More fixes and improvements to pattern matching (#64)

* Support pattern negated byte

* Optimize pattern sub-matches

* Fix one-off pattern mismatch

* Fix test

* Fix test

* Revert "Optimize pattern sub-matches"

This reverts commit 6f4badc.

* Simplify data_end calculation

---------

Co-authored-by: Stephen Eckels <[email protected]>
Co-authored-by: Stephen Eckels <[email protected]>

objfile/patterns.go

@@ -207,6 +207,24 @@ func RegexpPatternFromYaraPattern(pattern string) (*RegexAndNeedle, error) {
 			continue
 		}
 
+		// input: ~AB
+		// output: [^\xAB]
+		if c == "~" {
+			if len(pattern) < i+3 {
+				return nil, errors.New("incomplete negated byte")
+			}
+			e := pattern[i+2 : i+3]
+
+			regex_pattern += "[^"
+			regex_pattern += `\x` + strings.ToUpper(d+e)
+			regex_pattern += "]"
+
+			i += 3
+			resetNeedle()
+			sequenceLen = 1
+			continue
+		}
+
 		return nil, errors.New("unexpected value")
 	}
 
@@ -229,15 +247,15 @@ func FindRegex(data []byte, regexInfo *RegexAndNeedle) []int {
 	for _, needleMatch := range needleMatches {
 		// adjust the window to the pattern start and end
 		data_start := needleMatch - regexInfo.needleOffset
-		data_end := needleMatch + regexInfo.len - regexInfo.needleOffset
+		data_end := data_start + regexInfo.len
 		if data_start >= data_len {
 			continue
-		} else if data_start <= 0 {
+		}
+		if data_start < 0 {
 			data_start = 0
 		}
-
-		if data_end >= data_len {
-			data_end = data_len - 1
+		if data_end > data_len {
+			data_end = data_len
 		}
 
 		// do the full regex scan on a very small chunk

objfile/patterns_test.go

@@ -146,7 +146,7 @@ func TestRegexpPatternFromYaraPattern(t *testing.T) {
 		}
 
 		// manually translated
-		if reg.rawre != `\x8D.....\xEB..{0,50}\x8B..\x01\x00\x00\x8B...\x85.\x75.` {
+		if reg.rawre != `\x8D.....\xEB..{0,50}?\x8B..\x01\x00\x00\x8B...\x85.\x75.` {
 			t.Errorf("incorrect pattern")
 		}