From 113d6e67626ef762cd06dd5de029e94000e6fec3 Mon Sep 17 00:00:00 2001
From: priyank
Date: Sun, 15 Mar 2026 13:14:40 +0530
Subject: [PATCH 1/5] Add rule for zlib fast inflate
---
 ...ecompress-data-using-zlib-fast-inflate.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
diff --git a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
new file mode 100644
index 000000000..c65d646e2
--- /dev/null
+++ b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
@@ -0,0 +1,28 @@
+rule:
+ meta:
+ name: decompress data using ZLIB fast inflate
+ namespace: data-manipulation/compression
+ authors:
+ - priyank766
+ description: detects Chris Anderson's x86 assembly implementation of zlib inflate_fast
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
+ mbc:
+ - Data::Decompress Data [C0025]
+ references:
+ - https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/contrib/masmx86/inffas32.asm
+ - https://github.com/mandiant/capa-rules/issues/494
+ examples:
+ - c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll_:0x3FE40
+ features:
+ - and:
+ - description: Chris Anderson x86 assembly implementation of zlib inflate_fast
+ - string: Fast decoding Code from Chris Anderson
+ - string: invalid literal/length code
+ - string: invalid distance code
+ - string: invalid distance too far back
+ - bytes: 0F A2 81 FB 47 65 6E 75 75 38 81 F9 6E 74 65 6C 75 30 81 FA 69 6E 65 49 75 28 - = cpuid GenuineIntel checks before enabling MMX
+ - bytes: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 0F 00 00 00 1F 00 00 00 3F 00 00 00 - = inflate_fast_mask table prefix
\ No newline at end of file
From 24857cc82bd981e86eb960908c91c9d2ef4157a1 Mon Sep 17 00:00:00 2001
From: priyank
Date: Sun, 15 Mar 2026 13:37:10 +0530
Subject: [PATCH 2/5] Refine zlib fast inflate rule
---
 .../decompress-data-using-zlib-fast-inflate.yml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
index c65d646e2..74cc68ea9 100644
--- a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
+++ b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
@@ -17,12 +17,9 @@ rule:
 - c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll_:0x3FE40
 features:
 - and:
- - description: Chris Anderson x86 assembly implementation of zlib inflate_fast
- - string: Fast decoding Code from Chris Anderson
- - string: invalid literal/length code
- - string: invalid distance code
- - string: invalid distance too far back
- - bytes: 0F A2 81 FB 47 65 6E 75 75 38 81 F9 6E 74 65 6C 75 30 81 FA 69 6E 65 49 75 28
- = cpuid GenuineIntel checks before enabling MMX
- - bytes: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 0F 00 00 00 1F 00 00 00 3F 00 00 00
- = inflate_fast_mask table prefix
\ No newline at end of file
+ - string: "Fast decoding Code from Chris Anderson"
+ - string: "invalid literal/length code"
+ - string: "invalid distance code"
+ - string: "invalid distance too far back"
+ - bytes: 0F A2 81 FB 47 65 6E 75 75 38 81 F9 6E 74 65 6C 75 30 81 FA 69 6E 65 49 75 28 = cpuid GenuineIntel checks before enabling MMX
+ - bytes: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 0F 00 00 00 1F 00 00 00 3F 00 00 00 = inflate_fast_mask table prefix
From ea00ed66e0440a0bf2f5db9e75d0e5b6a516c8e0 Mon Sep 17 00:00:00 2001
From: priyank
Date: Thu, 19 Mar 2026 21:44:21 +0530
Subject: [PATCH 3/5] Remove issue reference from zlib fast inflate rule
Signed-off-by: priyank
---
 .../compression/decompress-data-using-zlib-fast-inflate.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
index 74cc68ea9..ad9ebaaa8 100644
--- a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
+++ b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
@@ -12,7 +12,6 @@ rule:
 - Data::Decompress Data [C0025]
 references:
 - https://github.com/madler/zlib/blob/cacf7f1d4e3d44d871b605da3b647f07d718623f/contrib/masmx86/inffas32.asm
- - https://github.com/mandiant/capa-rules/issues/494
 examples:
 - c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll_:0x3FE40
 features:
From 913b04161cda0d360c2047fdeeb7aa2727e6bebc Mon Sep 17 00:00:00 2001
From: priyank
Date: Fri, 27 Mar 2026 22:50:17 +0530
Subject: [PATCH 4/5] fix(rule): remove unmatched features from zlib fast inflate
---
 .../compression/decompress-data-using-zlib-fast-inflate.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
index ad9ebaaa8..a56001ee0 100644
--- a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
+++ b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
@@ -16,9 +16,7 @@ rule:
 - c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll_:0x3FE40
 features:
 - and:
- - string: "Fast decoding Code from Chris Anderson"
 - string: "invalid literal/length code"
 - string: "invalid distance code"
 - string: "invalid distance too far back"
 - bytes: 0F A2 81 FB 47 65 6E 75 75 38 81 F9 6E 74 65 6C 75 30 81 FA 69 6E 65 49 75 28 = cpuid GenuineIntel checks before enabling MMX
- - bytes: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 0F 00 00 00 1F 00 00 00 3F 00 00 00 = inflate_fast_mask table prefix
From 0be98c0a125a840d6c7514813e6b6f873591418c Mon Sep 17 00:00:00 2001
From: priyank
Date: Tue, 31 Mar 2026 18:25:32 +0530
Subject: [PATCH 5/5] fix(rule): replace bytes with mnemonic for zlib fast inflate
---
 .../compression/decompress-data-using-zlib-fast-inflate.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
index a56001ee0..7df8f5511 100644
--- a/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
+++ b/data-manipulation/compression/decompress-data-using-zlib-fast-inflate.yml
@@ -7,7 +7,7 @@ rule:
 description: detects Chris Anderson's x86 assembly implementation of zlib inflate_fast
 scopes:
 static: function
- dynamic: unsupported # requires bytes features
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Data::Decompress Data [C0025]
 references:
@@ -19,4 +19,4 @@ rule:
 - string: "invalid literal/length code"
 - string: "invalid distance code"
 - string: "invalid distance too far back"
- - bytes: 0F A2 81 FB 47 65 6E 75 75 38 81 F9 6E 74 65 6C 75 30 81 FA 69 6E 65 49 75 28 = cpuid GenuineIntel checks before enabling MMX
+ - mnemonic: cpuid
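Review bot: With the author string removed from the `and:` block, the three surviving `string:` features are zlib's generic error messages, which the portable C inflate_fast (inffast.c) and inflate.c reference as well, so the remaining `bytes:` cpuid/GenuineIntel pattern is now the only feature that ties a match to the MASM implementation the rule's `description:` (outside this hunk, unchanged) claims to detect. That dependency is not stated anywhere in the rule since the earlier refine commit dropped the block-level description. Restore it on the block so the next editor does not weaken the one discriminating feature unknowingly: `- description: generic zlib inflate error strings; the GenuineIntel/MMX cpuid check is what distinguishes the inffas32.asm implementation`.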
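Review bot: The new `- mnemonic: cpuid` line drops the inline rationale the removed `bytes:` line carried (`= cpuid GenuineIntel checks before enabling MMX`) and is a much weaker discriminator than the pattern it replaces: any function that references the three zlib error strings above it and executes cpuid for any reason now satisfies the `and:`. Keep the rationale on the feature, and, if the backend surfaces the compare immediates from the removed pattern as number features (the removed bytes encode `cmp ebx/ecx/edx` against the three dwords of "GenuineIntel"), add them to the `and:` to recover the vendor check without relying on exact instruction encoding; whether they are extracted should be confirmed against the listed example. The `and:` block starts above this hunk.
```yaml
# … unchanged: meta, scopes, the three string features …
      - mnemonic: cpuid = vendor check before enabling the MMX path
      - number: 0x756E6547 = "Genu"
      - number: 0x49656E69 = "ineI"
      - number: 0x6C65746E = "ntel"
```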