From 4170f3c8d34e922dd20c6bf422d50e94c77bd7e8 Mon Sep 17 00:00:00 2001
From: Takahiro Haruyama <takahiro.haruyama@gmail.com>
Date: Thu, 25 Jul 2024 12:26:53 +0900
Subject: [PATCH] Update HC-128 (variation used in Winnti malware)

---
 .../hc-128/encrypt-data-using-hc-128-via-wolfssl.yml      | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
index 31a17bf3..8211d5e0 100755
--- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
+++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
@@ -23,5 +23,9 @@ rule:
       - number: 0x17 = 23 from line 153, tem0 = rotrFixed((ctx->T[(v)]),23);
       - number: 0xA = 10 from line 154, tem1 = rotrFixed((ctx->X[(c)]),10);
       - number: 0x8 = 8 from line 155, tem2 = rotrFixed((ctx->X[(b)]),8);
-      - number: 0x3FC = Compiler optimized size used in ANDs for the 1024 sized buffer
-      - count(mnemonic(rol)): 48
+      - or:
+        - number: 0x3FC = Compiler optimized size used in ANDs for the 1024 sized buffer
+        - number: 0x3FF = 0x3FF from line 105, ctx->counter1024 = (ctx->counter1024 + 16) & 0x3ff;
+      - or:
+        - count(mnemonic(rol)): 48
+        - count(mnemonic(ror)): 48