Rule rebuild on plyara.utils.rebuild_yara_rule using external variable as a part of loop condition - bug

[rakovskij-stanislav]

Here is the case.

File test.txt:

test test test test test

rule:

rule sanity_check_external_variables {
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
    strings:
        $a = "test"
    condition:
        for count_of_test i in (1..#a) : ( @a[i] < 100 )
}

Sanity check using yara engine:

/testing_rules> yara d6.yar -d count_of_test=1 test.txt
sanity_check_external_variables test.txt
/testing_rules> yara d6.yar -d count_of_test=3 test.txt
sanity_check_external_variables test.txt
/testing_rules> yara d6.yar -d count_of_test=5 test.txt
sanity_check_external_variables test.txt
/testing_rules> yara d6.yar -d count_of_test=6 test.txt

Test case using plyara 2.1.1:

m = """rule sanity_check_external_variables {
    meta:
        author = "Rakovskij Stanislav / disasm.me"
        date = "22.08.2020"
    strings:
        $a = "test"
    condition:
        for count_of_test i in (1..#a) : ( @a[i] < 100 )
}
"""

parser = plyara.Plyara()
parser.parse_string(m)

y = plyara.utils.rebuild_yara_rule(parser.rules[0])
print(y)

Output:

rule sanity_check_external_variables
{
	meta:
		author = "Rakovskij Stanislav / disasm.me"
		date = "22.08.2020"

	strings:
		$a = "test"

	condition:
		for count_of_testi in (1..#a) : (@a[i]<100)
}

Expected condition: for count_of_test i in (1..#a) : (@a[i]<100)

I think the error is here - https://github.com/plyara/plyara/blob/master/plyara/utils.py#L470

To solve this problem you should check is this condition a part of for ... ... in block or not.

[utkonos]

@rakovskij-stanislav Thanks for the report. I'll get this fixed.