{"componentChunkName":"component---src-templates-post-template-js","path":"/clamav-signature-basic-en","result":{"data":{"markdownRemark":{"id":"79282b43-8624-5f3d-9508-813bafa02da6","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/clamav-signature-basic\">original page</a>.</p>\n</blockquote>\n<p>In this post, I use the SECCON 2022 challenge Devil Hunter as a basis for summarizing ClamAV signature notation and analysis methods.</p>\n<p>Reference: <a href=\"https://github.com/SECCON/SECCON2022_online_CTF/tree/main/reversing/devil_hunter\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SECCON2022_online_CTF/reversing/devil_hunter at main · SECCON/SECCON2022_online_CTF</a></p>\n<p>Reference: <a href=\"/clamav-note01-en\">Summary of building ClamAV from source and setting up OnAccessScan</a></p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#challenge-overview-devil-hunter-rev\">Challenge Overview: Devil Hunter (Rev)</a></li>\n<li><a href=\"#database-format-signatures-cdv-cld\">Database-format Signatures (CDV, CLD)</a></li>\n<li>\n<p><a href=\"#body-based-signatures\">Body-based Signatures</a></p>\n<ul>\n<li><a href=\"#extended-signatures\">Extended Signatures</a></li>\n<li><a href=\"#logical-signatures\">Logical Signatures</a></li>\n<li><a 
href=\"#container-metadata-signatures\">Container Metadata Signatures</a></li>\n<li><a href=\"#bytecode-signatures\">Bytecode Signatures</a></li>\n<li><a href=\"#phishing-signatures-phishing-url-signatures\">Phishing Signatures (Phishing URL Signatures)</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#hash-based-signatures\">Hash-based Signatures</a></p>\n<ul>\n<li><a href=\"#file-hash-signatures\">File Hash Signatures</a></li>\n<li><a href=\"#pe-section-hash-signatures\">PE Section Hash Signatures</a></li>\n</ul>\n</li>\n<li><a href=\"#yara-rule-format\">YARA Rule Format</a></li>\n<li><a href=\"#configuring-allow-rules\">Configuring Allow Rules</a></li>\n<li><a href=\"#sigtool-usage-examples\">sigtool Usage Examples</a></li>\n<li>\n<p><a href=\"#bytecode-signatures-tutorial\">Bytecode Signatures Tutorial</a></p>\n<ul>\n<li><a href=\"#preparing-the-bytecode-compiler\">Preparing the Bytecode Compiler</a></li>\n<li><a href=\"#logical-signature-bytecodes-algorithmic-detection-bytecodes\">Logical Signature Bytecodes (Algorithmic Detection Bytecodes)</a></li>\n<li><a href=\"#specifying-malware-names-and-targets\">Specifying Malware Names and Targets</a></li>\n<li><a href=\"#specifying-flevel\">Specifying FLEVEL</a></li>\n<li><a href=\"#declarations-and-definitions\">Declarations and Definitions</a></li>\n<li><a href=\"#defining-the-logical-signature-function\">Defining the Logical Signature Function</a></li>\n<li><a href=\"#defining-the-signature\">Defining the Signature</a></li>\n<li><a href=\"#compiling-and-scanning-bytecode-signatures\">Compiling and Scanning Bytecode Signatures</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#using-bytecode-signatures\">Using Bytecode Signatures</a></p>\n<ul>\n<li><a href=\"#using-file-properties-collection-analysis\">Using File Properties Collection Analysis</a></li>\n<li><a href=\"#using-regular-expressions\">Using Regular Expressions</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#analyzing-bytecode-signatures\">Analyzing Bytecode 
Signatures</a></p>\n<ul>\n<li><a href=\"#displaying-bytecode-signature-summary-information\">Displaying Bytecode Signature Summary Information</a></li>\n<li><a href=\"#viewing-the-source-code-of-a-bytecode-signature\">Viewing the Source Code of a Bytecode Signature</a></li>\n<li><a href=\"#disassembling-a-bytecode-signature\">Disassembling a Bytecode Signature</a></li>\n<li><a href=\"#debugging-bytecode-signatures\">Debugging Bytecode Signatures</a></li>\n<li><a href=\"#enabling-bytecode-signature-debug-traces-in-libclamav\">Enabling Bytecode Signature Debug Traces in libclamav</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solving-devil-hunter-by-analyzing-the-bytecode-signature\">Solving Devil Hunter by Analyzing the Bytecode Signature</a></p>\n<ul>\n<li><a href=\"#inspecting-the-cbc-file-information\">Inspecting the CBC File Information</a></li>\n<li><a href=\"#investigating-func2\">Investigating Func2</a></li>\n<li><a href=\"#investigating-func1\">Investigating Func1</a></li>\n<li><a href=\"#creating-a-solver-to-identify-the-flag\">Creating a Solver to Identify the Flag</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"challenge-overview-devil-hunter-rev\" style=\"position:relative;\"><a href=\"#challenge-overview-devil-hunter-rev\" aria-label=\"challenge overview devil hunter rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Challenge Overview: Devil Hunter (Rev)</h2>\n<blockquote>\n<p>Clam Devil; Asari no Akuma</p>\n</blockquote>\n<p>The challenge 
provides <code class=\"language-text\">flag.cbc</code> and <code class=\"language-text\">check.sh</code> as the challenge files.</p>\n<p>As <code class=\"language-text\">check.sh</code> below shows, the Flag is the text that <code class=\"language-text\">clamscan</code> detects when it scans using <code class=\"language-text\">flag.cbc</code> as the signature database.</p>\n<div class=\"gatsby-highlight\" data-language=\"sh\"><pre class=\"language-sh\"><code class=\"language-sh\">#!/bin/sh\nif [ -z &quot;$1&quot; ]\nthen\n    echo &quot;[+] ${0} &lt;flag.txt&gt;&quot;\n    exit 1\nelse\n    clamscan --bytecode-unsigned=yes --quiet -dflag.cbc &quot;$1&quot;\n    if [ $? -eq 1 ]\n    then\n        echo &quot;Correct!&quot;\n    else\n        echo &quot;Wrong...&quot;\n    fi\nfi</code></pre></div>\n<p><code class=\"language-text\">flag.cbc</code> contained the following text.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">ClamBCafhaio<span class=\"token variable\"><span class=\"token variable\">`</span>lfcf<span class=\"token operator\">|</span>aa<span class=\"token variable\">`</span></span>`<span class=\"token variable\"><span class=\"token variable\">`</span>c<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>a<span class=\"token variable\">`</span></span>`<span class=\"token variable\"><span class=\"token variable\">`</span><span class=\"token operator\">|</span>ah<span class=\"token variable\">`</span></span>cnbac<span class=\"token variable\"><span class=\"token variable\">`</span>cecnb<span class=\"token variable\">`</span></span>c`<span class=\"token variable\"><span class=\"token variable\">`</span>beaacp<span class=\"token variable\">`</span></span>clamcoincidencejb:4096\nSeccon.Reversing.<span class=\"token punctuation\">{</span>FLAG<span class=\"token punctuation\">}</span><span class=\"token 
punctuation\">;</span>Engine:56-255,Target:0<span class=\"token punctuation\">;</span><span class=\"token number\">0</span><span class=\"token punctuation\">;</span><span class=\"token number\">0</span>:534543434f4e7b\nTeddaaahdabahdacahdadahdaeahdafahdagahebdeebaddbdbahebndebceaacb<span class=\"token variable\"><span class=\"token variable\">`</span>bbadb<span class=\"token variable\">`</span></span>baacb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>bdaib<span class=\"token variable\">`</span></span>bdbfaah\nEaeacabbae<span class=\"token operator\">|</span>aebgefafdf`<span class=\"token variable\"><span class=\"token variable\">`</span>adbbe<span class=\"token operator\">|</span>aecgefefkf<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>aebae<span class=\"token operator\">|</span>amcgefdgfgifbgegcgnfafmfef<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>\nG<span class=\"token variable\">`</span></span>ad<span class=\"token variable\"><span class=\"token variable\">`</span>@<span class=\"token variable\">`</span></span>bdeBceBefBcfBcfBofBnfBnbBbeBefBfgBefBbgBcgBifBnfBgfBnbBfdBldBadBgd@<span class=\"token variable\"><span class=\"token variable\">`</span>bad@Aa<span class=\"token variable\">`</span></span>bad@Aa<span class=\"token variable\"><span class=\"token variable\">`</span>\nA<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bLabaa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>Faeac\nBaa`<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token 
variable\">`</span></span>abTaa<span class=\"token variable\"><span class=\"token variable\">`</span>aaab\nBb<span class=\"token variable\">`</span></span>baaabbaeAc<span class=\"token variable\"><span class=\"token variable\">`</span>BeadTbaab\nBTcab<span class=\"token variable\">`</span></span>b@dE\nA<span class=\"token variable\"><span class=\"token variable\">`</span>aaLbhfb<span class=\"token variable\">`</span></span>dab<span class=\"token variable\"><span class=\"token variable\">`</span>dab<span class=\"token variable\">`</span></span>daahabndabad<span class=\"token variable\"><span class=\"token variable\">`</span>bndabad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>ah<span class=\"token variable\">`</span></span>aa<span 
class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token 
variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token 
variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token 
variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>Fbcgah\nBbadaedbbodad@dbadagdbbodaf@db<span class=\"token variable\"><span class=\"token variable\">`</span>bahabbadAgd@db<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@habTbaab\nBaaaiiab<span class=\"token variable\">`</span></span>dbbaBdbhb<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bbbbaabTaaaiabac\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dajbbabajb<span class=\"token variable\">`</span></span>dakh<span class=\"token variable\"><span class=\"token variable\">`</span>ajB<span class=\"token variable\">`</span></span>bhb<span 
class=\"token variable\"><span class=\"token variable\">`</span>dalj<span class=\"token variable\">`</span></span>akB<span class=\"token variable\"><span class=\"token variable\">`</span>bhb<span class=\"token variable\">`</span></span>bamn<span class=\"token variable\"><span class=\"token variable\">`</span>albadandbbodad@dbadaocbbadanamb<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>aabbabaoAadaabaanab<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>aAadb<span class=\"token variable\">`</span></span>dbbaa<span class=\"token variable\"><span class=\"token variable\">`</span>ajAahb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@h<span class=\"token variable\">`</span></span>Taabaaagaa\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>bbcaabbabacAadaabdakab<span class=\"token variable\">`</span></span>bbca@dahbeabbacbeaaabfaeaahbeaBmgaaabgak<span class=\"token variable\"><span class=\"token variable\">`</span>bdabfab<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@h<span class=\"token variable\">`</span></span>Taabgaadag\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>bbhaabbabacAadaabiakab<span class=\"token variable\">`</span></span>bbha@db<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bb@haab<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bb@h<span class=\"token variable\"><span class=\"token variable\">`</span>Taabiaagae\nBb<span class=\"token variable\">`</span></span>dbjabbaabjab<span class=\"token variable\"><span class=\"token variable\">`</span>dbkah<span class=\"token 
variable\">`</span></span>bjaB<span class=\"token variable\"><span class=\"token variable\">`</span>bhb<span class=\"token variable\">`</span></span>dblaj<span class=\"token variable\"><span class=\"token variable\">`</span>bkaB<span class=\"token variable\">`</span></span>bhb<span class=\"token variable\"><span class=\"token variable\">`</span>bbman<span class=\"token variable\">`</span></span>blabadbnadbbodad@dbadboacbbadbnabmab<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>bgbboab<span class=\"token variable\"><span class=\"token variable\">`</span>bbab<span class=\"token variable\">`</span></span>baacb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>dbbbh<span class=\"token variable\"><span class=\"token variable\">`</span>bjaBnahb<span class=\"token variable\">`</span></span>dbcbj<span class=\"token variable\"><span class=\"token variable\">`</span>bbbB<span class=\"token variable\">`</span></span>bhb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdbn<span class=\"token variable\">`</span></span>bcbb<span class=\"token variable\"><span class=\"token variable\">`</span>bbebc<span class=\"token variable\">`</span></span>Add@dbadbfbcbbadagbebb<span class=\"token variable\"><span class=\"token variable\">`</span>bbgbc<span class=\"token variable\">`</span></span>Addbdbbadbhbcbbadbfbbgbb<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>fbbabbhbb<span class=\"token variable\"><span class=\"token variable\">`</span>dbiba<span class=\"token variable\">`</span></span>bjaAdhaabjbiab<span class=\"token variable\"><span class=\"token variable\">`</span>dbibBdbhb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbbibaaTaabjbaeaf\nBb<span class=\"token 
variable\">`</span></span>bbkbgbagaablbeab<span class=\"token variable\"><span class=\"token variable\">`</span>bbkbHbj<span class=\"token variable\">`</span></span>hnicgdb<span class=\"token variable\"><span class=\"token variable\">`</span>bbmbc<span class=\"token variable\">`</span></span>Add@dbadbnbcbbadagbmbb<span class=\"token variable\"><span class=\"token variable\">`</span>bbobc<span class=\"token variable\">`</span></span>AddAadbadb<span class=\"token variable\"><span class=\"token variable\">`</span>ccbbadbnbbobb<span class=\"token variable\">`</span></span>bbacgbb<span class=\"token variable\"><span class=\"token variable\">`</span>caabbceab<span class=\"token variable\">`</span></span>bbacHcj<span class=\"token variable\"><span class=\"token variable\">`</span>hnjjcdaabcck<span class=\"token variable\">`</span></span>blbbbcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdcc<span class=\"token variable\">`</span></span>Add@dbadbeccbbadagbdcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbfcc<span class=\"token variable\">`</span></span>AddAbdbadbgccbbadbecbfcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbhcgbbgcaabiceab<span class=\"token variable\">`</span></span>bbhcHoigndjkcdaabjck<span class=\"token variable\"><span class=\"token variable\">`</span>bccbicb<span class=\"token variable\">`</span></span>bbkcc<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadblccbbadagbkcb<span class=\"token variable\">`</span></span>bbmcc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAcdbadbnccbbadblcbmcb<span class=\"token variable\">`</span></span>bbocgbbncaab<span class=\"token variable\"><span class=\"token variable\">`</span>deab<span class=\"token variable\">`</span></span>bbocHcoaljkhgdaabadk<span class=\"token variable\"><span class=\"token variable\">`</span>bjcb<span class=\"token variable\">`</span></span>db<span class=\"token 
variable\"><span class=\"token variable\">`</span>bbbdc<span class=\"token variable\">`</span></span>Add@dbadbcdcbbadagbbdb<span class=\"token variable\"><span class=\"token variable\">`</span>bbddc<span class=\"token variable\">`</span></span>AddAddbadbedcbbadbcdbddb<span class=\"token variable\"><span class=\"token variable\">`</span>bbfdgbbedaabgdeab<span class=\"token variable\">`</span></span>bbfdHcoalionedaabhdk<span class=\"token variable\"><span class=\"token variable\">`</span>badbgdb<span class=\"token variable\">`</span></span>bbidc<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbjdcbbadagbidb<span class=\"token variable\">`</span></span>bbkdc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAedbadbldcbbadbjdbkdb<span class=\"token variable\">`</span></span>bbmdgbbldaabndeab<span class=\"token variable\"><span class=\"token variable\">`</span>bbmdHoilnikkcdaabodk<span class=\"token variable\">`</span></span>bhdbndb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>ec<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbaecbbadagb<span class=\"token variable\">`</span></span>eb<span class=\"token variable\"><span class=\"token variable\">`</span>bbbec<span class=\"token variable\">`</span></span>AddAfdbadbcecbbadbaebbeb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdegbbceaabeeeab<span class=\"token variable\">`</span></span>bbdeHdochfheedaabfek<span class=\"token variable\"><span class=\"token variable\">`</span>bodbeeb<span class=\"token variable\">`</span></span>bbgec<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbhecbbadagbgeb<span class=\"token variable\">`</span></span>bbiec<span class=\"token variable\"><span class=\"token variable\">`</span>AddAgdbadbjecbbadbhebieb<span class=\"token variable\">`</span></span>bbkegbbjeaableeab<span class=\"token 
variable\"><span class=\"token variable\">`</span>bbkeHdiemjoeedaabmek<span class=\"token variable\">`</span></span>bfebleb<span class=\"token variable\"><span class=\"token variable\">`</span>bbnec<span class=\"token variable\">`</span></span>Add@dbadboecbbadagbneb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>fc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAhdbadbafcbbadboeb<span class=\"token variable\">`</span></span>fb<span class=\"token variable\"><span class=\"token variable\">`</span>bbbfgbbafaabcfeab<span class=\"token variable\">`</span></span>bbbfHoimmoklfdaabdfk<span class=\"token variable\"><span class=\"token variable\">`</span>bmebcfb<span class=\"token variable\">`</span></span>dbefo<span class=\"token variable\"><span class=\"token variable\">`</span>bdfb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbbef<span class=\"token variable\">`</span></span>Tbaag\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dbffbb<span class=\"token variable\">`</span></span>bffaabgfn<span class=\"token variable\"><span class=\"token variable\">`</span>bffTcaaabgfE\nAab<span class=\"token variable\">`</span></span>bLbaab<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>dab<span class=\"token variable\">`</span></span>dab<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span 
class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>Fbfaac\nBb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@habb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbG<span class=\"token variable\">`</span></span>lckjljhaaTbaaa\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dacbbaaacb<span class=\"token variable\">`</span></span>dadbbabadb<span class=\"token variable\"><span class=\"token variable\">`</span>baen<span class=\"token variable\">`</span></span>acb<span class=\"token variable\"><span class=\"token variable\">`</span>bafn<span class=\"token variable\">`</span></span>adb<span 
class=\"token variable\"><span class=\"token variable\">`</span>bagh<span class=\"token variable\">`</span></span>afAcdb<span class=\"token variable\"><span class=\"token variable\">`</span>bahi<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>agb<span class=\"token variable\">`</span></span>baik<span class=\"token variable\"><span class=\"token variable\">`</span>ahBoodb<span class=\"token variable\">`</span></span>bajm<span class=\"token variable\"><span class=\"token variable\">`</span>aiaeb<span class=\"token variable\">`</span></span>bakh<span class=\"token variable\"><span class=\"token variable\">`</span>ajAhdb<span class=\"token variable\">`</span></span>bali<span class=\"token variable\"><span class=\"token variable\">`</span>aeBhadb<span class=\"token variable\">`</span></span>baml<span class=\"token variable\"><span class=\"token variable\">`</span>akalb<span class=\"token variable\">`</span></span>bana<span class=\"token variable\"><span class=\"token variable\">`</span>afAadaaaoeab<span class=\"token variable\">`</span></span>banAddb<span class=\"token variable\"><span class=\"token variable\">`</span>db<span class=\"token variable\">`</span></span>ao<span class=\"token variable\"><span class=\"token variable\">`</span>anb<span class=\"token variable\">`</span></span>dbaao<span class=\"token variable\"><span class=\"token variable\">`</span>amb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbb<span class=\"token variable\">`</span></span>aabb<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bbbaaaaTaaaoabaa\nBTcab<span class=\"token variable\"><span class=\"token variable\">`</span>bamE\nSnfofdg<span class=\"token variable\">`</span></span>bcgof<span class=\"token variable\"><span class=\"token variable\">`</span>befafcgig<span class=\"token 
variable\">`</span></span>bjc<span class=\"token variable\"><span class=\"token variable\">`</span>ej<span class=\"token variable\">`</span></span></code></pre></div>\n<p>Since this CBC file is a ClamAV bytecode signature, the way to obtain the Flag seems to be to identify the text that matches this signature.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/BytecodeSignatures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Bytecode Signatures - ClamAV Documentation</a></p>\n<p>Before solving the challenge, I decided to first read through the documentation on ClamAV signatures.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Signatures - ClamAV Documentation</a></p>\n<p>ClamAV signatures appear to fall broadly into the following categories.</p>\n<ul>\n<li>Database-format signatures (CVD/CLD)</li>\n<li>Body-based signatures</li>\n</ul>\n<p>From here on, I will organize the documentation for each type of ClamAV signature.</p>\n<h2 id=\"database-format-signatures-cdv-cld\" style=\"position:relative;\"><a href=\"#database-format-signatures-cdv-cld\" aria-label=\"database format signatures cdv cld permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Database-format Signatures (CVD, CLD)</h2>\n<p>In ClamAV, signatures are distributed as archive files in database formats called CVD and CLD.</p>\n<p>CLD files are created when updates are applied through a differential update mechanism 
called CDIFF.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/Terminology.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Terminology - ClamAV Documentation</a></p>\n<p>Reference: <a href=\"https://blog.clamav.net/2021/03/clamav-cvds-cdiffs-and-magic-behind.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV® blog: ClamAV, CVDs, CDIFFs and the magic behind the curtain</a></p>\n<p>A CVD is a compressed signature database archive that is digitally signed and distributed by Cisco-Talos.</p>\n<p>On machines that use ClamAV, CVD files are normally downloaded by the <code class=\"language-text\">freshclam</code> module.</p>\n<p>The extension for a CVD is <code class=\"language-text\">.cvd</code>, but when a CVD or CLD database is updated with a CDIFF patch file, the extension becomes <code class=\"language-text\">.cld</code>.</p>\n<p>In addition to the CVD databases distributed by Cisco-Talos, ClamAV can also perform scans using custom database files.</p>\n<h2 id=\"body-based-signatures\" style=\"position:relative;\"><a href=\"#body-based-signatures\" aria-label=\"body based signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Body-based Signatures</h2>\n<p>In ClamAV, you can use Body-based signatures in addition to database-format signatures.</p>\n<p>A Body-based signature is a signature that defines detection conditions based on specific byte sequences in the scan target, rather than hashes.</p>\n<p>The main types of Body-based signatures 
available in ClamAV are as follows.</p>\n<p>Note: Signatures whose extension ends with <code class=\"language-text\">u</code> are loaded only when PUA signatures are enabled.</p>\n<ul>\n<li><code class=\"language-text\">*.ndb / *.ndu</code>: Extended signatures</li>\n<li><code class=\"language-text\">*.ldb / *.ldu / *.idb</code>: Logical Signatures</li>\n<li><code class=\"language-text\">*.cdb</code>: Container Metadata Signatures</li>\n<li><code class=\"language-text\">*.cbc</code>: Bytecode Signatures</li>\n<li><code class=\"language-text\">*.pdb / *.gdb / *.wdb</code>: Phishing URL Signatures</li>\n</ul>\n<p>The bytecode signature (<code class=\"language-text\">.cbc</code>) used in this challenge is also one type of Body-based signature.</p>\n<h3 id=\"extended-signatures\" style=\"position:relative;\"><a href=\"#extended-signatures\" aria-label=\"extended signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Extended Signatures</h3>\n<p><code class=\"language-text\">*.ndb / *.ndu</code> refers to extended signatures.</p>\n<p>Extended signatures can be written in the following format, defining items such as TargetType, Virus offset, and FLEVEL in addition to the hex signature.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">MalwareName:TargetType:Offset:HexSignature<span class=\"token punctuation\">[</span>:min_flevel:<span class=\"token punctuation\">[</span>max_flevel<span class=\"token 
punctuation\">]</span><span class=\"token punctuation\">]</span></code></pre></div>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/ExtendedSignatures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Extended Signatures - ClamAV Documentation</a></p>\n<p><code class=\"language-text\">MalwareName</code> can be any value, but official signatures are usually defined according to the following naming convention.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token punctuation\">{</span>platform<span class=\"token punctuation\">}</span>.<span class=\"token punctuation\">{</span>category<span class=\"token punctuation\">}</span>.<span class=\"token punctuation\">{</span>name<span class=\"token punctuation\">}</span>-<span class=\"token punctuation\">{</span>signature id<span class=\"token punctuation\">}</span>-<span class=\"token punctuation\">{</span>revision<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures.html#signature-names\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Signatures - ClamAV Documentation</a></p>\n<p><code class=\"language-text\">TargetType</code> specifies the type of file to scan.</p>\n<p>If you want the signature to target arbitrary files, specify <code class=\"language-text\">0</code>.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FileTypes.html#Target-Types\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV File Types and Target Types - ClamAV Documentation</a></p>\n<p>For example, you can define an extended signature that detects files under the detection name <code class=\"language-text\">TEST_EXTENDED_SIG</code> as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code 
class=\"language-bash\">TEST_EXTENDED_SIG:0:*:48656c6c6f2c20436c616d4156</code></pre></div>\n<p>This signature detects the string <code class=\"language-text\">Hello, ClamAV</code>, written here as the hex string produced by <code class=\"language-text\">sigtool --hex-dump</code>, in files of any type.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 304px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/87d76b4303ad28107bec681294fa02b2/c1724/image-20240730221051779.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 23.333333333333332%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/87d76b4303ad28107bec681294fa02b2/8ac56/image-20240730221051779.webp 240w,\n/static/87d76b4303ad28107bec681294fa02b2/e6f1a/image-20240730221051779.webp 304w\"\n              sizes=\"(max-width: 304px) 100vw, 304px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/87d76b4303ad28107bec681294fa02b2/8ff5a/image-20240730221051779.png 240w,\n/static/87d76b4303ad28107bec681294fa02b2/c1724/image-20240730221051779.png 304w\"\n            sizes=\"(max-width: 304px) 
100vw, 304px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/87d76b4303ad28107bec681294fa02b2/c1724/image-20240730221051779.png\"\n            alt=\"image-20240730221051779\"\n            title=\"image-20240730221051779\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I actually scanned with the command <code class=\"language-text\">clamscan --database=TEST_EXTENDED_SIG.ndb test1.txt</code>, I was able to detect files containing the text <code class=\"language-text\">Hello, ClamAV</code> under the detection name <code class=\"language-text\">TEST_EXTENDED_SIG</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 666px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cd249c40519c10b4dc4de14da6e1229d/ace37/image-20240730221234979.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 120%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cd249c40519c10b4dc4de14da6e1229d/8ac56/image-20240730221234979.webp 240w,\n/static/cd249c40519c10b4dc4de14da6e1229d/d3be9/image-20240730221234979.webp 480w,\n/static/cd249c40519c10b4dc4de14da6e1229d/be082/image-20240730221234979.webp 666w\"\n              sizes=\"(max-width: 666px) 100vw, 666px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/cd249c40519c10b4dc4de14da6e1229d/8ff5a/image-20240730221234979.png 240w,\n/static/cd249c40519c10b4dc4de14da6e1229d/e85cb/image-20240730221234979.png 480w,\n/static/cd249c40519c10b4dc4de14da6e1229d/ace37/image-20240730221234979.png 666w\"\n            sizes=\"(max-width: 666px) 100vw, 666px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cd249c40519c10b4dc4de14da6e1229d/ace37/image-20240730221234979.png\"\n            alt=\"image-20240730221234979\"\n            title=\"image-20240730221234979\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"logical-signatures\" style=\"position:relative;\"><a href=\"#logical-signatures\" aria-label=\"logical signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Logical Signatures</h3>\n<p>Signatures with the extensions <code class=\"language-text\">*.ldb / *.ldu / *.idb</code> are logical signatures.</p>\n<p>Logical signatures can combine multiple signatures using logical operators.</p>\n<p>The format of a logical signature is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">SignatureName<span class=\"token punctuation\">;</span>TargetDescriptionBlock<span class=\"token 
punctuation\">;</span>LogicalExpression<span class=\"token punctuation\">;</span>Subsig0<span class=\"token punctuation\">;</span>Subsig1<span class=\"token punctuation\">;</span>Subsig2<span class=\"token punctuation\">;</span><span class=\"token punctuation\">..</span>.</code></pre></div>\n<p>In <code class=\"language-text\">TargetDescriptionBlock</code>, information about the engine and target files is written as comma-separated pairs.</p>\n<p>Although <code class=\"language-text\">TargetDescriptionBlock</code> can include items other than <code class=\"language-text\">Engine</code>, it is recommended to place the <code class=\"language-text\">Engine</code> specification first for compatibility reasons.</p>\n<p>The <code class=\"language-text\">Engine</code> field is written in a format such as <code class=\"language-text\">Engine:81-255</code>.</p>\n<p>This <code class=\"language-text\">Engine</code> setting is especially important for signatures that use features added in specific versions.</p>\n<p>Incidentally, this field is expressed as a range of FLEVEL values. An FLEVEL value of 81 corresponds to version 0.99.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FunctionalityLevels.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV Versions and Functionality Levels - ClamAV Documentation</a></p>\n<p>Other values that can be specified in <code class=\"language-text\">TargetDescriptionBlock</code> include <code class=\"language-text\">Target</code>, <code class=\"language-text\">FileSize</code>, and <code class=\"language-text\">EntryPoint</code> offsets, among others.</p>\n<p><code class=\"language-text\">Target</code> lets you specify the file to be scanned. 
As with extended signatures, <code class=\"language-text\">0</code> means an arbitrary file.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FileTypes.html#Target-Types\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV File Types and Target Types - ClamAV Documentation</a></p>\n<p>In the following <code class=\"language-text\">LogicalExpression</code> section, you write the logical expression that defines the relationships among the sub-signatures that follow.</p>\n<p>You can define up to 64 sub-signatures, and they are referenced in order as <code class=\"language-text\">0</code>, <code class=\"language-text\">1</code>, <code class=\"language-text\">2</code>, and so on.</p>\n<p>The implementation is a little hard to grasp, but these sub-signatures can contain expressions and values.</p>\n<p>For example, in the following signature, which is the same as the sample in the documentation, the logical expression <code class=\"language-text\">0&amp;1</code> defines a signature that detects the target file only when both Subsig0 (<code class=\"language-text\">41414141::i</code>) and Subsig1 (<code class=\"language-text\">424242424242::i</code>) match.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">TEST_LOGICAL_SIG<span class=\"token punctuation\">;</span>Engine:81-255,Target:0<span class=\"token punctuation\">;</span><span class=\"token number\">0</span><span class=\"token operator\">&amp;</span><span class=\"token number\">1</span><span class=\"token punctuation\">;</span><span class=\"token number\">41414141</span>::i<span class=\"token punctuation\">;</span><span class=\"token number\">424242424242</span>::i</code></pre></div>\n<p><code class=\"language-text\">::i</code> is an option that instructs ClamAV to ignore case.</p>\n<p>In other words, the above signature detects a file when both <code class=\"language-text\">AAAA</code> (or <code 
class=\"language-text\">aaaa</code>) and <code class=\"language-text\">BBBBBB</code> (or <code class=\"language-text\">bbbbbb</code>) are present in the file.</p>\n<p>If you actually test this signature against the text files from <code class=\"language-text\">test1</code> to <code class=\"language-text\">test4</code>, you can confirm that detection occurs only when both <code class=\"language-text\">AAAA</code> (or <code class=\"language-text\">aaaa</code>) and <code class=\"language-text\">BBBBBB</code> (or <code class=\"language-text\">bbbbbb</code>) are present in the file.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 672px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/31b3e9028e0c618c1bdc66745bddd30e/30d16/image-20240731220015849.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 118.75%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/31b3e9028e0c618c1bdc66745bddd30e/8ac56/image-20240731220015849.webp 240w,\n/static/31b3e9028e0c618c1bdc66745bddd30e/d3be9/image-20240731220015849.webp 480w,\n/static/31b3e9028e0c618c1bdc66745bddd30e/0fa99/image-20240731220015849.webp 672w\"\n              sizes=\"(max-width: 672px) 100vw, 672px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/31b3e9028e0c618c1bdc66745bddd30e/8ff5a/image-20240731220015849.png 240w,\n/static/31b3e9028e0c618c1bdc66745bddd30e/e85cb/image-20240731220015849.png 480w,\n/static/31b3e9028e0c618c1bdc66745bddd30e/30d16/image-20240731220015849.png 672w\"\n            
sizes=\"(max-width: 672px) 100vw, 672px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/31b3e9028e0c618c1bdc66745bddd30e/30d16/image-20240731220015849.png\"\n            alt=\"image-20240731220015849\"\n            title=\"image-20240731220015849\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since <code class=\"language-text\">test3</code> and <code class=\"language-text\">test4</code> contain only one of <code class=\"language-text\">AAAA</code> or <code class=\"language-text\">BBBBBB</code>, they are not detected by this signature.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 651px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b6b52f65f08f2155abd167b19de4f4ec/1ac66/image-20240731220037513.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 109.16666666666669%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b6b52f65f08f2155abd167b19de4f4ec/8ac56/image-20240731220037513.webp 240w,\n/static/b6b52f65f08f2155abd167b19de4f4ec/d3be9/image-20240731220037513.webp 480w,\n/static/b6b52f65f08f2155abd167b19de4f4ec/be1d0/image-20240731220037513.webp 651w\"\n              sizes=\"(max-width: 651px) 100vw, 651px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/b6b52f65f08f2155abd167b19de4f4ec/8ff5a/image-20240731220037513.png 240w,\n/static/b6b52f65f08f2155abd167b19de4f4ec/e85cb/image-20240731220037513.png 480w,\n/static/b6b52f65f08f2155abd167b19de4f4ec/1ac66/image-20240731220037513.png 651w\"\n            sizes=\"(max-width: 651px) 100vw, 651px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b6b52f65f08f2155abd167b19de4f4ec/1ac66/image-20240731220037513.png\"\n            alt=\"image-20240731220037513\"\n            title=\"image-20240731220037513\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>There are a great many sub-signature notations, so I will not cover them in this article.</p>\n<p>The details are summarized in the following documentation.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/LogicalSignatures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Logical Signatures - ClamAV Documentation</a></p>\n<h3 id=\"container-metadata-signatures\" style=\"position:relative;\"><a href=\"#container-metadata-signatures\" aria-label=\"container metadata signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Container Metadata Signatures</h3>\n<p>Container metadata signatures are defined in files with the <code class=\"language-text\">*.cdb</code> 
extension.</p>\n<p>The format of the signature is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2<span class=\"token punctuation\">[</span>:MinFL<span class=\"token punctuation\">[</span>:MaxFL<span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span></code></pre></div>\n<p>For <code class=\"language-text\">ContainerType</code>, you specify archive file types defined by ClamAV itself, such as <code class=\"language-text\">CL_TYPE_ZIP</code> and <code class=\"language-text\">CL_TYPE_7Z</code>.</p>\n<p>It appears that <code class=\"language-text\">*</code> can be used to specify an arbitrary file type.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FileTypes.html#file-types\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV File Types and Target Types - ClamAV Documentation</a></p>\n<p>There is not much information about container metadata signatures, but they seem to be signatures that can detect archive files by specifying various conditions such as file type and size.</p>\n<p>For example, with the following signature that specifies only <code class=\"language-text\">CL_TYPE_ZIP</code> for <code class=\"language-text\">ContainerType</code>, you can detect any ZIP file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">TEST_CONTAINER_METADATA_SIG:CL_TYPE_ZIP:*:*:*:*:*:*:*:*</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 656px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f4ab5918c17f8a7c2bf74329cf09898f/748f4/image-20240801191401840.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    
rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 98.33333333333334%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f4ab5918c17f8a7c2bf74329cf09898f/8ac56/image-20240801191401840.webp 240w,\n/static/f4ab5918c17f8a7c2bf74329cf09898f/d3be9/image-20240801191401840.webp 480w,\n/static/f4ab5918c17f8a7c2bf74329cf09898f/31099/image-20240801191401840.webp 656w\"\n              sizes=\"(max-width: 656px) 100vw, 656px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f4ab5918c17f8a7c2bf74329cf09898f/8ff5a/image-20240801191401840.png 240w,\n/static/f4ab5918c17f8a7c2bf74329cf09898f/e85cb/image-20240801191401840.png 480w,\n/static/f4ab5918c17f8a7c2bf74329cf09898f/748f4/image-20240801191401840.png 656w\"\n            sizes=\"(max-width: 656px) 100vw, 656px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f4ab5918c17f8a7c2bf74329cf09898f/748f4/image-20240801191401840.png\"\n            alt=\"image-20240801191401840\"\n            title=\"image-20240801191401840\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In addition, the <code class=\"language-text\">ContainerSize</code> option lets you specify the size of the container file itself, such as a ZIP, in bytes.</p>\n<p>If you change the value of <code class=\"language-text\">ContainerSize</code> to <code class=\"language-text\">80000000-90000000</code>, <code class=\"language-text\">testzip.zip</code> is no longer detected, but <code 
class=\"language-text\">bigsizezip.zip</code>, whose file size is 88843043, is detected.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">TEST_CONTAINER_METADATA_SIG:CL_TYPE_ZIP:80000000-90000000:*:*:*:*:*:*:*</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 767px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9519b0160acf36162018cf21cc5d9ca5/6c2f2/image-20240801191920008.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 99.16666666666667%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9519b0160acf36162018cf21cc5d9ca5/8ac56/image-20240801191920008.webp 240w,\n/static/9519b0160acf36162018cf21cc5d9ca5/d3be9/image-20240801191920008.webp 480w,\n/static/9519b0160acf36162018cf21cc5d9ca5/e0ad8/image-20240801191920008.webp 767w\"\n              sizes=\"(max-width: 767px) 100vw, 767px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9519b0160acf36162018cf21cc5d9ca5/8ff5a/image-20240801191920008.png 240w,\n/static/9519b0160acf36162018cf21cc5d9ca5/e85cb/image-20240801191920008.png 480w,\n/static/9519b0160acf36162018cf21cc5d9ca5/6c2f2/image-20240801191920008.png 767w\"\n            sizes=\"(max-width: 767px) 100vw, 767px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9519b0160acf36162018cf21cc5d9ca5/6c2f2/image-20240801191920008.png\"\n            alt=\"image-20240801191920008\"\n 
           title=\"image-20240801191920008\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>You can also detect container files by specifying various other conditions, such as the container file name, compressed size, and whether it is encrypted.</p>\n<h3 id=\"bytecode-signatures\" style=\"position:relative;\"><a href=\"#bytecode-signatures\" aria-label=\"bytecode signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bytecode Signatures</h3>\n<p>Signatures with the <code class=\"language-text\">.cbc</code> extension, like the one provided as the Devil Hunter challenge binary, are bytecode signatures.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/BytecodeSignatures.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Bytecode Signatures - ClamAV Documentation</a></p>\n<p>In ClamAV, you can implement more complex pattern matching by writing C code that analyzes content.</p>\n<p>At that point, signatures written in C are compiled into an intermediate language called <code class=\"language-text\">bytecode</code>.</p>\n<p>This <code class=\"language-text\">bytecode</code> is generated as an ASCII-format <code class=\"language-text\">.cbc</code> file and can be distributed in <code class=\"language-text\">.cvd / .cld</code> database files.</p>\n<p>I will explain how to write and compile bytecode signatures 
later.</p>\n<h3 id=\"phishing-signatures-phishing-url-signatures\" style=\"position:relative;\"><a href=\"#phishing-signatures-phishing-url-signatures\" aria-label=\"phishing signatures phishing url signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Phishing Signatures (Phishing URL Signatures)</h3>\n<p>ClamAV can inspect the displayed links in HTML, such as those contained in email, and the actual destination addresses of those links.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/PhishSigs.html?search=\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Phishing Signatures - ClamAV Documentation</a></p>\n<p>The documentation contains a great deal of information about phishing signatures, but I will omit them this time.</p>\n<h2 id=\"hash-based-signatures\" style=\"position:relative;\"><a href=\"#hash-based-signatures\" aria-label=\"hash based signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Hash-based Signatures</h2>\n<p>ClamAV can use Hash-based signatures to detect 
files by checking file hashes.</p>\n<p>There are two types of Hash-based signatures.</p>\n<ul>\n<li><code class=\"language-text\">*.hdb *.hsb *.hdu *.hsu</code>: File hash signatures</li>\n<li><code class=\"language-text\">*.mdb *.msb *.mdu *.msu</code>: PE section hash signatures</li>\n</ul>\n<h3 id=\"file-hash-signatures\" style=\"position:relative;\"><a href=\"#file-hash-signatures\" aria-label=\"file hash signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>File Hash Signatures</h3>\n<p>File hash signatures are defined in the following format.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">HashString:FileSize:MalwareName</code></pre></div>\n<p>You can use MD5, SHA1, SHA256, and other hashes for file hashes, and you can create a file hash signature for a specific file with <code class=\"language-text\">sigtool</code> as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">sigtool --md5 test1.txt <span class=\"token operator\">></span> test.hdb\nsigtool --sha1 test1.txt <span class=\"token operator\">></span> test.hdb\nsigtool --sha256 test1.txt <span class=\"token operator\">></span> test.hdb</code></pre></div>\n<p>The file hash signatures generated by these commands can be used for static matching.</p>\n<p>Note that the file hash signatures generated by <code class=\"language-text\">sigtool</code> include the target file’s size in the <code class=\"language-text\">FileSize</code> field.</p>\n<p>However, if the file size is unknown and only the hash is known, you can also detect it by replacing <code class=\"language-text\">FileSize</code> with a wildcard as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">bf47ba8d5e3af20bd79fa2c9ed028c5a9501a00f:*:test1.txt:73</code></pre></div>\n<p>When using this notation, you need to append a value at the end to specify a minimum engine level of 73 or higher.</p>\n<h3 id=\"pe-section-hash-signatures\" style=\"position:relative;\"><a href=\"#pe-section-hash-signatures\" aria-label=\"pe section hash signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PE Section Hash Signatures</h3>\n<p>ClamAV can use not only file hashes but also hash signatures for specific sections within PE files for detection.</p>\n<p>PE section hash signatures can also be created with <code class=\"language-text\">sigtool</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">sigtool --mdb 
/path/to/32bit/PE/file</code></pre></div>\n<p>However, as of the time of writing this article (August 2024), even the latest version of ClamAV does not appear to support creating section hash signatures for 64-bit PE binaries.</p>\n<p>Note: PE import table hash signatures are likewise supported only for 32-bit files.</p>\n<h2 id=\"yara-rule-format\" style=\"position:relative;\"><a href=\"#yara-rule-format\" aria-label=\"yara rule format permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>YARA Rule Format</h2>\n<p>Because ClamAV can process YARA rules, you can define signatures with the <code class=\"language-text\">.yar / .yara</code> extensions that contain YARA rules.</p>\n<p>However, ClamAV has some limitations on the YARA rules it can handle, so caution is required.</p>\n<p>I will omit the detailed limitations and usage in this article.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures/YaraRules.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">YARA Rules - ClamAV Documentation</a></p>\n<h2 id=\"configuring-allow-rules\" style=\"position:relative;\"><a href=\"#configuring-allow-rules\" aria-label=\"configuring allow rules permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Configuring Allow Rules</h2>\n<p>ClamAV lets you configure several allow rules to suppress false positives.</p>\n<p>Allow rules can be configured either per file hash or per signature.</p>\n<p>Creating an allow rule that suppresses detection for a specific file is simple: just add a line output by <code class=\"language-text\">sigtool</code>, much like a file hash signature.</p>\n<p>When adding a SHA1 or SHA256 hash as an allow rule, use <code class=\"language-text\">.sfp</code> as the extension for the allow list.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">sigtool --sha256 ~/Downloads/eicar.com <span class=\"token operator\">>></span> /var/lib/clamav/false-positives.sfp</code></pre></div>\n<h2 id=\"sigtool-usage-examples\" style=\"position:relative;\"><a href=\"#sigtool-usage-examples\" aria-label=\"sigtool usage examples permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>sigtool Usage Examples</h2>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Check the hex string to use for signatures</span>\n<span class=\"token builtin class-name\">echo</span> -n <span class=\"token string\">\"test\"</span> <span class=\"token 
operator\">|</span> sigtool --hex-dump\n\n<span class=\"token comment\"># Create file hash signatures</span>\nsigtool --md5 test1.txt <span class=\"token operator\">></span> test.hdb\nsigtool --sha1 test1.txt <span class=\"token operator\">></span> test.hdb\nsigtool --sha256 test1.txt <span class=\"token operator\">></span> test.hdb\n\n<span class=\"token comment\"># Create allowlist rules</span>\nsigtool --sha256 ~/Downloads/eicar.com <span class=\"token operator\">>></span> /var/lib/clamav/false-positives.sfp</code></pre></div>\n<p>Reference: <a href=\"https://docs.clamav.net/manual/Signatures.html#using-sigtool\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Signatures - ClamAV Documentation</a></p>\n<h2 id=\"bytecode-signatures-tutorial\" style=\"position:relative;\"><a href=\"#bytecode-signatures-tutorial\" aria-label=\"bytecode signatures tutorial permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bytecode Signatures Tutorial</h2>\n<p>To solve Devil Hunter, the challenge covered in this post, I dug deeper into the documentation on bytecode signatures.</p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav-bytecode-compiler/blob/main/docs/user/clambc-user.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav-bytecode-compiler/docs/user/clambc-user.pdf at main · Cisco-Talos/clamav-bytecode-compiler</a></p>\n<h3 id=\"preparing-the-bytecode-compiler\" style=\"position:relative;\"><a href=\"#preparing-the-bytecode-compiler\" aria-label=\"preparing the 
bytecode compiler permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Preparing the Bytecode Compiler</h3>\n<p>First, prepare the bytecode compiler.</p>\n<p>Install clang and LLVM, which are required to build the bytecode compiler.</p>\n<p>clang and LLVM need to use matching versions, and version 8 appears to be the recommended one.</p>\n<p>I tried using the latest version 18 available through apt, but the build failed, so I decided to use Docker to prepare an environment with clang/LLVM version 8.</p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav-bytecode-compiler/README.md\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav-docker/clamav-bytecode-compiler/README.md at main · Cisco-Talos/clamav-docker</a></p>\n<p>With any directory set as the current directory, run the following command:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">docker</span> run -v <span class=\"token variable\"><span class=\"token variable\">`</span><span class=\"token builtin class-name\">pwd</span><span class=\"token variable\">`</span></span>:/src -it clamav/clambc-compiler:stable /bin/bash</code></pre></div>\n<p>This makes it possible to run <code class=\"language-text\">clambc-compiler</code>.</p>\n<h3 id=\"logical-signature-bytecodes-algorithmic-detection-bytecodes\" style=\"position:relative;\"><a href=\"#logical-signature-bytecodes-algorithmic-detection-bytecodes\" aria-label=\"logical signature bytecodes algorithmic 
detection bytecodes permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Logical Signature Bytecodes (Algorithmic Detection Bytecodes)</h3>\n<p>Logical signature bytecodes (also known as Algorithmic detection bytecodes) are bytecode signatures triggered by signatures equivalent to Logical signatures (<code class=\"language-text\">.ldb</code>).</p>\n<p>The CVD/CLD signatures officially distributed by ClamAV also fall into the category of bytecode signatures.</p>\n<p>By default, however, ClamAV treats any bytecode signature other than those officially distributed by Cisco as an “untrusted” signature.</p>\n<p>Because of this, when scanning with a custom bytecode signature you created yourself, be aware that you must explicitly enable the option in <code class=\"language-text\">clamscan</code> or <code class=\"language-text\">clamd</code> that allows the use of untrusted bytecode signatures.</p>\n<p>Reference: <a href=\"https://blog.clamav.net/2014/11/brief-re-introduction-to-clamav.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV® blog: Brief Re-introduction to ClamAV Bytecode Signatures</a></p>\n<p>Using Logical signature bytecodes lets you define more complex detection logic that can run faster than using Logical signatures directly.</p>\n<p>Algorithmic detection bytecodes are broadly made up of the following elements:</p>\n<ul>\n<li>The signature and its corresponding malware name</li>\n<li>Pattern definitions (for logical subexpressions)</li>\n<li>A Logical signature written 
as a simple C function (<code class=\"language-text\">bool logical_trigger(void)</code>)</li>\n<li>The signature triggered when the Logical signature matches (<code class=\"language-text\">int entrypoint(void)</code>)</li>\n<li>(Optional) Other functions and constants used by the entrypoint</li>\n</ul>\n<h3 id=\"specifying-malware-names-and-targets\" style=\"position:relative;\"><a href=\"#specifying-malware-names-and-targets\" aria-label=\"specifying malware names and targets permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Specifying Malware Names and Targets</h3>\n<p>In a bytecode signature, you define the required <code class=\"language-text\">VIRUSNAME_PREFIX</code> and the optional <code class=\"language-text\">VIRUSNAMES</code> as the malware names used for detection.</p>\n<p>The name specified in <code class=\"language-text\">VIRUSNAME_PREFIX</code> is always used when a detection occurs.</p>\n<p>The optional values defined in <code class=\"language-text\">VIRUSNAMES</code>, separated by commas, are appended after <code class=\"language-text\">VIRUSNAME_PREFIX</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// TESTMALWARE.001.A</span>\n<span class=\"token comment\">// TESTMALWARE.001.B</span>\n<span class=\"token function\">VIRUSNAME_PREFIX</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"TESTMALWARE.001\"</span><span class=\"token 
punctuation\">)</span>\n<span class=\"token function\">VIRUSNAMES</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This optional part is determined by passing a value like <code class=\"language-text\">foundVirus(\"A\");</code> as the argument to the <code class=\"language-text\">foundVirus</code> function inside the bytecode signature.</p>\n<p>You also need to specify an integer in <code class=\"language-text\">TARGET</code> that indicates the type the bytecode signature will scan.</p>\n<p>As with the other signatures used so far, this integer should use one of the values listed in the following documentation.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FileTypes.html#Target-Types\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV File Types and Target Types - ClamAV Documentation</a></p>\n<p>For example, the following specifies <code class=\"language-text\">HTML(normalized)</code> as the target.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// HTML(normalized)</span>\n<span class=\"token comment\">// HTML - Whitespace transformed to spaces, tags/tag attributes normalized, all lowercase.</span>\n<span class=\"token function\">TARGET</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>When <code class=\"language-text\">HTML(normalized)</code> is specified as the target, note that whitespace and tags are transformed and all text is interpreted as lowercase. 
(Signatures that target uppercase text will no longer work as intended.)</p>\n<h3 id=\"specifying-flevel\" style=\"position:relative;\"><a href=\"#specifying-flevel\" aria-label=\"specifying flevel permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Specifying FLEVEL</h3>\n<p>Bytecode signatures can also specify the minimum required FLEVEL.</p>\n<p>When you define it inside a bytecode signature, you do not use the integer FLEVEL value directly. Instead, you specify a value such as <code class=\"language-text\">FUNC_LEVEL_098_5</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// FUNC_LEVEL_098_5 = 78</span>\n<span class=\"token function\">FUNCTIONALITY_LEVEL_MIN</span><span class=\"token punctuation\">(</span>FUNC_LEVEL_098_5<span class=\"token punctuation\">)</span></code></pre></div>\n<p>For the possible values, use the entries in the <code class=\"language-text\">FunctionalityLevel (bytecode enum)</code> column in the documentation below.</p>\n<p>Reference: <a href=\"https://docs.clamav.net/appendix/FunctionalityLevels.html#versions--functionality-levels-flevels\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV Versions and Functionality Levels - ClamAV Documentation</a></p>\n<h3 id=\"declarations-and-definitions\" style=\"position:relative;\"><a href=\"#declarations-and-definitions\" aria-label=\"declarations and definitions permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Declarations and Definitions</h3>\n<p>Inside a bytecode signature, you can define Declarations and Definitions.</p>\n<p>Declarations are used like variable declarations, while Definitions are used like variable definitions.</p>\n<p>Because of that, Declarations must always come before Definitions.</p>\n<p>In the following example, two Declarations are defined: <code class=\"language-text\">magic</code> and <code class=\"language-text\">trojan</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Declarations</span>\nSIGNATURES_DECL_BEGIN\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">)</span>\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">)</span>\nSIGNATURES_DECL_END</code></pre></div>\n<p>The Definitions corresponding to these Declarations can be written as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// Definitions </span>\nSIGNATURES_DEF_BEGIN\n<span class=\"token function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">,</span><span class=\"token string\">\"61616161\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token 
function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">,</span><span class=\"token string\">\"74726f6a616e\"</span><span class=\"token punctuation\">)</span>\nSIGNATURES_END</code></pre></div>\n<p>This registers two global variables, <code class=\"language-text\">magic</code> and <code class=\"language-text\">trojan</code>, so you can use these values inside the bytecode signature logic.</p>\n<p>Also, if you want a signature to detect a specific string, you need to specify the hex-dumped string just as you would with Logical signatures.</p>\n<p>In the example above, because the target string is <code class=\"language-text\">aaaa</code>, the definition uses <code class=\"language-text\">DEFINE_SIGNATURE(magic,\"61616161\")</code> instead of <code class=\"language-text\">DEFINE_SIGNATURE(magic,\"aaaa\")</code>.</p>\n<h3 id=\"defining-the-logical-signature-function\" style=\"position:relative;\"><a href=\"#defining-the-logical-signature-function\" aria-label=\"defining the logical signature function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Defining the Logical Signature Function</h3>\n<p>In a bytecode signature, the actual signature (<code class=\"language-text\">int entrypoint(void)</code>) is triggered when the pattern in the Logical signature written as a simple C function (<code class=\"language-text\">bool logical_trigger(void)</code>) matches.</p>\n<p>So first, define the <code 
class=\"language-text\">logical_trigger</code> function as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// All bytecode triggered by logical signatures must have this function</span>\nbool <span class=\"token function\">logical_trigger</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The <code class=\"language-text\">count_match</code> function counts how many times a specific pattern matched and returns that count.</p>\n<p>In the example above, it returns the number of matches for the pattern defined by <code class=\"language-text\">magic</code>, so <code class=\"language-text\">logical_trigger</code> returns true only when that pattern matches more than once.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// This is the bytecode function that is actually executed when the logical signature matched</span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">matches</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// success, return 0</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"defining-the-signature\" style=\"position:relative;\"><a href=\"#defining-the-signature\" aria-label=\"defining the signature permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Defining the Signature</h3>\n<p>Define the actual bytecode signature body (<code class=\"language-text\">int entrypoint(void)</code>), which is called when the Logical signature matches.</p>\n<p>If the <code class=\"language-text\">entrypoint</code> processing succeeds, it is recommended that this function always return 0.</p>\n<p>Also, use the <code 
class=\"language-text\">foundVirus</code> function when a malware condition matches.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// This is the bytecode function that is actually executed when the logical signature matched</span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">matches</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// success, return 0</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>In the example above, if the <code class=\"language-text\">trojan</code> pattern matches (<code class=\"language-text\">matches(Signatures.trojan)</code>), the detection is reported with <code class=\"language-text\">A</code> from the optional <code class=\"language-text\">VIRUSNAMES</code> values; otherwise it is reported with <code class=\"language-text\">B</code>.</p>\n<p>The full signature created this time is shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// TESTMALWARE.001.A</span>\n<span class=\"token comment\">// TESTMALWARE.001.B</span>\n<span class=\"token function\">VIRUSNAME_PREFIX</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"TESTMALWARE.001\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">VIRUSNAMES</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">TARGET</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">// FUNC_LEVEL_098_5 = 78</span>\n<span class=\"token function\">FUNCTIONALITY_LEVEL_MIN</span><span class=\"token punctuation\">(</span>FUNC_LEVEL_098_5<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">// Declarations</span>\nSIGNATURES_DECL_BEGIN\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">)</span>\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">)</span>\nSIGNATURES_DECL_END\n\n<span class=\"token comment\">// Definitions </span>\nSIGNATURES_DEF_BEGIN\n<span class=\"token function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">,</span><span class=\"token string\">\"61616161\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token 
function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">,</span><span class=\"token string\">\"74726f6a616e\"</span><span class=\"token punctuation\">)</span>\nSIGNATURES_END\n\n<span class=\"token comment\">// All bytecode triggered by logical signatures must have this function</span>\nbool <span class=\"token function\">logical_trigger</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\">// This is the bytecode function that is actually executed when the logical signature matched</span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">matches</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    
<span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// success, return 0</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"compiling-and-scanning-bytecode-signatures\" style=\"position:relative;\"><a href=\"#compiling-and-scanning-bytecode-signatures\" aria-label=\"compiling and scanning bytecode signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Compiling and Scanning Bytecode Signatures</h3>\n<p>Now compile the bytecode signature created so far and scan with it.</p>\n<p>The directory structure is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ tree\n<span class=\"token builtin class-name\">.</span>\n├── bytecodes\n│   └── TESTCODE001.c\n├── samplefiles\n│   ├── TEST001.html\n│   └── TEST001.txt\n└── up_bytecodes.sh</code></pre></div>\n<p>First, pull and start the <code class=\"language-text\">clambc-compiler</code> container image.</p>\n<p>At this point, the volume directory is set to the <code 
class=\"language-text\">bytecodes</code> directory that contains the C file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Pull and start the clambc-compiler Docker container</span>\n<span class=\"token function\">docker</span> run -v ./bytecodes:/src -it clamav/clambc-compiler:stable /bin/bash\n\n<span class=\"token comment\"># Compile TESTCODE001.c to TESTCODE001.cbc</span>\n<span class=\"token builtin class-name\">cd</span> /src\nclambc-compiler /src/TESTCODE001.c -o TESTCODE001.cbc -O2</code></pre></div>\n<p>In the example above, <code class=\"language-text\">-O2</code> is specified as the optimization option.</p>\n<p>You can use any optimization level from <code class=\"language-text\">-O0</code> to <code class=\"language-text\">-O3</code>, but using <code class=\"language-text\">-O1</code> or higher appears to be recommended.</p>\n<p>Once this is done, you can scan using the compiled CBC file.</p>\n<p>When using a bytecode signature not distributed by Cisco, you must use the <code class=\"language-text\">--bytecode-unsigned=yes</code> option, because by default ClamAV loads bytecode only from its digitally signed database files.</p>\n<p>Also, if detection does not work as intended, you can investigate with the <code class=\"language-text\">--debug</code> option.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">clamscan --bytecode-unsigned<span class=\"token operator\">=</span>yes --disable-cache -d ./bytecodes/TESTCODE001.cbc ./samplefiles/TEST001.txt</code></pre></div>\n<p>This time, because the target file type is specified as <code class=\"language-text\">HTML(normalized)</code>, a txt file is not detected even if it contains strings such as <code class=\"language-text\">aaaa</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n   
   <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/54738b0f03a99be166905315107f4530/e3189/image-20240810140541309.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.66666666666667%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/54738b0f03a99be166905315107f4530/8ac56/image-20240810140541309.webp 240w,\n/static/54738b0f03a99be166905315107f4530/d3be9/image-20240810140541309.webp 480w,\n/static/54738b0f03a99be166905315107f4530/e46b2/image-20240810140541309.webp 960w,\n/static/54738b0f03a99be166905315107f4530/77d2c/image-20240810140541309.webp 1035w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/54738b0f03a99be166905315107f4530/8ff5a/image-20240810140541309.png 240w,\n/static/54738b0f03a99be166905315107f4530/e85cb/image-20240810140541309.png 480w,\n/static/54738b0f03a99be166905315107f4530/d9199/image-20240810140541309.png 960w,\n/static/54738b0f03a99be166905315107f4530/e3189/image-20240810140541309.png 1035w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/54738b0f03a99be166905315107f4530/d9199/image-20240810140541309.png\"\n            
alt=\"image-20240810140541309\"\n            title=\"image-20240810140541309\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>On the other hand, if you scan an HTML file that contains <code class=\"language-text\">trojan</code> and at least two occurrences of <code class=\"language-text\">aaaa</code>, it is detected as <code class=\"language-text\">TESTMALWARE.001.A</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4511707357c7e607f52bea0b8c906968/ee9b6/image-20240810140618893.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 21.666666666666668%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4511707357c7e607f52bea0b8c906968/8ac56/image-20240810140618893.webp 240w,\n/static/4511707357c7e607f52bea0b8c906968/d3be9/image-20240810140618893.webp 480w,\n/static/4511707357c7e607f52bea0b8c906968/e46b2/image-20240810140618893.webp 960w,\n/static/4511707357c7e607f52bea0b8c906968/e0a35/image-20240810140618893.webp 1041w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          
<source\n            srcset=\"/static/4511707357c7e607f52bea0b8c906968/8ff5a/image-20240810140618893.png 240w,\n/static/4511707357c7e607f52bea0b8c906968/e85cb/image-20240810140618893.png 480w,\n/static/4511707357c7e607f52bea0b8c906968/d9199/image-20240810140618893.png 960w,\n/static/4511707357c7e607f52bea0b8c906968/ee9b6/image-20240810140618893.png 1041w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4511707357c7e607f52bea0b8c906968/d9199/image-20240810140618893.png\"\n            alt=\"image-20240810140618893\"\n            title=\"image-20240810140618893\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>If the file contains two or more occurrences of <code class=\"language-text\">aaaa</code> but not <code class=\"language-text\">trojan</code>, the condition <code class=\"language-text\">if (matches(Signatures.trojan)) { foundVirus(\"A\"); }</code> is not satisfied, so it is detected as <code class=\"language-text\">TESTMALWARE.001.B</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1bc5583c4c91a35270ee5aa2681c8eb4/1ff84/image-20240810140647040.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 19.166666666666664%; position: relative; bottom: 0; left: 0;
background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1bc5583c4c91a35270ee5aa2681c8eb4/8ac56/image-20240810140647040.webp 240w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/d3be9/image-20240810140647040.webp 480w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/e46b2/image-20240810140647040.webp 960w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/02506/image-20240810140647040.webp 1040w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1bc5583c4c91a35270ee5aa2681c8eb4/8ff5a/image-20240810140647040.png 240w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/e85cb/image-20240810140647040.png 480w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/d9199/image-20240810140647040.png 960w,\n/static/1bc5583c4c91a35270ee5aa2681c8eb4/1ff84/image-20240810140647040.png 1040w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1bc5583c4c91a35270ee5aa2681c8eb4/d9199/image-20240810140647040.png\"\n            alt=\"image-20240810140647040\"\n            title=\"image-20240810140647040\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://blog.clamav.net/2014/11/sample-file-properties-collection.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV® blog: Sample File Properties 
Collection Analysis Bytecode Signature Walkthrough</a></p>\n<h2 id=\"using-bytecode-signatures\" style=\"position:relative;\"><a href=\"#using-bytecode-signatures\" aria-label=\"using bytecode signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using Bytecode Signatures</h2>\n<p>From here, I would like to try out various bytecode signature techniques.</p>\n<h3 id=\"using-file-properties-collection-analysis\" style=\"position:relative;\"><a href=\"#using-file-properties-collection-analysis\" aria-label=\"using file properties collection analysis permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using File Properties Collection Analysis</h3>\n<p>If <code class=\"language-text\">libclamav</code> is configured to generate File Properties Collection JSON, a bytecode signature can use the generated JSON object as a detection condition.</p>\n<p>Reference: <a href=\"https://blog.clamav.net/2014/11/sample-file-properties-collection.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ClamAV® blog: Sample File 
Properties Collection Analysis Bytecode Signature Walkthrough</a></p>\n<p>The following is a customized version of the sample signature in the ClamAV repository.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">VIRUSNAME_PREFIX</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"SUBMIT.filetype\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">VIRUSNAMES</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSWORD\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSPPT\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSXL\"</span><span class=\"token punctuation\">,</span>\n           <span class=\"token string\">\"CL_TYPE_OOXML_WORD\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_OOXML_PPT\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_OOXML_XL\"</span><span class=\"token punctuation\">,</span>\n           <span class=\"token string\">\"CL_TYPE_MSEXE\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_PDF\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSOLE2\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_UNKNOWN\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"InActive\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">/* Target type is 0, all relevant files */</span>\n<span class=\"token function\">TARGET</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">/* JSON API call will require FUNC_LEVEL_098_5 = 78 */</span>\n<span 
class=\"token comment\">/* PRECLASS_HOOK_DECLARE will require FUNC_LEVEL_098_7 = 80 */</span>\n<span class=\"token function\">FUNCTIONALITY_LEVEL_MIN</span><span class=\"token punctuation\">(</span>FUNC_LEVEL_098_7<span class=\"token punctuation\">)</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">STR_MAXLEN</span> <span class=\"token expression\"><span class=\"token number\">256</span></span></span>\n\n<span class=\"token comment\">// Declarations</span>\nSIGNATURES_DECL_BEGIN\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">)</span>\nSIGNATURES_DECL_END\n\n<span class=\"token comment\">// Definitions </span>\nSIGNATURES_DEF_BEGIN\n<span class=\"token function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">,</span><span class=\"token string\">\"73616d706c65\"</span><span class=\"token punctuation\">)</span>\nSIGNATURES_END\n\n<span class=\"token comment\">// All bytecode triggered by logical signatures must have this function</span>\nbool <span class=\"token function\">logical_trigger</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token function\">matches</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  
  <span class=\"token class-name\">int32_t</span> objid<span class=\"token punctuation\">,</span> type<span class=\"token punctuation\">,</span> strlen<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> str<span class=\"token punctuation\">[</span>STR_MAXLEN<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">/* check if json is available, alerts on inactive (optional) */</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token function\">json_is_active</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"InActive\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">/* acquire the filetype object */</span>\n    objid <span class=\"token operator\">=</span> <span class=\"token function\">json_get_object</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"FileType\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>objid <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">debug_print_str</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"json object has no filetype!\"</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    type <span class=\"token operator\">=</span> <span class=\"token function\">json_get_type</span><span class=\"token punctuation\">(</span>objid<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>type <span class=\"token operator\">!=</span> JSON_TYPE_STRING<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">debug_print_str</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"json object filetype property is not string!\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">44</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">/* acquire string length, note +1 is for the NULL terminator */</span>\n    strlen <span class=\"token operator\">=</span> <span class=\"token function\">json_get_string_length</span><span class=\"token punctuation\">(</span>objid<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token comment\">/* prevent buffer overflow */</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">></span> STR_MAXLEN<span class=\"token 
punctuation\">)</span>\n        strlen <span class=\"token operator\">=</span> STR_MAXLEN<span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">/* acquire string data, note strlen includes NULL terminator */</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">json_get_string</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> strlen<span class=\"token punctuation\">,</span> objid<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token comment\">/* debug print str (with '\\n' and prepended message) */</span>\n        <span class=\"token function\">debug_print_str</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> strlen<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token comment\">/* check the contained object's filetype */</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">14</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSEXE\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSEXE\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            
<span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">12</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_PDF\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_PDF\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">19</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_OOXML_WORD\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">19</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span 
class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_OOXML_WORD\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">18</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_OOXML_PPT\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">18</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_OOXML_PPT\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">17</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_OOXML_XL\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">17</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_OOXML_XL\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">15</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSWORD\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSWORD\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">14</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span 
class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSPPT\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSPPT\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">13</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSXL\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSXL\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token 
operator\">==</span> <span class=\"token number\">15</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSOLE2\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSOLE2\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n\n        <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_UNKNOWN\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>In the signature above, <code class=\"language-text\">json_is_active()</code> checks whether File Properties Collection JSON is being generated. 
If it is not, the file is detected as <code class=\"language-text\">InActive</code>.</p>\n<p>If JSON is being generated, you can detect the target file type by comparing the string value of the <code class=\"language-text\">FileType</code> element.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>strlen <span class=\"token operator\">==</span> <span class=\"token number\">14</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">memcmp</span><span class=\"token punctuation\">(</span>str<span class=\"token punctuation\">,</span> <span class=\"token string\">\"CL_TYPE_MSEXE\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"CL_TYPE_MSEXE\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>You can scan with the CBC file compiled from this signature using the following command.</p>\n<p>When using <code class=\"language-text\">clamscan</code>, you need to specify the <code class=\"language-text\">--gen-json</code> option.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">clamscan --gen-json --bytecode-unsigned<span class=\"token operator\">=</span>yes --disable-cache -d ./bytecodes/TESTCODE002.cbc  ./samplefiles/doc_sample.docx</code></pre></div>\n<p>When you scan the 
sample Word file with this signature, the file is detected as <code class=\"language-text\">SUBMIT.filetype.CL_TYPE_OOXML_WORD</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/de8cd5f3d8196b8af3b9d242c28e1ce1/d5c6f/image-20240812123022567.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 9.166666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAW0lEQVQI102KQQrAIAwE/YSKoAc1KdVI6f8/t21ChR6GXYZxxzgh1405pzHGgIgYvXfbtRZKKcg5o7UGIgIzm9NG3cbRK/gLdqiR/lqr/T8pJXjvEUJAjNH2zwPjrje0MIhpWQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/de8cd5f3d8196b8af3b9d242c28e1ce1/8ac56/image-20240812123022567.webp 240w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/d3be9/image-20240812123022567.webp 480w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/e46b2/image-20240812123022567.webp 960w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/8f19f/image-20240812123022567.webp 1261w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/de8cd5f3d8196b8af3b9d242c28e1ce1/8ff5a/image-20240812123022567.png 240w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/e85cb/image-20240812123022567.png 480w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/d9199/image-20240812123022567.png 960w,\n/static/de8cd5f3d8196b8af3b9d242c28e1ce1/d5c6f/image-20240812123022567.png 1261w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n       
     class=\"gatsby-resp-image-image\"\n            src=\"/static/de8cd5f3d8196b8af3b9d242c28e1ce1/d9199/image-20240812123022567.png\"\n            alt=\"image-20240812123022567\"\n            title=\"image-20240812123022567\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Also, if you use the <code class=\"language-text\">--debug</code> option with <code class=\"language-text\">clamscan</code>, you can dump the generated JSON object.</p>\n<p>In this case, the following JSON was dumped.</p>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token punctuation\">{</span>\n  <span class=\"token property\">\"Magic\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CLAMJSONv0\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"RootFileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_OOXML_WORD\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"doc_sample.docx\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_OOXML_WORD\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">29864</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"1d45f29f2c0523d334d4665acd30a208\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token 
property\">\"CoreProperties\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span>\n    <span class=\"token property\">\"Attributes\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"cp\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"dc\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"http://purl.org/dc/elements/1.1/\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"dcterms\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"http://purl.org/dc/terms/\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"dcmitype\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"http://purl.org/dc/dcmitype/\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"xsi\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"http://www.w3.org/2001/XMLSchema-instance\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"Title\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"Keywords\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"Created\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span>\n      <span class=\"token 
property\">\"Value\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">[</span>\n        <span class=\"token string\">\"2024-07-26T03:53:00Z\"</span>\n      <span class=\"token punctuation\">]</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"Modified\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"Value\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">[</span>\n        <span class=\"token string\">\"2024-07-26T03:53:00Z\"</span>\n      <span class=\"token punctuation\">]</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"CorePropertiesFileCount\"</span><span class=\"token operator\">:</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"CustomPropertiesFileCount\"</span><span class=\"token operator\">:</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"ContainedObjects\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">[</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"app.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-05142ae220fd85d0de8aa5fdbb679e88.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token 
string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">1105</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"133656865921af498aa28ec5b4f77b24\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\".rels\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-1e11204e3c8bc451adce2bbf9684d61f.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">877</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"834bb9f139e2c89042bc5f73ca3681ac\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"core.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token 
string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-16f795eae2e129a3bc2d6b6d045d7ec6.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">602</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"48d63fac37f1798301b4a380bc7fbd47\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"document.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-df7bee169e6486afa59bea2b33a0c6aa.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">16079</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"7caa4d90df6f35547e9a0212c52c3cfb\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token 
property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"webSettings.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-e66fe6b6cdc5505ef6837c41f64a7dc9.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">976</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"e6ef4ee039cfbbe805db5fd64c9285d6\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"document.xml.rels\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-fcb2cd75df0a7781452fb1173c41b495.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">1962</span><span class=\"token punctuation\">,</span>\n      <span class=\"token 
property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"a272a252c4514589d0f0b4095edbf65b\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"theme11.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-1196c9448d0bd47e20333d0bdd69f464.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">6808</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"d4c5d9b2fbc2334a7d960978173fcbc1\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item3.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-c2d5f805bdde863a8c614f7b89a9ebda.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token 
string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">219</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"5eca9e027b94e6cd1bc64f2a06dcee92\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"itemProps31.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-5c0ec7b9b208dd18bc16221dd74383a8.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">335</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"08962c42256ecf756d4c628af592ff6f\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item3.xml.rels\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span 
class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-5fef1f0b8a132ec493b0cb870a6ffc2d.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">293</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"14d033452b3fba1be7138b73fa7d2e4b\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"settings.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-99884602b93a2ddf9d3eeaa0e70f0967.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">6081</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"de6f78fd2ae424ff5fd54310e161a25b\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span 
class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"fontTable.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-b2a1927c2e99604e8697311d48fd4e48.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">3025</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"aadd621b59bb8af6b1324ce4579db1d8\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item22.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-bce3cc1fe0e193e1f97ad4aa8bded549.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">1131</span><span class=\"token punctuation\">,</span>\n      <span class=\"token 
property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"1aa7d8c84bbb518b7eec09d8fa79bdf7\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"itemProps22.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-c1f279419e99fb98be3876f2ffaa58bc.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">614</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"bbb569ce2200d3b8e0f5af2fd0ee87f2\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item22.xml.rels\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-68018783a654cc1de6c75725876934cf.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token 
string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">293</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"1b52716de290d728812bdd805e6ee277\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item13.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-1cb43cc91c383ab4dc962120b926aafb.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">306</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"217ee5ba5f9835428ff1ab7501faf018\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"itemProps13.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span 
class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-1832e99cda5310119c2166934cca1c9c.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">341</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"f8fb694a3d90c965a676bdfec949186a\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"item13.xml.rels\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-395ccc11d1cb463e8e27d5075cd0f4ed.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">293</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"4c767529172a3f3e3f06c29757972fd2\"</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">{</span>\n      <span 
class=\"token property\">\"FileName\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"styles.xml\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FilePath\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"/tmp/20240812_032807-scantemp.57234350df/clamav-5e22fe74d8b0fa6e8b63533680ba5d43.tmp\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileType\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"CL_TYPE_TEXT_ASCII\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileSize\"</span><span class=\"token operator\">:</span><span class=\"token number\">51823</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"FileMD5\"</span><span class=\"token operator\">:</span><span class=\"token string\">\"6092dcc046c92f52c15c83ef435e4f35\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"Viruses\"</span><span class=\"token operator\">:</span><span class=\"token punctuation\">[</span>\n        <span class=\"token string\">\"SUBMIT.filetype.CL_TYPE_OOXML_WORD\"</span>\n      <span class=\"token punctuation\">]</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">]</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"using-regular-expressions\" style=\"position:relative;\"><a href=\"#using-regular-expressions\" aria-label=\"using regular expressions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using Regular Expressions</h3>\n<p>You can use POSIX regular expressions inside bytecode signatures.</p>\n<p>It appears that features such as setting the scan position with <code class=\"language-text\">seek</code> and loop processing are also available here.</p>\n<p>For details, please refer to the official documentation.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    REGEX_SCANNER<span class=\"token punctuation\">;</span>\n    \n    <span class=\"token function\">seek</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">SEEK_SET</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">;</span><span class=\"token punctuation\">;</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        REGEX_LOOP_BEGIN\n        <span class=\"token comment\">/*!re2c\n        ANY = [^];\n\n        \"eval(\" [a-zA-Z_] [a-zA-Z_0-9]* \".unescape\" {\n            long pos = REGEX_POS;\n            if (pos &lt; 0)\n                continue;\n            debug(\"unescape found at: \");\n            debug(pos);\n        }\n        ANY {\n            continue;\n        }\n        */</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n
<h2 id=\"analyzing-bytecode-signatures\" style=\"position:relative;\"><a href=\"#analyzing-bytecode-signatures\" aria-label=\"analyzing bytecode signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing Bytecode Signatures</h2>\n<h3 id=\"displaying-bytecode-signature-summary-information\" style=\"position:relative;\"><a href=\"#displaying-bytecode-signature-summary-information\" aria-label=\"displaying bytecode signature summary information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 
1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Displaying Bytecode Signature Summary Information</h3>\n<p>Using the <code class=\"language-text\">clambc --info</code> command, you can display summary information for a compiled bytecode signature.</p>\n<p>Below is an example of dumping information from TESTCODE001.cbc.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/10c9e72c94830abd927c0712f82c1692/aa08e/image-20240812133304509.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7UlEQVQoz4WRWW6EMBBEOQQ7Y/YtgIk9wEfQ5P7HqqFamiiKNPFH4baxn6vanr1/wtgV2ljMi8Y0fWAcR/R9j7Iskee5jEopxHGMKIpkfCdP3RSGYcT344F5mq56wLIsqOtaIARWVYWiKP4F/QB935fDX+cJa62445yANE2RJAmyLJM6DEOnPH7ogDCtNYwxUk+XW8ZumkacUryEjjlSv9fYFkqALPZ9x7ZtEnmeZ1nrug5t28qFdE05gUEQyKHzikwg3fEHN756xzlrApyRCWQsgtZ1xXEc4pAAvuhfOR/lFZm9o9g7Rnh3wAV9AhnZ2cVV6TNvAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/10c9e72c94830abd927c0712f82c1692/8ac56/image-20240812133304509.webp 240w,\n/static/10c9e72c94830abd927c0712f82c1692/d3be9/image-20240812133304509.webp 480w,\n/static/10c9e72c94830abd927c0712f82c1692/e46b2/image-20240812133304509.webp 960w,\n/static/10c9e72c94830abd927c0712f82c1692/9d28c/image-20240812133304509.webp 967w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/10c9e72c94830abd927c0712f82c1692/8ff5a/image-20240812133304509.png 240w,\n/static/10c9e72c94830abd927c0712f82c1692/e85cb/image-20240812133304509.png 480w,\n/static/10c9e72c94830abd927c0712f82c1692/d9199/image-20240812133304509.png 960w,\n/static/10c9e72c94830abd927c0712f82c1692/aa08e/image-20240812133304509.png 967w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/10c9e72c94830abd927c0712f82c1692/d9199/image-20240812133304509.png\"\n            alt=\"image-20240812133304509\"\n            title=\"image-20240812133304509\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From the dump result above, you can understand information such as the Logical signature details and the number of functions inside the bytecode signature.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">bytecode logical signature: TESTMALWARE.001.<span class=\"token punctuation\">{</span>A,B<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>Engine:79-255,Target:3<span class=\"token punctuation\">;</span><span class=\"token punctuation\">(</span><span class=\"token operator\"><span class=\"token file-descriptor important\">0</span>></span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span><span class=\"token number\">61616161</span><span class=\"token punctuation\">;</span>74726f6a616e</code></pre></div>\n<h3 id=\"viewing-the-source-code-of-a-bytecode-signature\" style=\"position:relative;\"><a href=\"#viewing-the-source-code-of-a-bytecode-signature\" aria-label=\"viewing the source code of a bytecode signature 
permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Viewing the Source Code of a Bytecode Signature</h3>\n<p>Using the <code class=\"language-text\">clambc --printsrc</code> command, you can view the original source code used to build the bytecode signature, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 832px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d89d592b1bd280bf01d8b9492c9003b5/ef6b9/image-20240812134504034.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 91.25000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d89d592b1bd280bf01d8b9492c9003b5/8ac56/image-20240812134504034.webp 240w,\n/static/d89d592b1bd280bf01d8b9492c9003b5/d3be9/image-20240812134504034.webp 480w,\n/static/d89d592b1bd280bf01d8b9492c9003b5/de44a/image-20240812134504034.webp 832w\"\n              sizes=\"(max-width: 832px) 100vw, 832px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d89d592b1bd280bf01d8b9492c9003b5/8ff5a/image-20240812134504034.png 
240w,\n/static/d89d592b1bd280bf01d8b9492c9003b5/e85cb/image-20240812134504034.png 480w,\n/static/d89d592b1bd280bf01d8b9492c9003b5/ef6b9/image-20240812134504034.png 832w\"\n            sizes=\"(max-width: 832px) 100vw, 832px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d89d592b1bd280bf01d8b9492c9003b5/ef6b9/image-20240812134504034.png\"\n            alt=\"image-20240812134504034\"\n            title=\"image-20240812134504034\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As you can see from the clambc code, this source code is embedded in encoded form in lines beginning with <code class=\"language-text\">S</code> inside the compiled bytecode signature.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">static</span> <span class=\"token keyword\">void</span> <span class=\"token function\">print_src</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>file<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">4096</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> nread<span class=\"token punctuation\">,</span> i<span class=\"token punctuation\">,</span> found <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> lcnt <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token 
punctuation\">;</span>\n    FILE <span class=\"token operator\">*</span>f <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span>file<span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>f<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">fprintf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stderr</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Unable to reopen %s\\n\"</span><span class=\"token punctuation\">,</span> file<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n        nread <span class=\"token operator\">=</span> <span class=\"token function\">fread</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> nread <span 
class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token char\">'\\n'</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                lcnt<span class=\"token operator\">++</span><span class=\"token punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n            <span class=\"token comment\">/* skip over the logical trigger */</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>lcnt <span class=\"token operator\">>=</span> <span class=\"token number\">2</span> <span class=\"token operator\">&amp;&amp;</span> buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token char\">'\\n'</span> <span class=\"token operator\">&amp;&amp;</span> buf<span class=\"token punctuation\">[</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token char\">'S'</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                found <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n                i <span class=\"token operator\">+=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n                <span class=\"token keyword\">break</span><span class=\"token 
punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>found <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">(</span>nread <span class=\"token operator\">==</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>debug_flag<span class=\"token punctuation\">)</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"[clambc] Source code:\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">+</span> <span class=\"token number\">1</span> <span class=\"token operator\">&lt;</span> nread<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token char\">'S'</span> <span class=\"token operator\">||</span> buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> 
<span class=\"token operator\">==</span> <span class=\"token char\">'\\n'</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                <span class=\"token function\">putc</span><span class=\"token punctuation\">(</span><span class=\"token char\">'\\n'</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">stdout</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token keyword\">continue</span><span class=\"token punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n            <span class=\"token function\">putc</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">[</span>i <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">stdout</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            i<span class=\"token operator\">++</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span 
class=\"token punctuation\">(</span>i <span class=\"token operator\">==</span> nread <span class=\"token operator\">-</span> <span class=\"token number\">1</span> <span class=\"token operator\">&amp;&amp;</span> nread <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n            <span class=\"token function\">fseek</span><span class=\"token punctuation\">(</span>f<span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">SEEK_CUR</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        i     <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n        nread <span class=\"token operator\">=</span> <span class=\"token function\">fread</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>nread <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">fclose</span><span class=\"token punctuation\">(</span>f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This code extracts the source using <code 
class=\"language-text\">(buf[i] &amp; 0xf) | ((buf[i + 1] &amp; 0xf) &lt;&lt; 4)</code>.</p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/clambc/bcrun.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/clambc/bcrun.c at main · Cisco-Talos/clamav</a></p>\n<p>Next, we create the following Python script and confirm that the source code embedded in the bytecode signature can in fact be decoded.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">code <span class=\"token operator\">=</span> <span class=\"token triple-quoted-string string\">r\"\"\"Sobob`bdeedcedemdadldgeadbeednb`c`cacnbadSobob`bdeedcedemdadldgeadbeednb`c`cacnbbdSfeidbeeecendadmdedoe`ebeedfdidhehbbbdeedcedemdadldgeadbeednb`c`cacbbibSfeidbeeecendadmdedcehbbbadbblbbbbdbbib\ndeadbegdeddehbccibSSobob`bfdeendcdoeldedfeedldoe`cichcoeec`bmc`bgchcSfdeendcddeidodndadldiddeieoeldedfeedldoemdidndhbfdeendcdoeldedfeedldoe`cichcoeecibSSobob`bddefcflfafbgafdgifofnfcg\nceidgdndaddeeebeedceoeddedcdldoebdedgdidndSddedcdldadbeedoeceidgdndaddeeebeedhbmfafgfifcfibSddedcdldadbeedoeceidgdndaddeeebeedhbdgbgofjfafnfibSceidgdndaddeeebeedceoeddedcdldoeednddd\nSobob`bddefffifnfifdgifofnfcg`bSceidgdndaddeeebeedceoeddedfdoebdedgdidndSddedfdidndedoeceidgdndaddeeebeedhbmfafgfifcflbbbfcacfcacfcacfcacbbibSddedfdidndedoeceidgdndaddeeebeedhbdgbgofjfafnflbbbgcdcgcbcfcfffcaffcacfcefbbib\nceidgdndaddeeebeedceoeedndddSSobob`badlflf`bbfigdgefcfofdfef`bdgbgifgfgfefbgefdf`bbfig`blfofgfifcfaflf`bcgifgfnfafdgegbgefcg`bmfegcgdg`bhfaffgef`bdghfifcg`bffegnfcfdgifofnf\nbfofoflf`blfofgfifcfaflfoedgbgifgfgfefbghbfgofifdfibSkgSbgefdgegbgnf`bcfofegnfdgoemfafdgcfhfhbceifgfnfafdgegbgefcgnbmfafgfifcfib`bnc`backcSmgSSobob`bdehfifcg`bifcg`bdghfef`bbfigdgefcfofdfef`bffegnfcfdgifofnf`bdghfafdg`bifcg`bafcfdgegaflflfig`befhgefcfegdgefdf`bgghfefnf`bdghfef`blfofgfifcfaflf`bcgifgfnfafdgegbgef`bmfafdgcfhfefdf\nifnfdg`befnfdgbgig`gofifnfdghbfgofifdfibSkgSiff
f`bhbmfafdgcfhfefcghbceifgfnfafdgegbgefcgnbdgbgofjfafnfibib`bkg`bffofegnfdffeifbgegcghbbbadbbibkc`bmgSeflfcgef`bkg`bffofegnfdffeifbgegcghbbbbdbbibkc`bmg\nSobob`bcgegcfcfefcgcglb`bbgefdgegbgnf`b`cSbgefdgegbgnf`b`ckcSmg\"\"\"</span>\n\ni <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">>=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">break</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> code<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"S\"</span> <span class=\"token keyword\">or</span> code<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            w <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">[</span>i<span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>w<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n            i <span class=\"token operator\">+=</span> <span class=\"token number\">2</span></code></pre></div>\n<p>Running the Python script above shows that, just as when using clambc, we can recover the original source code used for compilation.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 838px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6659b0d69854244750e035312d7edda4/a1dd2/image-20240812162154366.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 118.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6659b0d69854244750e035312d7edda4/8ac56/image-20240812162154366.webp 240w,\n/static/6659b0d69854244750e035312d7edda4/d3be9/image-20240812162154366.webp 480w,\n/static/6659b0d69854244750e035312d7edda4/7820a/image-20240812162154366.webp 838w\"\n              sizes=\"(max-width: 838px) 100vw, 838px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6659b0d69854244750e035312d7edda4/8ff5a/image-20240812162154366.png 240w,\n/static/6659b0d69854244750e035312d7edda4/e85cb/image-20240812162154366.png 480w,\n/static/6659b0d69854244750e035312d7edda4/a1dd2/image-20240812162154366.png 838w\"\n            sizes=\"(max-width: 838px) 100vw, 838px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6659b0d69854244750e035312d7edda4/a1dd2/image-20240812162154366.png\"\n            alt=\"image-20240812162154366\"\n            title=\"image-20240812162154366\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When bytecode signatures distributed officially or used in CTF problems are involved, it seems the source-code portion inside the bytecode signature is sometimes removed or replaced so that the source cannot be easily recovered with clambc.</p>\n<p>In fact, in the Devil Hunter challenge binary, fake data generated by the following code was embedded so that the original source could not be viewed with the clambc command.</p>\n<div 
class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">fake <span class=\"token operator\">=</span> <span class=\"token string\">b\"not so easy :P\\n\"</span>\nline <span class=\"token operator\">=</span> <span class=\"token string\">\"S\"</span>\n<span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> fake<span class=\"token punctuation\">:</span>\n    line <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x60</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>c <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    line <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x60</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>c<span class=\"token operator\">>></span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xf</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/SECCON/SECCON2022_online_CTF/blob/main/reversing/devil_hunter/builds/gen.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SECCON2022_online_CTF/reversing/devil_hunter/builds/gen.py at main · SECCON/SECCON2022_online_CTF</a></p>\n<h3 id=\"disassembling-a-bytecode-signature\" style=\"position:relative;\"><a href=\"#disassembling-a-bytecode-signature\" aria-label=\"disassembling a bytecode signature permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 
2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Disassembling a Bytecode Signature</h3>\n<p>If <code class=\"language-text\">clambc --printsrc</code> cannot be used, you can use <code class=\"language-text\">clambc --printbcir</code> to display the bytecode signature as readable text and analyze it.</p>\n<p>For example, analyzing TESTCODE001.cbc, which we have been using so far, gives the following result.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ clambc --printbcir ./bytecodes/TESTCODE001.cbc \n\nfound <span class=\"token number\">19</span> extra types of <span class=\"token number\">83</span> total, starting at tid <span class=\"token number\">69</span>\nTID  KIND                INTERNAL\n------------------------------------------------------------------------\n <span class=\"token number\">65</span>: DPointerType        i8*\n <span class=\"token number\">66</span>: DPointerType        i16*\n <span class=\"token number\">67</span>: DPointerType        i32*\n <span class=\"token number\">68</span>: DPointerType        i64*\n <span class=\"token number\">69</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">1</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">70</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">2</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">71</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">3</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">72</span>: DArrayType          <span class=\"token 
punctuation\">[</span><span class=\"token number\">4</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">73</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">5</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">74</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">6</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">75</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">7</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">76</span>: DPointerType        <span class=\"token punctuation\">[</span><span class=\"token number\">64</span> x i32<span class=\"token punctuation\">]</span>*\n <span class=\"token number\">77</span>: DPointerType        <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> x i8<span class=\"token punctuation\">]</span>*\n <span class=\"token number\">78</span>: DPointerType        i32**\n <span class=\"token number\">79</span>: DPointerType        i8**\n <span class=\"token number\">80</span>: DFunctionType       i32 func <span class=\"token punctuation\">(</span> i32 i32 <span class=\"token punctuation\">)</span>\n <span class=\"token number\">81</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> x i8<span class=\"token punctuation\">]</span>\n <span class=\"token number\">82</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">64</span> x i32<span class=\"token punctuation\">]</span>\n------------------------------------------------------------------------\n<span class=\"token comment\">########################################################################</span>\n<span class=\"token comment\">####################### Function id   0 
################################</span>\n<span class=\"token comment\">########################################################################</span>\nfound a total of <span class=\"token number\">9</span> globals\nGID  ID    VALUE\n------------------------------------------------------------------------\n  <span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i0 unknown\n  <span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> x i8<span class=\"token punctuation\">]</span> unknown\n  <span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> x i8<span class=\"token punctuation\">]</span> unknown\n  <span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i32* unknown\n  <span class=\"token number\">4</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: i32* unknown\n  <span class=\"token number\">5</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: i8* unknown\n  <span class=\"token number\">6</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: i8* unknown\n  <span class=\"token number\">7</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: i8* unknown\n  <span 
class=\"token number\">8</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">8</span><span class=\"token punctuation\">]</span>: i8* unknown\n------------------------------------------------------------------------\nfound <span class=\"token number\">4</span> values with <span class=\"token number\">0</span> arguments and <span class=\"token number\">4</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n  <span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i32\n  <span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: i1\n  <span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: i32\n  <span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i32\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">4</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n  <span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n  <span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">17</span><span class=\"token punctuation\">(</span>0x11<span class=\"token punctuation\">)</span>\n  <span 
class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">17</span><span class=\"token punctuation\">(</span>0x11<span class=\"token punctuation\">)</span>\n  <span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">8</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.0 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">8</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n  <span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">0</span> <span class=\"token operator\">&lt;</span>- p.-2147483644\n  <span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">1</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span> <span class=\"token operator\">==</span> <span class=\"token number\">4</span><span 
class=\"token punctuation\">)</span>\n  <span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">1</span> ? bb.2 <span class=\"token builtin class-name\">:</span> bb.1\n\n  <span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">2</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483640, <span class=\"token number\">5</span><span class=\"token punctuation\">)</span>\n  <span class=\"token number\">1</span>    <span class=\"token number\">4</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n\n  <span class=\"token number\">2</span>    <span class=\"token number\">5</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">3</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483642, <span class=\"token number\">6</span><span class=\"token 
punctuation\">)</span>\n  <span class=\"token number\">2</span>    <span class=\"token number\">6</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n\n  <span class=\"token number\">3</span>    <span class=\"token number\">7</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">7</span>\n------------------------------------------------------------------------</code></pre></div>\n<p>The code in TESTCODE001.c was as follows.</p>\n<p>Since this bytecode signature has only a single function, the entrypoint, only <code class=\"language-text\">Function id   0</code> appears in the dump result as well.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// TESTMALWARE.001.A</span>\n<span class=\"token comment\">// TESTMALWARE.001.B</span>\n<span class=\"token function\">VIRUSNAME_PREFIX</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"TESTMALWARE.001\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">VIRUSNAMES</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">TARGET</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">// FUNC_LEVEL_098_5 = 78</span>\n<span class=\"token function\">FUNCTIONALITY_LEVEL_MIN</span><span 
class=\"token punctuation\">(</span>FUNC_LEVEL_098_5<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">// Declarations</span>\nSIGNATURES_DECL_BEGIN\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">)</span>\n<span class=\"token function\">DECLARE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">)</span>\nSIGNATURES_DECL_END\n\n<span class=\"token comment\">// Definitions </span>\nSIGNATURES_DEF_BEGIN\n<span class=\"token function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>magic<span class=\"token punctuation\">,</span><span class=\"token string\">\"61616161\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">DEFINE_SIGNATURE</span><span class=\"token punctuation\">(</span>trojan<span class=\"token punctuation\">,</span><span class=\"token string\">\"74726f6a616e\"</span><span class=\"token punctuation\">)</span>\nSIGNATURES_END\n\n<span class=\"token comment\">// All bytecode triggered by logical signatures must have this function</span>\nbool <span class=\"token function\">logical_trigger</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">return</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\">// This is the bytecode function that is actually executed when the logical signature matched</span>\n<span class=\"token keyword\">int</span> <span class=\"token 
function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">matches</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// success, return 0</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>From here, we will organize and interpret the disassembled code.</p>\n<p>Because there is almost no public information about this disassembly output, I will work through it by trial and error while referring to the ClamAV source code.</p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/bytecode.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode.c at main · Cisco-Talos/clamav</a></p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/bytecode_vm.c\" target=\"_blank\" 
rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode_vm.c at main · Cisco-Talos/clamav</a></p>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/clambc.h\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/clambc.h at main · Cisco-Talos/clamav</a></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">BB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">0</span> <span class=\"token operator\">&lt;</span>- p.-2147483644\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">1</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span> <span class=\"token operator\">==</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">1</span> ? 
bb.2 <span class=\"token builtin class-name\">:</span> bb.1\n<span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">2</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483640, <span class=\"token number\">5</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">4</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n<span class=\"token number\">2</span>    <span class=\"token number\">5</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">3</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483642, <span class=\"token number\">6</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>    <span class=\"token number\">6</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n<span class=\"token number\">3</span>    <span class=\"token 
number\">7</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">7</span></code></pre></div>\n<p>First, the initial <code class=\"language-text\">OP_BC_LOAD</code> appears to load some value into a variable (probably the variable with ID 0).</p>\n<p>The following <code class=\"language-text\">OP_BC_ICMP_EQ</code> stores the result of comparing two operands into a variable (probably the variable with ID 1).</p>\n<p>In this case, it seems to be comparing against the constant 0 with ID 4.</p>\n<p><code class=\"language-text\">OP_BC_BRANCH</code> then determines whether to jump to <code class=\"language-text\">bb.2</code> or <code class=\"language-text\">bb.1</code> depending on the comparison result.</p>\n<p>Values such as VIRUSNAME are represented as <code class=\"language-text\">p.-2147483640</code>, so we cannot tell which is which from that alone, but looking at the source code confirms that the structure is <code class=\"language-text\">condition ? True : False</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// control operations (termination instructions)</span>\n<span class=\"token keyword\">case</span> OP_BC_BRANCH<span class=\"token operator\">:</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"br %d ? 
bb.%d : bb.%d\"</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>branch<span class=\"token punctuation\">.</span>condition<span class=\"token punctuation\">,</span>inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>branch<span class=\"token punctuation\">.</span>br_true<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>branch<span class=\"token punctuation\">.</span>br_false<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>bbnum<span class=\"token punctuation\">)</span><span class=\"token operator\">++</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Because having many signature variables makes it hard to read, next we will disassemble a bytecode signature generated from the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">entrypoint</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">int</span> a <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> b <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">int</span> c<span class=\"token punctuation\">;</span>\n\n    c <span class=\"token operator\">=</span> a <span 
class=\"token operator\">*</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> b <span class=\"token operator\">*</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>c <span class=\"token operator\">></span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">foundVirus</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">// success, return 0</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Disassembling the bytecode signature generated from this code gives the following result.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">found <span class=\"token number\">7</span> values with <span class=\"token number\">0</span> arguments and <span class=\"token 
number\">7</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: i32\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">5</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">8</span><span class=\"token punctuation\">]</span>: <span class=\"token 
number\">5</span><span class=\"token punctuation\">(</span>0x5<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">9</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">17</span><span class=\"token punctuation\">(</span>0x11<span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">10</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">17</span><span class=\"token punctuation\">(</span>0x11<span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">11</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">12</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.0 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">11</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">0</span> <span class=\"token operator\">&lt;</span>- p.-2147483642\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_LOAD          <span 
class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">1</span> <span class=\"token operator\">&lt;</span>- p.-2147483643\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">2</span> <span class=\"token operator\">=</span> <span class=\"token number\">1</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">7</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">3</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">8</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">3</span> <span class=\"token operator\">=</span> <span class=\"token number\">2</span> + <span class=\"token number\">0</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">4</span>  OP_BC_ICMP_SGT      <span class=\"token punctuation\">[</span><span class=\"token number\">27</span> /138/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">4</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">3</span> <span class=\"token operator\">></span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">5</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token 
number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">4</span> ? bb.1 <span class=\"token builtin class-name\">:</span> bb.2\n\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483638, <span class=\"token number\">9</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n\n<span class=\"token number\">2</span>    <span class=\"token number\">8</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">6</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483640, <span class=\"token number\">10</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>    <span class=\"token number\">9</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span 
class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.3\n\n<span class=\"token number\">3</span>   <span class=\"token number\">10</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">11</span>\n------------------------------------------------------------------------</code></pre></div>\n<p>First, it stores the counts of magic and trojan in variables 0 and 1.</p>\n<p>After that, it stores the result of shifting variable 1 left by one bit (that is, multiplying by 2) into variable 2, and then adds variable 0 to it.</p>\n<p>The computation up to this point corresponds to the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> a <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">int</span> b <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">int</span> c<span class=\"token punctuation\">;</span>\nc <span class=\"token operator\">=</span> a <span class=\"token operator\">*</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>magic<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> b <span class=\"token operator\">*</span> <span class=\"token function\">count_match</span><span class=\"token punctuation\">(</span>Signatures<span class=\"token punctuation\">.</span>trojan<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>It then uses <code 
class=\"language-text\">OP_BC_ICMP_SGT</code> to check whether the computed result (variable 3) is greater than 5, and branches accordingly. The 8 shown as the right-hand operand of the comparison is a value ID rather than a literal; it refers to the constant 5 in the list of values above.</p>\n<p>In this way, the disassembly output of a bytecode signature can be read much like VM code.</p>\n<h3 id=\"debugging-bytecode-signatures\" style=\"position:relative;\"><a href=\"#debugging-bytecode-signatures\" aria-label=\"debugging bytecode signatures permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Debugging Bytecode Signatures</h3>\n<p>The VM execution of a bytecode signature can be debugged to some extent with gdb.</p>\n<p>Start the debugging session with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">gdb ~/clamav/build/clamscan/clamscan\n\n<span class=\"token comment\"># First run: loads libclamav so that the breakpoint below can be resolved</span>\nrun --bytecode-unsigned<span class=\"token operator\">=</span>yes --disable-cache -d ./bytecodes/TESTCODE001.cbc ./samplefiles/TEST001.txt\n\n<span class=\"token comment\"># Set a breakpoint on the bytecode interpreter and run again</span>\nb cli_vm_execute\nrun --bytecode-unsigned<span class=\"token operator\">=</span>yes --disable-cache -d ./bytecodes/TESTCODE001.cbc ./samplefiles/TEST001.txt</code></pre></div>\n<p><code class=\"language-text\">cli_vm_execute</code> is a function defined in bytecode_vm.c that is responsible for interpreting and executing the opcodes and operands inside a bytecode signature.</p>\n<p>Reference: <a 
href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/bytecode_vm.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode_vm.c at main · Cisco-Talos/clamav</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/03c17fc94e1025ab242b1865885875ba/11a8f/image-20240814221102543.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 76.66666666666666%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/03c17fc94e1025ab242b1865885875ba/8ac56/image-20240814221102543.webp 240w,\n/static/03c17fc94e1025ab242b1865885875ba/d3be9/image-20240814221102543.webp 480w,\n/static/03c17fc94e1025ab242b1865885875ba/e46b2/image-20240814221102543.webp 960w,\n/static/03c17fc94e1025ab242b1865885875ba/4cec6/image-20240814221102543.webp 1272w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/03c17fc94e1025ab242b1865885875ba/8ff5a/image-20240814221102543.png 240w,\n/static/03c17fc94e1025ab242b1865885875ba/e85cb/image-20240814221102543.png 480w,\n/static/03c17fc94e1025ab242b1865885875ba/d9199/image-20240814221102543.png 960w,\n/static/03c17fc94e1025ab242b1865885875ba/11a8f/image-20240814221102543.png 1272w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/03c17fc94e1025ab242b1865885875ba/d9199/image-20240814221102543.png\"\n            alt=\"image-20240814221102543\"\n            title=\"image-20240814221102543\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>If you continue debugging this function, you can reach the execution code for handling each opcode as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/57126eb30b0e11b2b089f086f0a6a4cb/d0c2f/image-20240814224438808.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.83333333333333%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/57126eb30b0e11b2b089f086f0a6a4cb/8ac56/image-20240814224438808.webp 240w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/d3be9/image-20240814224438808.webp 480w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/e46b2/image-20240814224438808.webp 960w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/66be3/image-20240814224438808.webp 1362w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/57126eb30b0e11b2b089f086f0a6a4cb/8ff5a/image-20240814224438808.png 240w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/e85cb/image-20240814224438808.png 480w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/d9199/image-20240814224438808.png 
960w,\n/static/57126eb30b0e11b2b089f086f0a6a4cb/d0c2f/image-20240814224438808.png 1362w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/57126eb30b0e11b2b089f086f0a6a4cb/d9199/image-20240814224438808.png\"\n            alt=\"image-20240814224438808\"\n            title=\"image-20240814224438808\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"enabling-bytecode-signature-debug-traces-in-libclamav\" style=\"position:relative;\"><a href=\"#enabling-bytecode-signature-debug-traces-in-libclamav\" aria-label=\"enabling bytecode signature debug traces in libclamav permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enabling Bytecode Signature Debug Traces in libclamav</h3>\n<p>Although this article does not use it, when debugging bytecode signatures, a very convenient approach is to modify the libclamav source code so that it outputs debug traces.</p>\n<p>I have summarized the details in the following article.</p>\n<p>Reference: <a href=\"/clamav-debug-signature-libclamav-en\">How to Enable Bytecode Signature Debug Traces in libclamav</a></p>\n<h2 id=\"solving-devil-hunter-by-analyzing-the-bytecode-signature\" style=\"position:relative;\"><a 
href=\"#solving-devil-hunter-by-analyzing-the-bytecode-signature\" aria-label=\"solving devil hunter by analyzing the bytecode signature permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solving Devil Hunter by Analyzing the Bytecode Signature</h2>\n<p>Now that I have mostly organized my understanding of ClamAV signatures, it is finally time to solve the Devil Hunter challenge.</p>\n<p>The Devil Hunter challenge binary was the following cbc file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">ClamBCafhaio<span class=\"token variable\"><span class=\"token variable\">`</span>lfcf<span class=\"token operator\">|</span>aa<span class=\"token variable\">`</span></span>`<span class=\"token variable\"><span class=\"token variable\">`</span>c<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>a<span class=\"token variable\">`</span></span>`<span class=\"token variable\"><span class=\"token variable\">`</span><span class=\"token operator\">|</span>ah<span class=\"token variable\">`</span></span>cnbac<span class=\"token variable\"><span class=\"token variable\">`</span>cecnb<span class=\"token variable\">`</span></span>c`<span class=\"token variable\"><span class=\"token variable\">`</span>beaacp<span class=\"token variable\">`</span></span>clamcoincidencejb:4096\nSeccon.Reversing.<span class=\"token punctuation\">{</span>FLAG<span class=\"token 
punctuation\">}</span><span class=\"token punctuation\">;</span>Engine:56-255,Target:0<span class=\"token punctuation\">;</span><span class=\"token number\">0</span><span class=\"token punctuation\">;</span><span class=\"token number\">0</span>:534543434f4e7b\nTeddaaahdabahdacahdadahdaeahdafahdagahebdeebaddbdbahebndebceaacb<span class=\"token variable\"><span class=\"token variable\">`</span>bbadb<span class=\"token variable\">`</span></span>baacb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>bdaib<span class=\"token variable\">`</span></span>bdbfaah\nEaeacabbae<span class=\"token operator\">|</span>aebgefafdf`<span class=\"token variable\"><span class=\"token variable\">`</span>adbbe<span class=\"token operator\">|</span>aecgefefkf<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>aebae<span class=\"token operator\">|</span>amcgefdgfgifbgegcgnfafmfef<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>\nG<span class=\"token variable\">`</span></span>ad<span class=\"token variable\"><span class=\"token variable\">`</span>@<span class=\"token variable\">`</span></span>bdeBceBefBcfBcfBofBnfBnbBbeBefBfgBefBbgBcgBifBnfBgfBnbBfdBldBadBgd@<span class=\"token variable\"><span class=\"token variable\">`</span>bad@Aa<span class=\"token variable\">`</span></span>bad@Aa<span class=\"token variable\"><span class=\"token variable\">`</span>\nA<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bLabaa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>Faeac\nBaa`<span class=\"token variable\"><span class=\"token variable\">`</span>b<span 
class=\"token variable\">`</span></span>abTaa<span class=\"token variable\"><span class=\"token variable\">`</span>aaab\nBb<span class=\"token variable\">`</span></span>baaabbaeAc<span class=\"token variable\"><span class=\"token variable\">`</span>BeadTbaab\nBTcab<span class=\"token variable\">`</span></span>b@dE\nA<span class=\"token variable\"><span class=\"token variable\">`</span>aaLbhfb<span class=\"token variable\">`</span></span>dab<span class=\"token variable\"><span class=\"token variable\">`</span>dab<span class=\"token variable\">`</span></span>daahabndabad<span class=\"token variable\"><span class=\"token variable\">`</span>bndabad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>ah<span class=\"token 
variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token 
variable\">`</span>aa<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token 
variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token 
variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>bad<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>bad<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>aa<span class=\"token variable\">`</span></span>Fbcgah\nBbadaedbbodad@dbadagdbbodaf@db<span class=\"token variable\"><span class=\"token variable\">`</span>bahabbadAgd@db<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@habTbaab\nBaaaiiab<span class=\"token variable\">`</span></span>dbbaBdbhb<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bbbbaabTaaaiabac\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dajbbabajb<span class=\"token variable\">`</span></span>dakh<span class=\"token variable\"><span class=\"token variable\">`</span>ajB<span 
class=\"token variable\">`</span></span>bhb<span class=\"token variable\"><span class=\"token variable\">`</span>dalj<span class=\"token variable\">`</span></span>akB<span class=\"token variable\"><span class=\"token variable\">`</span>bhb<span class=\"token variable\">`</span></span>bamn<span class=\"token variable\"><span class=\"token variable\">`</span>albadandbbodad@dbadaocbbadanamb<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>aabbabaoAadaabaanab<span class=\"token variable\">`</span></span>bb<span class=\"token variable\"><span class=\"token variable\">`</span>aAadb<span class=\"token variable\">`</span></span>dbbaa<span class=\"token variable\"><span class=\"token variable\">`</span>ajAahb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@h<span class=\"token variable\">`</span></span>Taabaaagaa\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>bbcaabbabacAadaabdakab<span class=\"token variable\">`</span></span>bbca@dahbeabbacbeaaabfaeaahbeaBmgaaabgak<span class=\"token variable\"><span class=\"token variable\">`</span>bdabfab<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@h<span class=\"token variable\">`</span></span>Taabgaadag\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>bbhaabbabacAadaabiakab<span class=\"token variable\">`</span></span>bbha@db<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bb@haab<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bb@h<span class=\"token variable\"><span class=\"token variable\">`</span>Taabiaagae\nBb<span class=\"token variable\">`</span></span>dbjabbaabjab<span class=\"token variable\"><span class=\"token 
variable\">`</span>dbkah<span class=\"token variable\">`</span></span>bjaB<span class=\"token variable\"><span class=\"token variable\">`</span>bhb<span class=\"token variable\">`</span></span>dblaj<span class=\"token variable\"><span class=\"token variable\">`</span>bkaB<span class=\"token variable\">`</span></span>bhb<span class=\"token variable\"><span class=\"token variable\">`</span>bbman<span class=\"token variable\">`</span></span>blabadbnadbbodad@dbadboacbbadbnabmab<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>bgbboab<span class=\"token variable\"><span class=\"token variable\">`</span>bbab<span class=\"token variable\">`</span></span>baacb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>dbbbh<span class=\"token variable\"><span class=\"token variable\">`</span>bjaBnahb<span class=\"token variable\">`</span></span>dbcbj<span class=\"token variable\"><span class=\"token variable\">`</span>bbbB<span class=\"token variable\">`</span></span>bhb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdbn<span class=\"token variable\">`</span></span>bcbb<span class=\"token variable\"><span class=\"token variable\">`</span>bbebc<span class=\"token variable\">`</span></span>Add@dbadbfbcbbadagbebb<span class=\"token variable\"><span class=\"token variable\">`</span>bbgbc<span class=\"token variable\">`</span></span>Addbdbbadbhbcbbadbfbbgbb<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>fbbabbhbb<span class=\"token variable\"><span class=\"token variable\">`</span>dbiba<span class=\"token variable\">`</span></span>bjaAdhaabjbiab<span class=\"token variable\"><span class=\"token variable\">`</span>dbibBdbhb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbbibaaTaabjbaeaf\nBb<span 
class=\"token variable\">`</span></span>bbkbgbagaablbeab<span class=\"token variable\"><span class=\"token variable\">`</span>bbkbHbj<span class=\"token variable\">`</span></span>hnicgdb<span class=\"token variable\"><span class=\"token variable\">`</span>bbmbc<span class=\"token variable\">`</span></span>Add@dbadbnbcbbadagbmbb<span class=\"token variable\"><span class=\"token variable\">`</span>bbobc<span class=\"token variable\">`</span></span>AddAadbadb<span class=\"token variable\"><span class=\"token variable\">`</span>ccbbadbnbbobb<span class=\"token variable\">`</span></span>bbacgbb<span class=\"token variable\"><span class=\"token variable\">`</span>caabbceab<span class=\"token variable\">`</span></span>bbacHcj<span class=\"token variable\"><span class=\"token variable\">`</span>hnjjcdaabcck<span class=\"token variable\">`</span></span>blbbbcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdcc<span class=\"token variable\">`</span></span>Add@dbadbeccbbadagbdcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbfcc<span class=\"token variable\">`</span></span>AddAbdbadbgccbbadbecbfcb<span class=\"token variable\"><span class=\"token variable\">`</span>bbhcgbbgcaabiceab<span class=\"token variable\">`</span></span>bbhcHoigndjkcdaabjck<span class=\"token variable\"><span class=\"token variable\">`</span>bccbicb<span class=\"token variable\">`</span></span>bbkcc<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadblccbbadagbkcb<span class=\"token variable\">`</span></span>bbmcc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAcdbadbnccbbadblcbmcb<span class=\"token variable\">`</span></span>bbocgbbncaab<span class=\"token variable\"><span class=\"token variable\">`</span>deab<span class=\"token variable\">`</span></span>bbocHcoaljkhgdaabadk<span class=\"token variable\"><span class=\"token variable\">`</span>bjcb<span class=\"token variable\">`</span></span>db<span 
class=\"token variable\"><span class=\"token variable\">`</span>bbbdc<span class=\"token variable\">`</span></span>Add@dbadbcdcbbadagbbdb<span class=\"token variable\"><span class=\"token variable\">`</span>bbddc<span class=\"token variable\">`</span></span>AddAddbadbedcbbadbcdbddb<span class=\"token variable\"><span class=\"token variable\">`</span>bbfdgbbedaabgdeab<span class=\"token variable\">`</span></span>bbfdHcoalionedaabhdk<span class=\"token variable\"><span class=\"token variable\">`</span>badbgdb<span class=\"token variable\">`</span></span>bbidc<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbjdcbbadagbidb<span class=\"token variable\">`</span></span>bbkdc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAedbadbldcbbadbjdbkdb<span class=\"token variable\">`</span></span>bbmdgbbldaabndeab<span class=\"token variable\"><span class=\"token variable\">`</span>bbmdHoilnikkcdaabodk<span class=\"token variable\">`</span></span>bhdbndb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>ec<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbaecbbadagb<span class=\"token variable\">`</span></span>eb<span class=\"token variable\"><span class=\"token variable\">`</span>bbbec<span class=\"token variable\">`</span></span>AddAfdbadbcecbbadbaebbeb<span class=\"token variable\"><span class=\"token variable\">`</span>bbdegbbceaabeeeab<span class=\"token variable\">`</span></span>bbdeHdochfheedaabfek<span class=\"token variable\"><span class=\"token variable\">`</span>bodbeeb<span class=\"token variable\">`</span></span>bbgec<span class=\"token variable\"><span class=\"token variable\">`</span>Add@dbadbhecbbadagbgeb<span class=\"token variable\">`</span></span>bbiec<span class=\"token variable\"><span class=\"token variable\">`</span>AddAgdbadbjecbbadbhebieb<span class=\"token variable\">`</span></span>bbkegbbjeaableeab<span 
class=\"token variable\"><span class=\"token variable\">`</span>bbkeHdiemjoeedaabmek<span class=\"token variable\">`</span></span>bfebleb<span class=\"token variable\"><span class=\"token variable\">`</span>bbnec<span class=\"token variable\">`</span></span>Add@dbadboecbbadagbneb<span class=\"token variable\"><span class=\"token variable\">`</span>bb<span class=\"token variable\">`</span></span>fc<span class=\"token variable\"><span class=\"token variable\">`</span>AddAhdbadbafcbbadboeb<span class=\"token variable\">`</span></span>fb<span class=\"token variable\"><span class=\"token variable\">`</span>bbbfgbbafaabcfeab<span class=\"token variable\">`</span></span>bbbfHoimmoklfdaabdfk<span class=\"token variable\"><span class=\"token variable\">`</span>bmebcfb<span class=\"token variable\">`</span></span>dbefo<span class=\"token variable\"><span class=\"token variable\">`</span>bdfb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbbef<span class=\"token variable\">`</span></span>Tbaag\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dbffbb<span class=\"token variable\">`</span></span>bffaabgfn<span class=\"token variable\"><span class=\"token variable\">`</span>bffTcaaabgfE\nAab<span class=\"token variable\">`</span></span>bLbaab<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>dab<span class=\"token variable\">`</span></span>dab<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token 
variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>b<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>aa<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>b<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>Fbfaac\nBb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bb@habb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbG<span class=\"token variable\">`</span></span>lckjljhaaTbaaa\nBb<span class=\"token variable\"><span class=\"token variable\">`</span>dacbbaaacb<span class=\"token variable\">`</span></span>dadbbabadb<span class=\"token variable\"><span class=\"token variable\">`</span>baen<span class=\"token variable\">`</span></span>acb<span class=\"token variable\"><span class=\"token variable\">`</span>bafn<span class=\"token 
variable\">`</span></span>adb<span class=\"token variable\"><span class=\"token variable\">`</span>bagh<span class=\"token variable\">`</span></span>afAcdb<span class=\"token variable\"><span class=\"token variable\">`</span>bahi<span class=\"token variable\">`</span></span><span class=\"token variable\"><span class=\"token variable\">`</span>agb<span class=\"token variable\">`</span></span>baik<span class=\"token variable\"><span class=\"token variable\">`</span>ahBoodb<span class=\"token variable\">`</span></span>bajm<span class=\"token variable\"><span class=\"token variable\">`</span>aiaeb<span class=\"token variable\">`</span></span>bakh<span class=\"token variable\"><span class=\"token variable\">`</span>ajAhdb<span class=\"token variable\">`</span></span>bali<span class=\"token variable\"><span class=\"token variable\">`</span>aeBhadb<span class=\"token variable\">`</span></span>baml<span class=\"token variable\"><span class=\"token variable\">`</span>akalb<span class=\"token variable\">`</span></span>bana<span class=\"token variable\"><span class=\"token variable\">`</span>afAadaaaoeab<span class=\"token variable\">`</span></span>banAddb<span class=\"token variable\"><span class=\"token variable\">`</span>db<span class=\"token variable\">`</span></span>ao<span class=\"token variable\"><span class=\"token variable\">`</span>anb<span class=\"token variable\">`</span></span>dbaao<span class=\"token variable\"><span class=\"token variable\">`</span>amb<span class=\"token variable\">`</span></span>d<span class=\"token variable\"><span class=\"token variable\">`</span>bbb<span class=\"token variable\">`</span></span>aabb<span class=\"token variable\"><span class=\"token variable\">`</span>d<span class=\"token variable\">`</span></span>bbbaaaaTaaaoabaa\nBTcab<span class=\"token variable\"><span class=\"token variable\">`</span>bamE\nSnfofdg<span class=\"token variable\">`</span></span>bcgof<span class=\"token variable\"><span class=\"token 
variable\">`</span>befafcgig<span class=\"token variable\">`</span></span>bjc<span class=\"token variable\"><span class=\"token variable\">`</span>ej<span class=\"token variable\">`</span></span></code></pre></div>\n<h3 id=\"inspecting-the-cbc-file-information\" style=\"position:relative;\"><a href=\"#inspecting-the-cbc-file-information\" aria-label=\"inspecting the cbc file information permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Inspecting the CBC File Information</h3>\n<p>First, I checked the file information with <code class=\"language-text\">clambc --info</code>.</p>\n<p>The logical signature that triggers this bytecode signature appears to be the one whose subsignature is <code class=\"language-text\">534543434f4e7b</code>, the hex encoding of the ASCII string <code class=\"language-text\">SECCON{</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ clambc --info flag.cbc\n\nBytecode <span class=\"token function\">format</span> functionality level: <span class=\"token number\">6</span>\nBytecode metadata:\n        compiler version: <span class=\"token number\">0.105</span>.0\n        compiled on: <span class=\"token punctuation\">(</span><span class=\"token number\">1668026257</span><span class=\"token punctuation\">)</span> Wed Nov  <span class=\"token number\">9</span> <span class=\"token number\">20</span>:37:37 <span class=\"token number\">2022</span>\n        compiled by:\n        target exclude: <span class=\"token number\">0</span>\n        bytecode type: logical 
only\n        bytecode functionality level: <span class=\"token number\">0</span> - <span class=\"token number\">0</span>\n        bytecode logical signature: Seccon.Reversing.<span class=\"token punctuation\">{</span>FLAG<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>Engine:56-255,Target:0<span class=\"token punctuation\">;</span><span class=\"token number\">0</span><span class=\"token punctuation\">;</span><span class=\"token number\">0</span>:534543434f4e7b\n        virusname prefix: <span class=\"token punctuation\">(</span>null<span class=\"token punctuation\">)</span>\n        virusnames: <span class=\"token number\">0</span>\n        bytecode triggered on: files matching logical signature\n        number of functions: <span class=\"token number\">3</span>\n        number of types: <span class=\"token number\">21</span>\n        number of global constants: <span class=\"token number\">4</span>\n        number of debug nodes: <span class=\"token number\">0</span>\n        bytecode APIs used:\n         read, seek, setvirusname</code></pre></div>\n<p>Unfortunately, the source-code information seems to have been tampered with, and I could not retrieve it even with <code class=\"language-text\">clambc --printsrc</code>.</p>\n<p>So I decided to inspect the output of <code class=\"language-text\">clambc --printbc</code> instead.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ clambc --printbc flag.cbc\nfound <span class=\"token number\">21</span> extra types of <span class=\"token number\">85</span> total, starting at tid <span class=\"token 
number\">69</span>\nTID  KIND                INTERNAL\n------------------------------------------------------------------------\n<span class=\"token number\">65</span>: DPointerType        i8*\n<span class=\"token number\">66</span>: DPointerType        i16*\n<span class=\"token number\">67</span>: DPointerType        i32*\n<span class=\"token number\">68</span>: DPointerType        i64*\n<span class=\"token number\">69</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">1</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">70</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">2</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">71</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">3</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">72</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">4</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">73</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">5</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">74</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">6</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">75</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">7</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">76</span>: DPointerType        <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span>*\n<span class=\"token number\">77</span>: DPointerType        i8**\n<span class=\"token 
number\">78</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">79</span>: DPointerType        <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> x i8<span class=\"token punctuation\">]</span>*\n<span class=\"token number\">80</span>: DPointerType        <span class=\"token punctuation\">[</span><span class=\"token number\">9</span> x i32<span class=\"token punctuation\">]</span>*\n<span class=\"token number\">81</span>: DFunctionType       i32 func <span class=\"token punctuation\">(</span> i32 i32 <span class=\"token punctuation\">)</span>\n<span class=\"token number\">82</span>: DFunctionType       i32 func <span class=\"token punctuation\">(</span> i32 i32 <span class=\"token punctuation\">)</span>\n<span class=\"token number\">83</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span> x i32<span class=\"token punctuation\">]</span>\n<span class=\"token number\">84</span>: DArrayType          <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span>\n------------------------------------------------------------------------\n<span class=\"token comment\">########################################################################</span>\n<span class=\"token comment\">####################### Function id   0 ################################</span>\n<span class=\"token comment\">########################################################################</span>\nfound a total of <span class=\"token number\">4</span> globals\nGID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i0 unknown\n<span 
class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span> unknown\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: i8* unknown\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i8* unknown\n------------------------------------------------------------------------\nfound <span class=\"token number\">2</span> values with <span class=\"token number\">0</span> arguments and <span class=\"token number\">2</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: i32\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">2</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">21</span><span class=\"token punctuation\">(</span>0x15<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: <span 
class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">4</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.0 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">5</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_CALL_DIRECT   <span class=\"token punctuation\">[</span><span class=\"token number\">32</span> /160/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">0</span> <span class=\"token operator\">=</span> call F.1 <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">0</span> ? 
bb.1 <span class=\"token builtin class-name\">:</span> bb.2\n\n<span class=\"token number\">1</span>    <span class=\"token number\">2</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">1</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483645, <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.2\n\n<span class=\"token number\">2</span>    <span class=\"token number\">4</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">3</span>\n------------------------------------------------------------------------\n<span class=\"token comment\">########################################################################</span>\n<span class=\"token comment\">####################### Function id   1 ################################</span>\n<span class=\"token comment\">########################################################################</span>\nfound a total of <span class=\"token number\">4</span> globals\nGID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span 
class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i0 unknown\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span> unknown\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: i8* unknown\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i8* unknown\n------------------------------------------------------------------------\nfound <span class=\"token number\">104</span> values with <span class=\"token number\">0</span> arguments and <span class=\"token number\">104</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: alloc i8\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: alloc <span class=\"token punctuation\">[</span><span class=\"token 
number\">36</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: alloc <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> x i8<span class=\"token punctuation\">]</span>\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">8</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">8</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">9</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">9</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">10</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">10</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">11</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">11</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">12</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">12</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">13</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">13</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">14</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">14</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">15</span> <span class=\"token punctuation\">[</span> <span class=\"token 
number\">15</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">16</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">16</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">17</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">17</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">18</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">18</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">19</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">19</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">20</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">20</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">21</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">21</span><span class=\"token punctuation\">]</span>: i8\n<span class=\"token number\">22</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">22</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">23</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">23</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">24</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">24</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">25</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">25</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">26</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">26</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">27</span> <span class=\"token 
punctuation\">[</span> <span class=\"token number\">27</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">28</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">28</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">29</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">29</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">30</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">30</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">31</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">31</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">32</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">32</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">33</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">33</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">34</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">34</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">35</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">35</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">36</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">36</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">37</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">37</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">38</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">38</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token 
number\">39</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">39</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">40</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">40</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">41</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">41</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">42</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">42</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">43</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">43</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">44</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">44</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">45</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">45</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">46</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">46</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">47</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">47</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">48</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">48</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">49</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">49</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">50</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">50</span><span class=\"token 
punctuation\">]</span>: i1\n<span class=\"token number\">51</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">51</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">52</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">52</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">53</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">53</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">54</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">54</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">55</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">55</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">56</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">56</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">57</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">57</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">58</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">58</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">59</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">59</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">60</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">60</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">61</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">61</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">62</span> <span class=\"token punctuation\">[</span> <span class=\"token 
number\">62</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">63</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">63</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">64</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">64</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">65</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">65</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">66</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">66</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">67</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">67</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">68</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">68</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">69</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">69</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">70</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">70</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">71</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">71</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">72</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">72</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">73</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">73</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">74</span> <span class=\"token 
punctuation\">[</span> <span class=\"token number\">74</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">75</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">75</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">76</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">76</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">77</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">77</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">78</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">78</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">79</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">79</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">80</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">80</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">81</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">81</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">82</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">82</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">83</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">83</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">84</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">84</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">85</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">85</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token 
number\">86</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">86</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">87</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">87</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">88</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">88</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">89</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">89</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">90</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">90</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">91</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">91</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">92</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">92</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">93</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">93</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">94</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">94</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">95</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">95</span><span class=\"token punctuation\">]</span>: i8*\n<span class=\"token number\">96</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">96</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">97</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">97</span><span class=\"token punctuation\">]</span>: 
i8*\n<span class=\"token number\">98</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">98</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">99</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">99</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">100</span> <span class=\"token punctuation\">[</span><span class=\"token number\">100</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">101</span> <span class=\"token punctuation\">[</span><span class=\"token number\">101</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">102</span> <span class=\"token punctuation\">[</span><span class=\"token number\">102</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">103</span> <span class=\"token punctuation\">[</span><span class=\"token number\">103</span><span class=\"token punctuation\">]</span>: i1\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">72</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span><span class=\"token number\">104</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span><span class=\"token number\">105</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span><span class=\"token number\">106</span><span class=\"token punctuation\">]</span>: <span 
class=\"token number\">7</span><span class=\"token punctuation\">(</span>0x7<span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span><span class=\"token number\">107</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span><span class=\"token number\">108</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span><span class=\"token number\">109</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">36</span><span class=\"token punctuation\">(</span>0x24<span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span><span class=\"token number\">110</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">32</span><span class=\"token punctuation\">(</span>0x20<span class=\"token punctuation\">)</span>\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span><span class=\"token number\">111</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">32</span><span class=\"token punctuation\">(</span>0x20<span class=\"token punctuation\">)</span>\n<span class=\"token number\">8</span> <span class=\"token punctuation\">[</span><span class=\"token number\">112</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">9</span> <span class=\"token punctuation\">[</span><span class=\"token number\">113</span><span class=\"token 
punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">10</span> <span class=\"token punctuation\">[</span><span class=\"token number\">114</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">11</span> <span class=\"token punctuation\">[</span><span class=\"token number\">115</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">12</span> <span class=\"token punctuation\">[</span><span class=\"token number\">116</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">13</span> <span class=\"token punctuation\">[</span><span class=\"token number\">117</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">14</span> <span class=\"token punctuation\">[</span><span class=\"token number\">118</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">15</span> <span class=\"token punctuation\">[</span><span class=\"token number\">119</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">125</span><span class=\"token punctuation\">(</span>0x7d<span class=\"token punctuation\">)</span>\n<span class=\"token number\">16</span> <span class=\"token punctuation\">[</span><span class=\"token 
number\">120</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">17</span> <span class=\"token punctuation\">[</span><span class=\"token number\">121</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">18</span> <span class=\"token punctuation\">[</span><span class=\"token number\">122</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">19</span> <span class=\"token punctuation\">[</span><span class=\"token number\">123</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">20</span> <span class=\"token punctuation\">[</span><span class=\"token number\">124</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">21</span> <span class=\"token punctuation\">[</span><span class=\"token number\">125</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">32</span><span class=\"token punctuation\">(</span>0x20<span class=\"token punctuation\">)</span>\n<span class=\"token number\">22</span> <span class=\"token punctuation\">[</span><span class=\"token number\">126</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">32</span><span class=\"token punctuation\">(</span>0x20<span class=\"token punctuation\">)</span>\n<span class=\"token number\">23</span> <span class=\"token 
punctuation\">[</span><span class=\"token number\">127</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">24</span> <span class=\"token punctuation\">[</span><span class=\"token number\">128</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">30</span><span class=\"token punctuation\">(</span>0x1e<span class=\"token punctuation\">)</span>\n<span class=\"token number\">25</span> <span class=\"token punctuation\">[</span><span class=\"token number\">129</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">32</span><span class=\"token punctuation\">(</span>0x20<span class=\"token punctuation\">)</span>\n<span class=\"token number\">26</span> <span class=\"token punctuation\">[</span><span class=\"token number\">130</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">27</span> <span class=\"token punctuation\">[</span><span class=\"token number\">131</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">28</span> <span class=\"token punctuation\">[</span><span class=\"token number\">132</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">29</span> <span class=\"token punctuation\">[</span><span class=\"token number\">133</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token 
number\">30</span> <span class=\"token punctuation\">[</span><span class=\"token number\">134</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">36</span><span class=\"token punctuation\">(</span>0x24<span class=\"token punctuation\">)</span>\n<span class=\"token number\">31</span> <span class=\"token punctuation\">[</span><span class=\"token number\">135</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1939767458</span><span class=\"token punctuation\">(</span>0x739e80a2<span class=\"token punctuation\">)</span>\n<span class=\"token number\">32</span> <span class=\"token punctuation\">[</span><span class=\"token number\">136</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">33</span> <span class=\"token punctuation\">[</span><span class=\"token number\">137</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">34</span> <span class=\"token punctuation\">[</span><span class=\"token number\">138</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">35</span> <span class=\"token punctuation\">[</span><span class=\"token number\">139</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">36</span> <span class=\"token punctuation\">[</span><span class=\"token number\">140</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">984514723</span><span class=\"token 
punctuation\">(</span>0x3aae80a3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">37</span> <span class=\"token punctuation\">[</span><span class=\"token number\">141</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">38</span> <span class=\"token punctuation\">[</span><span class=\"token number\">142</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">39</span> <span class=\"token punctuation\">[</span><span class=\"token number\">143</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">40</span> <span class=\"token punctuation\">[</span><span class=\"token number\">144</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">2</span><span class=\"token punctuation\">(</span>0x2<span class=\"token punctuation\">)</span>\n<span class=\"token number\">41</span> <span class=\"token punctuation\">[</span><span class=\"token number\">145</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1000662943</span><span class=\"token punctuation\">(</span>0x3ba4e79f<span class=\"token punctuation\">)</span>\n<span class=\"token number\">42</span> <span class=\"token punctuation\">[</span><span class=\"token number\">146</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">43</span> <span class=\"token punctuation\">[</span><span class=\"token number\">147</span><span class=\"token punctuation\">]</span>: 
<span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">44</span> <span class=\"token punctuation\">[</span><span class=\"token number\">148</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">45</span> <span class=\"token punctuation\">[</span><span class=\"token number\">149</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">3</span><span class=\"token punctuation\">(</span>0x3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">46</span> <span class=\"token punctuation\">[</span><span class=\"token number\">150</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">2025505267</span><span class=\"token punctuation\">(</span>0x78bac1f3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">47</span> <span class=\"token punctuation\">[</span><span class=\"token number\">151</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">48</span> <span class=\"token punctuation\">[</span><span class=\"token number\">152</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">49</span> <span class=\"token punctuation\">[</span><span class=\"token number\">153</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">50</span> <span class=\"token punctuation\">[</span><span class=\"token 
number\">154</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">51</span> <span class=\"token punctuation\">[</span><span class=\"token number\">155</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1593426419</span><span class=\"token punctuation\">(</span>0x5ef9c1f3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">52</span> <span class=\"token punctuation\">[</span><span class=\"token number\">156</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">53</span> <span class=\"token punctuation\">[</span><span class=\"token number\">157</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">54</span> <span class=\"token punctuation\">[</span><span class=\"token number\">158</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">55</span> <span class=\"token punctuation\">[</span><span class=\"token number\">159</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">5</span><span class=\"token punctuation\">(</span>0x5<span class=\"token punctuation\">)</span>\n<span class=\"token number\">56</span> <span class=\"token punctuation\">[</span><span class=\"token number\">160</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1002040479</span><span class=\"token punctuation\">(</span>0x3bb9ec9f<span class=\"token punctuation\">)</span>\n<span class=\"token number\">57</span> 
<span class=\"token punctuation\">[</span><span class=\"token number\">161</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">58</span> <span class=\"token punctuation\">[</span><span class=\"token number\">162</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">59</span> <span class=\"token punctuation\">[</span><span class=\"token number\">163</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">60</span> <span class=\"token punctuation\">[</span><span class=\"token number\">164</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">6</span><span class=\"token punctuation\">(</span>0x6<span class=\"token punctuation\">)</span>\n<span class=\"token number\">61</span> <span class=\"token punctuation\">[</span><span class=\"token number\">165</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1434878964</span><span class=\"token punctuation\">(</span>0x558683f4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">62</span> <span class=\"token punctuation\">[</span><span class=\"token number\">166</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">63</span> <span class=\"token punctuation\">[</span><span class=\"token number\">167</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token 
punctuation\">)</span>\n<span class=\"token number\">64</span> <span class=\"token punctuation\">[</span><span class=\"token number\">168</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">65</span> <span class=\"token punctuation\">[</span><span class=\"token number\">169</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">7</span><span class=\"token punctuation\">(</span>0x7<span class=\"token punctuation\">)</span>\n<span class=\"token number\">66</span> <span class=\"token punctuation\">[</span><span class=\"token number\">170</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1442502036</span><span class=\"token punctuation\">(</span>0x55fad594<span class=\"token punctuation\">)</span>\n<span class=\"token number\">67</span> <span class=\"token punctuation\">[</span><span class=\"token number\">171</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">68</span> <span class=\"token punctuation\">[</span><span class=\"token number\">172</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">69</span> <span class=\"token punctuation\">[</span><span class=\"token number\">173</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">70</span> <span class=\"token punctuation\">[</span><span class=\"token number\">174</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">8</span><span 
class=\"token punctuation\">(</span>0x8<span class=\"token punctuation\">)</span>\n<span class=\"token number\">71</span> <span class=\"token punctuation\">[</span><span class=\"token number\">175</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1824513439</span><span class=\"token punctuation\">(</span>0x6cbfdd9f<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">176</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.1 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">115</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> gepz p.4 + <span class=\"token punctuation\">(</span><span class=\"token number\">104</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">7</span> <span class=\"token operator\">=</span> gepz p.6 + <span class=\"token punctuation\">(</span><span class=\"token number\">105</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_CALL_API      <span 
class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">8</span> <span class=\"token operator\">=</span> seek<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span><span class=\"token number\">106</span>, <span class=\"token number\">107</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">3</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">108</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">4</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.2\n\n<span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_ICMP_ULT      <span class=\"token punctuation\">[</span><span class=\"token number\">25</span> /129/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">9</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">18</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">109</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token 
number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">18</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">9</span> ? bb.2 <span class=\"token builtin class-name\">:</span> bb.3\n\n<span class=\"token number\">2</span>    <span class=\"token number\">8</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">2</span> -<span class=\"token operator\">></span> <span class=\"token number\">10</span>\n<span class=\"token number\">2</span>    <span class=\"token number\">9</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">11</span> <span class=\"token operator\">=</span> <span class=\"token number\">10</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">110</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">10</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">12</span> <span class=\"token 
operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">>></span> <span class=\"token number\">111</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">11</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">13</span> <span class=\"token operator\">=</span> <span class=\"token number\">12</span> trunc ffffffffffffffff\n<span class=\"token number\">2</span>   <span class=\"token number\">12</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">14</span> <span class=\"token operator\">=</span> gepz p.4 + <span class=\"token punctuation\">(</span><span class=\"token number\">112</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">13</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">15</span> <span class=\"token operator\">=</span> gep1 p.14 + <span class=\"token punctuation\">(</span><span class=\"token number\">13</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">14</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">16</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span 
class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.15, <span class=\"token number\">113</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_SLT      <span class=\"token punctuation\">[</span><span class=\"token number\">30</span> /153/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">17</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">16</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">114</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">16</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">9</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">18</span> <span class=\"token operator\">=</span> <span class=\"token number\">10</span> + <span class=\"token number\">115</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">17</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">116</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">18</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token 
number\">17</span> ? bb.7 <span class=\"token builtin class-name\">:</span> bb.1\n\n<span class=\"token number\">3</span>   <span class=\"token number\">19</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">19</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.3, <span class=\"token number\">117</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">20</span>  OP_BC_ICMP_SGT      <span class=\"token punctuation\">[</span><span class=\"token number\">27</span> /138/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">20</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">19</span> <span class=\"token operator\">></span> <span class=\"token number\">118</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">21</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /171/  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">3</span> -<span class=\"token operator\">></span> <span class=\"token number\">21</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">22</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /106/  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">22</span> <span class=\"token 
operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">21</span> <span class=\"token operator\">==</span> <span class=\"token number\">119</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">23</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">23</span> <span class=\"token operator\">=</span> <span class=\"token number\">20</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">22</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">24</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">120</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">25</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">23</span> ? 
bb.4 <span class=\"token builtin class-name\">:</span> bb.7\n\n<span class=\"token number\">4</span>   <span class=\"token number\">26</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">24</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.3, <span class=\"token number\">121</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">27</span>  OP_BC_ICMP_SGT      <span class=\"token punctuation\">[</span><span class=\"token number\">27</span> /138/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">25</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">24</span> <span class=\"token operator\">></span> <span class=\"token number\">122</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">28</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">123</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">29</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">124</span> 
-<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">30</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">25</span> ? bb.7 <span class=\"token builtin class-name\">:</span> bb.5\n\n<span class=\"token number\">5</span>   <span class=\"token number\">31</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">1</span> -<span class=\"token operator\">></span> <span class=\"token number\">26</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">32</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">27</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">125</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">33</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">28</span> <span class=\"token operator\">=</span> <span class=\"token number\">27</span> <span class=\"token operator\">>></span> <span class=\"token number\">126</span>\n<span class=\"token number\">5</span>   <span class=\"token 
number\">34</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">29</span> <span class=\"token operator\">=</span> <span class=\"token number\">28</span> trunc ffffffffffffffff\n<span class=\"token number\">5</span>   <span class=\"token number\">35</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">30</span> <span class=\"token operator\">=</span> gepz p.4 + <span class=\"token punctuation\">(</span><span class=\"token number\">127</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">36</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">31</span> <span class=\"token operator\">=</span> gep1 p.30 + <span class=\"token punctuation\">(</span><span class=\"token number\">29</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">37</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">32</span> <span class=\"token operator\">&lt;</span>- p.31\n<span class=\"token number\">5</span>   <span class=\"token number\">38</span>  OP_BC_CALL_DIRECT   <span class=\"token punctuation\">[</span><span class=\"token number\">32</span> /163/  <span class=\"token number\">3</span><span 
class=\"token punctuation\">]</span>  <span class=\"token number\">33</span> <span class=\"token operator\">=</span> call F.2 <span class=\"token punctuation\">(</span><span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">39</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">34</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">128</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">40</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">35</span> <span class=\"token operator\">=</span> <span class=\"token number\">34</span> <span class=\"token operator\">>></span> <span class=\"token number\">129</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">41</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">36</span> <span class=\"token operator\">=</span> <span class=\"token number\">35</span> trunc ffffffffffffffff\n<span class=\"token number\">5</span>   <span class=\"token number\">42</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token 
punctuation\">]</span>  <span class=\"token number\">37</span> <span class=\"token operator\">=</span> <span class=\"token number\">130</span> * <span class=\"token number\">131</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">43</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">38</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">37</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">44</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">39</span> <span class=\"token operator\">=</span> <span class=\"token number\">132</span> * <span class=\"token number\">36</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">45</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">40</span> <span class=\"token operator\">=</span> gep1 p.38 + <span class=\"token punctuation\">(</span><span class=\"token number\">39</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">46</span>  OP_BC_STORE         <span class=\"token punctuation\">[</span><span class=\"token number\">38</span> /193/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  store <span class=\"token 
number\">33</span> -<span class=\"token operator\">></span> p.40\n<span class=\"token number\">5</span>   <span class=\"token number\">47</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">9</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">41</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> + <span class=\"token number\">133</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">48</span>  OP_BC_ICMP_ULT      <span class=\"token punctuation\">[</span><span class=\"token number\">25</span> /129/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">42</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">41</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">134</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">49</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">41</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">50</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">42</span> ? 
bb.5 <span class=\"token builtin class-name\">:</span> bb.6\n\n<span class=\"token number\">6</span>   <span class=\"token number\">51</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">43</span> <span class=\"token operator\">&lt;</span>- p.7\n<span class=\"token number\">6</span>   <span class=\"token number\">52</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">44</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">43</span> <span class=\"token operator\">==</span> <span class=\"token number\">135</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">53</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">45</span> <span class=\"token operator\">=</span> <span class=\"token number\">136</span> * <span class=\"token number\">137</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">54</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">46</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">45</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token 
number\">6</span>   <span class=\"token number\">55</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">47</span> <span class=\"token operator\">=</span> <span class=\"token number\">138</span> * <span class=\"token number\">139</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">56</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">48</span> <span class=\"token operator\">=</span> gep1 p.46 + <span class=\"token punctuation\">(</span><span class=\"token number\">47</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">57</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">49</span> <span class=\"token operator\">&lt;</span>- p.48\n<span class=\"token number\">6</span>   <span class=\"token number\">58</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">50</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">49</span> <span class=\"token operator\">==</span> <span class=\"token number\">140</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">59</span>  OP_BC_AND           <span 
class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">51</span> <span class=\"token operator\">=</span> <span class=\"token number\">44</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">50</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">60</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">52</span> <span class=\"token operator\">=</span> <span class=\"token number\">141</span> * <span class=\"token number\">142</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">61</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">53</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">52</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">62</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">54</span> <span class=\"token operator\">=</span> <span class=\"token number\">143</span> * <span class=\"token number\">144</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">63</span>  OP_BC_GEP1          <span class=\"token 
punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">55</span> <span class=\"token operator\">=</span> gep1 p.53 + <span class=\"token punctuation\">(</span><span class=\"token number\">54</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">64</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">56</span> <span class=\"token operator\">&lt;</span>- p.55\n<span class=\"token number\">6</span>   <span class=\"token number\">65</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">57</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">56</span> <span class=\"token operator\">==</span> <span class=\"token number\">145</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">66</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">58</span> <span class=\"token operator\">=</span> <span class=\"token number\">51</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">57</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">67</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token 
number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">59</span> <span class=\"token operator\">=</span> <span class=\"token number\">146</span> * <span class=\"token number\">147</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">68</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">60</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">59</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">69</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">61</span> <span class=\"token operator\">=</span> <span class=\"token number\">148</span> * <span class=\"token number\">149</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">70</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">62</span> <span class=\"token operator\">=</span> gep1 p.60 + <span class=\"token punctuation\">(</span><span class=\"token number\">61</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">71</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token 
number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">63</span> <span class=\"token operator\">&lt;</span>- p.62\n<span class=\"token number\">6</span>   <span class=\"token number\">72</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">64</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">63</span> <span class=\"token operator\">==</span> <span class=\"token number\">150</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">73</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">65</span> <span class=\"token operator\">=</span> <span class=\"token number\">58</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">64</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">74</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">66</span> <span class=\"token operator\">=</span> <span class=\"token number\">151</span> * <span class=\"token number\">152</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">75</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  
<span class=\"token number\">67</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">66</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">76</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">68</span> <span class=\"token operator\">=</span> <span class=\"token number\">153</span> * <span class=\"token number\">154</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">77</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">69</span> <span class=\"token operator\">=</span> gep1 p.67 + <span class=\"token punctuation\">(</span><span class=\"token number\">68</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">78</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">70</span> <span class=\"token operator\">&lt;</span>- p.69\n<span class=\"token number\">6</span>   <span class=\"token number\">79</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">71</span> <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">(</span><span class=\"token number\">70</span> <span class=\"token operator\">==</span> <span class=\"token number\">155</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">80</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">72</span> <span class=\"token operator\">=</span> <span class=\"token number\">65</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">71</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">81</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">73</span> <span class=\"token operator\">=</span> <span class=\"token number\">156</span> * <span class=\"token number\">157</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">82</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">74</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">73</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">83</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span 
class=\"token number\">75</span> <span class=\"token operator\">=</span> <span class=\"token number\">158</span> * <span class=\"token number\">159</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">84</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">76</span> <span class=\"token operator\">=</span> gep1 p.74 + <span class=\"token punctuation\">(</span><span class=\"token number\">75</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">85</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">77</span> <span class=\"token operator\">&lt;</span>- p.76\n<span class=\"token number\">6</span>   <span class=\"token number\">86</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">78</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">77</span> <span class=\"token operator\">==</span> <span class=\"token number\">160</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">87</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">79</span> <span class=\"token operator\">=</span> <span 
class=\"token number\">72</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">78</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">88</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">80</span> <span class=\"token operator\">=</span> <span class=\"token number\">161</span> * <span class=\"token number\">162</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">89</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">81</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">80</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">90</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">82</span> <span class=\"token operator\">=</span> <span class=\"token number\">163</span> * <span class=\"token number\">164</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">91</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">83</span> <span class=\"token operator\">=</span> gep1 p.81 + <span class=\"token punctuation\">(</span><span class=\"token 
number\">82</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">92</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">84</span> <span class=\"token operator\">&lt;</span>- p.83\n<span class=\"token number\">6</span>   <span class=\"token number\">93</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">85</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">84</span> <span class=\"token operator\">==</span> <span class=\"token number\">165</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">94</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">86</span> <span class=\"token operator\">=</span> <span class=\"token number\">79</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">85</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">95</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">87</span> <span class=\"token operator\">=</span> <span class=\"token number\">166</span> * <span class=\"token number\">167</span>\n<span 
class=\"token number\">6</span>   <span class=\"token number\">96</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">88</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">87</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">97</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">89</span> <span class=\"token operator\">=</span> <span class=\"token number\">168</span> * <span class=\"token number\">169</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">98</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">90</span> <span class=\"token operator\">=</span> gep1 p.88 + <span class=\"token punctuation\">(</span><span class=\"token number\">89</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>   <span class=\"token number\">99</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">91</span> <span class=\"token operator\">&lt;</span>- p.90\n<span class=\"token number\">6</span>  <span class=\"token number\">100</span>  OP_BC_ICMP_EQ       <span class=\"token 
punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">92</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">91</span> <span class=\"token operator\">==</span> <span class=\"token number\">170</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">101</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">93</span> <span class=\"token operator\">=</span> <span class=\"token number\">86</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">92</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">102</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">94</span> <span class=\"token operator\">=</span> <span class=\"token number\">171</span> * <span class=\"token number\">172</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">103</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">95</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">94</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token 
number\">104</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">96</span> <span class=\"token operator\">=</span> <span class=\"token number\">173</span> * <span class=\"token number\">174</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">105</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">97</span> <span class=\"token operator\">=</span> gep1 p.95 + <span class=\"token punctuation\">(</span><span class=\"token number\">96</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">106</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">98</span> <span class=\"token operator\">&lt;</span>- p.97\n<span class=\"token number\">6</span>  <span class=\"token number\">107</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">99</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">98</span> <span class=\"token operator\">==</span> <span class=\"token number\">175</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">108</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span 
class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">100</span> <span class=\"token operator\">=</span> <span class=\"token number\">93</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">99</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">109</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">101</span> <span class=\"token operator\">=</span> <span class=\"token number\">100</span> sext <span class=\"token number\">1</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">110</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">101</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">111</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.7\n\n<span class=\"token number\">7</span>  <span class=\"token number\">112</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">0</span> -<span class=\"token operator\">></span> <span class=\"token 
number\">102</span>\n<span class=\"token number\">7</span>  <span class=\"token number\">113</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">70</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">103</span> <span class=\"token operator\">=</span> <span class=\"token number\">102</span> trunc ffffffffffffffff\n<span class=\"token number\">7</span>  <span class=\"token number\">114</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">95</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">103</span>\n------------------------------------------------------------------------\n<span class=\"token comment\">########################################################################</span>\n<span class=\"token comment\">####################### Function id   2 ################################</span>\n<span class=\"token comment\">########################################################################</span>\nfound a total of <span class=\"token number\">4</span> globals\nGID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i0 unknown\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span> unknown\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token 
punctuation\">]</span>: i8* unknown\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i8* unknown\n------------------------------------------------------------------------\nfound <span class=\"token number\">18</span> values with <span class=\"token number\">1</span> arguments and <span class=\"token number\">17</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i32 argument\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">8</span> <span class=\"token punctuation\">[</span>  <span 
class=\"token number\">8</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">9</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">9</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">10</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">10</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">11</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">11</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">12</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">12</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">13</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">13</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">14</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">14</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">15</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">15</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">16</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">16</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">17</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">17</span><span class=\"token punctuation\">]</span>: i64\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">8</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">18</span><span class=\"token punctuation\">]</span>: <span 
class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">19</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">181056448</span><span class=\"token punctuation\">(</span>0xacab3c0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">20</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">3</span><span class=\"token punctuation\">(</span>0x3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">21</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">255</span><span class=\"token punctuation\">(</span>0xff<span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">22</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">8</span><span class=\"token punctuation\">(</span>0x8<span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">23</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">24</span><span class=\"token punctuation\">(</span>0x18<span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">24</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">25</span><span 
class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">26</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.2 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">22</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">18</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">19</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.1\n\n<span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_COPY          <span class=\"token 
punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">1</span> -<span class=\"token operator\">></span> <span class=\"token number\">3</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">4</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">2</span> -<span class=\"token operator\">></span> <span class=\"token number\">4</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> <span class=\"token number\">3</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">6</span> <span class=\"token operator\">=</span> <span class=\"token number\">4</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">7</span> <span class=\"token 
operator\">=</span> <span class=\"token number\">6</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">8</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">8</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span> <span class=\"token operator\">>></span> <span class=\"token number\">7</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">9</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">58</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">9</span> <span class=\"token operator\">=</span> <span class=\"token number\">8</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">21</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">10</span>  OP_BC_XOR           <span class=\"token punctuation\">[</span><span class=\"token number\">13</span> / <span class=\"token number\">68</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">10</span> <span class=\"token operator\">=</span> <span class=\"token number\">9</span> ^ <span class=\"token number\">5</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">11</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">11</span> <span class=\"token operator\">=</span> 
<span class=\"token number\">10</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">22</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">12</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">12</span> <span class=\"token operator\">=</span> <span class=\"token number\">5</span> <span class=\"token operator\">>></span> <span class=\"token number\">23</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">13</span>  OP_BC_OR            <span class=\"token punctuation\">[</span><span class=\"token number\">12</span> / <span class=\"token number\">63</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">13</span> <span class=\"token operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">|</span> <span class=\"token number\">12</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">14</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">8</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">14</span> <span class=\"token operator\">=</span> <span class=\"token number\">6</span> + <span class=\"token number\">24</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">15</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span 
class=\"token number\">14</span> <span class=\"token operator\">==</span> <span class=\"token number\">25</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">16</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">16</span> <span class=\"token operator\">=</span> <span class=\"token number\">14</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">17</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">17</span> <span class=\"token operator\">=</span> <span class=\"token number\">13</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">18</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">16</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">19</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">17</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">1</span>   <span 
class=\"token number\">20</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">15</span> ? bb.2 <span class=\"token builtin class-name\">:</span> bb.1\n\n<span class=\"token number\">2</span>   <span class=\"token number\">21</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">13</span>\n------------------------------------------------------------------------</code></pre></div>\n<p>This signature appears to define three functions, with IDs 0 through 2.</p>\n<p>Among them, the function with ID 0 shown below looks like the entry point.</p>\n<p>Inside it, the result of <code class=\"language-text\">call F.1 ()</code> is evaluated, and if it is True, the implementation returns foundVirus.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">BB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_CALL_DIRECT   <span class=\"token punctuation\">[</span><span class=\"token number\">32</span> /160/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">0</span> <span class=\"token operator\">=</span> call F.1 <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_BRANCH        <span 
class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">0</span> ? bb.1 <span class=\"token builtin class-name\">:</span> bb.2\n\n<span class=\"token number\">1</span>    <span class=\"token number\">2</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">1</span> <span class=\"token operator\">=</span> setvirusname<span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.-2147483645, <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.2\n\n<span class=\"token number\">2</span>    <span class=\"token number\">4</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">3</span></code></pre></div>\n<p>That suggests the correct Flag is the input for which <code class=\"language-text\">call F.1 ()</code> returns True.</p>\n<p>The function with ID 1 seems to compare some kind of values.</p>\n<p>It also executes the function with ID 2 via <code class=\"language-text\">call F.2 (32)</code>.</p>\n<h3 id=\"investigating-func2\" style=\"position:relative;\"><a href=\"#investigating-func2\" 
aria-label=\"investigating func2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Investigating Func2</h3>\n<p>The function with ID 1 seems to contain the main logic, but I decided to examine the shorter function with ID 2 first.</p>\n<p>Below is the disassembly of the function with ID 2 (hereafter, Func2).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">########################################################################</span>\n<span class=\"token comment\">####################### Function id   2 ################################</span>\n<span class=\"token comment\">########################################################################</span>\nfound a total of <span class=\"token number\">4</span> globals\nGID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i0 unknown\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span> unknown\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span 
class=\"token punctuation\">]</span>: i8* unknown\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i8* unknown\n------------------------------------------------------------------------\nfound <span class=\"token number\">18</span> values with <span class=\"token number\">1</span> arguments and <span class=\"token number\">17</span> locals\nVID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: i32 argument\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">2</span><span class=\"token punctuation\">]</span>: alloc i64\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">6</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">8</span> <span class=\"token punctuation\">[</span>  
<span class=\"token number\">8</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">9</span> <span class=\"token punctuation\">[</span>  <span class=\"token number\">9</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">10</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">10</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">11</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">11</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">12</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">12</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">13</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">13</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">14</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">14</span><span class=\"token punctuation\">]</span>: i32\n<span class=\"token number\">15</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">15</span><span class=\"token punctuation\">]</span>: i1\n<span class=\"token number\">16</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">16</span><span class=\"token punctuation\">]</span>: i64\n<span class=\"token number\">17</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">17</span><span class=\"token punctuation\">]</span>: i64\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">8</span> constants\nCID  ID    VALUE\n------------------------------------------------------------------------\n<span class=\"token number\">0</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">18</span><span class=\"token punctuation\">]</span>: 
<span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">19</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">181056448</span><span class=\"token punctuation\">(</span>0xacab3c0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">20</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">3</span><span class=\"token punctuation\">(</span>0x3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">21</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">255</span><span class=\"token punctuation\">(</span>0xff<span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">22</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">8</span><span class=\"token punctuation\">(</span>0x8<span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">23</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">24</span><span class=\"token punctuation\">(</span>0x18<span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">24</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">7</span> <span class=\"token punctuation\">[</span> <span class=\"token 
number\">25</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n------------------------------------------------------------------------\nfound a total of <span class=\"token number\">26</span> total values\n------------------------------------------------------------------------\nFUNCTION ID: F.2 -<span class=\"token operator\">></span> NUMINSTS <span class=\"token number\">22</span>\nBB   IDX  OPCODE              <span class=\"token punctuation\">[</span>ID /IID/MOD<span class=\"token punctuation\">]</span>  INST\n------------------------------------------------------------------------\n<span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">18</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">19</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.1\n\n<span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_COPY          
<span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">1</span> -<span class=\"token operator\">></span> <span class=\"token number\">3</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">4</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">2</span> -<span class=\"token operator\">></span> <span class=\"token number\">4</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> <span class=\"token number\">3</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">6</span> <span class=\"token operator\">=</span> <span class=\"token number\">4</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">7</span> <span 
class=\"token operator\">=</span> <span class=\"token number\">6</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">8</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">8</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span> <span class=\"token operator\">>></span> <span class=\"token number\">7</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">9</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">58</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">9</span> <span class=\"token operator\">=</span> <span class=\"token number\">8</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">21</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">10</span>  OP_BC_XOR           <span class=\"token punctuation\">[</span><span class=\"token number\">13</span> / <span class=\"token number\">68</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">10</span> <span class=\"token operator\">=</span> <span class=\"token number\">9</span> ^ <span class=\"token number\">5</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">11</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">11</span> <span class=\"token 
operator\">=</span> <span class=\"token number\">10</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">22</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">12</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">12</span> <span class=\"token operator\">=</span> <span class=\"token number\">5</span> <span class=\"token operator\">>></span> <span class=\"token number\">23</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">13</span>  OP_BC_OR            <span class=\"token punctuation\">[</span><span class=\"token number\">12</span> / <span class=\"token number\">63</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">13</span> <span class=\"token operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">|</span> <span class=\"token number\">12</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">14</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">8</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">14</span> <span class=\"token operator\">=</span> <span class=\"token number\">6</span> + <span class=\"token number\">24</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">15</span> <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">(</span><span class=\"token number\">14</span> <span class=\"token operator\">==</span> <span class=\"token number\">25</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">16</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">16</span> <span class=\"token operator\">=</span> <span class=\"token number\">14</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">17</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">17</span> <span class=\"token operator\">=</span> <span class=\"token number\">13</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">18</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">16</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">19</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">17</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token 
number\">1</span>   <span class=\"token number\">20</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">15</span> ? bb.2 <span class=\"token builtin class-name\">:</span> bb.1\n\n<span class=\"token number\">2</span>   <span class=\"token number\">21</span>  OP_BC_RET           <span class=\"token punctuation\">[</span><span class=\"token number\">19</span> / <span class=\"token number\">98</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  ret <span class=\"token number\">13</span>\n------------------------------------------------------------------------</code></pre></div>\n<p>This code consists of three sections, one per basic block (the BB column in the listing).</p>\n<p>The first section is simple: it copies the values of several constants into local variables.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">18</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">19</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">0</span>    <span
class=\"token number\">2</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.1</code></pre></div>\n<p>The last section returns the variable with ID 13 via <code class=\"language-text\">ret 13</code>.</p>\n<p>The middle section is implemented as follows.</p>\n<p>The presence of <code class=\"language-text\">br 15 ? bb.2 : bb.1</code> shows that this block performs a loop.</p>\n<p>Also, the variable with ID 15 being evaluated here corresponds to the result of <code class=\"language-text\">OP_BC_ICMP_EQ 15 = (14 == 25)</code>.</p>\n<p>Since ID 25 is the constant <code class=\"language-text\">0x4</code>, it is reasonable to assume that the variable with ID 14 serves as a counter and that the loop runs four times.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">1</span>    <span class=\"token number\">3</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">1</span> -<span class=\"token operator\">></span> <span class=\"token number\">3</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">4</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">2</span> -<span class=\"token operator\">></span> <span class=\"token number\">4</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_TRUNC         <span 
class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> <span class=\"token number\">3</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">6</span> <span class=\"token operator\">=</span> <span class=\"token number\">4</span> trunc ffffffffffffffff\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">7</span> <span class=\"token operator\">=</span> <span class=\"token number\">6</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">8</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">8</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span> <span class=\"token operator\">>></span> <span class=\"token number\">7</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">9</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token 
number\">58</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">9</span> <span class=\"token operator\">=</span> <span class=\"token number\">8</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">21</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">10</span>  OP_BC_XOR           <span class=\"token punctuation\">[</span><span class=\"token number\">13</span> / <span class=\"token number\">68</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">10</span> <span class=\"token operator\">=</span> <span class=\"token number\">9</span> ^ <span class=\"token number\">5</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">11</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">43</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">11</span> <span class=\"token operator\">=</span> <span class=\"token number\">10</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">22</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">12</span>  OP_BC_LSHR          <span class=\"token punctuation\">[</span><span class=\"token number\">9</span>  / <span class=\"token number\">48</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">12</span> <span class=\"token operator\">=</span> <span class=\"token number\">5</span> <span class=\"token operator\">>></span> <span class=\"token number\">23</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">13</span>  OP_BC_OR            <span class=\"token punctuation\">[</span><span class=\"token number\">12</span> / <span class=\"token 
number\">63</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">13</span> <span class=\"token operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">|</span> <span class=\"token number\">12</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">14</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">8</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">14</span> <span class=\"token operator\">=</span> <span class=\"token number\">6</span> + <span class=\"token number\">24</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">15</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">14</span> <span class=\"token operator\">==</span> <span class=\"token number\">25</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">16</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">16</span> <span class=\"token operator\">=</span> <span class=\"token number\">14</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">17</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token 
number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">17</span> <span class=\"token operator\">=</span> <span class=\"token number\">13</span> sext <span class=\"token number\">20</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">18</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">16</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">19</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">17</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">1</span>   <span class=\"token number\">20</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">15</span> ? 
 bb.2 <span class=\"token builtin class-name\">:</span> bb.1</code></pre></div>\n<p>Inside the loop, several variables are processed with XOR and shift operations.</p>\n<p><code class=\"language-text\">OP_BC_TRUNC</code> and <code class=\"language-text\">OP_BC_SEXT</code> were a little hard to interpret. TRUNC most likely just truncates bits when an i64 variable is copied into an i32 variable, and SEXT sign-extends when an i32 variable is copied into an i64 variable, so in practice both can probably be treated as simple copy operations.</p>\n<p>Another key point is variable 0, which is logically right-shifted by <code class=\"language-text\">OP_BC_LSHR</code>. As indicated by <code class=\"language-text\">0 [  0]: i32 argument</code>, this stores the 32-bit argument received from Func1.</p>\n<p>Translating that behavior into C gave the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdint.h></span></span>\n\n<span class=\"token class-name\">uint32_t</span> <span class=\"token function\">func2</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span> v0<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">uint64_t</span> v1 <span class=\"token operator\">=</span> <span class=\"token number\">0xacab3c0</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v19 = 0xacab3c0</span>\n    <span class=\"token class-name\">uint64_t</span> v2 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v18 = 0</span>\n    <span class=\"token class-name\">uint32_t</span> v3<span class=\"token punctuation\">,</span> v4<span class=\"token punctuation\">,</span> v5<span class=\"token punctuation\">,</span> v6<span class=\"token punctuation\">,</span> v7<span class=\"token 
punctuation\">,</span> v8<span class=\"token punctuation\">,</span> v9<span class=\"token punctuation\">,</span> v10<span class=\"token punctuation\">,</span> v11<span class=\"token punctuation\">,</span> v12<span class=\"token punctuation\">,</span> v13<span class=\"token punctuation\">,</span> v14<span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> <span class=\"token number\">4</span><span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        v3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token punctuation\">)</span>v1<span class=\"token punctuation\">;</span>\n        v4 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token punctuation\">)</span>v2<span class=\"token punctuation\">;</span>\n        \n        v5 <span class=\"token operator\">=</span> v3<span class=\"token punctuation\">;</span>\n        v6 <span class=\"token operator\">=</span> v4<span class=\"token punctuation\">;</span>\n        v7 <span class=\"token operator\">=</span> v6 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v20 = 0x3</span>\n        v8 <span class=\"token operator\">=</span> v0 <span class=\"token operator\">>></span> v7<span class=\"token punctuation\">;</span>\n        v9 <span class=\"token operator\">=</span> v8 <span class=\"token operator\">&amp;</span> <span 
class=\"token number\">0xFF</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v21 = 0xFF</span>\n        v10 <span class=\"token operator\">=</span> v9 <span class=\"token operator\">^</span> v5<span class=\"token punctuation\">;</span>\n        v11 <span class=\"token operator\">=</span> v10 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">8</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v22 = 0x8</span>\n        v12 <span class=\"token operator\">=</span> v5 <span class=\"token operator\">>></span> <span class=\"token number\">24</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v23 = 0x18</span>\n        v13 <span class=\"token operator\">=</span> v11 <span class=\"token operator\">|</span> v12<span class=\"token punctuation\">;</span>\n\n        v2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>v6 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// v24 = 1</span>\n        v1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span>v13<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">return</span> v13<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Apparently, this function takes a 32-bit integer argument, splits it into four 8-bit chunks, and returns the result of performing shift and logical operations using those values.</p>\n<h3 id=\"investigating-func1\" 
style=\"position:relative;\"><a href=\"#investigating-func1\" aria-label=\"investigating func1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Investigating Func1</h3>\n<p>After reading the implementation of Func2, I moved on to the code of Func1.</p>\n<p>Func1 defines a very large number of variables and constants, but the constants that stood out in particular were the following.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">30</span> <span class=\"token punctuation\">[</span><span class=\"token number\">134</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">36</span><span class=\"token punctuation\">(</span>0x24<span class=\"token punctuation\">)</span>\n<span class=\"token number\">31</span> <span class=\"token punctuation\">[</span><span class=\"token number\">135</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1939767458</span><span class=\"token punctuation\">(</span>0x739e80a2<span class=\"token punctuation\">)</span>\n<span class=\"token number\">32</span> <span class=\"token punctuation\">[</span><span class=\"token number\">136</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">33</span> <span class=\"token punctuation\">[</span><span class=\"token 
number\">137</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">34</span> <span class=\"token punctuation\">[</span><span class=\"token number\">138</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">35</span> <span class=\"token punctuation\">[</span><span class=\"token number\">139</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1</span><span class=\"token punctuation\">(</span>0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">36</span> <span class=\"token punctuation\">[</span><span class=\"token number\">140</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">984514723</span><span class=\"token punctuation\">(</span>0x3aae80a3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">37</span> <span class=\"token punctuation\">[</span><span class=\"token number\">141</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">38</span> <span class=\"token punctuation\">[</span><span class=\"token number\">142</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">39</span> <span class=\"token punctuation\">[</span><span class=\"token number\">143</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">40</span> <span 
class=\"token punctuation\">[</span><span class=\"token number\">144</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">2</span><span class=\"token punctuation\">(</span>0x2<span class=\"token punctuation\">)</span>\n<span class=\"token number\">41</span> <span class=\"token punctuation\">[</span><span class=\"token number\">145</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1000662943</span><span class=\"token punctuation\">(</span>0x3ba4e79f<span class=\"token punctuation\">)</span>\n<span class=\"token number\">42</span> <span class=\"token punctuation\">[</span><span class=\"token number\">146</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">43</span> <span class=\"token punctuation\">[</span><span class=\"token number\">147</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">44</span> <span class=\"token punctuation\">[</span><span class=\"token number\">148</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">45</span> <span class=\"token punctuation\">[</span><span class=\"token number\">149</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">3</span><span class=\"token punctuation\">(</span>0x3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">46</span> <span class=\"token punctuation\">[</span><span class=\"token number\">150</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">2025505267</span><span class=\"token punctuation\">(</span>0x78bac1f3<span class=\"token 
punctuation\">)</span>\n<span class=\"token number\">47</span> <span class=\"token punctuation\">[</span><span class=\"token number\">151</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">48</span> <span class=\"token punctuation\">[</span><span class=\"token number\">152</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">49</span> <span class=\"token punctuation\">[</span><span class=\"token number\">153</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">50</span> <span class=\"token punctuation\">[</span><span class=\"token number\">154</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">51</span> <span class=\"token punctuation\">[</span><span class=\"token number\">155</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1593426419</span><span class=\"token punctuation\">(</span>0x5ef9c1f3<span class=\"token punctuation\">)</span>\n<span class=\"token number\">52</span> <span class=\"token punctuation\">[</span><span class=\"token number\">156</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">53</span> <span class=\"token punctuation\">[</span><span class=\"token number\">157</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span 
class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">54</span> <span class=\"token punctuation\">[</span><span class=\"token number\">158</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">55</span> <span class=\"token punctuation\">[</span><span class=\"token number\">159</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">5</span><span class=\"token punctuation\">(</span>0x5<span class=\"token punctuation\">)</span>\n<span class=\"token number\">56</span> <span class=\"token punctuation\">[</span><span class=\"token number\">160</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1002040479</span><span class=\"token punctuation\">(</span>0x3bb9ec9f<span class=\"token punctuation\">)</span>\n<span class=\"token number\">57</span> <span class=\"token punctuation\">[</span><span class=\"token number\">161</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">58</span> <span class=\"token punctuation\">[</span><span class=\"token number\">162</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">59</span> <span class=\"token punctuation\">[</span><span class=\"token number\">163</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">60</span> <span class=\"token punctuation\">[</span><span class=\"token number\">164</span><span class=\"token 
punctuation\">]</span>: <span class=\"token number\">6</span><span class=\"token punctuation\">(</span>0x6<span class=\"token punctuation\">)</span>\n<span class=\"token number\">61</span> <span class=\"token punctuation\">[</span><span class=\"token number\">165</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1434878964</span><span class=\"token punctuation\">(</span>0x558683f4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">62</span> <span class=\"token punctuation\">[</span><span class=\"token number\">166</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">63</span> <span class=\"token punctuation\">[</span><span class=\"token number\">167</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">64</span> <span class=\"token punctuation\">[</span><span class=\"token number\">168</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">65</span> <span class=\"token punctuation\">[</span><span class=\"token number\">169</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">7</span><span class=\"token punctuation\">(</span>0x7<span class=\"token punctuation\">)</span>\n<span class=\"token number\">66</span> <span class=\"token punctuation\">[</span><span class=\"token number\">170</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1442502036</span><span class=\"token punctuation\">(</span>0x55fad594<span class=\"token punctuation\">)</span>\n<span class=\"token number\">67</span> <span class=\"token 
punctuation\">[</span><span class=\"token number\">171</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">68</span> <span class=\"token punctuation\">[</span><span class=\"token number\">172</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">0</span><span class=\"token punctuation\">(</span>0x0<span class=\"token punctuation\">)</span>\n<span class=\"token number\">69</span> <span class=\"token punctuation\">[</span><span class=\"token number\">173</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">4</span><span class=\"token punctuation\">(</span>0x4<span class=\"token punctuation\">)</span>\n<span class=\"token number\">70</span> <span class=\"token punctuation\">[</span><span class=\"token number\">174</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">8</span><span class=\"token punctuation\">(</span>0x8<span class=\"token punctuation\">)</span>\n<span class=\"token number\">71</span> <span class=\"token punctuation\">[</span><span class=\"token number\">175</span><span class=\"token punctuation\">]</span>: <span class=\"token number\">1824513439</span><span class=\"token punctuation\">(</span>0x6cbfdd9f<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Among these constants are nine 32-bit integer values, including <code class=\"language-text\">0x739e80a2</code> and <code class=\"language-text\">0x3aae80a3</code>.</p>\n<p>These values seemed likely to be used somehow in flag verification.</p>\n<p>Func1 consists of basic blocks (BB) 0 through 7.</p>\n<p>The code of the first block is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token number\">0</span>    <span class=\"token number\">0</span>  OP_BC_GEPZ          <span 
class=\"token punctuation\">[</span><span class=\"token number\">36</span> <span class=\"token operator\">/</span><span class=\"token number\">184</span><span class=\"token operator\">/</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">5</span> <span class=\"token operator\">=</span> gepz p<span class=\"token punctuation\">.</span><span class=\"token number\">4</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token number\">104</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">1</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> <span class=\"token operator\">/</span><span class=\"token number\">184</span><span class=\"token operator\">/</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">7</span> <span class=\"token operator\">=</span> gepz p<span class=\"token punctuation\">.</span><span class=\"token number\">6</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token number\">105</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">2</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> <span class=\"token operator\">/</span><span class=\"token number\">168</span><span class=\"token operator\">/</span>  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">8</span> <span class=\"token operator\">=</span> seek<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span><span class=\"token number\">106</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">3</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> <span class=\"token operator\">/</span><span class=\"token number\">174</span><span class=\"token operator\">/</span>  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  cp <span class=\"token number\">108</span> <span class=\"token operator\">-></span> <span class=\"token number\">2</span>\n<span class=\"token number\">0</span>    <span class=\"token number\">4</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> <span class=\"token operator\">/</span> <span class=\"token number\">90</span><span class=\"token operator\">/</span>  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb<span class=\"token punctuation\">.</span><span class=\"token number\">2</span></code></pre></div>\n<p><code class=\"language-text\">OP_BC_GEPZ</code> is defined in <code class=\"language-text\">bytecode_vm.c</code> as follows.</p>\n<p>The GEP in GEPZ is probably short for <em>GetElementPtr</em>, and it appears to perform pointer-address calculation just like LLVM’s GEP instruction.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">DEFINE_OP</span><span class=\"token punctuation\">(</span>OP_BC_GEPZ<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">int64_t</span> ptr<span class=\"token punctuation\">,</span> iptr<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int32_t</span> off<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">READ32</span><span class=\"token 
punctuation\">(</span>off<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>three<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// negative values checking, valid for intermediate GEP calculations</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>off <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"bytecode warning: found GEP with negative offset %d!\\n\"</span><span class=\"token punctuation\">,</span> off<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span>inst<span class=\"token operator\">-></span>interp_op <span class=\"token operator\">%</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token comment\">// how do negative offsets affect pointer initialization?</span>\n        <span class=\"token function\">WRITE64</span><span class=\"token punctuation\">(</span>inst<span class=\"token operator\">-></span>dest<span class=\"token punctuation\">,</span> <span class=\"token function\">ptr_compose</span><span class=\"token punctuation\">(</span>stackid<span class=\"token punctuation\">,</span>\n                             
           inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>three<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> off<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">READ64</span><span class=\"token punctuation\">(</span>ptr<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>three<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        off <span class=\"token operator\">+=</span> <span class=\"token punctuation\">(</span>ptr <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x00000000ffffffffULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        iptr <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>ptr <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xffffffff00000000ULL</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>off<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">WRITE64</span><span class=\"token punctuation\">(</span>inst<span class=\"token operator\">-></span>dest<span class=\"token punctuation\">,</span> iptr<span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>I do not know LLVM very well, but based on the reference, it seems to be a process for working with the value pointed to by a pointer address.</p>\n<p>Reference: <a href=\"https://llvm.org/docs/GetElementPtr.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">The Often Misunderstood GEP Instruction — LLVM 20.0.0git documentation</a></p>\n<p>In the next instruction, <code class=\"language-text\">8 = seek[3] (106, 107)</code>, it skips the first 7 bytes from the start of the data being scanned. (Constant ID 106 stores <code class=\"language-text\">7</code>, and constant ID 107 stores <code class=\"language-text\">0</code>, which means <code class=\"language-text\">SEEK_SET</code>.)</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">enum</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">/**set file position to specified absolute position */</span>\n    <span class=\"token constant\">SEEK_SET</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    <span class=\"token comment\">/**set file position relative to current position */</span>\n    <span class=\"token constant\">SEEK_CUR</span><span class=\"token punctuation\">,</span>\n    <span class=\"token comment\">/**set file position relative to file end*/</span>\n    <span class=\"token constant\">SEEK_END</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token comment\">/**\n\\group_file\n * Changes the current file position to the specified one.\n * @sa SEEK_SET, SEEK_CUR, 
 SEEK_END\n * @param[in] pos offset (absolute or relative depending on \\p whence param)\n * @param[in] whence one of \\p SEEK_SET, \\p SEEK_CUR, \\p SEEK_END\n * @return absolute position in file\n */</span>\n<span class=\"token class-name\">int32_t</span> <span class=\"token function\">seek</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span> pos<span class=\"token punctuation\">,</span> <span class=\"token class-name\">uint32_t</span> whence<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/bytecode_api.h\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode_api.h at main · Cisco-Talos/clamav</a></p>\n<p>As we already saw from the logical-signature settings, the scan target contains the text <code class=\"language-text\">SECCON{</code>, so this seek is probably there to skip over that string.</p>\n<p>In the final instruction, the value of constant ID 108 (<code class=\"language-text\">0</code>) is copied into variable ID 2, and then execution jumps to BB2.</p>\n<p>The code implemented in BB2 is as follows.</p>\n<p>From the branch instructions <code class=\"language-text\">br 9 ? bb.2 : bb.3</code> and <code class=\"language-text\">br 17 ? 
bb.7 : bb.1</code>, we can see that some kind of loop driven by conditional branches is taking place.</p>\n<p>BB7 appears to be the failure path, so here we need to work out which branches avoid jumping to BB7.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_ICMP_ULT      <span class=\"token punctuation\">[</span><span class=\"token number\">25</span> /129/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">9</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">18</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">109</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">18</span> -<span class=\"token operator\">></span> <span class=\"token number\">2</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">9</span> ? 
bb.2 <span class=\"token builtin class-name\">:</span> bb.3\n\n<span class=\"token number\">2</span>    <span class=\"token number\">8</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">2</span> -<span class=\"token operator\">></span> <span class=\"token number\">10</span>\n<span class=\"token number\">2</span>    <span class=\"token number\">9</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">11</span> <span class=\"token operator\">=</span> <span class=\"token number\">10</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">110</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">10</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">12</span> <span class=\"token operator\">=</span> <span class=\"token number\">11</span> <span class=\"token operator\">>></span> <span class=\"token number\">111</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">11</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">13</span> <span class=\"token operator\">=</span> <span class=\"token number\">12</span> trunc ffffffffffffffff\n<span class=\"token number\">2</span>   
<span class=\"token number\">12</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">14</span> <span class=\"token operator\">=</span> gepz p.4 + <span class=\"token punctuation\">(</span><span class=\"token number\">112</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">13</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">15</span> <span class=\"token operator\">=</span> gep1 p.14 + <span class=\"token punctuation\">(</span><span class=\"token number\">13</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">14</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">16</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.15, <span class=\"token number\">113</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_SLT      <span class=\"token punctuation\">[</span><span class=\"token number\">30</span> /153/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">17</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token 
number\">16</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">114</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">16</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">9</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">18</span> <span class=\"token operator\">=</span> <span class=\"token number\">10</span> + <span class=\"token number\">115</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">17</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">116</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">18</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">17</span> ? 
bb.7 <span class=\"token builtin class-name\">:</span> bb.1</code></pre></div>\n<p>I extracted the branching part and replaced the constants with their actual values.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">1</span>    <span class=\"token number\">5</span>  OP_BC_ICMP_ULT      <span class=\"token punctuation\">[</span><span class=\"token number\">25</span> /129/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  v9 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>v18 <span class=\"token operator\">&lt;</span> 0x24<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1</span>    <span class=\"token number\">6</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> v18 -<span class=\"token operator\">></span> v2\n<span class=\"token number\">1</span>    <span class=\"token number\">7</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">9</span> ? 
bb.2 <span class=\"token builtin class-name\">:</span> bb.3\n\n<span class=\"token number\">2</span>    <span class=\"token number\">8</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> v2 -<span class=\"token operator\">></span> v10\n\n<span class=\"token number\">2</span>   <span class=\"token number\">14</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  v16 <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.15, 0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">15</span>  OP_BC_ICMP_SLT      <span class=\"token punctuation\">[</span><span class=\"token number\">30</span> /153/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  v17 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>v16 <span class=\"token operator\">&lt;</span> 0x1<span class=\"token punctuation\">)</span>\n<span class=\"token number\">2</span>   <span class=\"token number\">16</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">9</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  v18 <span class=\"token operator\">=</span> v10 + 0x1\n\n<span class=\"token number\">2</span>   <span class=\"token number\">18</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span 
class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br v17 ? bb.7 <span class=\"token builtin class-name\">:</span> bb.1</code></pre></div>\n<p>From this, we can see that the variable <code class=\"language-text\">v2</code> is used as a counter for a loop that runs 36 (<code class=\"language-text\">0x24</code>) times.</p>\n<p>Since <code class=\"language-text\">read</code> is being called, this is probably reading one character at a time from the seeked position of the scan target and repeating that 36 times.</p>\n<p>It is unclear what <code class=\"language-text\">p.15</code> points to, but judging from the implementation of the <code class=\"language-text\">read</code> function, it seems to point to the destination buffer for the data being read. (Perhaps variables prefixed with <code class=\"language-text\">p.</code> indicate that they are treated as pointers?)</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">/**\n\\group_file\n * Reads specified amount of bytes from the current file\n * into a buffer. 
Also moves current position in the file.\n * @param[in] size amount of bytes to read\n * @param[out] data pointer to buffer where data is read into\n * @return amount read.\n */</span>\n<span class=\"token class-name\">int32_t</span> <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span> data<span class=\"token punctuation\">,</span> <span class=\"token class-name\">int32_t</span> size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>After reading 36 characters and storing them somewhere, the BB3 block is invoked.</p>\n<p>Here, it reads one additional character and appears to verify that the character matches <code class=\"language-text\">0x7d</code> (<code class=\"language-text\">}</code>), which is stored in variable ID 119.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">3</span>   <span class=\"token number\">19</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">19</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.3, <span class=\"token number\">117</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">20</span>  OP_BC_ICMP_SGT      <span class=\"token punctuation\">[</span><span class=\"token number\">27</span> /138/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">20</span> <span class=\"token operator\">=</span> <span 
class=\"token punctuation\">(</span><span class=\"token number\">19</span> <span class=\"token operator\">></span> <span class=\"token number\">118</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">21</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /171/  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">3</span> -<span class=\"token operator\">></span> <span class=\"token number\">21</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">22</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /106/  <span class=\"token number\">1</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">22</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">21</span> <span class=\"token operator\">==</span> <span class=\"token number\">119</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">23</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">23</span> <span class=\"token operator\">=</span> <span class=\"token number\">20</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">22</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">24</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> 
<span class=\"token number\">120</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">3</span>   <span class=\"token number\">25</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">23</span> ? bb.4 <span class=\"token builtin class-name\">:</span> bb.7</code></pre></div>\n<p>From the information so far, we can see that the correct Flag has the form <code class=\"language-text\">SECCON{&lt;36-character string>}</code>.</p>\n<p>In the next block, it reads one more character and checks that the read probably fails.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">4</span>   <span class=\"token number\">26</span>  OP_BC_CALL_API      <span class=\"token punctuation\">[</span><span class=\"token number\">33</span> /168/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">24</span> <span class=\"token operator\">=</span> read<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span>p.3, <span class=\"token number\">121</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">27</span>  OP_BC_ICMP_SGT      <span class=\"token punctuation\">[</span><span class=\"token number\">27</span> /138/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">25</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">24</span> <span class=\"token operator\">></span> <span 
class=\"token number\">122</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">28</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">123</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">29</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">124</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">4</span>   <span class=\"token number\">30</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">25</span> ? 
bb.7 <span class=\"token builtin class-name\">:</span> bb.5</code></pre></div>\n<p>In other words, it is likely checking that the scan target ends with <code class=\"language-text\">}</code>.</p>\n<p>In the BB5 block, the variable with ID 26 appears to be used as a counter for another loop.</p>\n<p>The constant 134 used in the loop-termination branch (<code class=\"language-text\">OP_BC_ICMP_ULT 42 = (41 &lt; 134)</code>) is 36 (<code class=\"language-text\">0x24</code>), but the constant ID 133 added to the counter in each loop is 4 (<code class=\"language-text\">0x4</code>), so this loop appears to run 9 times.</p>\n<p>Inside it, the previously examined Func2 is also called.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">5</span>   <span class=\"token number\">31</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">1</span> -<span class=\"token operator\">></span> <span class=\"token number\">26</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">32</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">27</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">125</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">33</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token 
number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">28</span> <span class=\"token operator\">=</span> <span class=\"token number\">27</span> <span class=\"token operator\">>></span> <span class=\"token number\">126</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">34</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">29</span> <span class=\"token operator\">=</span> <span class=\"token number\">28</span> trunc ffffffffffffffff\n<span class=\"token number\">5</span>   <span class=\"token number\">35</span>  OP_BC_GEPZ          <span class=\"token punctuation\">[</span><span class=\"token number\">36</span> /184/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">30</span> <span class=\"token operator\">=</span> gepz p.4 + <span class=\"token punctuation\">(</span><span class=\"token number\">127</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">36</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">31</span> <span class=\"token operator\">=</span> gep1 p.30 + <span class=\"token punctuation\">(</span><span class=\"token number\">29</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">37</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span 
class=\"token number\">32</span> <span class=\"token operator\">&lt;</span>- p.31\n<span class=\"token number\">5</span>   <span class=\"token number\">38</span>  OP_BC_CALL_DIRECT   <span class=\"token punctuation\">[</span><span class=\"token number\">32</span> /163/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">33</span> <span class=\"token operator\">=</span> call F.2 <span class=\"token punctuation\">(</span><span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">39</span>  OP_BC_SHL           <span class=\"token punctuation\">[</span><span class=\"token number\">8</span>  / <span class=\"token number\">44</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">34</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">128</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">40</span>  OP_BC_ASHR          <span class=\"token punctuation\">[</span><span class=\"token number\">10</span> / <span class=\"token number\">54</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">35</span> <span class=\"token operator\">=</span> <span class=\"token number\">34</span> <span class=\"token operator\">>></span> <span class=\"token number\">129</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">41</span>  OP_BC_TRUNC         <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> / <span class=\"token number\">73</span>/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">36</span> <span class=\"token operator\">=</span> <span class=\"token 
number\">35</span> trunc ffffffffffffffff\n<span class=\"token number\">5</span>   <span class=\"token number\">42</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">37</span> <span class=\"token operator\">=</span> <span class=\"token number\">130</span> * <span class=\"token number\">131</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">43</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">38</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">37</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">44</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">39</span> <span class=\"token operator\">=</span> <span class=\"token number\">132</span> * <span class=\"token number\">36</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">45</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">40</span> <span class=\"token operator\">=</span> gep1 p.38 + <span class=\"token punctuation\">(</span><span class=\"token number\">39</span> * <span class=\"token number\">65</span><span 
class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">46</span>  OP_BC_STORE         <span class=\"token punctuation\">[</span><span class=\"token number\">38</span> /193/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  store <span class=\"token number\">33</span> -<span class=\"token operator\">></span> p.40\n<span class=\"token number\">5</span>   <span class=\"token number\">47</span>  OP_BC_ADD           <span class=\"token punctuation\">[</span><span class=\"token number\">1</span>  /  <span class=\"token number\">9</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">41</span> <span class=\"token operator\">=</span> <span class=\"token number\">26</span> + <span class=\"token number\">133</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">48</span>  OP_BC_ICMP_ULT      <span class=\"token punctuation\">[</span><span class=\"token number\">25</span> /129/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">42</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">41</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">134</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">49</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">41</span> -<span class=\"token operator\">></span> <span class=\"token number\">1</span>\n<span class=\"token number\">5</span>   <span class=\"token number\">50</span>  OP_BC_BRANCH        <span class=\"token punctuation\">[</span><span 
class=\"token number\">17</span> / <span class=\"token number\">85</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  br <span class=\"token number\">42</span> ? bb.5 <span class=\"token builtin class-name\">:</span> bb.6</code></pre></div>\n<p>The argument passed when calling Func2 is the variable with ID 32, but it is not at all clear what gets stored there.</p>\n<p>However, <code class=\"language-text\">p.4</code>, referenced by <code class=\"language-text\">OP_BC_GEPZ  30 = gepz p.4 + (127)</code> on an earlier line, appears to be the same one used when obtaining the pointer to where the input characters are stored.</p>\n<p>For that reason, and also considering the structure of the challenge itself, it seems reasonable to assume that the value passed as the argument to Func2 is obtained by taking 4 characters (32 bits) from the input.</p>\n<p>This return value then appears to be stored, on the line <code class=\"language-text\">OP_BC_STORE  store 33 -> p.40</code>, at the pointer address obtained from <code class=\"language-text\">OP_BC_GEP1  38 = gep1 p.7 + (37 * 65)</code>.</p>\n<p>In BB6, the final block, the values extracted from <code class=\"language-text\">p.7</code> are compared in order against the nine integer values confirmed earlier, such as <code class=\"language-text\">0x739e80a2</code>, and it appears to return 1 only if all checks succeed.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token punctuation\">{</span><span class=\"token punctuation\">[</span> <span class=\"token punctuation\">..</span>. 
<span class=\"token punctuation\">(</span>omitted<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">}</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">100</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">92</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">91</span> <span class=\"token operator\">==</span> <span class=\"token number\">170</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">101</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">93</span> <span class=\"token operator\">=</span> <span class=\"token number\">86</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">92</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">102</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">94</span> <span class=\"token operator\">=</span> <span class=\"token number\">171</span> * <span class=\"token number\">172</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">103</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token 
number\">95</span> <span class=\"token operator\">=</span> gep1 p.7 + <span class=\"token punctuation\">(</span><span class=\"token number\">94</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">104</span>  OP_BC_MUL           <span class=\"token punctuation\">[</span><span class=\"token number\">3</span>  / <span class=\"token number\">18</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">96</span> <span class=\"token operator\">=</span> <span class=\"token number\">173</span> * <span class=\"token number\">174</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">105</span>  OP_BC_GEP1          <span class=\"token punctuation\">[</span><span class=\"token number\">35</span> /179/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">97</span> <span class=\"token operator\">=</span> gep1 p.95 + <span class=\"token punctuation\">(</span><span class=\"token number\">96</span> * <span class=\"token number\">65</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">106</span>  OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">98</span> <span class=\"token operator\">&lt;</span>- p.97\n<span class=\"token number\">6</span>  <span class=\"token number\">107</span>  OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">99</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span 
class=\"token number\">98</span> <span class=\"token operator\">==</span> <span class=\"token number\">175</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">108</span>  OP_BC_AND           <span class=\"token punctuation\">[</span><span class=\"token number\">11</span> / <span class=\"token number\">55</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">100</span> <span class=\"token operator\">=</span> <span class=\"token number\">93</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">99</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">109</span>  OP_BC_SEXT          <span class=\"token punctuation\">[</span><span class=\"token number\">15</span> / <span class=\"token number\">79</span>/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">101</span> <span class=\"token operator\">=</span> <span class=\"token number\">100</span> sext <span class=\"token number\">1</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">110</span>  OP_BC_COPY          <span class=\"token punctuation\">[</span><span class=\"token number\">34</span> /174/  <span class=\"token number\">4</span><span class=\"token punctuation\">]</span>  <span class=\"token function\">cp</span> <span class=\"token number\">101</span> -<span class=\"token operator\">></span> <span class=\"token number\">0</span>\n<span class=\"token number\">6</span>  <span class=\"token number\">111</span>  OP_BC_JMP           <span class=\"token punctuation\">[</span><span class=\"token number\">18</span> / <span class=\"token number\">90</span>/  <span class=\"token number\">0</span><span class=\"token punctuation\">]</span>  jmp bb.7</code></pre></div>\n<p>Based on everything confirmed so far, this bytecode signature seems to scan any file containing a 
Flag of the form <code class=\"language-text\">SECCON{&lt;36 characters>}</code>, extract the 36 characters inside the Flag as 32-bit integers four characters at a time, run them through Func2, and compare the results against hardcoded integer values.</p>\n<h3 id=\"creating-a-solver-to-identify-the-flag\" style=\"position:relative;\"><a href=\"#creating-a-solver-to-identify-the-flag\" aria-label=\"creating a solver to identify the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Creating a Solver to Identify the Flag</h3>\n<p>Based on the findings so far, I tried creating a solver in Z3Py to identify an input that makes Func2 output the hardcoded values.</p>\n<p>I wrote the following solver, but even after various customizations I could not identify values that returned SAT. 
(I suspect I was not handling the types correctly, but I could not determine the exact cause.)</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nv0 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"v0\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>  <span class=\"token comment\"># i32 argument</span>\nv1<span class=\"token punctuation\">,</span> v2 <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"v1\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"v2\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># v18 = 0 v19 = 0xacab3c0</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v3 <span class=\"token operator\">=</span> Extract<span class=\"token punctuation\">(</span><span class=\"token number\">31</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token 
punctuation\">,</span>v1<span class=\"token punctuation\">)</span>\n    v4 <span class=\"token operator\">=</span> Extract<span class=\"token punctuation\">(</span><span class=\"token number\">31</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span>v2<span class=\"token punctuation\">)</span>\n\n    v5 <span class=\"token operator\">=</span> v3\n    v6 <span class=\"token operator\">=</span> v4\n    v7 <span class=\"token operator\">=</span> v6 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">0x3</span>  <span class=\"token comment\"># v20 = 0x3</span>\n    v8 <span class=\"token operator\">=</span> v0 <span class=\"token operator\">>></span> v7  <span class=\"token comment\"># Extend v0 to 64 bits to match operations</span>\n    v9 <span class=\"token operator\">=</span> v8 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span>  <span class=\"token comment\"># v21 = 0xFF</span>\n    v10 <span class=\"token operator\">=</span> v9 <span class=\"token operator\">^</span> v5\n    v11 <span class=\"token operator\">=</span> v10 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">0x8</span>  <span class=\"token comment\"># v22 = 0x8</span>\n    v12 <span class=\"token operator\">=</span> v5 <span class=\"token operator\">>></span> <span class=\"token number\">0x18</span>  <span class=\"token comment\"># v23 = 0x18</span>\n    v13 <span class=\"token operator\">=</span> v11 <span class=\"token operator\">|</span> v12\n\n    v14 <span class=\"token operator\">=</span> v6 <span class=\"token operator\">+</span> <span class=\"token number\">1</span>  <span class=\"token comment\"># v24 = 1</span>\n    v2 <span class=\"token operator\">=</span> v14  <span class=\"token comment\"># v16</span>\n    v1 <span class=\"token operator\">=</span> v13  <span class=\"token comment\"># v17</span>\n\nans <span class=\"token 
operator\">=</span> v13\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>v1 <span class=\"token operator\">==</span> <span class=\"token number\">0xacab3c0</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>v2 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>ans <span class=\"token operator\">==</span> <span class=\"token number\">1939767458</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> sat<span class=\"token punctuation\">:</span>\n    m <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">)</span></code></pre></div>\n<p>So instead, I decided to identify the Flag by brute force using the following Func2 function implemented with <code class=\"language-text\">ctypes</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> ctypes\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">func2</span><span class=\"token punctuation\">(</span>v0<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    v1 <span class=\"token 
operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint64<span class=\"token punctuation\">(</span><span class=\"token number\">0xacab3c0</span><span class=\"token punctuation\">)</span>  <span class=\"token comment\"># v19 = 0xacab3c0</span>\n    v2 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint64<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>  <span class=\"token comment\"># v18 = 0</span>\n    \n    v3 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v4 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v5 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v6 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v7 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v8 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v9 <span class=\"token operator\">=</span> ctypes<span class=\"token 
punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v10 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v11 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v12 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    v13 <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    \n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        v3<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span>v1<span class=\"token punctuation\">.</span>value <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFFFFFFFF</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>value\n        v4<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint32<span class=\"token punctuation\">(</span>v2<span 
class=\"token punctuation\">.</span>value <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFFFFFFFF</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>value\n        \n        v5<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v3<span class=\"token punctuation\">.</span>value\n        v6<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v4<span class=\"token punctuation\">.</span>value\n        \n        v7<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v6<span class=\"token punctuation\">.</span>value <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">3</span>  <span class=\"token comment\"># v20 = 0x3</span>\n        v8<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v0 <span class=\"token operator\">>></span> v7<span class=\"token punctuation\">.</span>value\n        v9<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v8<span class=\"token punctuation\">.</span>value <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span>  <span class=\"token comment\"># v21 = 0xFF</span>\n        v10<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v9<span class=\"token punctuation\">.</span>value <span class=\"token operator\">^</span> v5<span class=\"token punctuation\">.</span>value\n        v11<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v10<span class=\"token punctuation\">.</span>value <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">8</span>  <span class=\"token comment\"># v22 = 0x8</span>\n        v12<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v5<span class=\"token punctuation\">.</span>value <span class=\"token 
operator\">>></span> <span class=\"token number\">24</span>  <span class=\"token comment\"># v23 = 0x18</span>\n        v13<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> v11<span class=\"token punctuation\">.</span>value <span class=\"token operator\">|</span> v12<span class=\"token punctuation\">.</span>value\n        \n        v2<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint64<span class=\"token punctuation\">(</span>v6<span class=\"token punctuation\">.</span>value <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>value  <span class=\"token comment\"># v24 = 1</span>\n        v1<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_uint64<span class=\"token punctuation\">(</span>v13<span class=\"token punctuation\">.</span>value<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>value\n    \n    <span class=\"token keyword\">return</span> v13<span class=\"token punctuation\">.</span>value\n\nans <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x739e80a2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x3aae80a3</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x3ba4e79f</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x78bac1f3</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x5ef9c1f3</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x3bb9ec9f</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x558683f4</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">0x55fad594</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x6cbfdd9f</span><span class=\"token punctuation\">]</span>\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"\"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">9</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> a <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> b <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">0x7e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                res <span class=\"token operator\">=</span> func2<span class=\"token punctuation\">(</span>\n                    a <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">24</span> <span class=\"token operator\">|</span> b <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">16</span> <span class=\"token operator\">|</span> c <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">8</span> <span class=\"token operator\">|</span> d\n                <span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">if</span> res <span class=\"token keyword\">in</span> ans<span class=\"token punctuation\">:</span>\n                    flag<span class=\"token punctuation\">[</span>ans<span class=\"token punctuation\">.</span>index<span class=\"token punctuation\">(</span>res<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>d<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token 
string\">\"SECCON{\"</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"}\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>By the time I finished writing it, I was thinking it might have been faster to write it in plain C instead of <code class=\"language-text\">ctypes</code>, but I was still able to identify the correct Flag using this solver.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 597px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dfab62b5b29855ecb98294833e057946/17602/image-20240816215102126.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.08333333333333%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dfab62b5b29855ecb98294833e057946/8ac56/image-20240816215102126.webp 240w,\n/static/dfab62b5b29855ecb98294833e057946/d3be9/image-20240816215102126.webp 
480w,\n/static/dfab62b5b29855ecb98294833e057946/9e35d/image-20240816215102126.webp 597w\"\n              sizes=\"(max-width: 597px) 100vw, 597px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dfab62b5b29855ecb98294833e057946/8ff5a/image-20240816215102126.png 240w,\n/static/dfab62b5b29855ecb98294833e057946/e85cb/image-20240816215102126.png 480w,\n/static/dfab62b5b29855ecb98294833e057946/17602/image-20240816215102126.png 597w\"\n            sizes=\"(max-width: 597px) 100vw, 597px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dfab62b5b29855ecb98294833e057946/17602/image-20240816215102126.png\"\n            alt=\"image-20240816215102126\"\n            title=\"image-20240816215102126\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Using this Flag also lets you get past the ClamAV scan.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 829px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d70784423799446f0da9c91f3cfddc6d/9d76a/image-20240816215138764.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/d70784423799446f0da9c91f3cfddc6d/8ac56/image-20240816215138764.webp 240w,\n/static/d70784423799446f0da9c91f3cfddc6d/d3be9/image-20240816215138764.webp 480w,\n/static/d70784423799446f0da9c91f3cfddc6d/eb5c2/image-20240816215138764.webp 829w\"\n              sizes=\"(max-width: 829px) 100vw, 829px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d70784423799446f0da9c91f3cfddc6d/8ff5a/image-20240816215138764.png 240w,\n/static/d70784423799446f0da9c91f3cfddc6d/e85cb/image-20240816215138764.png 480w,\n/static/d70784423799446f0da9c91f3cfddc6d/9d76a/image-20240816215138764.png 829w\"\n            sizes=\"(max-width: 829px) 100vw, 829px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d70784423799446f0da9c91f3cfddc6d/9d76a/image-20240816215138764.png\"\n            alt=\"image-20240816215138764\"\n            title=\"image-20240816215138764\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I had been meaning to properly dig into ClamAV bytecode signatures someday, but about a year had already gone by, so I am glad I was finally able to work 
through it.</p>","fields":{"slug":"/clamav-signature-basic-en","tagSlugs":["/tag/clam-av-en/","/tag/malware-en/","/tag/english/"]},"frontmatter":{"date":"2024-08-16","description":"A summary of ClamAV signature syntax and analysis methods using the SECCON 2022 Devil Hunter challenge as a theme.","tags":["ClamAV (en)","Malware (en)","English"],"title":"Learning ClamAV Signature Creation and Analysis Through CTF","socialImage":{"publicURL":"/static/db944af72e92649853a357aaef5a7500/clamav-signature-basic.png"}}}},"pageContext":{"slug":"/clamav-signature-basic-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}