[2026-01-13] Version 0.9.12 released
● Auto-update:
    - Added an update script in <malcat install dir>/autoupdat.bat (Windows) or <malcat install dir>/autoupdat.sh (Linux/MacOS)
    - Added a new GUI menu that will launch the script: Help > Update Malcat
● Parsers:
    - Added support for .NET single file bundles (with files extraction)
    - Added support for Nuitka PE one-file bundles (with files extraction)
    - Added support for Nuitka .bytecode and other constant blobs
    - Added parser for APlib chunks with AP32 header
    - Added support for python 3.14 .PYC files
    - Added support for column type 0x8500 in MSI files
    - Added support for INNOSetup 6.5, 6.5.2, 6.6.0, 6.6.1 and 6.7.0 (without encryption)
    - Better indentation and spacing for AU3 decompiled scripts
    - ELF parser now ignores truncated section tables
    - Improved heuristics to recover trashed Golang pcln tables
● Disassembler:
    - Python: added disassembler for python 3.14
    - Python: improved disassembly listing readability
    - Python: added support for python 3.11+ exceptions
    - Python: display method definition parameters
    - .NET: arg0... argN operands are replaced by the function's argument names when possible
    - .NET: correctly tokenize TypeSpecTable references
    - .NET: display method argument types in prototype alongside their name
    - .NET: display function prototype for calli opcode
    - String arguments for InnoSetup scripts are now crrectly listed in the strings view
● Stack analysis:
    - Added stack analysis for python 3.8 up to 3.14
    - Added stack analysis for .NET
    - Added an options to deactivate stack analysis (stack_disable) in Options > Analysis setup
    - Added an option to control the verbosity of stack analysis comments in Options > Code view
● Cross references:
    - structure fields of pointer type (RVA, offsets, VAs) now add a cross reference entry to the pointed address (if valid)
● Transforms:
    - Added APLib decompress (C implementation)
    - Added Chaskey-LTS encrypt/decrypt
    - Added md5, sha1, sha256 and sha512 transforms
    - Added "batch global variables" desobfuscator
    - If transforming a known utf-16 string, the transform dialog will be populated with a utf16->utf8 transform (same as for b64 or hexa strings)
● Anomalies:
    - Added TruncatedELFFile anomaly
    - Added NoSectionInELF anomaly
● DNA view:
    - function names are now colored using their dangerosity level if any (e.g. Kesakode danger level)
    - you can now also expand referenced strings (option can be chosen with the <tab> menu)
    - you can now also expand referenced and in-instruction constants (option can be chosen with the <tab> menu)
    - hovering the cursor over a symbol now displays the data preview popup, like for the other views
    - dna view is now enabled by default (again)
● User interface:
    - You can now select which view is displayed first for pure text file, defaults to source code view
    - Added several sanity checks for very large (>10MB) structure strings, in orde to not slow the gui down
    - For archive-like file types, the file names in the Summary view Report are now clickable and will open the file in Malcat (same as double-clicking on the entry in the VFS tab)
    - Added a "Min score" filter in string view. Should help with search speed when filtering millions of strings
    - Added a "clean/lib" filter in string view, to filter out know clean/lib strings after a kesakode search
    - In diff mode, the splitter between the two panes can now be moved with the mouse
    - You can now change the licensing endpoint for activation (full & pro versions) using the Options dialog, or a command line parameter for the install_api.py script. Useful if you have a local entreprise license server or need to use a proxy.
    - Clicking on a non-image virtual file in the VFS tab now preview the first few bytes in a hex viewer
    - Added a button to create a new blank script in the script editor
● Scripting:
    - [WINDOWS] Updated python 3.13.2 to python 3.13.10 (both embedded and linked against, so if you use the system interpreter you may need to update)
    - Adapted volexity's donut extractor in unpackers/donut.py script (and added xpress support)
    - Added support to malcat.analyse() from within the script editor, i.e. in gui mode (experimental)
    - You can now choose in Option > General which script is loaded by default in the script editor. Note that the current script can always be run using Ctrl+Enter shortcut.
    - Added an option in the C decompiler view's toolbar to show/hide casts
    - Added Function.num_string_references field
    - Added Function.num_known_constants_uses field
    - Added Function.num_api_calls field
    - Redesigned Function instruction statistic fields
● Bug fixes:
    - Script editor now waits until analysis is finished before running a script
    - Fixed: if a pinned preview would for some reason disappears (e.g. because of reanalysis), no new preview could be shown ever
    - Fixed: goto dialog would not ignore white space
    - Fixed: goto dialog combobox dropdown list was broken (regression from 0.9.9)
    - Fixed: calc dialog would not clear python error appropriately
    - Fixed: could not apply a user dynamic file type to a structure located inside a recognized file's overlay
    - Fixed: potential deadlock when calling analysis.run() in headless mode 
    - Fixed a memory leak when accessing string-like structure fields from analysis.struct
    - Fixed a memory leak in the CPU state structure used in CFG reconstruction
    - Better size sanitation of utf-8 strings (before really large (>1MB) utf8 strings in structures or disassembly would make the UI lag)
    - Fixed: EXTENDED_ARG disassembly bug in python 3.11+
    - Fixed a crash when clicking in a .NET header structure from within the hex or text view 
    - Double-clicking _into_ the disasm view would sometimes change selection (leftover mouse release event from previous window)
    - Fixed a decoding issue in AU3 script decompilation where some integer constants would be wrong (e.g. 1 would be 261)
    - Fixed formatting issues for .NET signed integer operands
    - Added a workaround in LZMA's decompress transform for buffers having both uncompressed_size set and an end of payload marker (python's lzma doesn't like this)
    - Fixed linux could not run PE-encapsulation script because of directory case issue

[2025-09-28] Version 0.9.11 released
● Disassembler:
    - Added support for ARMv7 CPU 
    - Added support for Aarch32 CPU (aka Armv8 32bits)
    - Added support for Aarch64 CPU (aka Armv8 64bits)
    - Added opcode encoding details for MIPS32/64
    - magic masking is now working for MIPS32/64, ARMv7 and AARCH32/64
    - added gcc symbols demangler
    - Various small improvements to the CFG recovery algorithm
    - autocomment: better display of implicit references
    - autocomment: now try to display dereferenced value when non-ambiguous and from a read-only section
    - Magic masking a .NET instruction referencing a CLR token now tags the table-part of the token as a displacement instead of an offset (for finer-grained magic masking)
    - Hitting ';' while an instruction is selected opens the comment dialog
    - Hitting Ctrl+C with hex bytes selected and some bytes deselected will now respect the selection mask, like in the hex and text views
● Decompiler:
    - Added support for ARMv7 CPU 
    - Added support for Aarch32 CPU (aka Armv8 32bits)
    - Added support for Aarch64 CPU 
    - added gcc symbols demangler
    - Decompiler view: you can now view and edit user comments
    - Decompiler view: you can jump to the corresponding disassembly by clicking on the arrow symbol in the margin
    - Decompiler view: improved disassembly/decompiler synchronisation
    - Added a "Decompile at address" context menu action, alongside "Disassemble at"
    - Fixed a couple of issues regarding symbol derefencing (API call dereferencing and read-only variable dereferencing)
● Kesakode/Intelligence:
    - Kesakode now supporting MIPS32/64, ARMv7, and AARCH32/64
    - Added MalpediaFLOSSed as third-party provider
    - You can now select in the options a default provider for onlines kesakode queries 
    - The view control now displays an appropriate context menu when multiple functions or strings are selected 
    - Functions are now filtered by their _fully_ qualified_ name in the kesakode view (before was just by function name)
    - Hitting Ctrl+A will now select all the element of the list having focus
    - Intelligence providers now accept bool and int options in addition to strings. These options can also be set in the options dialog using relevant controls. 
● Parsers:
    - Added parser for MACHO files
    - Added parser for Universal Binary archives (multi-arch MACHO files)
    - Added parser for DMG containers
    - Added parser for GGUF files (LLMs model files)
    - Added support for BZip2 compression in NSIS installers
    - Added support for ELF Pyinst files
    - Improved support for uncompressed files in InnoSetup installers
    - More symbol types supported in the ELF parser
    - Added parsing of .init_array and .fini_array to the ELF parser
    - PE parser now selects the right architecture for mips, arm and aarch64
● Strings:
    - Scan strings candidates are now rejected if referenced by a jump-like opcode
    - Hitting Ctrl+T in string view now pop-ups the transform dialog for the selected string
    - (Multi-)string context menu allows you to zero-out a string, or to zero out all strings but the one(s) selected
● Signatures:
    - Creating a new yara rule using the dialog will now try to save the rule in a yara file inside the user data directory, if any
    - Yara editor now has word wrapping enabled by default
    - improved the precision of MSVC rich header YARA rules, you get a version too now
● Source code view:
    - Ctrl-T has now precedence (i.e calls the transform dialog) over scintilla's own shortcut (transpose line)
    - Added a "Transform" context menu action to the selection
● Transforms:
    - added xpress decompress (lz77) transform
    - added base85 encode/decode transforms
    - the "to clipboard" button always converted the output to an hex string beforehand. It now depends on the output content: utf16 string > utf8 string > hex string (in addition to the raw bytes)
● Functions panel:
    - Added quickfilter control
    - You can now select multiple functions
    - Added context menu when multiple functions are selected
    - (Multi-)function context menu allows you to zero-out a function, or to zero out all functions but the one(s) selected
● Anomalies:
    - CrossSectionJump: limit to PE files
    - Added WrongSizeOfOptionalHeader
    - cross references also added for _computed_ addresses even in the absence of any read/write operation, e.g. mov eax, <base>; add eax, <delta>;
● Scripting:
    - Function.num_highvalue_immediates now only counts _unique_ high-value immediates
    - Added Function.decompile() (decompile one function to C code, for machine code only)
    - Added Analysis.decompile() (decompile whole file, either all functions for machine code, or source script for autoit, vba, excel, etc)
● Other:
    - API hash constants are now also computed over API names with an ending null byte 
    - cross references also added for _computed_ addresses even in the absence of any read/write operation, e.g. mov eax, <base>; add eax, <delta>;
    - You can now save the current selection/a function into a new barebone PE file using the context menu
    - You can now save the current selection/a function into a new barebone ELF file using the context menu
    - Added rich header hash for PE files (same one as VT)
● Bug fixes:
    - Fixed alt-left/alt-right shortcuts not working under Linux
    - [Type dialog] the types list would scroll through _all_ matching fields after a user search, which could take a while for large searches
    - [Type dialog] Applying a user dynamic type to a file without a recognized type would fail
    - [Type dialog] The python error was not beeing properly cleared, leading to repeated error for dynamic types that raise any exception
    - Fixed a bug in the parsing of delayed imports for PE32+, only the first one would be parsed
    - The gap analysis algorithm would ignore instruction crossing basic block boundaries
    - Comment on bit fields would not be shown on mouse hover
    - The view switcher in the tool bar will now be wider for larger font sizes 
    - Fixed a regression in the PYINST parser
    - Fixed decompiler view not being refreshed the second time a local variable is renamed
    - Fixed missing import statement when creating a new transform from the transform dialog in an existing but empty python file
    - Fixed a conflict between Analysis.open_vfile and some of the parsers disagreeing on a leading '/' for paths
    - Fixed a bug when loading a previously saved transform chain featuring a transform with an empty string / bytes parameter
    - Fixed hover code preview window beeing adjusted in width to the first disassembled instruction
    - Clicking on a matching pattern in the Yara quick view now jumps to the address AND registers the jump in the navigation history
    - Fixed incomplete parsing of exports by ordinals in PE files
    - Fixed a display lag in disassembly view for instructions having a VERY large (like > 10k) count of incoming/outgoing references (thank you flareon #5)

[2025-05-09] Version 0.9.10 released
● Disassembler:
    - Refactoring of the CFG recovery algorithm
    - Vastely improved dynamic pointer recovery during CFG reconstruction
    - Added support for MIPS32 CPU 
    - Added support for MIPS64 CPU 
    - Added new gap analysis in the CFG reconstruction (but only when markov heuristic is on)
    - Disassembly view: hovering a second over a register/number highlights all registers/numbers with the (exact) same text
    - Added documentation for Malcat's CFG recovery algorithm
● Decompiler:
    - Updated sleigh decompiler to the version used in Ghidra 11.3.1
    - Added support for MIPS32 CPU via sleigh
    - Added support for MIPS64 CPU via sleigh
    - Decompiler view: hovering a second over a variable highlights all instances of this variable 
    - Decompiler view: you can now rename variables the same way you could rename function and global adresses. The new names are also saved with the project.
    - Decompiler view: you can now view and edit user comments
● Strings:
    - Improved Rust strings recovery heuristics
● Transforms:
    - Added "zstd compress" and "zstd decompress" transforms
    - Added "rc2 decrypt" and "rc2 encrypt" transforms
    - Added ctr mode for aes
    - The transform dialog now automatically populates a base64/hex decode transform for base64/hex-encoded strings
● Corpus search:
    - Removed vtgrep search (I sadly don't have a VTI API anymore to maintain it)
    - Searching in corpus now popups a dialog to let you select where to search
    - Corpus search now allows you to search in all currently open files too
● Scripting:
    - Added Latrodectus string/config decryptor
    - Added new method analysis.strings.filter() for native-performance filtering
    - Added malcat.pyi file for better autocompletion of malcat scripts using external editors
    - Improved malcat.kesakode.py cli script output in recursive mode
● Anomalies:
    - Improved performance of strings anomalies when facing large amount strings
● User interface:
    -The interaction between the mouse cursor and addresses is now more consistent across views:
        * Hovering quickly over an address displays cross-references in the quickview (can be disabled in the options on a per-view basic)
        * Hovering for a second over an address displays a data preview in a popup (only if the address is physically backed)
        * Pure virtual addresses cannot be clicked anymore (before, you would jump to the nearest physically-backed address)
    - Added a quick filter in the files panel
    - Changed call graph view shortcut to F5 x2 to avoid involontary display when switching to the more used summary view
    - The DNA view is now disabled by default, can be reactivated in the options 
    - jumping between functions from within the functions panel now stays in the decompiler view if needed
    - Added Alt-Left and Alt-Right as shortcuts for goto prev/next location
    - Redesigned the "download by hash" dialog. Will now also accept a local path of a file to open.
    - Copy word/qword context menu actions now respect the endianneness of the file
    - Added copy qword context menu action
    - Improved view-switching performance by ~20%
● Parsers:
    - [WINDOWS] py7zr is now packaged in the embedded python interpreter, meaning 7z archive unpacking is now available by default
    - Added support for Gzip compression in the SquashFS parser
    - Added support for InnoSetup 6.4.0 and 6.4.0.1
● Bug fixing:
    - [ZIP] Fixed bad parsing of zip files having their zip64 header sizes set to 0
    - [ZIP] Improved DataDescriptor localisation code 
    - Right click on selected instructions in disassembly view when the selection was made using something other than mouse movements would display the instruction context menu instead of the selection context menu
    - Config options would not be properly forwarded to 3rd party kesakode providers if called before any intelligence provider
    - Intelligence providers defined in user data dir would not override identically-named providers in malcat's data dir, the two versions would coexist instead
    - The icon size in the projet switcher in Linux was too small
    - The decompiler theme colors would be wrongly displayed in the options dialog (but changing them still worked)
    - Golang parser can now recover when TextStart member of the pclnheader has been zeroed
    - Fixed a slowdown in the string view when displaying very large binary dynamic strings

[2025-02-15] Version 0.9.9 released
● Kesakode:
    - Added an offline database for Kesakode, used by default with every analysis (full/pro versions only, not available in headless mode)
    - Added fuzzy matching mode for functions (online queries only)
    - Kesakode view filter now also filters on function names and strings content
● Intelligence:
    - Threat intelligence lookup now available for lite users!
    - Added VirusExchange (vx-underground) as download source
● User interface:
    - New dropdown control to change the current view mode
    - All views can now be exported to a file using the menu View>Export
    - Added a button in script editor to save the content of the output window to a file
    - Adding a bookark using Ctrl+Alt+1-9 set the bookmark to the start of the curent view (instead of start of selection) if start of selection is outside of current view
    - When opening a new file, the current selection of the files panel (carved + vfs files) will be remembered and restored when switching back to the old file
    - New Dracula theme by CX330
    - Added visual feedback when the GUI is busy loading/saving a file
    - User annotations/highlights are now also displayed in disassembly view as comments + coloring of hex bytes
    - Added user annotation add/edit option to byte & instruction context menus
● Transforms:
    - Added "aes decrypt PBKDF2" transform
    - Reworked the "cut" transform 
    - Improved "list decode" and "list encode" transforms to allow for numbers bigger than 8 bits 
● Scripting:
    - Added a config extractor for AsyncRAT / VenomRAT / DCRAT
    - Added a config extractor for XWorm
    - Added an option "invalidate_cache" to malcat.analyse(). When set to false, databases and python scripts are loaded only once. This should speed up things a lot when analying large batch of files in headless mode.
● Parsers:
    - Added support for INNO setup installers version 6.3.0
    - Improved unpacking speed for CAB files, should be particularly noticeable for large ones
    - Improved carving algorithm performances by optimising some regexps against large blobs of 00s
    - Added support for python 3.13 .PYC files
    - Added support for python 3.13 PYINST archives 
    - Added support for Minidump files (partial or full memory dumps supported)
    - Added support for ASAR archives (pseudo-format used by electron apps), with unpacking
● Disassembler:
    - Added support for python 3.13
    - References to structures inner fields are now displayed as such in disassembly
● Bug fixing:
    - NSIS: "jmp 0x0" is  now correctly disassembled as "nop"
    - NSIS: fixed a couple of opcode argument types
    - Carved files tab would loose keyboard focus when selecting file
    - Fixed bad end of file detection for some AU3 archives
    - Fixed a bug in gui.print() where the last token would sometimes not being printed out when format is True
    - Remove prototype information and just keep full name for symbols coming from mangled export names 
    - Transform dialog: scroll to top of output if new transformed output size is less than the current scroll offset
    - Fixed clearing script output window when the script invalidates (part of) the analysis, which would hide the script's output
    - Fixed scrollbar not scrolling properly for files bigger than 2GiB in hex and disasm views
    - Fixed a rare GUI issue when the summary layout control would gain focus -> be resized -> lose focus that would lead to a GUI crash
    

[2024-11-29] Version 0.9.8 released
● Intelligence:
    - Added InQuest as threat intel source
    - FileScanIO can now be used as download source
    - Triage can now be used as download source
    - Added API key support to MalwareBazaar (will soon be mandatory)
● Strings:
    - Added an additional Xref-based heuristic to recover tricky Golang strings
    - Improved Rust strings detection
● Decompiler:
    - Better parameters recovery for Delphi programs
● Scripting:
    - Added a script to remove null bytes in last section / overlay
    - Added a script to fix section addresses for badly dumped PE files
    - Added a script to extract BMP pixels data in the right order
    - Added a simple config extractor for LummaStealer
    - Added a simple config extractor for DarkComet
    - Added a simple config extractor for Remcos
    - Added malcat.kesakode.py to bin/ folder (query kesakode on a file from the command line, only for full/pro versions)
    - Added analysis.selection.as_hex method
    - Reworked the interface to analysis.xrefs (cf. doc)
    - Added File.read_until function (cf. doc)
    - Added .bb, .function, .inrefs and .outrefs attributes to malcat.Instruction (cf. doc)
    - Added .function, .inrefs and .outrefs attributes to malcat.BasicBlock (cf. doc)
    - Added .callers, .callees, .inrefs and .outrefs attributes to malcat.Function (cf. doc)
    - Added disasm() function to malcat.Instruction, malcat.BasicBlock and malcat.Function objects (with formatting options, cf. doc)
    - Added hex() function to malcat.Analysis, malcat.BasicBlock and malcat.Function objects (with magic masking options)
    - malcat.CarvedFile.file is now malcat.CarvedFile.open() and returns a malcat.File instance
    - malcat.VirtualFile.unpack() is now malcat.VirtualFile.open() and returns a malcat.File instance
    - Added helper function Analysis.open_vfile(path)
    - Added a method malcat.setup() to make malcat's data/bindings/user dirs accessible from scripts in headless mode
    - Added an option in Preferences>General to display an empty script in the script editor by default (instead of the tutorial script)
● Analysis:
    - .NET static arrays are now cross-referenced by instructions accessing their correspondig field 
    - "Force imagebase" menu action is now working as intended
    - User types are now stored in a "usertypes" directory instead of "types"
    - User types directory can now also contain python files containing Malcat's Struct type definitions
● Parsers:
    - Added an heuristic to retrieve obfuscated/trashed PCLn header in Golang 1.18+ programs
    - Proper symbol parsing for relocatable (.o) ELF files
    - Reimplemented zipfile's CRC32 decryption in c++ for faster non-AES encrypted ZIP decryption
    - Added documentation on how to write your own parser
    - Bat2Exe batch files now appear in the virtual file system tab (post-2016 bat2exe only, does not support multi-bat setups yet) 
● Transforms:
    - Improved data preview: hex, text and disasm mode, scrolling support, copy / paste
    - Added a button to add a new transform directly into your user data directory using Malcat's python editor
    - You can now save transform chains into templates for future use
    - You can now store the transform result directly into the clipboard
    - You can now also transform dynamic strings
    - Transform dialog now selects the result only if the "In place" option has been chosen
    - Improved "reverse" and "skip" transforms
    - Added "flip2d" and "keep" transforms
    - Added "nrv2b decompress" transform
    - Added "zlb1 decompress" transform
    - Added "insert" transform
    - Added "salsa20" transform
● Data preview:
    - Added more data types (timestamp, filetime, dostime and GUID)
    - You can now modify data in the same way as in the structure editor
    - Added the possibility to switch between little endian and big endian interpretation
    - Added the possibility to switch between decimal/hexadecimal display
● User interface:
    - Find dialog: your search query is now kept when switching the search mode
    - Find dialog: find pattern now defaults to selected text in the source view
    - The "find in current file" context menu action now pops up the find dialog (gives you a chance to modify the pattern)
    - Hex view: you can now set the width of the colored blocks/columns in the Options dialog
    - Hex view: you can now groups bytes (i.e. no space) belonging to the same colored block/column (also in the Options dialog)
    - Added a context menu in strings view when multiple strings are selected
    - Added a context menu in the files tab when multiple carved/virtual files are selected
    - You can now copy module names to the clipboard in the symbol view
    - Kesakode view: the accordion labels now display the number of elements currently displayed (before, was ALL elements)
    - Improved charset conversion performances
    - Structure editor now uses OS's locale for date fields
    - Disassembly view: clicking on a hexa byte now displays the data preview
    - Dates are now displayed in ISO format in the structure view and the quickview
● Bug fixing:
    - Fixed a parameter parsing issue in install_api.py script
    - Fixed a slowdown in the Yara scanner module when handling very large .yar files
    - Fixed a bug when modifying huge (u)int64_t value in the structure editor
    - Fixed a bug when modifying a DOS imestamp using the structure editor, the result would be in the local timezone instead of UTC
    - Fixed a regression where function discovery was not performed for x86 code embedded inside p-code VB programs
    - Fixed a parsing bug in InnoSetup language section: license text is always utf8, even in unicode versions
    - Fixed a bug in the .NET disassembler for very large (>256 targets) switch opcodes
    - Fixed kesakode http error message being hidden


[2024-06-20] Version 0.9.7 released
● New OS supported: Ubuntu24 / python3.12 
● Parsers:
    - Display certificate(s) metadata for MSI installers 
● Kesakode:
    - Improved score computation function
    - Function matching is now CPU-architecture specific
● Analysis:
    - Updated Yara to 4.5.1
    - Updated Pybind11 to 2.12
    - Better carved files naming convention 
● Scripting:
    - Adapted the GIL locking mechanism to make Malcat compatible with python 3.12+
    - You can now easily access (and analyse) carved files by accessing the malcat.carved.file object
● User interface:
    - Reworked the bytes histogram: better color handling and got rid of the tooltips
● Bug fixing:
    - For Rust programs, scanned strings would take precedence over valid Rust strings in Strings view
    - GUI crash when right-clicking on a blank space in Kesakode view
    - [WINDOWS] Fixed a regression introduced by wxWidget 3.2.4 due to the behavior of tooltip windows in the histogram display
    - LoadConfigurationTable had to many fields presents in some configurations for PE32+
    - You can now also write to files extracted as subfiles (enabled COW)


[2024-05-25] Version 0.9.6 released
● Kesakode:
    - Added Kesakode hash lookup service! (see website for more details)
    - Added Kesakode view
    - Made several views display Kesakode information
● Analysis:
    - User highlights now also get added to the symbols
    - Improved stackstring detection for x86/x64
    - Improved performances in function & loop discovery algorithms
● Parsers:
    - Added support for Golang 1.20+ symbol parsing
    - Added support .p7x certificate files
● Intelligence:
    - Add an option in Preferences>Intelligence>Misc. options to disable SSL checks for HTTPS requests
    - Added Triage as threat intel source
● Scripting:
    - Added python bindings for the identified constants (analysis.constants)
    - Added documentation for the analysis.constants object
    - Added attribute Analysis.entrypoint
    - Added a script to remap PE physical section starts to their virtual counterparts (useful for badly dumped samples)
    - [WINDOWS] install_api.py now immediately throws an error when called from the wrong python interpreter version
    - install_api.py now also offers you to activate malcat for an easy 1-step deployment on online or offline GUI-less servers
● User interface:
    - You can now enter a custom password when extracting virtual files (and the default password does not work)
    - Virtual files are now extracted in a background thread to avoid GUI freezes on large files
    - Added options for _minimum_ column number in structure and hexadecimal views
    - Added "Download and analyse" context menu option to the source code view
    - Improved address context menu with dereference sub-menus for [VA], [RVA] and [OFFSET]
    - Annotation having a danger level (anomalies, yara matches, recognized function / libs) can now be shown using the corresponding danger color
    - Ctrl-E (Goto Entrypoint) now goes to the *best* entry point (i.e the .NET EP for .NET files instead of the PE one)
    - Switching to one of the code view if you've never moved around in the file once now automatically jumps to the entry point of the file
    - Jumping into a code view (disas or proximity) now automatically align the view to the start of the CPU instruction
● Anomalies:
    - Added TableExternalLink anomaly for OLE Word documents (external URL found in Table stream)
    - Added BssNonEmpty anomaly 
    - Added PumpedOverlay anomaly (large overlays with very low entropy)
    - Added PasswordInScript anomaly for InnoSetup installers
    - Added ImportByHash anomaly (know API hash constant were found)
    - Removed RegionHighEntropy anomaly
    - Removed HugeResource anomaly
    - Improved performances of CPU-intensive anomalies
● Transforms:
    - Added GCM mode for aes
● Bug fixing:
    - Fixed file passwords in _unicode_ InnoSetup installers need to be utf16-le encoded
    - Fixed RAR4 and RAR5 file names can be UTF8
    - Fixed a regression where the window title was not updated properly after a project save
    - Fixed a regression where coloring for overlapping annotation would in some rare cases not be applied correctly
    - Fixed some %ls/%s confusion under Linux leading to abberviated names in a few displays
    - Fixed issue in VB p-code disassembler where disassembling an invalid operand would in some rare cases lead to an exception
    - Fixed wrong computation of malcat.Function.num_unique_immediate_bytes
    - Fixed Scintilla editor in Yara view would trash the file on save errors. Go back to the last edit instead.
    - [WINDOWS] In the Yara editor, wxWidgets Scintilla control insisted on saving things as latin1 instead of UTF-8


[2024-02-04] Version 0.9.5 released
● Parsers:
    - Added parser for InnoSetup archives from version 4.0.9+
    - Added AR archive parser (.ar, .lib)
    - Improved OBJ parsing
    - Improved 7Z parsing
    - Improved EMF parsing
● Disassemblers:
    - Added new PascalScript disassembler (binary pascal-like bytecode used in innosetup installers)
● User interface:
    - Redid & improved the file-switching control
    - Previously entered text in the search dialog is now always selected (saves some clicks if you want to replace it)
    - In asm view, Ctrl+C copy selection as hexadecimal bytes (instead of disasm) if the last mouse click was in the hex column
    - Transform dialog "new file" option now opens result in new tab
    - Image previews for virtual files are now generated in the background for better UI responsiveness
    - The files panel folder labels now show the number of descendant nodes instead of the number of direct children
    - Added an option (Preferences>Interface>Panels on the right) to put the quickview + navigation panels on the right side
    - Added option to manually pin the current quickview
    - Redesigned & improved the user script load dialog
    - Added '*'/'?' shortcut in hexa/struct/disasm/dna views: go to next/previous selected area
    - Added '.' shortcut in hexa/struct/disasm/dna views: go to last file modification and select it
    - Reworked the UI theme 'vga'
    - Added a menu entry to switch theme
    - Added a new undo/redo history dialog (Edit>Show undo/redo history)
    - Saving the current file under a different file name (save as) adds the new path to the recent files list
● Scripting:
    - Added shortcut to iterate over all basic blocks in a function: for bb in the_function:
    - Added shortcut to iterate over all instructions in a basic block: for instr in the_bb:
    - Added new "khash" attribute to function objects: a 64bits hash of the function code that masks out all position-dependent bytes (i.e. offsets).
    - Added new function metric: fn.num_highvalue_immediates
    - Added new function metric: fn.num_unique_immediate_bytes
    - [GUILESS scripting] Python bindings don't automatically throw an error if the analysis failed anymore. Use the new method analysis.raise_if_failed() for that.
    - Added new attributes analysis.failed and analysis.ok
    - Added new attribute analysis.log which contain all analysis errors and warnings
● Transforms:
    - Added 'calculate' transform in text/scripts
    - Added 'hex2dec' transform in text/scripts
    - Added 'fill' transform
    - Added LZNT1 compress/decompress transforms
● Anomalies:
    - Added new code anomaly ManyHighValueImmediates
    - Added new code anomaly ManyUniqueImmediateBytes
    - Added new Ole anomaly OleExternalLink
    - Added new Ole anomaly EncryptedWorkbook
● Intelligence:
    - Added VirusShare online lookup
    - Added Malshare online lookup
    - Added a new dialog <File>download from url/hash> that can download a sample from TI providers (currently only MWDB, MalwareBazaar, Malshare and Virusshare)
● Diffing:
    - The diff window size is now correctly taken into account when diffing
    - Diff window parameter limit has been increased
    - Better diff progress report in status bar
● Bug fixing:
    - Fixed a focus issue when selecting data happening to be inside a structure from the data view under Linux
    - [Linux] Fixed Codeview debug information parsing issue on linux
    - install_api.py -u now correctly uninstalls malcat even if you moved/deleted the malcat directory beforehand
    - Fixed a regression where (big) image previews in the quick view panel had incorrect size on HiDPI screens
    - Fixed a regression where the CAPA bindings would miss imports-based rules
    - choosing "new file" in the transform dialog when inside the source code view would replace the current file with the new one
    - fixed a regression where keyboard shortcut in hex/struct/disasm views could not jump to the first annotation in file
    - sometimes, the msvc demangler would return empty function names: use the original symbol name in this case
    - recovered RTTI virtual function names would override exported symbols, which is unlucky since exported names are often more descriptive. Do it the other way around.
    - fixed a rare crash when iterating backward through overlapping strings in a data view using keyboard shortcuts
    - [Linux] fixed a crash when dumping a non-ascii virtual file to disk
    - [Lite] fixed a crash in the summary view
    - Fixed GUI staying unresponsive for a long time when decompiling very large AutoIT scripts
    - Fixed trailing 00s in unpacked TAR archive member file names


[2023-11-05] Version 0.9.4 released
● Malcat can now run on ubuntu23 / python3.11-based linux distributions
● Pure text view:
    - Added a "new file" option in the transform dialog when called within the text view
    - Added a proper non-default context menu to the pure text view (search selected string, add selected string to Yara, etc.)
● Python 3.11:
    - The PYC and PYINST file parsers now support python 3.11 files
    - Added a disassembler for python 3.11 opcodes
    - Added a decomposer for Python opcodes (cf. opcode quickview window)
    - Fixed a few minor errors in the python disassembler
● Analysis:
    - Various dynamic strings extraction improvements
● Quality of Life:
    - Changing the font in the option dialog now displays information regarding the font compatibility with the different charsets
    - For CP437, CP850, CP866 and CP1252 charsets in the data views, we've made the unspecified ascii chars < 0x20 100% compatible with the old DOS graphical extensions
    - Added a "Show disassembly" button shortcut to the call graph view
    - When selecting a structure field in the structure view, the corresponding editing control in the structure editor (quick view) is now given focus 
    - Added a "tokenize" transform that only keep bytes enclosed by the given token
    - Wiki dialogs, like the one for the EULA, is now smaller by default but can be resized as needed
● Magic mask:
    - The "add to Yara (disassembly)" context menu action now respects selection-excluded bytes
    - Added a "Magic mask" context menu action to the selection and opcodes: automatically excludes part of instructions from selection
    - Added a "Magic selection mask" option in the Preferences panel > Code view
    - Added a "Add to Yara (disassembly, magic mask)" context menu action
● Bug fixing:
    - Fixed a regression: hex & struct views were not refreshed when a value was modified using the structure editor (in the quick view)
    - Fixed a regression in custom types
    - Forbid putting more than 6 MB of data in the clipboard, since it seems to crash the clipboard on some systems
    - Fixed a regression: d/D shortcuts in diff mode would sometimes be stuck in disasm view if the difference is in the middle of an instruction
    - Fixed a bug which made some unicode string symbols be double-encoded in the disasm view
    - Fixed a focus issue when editing bytes structures from the data view under Linux
    - Fixed hex & struct views no beeing refreshed when a value is modified using the structure editor (in the quick view)

[2023-10-08] Version 0.9.3 released
● The lite version can now use multithreaded analysis! 
● Python:
    - The current analysis object in scripts has been renamed "analysis" (was "malcat")
    - Renamed bindings module to "malcat" (was "bindings")
    - A new python headless mode was added to full & pro versions! You can now import the malcat module from any python interpreter & perform batch analyses!
    - Added "malcat.analyse()" method to the malcat module in headless mode
    - You can now view and edit user comments from python (analysis.comments)
    - You can now force/unforce function starts from python (analysis.fn.(un)force)
    - You can now set custom data types from python (analysis.struct.(un)force)
    - You can now view and edit user highlighted regions (analysis.highlights)
    - You can now view and dump virtual files from python (analysis.vfiles)
    - You can now override the detected file type from python (analysis.type = ...) 
    - You can now override the CPU architecture from python (analysis.architecture = ...) 
    - Added methods to drive the analysis (analysis.invalidate, analysis.run)
    - Made bindings for the analysis error log (analysis.log, analysis.status, analysis.last_error, analysis.failed)
    - You can now load and save Malcat projects (with all user modifications) from python (analysis.load/save)
    - Added helper functions for address translation and output (analysis.ppa, analysis.v2a, etc.)
    - You can now apply templates (.tpl files) to an analysis from python (analysis.template)
● File parsers:
    - Added support for UImage archive format (with in-app unpacking), often found in firmwares. Exotic compression algorithms are not supported.
    - Added support for JFFS2 file systems (with in-app file extraction), often found in firmwares. Exotic compression algorithms are not supported.
    - Added support for SquashFS file systems (with in-app file extraction), often found in firmwares. Exotic compression algorithms are not supported.
    - [PE] Improved debug info parser: now parses all debug info structures. Correctly interprets repro entries (thx @strupigel's video)
    - [PE] Added parser for bound imports
    - [FAT12/16/32] Ignore deleted entries in directories
    - [VHD] Proper handle of hollow dynamic drives
    - [ZIP] 30% performance optimisation
    - [ZIP] (Very) basic support for AES-password-protected archives. Should be just enough to open malware bazaar's files directly from within malcat.
    - [7Z] Automatic unpacking of password-protected archives if the passord is "infected", "malware" or "virus" (note that you need the py7zr library installed)
● Yara:
    - Added OpenSSL library to the Yara scanner: crypto-related fields such as pe.number_of_signatures should now work
    - You can now override the destination file when creating a new Yara rule
    - Added "Add to new Yara rule" context menu action to selection, strings and disassembly
    - Give focus and proper cursor position in Yara editor after "Add to (new) Yara rule" context menu action
● Rust:
    - Added support for Rust's final function call pattern (should help with CFG reconstruction)
    - Added Rust string analysis 
● Transforms:
    - Added JS beautify transform (requires jsbeautifier lib)
    - moved all "obfuscation" transforms to the text category
● User annotation:
    - You can now add custom annotations (custom text) using the selection context menu. Useful for screenshots and note taking.
    - Undo/redo support
    - Saved with project
    - Preview control
    - Hit a/A to jump to next/previous user annotation
● User interface:
    - In the structure view, also show the extended context menu (including xrefs) for selected fields
    - Reduced the size of the transform dialog to fit in smaller resolution screens
    - Optimized redraw speed of structures tree
    - Display a "bell" icon in case of warnings during analysis in the status bar
    - Clicking on the icon in the statusbar brings you to the output log window (script editor view)
    - Source code viewer now has wordwrap enabled
    - Using "Select All" (Ctrl+A) command in the script view now selects all text in either the script editor or script output window (depending on who has focus)
    - Using "Select All" (Ctrl+A) command in the decompiler view now selects the C code of the current function
    - Using "Select All" (Ctrl+A) command in the corpus view now selects all matching files
    - You can now select & copy multiple items in the corpus view list
    - Files in the Virtual File System tab are now sorted by name
    - The summary view has a new "Type" column that displays the current identified file type with an icon
    - Added "open" and "dump" actions to the string context menu. They convert strings to utf-8 beforehand
    - Library functions (e.g. FLIRT-identified fns) in symbol view are highlighted using the "DEBUG" highlighting color
    - Hexadecimal number display shortcut now changed to Ctrl+Shift+D: Ctrl+D should now properly duplicate the current line in all scintilla-based editor windows under Linux
    - Changing the number of threads for the analysis in the options does not require an app restart anymore
    - Optimized augmented scroll bar redraw performances when displaying large complex files
    - Use c/C in data view to jump to the next identified constant, use r/R to jump to the next string, use y/Y to the next Yara string match
● Bug fixing:
    - [.NET] Fixed an issue in .NET class parser where the last field of the FieldTable would not be parsed
    - Default syntax highlighting for text files would only consider lower-case file extensions
    - Better validation for python conversion of DosDate and DosDateTime fields
    - In some cases, long binary stack strings with no single ascii character were not detected
    - Added some extra vertical space to big file dialog (thx @Squiblydoo)
    - [IMPHASH] Malcat should now compute imphash exactly like pefile, using the same outdated ordinals list, for 100% backward-compatibility (thx @Marco)
    - [ZIP] Fixed zip extractor not being able to unpack files packed in stream mode
    - [PE] Fixed edge case where section gaps were incorrectly computed
    - [LINUX] Fixed int overflow error in the entropy analysis for FILE > 4Gb
    - Renaming a function is disassembly or decompiler view would not display the new name immediately in some cases


[2023-07-10] Version 0.9.2 released
● Source code view:
    - The source code view (F4) got a revamp: folding and syntax highlighting added
    - Pure ascii/utf8/utf16-le text files can now also be viewed as text in the source code view (F4). 
● Transforms (Ctrl+T):
    - Completely redesigned the transform dialog
    - Added the ability to chain transform steps (request from @Cm)
    - You can now search&filter transform operators
    - Added the ability to view or edit python files of transform operators in-app
    - Transform previewing is now done in a background thread
    - Transform dialog is now modless (i.e. you can continue to use Malcat in parallel)
    - Transforms can have different icons
● CHM format:
    - Added support for .CHM archives
    - Can extract archive content in-app!
● .NET:
    - Parsing of obfuscated .net method headers should be more robust
    - Identify and highlight static field initialisation data
● File editing:
    - You can now removed selected bytes from the current file using the selection context menu
    - You can now insert an aribtrary amount of bytes at the selected location using the context menu
    - Added an option in Preferences > General to automatically reanalyse the current file after every insert/delete
    - You can now shift the selected bytes up or down using the selection context menu
● User interface:
    - "Select All" command ("Ctrl+A") now acts according the current view, i.e will select all strings in string view or all text in source code view
    - Source code folding added to the script editor (F8) and other python editors
    - The analysis progress bar (in the status bar) should better adapt to analysis times when some analyses are deactivated 
    - Reduced redraws of the augmented scroll bars in hex view and structure view 
    - You can now add, delete and rename .yar files from within the file lister control of the Yara editor (request from @Cm)
    - Added button in options dialog to clear user data dir (request from @Ben)
    - User data dir changes no longer requires to restart Malcat: just re-analyse (Ctrl+R) for the changes to take effect
    - When chosing a new user data dir in the Options Dialog, Malcat will now offer to create the initial dir structure for you
    - Added a button in anomaly preview to view the anomaly's code inside the python editor
    - Show a confirmation dialog for operations (mainly file loading without mmap) consuming a lot of memory and/or more than 80% of the available free memory
    - The augmented scrollbars should be somewhat more precise
    - In malcat scripts, malcat.file.path is now also available as sys.argv[1] (request from @disasm.re)
    - Recent files list size increased from 10 to 16
    - Added back / next buttons in the project's toolbar (request from @epicout)
● Bug fixing:
    - [LINUX] some views would reraise the window when mouse cursor is over, preventing alt-tab when on this view (thx @wisdomsocks)
    - Fixed a race condition in the summary view section layout mouse hover code that could lead to a crash (thx @Squiblydoo and @voidofone)
    - Fixed improper index construction of the HasFieldMarshal index in .NET which could lead to bad parsing for .NET programs having more than 32K #Param entries (thx @Squiblydoo)
    - Lack of validation for exception infos would lead the CFG reconstruction algorithm to abort early (thx @Squiblydoo)
    - The augmented scrollbar would (in some very rare configurations) display an annotation twice
    - PE: early catch of pyasn1 decoding errors (make the certificate parsing more robust)
    - Histogram's tip label would not be destroyed consistently (regression in 0.9.1)
    - [LINUX] crash when hovering histrogram's bar: wxTipWindow would be destroyed twice (thx @Ben)
    - assertion error when importing yara rules from the user data dir (thx @Ben)
    - C formatting of strings in structure view would display extra 0xFFs for chars >= 0x80
    - Fixed bug in .PYC disassembler
    - Fixed: address column would not be redrawn correctly in disassembly view when "Delta addresses" option (Ctrl+B) is chosen
    - Current view window now correctly gets focus after double-clicking on the side bar
    - Fixed display quirk in structure view when displaying strings longer than the screen surface
    - [WINDOWS] Fixed file lock issue in big file mode (thx @Squiblydoo)


[2023-05-13] Version 0.9.1 released
● .One parser:
    - Fixed early exit when encountering null-sized embedded files
    - Added more detailed parsing for some of the documented properties 
    - Added lots of enum values
● CAB parser:
    - Added support for LZX decompression!
● Added SQLITE format parser
    - Not many info for now, mostly header, pages and end of file to help carving
● Documentation:
    - Removed the old in-app help wiki
    - Added a new online and offline html documentation (sphinx-based, much better-looking, with search and index)
    - Completed some documentation topics
● Added OPSWAT MetaDefender to the list of threat intelligence sources
● Strings & Yara:
    - Strings part of a matching or non-matching YARA rules get better scores
    - Highlights matching YARA strings in string view (same as for anomalies but with a different color)
    - Yara string hits are now highlighted in hexa and struct views and get a proper context menu
● User interface:
    - Updated wxWidgets to 3.1.2 (should fix some hidpi text issues under linux)
    - Added a proper start screen (shown when no file is open)
    - Better-looking summary view
    - Library functions (matching a FLIRT signature) now gets a different highlight color
    - Right-clicking an unselected byte in data views now selects the byte before showing context menu
    - Right-clicking a field value in structure view now gives you the field's context menu instead of the structure's context menu
    - Copying atomic field values (numbers, strings) now possible from context menu in structure view 
    - Font settings should now apply to the whole GUI (before some widgets and dialogs were ignoring the setting)
    - Icon size now properly scales with font size for data views
    - Structure quickview now popups field context menu on right click instead of address context menu
    - Added "Icon Scale Factor" option for linux distros which report HiDPI scale factor incorrectly (i.e. almost all distros)
    - Redesigned the "data" quick view window
    - Redesigned the "function" quick view window, now displays exactly like the disassembly view
    - Left pane is hidden by default when comparing 2 files
    - Added icon in toolbar to hide/show left pane
    - In structures, ascii strings and unicode strings are now escaped the same way (c-style)
    - Carved files can now be opened in a new tab, like virtual files
    - Added new shortcut to display the call graph in proximity view
● Installation:
    - [WINDOWS] user preferences cache is now stored in the application's install dir alongside the config. This makes the software truely portable.
    - [WINDOWS] added a button in Options > General > Add to explorer to add Malcat to the Windows explorer's context menu
    - [LINUX] added a button in Options > General > Add to distribution menus to add Malcat to the Distribution's system menu (.desktop file)
● Scripting:
    - Most objects now display a "Scripting" context menu to easily add the object to the current script 
    - Iterating over structures and arrays now always yield StructAccess instances and not the field's value for atomic fields
    - Better documentation
    - malcat.subfiles object was renamed malcat.carved
    - improved url download script
● Bug fixing:
    - Right-clicking an address field inside a structure now display the context menu for the target address instead of the source address
    - Fixed word wrapping of script output window (F8) again
    - Fixed "corrupted double-linked list detected" console warnings on Linux
    - Scroll bar hints would not be updated when the window is resized vertically
    - Fixed grid view headers not readables on OS with dark theme
    - Fixed an old issue where Yara strings matches locations would be off if the Yara scanner finishes before the file parser
    - Fixed unicode strings in structure view would not be properly escaped
    - Fixed an issue for autoit script where CPU architecture was not correctly set
    - Fixed layout issues in Find dialog under Linux
    - Fixed bogus text search for unicode strings in find dialog
    - Fixed requirements.txt now excludes pyasn1>=0.5.0


[2023-01-22] Version 0.9.0 released
● FLIRT:
    - Added support for FLIRT signatures (in data/flirt and/or <user data dir>/flirt), supporting FLIRT 6+
    - Multi-threaded FLIRT scanning
    - Added FLIRT signatures for MSVC, Delphi and libcurl
    - Added option "Flirt signatures" in Options dialog>Analysis setup
● Added multi-files support
    - Malcat can now open different files in multiple "tabs" and switch between them using the address bar
    - Added "open new files in new tab" option in config dialog
● Added user bookmarks:
    - Added add user bookmark menu entry + shortcuts (Ctrl + Alt + 0..9)
    - Added goto user bookmark menu entry + shortcuts (Alt + 0..9)
    - added context menu entry in context menu
    - user bookmarks are saved alongside the project
● Added parser for Microsoft OneNote (.one) files
● Added FileScanIO to the list of threat intelligence sources
● Analysis:
    - OptIL / Abstract .NET methods now are displayed using their proper name
    - .NET methods header and footer parsing now moved to c++ for improved performance on obfuscated programs
    - Disable data x-ref scan for dotnet
    - Added some PE versions anomalies
● User interface:
    - Byte editing can now be also toggled by double-clicking a byte in hexa, structure and disasm views
    - Removed menu flickering issues when switching views
    - Changed cursor style when editing bytes
    - When exiting a modified file, now offers to save it under a different name if file can't be save to current path
● Bug fixing:
    - the static/ordinals/ folder was missing, disabling PE import by ordinal name resolution
    - fixed issue when comparing multiple (> 2) files
    - fixed import error when running capa script


[2022-10-30] Version 0.8.6 released
● User Interface:
    - Disassembly view: try to display short jump arrows when not enough space to draw full length arrow 
    - When right-clicking selected bytes, Malcat now displays the selection context menu as first context menu, instead of as sub menu (unless just 1 byte is selected, then still as sub-menu)
    - User preferences (like CPU architecture or file type) are now saved to the .malcat project
    - When exiting the software with some unsaved changes, Malcat now offers you to save the changes instead of just asking you for confirmation.
● Capa:
    - Updated capa to version 4.0.1!
    - Updated malcat's bindings for capa, adding .NET support (should be even better than original capa since we do CFG reconstruction and their .net analyser doesn't)
    - Updated capa report template
    - Updated capa rules
● Analysis:
    - Added Intezer to the list of threat intelligence sources
    - Strings: X86 dynamic string detection now also works for esi and edi-indexed buffers
    - CFG: Improved control flow recovery for indirect jumps and switch
    - RTTI vtables are now used as additional entry points in CFG reconstruction
    - Small improvements in the function reconstruction algorithm
    - .NET: improved analysis for "newobj" and "constrained" opcodes
    - Constants scanner: stop scanning after threshold is hit (currently after 100k hits)
● Bug fixing:
    - Fixed: regression in disassembly view: context menu for string, label and method operands was not displayed
    - Fixed: regression in CfgView: basic blocks would be split on call instructions (they are split on calls internally, we just hide it)
    - Fixed: Summary view: crc32/md5/sha1/sha256 value of the empty string would be displayed when hash computation is deactivated.
    - Fixed: Script editor and Yara editor icon size issue in ubuntu 22
    - Fixed: crash when quickly switching to disassembly view while filetype analysis is running
    - Fixed: crash when analysing some edge case python files having their method's bytecode stored as a reference
    - Fixed: crash when modifying a user data type structure and renalysing while the quickview is displaying the structure
    - Fixed: [Linux] wxwidgets fails to give application path if malcat lies in a non-ascii directory, leading to multiple app failures
    - Fixed: imphash computation issue when facing import by ordinals (pefile name them ordXXX and we named them #XXX)
    - Fixed: logic bug in fallback backward-disassembly algorithm giving sub-optimal results
    - Fixed: function just above a symbol-defined function would sometimes not be discovered by the function-discovery algorithm
    - Fixed: logic bug in CFG linear sweep algorithm, resulting in less function prologs being identified when facing obfuscated code


[2022-10-03] Version 0.8.5 released
● Yara:
    - You can now add code/selection/dynamic strings to the current yara rule as "disassembly"
    - Improved new rule dialog in Signatures view
    - Added "search pattern matches in current file" action in yara rule context menu
    - Added "search in corpus" action in context menu to scan whole corpus for selected rule
    - Added "search in corpus (partial matches allowed)" action in context menu to scan whole corpus for any string match
    - Add comments when adding named annotation to the current Yara rule
    - Automatically switch to Yara editor after adding a new pattern to current Yara rule (can be overriden in Options)
● Disassembly view:
    - Disassembly listing can now be selected using the mouse
    - Selected disassembly can now be copied to the clipboard, with or without raw bytes  (Ctrl+C or ContextMenu->Selection->Copy as->Disassembly)
    - Adding comments is now done using the context menu (no more clicking in the comment column)
    - Removed "Disasm - Long jump arrows" options from Options dialog 
    - Added "Disasm - Smart Labels" options to Options dialog
    - Only dynamic/stack strings are now shown in disassembly comments
● "Big File" mode:
    - Optional use of memory mapping for huge files
    - Config dialog when opening huge files 
    - Added "Big File Mode threshold" options in Options dialog
    - Optimised UDF magic regexp (improved overall performance on huge files)
● .NET:
    - Fixed parsing of very long resource names
    - Added parsing of function parameters names, visible in function name
    - Added parsing of function flags (static public, etc.)
    - Added proper support for nested classes
    - Better detection of obfuscated class/function/field names
    - Obfuscated names are now replaced by a special identifier by default (#obfuscated_id_xxx)
    - Added new option "deobfuscate symbols" in "Analysis Setup" Options panel.
● New parsers:
    - Added support for .VHD images (dynamic disks only)
    - Added support for FAT12 file system 
    - Added support for FAT16 file system 
    - Added support for FAT32 file system 
● Misc:
    - Added "reapply last transform" entry to context menu (if you want to decrypt stuff in batch)
    - Improved memory consumption for pattern searches in corpus directories
    - Increased maximal search size for dynamic strings
    - Added imphash hash in Summary view
    - Yara rules now have a context menu in Summary view and Signatures view
    - Added context menu for found constants
    - Added "edit bytes" context menu
    - Added "search in current file" context menu action for strings and selected bytes
    - Added "maximum columns "option in Options>Dataview for hexadecimal and structure view
    - Anomaly quickview now switches to structure view when the anomaly is located inside an identified structure.
● Bug fixing:
    - Fixed: error in golang function parsing for go 1.18+
    - Fixed: crash when adding/removing new corpus directories in Options dialog
    - Fixed: some false positives for cobalt strike file parser
    - Fixed: memory exhaustion for range preview on very large ranges
    - Fixed: closing a sub-file while a python user script is running would cause a crash
    - Fixed: utf16-be strings would not be properly displayed in structure view
    - Fixed: jumping to end of file would not work in data view for files bigger than 2 Gb
    - Fixed: invalid parsing of strings > 64K in MSI installer tables
    - Fixed: error in .NET parser in the HasCustomAttribute index
    - Fixed: regression on data view's colored scrollbar display: annotations were not in sync


[2022-07-16] Version 0.8.4 released
● Ubuntu 22.04 package! 
● Constant analysis:
    - Optimized constant search a bit
    - Added ~413000 common Windows API hashes (using different hash algorithms found in malware) to api.csig
● Cobalt strike:
    - Added a file parser for CS plain-text configurations (useful when analysing memory dumps of beacons)
    - Added summary template
    - Malleable opcodes disassembly
● NSIS:
    - Improved support for unicode scripts, fixed section unicode bug
    - Improved summary template
    - Added FileWriteW and FileReadW opcode support to the disassembler
● LNK:
    - Greatly improved the summary template
    - Added some enums for better readability
    - Added and improved existing anomalies
● CFB/Ole:
    - Parsing for the "\x01Ole" stream object
    - Parsing for the "\x01CompObj" stream object
    - Parsing for the "\x01Ole10Native" stream object
    - Parsing for the "\x03ObjInfo" stream object
● Scripting:
    - Script output window has now horizontal scrollbars and do not wrap (revert to old behavior)
    - Improved PE/speakeasy_pe_unpack.py script: better dump choice
    - malcat.struct: You can now iterates through arrays, structures and bitvectors using python slices
● User interface:
    - When editing bytes in data view, invalid character input is now notified in statusbar and not via a messagebox (which would cause editing session to end)
● Bug fixing:
    - Fixed file differences sometimes needing a refresh to be displayed
    - Fixed in diff mode, secondary analysis would be hidden after help display
    - Fixed saving sub-files using save dialog: only the .malcat project would be saved
    - Fixed undo-redo of file operations: file would sometimes not be seen as modified


[2022-06-14] Version 0.8.3 released
● Added MWDB to the list of threat intelligence providers
● Updated Yara to version 4.2.1 (from 3.9.0)
● File parsers:
    - Added support for ELF golang
    - Better support for partially damaged golang binaries
    - Improved handling of Dstrings in UDF parser
    - Support extended attributes in ISO (old ISO protections)
● User interface:
    - Improved UI feedback for lite users facing unsupported architectures
    - Structure view now properly truncates large string fields
    - Hitting \[insert] when nothing is selected will start editing first editable byte of view (hexa, structure and disasm views)
    - Better editing experience in structure view for Bytes fields
    - Icons are now bigger if you use a bigger font size
● Misc:
    - Also demangle msvc import symbols in PE files
    - Improved Golang string heuristic a bit for conflicting string definitions
    - Updated/added Yara rules
    - Updated/added anomalies
● Bug fixing:
    - Fixed a regression in string analysis module for NSIS scripts
    - Fixed a regression where the decompiler view would not be available after a yara rescan
    - Fixed bad initial widget layout in anomaly and yara quick view windows
    - Fixed incorrect line up/down scroll in Structure/text view for large strings
    - Fixed a stream name decoding issue in MSI installers
    - Fixed early abort for VB binaries having corrupted method tables

[2022-05-05] Version 0.8.2 released
● Fast dynamic string detection for x86/x64:
    - Automatically detects stack strings / memory strings defined within a basic block
    - Algorithm uses a simplified emulator engine
    - Strings are listed along other strings ("DYN" type)
    - Disassembly view show in comments where the strings are defined
● Added support for Py2Exe programs:
    - Added Yara signature
    - Python scripts are recognized and disassembled
● Added support for CD and DVD file systems (.iso/.img):
    - Support for essential ISO 9660 structures
    - Support for essential UDF structures
    - Open files in-app 
● Added support for LZMA packed streams:
    - Automatic detection of LZMA-Alone (with standard flags) and LZMA-XZ streams
    - in-app unpacking
● User interface:
    - Redesigned the views toolbar: one icon per view now to make things less confusing
    - Colored icons
    - Expanded the in-app calculator (Ctrl+Space) by giving access to additional variables and functions
    - Added "Calculate address..." context-menu action for addresses
    - Added "Download & Analyze" context-menu action for URL-like strings and selection
    - Added context menu for fields in structure's quick view
    - Improved readability of midnight theme
    - Script output window now uses wordwrap
● Misc:
    - Improved LNK file parser (extension block parsing)
    - Added template and anomalies for ACE format
    - Added additional options to the "LZMA compress" transform
    - Prefix tlsh version "T1" in tlsh hashes (aka new tlsh format)
    - Added hard timeout of 20 seconds for online intelligence checkers 
    - Improved analysis parallelism by removing a few unnecessary locks
    - Updated/added Yara rules
    - Updated/added anomalies
● Bug fixing:
    - [GTK3] Fixed: crash when chosing "Copy expanded structure" in context menu
    - [GTK3] Fixed: right click would need to stay pressed in order to see context menu for some of the views
    - [GTK3] Fixed: disabled text ellipsis in data and file tabs (top-left), it does not work reliably
    - Fixed: NSIS file name recovery agorithm for non-solid archives
    - Fixed: NSIS disassembly for 'IntOp' opcode
    - Fixed: rare bug in ZIP parser with odd Unix extra fields 
    - Fixed: VBA decompilation would sometimes stop too soon when facing VBA-purging
    - Fixed: assertion error when previewing Yara rules with duplicate strings


[2022-04-01] Version 0.8.1 released
● Added support for Golang 1.18+ symbols
● Context menu added to the CFG view, similar to the one in the disassembly view
● Bug fixing:
    - "Unforce function start" was not woking correctly since last update
    - Fixed an issue in golang anomalies


[2022-03-20] Version 0.8.0 released
● Lite edition now has access to visual themes!
● Improved analysis of MSVC-compiled binaries:
    - Added RTTI parsing (label virtual functions and identify RTTI structures)
    - Added symbol demangler (for RTTI and exports/imports)
● Updated Capa to version 3.2.0:
    - added missing features to malcat's Capa bindings
    - fixed multiple issues in Malcat's capa bindings 
● Python:
    - Added support for python 3.9 and 3.10 disassembly (so we support 2.7 and 3.6-3.10 now)
    - Fixed minor issues in PYINST and PYZ file parsers
● Improved Golang symbols and strings identification for go 1.16 and newer
● Added support for VTGrep (needs a VT premium API):
    - "Search in corpus" now searches selected pattern in virustotal in addition to the local corpus
    - Added VTGrep-related options in Options dialog
● Advanced selection: masked-out nibbles in selection (Shift+Click) are now supported
    - masked out nibbles are replaced by '?' when copying as hexadecimal to the clipboard
    - masked out nibbles are replaced by '?' when adding hex bytes to current Yara rules
    - masked out nibbles are correctly ignored when searching in corpus
● Misc:
    - Disassembler now displays strings using user's selected charset
    - Disassembler now displays numbers and addresses using user's selected base (Ctrl+D)
    - ELF: parse .comments sections for metadata
    - PDF: added a few anomalies
    - Options dialog now warns you with a message box if an option change requires a restart
● Bug fixes:
    - Xref analysis would hide data xrefs if options "CFG: don't follow data refs" was checked
    - GUI would sometimes hang on ubuntu18 when running a python script


[2022-02-16] Version 0.7.88 released
● Scripting:
    - Cleaned up scripting interface a bit
    - Finished scripting documentation 
    - Updated start script
    - Script editor and Yara editor now use mono font
● MSI installers:
    - Proper decoding of MSI stream names
    - Can now decompile MSI tables (hit F4)
    - Added msi.dll ordinal names (most MSI dll plugins use import by ordinals)
● Misc:
    - Added JoeSandbox web API to online intelligence lookups
    - Linux: Copying data now puts content in both PRIMARY and SELECTION clipboards
    - Updated Yara rules
● Bug fixing:
    - Fixed bug in PE+ import by ordinal handling
    - Fixed HexView background not beeing redrawn properly on hover in some edge cases
    - Fixed file path label in signature editor not respecting visual theme


[2022-01-29] Version 0.7.51 released
● Added basic .tar parser with in-app unpacking
● DnaView function names and instructions can now pop up a context-menu (like in the AsmView)
● The Options dialog should pop up faster under Windows
● Save crash report in temp folder if application dir is not writeable 
● Bug fixing:
    - Fixed embedded python "missing python38.dll" error on Windows
    - Fixed PACKAGEINFO resource parsing in PE, displays Delphi project name in metadata
    - Fixed minor issues for the following parsers: PE, JPEG, EMF and ZIP
    - Fixed bad layout for the intelligence tab of the options dialog on Windows (visible in full and pro versions)
    - Fixed a crash when displaying context menu for very huge files


[2022-01-19] Version 0.7.27 released
● Improved AsmView backward scrolling speed in huge basic blocks
● Added Zoom button for pictures in quick view panel
● Annotate import and export API name strings in PE files as DATA
● Added a script to convert DIB files to BMP files
● Fixed a bug when a user-defined function would have its size wrongly set to 1
● Fixed bug(s) in anomalie(s): HugeFunctionGapAtSectionBoundary
● More documentation


[2022-01-12] Version 0.7.12 released
● Fixed Hi-DPI scaling issues introduced with wxWdigets 3.1.5
● Fixed incorrect statusbar height for Windows


[2022-01-03] First beta release
The first version of malcat, tagged 0.7.6, has been officially released! 
