Releases: mrphrazer/obfuscation_detection

v2.3

14 Mar 02:16

New Heuristic: Duplicate Subgraphs

This release adds an iterative context-hashing approach to detect multi-block code patterns that repeat within a single function. By combining each block’s local signature with those of its successors across multiple iterations, the heuristic identifies larger replicated structures that might be introduced by compiler optimizations or obfuscation stubs. Common findings include inlined loops, range-dividing decision trees, and repeated cryptographic routines.
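A minimal sketch of iterative context hashing on a toy control-flow graph, added here as an illustration and not taken from the plugin's code. The block names, the signature strings, the use of SHA-256 and the function names are all assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample CFG: {block: (local signature, successors)}.
# Blocks a1..a3 and b1..b3 are two copies of the same load/xor/store chain.
CFG = {
    "entry": ("push;mov", ["a1"]),
    "a1": ("load", ["a2"]),
    "a2": ("xor;rol", ["a3"]),
    "a3": ("store", ["mid"]),
    "mid": ("cmp;jne", ["b1"]),
    "b1": ("load", ["b2"]),
    "b2": ("xor;rol", ["b3"]),
    "b3": ("store", ["exit"]),
    "exit": ("ret", []),
}

def _h(*parts):
    # Short digest of the joined parts (SHA-256 is an assumed choice).
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

def context_hashes(cfg, iterations):
    # Round 0: each block is described by its local signature only.
    hashes = {b: _h(sig) for b, (sig, _) in cfg.items()}
    # Each round folds in the successors' previous-round hashes, so after
    # k rounds a hash covers the subgraph reachable within k edges.
    for _ in range(iterations):
        hashes = {
            b: _h(hashes[b], *sorted(hashes[s] for s in succs))
            for b, (_, succs) in cfg.items()
        }
    return hashes

def duplicate_subgraphs(cfg, iterations=2):
    # Blocks sharing a context hash are roots of structurally equal subgraphs.
    groups = defaultdict(list)
    for block, digest in context_hashes(cfg, iterations).items():
        groups[digest].append(block)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for k in range(4):
        print(k, duplicate_subgraphs(CFG, k))
```

Raising the iteration count demands a larger matching structure: the two chains match at their heads for up to two rounds, and stop matching once the differing continuation (`mid` versus `exit`) comes into range.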

v2.2

12 Mar 23:57

  • new util: identify recursive functions

v2.1

29 Apr 23:10
d68595d

New features:

  • detection of RC4 implementations (KSA + PRGA)
  • heuristic for functions with a high loop frequency
  • detection of irreducible loops
  • extended loop analysis

v2.0

14 Oct 13:54

Major version update. In addition to code detection heuristics, this release introduces so-called Util functions: helpers which provide additional information to guide reverse engineering or pinpoint functions using a much narrower scope than heuristics. The first three Util functions are:

  • entry function detection: lists all functions which are not called from other functions
  • leaf function detection: lists all functions which do not call other functions
  • entropy analysis: computes the entropy of each section, which helps identify packed/encrypted code

v1.9

19 Sep 20:11

v1.8

29 Jun 18:47

  • added new heuristic to detect xor decryption loops (loops which decrypt code/data with a fixed constant)
  • added more documentation
  • linked a REcon presentation about the underlying heuristics

v1.7

14 Mar 19:03

  • reworked plugin documentation from scratch
  • added example use cases
  • output of the flattening heuristic is now sorted by score
  • fixed a bug to prevent division by zero in case a function does not have any basic blocks

v1.6

02 Mar 19:35

  • performance improvement: all analysis tasks run as background tasks instead of blocking the main window
  • overlapping assembly instructions are now highlighted in all related functions
  • new heuristic: detection of the functions with the most callers

v1.5

25 Jan 22:09

Added an architecture-agnostic heuristic to pinpoint uncommon instruction sequences based on statistical analysis

v1.4

23 Feb 18:44

Added new heuristic to detect uncommon instruction sequences