VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Scan gets stuck with a certain rule #2008

Closed djlukic closed 5 months ago

djlukic commented 7 months ago

Hi,

I wrote a rule to match a certain condition within the PKZIP format, but if I try to scan 1000 random files with that rule, the scan never finishes.

I tried this command line: .\yara64.exe .\ruleset.yara "C:\Program Files" -r

rule ZIP_test {
    strings:
        $header = { 50 4B 03 04 }   // PKZIP local file header signature

    condition:
        $header at 0 and filesize < 5MB and
        // occurrence indexes for @header[i] start at 1, not 0
        for any i in (1 .. #header) : (
            // local header: name length is the 2-byte field at +26, name starts at +30;
            // entry i's name must end with a space
            uint8(@header[i] + 30 + uint16(@header[i] + 26) - 1) == 0x20 and
            for any j in (1 .. #header) : (
                // entry j's name continues with '/' right where i's name ends
                uint8(@header[j] + 30 + uint16(@header[i] + 26)) == 0x2F and
                // and the two names share every byte before that
                for all k in (0 .. uint16(@header[i] + 26) - 1) : (
                    uint8(@header[j] + 30 + k) == uint8(@header[i] + 30 + k)
                )
            )
        )
}

If I try to scan a matching ZIP archive or several of them, there is no problem, they get detected.

Yara version is 4.3.1

Thanks!

plusvic commented 7 months ago

Bear in mind that this rule can be extremely slow for files containing multiple occurrences of { 50 4B 03 04 }. My guess is that some of the random files have multiple occurrences of that string and it apparently takes forever to complete. It would be great if you could try to identify which of those 1000 files is actually taking too long.
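One way to act on that suggestion, as an added helper that is not from the issue or from the YARA project: rank files by how many local-header signatures they contain, which is the factor named above, with a cost estimate that mirrors the rule's nesting (every occurrence i paired with every occurrence j, then one step per byte of i's file name). The sample inputs are constructed in memory.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"   # the rule's $header pattern


def header_offsets(data: bytes) -> list:
    """Every offset of the PKZIP local-header signature (YARA's @header[1..#header])."""
    offsets, pos = [], data.find(LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LOCAL_HEADER, pos + 1)
    return offsets


def name_length(data: bytes, offset: int) -> int:
    """The 2-byte file-name-length field at +26 of a local file header (0 if truncated)."""
    if offset + 28 > len(data):
        return 0
    return struct.unpack_from("<H", data, offset + 26)[0]


def rule_cost(data: bytes) -> int:
    """Worst-case inner comparisons the rule can perform on this buffer:
    for each i every j is tried, and each trial walks i's name byte by byte."""
    offsets = header_offsets(data)
    return len(offsets) * sum(name_length(data, off) for off in offsets)


def rank_files(files: dict) -> list:
    """Sort {name: bytes} by estimated cost, most expensive first."""
    return sorted(files, key=lambda n: rule_cost(files[n]), reverse=True)


def make_zip(names) -> bytes:
    """Constructed sample: a small archive written with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()


# constructed samples: a normal archive, a plain file, and a non-ZIP file that
# merely contains many copies of the signature (the case described above)
SAMPLES = {
    "small.zip": make_zip(["docs ", "docs /readme.txt"]),
    "notes.txt": b"nothing to see here",
    "noisy.bin": LOCAL_HEADER * 2000,
}

if __name__ == "__main__":
    for name in rank_files(SAMPLES):
        print(f"{rule_cost(SAMPLES[name]):>12}  {len(header_offsets(SAMPLES[name])):>5}  {name}")
```

Point `SAMPLES` at the real files (read as bytes) to find the handful of inputs that dominate a scan of the full directory.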