@@ -86,7 +86,7 @@ struct cli_ac_lsig {

     uint8_t type;

     union {

         char *logic;

-        void *other;

+        uint8_t *code_start;

     } u;

     const char *virname;

     struct cli_lsig_tdb tdb;

@@ -3402,30 +3402,31 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

     /*** conditional verification step (ex. do we define too many strings versus used?)  ***/

     /*** additional string table population (ex. offsets), second translation table pass ***/

-    lsize = 3*ytable.tbl_cnt;

-    logic = cli_calloc(lsize, sizeof(char));

-    if (!logic) {

-        cli_errmsg("load_oneyara: cannot allocate memory for logic statement\n");

-        ytable_delete(&ytable);

-        return CL_EMEM;

-    }

-

-    if (rule->g_flags & RULE_ALL && rule->g_flags & RULE_THEM)

-        exp_op = "&";

-    else {

-        exp_op = "|";

-        if ((!(rule->g_flags & RULE_ANY && rule->g_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&

-            !(rule->g_flags & RULE_EP && ytable.tbl_cnt == 1))

-            yara_complex++;

+    if (rule->g_flags & RULE_ALL ||  rule->g_flags & RULE_ANY) {

+        lsize = 3*ytable.tbl_cnt;

+        logic = cli_calloc(lsize, sizeof(char));

+        if (!logic) {

+            cli_errmsg("load_oneyara: cannot allocate memory for logic statement\n");

+            ytable_delete(&ytable);

+            return CL_EMEM;

+        }

+        

+        if (rule->g_flags & RULE_ALL && rule->g_flags & RULE_THEM)

+            exp_op = "&";

+        else {

+            exp_op = "|";

+            if ((!(rule->g_flags & RULE_ANY && rule->g_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&

+                !(rule->g_flags & RULE_EP && ytable.tbl_cnt == 1))

+                yara_complex++;

+        }

+        

+        for (i=0; i<ytable.tbl_cnt; i++) {

+            size_t len=strlen(logic);

+            snprintf(logic+len, lsize-len, "%u%s", i, (i+1 == ytable.tbl_cnt) ? "" : exp_op);

+        }    

+        

+        /*** END CONDITIONAL HANDLING ***/

     }

-

-    for (i=0; i<ytable.tbl_cnt; i++) {

-        size_t len=strlen(logic);

-        snprintf(logic+len, lsize-len, "%u%s", i, (i+1 == ytable.tbl_cnt) ? "" : exp_op);

-    }    

-

-    /*** END CONDITIONAL HANDLING ***/

-

     /* TDB */

     if (rule->g_flags & RULE_EP && ytable.tbl_cnt == 1)

         target_str = cli_strdup(YARATARGET1);

@@ -3461,23 +3462,26 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

         lsig->type = CLI_NORMAL_LSIG;

         lsig->u.logic = cli_mpool_strdup(engine->mempool, logic);

+        free(logic);

         if(!lsig->u.logic) {

             cli_errmsg("load_oneyara: Can't allocate memory for lsig->logic\n");

             FREE_TDB(tdb);

             ytable_delete(&ytable);

-            free(logic);

             mpool_free(engine->mempool, lsig);

             return CL_EMEM;

         }

     } else {

-        cli_errmsg("load_oneyara: Unsupported logic type\n");

-        FREE_TDB(tdb);

-        ytable_delete(&ytable);

-        free(logic);

-        mpool_free(engine->mempool, lsig);

-        return CL_EMEM;

+        if (NULL != (lsig->u.code_start = rule->code_start)) {

+        lsig->type = CLI_NORMAL_YARA;

+        } else {

+            cli_errmsg("load_oneyara: code start is NULL\n");

+            FREE_TDB(tdb);

+            ytable_delete(&ytable);

+            mpool_free(engine->mempool, lsig);

+            return CL_EMEM;

+        }

     }

-    free(logic);

+

     lsigid[0] = lsig->id = root->ac_lsigs;

@@ -4325,6 +4329,8 @@ int cl_engine_free(struct cl_engine *engine)

 		    for(j = 0; j < root->ac_lsigs; j++) {

 			if (root->ac_lsigtable[j]->type == CLI_NORMAL_LSIG)

 			    mpool_free(engine->mempool, root->ac_lsigtable[j]->u.logic);

+			else if (root->ac_lsigtable[j]->type == CLI_NORMAL_YARA)

+			    free(root->ac_lsigtable[j]->u.code_start);

 			FREE_TDB(root->ac_lsigtable[j]->tdb);

 			mpool_free(engine->mempool, root->ac_lsigtable[j]);

 		    }

@@ -295,7 +295,7 @@ void yr_arena_destroy(

   yr_free(arena);

 }

-#if REAL_YARA

+

 //

 // yr_arena_base_address

 //

@@ -333,7 +333,6 @@ void* yr_arena_base_address(

 // Returns:

 //    A pointer

 //

-#endif

 void* yr_arena_next_address(

   YR_ARENA* arena,

@@ -384,7 +383,7 @@ void* yr_arena_next_address(

   return NULL;

 }

-#if REAL_YARA

+

 //

 // yr_arena_coalesce

 //

@@ -488,7 +487,6 @@ int yr_arena_coalesce(

   return ERROR_SUCCESS;

 }

-#endif

 //

 // yr_arena_reserve_memory

@@ -539,6 +539,7 @@ struct _yc_rule {

     STAILQ_HEAD(sq, _yc_string) strings;

     char * identifier;

     uint32_t g_flags;

+    uint8_t * code_start;

 };

 typedef struct _yc_rule yc_rule;

 typedef struct _yc_string {

@@ -702,6 +702,7 @@ int yr_parser_reduce_rule_declaration(

   YR_RULE* rule;

   YR_STRING* string;

+  int8_t halt = OP_HALT;

   if (yr_hash_table_lookup(

         compiler->rules_table,

@@ -799,6 +800,19 @@ int yr_parser_reduce_rule_declaration(

   compiler->current_rule_strings = NULL;

 #else

   compiler->current_rule_flags = 0;

+  // Write halt instruction at the end of code.

+  yr_arena_write_data(

+      compiler->code_arena,

+      &halt,

+      sizeof(int8_t),

+      NULL);

+  //TBD: seems like we will need the following yr_arena_coalesce, but it is not working.

+  //Yara condition code will work OK as long as it is less than 64K.

+  //FAIL_ON_COMPILER_ERROR(yr_arena_coalesce(compiler->code_arena));

+  rule->code_start = yr_arena_base_address(compiler->code_arena);

+  compiler->code_arena->page_list_head->address = NULL;

+  yr_arena_destroy(compiler->code_arena);

+  FAIL_ON_COMPILER_ERROR(yr_arena_create(65536, 0, &compiler->code_arena));

   STAILQ_INSERT_TAIL(&compiler->rule_q, rule, link); 

 #endif

   return compiler->last_result;