=============
Hex string #1
=============

rule my_rule {
    strings:
        $str = { A4 (F1 [1-] DE | (((FE) 45) | (4E [1-10] 45)) AA) EE }
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (hex_str
                        (hex_str_sequence
                            (hex_str_parentheses
                                (hex_str_alt
                                    lop: (hex_str_sequence
                                        (hex_str_jump
                                            lower: (hex_str_jump_number)
                                        )
                                    )
                                    rop: (hex_str_sequence
                                        (hex_str_parentheses
                                            (hex_str_alt
                                                lop: (hex_str_sequence
                                                    (hex_str_parentheses
                                                        (hex_str_sequence
                                                            (hex_str_parentheses
                                                                (hex_str_sequence)
                                                            )
                                                        )
                                                    )
                                                )
                                                rop: (hex_str_sequence
                                                    (hex_str_parentheses
                                                        (hex_str_sequence
                                                            (hex_str_jump
                                                                lower: (hex_str_jump_number)
                                                                upper: (hex_str_jump_number)
                                                            )
                                                        )
                                                    )
                                                )
                                            )
                                        )
                                    )
                                )
                            )
                        )
                    )
                )
            )
            
            condition: (bool_literal)
        )
    )
)


=============
Hex string #2
=============

rule my_rule {
    strings:
        $str = { 0? ?? (AAAA | 99 [1-3] BB (CC | DD)) 88 } private
        $str1 = { 88 }
    condition:
        $str
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (hex_str
                        (hex_str_sequence
                            (hex_str_parentheses
                                (hex_str_alt
                                    lop: (hex_str_sequence)
                                    rop: (hex_str_sequence
                                        (hex_str_jump
                                            lower: (hex_str_jump_number)
                                            upper: (hex_str_jump_number)
                                        )
                                        (hex_str_parentheses
                                            (hex_str_alt
                                                lop: (hex_str_sequence)
                                                rop: (hex_str_sequence)
                                            )
                                        )
                                    )
                                )
                            )
                        )
                    )
                    mods: (str_mod_list
                        (str_mod)
                    )
                )
                (string
                    id: (string_identifier)
                    value: (hex_str
                        (hex_str_sequence)
                    )
                )
            )
            
            condition: (string_identifier)
        )
    )
)


========
Regex #1
========

rule my_rule {
    strings:
        $regexp = /[ab]|(de{3,}f((\r\n)|\n))/is
    condition:
        true
}

---

(yara_file
    (rule
        head: (rule_head
            id: (identifier)
        )
        body: (rule_body
            strings: (strings_list
                (string
                    id: (string_identifier)
                    value: (regexp
                        body: (regexp_body
                            (regexp_alt
                                (regexp_class
                                    (regexp_class_char)
                                    (regexp_class_char)
                                )
                                (regexp_group
                                    (regexp_cat
                                        (regexp_cat
                                            (regexp_cat
                                                (regexp_char)
                                                (regexp_rep
                                                    base: (regexp_char)
                                                    quant: (regexp_rep_quantifier
                                                        lower: (regexp_rep_quantifier_number
                                                            (dec_uint_literal_value_imm)
                                                        )
                                                    )
                                                )
                                            )
                                            (regexp_char)
                                        )
                                        (regexp_group
                                            (regexp_alt
                                                (regexp_group
                                                    (regexp_cat
                                                        (regexp_esc_seq)
                                                        (regexp_esc_seq)
                                                    )
                                                )
                                                (regexp_esc_seq)
                                            )
                                        )
                                    )
                                )
                            )
                        )
                        flags: (regexp_flags)
                    )
                )
            )
            condition: (bool_literal)
        )
    )
)


========
Regex #2
========

rule my_rule {
    strings:
        $regexp = /a*b{6}[^a-z]|cb??-[-]/ nocase
    condition:
        true
}

---

(yara_file
    (rule
        (rule_head
            (identifier)
        )
        (rule_body
            (strings_list
                (string
                    (string_identifier)
                    (regexp
                        (regexp_body
                            (regexp_alt
                                (regexp_cat
                                    (regexp_cat
                                        (regexp_rep
                                            (regexp_char)
                                            (regexp_rep_quantifier)
                                        )
                                        (regexp_rep
                                            (regexp_char)
                                            (regexp_rep_quantifier
                                                (regexp_rep_quantifier_number
                                                    (dec_uint_literal_value_imm)
                                                )
                                            )
                                        )
                                    )
                                    (regexp_class
                                        (regexp_class_neg)
                                        (regexp_class_range
                                            (regexp_class_char)
                                            (hyphen)
                                            (regexp_class_char)
                                        )
                                    )
                                )
                                (regexp_cat
                                    (regexp_cat
                                        (regexp_cat
                                            (regexp_char)
                                            (regexp_rep
                                                (regexp_char)
                                                (regexp_rep_quantifier
                                                    (regexp_rep_quantifier_greedy)
                                                )
                                            )
                                        )
                                        (regexp_char)
                                    )
                                    (regexp_class
                                        (hyphen)
                                    )
                                )
                            )
                        )
                    )
                    (str_mod_list
                        (str_mod)
                    )
                )
            )
            (bool_literal)
        )
    )
)


