Update changelog entry to use American English spelling: changed 'Add AVX2 and SSE2 optimisation' to 'Add AVX2 and SSE2 optimization'. This is a documentation-only change with no code impact.
Delete obsolete boolean-version check from db/language::_setLang. The early return for when version === false (WAYBACK support) was legacy compatibility and is no longer needed, simplifying the language detection control flow.
Normalize indentation and spacing across multiple YARA rule files. Changes are whitespace/formatting-only (alignment of comments, blocks, and string sections) and do not modify rule logic or conditions. Updated files: yara_rules/DiE_BasicHeuristics_by_DosX.yar, yara_rules/DiE_EnhancedHeuristics_by_DosX.yar, yara_rules/DiE_InterestingThings_by_DosX.yar, yara_rules/crypto_signature.yar, yara_rules/malware_analisys.yar, yara_rules/packer.yar, yara_rules/packer_compiler_signatures.yar, yara_rules/peid.yar.
Consolidate spaced byte-wildcards across many YARA signatures in yara_rules/peid.yar (e.g. "?? ?? ??" -> "??????" and similar) to make wildcard runs consistent and more compact. This is a bulk normalization change to improve readability and ensure uniform pattern expressions across multiple rules at the PE entry-point signatures.
Normalize indentation and formatting in yara_rules/packer_compiler_signatures.yar: convert tabs/irregular spacing to consistent spaces, align comments and condition blocks, and standardize meta/strings formatting across many rules. This is a whitespace/style-only change — no detection logic or rule conditions were altered.
Reformat yara_rules/packer.yar: standardize 'meta' author lines and normalize hex string patterns for readability and consistency. Consecutive 00 bytes and wildcard groups (??) were compacted/standardized, spacing in byte sequences was unified, and several pattern placeholders were adjusted to a consistent notation. No functional rule logic was changed—these are formatting/normalization edits to make maintenance of YARA signatures easier.
Reformatted yara_rules/malware_analisys.yar by merging multi-line "condition:" labels and their expressions onto single lines across many rules for consistent styling and readability. These are purely formatting/whitespace changes and do not alter rule logic.
Refactor many YARA rule string literals to collapse repeated byte sequences (e.g. runs of 0x00, 0x90, etc.) into compact continuous hex tokens across multiple rules. This normalizes formatting of the pe.entry_point patterns for readability and consistency without changing rule conditions or semantics.
Normalize formatting in yara_rules/peid.yar by collapsing multi-line 'strings' and 'condition' blocks into single-line declarations and adjusting indentation across many rules. This is purely a stylistic/whitespace change to make the file more compact; no rule logic or signatures were modified.
Standardize db/MSDOS filenames by adding type prefixes (compiler_, cryptor_, protector_, sfx_, other_PK_). Rename multiple detection rule files accordingly. Also normalize file modes for protector_DAEMON_Protect.2.sg and sfx_Disk_eXPress.1.sg (100755 -> 100644) and apply minor formatting/whitespace normalization; no detection logic changes.
Relax detection in scanForPackersAndCryptors_NET_and_Native(): accept the third section as read-write in addition to read, and treat CopyContext as an alternative to ExitProcess when identifying UPX-like layouts. This accommodates variants such as UPX-Patcher while preserving the original RWX/RWX/ R pattern detection logic.
Fix PE section lookup in tool_UPX-Patcher by using dosxSection.Number when computing fishSectionByIndex. Previously the code used dosxSection directly (which can be an object), producing an incorrect index; this change ensures a numeric index is used and prevents detection failures.
Introduce reusable SECTION_FLAGS_* constants and derived RWX masks to avoid duplicated local constants. Add a heuristic for detecting UPX-like binaries (3-section layout + RWX checks + common imports) and mark such files as a suspicious packer. Refactor packer/protector detection flow to use an isPackerOrProtectionNotDetected guard and to emit a "UPX-like" suspicion when appropriate. Also replace local RWX_MASK/RWX_CODE_MASK usage in scanForObfuscations_Native with the new global masks.
Treat the floating-point FNOP opcode the same as NOP in scanForObfuscations_Native by adding FNOP to the initial opcode check. This ensures sequences starting with FNOP are identified as NOPs and improves detection of NOP-equivalent obfuscation patterns.
