YARA - FOLLOWING FALLCHILL'S E8 CALL

2022-07-31 Xorhex

https://blog.xorhex.com/blog/yarafollowingfallchills_e8_call/


Xorhex uses an x86 FALLCHILL sample to demonstrate a YARA technique for resolving a near relative 0xE8 call target during malware hunting. The article explains that the called function address is calculated by adding the signed displacement in the call instruction to the address of the following instruction, then shows how YARA’s int32(), match offset, and match length operators can reproduce that calculation. The finished rule looks for the FALLCHILL call-site byte pattern and checks for an additional compare instruction near the resolved function, giving analysts a way to express control-flow-aware detection logic rather than relying only on static byte strings.
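The offset arithmetic the post describes (next-instruction address plus the signed 32-bit displacement) is easy to get wrong by one, so the following Python mirrors the YARA logic against a constructed byte buffer. This is an added example, not code from Xorhex's post or the FALLCHILL rule: the call-site pattern (push 0 followed by an E8 call), the CMP EAX, imm8 encoding (83 F8 ib), the 16-byte search window and the sample bytes are all assumptions chosen for illustration, not FALLCHILL's real bytes. It generalizes the post's single case by handling both forward and backward displacements and by rejecting targets that fall outside the file.

```python
import re
import struct

# Constructed sample layout (not FALLCHILL): one function at file offset 0x40
# whose prologue is followed by CMP EAX, 5, reached from two E8 call sites,
# one before it (positive displacement) and one after it (negative displacement).
FUNC_OFFSET = 0x40

# Assumed call-site pattern: 6A 00 (push 0) then E8 plus a 4-byte displacement.
# In YARA this would be the hex string { 6A 00 E8 ?? ?? ?? ?? }.
CALL_SITE = re.compile(rb"\x6a\x00\xe8.{4}", re.DOTALL)

# Assumed "compare near the callee" check: CMP EAX, imm8 encodes as 83 F8 ib.
CMP_EAX_IMM8 = b"\x83\xf8"


def _rel32(call_offset: int, target: int) -> bytes:
    """Encode the displacement of a 5-byte E8 call at call_offset that lands on target."""
    return struct.pack("<i", target - (call_offset + 5))


def build_sample() -> bytes:
    """Build the constructed buffer; padding is NOP (0x90)."""
    buf = bytearray(b"\x90" * 0x80)
    # Call site 1 at 0x10: push 0 ; call FUNC (call opcode at 0x12, next instruction at 0x17)
    buf[0x10:0x12] = b"\x6a\x00"
    buf[0x12] = 0xE8
    buf[0x13:0x17] = _rel32(0x12, FUNC_OFFSET)
    # Callee at 0x40: push ebp ; mov ebp, esp ; cmp eax, 5
    buf[0x40:0x46] = b"\x55\x8b\xec" + CMP_EAX_IMM8 + b"\x05"
    # Call site 2 at 0x60: same pattern, displacement is negative because FUNC is behind it
    buf[0x60:0x62] = b"\x6a\x00"
    buf[0x62] = 0xE8
    buf[0x63:0x67] = _rel32(0x62, FUNC_OFFSET)
    return bytes(buf)


def resolve_call_target(buf: bytes, match_offset: int, match_len: int) -> int:
    """Resolve a near relative call whose E8 instruction ends the match.

    Equivalent YARA expression: @a[i] + !a[i] + int32(@a[i] + !a[i] - 4)
    where @a[i] is the match offset and !a[i] its length; the displacement is
    the last four bytes of the match and is added to the address that follows it.
    Caveat: this is file-offset arithmetic, which equals the virtual-address
    result only when call and target sit in the same section.
    """
    end = match_offset + match_len
    disp = struct.unpack_from("<i", buf, end - 4)[0]
    return end + disp


def cmp_near(buf: bytes, target: int, window: int = 16) -> int:
    """Offset of the first CMP EAX, imm8 within `window` bytes of target, or -1 if none."""
    return buf.find(CMP_EAX_IMM8, target, target + window)


def find_call_sites(buf: bytes) -> list:
    """Return (call_site_offset, resolved_target) pairs whose callee starts with a compare nearby.

    Targets outside the buffer are discarded, which is what the YARA condition
    must also do or int32()/uint8() reads past the end make the rule undefined.
    """
    hits = []
    for m in CALL_SITE.finditer(buf):
        target = resolve_call_target(buf, m.start(), m.end() - m.start())
        if 0 <= target < len(buf) and cmp_near(buf, target) != -1:
            hits.append((m.start(), target))
    return hits


if __name__ == "__main__":
    sample = build_sample()
    for site, target in find_call_sites(sample):
        print(f"call site at 0x{site:02x} -> callee at 0x{target:02x}, "
              f"cmp at 0x{cmp_near(sample, target):02x}")
```

Both call sites resolve to 0x40 even though one displacement is positive and the other negative, which is the point of reading the displacement with a signed `int32()` rather than `uint32()`; a rule that checks the resolved target with `uint8()` should also bound it against `filesize`, as `find_call_sites` does here.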

Indicators of Compromise

Type   Value                                  First Seen   Last Seen
YARA   follow_the_fallchill_call              2022-07-31   2022-07-31
HASH   d8af45210bf931bc5b03215ed30fb73…       2018-06-22   2022-07-31
