42 lines
No EOL
1.2 KiB
Text
42 lines
No EOL
1.2 KiB
Text
private rule BoousetCode : Boouset Family
|
|
{
|
|
meta:
|
|
description = "Boouset code tricks"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-06-19"
|
|
|
|
strings:
|
|
$boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
private rule BoousetStrings : Boouset Family
|
|
{
|
|
meta:
|
|
description = "Boouset Identifying Strings"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-06-19"
|
|
|
|
strings:
|
|
$ = "Q\x00\x00\x00\x00W\x00\x00\x00\x00E\x00\x00\x00\x00R\x00\x00\x00\x00T\x00\x00\x00\x00Y\x00\x00\x00\x00"
|
|
$ = "A\x00\x00\x00\x00S\x00\x00\x00\x00D\x00\x00\x00\x00F\x00\x00\x00\x00G\x00\x00\x00\x00H"
|
|
$ = "Z\x00\x00\x00\x00X\x00\x00\x00\x00C\x00\x00\x00\x00V\x00\x00\x00\x00B\x00\x00\x00\x00N\x00\x00\x00\x00"
|
|
$ = "\\~Z8314.tmp"
|
|
$ = "hulee midimap" wide ascii
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule Boouset : Family
|
|
{
|
|
meta:
|
|
description = "Boouset"
|
|
author = "Seth Hardy"
|
|
last_modified = "2014-06-19"
|
|
|
|
condition:
|
|
BoousetCode or BoousetStrings
|
|
} |