Make it fast !

**anduril462** · 01-05-2011

You're talking about a different method than the one I proposed. I don't know where you got it from, but yes, it does suffer a gross performance degradation when there are initial wildcards in a signature.

The method I'm describing doesn't check against initial wildcards to determine whether to do a full signature check. It only checks against the first non-wildcard character of a signature, not just the first character regardless. My method never uses a wildcard character to determine if we should examine the whole signature. This gives fewer or no false positives, while also maintaining the speed advantage of not checking every signature in it's entirety.

If we have the signature {-1, 'f', 'o', 'o'}, my method requires that we also specify the first non-wildcard character, which exists at offset 1 in the signature. The very rough pseudo code looks like this:

Code:

signature = {-1, 'f', 'o', 'o'};
first_non_wild_card = 1; // this can and should be precomputed
for (i = 0; i < data_length - signature_length; i++)
    // match data[1] to signature[1], an 'f', not a wildcard
    if (data[i + first_non_wild_card] == signature[first_non_wild_card])
        check_full_signature(&data[i], signature)

Notice that this code allows for initial wild cards by ensuring that the first character matched ('f') is not at offset 0 in the data, but is at least at offset 1. It only calls check_full_signature if it matched a specific, non-wildcard character.

Furthermore, my original proposal, in post #12 doesn't even use explicit wildcard items in the signature. Thus, it would be impossible for that method to use a wildcard match to determine whether to do a full signature check. It simply checks that the mandatory bytes exist with the right gaps between them. It would only check the full signature if it had good cause, being a matching byte in an appropriate place. Heck, that method will be noticeably faster than yours if there are large chunks of wildcards in a signature, because I don't check wildcard bytes individually, I just skip over them.

I am done arguing this point. I am content that my method runs with the same or better time complexity as yours while providing more accurate matching.

**Adak** · 01-05-2011

CT is thinking of his own algorithm for it, and hasn't grokked the difference to your way, just yet.

I'm looking for my Grandma's excess ear wax removal remedy, for him, atm.

**quzah** · 01-05-2011

I'll abuse C99 a bit here:

Code:

int DLL_EXPORT scansig( BYTE *file, int fileLen, short sig[], int sigLen )
{
    struct jump
    {
        size_t offset;
        short key;
    } check[ sigLen ];

    size_t x, keysize;

    FILE *endoffile = file + whateverittakestobetheend;
    FILE *here = file;
    
    for( x = keysize = 0; x < sigLen; x++ )
    {
        if( sig[ x ] > -1 )
        {
            check[ keysize ].offset = x;
            check[ keysize ].key = sig[ x ];
            keysize++;
        }
    }

    while( here < endoffile )
    {
        for( x = 0; x < keysize; x++ )
        {
            if( here[ check[ x ].offset ] != check[ x ].key )
                break;
                
        }
        if( x == keysize )
            return here - file;

        here +=  fileLen; /* assuming this is the actual record length, if not, add sigLen */
    }

    return -1;
}

There you go. That looks about right.

Quzah.

Thread: Make it fast !

Thread Tools

Search Thread

Display

Similar Threads

HELP!wanting to make full screen game windowed

I want to make a fast scroll

make all rule

Question about atheists

How can I make a button not visible but make it so I can still click on it?