Last active
July 19, 2017 20:40
-
-
Save Traderain/d6d780f294271427408774b4adea8271 to your computer and use it in GitHub Desktop.
Yara ruleset for "The Witcher 3: The Wild Hunt"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara ruleset for "The Witcher 3: The Wild Hunt" | |
| */ | |
| rule CR2W | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of CR2W files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 43 52 32 57 } | |
| condition: | |
| $IDString | |
| } | |
| rule Bundle | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of Bundle files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 50 4F 54 41 54 4F 37 30 } | |
| condition: | |
| $IDString | |
| } | |
| rule Metadata | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of metadata.store files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 03 56 54 4D } | |
| condition: | |
| $IDString | |
| } | |
| rule TextureCache | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of TextureCache files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 48 43 58 54 } | |
| condition: | |
| $IDString | |
| } | |
| rule ShaderCache | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of ShaderCache files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 52 44 48 53 } | |
| condition: | |
| $IDString | |
| } | |
| rule CollisionCache | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of CollisionCache files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 43 43 33 57 } | |
| condition: | |
| $IDString | |
| } | |
| rule DepCache | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Finds the magic of DepCache files." | |
| version = "0.1" | |
| strings: | |
| $IDString = { 53 50 45 44 } | |
| condition: | |
| $IDString | |
| } | |
| rule FNV1A64_Hash | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Detects the prime and initial of the FNV1A64 hash algorythm." | |
| version = "0.1" | |
| strings: | |
| $Initial = { cb f2 9c e4 84 22 23 25 } | |
| $Prime = { 01 00 00 00 01 b3 } | |
| condition: | |
| any of them | |
| } | |
| rule Bitlength_Change | |
| { | |
| meta: | |
| author = "Traderain" | |
| description = "Detects the conditions when the game tries to decide whether to use x32 or x64 file writing." | |
| version = "0.1" | |
| strings: | |
| $num = { FF FF FF FF FF FF FF FF } | |
| condition: | |
| $num | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment