Release v5.0

What's Changed

The one major change:

• RetDec is now a library (#779.
  • Related changes are the removal of retdec-decompiler.py (it is now a binary, e.g. retdec-decompiler.exe on Windows), retdec-bin2llvmir, retdec-llvmir2hll, and some other supportive functionality.
  • See an example in src/retdectool, or an actual implementation of RetDec executable in src/retdec-decompiler, to find out how to use RetDec library.

For more details, see the full changelog or the list below:

• Check for Armadillo made more generic by @ladislav-zezula in #733
• Added tests for more versions of Petite packer by @ladislav-zezula in #735
• Add detection support for newer versions of VMProtect. by @tamaroth in #734
• Improve the detection of Enigma protector (32-bit). by @tamaroth in #741
• Improve the detection of ASPack executable packer. by @tamaroth in #743
• Fixed missing header by @Cyclic3 in #745
• Improve the detection of the Eziriz packer/protector by @ladislav-zezula in #746
• Added detection of PyInstaller by @ladislav-zezula in #748
• Add support for using the 'dotnet' module in YARA rules by @PeterMatula in #749
• Add detection support of Astrum InstallWizard. by @tamaroth in #753
• Add detection of AutoHotKey compiler. by @tamaroth in #756
• Improve the detection of AutoIT files compiled to binary. by @tamaroth in #757
• fix: mislabeled scripts and writing strings versus bytes by @kayarre in #759
• The detection of BAT to PE-EXE script-compilers. by @tamaroth in #761
• The improved detection of BeRo EXE Packer. by @tamaroth in #764
• deps/yara: force rebuild if config changed, fix #760 by @PeterMatula in #763
• Lz more corruptions by @ladislav-zezula in #767
• Fixed bug with alignment of PointerToRawData by @ladislav-zezula in #768
• Update Yara to 4.0.1 by @PeterMatula in #769
• deps/yara/patch: patch YARA surces to fix bug in v4.0.1 by @PeterMatula in #773
• Optimize utils and file parsing to prevent timeouts in exotic files by @PeterMatula in #772
• Lz memory dump detection by @ladislav-zezula in #770
• Extension of bin2llvmir with optimization of X87 FPU stack. by @JurajHolub in #715
• CMake fixes by @xkubov in #777
• Remove too broad YARA rules for VMProtect packer detection. by @tamaroth in #778
• Improve the detection of CExe packer by modifying the YARA rule. by @tamaroth in #781
• Retdec is a library now by @PeterMatula in #779
• • gu_idata and gu_rsrc section names are now considered packer sections by @ladislav-zezula in #776
• fileformat/format_detection: use file magic to detect COFF files. by @PeterMatula in #783
• Issue 774 by @PeterMatula in #785
• Reduce static data by @PeterMatula in #787
• deps/openssl: remove, require it as a prerequisite. by @PeterMatula in #807
• Improvement to the detection of multiple packers. by @tamaroth in #804
• utils: replace our filesystem_path with std::filesystem by @PeterMatula in #806
• MzHeader and PeHeader classes in PELIB were replaced by ImageLoader class by @ladislav-zezula in #812
• Improve MoleBox packer detection. by @tamaroth in #815
• • Fixed high memory usage on samples with screwed up delayed imports by @ladislav-zezula in #817
• Provide unified logging interface by @xkubov in #816
• Lz high memory usage by @ladislav-zezula in #818
• • Check for invalid IAT directory by @ladislav-zezula in #822
• Fixed high memory usage in debug directory (#824) by @ladislav-zezula in #825
• Fix crash on samples having corrupted PE header (#821) by @tamaroth in #827
• Ninja build by @PeterMatula in #830
• Small improvements to detections of binary tools. by @tamaroth in #831
• Fixed build under RHEL based Linux where libraries are installed into lib64 instead of just lib by @metthal in #834
• fix GCC 9.3.1 hang by @hanickadot in #835
• Fixed segfault on PE files whose IMAGE_FILE_HEADER is cut by @ladislav-zezula in #839
• Fix invalid memory read in PeLib::CoffSymbolTable::read() (#840) by @ladislav-zezula in #841
• Added detection of Blizzard Protector by @ladislav-zezula in #845
• Remove the copyright comment from the outputs generated by RetDec by @s3rvac in #843
• utils: fix #842, always link stdc++fs if linux & gcc. by @PeterMatula in #846
• deps/googletest: fix adding 'd' suffix in MSVC debug build by @PeterMatula in #848
• Added YARA rule for CreateInstall installer by @ladislav-zezula in #852
• Added YARA rules for FlyStudio installer by @ladislav-zezula in #853
• Added YARA rule for Gentee Installer by @ladislav-zezula in #855
• GhostInstaller and InnoSetup revisited by @ladislav-zezula in #857
• Lz installers install creator by @ladislav-zezula in #858
• Added YARA rules for Quick Batch installer by @ladislav-zezula in #864
• Lz image loader win version specific by @ladislav-zezula in #863
• improved YARA rules for Wise installer by @ladislav-zezula in #865
• Added YARA rule for VISEMAN installer by @ladislav-zezula in #868
• Added YARA rules for Setup Factory by @ladislav-zezula in #869
• Added YARA rule for 'Xenocode Application Launcher' by @ladislav-zezula in #870
• Added YARA rules for SmartInstall Maker by @ladislav-zezula in #871
• Fixed issue #872 by @ladislav-zezula in #873
• Fix infinite loops in copy propagation optimizer by @jacob-baines in #876
• Fix missing comma in usualPackerSections initializer by @HoundThe in #894
• Lz import thunk check by @ladislav-zezula in #897
• Added YARA rule for Inno Setup 6.0.0 by @ladislav-zezula in #899
• Fixed possible access to unallocated memory in MPRESS unpacker by @metthal in #906
• Lz issue 907 by @ladislav-zezula in #908
• Fixed issue #911 by @ladislav-zezula in #912
• unpacker/mpress: Properly copy non-packer related sections to the unpacked file by @metthal in #913
• Do not fail completely when retdec-archive-decompiler is not available by @metthal in #914
• Lz fix too many imports by @ladislav-zezula in #917
• Fixed issue #921 by @ladislav-zezula in #922
• Make Fileinfo configurable via a JSON config file by @PeterMatula in #923
• Add version info to all executable apps by @PeterMatula in #926
• unpackertool: added signatures for new UPX versions by @TheDuchy in #929
• Detection of SHA512 improved. Prevented YARA DoS on d251e8b3a5818132d… by @ladislav-zezula in #935
• Implement telfhash for ELF import table by @HoundThe in #936
• Calculate Rich header hash by @HoundThe in #945
• Added new x86 PE signatures for LZMA UPX stub for UPX 3.94+ by @metthal in #948
• Add parsing of the PE Authenticode format by @HoundThe in #902
• Make X509 serial number parsing code compatible with YARA (#954) by @xbabka01 in #955
• Fix the Rich header analysis algorithm by @HoundThe in #973
• Add sanity check for length of a PE resource type name by @HoundThe in #974
• Add oneline subject/issuer to the output by @HoundThe in #976
• Increased PE symbols MAX_LENGTH limits by @HoundThe in #978
• Fix UB due to iterator reaching before begin() in rich header parsing by @HoundThe in #987
• Fix PE resource memory leak due to missing virtual destructor. by @HoundThe in #984
• Fixed resource issue by @ladislav-zezula in #988
• Check for TypeLib parent relationship by @HoundThe in #983
• Change the section name parsing to only remove trailing zeroes by @HoundThe in #979
• Fixed Lz issue 967 by @ladislav-zezula in #970
• Adding Yara rule for InnoSetup 6.1.0 by @fr0gger in #989
• Lz retdec 54 by @ladislav-zezula in #981
• DllFlags are now present on EXEs as well by @ladislav-zezula in #995
• Modified Visual Basic's Yara rule by @Dadda97 in #992
• Modified AutoHotKey's Yara rule by @Dadda97 in #991
• COFF debug info is no longer counted as part of the image by @ladislav-zezula in #996
• Debug info is only accepted if it has the type of IMAGE_DEBUG_TYPE_CO… by @ladislav-zezula in #1004
• Fixed RETDEC-74 and RETDEC-61 by @ladislav-zezula in #1003
• Add signatureVerified flag for each signature by @HoundThe in #994
• Add check that the resource file offset is valid by @HoundThe in #982
• backport yara patch for macOS by @catap in #1001
• Fix of .NET analysis differences by @HoundThe in #997
• Do not return entry point offset if it's not backed up by disk data by @HoundThe in #975
• Check if certificateTable overlaps a section and export the information by @HoundThe in #986
• Fix master not building due to conflicting types by @HoundThe in #1007
• Fixed discrepancies in icon hash between YARA and retdec-fileinfo by @ladislav-zezula in #1006
• Switch to using Python3 module to detect a python by @catap in #999
• Add SECURITY.md as requested in #1018 by @PeterMatula in #1025
• Check if data is not empty in dotnet integer decoding functions by @HoundThe in #1030
• remove --backend-aggressive-opts and all the related code by @PeterMatula in #1032
• Parse various PE timestamps and export them out by @HoundThe in #1035
• Integrate new authenticode parser by @HoundThe in #1027
• Fixed ImageLoader::Save() by @ladislav-zezula in #1029
• Check for ELF damage by @HoundThe in #1036
• Update API for OpenSSL 3.0 by @catap in #1041
• fix typo in config.cpp by @KisaragiEffective in #1048
• Fixed false positive in the detection of PyInstaller 3.x by @ladislav-zezula in #1051
• Migrate hardcoded make to ${CMAKE_MAKE_PROGRAM} by @catap in #1043
• Updated list of language IDs by @metthal in #1054
• Use image loader when loading corrupted resources by @metthal in #1055
• Update YARA to 4.2.X by @HoundThe in #1061
• Add dll name from export directory to output by @HoundThe in #1060
• Fix: Manually-specified variables were not used by the project. by @xkubov in #1052
• Lz include relocation into image load by @ladislav-zezula in #1063
• Move signing certificate to a separate object by @HoundThe in #1065
• Updated authenticode parser to the newest version by @metthal in #1067
• Never try to limit memory on macOS by @catap in #1074
• Update authenticode-parser, use-after-free, signedness issues by @HoundThe in #1082
• Use multistage build for Dockerfile, reduces container size by ~1.5G by @bagelbyte in #1081
• Check for possible overflow when checking for segment overlap. by @HoundThe in #1087
• Fix parameter and return types for dynamically called functions by @richardlford in #1085
• Upgrade to Capstone release 4.0.2 with patch by @richardlford in #1086
• Handle Procedure Linkage calls for 32bit x86 from gcc by @richardlford in #1088
• Add ability to process PNG icons for perceptual hash calculation by @HoundThe in #1090
• Add prototypes for dynamically-linked functions without headers by @richardlford in #1092
• Add printing of analysis time to retdec-fileinfo output by @metthal in #1107
• Yara: inherits linker flags by @catap in #1111
• Use provided libtool via CMAKE_LIBTOOL by @catap in #1109
• Added missed ${RETDEC_INSTALL_BIN_DIR} to pat2yara by @catap in #1113
• Updated yaramod by @metthal in #1121
• Added sanity check for page index when loading pages from broken samples by @metthal in #1120
• Fix removeZeroSequences by @neverwin in #1110
• Update to Capstone V5 by @PeterMatula in #1124
• Simplify removing range by @neverwin in #1115
• Allow to configure yara's make tool by @catap in #1123
• capstone2llvmir: use undef value if register not loaded but used by @PeterMatula in #1033
• Try to fix issue #638 by @seviezhou in #642
• Continuous integration in Github Actions by @xkubov in #1053
• Create Autoamted Release Flow by @xkubov in #1125

New Contributors

• @tamaroth made their first contribution in #734
• @Cyclic3 made their first contribution in #745
• @kayarre made their first contribution in #759
• @hanickadot made their first contribution in #835
• @jacob-baines made their first contribution in #876
• @HoundThe made their first contribution in #894
• @TheDuchy made their first contribution in #929
• @xbabka01 made their first contribution in #955
• @fr0gger made their first contribution in #989
• @Dadda97 made their first contribution in #992
• @catap made their first contribution in #1001
• @KisaragiEffective made their first contribution in #1048
• @bagelbyte made their first contribution in #1081
• @richardlford made their first contribution in #1085
• @neverwin made their first contribution in #1110

Full Changelog: v4.0...v5.0