Commit graph

4,292 commits

Author SHA1 Message Date
DosX
cd2bdaa22e Mention native code emulation in PE heuristic
Update comment in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to include "native code emulation" among the heuristic analysis techniques and adjust surrounding wording for clarity. This is a documentation/comment-only change clarifying supported analysis methods.
2026-04-30 16:58:27 +03:00
DosX
68b80ff301 Detect multiple opcodes near EP (Cpuid/Rdtsc/Rdrsc)
Generalize CPUID detection to check for multiple suspicious opcodes near the entry point. Replaced the CPUID-specific flag with a generic isStrangeOpCodeNearEpPresent and iterate over an array of readable opcodes (Cpuid, Rdrsc, Rdtsc). For non-DLL x86 binaries the first 15 instructions are scanned (retaining the safety check); when a match is found the opcode is logged and the corresponding "<Op> near EP" option is added.
2026-04-30 16:55:57 +03:00
DosX
ddf1ddee3e Add PELock x32 heuristic pattern
Add a heuristic signature for PELock (x32) to the PE heuristic database. The pattern "6A6068........E8........BF94" was inserted into the entries array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of 32-bit PELock-packed samples.
2026-04-30 16:55:36 +03:00
DosX
39ed0b25a6 Add space in protector meta string
Insert a space between 'Thinstall' and '(VMware ThinApp)' in db/PE/protector_Thinstall.2.sg meta(...) for improved readability/consistency. This is a non-functional formatting change and does not alter detection logic.
2026-04-30 16:32:28 +03:00
DosX
f972e1be9d dbs_min update
2026-04-30 15:32:36 +03:00
DosX
42719daa2a Enhance MPRESS detection; normalize NT Packer sig
Update MPRESS detection logic: set default sOptions to "modified DOS", always run the non-.NET EP signature checks (removed the !bDetected guard), and add a post-detection check to mark the binary as having modified sections when section names differ from ".MPRESS1"/".MPRESS2". Also normalize the NT Packer 2.0 entry-point signature to a contiguous hex string to fix matching/parsing of the pattern.
2026-04-30 15:29:56 +03:00
DosX
2c0fcf94b4 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy
2026-04-30 15:29:08 +03:00
DosX
9a985f505b dbs_min update
2026-04-30 15:28:17 +03:00
horsicq
fd4f68c9b3 chore: update date to 2026-04-30 in info.ini files
2026-04-30 00:42:22 +02:00
DosX
f1dd2462d0 Add packer signatures; update Themida sections
Update PE heuristic database (db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg): add signatures for KByS (x32) and NakedPacker (x32) — "68........E8........C3C3", "60FC0FB605", and "60B8" — to improve packer detection. Also remove ".imports" from the Themida 3.XX section-name list to refine Themida detection.
2026-04-29 18:29:33 +03:00
DosX
417b9d0eaf README: remove Telegram bot link and fix link spacing
Remove the Telegram Bot entry from the contact section and normalize extra spacing in the DiE API Library link label. Minor README formatting/cleanup to tidy up links.
2026-04-29 17:57:30 +03:00
DosX
03569b69cc Allow optional segment in Denuvo export regex
Update protector_Denuvo.2.sg to relax the export-name regex used by PE.isExportFunctionPresentExp. The previous /^ANTICHEAT_OBFUSCATE_.+_CODEMARKER$/ required a middle token (and underscore), which missed names like ANTICHEAT_OBFUSCATE_CODEMARKER. The new /^ANTICHEAT_OBFUSCATE_(.+_)?CODEMARKER$/ matches both variants.
2026-04-29 01:32:14 +03:00
DosX
e91c96986d Relax Activation DLL detection regex
Update db/PE/protector_Denuvo.2.sg: broaden the PE.isLibraryPresentExp regex to match both '/' and '\\' path separators, properly escape the dot before 'dll', and add case-insensitive matching. This makes detection of Core/Activation.dll and Core\Activation64.dll more robust across platforms and case variations.
2026-04-28 20:10:19 +03:00
DosX
becaf47805 dbs_min update
2026-04-27 23:12:24 +03:00
DosX
7c35d8d024 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy
2026-04-27 23:11:58 +03:00
horsicq
37ec902b21 chore: update date to 2026-04-27 in info.ini files
2026-04-27 21:08:14 +02:00
github-actions[bot]
8b16fbdded style: auto-format JavaScript files in db directories
2026-04-27 17:03:09 +00:00
Benjamin Funke
f08b841be0 add Games using Denuvo to list
2026-04-27 19:02:23 +02:00
DosX
c7f4aac5c2 Add UX-Locker NET string heuristics
Enhance GenericHeuristicAnalysis_By_DosX by adding multiple PE.isNetUStringPresent checks to broaden UX-Locker detection. New signatures include memory/service messages ("\r\nMemory section at address 0x0424* is locked!", "\r\nService UXCryptor started.", "\r\n\r\n * Windows blocked!"), "lc.exe error", bypass markers ("ByPassWarnMsg", "ByPassMessage"), "ux-cryptor.exe", the ransom message "YOU ARE HACKED!\\1", and a combined pattern requiring both "_o_program" and "border_1". These additions improve detection coverage for UXCryptor/locker behaviors.
2026-04-27 00:28:50 +03:00
DosX
6dde9348d2 Simplify export name heuristic in PE scan
Replace a complex export-name check inside scanForObfuscations_Native with a simpler condition that flags exports starting with a digit or containing non-ASCII characters. Removed the additional checks for mangled names and underscore-replaced obfuscation testing. Note: the parentheses were changed, so the !isAsciiString check is now evaluated independently of the functionName truthiness (behavior may differ subtly).
2026-04-26 22:51:46 +03:00
DosX
747c154e9a dbs_min update
2026-04-26 21:07:33 +03:00
DosX
968b1054a4 Add kernel32 check; tweak NsPack flag
Update PE heuristic rules: add a kernel32 library presence check to the UPX-like detection conditional to ensure VirtualProtect is resolved from kernel32, and change NsPack detection flag from 0 to -1. Also apply non-functional formatting/comment alignment across db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg for readability.
2026-04-26 21:07:00 +03:00
DosX
655ff21045 Refine PE detection for Audiokinetic and Denuvo
Add an inline comment marking the static export option for Audiokinetic detection (sOptions = "static" // EAT). Tighten Denuvo protector detection by consolidating separate export checks into a single conditional that requires >10 imports, a d3d library import, and an export matching GetDenuvo(TimeTicketRequest|TicketLocation). This removes redundant individual export checks and reduces false positives by adding import/library heuristics.
2026-04-26 20:32:16 +03:00
DosX
2293bdca52 Improve Denuvo and SteamStub detection
Broaden Denuvo signature and add heuristics for more reliable detection. The packer signature now recognizes .etext/.xtext section names in addition to .ecode/.xcode. Added a heuristic that marks Denuvo if Core/Activation(64).dll is present or if the binary has >10 sections, >10 unmanaged imports, and either a .etext/.xtext section or exports like GetDenuvoTimeTicketRequest/GetDenuvoTicketLocation. SteamStub detection was moved earlier and now checks for the E8 stub at the entry point and a trailing .bind section. Removed duplicated older checks and added contextual comments/links.
2026-04-26 20:30:16 +03:00
DosX
721157c5aa Enhance Audiokinetic AkTlsAllocateSlot detection
Add contributor tag and refine detect() to prefer PE.isFunctionPresent("AkTlsAllocateSlot") first; if only the export exists, set sOptions = "static" and mark detection. This distinguishes static vs exported symbol cases for more accurate Audiokinetic library detection.
2026-04-26 20:27:31 +03:00
DosX
d2e77562d6 Remove AMD FidelityFX rule; lower Denuvo sections
Delete obsolete db/PE/library_AMD_FidelityFX.4.sg detection rule. Update db/PE/protector_Denuvo.2.sg to relax the section-count check from >12 to >10, broadening matches for Denuvo-protected binaries (logic and other checks unchanged).
2026-04-26 20:21:23 +03:00
DosX
5f6f853bd1 Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy
2026-04-26 20:19:19 +03:00
Benjamin Funke
76bccddf87 add Audiokinetic signature
2026-04-26 18:22:46 +02:00
Benjamin Funke
0a1d418166 add AMD FidelityFX signature
Found in PRAGMATA demo game executable
2026-04-26 18:13:21 +02:00
DosX
7b6b7bb9e9 Refine Denuvo PE section detection regexes
Tighten and expand section-name checks in db/PE/protector_Denuvo.2.sg: require both the .[e|x](text|code) and corresponding data section when checking PE files with >12 sections, extend accepted data section name patterns (add .sx and allow .code variants and xp/xd forms), and update detection comments to include Deathloop and Immortals Fenyx Rising alongside Atomic Heart. Also includes a minor whitespace adjustment.
2026-04-26 19:09:39 +03:00
Benjamin Funke
44a180753b add Capcom KPKA archive to PAK signature
2026-04-26 18:00:52 +02:00
DosX
b362e3280b dbs_min update
2026-04-26 18:02:30 +03:00
DosX
4529a911dd Merge branch 'master' of https://github.com/horsicq/Detect-It-Easy
2026-04-26 17:47:18 +03:00
DosX
b09d87dc86 Refine Denuvo PE detection & version
Adjust Denuvo detection heuristics: increase section-count threshold from >6 to >12, tighten and anchor section-name regular expressions (add '^' anchors, include 'my' and explicit .[ex]text pattern), and consolidate some checks to use isSectionNamePresentExp. Update the Atomic Heart version tag from "17.0" to "12.0-17.0+". These tweaks aim to reduce false positives and improve matching for newer builds.
2026-04-26 17:47:16 +03:00
Benjamin Funke
1d6d50bfc6 add Void game engine signature
2026-04-26 16:14:24 +02:00
DosX
dac2de79cd Add ezip signature to heuristics
Add 'ezip' (1.X) signature to scanForPackersAndCryptors list in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to improve detection of ezip-packed binaries. Signature hex: 0x174efb84.
2026-04-26 17:10:21 +03:00
DosX
0671c1599d Add NakedPacker signature to heuristics
Insert NakedPacker entry (version 1.0, id 0x64910c88) into the packers list in scanForPackersAndCryptors_NET_and_Native within db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to add detection for NakedPacker.
2026-04-26 17:10:00 +03:00
DosX
2c509cc1e7 Add NTPacker signature to heuristics
Add an NTPacker entry (version 1.0, signature 0x1a721d2d) to the packers/cryptors array in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg so the heuristic scanner can detect files packed with NTPacker.
2026-04-26 17:09:41 +03:00
DosX
611bef1fbf Add JDPack 1.01 entry, normalize name case
Insert a new signature for JDPack 1.01 (hash 0xd9380ce5) and update the existing entry to use the consistent 'JDPack' casing for the 2.00 signature (0xc002db0e) in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg. This improves packer detection accuracy and naming consistency.
2026-04-26 17:09:29 +03:00
DosX
15977d35cc Add NTPacker signature to PE heuristics
Add new signature 558BEC83C4E05333C0 to scanForPackersAndCryptors_NET_and_Native in db/PE/__GenericHeuristicAnalysis_By_DosX.7.sg to detect NTPacker (x32) samples. Improves heuristic detection coverage for this packer.
2026-04-26 17:09:01 +03:00
DosX
dcf2483238 Expand Petite packer signatures
Enhance PE heuristic DB by adding multiple detection signatures for the Petite packer: introduce a 2.1 entry with three signatures, retain the existing 2.2 entry, and add two 2.X signatures. These changes improve detection of Petite variants in the scanForPackersAndCryptors_NET_and_Native routine while preserving the original reference link.
2026-04-26 16:47:28 +03:00
DosX
e3d73da5fe Use regex for vcruntime140 detection
Replace explicit checks for vcruntime140.dll and vcruntime140_1.dll with PE.isLibraryPresentExp using a regex that matches multiple vcruntime140 naming variants (debug builds, _1, hashed suffixes, optional .dll). This broadens library detection to capture more runtime DLL name patterns while preserving the existing behavior of setting sOptions to "dynamic" and bDetected to true in db/PE/library_Microsoft_C_Runtime.4.sg.
2026-04-26 15:57:54 +03:00
DosX
e95a188319 Fix detection of non-text first PE section
Corrects the conditional in scanForObfuscations_Native so the heuristic flags when the first PE section is not ".text", ".textbss" or ".code" and a text section exists elsewhere. The previous check only triggered when the first section was exactly ".code", which missed other non-text section names and caused false negatives in the text-section-not-first detection.
2026-04-26 15:18:04 +03:00
DosX
d0a45ff469 Refine UPX-like detection split structure/IAT
Separate UPX-like structure detection from import/IAT checks by adding isUpxLikeImports. Move VirtualProtect/GetProcAddress/ExitProcess|CopyContext validation into a nested branch so we only mark IAT-like when imports are present. Update logging to show R(W) and build the option label to include "and IAT" only when import checks pass. Also require both structure and imports for the final ~packer UPX-like result to reduce false positives.
2026-04-26 15:17:49 +03:00
DosX
0d8e4d3071 Refactor licensing strings array and add DRM links
Reformatted the licesingStrings array into a multiline list for readability (entries reordered but behavior unchanged). Added inline comments linking to Denuvo and SteamStub resources above their respective detection checks to provide context for the DRM heuristics.
2026-04-26 14:14:35 +03:00
DosX
9c63f67aa2 Restrict Denuvo DLL regex to exact filenames
Replace a loose library check with a stricter, anchored regex so the heuristic only matches exact DLL names (e.g. Core/Activation.dll or Core/Activation64.dll, allowing either slash or backslash and case-insensitive). This reduces false positives when detecting Denuvo activation libraries.
2026-04-26 14:08:33 +03:00
DosX
37fc7cec7b Add SteamStub (.bind) detection
Register SteamStub as a known packer ('.bind') and detect SteamStub DRM in licensing scans. Adds a packer list entry for SteamStub and checks for the SteamStub pattern in scanForLicensingSystems by verifying the entry-point opcode via PE.compareEP("E800000000") and that the last section is named ".bind", then adds the "SteamStub DRM" option when matched.
2026-04-26 13:54:07 +03:00
DosX
5d2d941b3e dbs_min update
2026-04-26 13:18:15 +03:00
DosX
629649560c Require first PE section not be .text
Add a check in the Denuvo protector detection to ensure PE.section[0].Name !== ".text" before applying the existing heuristics (sections > 6 and special section-name patterns or .arch/.xtext/.xtls). This reduces false positives for binaries whose first section is .text and improves readability by splitting the long conditional across lines.
2026-04-26 13:18:00 +03:00
DosX
4054e429d9 Add Denuvo signature to PE heuristic DB
Introduce a Denuvo entry to the PE heuristic database in scanForPackersAndCryptors_NET_and_Native. Adds a pattern (regex for .excode/.xcode and ".ooa") so the scanner can recognize Denuvo-protected binaries and improve detection coverage.
2026-04-26 13:17:27 +03:00