From d2167ff9cdced9f7189382ff73c5c6399958f760 Mon Sep 17 00:00:00 2001
From: David Cannings
Date: Mon, 13 Apr 2026 18:07:08 +0100
Subject: [PATCH 1/2] ADd rule for LZMA decompression
---
 .../decompress-data-using-lzma.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 data-manipulation/compression/decompress-data-using-lzma.yml
diff --git a/data-manipulation/compression/decompress-data-using-lzma.yml b/data-manipulation/compression/decompress-data-using-lzma.yml
new file mode 100644
index 000000000..6de2c718d
--- /dev/null
+++ b/data-manipulation/compression/decompress-data-using-lzma.yml
@@ -0,0 +1,41 @@
+rule:
+ meta:
+ name: decompress data using LZMA
+ namespace: data-manipulation/compression
+ authors:
+ - david@edeca.net
+ description: detects the LzmaProps_Decode routine from LZMA decompression
+ scopes:
+ static: function
+ dynamic: unsupported # requires number, characteristic, mnemonic features
+ mbc:
+ - Data::Decompress Data [C0025]
+ references:
+ - https://github.com/welovegit/LZMA-SDK/blob/main/C/LzmaDec.c
+ examples:
+ - 414b979bfc0a903f49a81f30d08aaa2f300f43ce4ae1ea5fffacc2926dc04f75:0x793750
+ features:
+ - and:
+ - instruction:
+ - description: if (d >= (9 * 5 * 5))
+ - mnemonic: cmp
+ - number: 0xE1
+ - instruction:
+ - description: if (dicSize < LZMA_DIC_MIN)
+ - mnemonic: cmp
+ - number: 0x1000 = LZMA_DIC_MIN
+ - or:
+ - and:
+ - instruction:
+ - description: unoptimised divide by 5 or modulo 5
+ - number: 5
+ - instruction:
+ - description: unoptimised divide by 9 or modulo 9
+ - number: 9
+ - and:
+ - instruction:
+ - description: optimized divide by 9
+ - number: 0x38E38E39
+ - instruction:
+ - description: optimized divide by 5
+ - number: 0x66666667
\ No newline at end of file
From bded9bed23d2b744bbec5d890cb707729e7ecad0 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Wed, 3 Jun 2026 10:28:05 +0200
Subject: [PATCH 2/2] Apply suggestion from @mr-tz
---
 data-manipulation/compression/decompress-data-using-lzma.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data-manipulation/compression/decompress-data-using-lzma.yml b/data-manipulation/compression/decompress-data-using-lzma.yml
index 6de2c718d..076efc27f 100644
--- a/data-manipulation/compression/decompress-data-using-lzma.yml
+++ b/data-manipulation/compression/decompress-data-using-lzma.yml
@@ -38,4 +38,4 @@ rule:
 - number: 0x38E38E39
 - instruction:
 - description: optimized divide by 5
- - number: 0x66666667
\ No newline at end of file
+ - number: 0x66666667
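Review bot: The comment on `dynamic: unsupported` names a `characteristic` feature that this rule never uses — everything under `features:` is an `instruction` built from `mnemonic` and `number` — so it should read `dynamic: unsupported # requires number and mnemonic features`. The two `cmp` anchors also pin the match to one encoding of the source comparisons: `d >= 225` and `dicSize < 0x1000` may be emitted by some compilers as a `cmp` against 0xE0 or 0xFFF followed by an unsigned above/below branch, which this rule would then miss; if that shows up in further samples, an `or` over both immediates (`- number: 0xE1` and `- number: 0xE0`) would keep the anchor without loosening the rule much. Consider also pointing `references` at the upstream LZMA SDK source rather than a third-party GitHub mirror, so the link keeps resolving to the maintained code.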