Beispiel #1
/**
 * Merge the expert-level signature sets into the base sets, rewrite a number of
 * regex signatures, and hand every set to optSig().
 *
 * Works entirely on the scanner's global signature arrays and returns nothing.
 * Which extended sets are merged depends on the AI_EXPERT constant; the extended
 * arrays are emptied afterwards in every case.
 *
 * NOTE(review): some rewrites below are not strictly equivalent to the rule they
 * replace (lazy quantifiers become possessive, the URL rule gets different
 * character constraints). An edit here can silently turn a detection into a
 * miss, so rewritten rules should be re-checked against a set of known samples.
 */
function OptimizeSignatures()
{
    global $g_DBShe, $g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe;
    global $g_JSVirSig, $gX_JSVirSig;
    global $g_AdwareSig;
    global $g_PhishingSig;
    global $g_ExceptFlex, $g_SusDBPrio, $g_SusDB;

    // Level 2 pulls in both extended sets, level 1 only the first one.
    // Kept as independent tests so the loose comparisons behave as before.
    if (AI_EXPERT == 2) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe);
    }
    if (AI_EXPERT == 1) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe);
    }
    $gX_FlexDBShe = $gXX_FlexDBShe = array();

    if (AI_EXPERT == 2) {
        $g_JSVirSig = array_merge($g_JSVirSig, $gX_JSVirSig);
    }
    $gX_JSVirSig = array();

    // Whole-signature substitutions, applied in this order: array(original, rewritten).
    $exactRewrites = array(
        // Start at the literal "(" and check the preceding identifier
        // character in a lookbehind instead of scanning a lazy class first.
        array(
            '[a-zA-Z0-9_]+?\\(\\s*[a-zA-Z0-9_]+?=\\s*\\)',
            '\\((?<=[a-zA-Z0-9_].)\\s*[a-zA-Z0-9_]++=\\s*\\)',
        ),
        // Start at the ".+" / ".*" literal, capture the preceding character in
        // a lookbehind ((?J) permits the duplicate group name) and require it
        // again through \g{d}.
        array(
            '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e',
            '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e',
        ),
        // The stored rule has unescaped "$", which PCRE reads as an end
        // assertion rather than a dollar sign; the rewrite escapes all three.
        array(
            '$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.',
            '\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.',
        ),
    );

    // Meta-patterns: these match the *text* of a signature, not scanned content.
    $lazyWordClass = '~\\[a-zA-Z0-9_\\]\\+\\K\\?~';
    $leadingDigitRun = '~^\\\\[d]\\+&@~';
    $leadingOptional = '~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~';

    $total = count($g_FlexDBShe);
    for ($idx = 0; $idx < $total; $idx++) {
        foreach ($exactRewrites as $rewrite) {
            if ($g_FlexDBShe[$idx] == $rewrite[0]) {
                $g_FlexDBShe[$idx] = $rewrite[1];
            }
        }

        // URL fragment: the replacement forbids "?" and whitespace before
        // ".php" and no longer asks for a "/" after the host part.
        // NOTE(review): not the same language as the original fragment.
        $g_FlexDBShe[$idx] = str_replace(
            'http://.+?/.+?\\.php\\?a',
            'http://[^?\\s]++(?<=\\.php)\\?a',
            $g_FlexDBShe[$idx]
        );

        // Turn every lazy "[a-zA-Z0-9_]+" into a possessive one.
        // NOTE(review): a possessive run never gives characters back, so a
        // rule whose next token is itself a word character stops matching.
        $g_FlexDBShe[$idx] = preg_replace($lazyWordClass, '+', $g_FlexDBShe[$idx]);

        // A rule that opens with a digit run before "&@" is re-anchored on the
        // literal "&@", with the digit checked in a lookbehind.
        $g_FlexDBShe[$idx] = preg_replace($leadingDigitRun, '&@(?<=\\d..)', $g_FlexDBShe[$idx]);

        // Collapse "optionally quoted anything" down to a bare lazy wildcard;
        // the longer form (with surrounding whitespace) has to go first.
        $g_FlexDBShe[$idx] = str_replace('\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*', '.+?', $g_FlexDBShe[$idx]);
        $g_FlexDBShe[$idx] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $g_FlexDBShe[$idx]);

        // Drop a leading optional element (optional quote, "@*" or optional
        // whitespace). Exactly two passes: two stacked prefixes are removed,
        // a third one would be left in place.
        for ($pass = 0; $pass < 2; $pass++) {
            $g_FlexDBShe[$idx] = preg_replace($leadingOptional, '', $g_FlexDBShe[$idx]);
        }
    }

    // $g_SusDBPrio and $g_ExceptFlex are deliberately not passed to optSig().
    optSig($g_FlexDBShe);
    optSig($g_JSVirSig);
    optSig($g_AdwareSig);
    optSig($g_PhishingSig);
    optSig($g_SusDB);

    // Exception rules are only normalised: unwrap via UnwrapObfu(), trim, and
    // discard whatever ends up empty. (Presumably these rules suppress a
    // detection - confirm against the caller before editing the list.)
    $ruleCount = count($g_ExceptFlex);
    for ($k = 0; $k < $ruleCount; $k++) {
        $g_ExceptFlex[$k] = trim(UnwrapObfu($g_ExceptFlex[$k]));
        if (strlen($g_ExceptFlex[$k]) === 0) {
            unset($g_ExceptFlex[$k]);
        }
    }
    // Close the gaps left by unset() so the list is indexed 0..n-1 again.
    $g_ExceptFlex = array_values($g_ExceptFlex);
}
Beispiel #2
/**
 * Merge the expert-level signature sets into the base sets, rewrite a number of
 * regex signatures, and hand the four signature sets to optSig().
 *
 * Works entirely on the scanner's global signature arrays and returns nothing.
 * Which extended sets are merged depends on the AI_EXPERT constant; the extended
 * arrays are emptied afterwards in every case.
 *
 * NOTE(review): some rewrites below are not strictly equivalent to the rule they
 * replace (lazy quantifiers become possessive, the URL rule gets different
 * character constraints). An edit here can silently turn a detection into a
 * miss, so rewritten rules should be re-checked against a set of known samples.
 */
function OptimizeSignatures()
{
    global $g_DBShe, $g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe;
    global $g_JSVirSig, $gX_JSVirSig;
    global $g_AdwareSig;
    global $g_PhishingSig;

    // Level 2 pulls in both extended sets, level 1 only the first one.
    // Kept as independent tests so the loose comparisons behave as before.
    if (AI_EXPERT == 2) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe);
    }
    if (AI_EXPERT == 1) {
        $g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe);
    }
    $gX_FlexDBShe = $gXX_FlexDBShe = array();

    if (AI_EXPERT == 2) {
        $g_JSVirSig = array_merge($g_JSVirSig, $gX_JSVirSig);
    }
    $gX_JSVirSig = array();

    // Whole-signature substitutions, applied in this order: array(original, rewritten).
    $exactRewrites = array(
        // URL rule: the rewrite forbids "?" and whitespace before ".php" and
        // no longer asks for a "/" after the host part.
        // NOTE(review): not the same language as the original rule.
        array(
            'http://.+?/.+?\\.php\\?a=\\d+&c=[a-zA-Z0-9_]+?&s=',
            'http://[^?\\s]++(?<=\\.php)\\?a=\\d+&c=[a-zA-Z0-9_]+?&s=',
        ),
        // Start at the literal "(" and check the preceding identifier
        // character in a lookbehind instead of scanning a lazy class first.
        array(
            '[a-zA-Z0-9_]+?\\(\\s*[a-zA-Z0-9_]+?=\\s*\\)',
            '\\((?<=[a-zA-Z0-9_].)\\s*[a-zA-Z0-9_]++=\\s*\\)',
        ),
        // Start at the ".+" / ".*" literal, capture the preceding character in
        // a lookbehind ((?J) permits the duplicate group name) and require it
        // again through \g{d}.
        array(
            '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e',
            '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e',
        ),
        // The stored rule has unescaped "$", which PCRE reads as an end
        // assertion rather than a dollar sign; the rewrite escapes all three.
        array(
            '$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.',
            '\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.',
        ),
    );

    // Meta-patterns: these match the *text* of a signature, not scanned content.
    $lazyWordClass = '~\\[a-zA-Z0-9_\\]\\+\\K\\?~';
    $leadingDigitRun = '~^\\\\[d]\\+&@~';
    $leadingOptional = '~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~';

    $total = count($g_FlexDBShe);
    for ($idx = 0; $idx < $total; $idx++) {
        foreach ($exactRewrites as $rewrite) {
            if ($g_FlexDBShe[$idx] == $rewrite[0]) {
                $g_FlexDBShe[$idx] = $rewrite[1];
            }
        }

        // Turn every lazy "[a-zA-Z0-9_]+" into a possessive one. This also
        // hits the "c=" class inside the URL rule rewritten above.
        // NOTE(review): a possessive run never gives characters back, so a
        // rule whose next token is itself a word character stops matching.
        $g_FlexDBShe[$idx] = preg_replace($lazyWordClass, '+', $g_FlexDBShe[$idx]);

        // A rule that opens with a digit run before "&@" is re-anchored on the
        // literal "&@", with the digit checked in a lookbehind.
        $g_FlexDBShe[$idx] = preg_replace($leadingDigitRun, '&@(?<=\\d..)', $g_FlexDBShe[$idx]);

        // Collapse "optionally quoted anything" down to a bare lazy wildcard;
        // the longer form (with surrounding whitespace) has to go first.
        $g_FlexDBShe[$idx] = str_replace('\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*', '.+?', $g_FlexDBShe[$idx]);
        $g_FlexDBShe[$idx] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $g_FlexDBShe[$idx]);

        // Drop a leading optional element (optional quote, "@*" or optional
        // whitespace). Exactly two passes: two stacked prefixes are removed,
        // a third one would be left in place.
        for ($pass = 0; $pass < 2; $pass++) {
            $g_FlexDBShe[$idx] = preg_replace($leadingOptional, '', $g_FlexDBShe[$idx]);
        }
    }

    optSig($g_FlexDBShe);
    optSig($g_JSVirSig);
    optSig($g_AdwareSig);
    optSig($g_PhishingSig);
}