 22 and uint8(24) < 148 and uint8(12) < 147 and uint8(74) < 152 and filesize ^ uint8(21) != 27 and filesize ^ uint8(23) != 18 and uint8(38) & 128 == 0 and uint8(26) % 25 < 25 and filesize ^ uint8(19) != 31 and uint8(82) > 3 and uint8(5) % 27 < 27 and uint8(5) & 128 == 0 and uint8(75) - 30 == 86 and uint8(54) < 152 and uint8(75) < 142 and uint8(20) % 28 < 28 and uint8(30) & 128 == 0 and uint32(66) ^ 310886682 == 849718389 and uint8(64) % 24 < 24 and uint32(10) + 383041523 == 2448764514 and uint8(79) & 128 == 0 and filesize ^ uint8(59) != 194 and uint8(61) & 128 == 0 and uint8(70) < 139 and uint8(77) & 128 == 0 and uint8(13) & 128 == 0 and uint8(21) < 138 and filesize ^ uint8(46) != 186 and uint8(43) % 26 < 26 and uint8(61) < 160 and filesize ^ uint8(34) != 39 and uint8(6) > 6 and uint8(35) & 128 == 0 and uint8(23) < 141 and filesize ^ uint8(82) != 32 and filesize ^ uint8(48) != 29 and uint8(59) & 128 == 0 and uint8(40) % 19 < 19 and filesize ^ uint8(39) != 18 and filesize ^ uint8(45) != 146 and uint8(80) & 128 == 0 and uint8(16) < 134 and uint8(74) > 1 and uint8(23) & 128 == 0 and uint8(32) & 128 == 0 and filesize ^ uint8(47) != 119 and filesize ^ uint8(63) != 135 and uint8(64) > 27 and uint32(37) + 367943707 == 1228527996 and uint8(82) % 28 < 28 and uint8(32) > 28 and filesize ^ uint8(24) != 217 and uint8(53) < 144 and uint8(29) & 128 == 0 and uint32(22) ^ 372102464 == 1879700858 and uint8(52) % 23 < 23 and filesize ^ uint8(76) != 88 and filesize ^ uint8(55) != 17 and uint8(26) & 128 == 0 and uint8(51) > 7 and uint8(12) > 19 and filesize ^ uint8(14) != 99 and filesize ^ uint8(37) != 141 and filesize ^ uint8(14) != 161 and uint8(45) % 17 < 17 and uint8(33) % 25 < 25 and filesize ^ uint8(67) != 55 and filesize ^ uint8(53) != 19 and uint8(30) < 131 and uint8(0) & 128 == 0 and uint8(66) & 128 == 0 and uint8(41) > 5 and uint8(71) & 128 == 0 and uint8(29) % 12 < 12 and uint8(4) < 139 and uint8(77) < 
154 and filesize ^ uint8(12) != 116 and uint8(39) > 7 and uint8(75) & 128 == 0 and uint8(78) > 24 and uint8(69) > 25 and uint8(2) + 11 == 119 and uint8(15) < 156 and filesize ^ uint8(69) != 241 and filesize ^ uint8(35) != 18 and filesize ^ uint8(17) != 208 and hash.md5(0, 2) == "89484b14b36a8d5329426a3d944d2983" and filesize ^ uint8(4) != 23 and uint8(15) % 16 < 16 and filesize ^ uint8(75) != 35 and uint32(46) - 412326611 == 1503714457 and uint8(11) % 27 < 27 and hash.crc32(78, 2) == 0x7cab8d64 and uint8(83) & 128 == 0 and filesize ^ uint8(26) != 161 and uint8(49) % 13 < 13 and filesize ^ uint8(18) != 33 and uint8(6) < 155 and uint8(41) < 140 and filesize ^ uint8(68) != 135 and filesize ^ uint8(9) != 5 and uint8(9) & 128 == 0 and filesize ^ uint8(36) != 95 and uint8(7) > 18 and filesize ^ uint8(23) != 242 and uint8(62) < 146 and uint8(49) & 128 == 0 and uint8(62) & 128 == 0 and uint8(4) & 128 == 0 and filesize ^ uint8(58) != 12 and uint8(72) & 128 == 0 and uint8(18) > 13 and filesize ^ uint8(42) != 1 and uint8(59) % 23 < 23 and uint8(53) & 128 == 0 and filesize ^ uint8(78) != 163 and uint8(60) > 14 and uint8(47) % 18 < 18 and uint8(79) > 31 and uint8(22) < 152 and filesize ^ uint8(64) != 50 and filesize ^ uint8(19) != 222 and uint8(81) < 131 and uint8(7) - 15 == 82 and filesize ^ uint8(51) != 204 and uint8(28) > 27 and uint32(70) + 349203301 == 2034162376 and filesize ^ uint8(61) != 94 and uint8(76) > 2 and filesize ^ uint8(77) != 223 and uint8(19) > 4 and uint8(80) > 2 and filesize ^ uint8(35) != 120 and filesize ^ uint8(22) != 31 and uint8(10) > 9 and uint8(22) > 20 and uint8(38) < 135 and filesize ^ uint8(10) != 205 and uint8(25) & 128 == 0 and uint8(13) < 147 and uint8(42) & 128 == 0 and hash.md5(76, 2) == "f98ed07a4d5f50f7de1410d905f1477f" and filesize ^ uint8(48) != 99 and filesize ^ uint8(16) != 7 and uint8(11) < 154 and filesize ^ uint8(76) != 30 and uint8(30) % 15 < 15 and filesize ^ uint8(74) != 193 and filesize ^ uint8(52) != 22 and filesize ^ uint8(36) 
!= 6 and uint8(22) % 22 < 22 and uint8(44) & 128 == 0 and uint8(50) & 128 == 0 and filesize ^ uint8(25) != 224 and uint8(15) > 26 and filesize ^ uint8(60) != 43 and uint8(22) & 128 == 0 and uint8(82) & 128 == 0 and uint32(80) - 473886976 == 69677856 and uint8(75) > 30 and uint8(32) % 17 < 17 and filesize ^ uint8(15) != 27 and uint8(67) % 16 < 16 and uint8(23) > 2 and uint8(62) % 13 < 13 and uint8(34) < 138 and filesize ^ uint8(31) != 32 and uint8(72) % 14 < 14 and filesize ^ uint8(81) != 242 and filesize ^ uint8(54) != 141 and uint8(63) & 128 == 0 and uint8(0) < 129 and uint8(70) % 21 < 21 and uint8(8) & 128 == 0 and uint8(61) > 12 and uint8(24) > 22 and uint8(53) % 23 < 23 and uint8(46) & 128 == 0 and uint8(24) % 26 < 26 and uint32(3) ^ 298697263 == 2108416586 and uint8(21) - 21 == 94 and uint8(67) < 144 and uint8(48) > 15 and uint8(37) > 16 and uint8(42) < 157 and uint8(16) ^ 7 == 115 and uint8(13) > 21 and filesize ^ uint8(45) != 19 and uint8(47) & 128 == 0 and filesize ^ uint8(80) != 56 and filesize ^ uint8(78) != 6 and uint8(76) % 24 < 24 and uint8(73) < 136 and filesize ^ uint8(52) != 238 and uint8(50) % 11 < 11 and filesize ^ uint8(7) != 15 and filesize ^ uint8(66) != 51 and uint8(59) > 4 and uint8(46) > 22 and filesize ^ uint8(3) != 147 and uint8(63) % 30 < 30 and uint8(36) < 146 and uint8(26) < 132 and uint8(6) & 128 == 0 and filesize ^ uint8(30) != 249 and uint32(41) + 404880684 == 1699114335 and filesize ^ uint8(5) != 243 and uint8(70) & 128 == 0 and uint8(9) % 22 < 22 and uint8(59) < 141 and filesize ^ uint8(79) != 104 and filesize ^ uint8(5) != 43 and filesize ^ uint8(72) != 219 and uint8(52) > 25 and uint8(74) & 128 == 0 and uint8(28) < 160 and uint8(51) & 128 == 0 and hash.md5(50, 2) == "657dae0913ee12be6fb2a6f687aae1c7" and uint8(83) > 16 and uint8(31) > 7 and uint8(84) & 128 == 0 and filesize ^ uint8(46) != 18 and uint8(2) > 20 and uint8(5) < 158 and filesize ^ uint8(32) != 30 and filesize ^ uint8(50) != 219 and uint8(26) - 7 == 25 and uint8(53) > 
24 and uint8(77) % 24 < 24 and uint8(3) % 13 < 13 and filesize ^ uint8(9) != 164 and filesize ^ uint8(80) != 236 and uint8(65) % 22 < 22 and filesize ^ uint8(84) != 231 and filesize ^ uint8(49) != 10 and uint8(67) > 27 and uint8(34) % 19 < 19 and uint8(64) & 128 == 0 and filesize ^ uint8(27) != 244 and uint8(12) & 128 == 0 and uint8(51) < 139 and uint8(35) % 15 < 15 and uint8(5) > 14 and filesize ^ uint8(34) != 115 and filesize ^ uint8(38) != 8 and filesize ^ uint8(72) != 37 and uint8(20) & 128 == 0 and uint8(17) < 150 and filesize ^ uint8(70) != 41 and uint8(66) % 16 < 16 and uint8(17) & 128 == 0 and uint8(19) & 128 == 0 and filesize ^ uint8(33) != 157 and uint8(21) > 7 and uint8(58) & 128 == 0 and uint8(71) < 130 and uint8(41) & 128 == 0 and uint8(57) > 11 and hash.md5(32, 2) == "738a656e8e8ec272ca17cd51e12f558b" and filesize ^ uint8(8) != 2 and filesize ^ uint8(57) != 186 and uint8(11) & 128 == 0 and uint8(2) < 147 and uint8(23) % 16 < 16 and uint8(78) < 141 and uint8(38) > 18 and filesize ^ uint8(41) != 233 and uint8(18) < 137 and uint8(40) & 128 == 0 and filesize ^ uint8(21) != 188 and filesize ^ uint8(57) != 14 and filesize ^ uint8(4) != 253 and uint8(14) < 153 and uint8(31) & 128 == 0 and uint8(81) > 11 and uint8(2) & 128 == 0 and filesize ^ uint8(22) != 191 and uint8(44) > 5 and uint8(84) + 3 == 128 and uint8(20) < 135 and filesize ^ uint8(73) != 61 and filesize ^ uint8(26) != 44 and uint8(1) < 158 and filesize ^ uint8(29) != 158 and uint8(49) < 129 and filesize ^ uint8(64) != 158 and uint8(25) < 154 and uint8(63) < 129 and uint8(84) > 26 and uint8(39) & 128 == 0 and uint8(25) > 27 and uint8(49) > 27 and uint8(9) > 23 and filesize ^ uint8(7) != 221 and uint8(50) < 138 and uint8(76) < 156 and filesize ^ uint8(61) != 239 and uint8(57) % 27 < 27 and filesize ^ uint8(8) != 107 and uint8(79) < 146 and filesize ^ uint8(40) != 49 and uint8(0) > 30 and uint8(45) > 17 and uint8(16) % 31 < 31 and filesize ^ uint8(1) != 232 and filesize ^ uint8(56) != 22 and uint8(42) 
> 3 and uint8(52) & 128 == 0 and uint8(69) % 30 < 30 and uint8(55) < 153 and filesize ^ uint8(41) != 74 and filesize ^ uint8(1) != 0 and filesize ^ uint8(44) != 96 and filesize ^ uint8(58) != 77 and uint8(34) > 18 and uint8(8) > 3
}
We probably need to figure out what this rule matches. Upon inspection, we see loads of conditions, so let’s digest them.
The first condition is:
filesize == 85
So the file size has to be 85 bytes. Next, the MD5 sum of the file should be equal to “b7dc94ca98aa58dabb5404541c812db2”, and so on.
I tried to solve this by first writing out all the conditions:
Solving the first part of the challenge
def parse_and_print_sorted_conditions(file_path):
    with open(file_path, 'r') as file:
        lines = file.readlines()
    capture = False
    captured_text = ""
    # Find and concatenate the 'condition:' section.
    # Everything after 'condition:' is captured, including the rule's closing '}',
    # which therefore stays attached to the last condition in the file.
    for line in lines:
        if line.strip().startswith('condition:'):
            capture = True
            continue
        if capture:
            captured_text += line.strip() + " "
    # Split the conditions by ' and ', strip whitespace, and avoid empty strings.
    conditions = [condition.strip() for condition in captured_text.split(' and ') if condition]
    # Sort the conditions alphabetically.
    sorted_conditions = sorted(conditions)
    # Print each sorted condition on a new line.
    for condition in sorted_conditions:
        print(condition)

if __name__ == "__main__":
    # Path to the text file containing the YARA rule.
    yara_file_path = 'aray.yara'
    parse_and_print_sorted_conditions(yara_file_path)
This script writes all conditions, formatted one per line, to the terminal. Running this gives:
filesize == 85
filesize ^ uint8(0) != 16
filesize ^ uint8(0) != 41
filesize ^ uint8(1) != 0
filesize ^ uint8(1) != 232
filesize ^ uint8(10) != 205
filesize ^ uint8(10) != 44
filesize ^ uint8(11) != 107
filesize ^ uint8(11) != 33
filesize ^ uint8(12) != 116
filesize ^ uint8(12) != 226
filesize ^ uint8(13) != 219
filesize ^ uint8(13) != 42
filesize ^ uint8(14) != 161
filesize ^ uint8(14) != 99
filesize ^ uint8(15) != 205
filesize ^ uint8(15) != 27
filesize ^ uint8(16) != 144
filesize ^ uint8(16) != 7
filesize ^ uint8(17) != 16
filesize ^ uint8(17) != 208
filesize ^ uint8(18) != 234
filesize ^ uint8(18) != 33
filesize ^ uint8(19) != 222
filesize ^ uint8(19) != 31
filesize ^ uint8(2) != 205
filesize ^ uint8(2) != 54
filesize ^ uint8(20) != 17
filesize ^ uint8(20) != 83
filesize ^ uint8(21) != 188
filesize ^ uint8(21) != 27
filesize ^ uint8(22) != 191
filesize ^ uint8(22) != 31
filesize ^ uint8(23) != 18
filesize ^ uint8(23) != 242
filesize ^ uint8(24) != 217
filesize ^ uint8(24) != 94
filesize ^ uint8(25) != 224
filesize ^ uint8(25) != 47
filesize ^ uint8(26) != 161
filesize ^ uint8(26) != 44
filesize ^ uint8(27) != 244
filesize ^ uint8(27) != 43
filesize ^ uint8(28) != 12
filesize ^ uint8(28) != 238
filesize ^ uint8(29) != 158
filesize ^ uint8(29) != 37
filesize ^ uint8(3) != 147
filesize ^ uint8(3) != 43
filesize ^ uint8(30) != 18
filesize ^ uint8(30) != 249
filesize ^ uint8(31) != 32
filesize ^ uint8(31) != 5
filesize ^ uint8(32) != 30
filesize ^ uint8(32) != 77
filesize ^ uint8(33) != 157
filesize ^ uint8(33) != 27
filesize ^ uint8(34) != 115
filesize ^ uint8(34) != 39
filesize ^ uint8(35) != 120
filesize ^ uint8(35) != 18
filesize ^ uint8(36) != 6
filesize ^ uint8(36) != 95
filesize ^ uint8(37) != 141
filesize ^ uint8(37) != 37
filesize ^ uint8(38) != 8
filesize ^ uint8(38) != 84
filesize ^ uint8(39) != 18
filesize ^ uint8(39) != 49
filesize ^ uint8(4) != 23
filesize ^ uint8(4) != 253
filesize ^ uint8(40) != 230
filesize ^ uint8(40) != 49
filesize ^ uint8(41) != 233
filesize ^ uint8(41) != 74
filesize ^ uint8(42) != 1
filesize ^ uint8(42) != 91
filesize ^ uint8(43) != 251
filesize ^ uint8(43) != 33
filesize ^ uint8(44) != 17
filesize ^ uint8(44) != 96
filesize ^ uint8(45) != 146
filesize ^ uint8(45) != 19
filesize ^ uint8(46) != 18
filesize ^ uint8(46) != 186
filesize ^ uint8(47) != 11
filesize ^ uint8(47) != 119
filesize ^ uint8(48) != 29
filesize ^ uint8(48) != 99
filesize ^ uint8(49) != 10
filesize ^ uint8(49) != 156
filesize ^ uint8(5) != 243
filesize ^ uint8(5) != 43
filesize ^ uint8(50) != 219
filesize ^ uint8(50) != 86
filesize ^ uint8(51) != 0
filesize ^ uint8(51) != 204
filesize ^ uint8(52) != 22
filesize ^ uint8(52) != 238
filesize ^ uint8(53) != 19
filesize ^ uint8(53) != 243
filesize ^ uint8(54) != 141
filesize ^ uint8(54) != 39
filesize ^ uint8(55) != 17
filesize ^ uint8(55) != 244
filesize ^ uint8(56) != 22
filesize ^ uint8(56) != 246
filesize ^ uint8(57) != 14
filesize ^ uint8(57) != 186
filesize ^ uint8(58) != 12
filesize ^ uint8(58) != 77
filesize ^ uint8(59) != 13
filesize ^ uint8(59) != 194
filesize ^ uint8(6) != 129
filesize ^ uint8(6) != 39
filesize ^ uint8(60) != 142
filesize ^ uint8(60) != 43
filesize ^ uint8(61) != 239
filesize ^ uint8(61) != 94
filesize ^ uint8(62) != 15
filesize ^ uint8(62) != 246
filesize ^ uint8(63) != 135
filesize ^ uint8(63) != 34
filesize ^ uint8(64) != 158
filesize ^ uint8(64) != 50
filesize ^ uint8(65) != 215
filesize ^ uint8(65) != 28
filesize ^ uint8(66) != 146
filesize ^ uint8(66) != 51
filesize ^ uint8(67) != 55
filesize ^ uint8(67) != 63
filesize ^ uint8(68) != 135
filesize ^ uint8(68) != 8
filesize ^ uint8(69) != 241
filesize ^ uint8(69) != 30
filesize ^ uint8(7) != 15
filesize ^ uint8(7) != 221
filesize ^ uint8(70) != 209
filesize ^ uint8(70) != 41
filesize ^ uint8(71) != 128
filesize ^ uint8(71) != 3
filesize ^ uint8(72) != 219
filesize ^ uint8(72) != 37
filesize ^ uint8(73) != 17
filesize ^ uint8(73) != 61
filesize ^ uint8(74) != 193
filesize ^ uint8(74) != 45
filesize ^ uint8(75) != 25
filesize ^ uint8(75) != 35
filesize ^ uint8(76) != 30
filesize ^ uint8(76) != 88
filesize ^ uint8(77) != 22
filesize ^ uint8(77) != 223
filesize ^ uint8(78) != 163
filesize ^ uint8(78) != 6
filesize ^ uint8(79) != 104
filesize ^ uint8(79) != 186
filesize ^ uint8(8) != 107
filesize ^ uint8(8) != 2
filesize ^ uint8(80) != 236
filesize ^ uint8(80) != 56
filesize ^ uint8(81) != 242
filesize ^ uint8(81) != 7
filesize ^ uint8(82) != 228
filesize ^ uint8(82) != 32
filesize ^ uint8(83) != 197
filesize ^ uint8(83) != 31
filesize ^ uint8(84) != 231
filesize ^ uint8(84) != 3
filesize ^ uint8(9) != 164
filesize ^ uint8(9) != 5
hash.crc32(34, 2) == 0x5888fc1b
hash.crc32(63, 2) == 0x66715919
hash.crc32(78, 2) == 0x7cab8d64
hash.crc32(8, 2) == 0x61089c5c
hash.md5(0, 2) == "89484b14b36a8d5329426a3d944d2983"
hash.md5(0, filesize) == "b7dc94ca98aa58dabb5404541c812db2"
hash.md5(32, 2) == "738a656e8e8ec272ca17cd51e12f558b"
hash.md5(50, 2) == "657dae0913ee12be6fb2a6f687aae1c7"
hash.md5(76, 2) == "f98ed07a4d5f50f7de1410d905f1477f"
hash.sha256(14, 2) == "403d5f23d149670348b147a15eeb7010914701a7e99aad2e43f90cfa0325c76f"
hash.sha256(56, 2) == "593f2d04aab251f60c9e4b8bbc1e05a34e920980ec08351a18459b2bc7dbf2f6"
uint32(10) + 383041523 == 2448764514
uint32(17) - 323157430 == 1412131772
uint32(22) ^ 372102464 == 1879700858
uint32(28) - 419186860 == 959764852
uint32(3) ^ 298697263 == 2108416586
uint32(37) + 367943707 == 1228527996
uint32(41) + 404880684 == 1699114335
uint32(46) - 412326611 == 1503714457
uint32(52) ^ 425706662 == 1495724241
uint32(59) ^ 512952669 == 1908304943
uint32(66) ^ 310886682 == 849718389
uint32(70) + 349203301 == 2034162376
uint32(80) - 473886976 == 69677856
uint8(0) % 25 < 25
uint8(0) & 128 == 0
uint8(0) < 129
uint8(0) > 30
uint8(1) % 17 < 17
uint8(1) & 128 == 0
uint8(1) < 158
uint8(1) > 19
uint8(10) % 10 < 10
uint8(10) & 128 == 0
uint8(10) < 146
uint8(10) > 9
uint8(11) % 27 < 27
uint8(11) & 128 == 0
uint8(11) < 154
uint8(11) > 18
uint8(12) % 23 < 23
uint8(12) & 128 == 0
uint8(12) < 147
uint8(12) > 19
uint8(13) % 27 < 27
uint8(13) & 128 == 0
uint8(13) < 147
uint8(13) > 21
uint8(14) % 19 < 19
uint8(14) & 128 == 0
uint8(14) < 153
uint8(14) > 20
uint8(15) % 16 < 16
uint8(15) & 128 == 0
uint8(15) < 156
uint8(15) > 26
uint8(16) % 31 < 31
uint8(16) & 128 == 0
uint8(16) < 134
uint8(16) > 25
uint8(16) ^ 7 == 115
uint8(17) % 11 < 11
uint8(17) & 128 == 0
uint8(17) < 150
uint8(17) > 31
uint8(18) % 30 < 30
uint8(18) & 128 == 0
uint8(18) < 137
uint8(18) > 13
uint8(19) % 30 < 30
uint8(19) & 128 == 0
uint8(19) < 151
uint8(19) > 4
uint8(2) % 28 < 28
uint8(2) & 128 == 0
uint8(2) + 11 == 119
uint8(2) < 147
uint8(2) > 20
uint8(20) % 28 < 28
uint8(20) & 128 == 0
uint8(20) < 135
uint8(20) > 1
uint8(21) % 11 < 11
uint8(21) & 128 == 0
uint8(21) - 21 == 94
uint8(21) < 138
uint8(21) > 7
uint8(22) % 22 < 22
uint8(22) & 128 == 0
uint8(22) < 152
uint8(22) > 20
uint8(23) % 16 < 16
uint8(23) & 128 == 0
uint8(23) < 141
uint8(23) > 2
uint8(24) % 26 < 26
uint8(24) & 128 == 0
uint8(24) < 148
uint8(24) > 22
uint8(25) % 23 < 23
uint8(25) & 128 == 0
uint8(25) < 154
uint8(25) > 27
uint8(26) % 25 < 25
uint8(26) & 128 == 0
uint8(26) - 7 == 25
uint8(26) < 132
uint8(26) > 31
uint8(27) % 26 < 26
uint8(27) & 128 == 0
uint8(27) < 147
uint8(27) > 23
uint8(27) ^ 21 == 40
uint8(28) % 27 < 27
uint8(28) & 128 == 0
uint8(28) < 160
uint8(28) > 27
uint8(29) % 12 < 12
uint8(29) & 128 == 0
uint8(29) < 157
uint8(29) > 22
uint8(3) % 13 < 13
uint8(3) & 128 == 0
uint8(3) < 141
uint8(3) > 21
uint8(30) % 15 < 15
uint8(30) & 128 == 0
uint8(30) < 131
uint8(30) > 6
uint8(31) % 17 < 17
uint8(31) & 128 == 0
uint8(31) < 145
uint8(31) > 7
uint8(32) % 17 < 17
uint8(32) & 128 == 0
uint8(32) < 140
uint8(32) > 28
uint8(33) % 25 < 25
uint8(33) & 128 == 0
uint8(33) < 160
uint8(33) > 18
uint8(34) % 19 < 19
uint8(34) & 128 == 0
uint8(34) < 138
uint8(34) > 18
uint8(35) % 15 < 15
uint8(35) & 128 == 0
uint8(35) < 160
uint8(35) > 1
uint8(36) % 22 < 22
uint8(36) & 128 == 0
uint8(36) + 4 == 72
uint8(36) < 146
uint8(36) > 11
uint8(37) % 19 < 19
uint8(37) & 128 == 0
uint8(37) < 139
uint8(37) > 16
uint8(38) % 24 < 24
uint8(38) & 128 == 0
uint8(38) < 135
uint8(38) > 18
uint8(39) % 11 < 11
uint8(39) & 128 == 0
uint8(39) < 134
uint8(39) > 7
uint8(4) % 17 < 17
uint8(4) & 128 == 0
uint8(4) < 139
uint8(4) > 30
uint8(40) % 19 < 19
uint8(40) & 128 == 0
uint8(40) < 131
uint8(40) > 15
uint8(41) % 27 < 27
uint8(41) & 128 == 0
uint8(41) < 140
uint8(41) > 5
uint8(42) % 17 < 17
uint8(42) & 128 == 0
uint8(42) < 157
uint8(42) > 3
uint8(43) % 26 < 26
uint8(43) & 128 == 0
uint8(43) < 160
uint8(43) > 24
uint8(44) % 27 < 27
uint8(44) & 128 == 0
uint8(44) < 147
uint8(44) > 5
uint8(45) % 17 < 17
uint8(45) & 128 == 0
uint8(45) < 136
uint8(45) > 17
uint8(45) ^ 9 == 104
uint8(46) % 28 < 28
uint8(46) & 128 == 0
uint8(46) < 154
uint8(46) > 22
uint8(47) % 18 < 18
uint8(47) & 128 == 0
uint8(47) < 142
uint8(47) > 13
uint8(48) % 12 < 12
uint8(48) & 128 == 0
uint8(48) < 136
uint8(48) > 15
uint8(49) % 13 < 13
uint8(49) & 128 == 0
uint8(49) < 129
uint8(49) > 27
uint8(5) % 27 < 27
uint8(5) & 128 == 0
uint8(5) < 158
uint8(5) > 14
uint8(50) % 11 < 11
uint8(50) & 128 == 0
uint8(50) < 138
uint8(50) > 19
uint8(51) % 15 < 15
uint8(51) & 128 == 0
uint8(51) < 139
uint8(51) > 7
uint8(52) % 23 < 23
uint8(52) & 128 == 0
uint8(52) < 136
uint8(52) > 25
uint8(53) % 23 < 23
uint8(53) & 128 == 0
uint8(53) < 144
uint8(53) > 24
uint8(54) % 25 < 25
uint8(54) & 128 == 0
uint8(54) < 152
uint8(54) > 15
uint8(55) % 11 < 11
uint8(55) & 128 == 0
uint8(55) < 153
uint8(55) > 5
uint8(56) % 26 < 26
uint8(56) & 128 == 0
uint8(56) < 155
uint8(56) > 8
uint8(57) % 27 < 27
uint8(57) & 128 == 0
uint8(57) < 138
uint8(57) > 11
uint8(58) % 14 < 14
uint8(58) & 128 == 0
uint8(58) + 25 == 122
uint8(58) < 146
uint8(58) > 30
uint8(59) % 23 < 23
uint8(59) & 128 == 0
uint8(59) < 141
uint8(59) > 4
uint8(6) % 12 < 12
uint8(6) & 128 == 0
uint8(6) < 155
uint8(6) > 6
uint8(60) % 23 < 23
uint8(60) & 128 == 0
uint8(60) < 130
uint8(60) > 14
uint8(61) % 26 < 26
uint8(61) & 128 == 0
uint8(61) < 160
uint8(61) > 12
uint8(62) % 13 < 13
uint8(62) & 128 == 0
uint8(62) < 146
uint8(62) > 1
uint8(63) % 30 < 30
uint8(63) & 128 == 0
uint8(63) < 129
uint8(63) > 31
uint8(64) % 24 < 24
uint8(64) & 128 == 0
uint8(64) < 154
uint8(64) > 27
uint8(65) % 22 < 22
uint8(65) & 128 == 0
uint8(65) - 29 == 70
uint8(65) < 149
uint8(65) > 1
uint8(66) % 16 < 16
uint8(66) & 128 == 0
uint8(66) < 133
uint8(66) > 30
uint8(67) % 16 < 16
uint8(67) & 128 == 0
uint8(67) < 144
uint8(67) > 27
uint8(68) % 19 < 19
uint8(68) & 128 == 0
uint8(68) < 138
uint8(68) > 10
uint8(69) % 30 < 30
uint8(69) & 128 == 0
uint8(69) < 148
uint8(69) > 25
uint8(7) % 12 < 12
uint8(7) & 128 == 0
uint8(7) - 15 == 82
uint8(7) < 131
uint8(7) > 18
uint8(70) % 21 < 21
uint8(70) & 128 == 0
uint8(70) < 139
uint8(70) > 6
uint8(71) % 28 < 28
uint8(71) & 128 == 0
uint8(71) < 130
uint8(71) > 19
uint8(72) % 14 < 14
uint8(72) & 128 == 0
uint8(72) < 134
uint8(72) > 10
uint8(73) % 23 < 23
uint8(73) & 128 == 0
uint8(73) < 136
uint8(73) > 26
uint8(74) % 10 < 10
uint8(74) & 128 == 0
uint8(74) + 11 == 116
uint8(74) < 152
uint8(74) > 1
uint8(75) % 24 < 24
uint8(75) & 128 == 0
uint8(75) - 30 == 86
uint8(75) < 142
uint8(75) > 30
uint8(76) % 24 < 24
uint8(76) & 128 == 0
uint8(76) < 156
uint8(76) > 2
uint8(77) % 24 < 24
uint8(77) & 128 == 0
uint8(77) < 154
uint8(77) > 5
uint8(78) % 13 < 13
uint8(78) & 128 == 0
uint8(78) < 141
uint8(78) > 24
uint8(79) % 24 < 24
uint8(79) & 128 == 0
uint8(79) < 146
uint8(79) > 31
uint8(8) % 21 < 21
uint8(8) & 128 == 0
uint8(8) < 133
uint8(8) > 3 }
uint8(80) % 31 < 31
uint8(80) & 128 == 0
uint8(80) < 143
uint8(80) > 2
uint8(81) % 14 < 14
uint8(81) & 128 == 0
uint8(81) < 131
uint8(81) > 11
uint8(82) % 28 < 28
uint8(82) & 128 == 0
uint8(82) < 152
uint8(82) > 3
uint8(83) % 21 < 21
uint8(83) & 128 == 0
uint8(83) < 134
uint8(83) > 16
uint8(84) % 18 < 18
uint8(84) & 128 == 0
uint8(84) + 3 == 128
uint8(84) < 129
uint8(84) > 26
uint8(9) % 22 < 22
uint8(9) & 128 == 0
uint8(9) < 151
uint8(9) > 23
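Most of the conditions listed above carry little or no information about the file. The following added example (not part of the original write-up) tries every one of the 256 byte values against each single-byte condition to see how many values it leaves, and records which offsets are covered by uint32 equalities or short hash windows. The sample conditions are copied from the list above; the function names and the 4-byte window threshold are assumptions of this example.

```python
import operator
import re

FILESIZE = 85  # from the rule's first condition, filesize == 85

# Constructed sample: a few conditions copied from the sorted list above.
SAMPLE = """\
filesize ^ uint8(11) != 107
filesize ^ uint8(11) != 33
uint8(11) % 27 < 27
uint8(11) & 128 == 0
uint8(11) < 154
uint8(11) > 18
uint8(58) % 14 < 14
uint8(58) + 25 == 122
uint8(58) > 30
uint8(27) ^ 21 == 40
uint8(7) - 15 == 82
uint32(52) ^ 425706662 == 1495724241
hash.crc32(8, 2) == 0x61089c5c
hash.md5(0, 2) == "89484b14b36a8d5329426a3d944d2983"
hash.md5(0, filesize) == "b7dc94ca98aa58dabb5404541c812db2"
"""

OPS = {None: lambda b, k: b, "%": operator.mod, "&": operator.and_,
       "^": operator.xor, "+": operator.add, "-": operator.sub}
CMPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

# Conditions are read as (byte OP k) CMP v, the same grouping the write-up's
# solver relies on when it inverts them.
U8 = re.compile(r'^uint8\((\d+)\)\s*(?:([%&^+\-])\s*(\d+)\s*)?(==|!=|<|>)\s*(\d+)$')
FS = re.compile(r'^filesize\s*\^\s*uint8\((\d+)\)\s*(==|!=)\s*(\d+)$')
U32 = re.compile(r'^uint32\((\d+)\)\s*([-+^])\s*(\d+)\s*==\s*(\d+)$')
HASH = re.compile(r'^hash\.(\w+)\((\d+),\s*(\d+|filesize)\)\s*==')


def byte_predicate(cond):
    """Return (offset, set of byte values that satisfy cond), or None
    if cond is not a condition on a single byte."""
    m = FS.match(cond)
    if m:
        off, cmp_, v = int(m[1]), m[2], int(m[3])
        return off, {b for b in range(256) if CMPS[cmp_](FILESIZE ^ b, v)}
    m = U8.match(cond)
    if m:
        off, op, k, cmp_, v = int(m[1]), m[2], int(m[3] or 0), m[4], int(m[5])
        return off, {b for b in range(256) if CMPS[cmp_](OPS[op](b, k), v)}
    return None


def triage(conditions):
    """Sort conditions into tautologies, pinned bytes, narrowed bytes and
    multi-byte constraints (uint32 equalities, hash windows)."""
    report = {"tautology": [], "pins": {}, "narrowed": {}, "multi_byte": []}
    allowed = {}
    for cond in conditions:
        cond = cond.rstrip(" }")  # the extractor leaves the rule's '}' on one line
        if not cond or re.fullmatch(r'filesize\s*==\s*\d+', cond):
            continue
        pred = byte_predicate(cond)
        if pred:
            off, values = pred
            if len(values) == 256:  # true for every possible byte: pure noise
                report["tautology"].append(cond)
            allowed[off] = allowed.get(off, set(range(256))) & values
            continue
        m = U32.match(cond)
        if m:
            report["multi_byte"].append((int(m[1]), 4, "uint32 equality"))
            continue
        m = HASH.match(cond)
        if m:
            length = FILESIZE if m[3] == "filesize" else int(m[3])
            report["multi_byte"].append((int(m[2]), length, m[1]))
            continue
        raise ValueError(f"unrecognised condition: {cond!r}")
    for off, values in allowed.items():
        if len(values) == 1:
            report["pins"][off] = chr(next(iter(values)))
        else:
            report["narrowed"][off] = len(values)  # candidates still possible
    return report


def recoverable_offsets(report, max_window=4):
    """Offsets fixed by a byte equality, or inside a uint32 equality or a
    hash window short enough to brute-force (max_window is an assumption)."""
    offsets = set(report["pins"])
    for start, length, _kind in report["multi_byte"]:
        if length <= max_window:
            offsets.update(range(start, start + length))
    return offsets


if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    print("tautologies:", result["tautology"])
    print("pinned bytes:", result["pins"])
    print("still ambiguous (offset -> candidates):", result["narrowed"])
    print("recoverable offsets:", sorted(recoverable_offsets(result)))
```

Run over the full sorted list instead of the sample, the same report shows which offsets are left to the inequalities alone.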
Solving the second part of the challenge
Now we can inspect the different kinds of conditions in this list and use them to reconstruct the file the rule matches, by inserting them into another Python script:
import hashlib
import itertools
import string
import zlib
import re

def update_array_from_uint32_equation(arr, equation):
    # Parse the equation using a regular expression to handle addition, subtraction, and XOR
    match = re.match(r'uint32\((\d+)\) \s*([-+^]) \s*(\d+) == (\d+)', equation)
    if match:
        # Extract the position (N), the operation (add, subtract, or XOR), the value (X), and the result (Y)
        position, operation, value, result = match.groups()
        position, value, result = map(int, [position, value, result])
        # Calculate the original value before the operation
        if operation == '+':
            original_value = result - value
        elif operation == '-':
            original_value = result + value
        elif operation == '^':
            original_value = result ^ value
        # Convert the original value to a four-byte sequence
        original_bytes = original_value.to_bytes(4, 'little', signed=False)
        # Update the array at the specified position with the corresponding characters
        for i, byte in enumerate(original_bytes):
            arr[position + i] = chr(byte)
    else:
        print("Equation format is incorrect.")

def update_array_from_equation(arr, equation):
    # Parse the equation using a regular expression
    match = re.match(r'uint8\((\d+)\) \+ (\d+) == (\d+)', equation)
    if match:
        # Extract the position (N), the addition value (X), and the result (Y)
        position, add_value, result = map(int, match.groups())
        # Calculate the original value before addition
        original_value = result - add_value
        # Update the array at the specified position with the character corresponding to the original value
        arr[position] = chr(original_value)
    else:
        print("Equation format is incorrect.")

def update_array_from_uint8_equation(arr, equation):
    # Parse the equation using a regular expression to handle XOR and subtraction for uint8
    match = re.match(r'uint8\((\d+)\) \s*([-^]) \s*(\d+) == (\d+)', equation)
    if match:
        # Extract the position (N), the operation (XOR or subtraction), the value (X), and the result (Y)
        position, operation, value, result = match.groups()
        position, value, result = map(int, [position, value, result])
        # Calculate the original value before the operation
        if operation == '^':
            original_value = result ^ value
        elif operation == '-':
            original_value = result + value
        # Convert the original value to a one-byte sequence
        original_byte = original_value.to_bytes(1, 'little', signed=False)
        # Update the array at the specified position with the corresponding character
        arr[position] = chr(original_byte[0])
    else:
        print("Equation format is incorrect.")

def find_sha256_matches_and_update_array(arr, position_hashes):
    # Define the printable character set
    printable_chars = string.printable
    # Loop over all positions and their respective target SHA256 hashes
    for position, target_sha256 in position_hashes.items():
        # Loop over all possible 2-character pairs from the printable character set
        for pair in itertools.product(printable_chars, repeat=2):
            # Join the pair to make a 2-character string
            pair_str = ''.join(pair)
            # Calculate the SHA256 hash of the string
            sha256_hash = hashlib.sha256(pair_str.encode('utf-8')).hexdigest()
            # Check if the calculated hash matches the target hash
            if sha256_hash == target_sha256:
                # Update the array at the specified position with the found pair
                arr[position] = pair[0]
                arr[position + 1] = pair[1]
                break  # Break out of the inner loop once a match is found

def find_md5_matches_and_update_array(arr, position_hashes):
# Define the printable character set
printable_chars = string.printable
# Loop over all positions and their respective target MD5 hashes
for position, target_md5 in position_hashes.items():
# Loop over all possible 2-character pairs from the printable character set
for pair in itertools.product(printable_chars, repeat=2):
# Join the pair to make a 2-character string
pair_str = ''.join(pair)
# Calculate the MD5 hash of the string
md5_hash = hashlib.md5(pair_str.encode('utf-8')).hexdigest()
# Check if the calculated hash matches the target hash
if md5_hash == target_md5:
# Update the array at the specified position with the found pair
arr[position] = pair[0]
arr[position + 1] = pair[1]
break # Break out of the inner loop once a match is found
def find_crc32_matches_and_update_array(arr, position_hashes):
# Define the printable character set
printable_chars = string.printable
# Loop over all positions and their respective target hashes
for position, target_crc32 in position_hashes.items():
# Loop over all possible 2-character pairs from the printable character set
for pair in itertools.product(printable_chars, repeat=2):
# Join the pair to make a 2-character string
pair_str = ''.join(pair)
# Calculate the CRC32 hash of the string
crc32_hash = zlib.crc32(pair_str.encode('utf-8')) & 0xffffffff
# Check if the calculated hash matches the target hash
if crc32_hash == target_crc32:
# Update the array at the specified position with the found pair
arr[position] = pair[0]
arr[position + 1] = pair[1]
break # Break out of the inner loop once a match is found
# The rest of the code remains the same
def modify_array(arr):
if len(arr) == 85:
# Define the string to be added
suffix = ""
# Calculate the starting index to insert the suffix
start_index = 85 - len(suffix)
# Insert the characters of the suffix into the array
for i, char in enumerate(suffix):
arr[start_index + i] = char
else:
print("Array is not of length 85.")
return arr
# Example usage:
# Initialize an array of length 85 with placeholder values
array = [''] * 85
# Call the function to modify the array
modify_array(array)
# Define the positions and their respective target CRC32 hashes
position_hashes = {
34: 0x5888fc1b,
63: 0x66715919,
78: 0x7cab8d64,
8: 0x61089c5c
}
# Call the function to find the matching pairs and update the array
find_crc32_matches_and_update_array(array, position_hashes)
position_md5_hashes = {
0: "89484b14b36a8d5329426a3d944d2983",
32: "738a656e8e8ec272ca17cd51e12f558b",
50: "657dae0913ee12be6fb2a6f687aae1c7",
76: "f98ed07a4d5f50f7de1410d905f1477f"
}
# Call the function to find the matching pairs and update the array
find_md5_matches_and_update_array(array, position_md5_hashes)
# Define the positions and their respective target SHA256 hashes
position_sha256_hashes = {
14: "403d5f23d149670348b147a15eeb7010914701a7e99aad2e43f90cfa0325c76f",
56: "593f2d04aab251f60c9e4b8bbc1e05a34e920980ec08351a18459b2bc7dbf2f6"
}
find_sha256_matches_and_update_array(array, position_sha256_hashes)
# List of equations to process
equations = [
"uint8(2) + 11 == 119",
"uint8(36) + 4 == 72",
"uint8(58) + 25 == 122",
"uint8(74) + 11 == 116",
"uint8(84) + 3 == 128"
]
# Process each equation and update the array
for eq in equations:
update_array_from_equation(array, eq)
# Example usage with addition, subtraction, and XOR equations:
uint32_equations = [
"uint32(10) + 383041523 == 2448764514",
"uint32(17) - 323157430 == 1412131772",
"uint32(22) ^ 372102464 == 1879700858",
"uint32(28) - 419186860 == 959764852",
"uint32(3) ^ 298697263 == 2108416586",
"uint32(37) + 367943707 == 1228527996",
"uint32(41) + 404880684 == 1699114335",
"uint32(46) - 412326611 == 1503714457",
"uint32(52) ^ 425706662 == 1495724241",
"uint32(59) ^ 512952669 == 1908304943",
"uint32(66) ^ 310886682 == 849718389",
"uint32(70) + 349203301 == 2034162376",
"uint32(80) - 473886976 == 69677856"
]
# Process each uint32 equation and update the array
for eq in uint32_equations:
update_array_from_uint32_equation(array, eq)
# Example usage with XOR and subtraction equations for uint8:
uint8_equations = [
"uint8(45) ^ 9 == 104",
"uint8(16) ^ 7 == 115",
"uint8(27) ^ 21 == 40",
"uint8(65) - 29 == 70",
"uint8(7) - 15 == 82",
"uint8(75) - 30 == 86",
"uint8(21) - 21 == 94",
"uint8(26) - 7 == 25"
]
for eq in uint8_equations:
update_array_from_uint8_equation(array, eq)
# Print the modified array
print(array)
# Convert the array back to a string
result_string = ''.join(array)
# Print the resulting string
print(result_string)
If we run this last script, we are presented with the original yara rule:
rule flareon { strings: $f = "1RuleADayK33p$Malw4r3Aw4y@flare-on.com" condition: $f