function OptimizeSignatures() { global $g_DBShe, $g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe; global $g_JSVirSig, $gX_JSVirSig; global $g_AdwareSig; global $g_PhishingSig; global $g_ExceptFlex, $g_SusDBPrio, $g_SusDB; AI_EXPERT == 2 && ($g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe)); AI_EXPERT == 1 && ($g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe)); $gX_FlexDBShe = $gXX_FlexDBShe = array(); AI_EXPERT == 2 && ($g_JSVirSig = array_merge($g_JSVirSig, $gX_JSVirSig)); $gX_JSVirSig = array(); $count = count($g_FlexDBShe); for ($i = 0; $i < $count; $i++) { if ($g_FlexDBShe[$i] == '[a-zA-Z0-9_]+?\\(\\s*[a-zA-Z0-9_]+?=\\s*\\)') { $g_FlexDBShe[$i] = '\\((?<=[a-zA-Z0-9_].)\\s*[a-zA-Z0-9_]++=\\s*\\)'; } if ($g_FlexDBShe[$i] == '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e') { $g_FlexDBShe[$i] = '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e'; } if ($g_FlexDBShe[$i] == '$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.') { $g_FlexDBShe[$i] = '\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.'; } $g_FlexDBShe[$i] = str_replace('http://.+?/.+?\\.php\\?a', 'http://[^?\\s]++(?<=\\.php)\\?a', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~\\[a-zA-Z0-9_\\]\\+\\K\\?~', '+', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\\\[d]\\+&@~', '&@(?<=\\d..)', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = str_replace('\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*', '.+?', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]); } optSig($g_FlexDBShe); optSig($g_JSVirSig); optSig($g_AdwareSig); optSig($g_PhishingSig); optSig($g_SusDB); //optSig($g_SusDBPrio); //optSig($g_ExceptFlex); // convert exception rules $cnt = count($g_ExceptFlex); for ($i = 0; $i < $cnt; $i++) { $g_ExceptFlex[$i] = trim(UnwrapObfu($g_ExceptFlex[$i])); if (!strlen($g_ExceptFlex[$i])) { unset($g_ExceptFlex[$i]); } } $g_ExceptFlex = array_values($g_ExceptFlex); }
function OptimizeSignatures() { global $g_DBShe, $g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe; global $g_JSVirSig, $gX_JSVirSig; global $g_AdwareSig; global $g_PhishingSig; AI_EXPERT == 2 && ($g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe, $gXX_FlexDBShe)); AI_EXPERT == 1 && ($g_FlexDBShe = array_merge($g_FlexDBShe, $gX_FlexDBShe)); $gX_FlexDBShe = $gXX_FlexDBShe = array(); AI_EXPERT == 2 && ($g_JSVirSig = array_merge($g_JSVirSig, $gX_JSVirSig)); $gX_JSVirSig = array(); $count = count($g_FlexDBShe); for ($i = 0; $i < $count; $i++) { if ($g_FlexDBShe[$i] == 'http://.+?/.+?\\.php\\?a=\\d+&c=[a-zA-Z0-9_]+?&s=') { $g_FlexDBShe[$i] = 'http://[^?\\s]++(?<=\\.php)\\?a=\\d+&c=[a-zA-Z0-9_]+?&s='; } if ($g_FlexDBShe[$i] == '[a-zA-Z0-9_]+?\\(\\s*[a-zA-Z0-9_]+?=\\s*\\)') { $g_FlexDBShe[$i] = '\\((?<=[a-zA-Z0-9_].)\\s*[a-zA-Z0-9_]++=\\s*\\)'; } if ($g_FlexDBShe[$i] == '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e') { $g_FlexDBShe[$i] = '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e'; } if ($g_FlexDBShe[$i] == '$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.') { $g_FlexDBShe[$i] = '\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.\\$[a-zA-Z0-9_]\\{\\d+\\}\\s*\\.'; } $g_FlexDBShe[$i] = preg_replace('~\\[a-zA-Z0-9_\\]\\+\\K\\?~', '+', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\\\[d]\\+&@~', '&@(?<=\\d..)', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = str_replace('\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*', '.+?', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]); $g_FlexDBShe[$i] = preg_replace('~^\\[\'"\\]\\{0,1\\}\\.?|^@\\*|^\\\\s\\*~', '', $g_FlexDBShe[$i]); } optSig($g_FlexDBShe); optSig($g_JSVirSig); optSig($g_AdwareSig); optSig($g_PhishingSig); }