
PortexAnalyzerGUI v 0.13.0


@struppigel struppigel released this 11 Jul 05:19
· 11 commits to main since this release

New features

  • .NET metadata shown: metadata root, stream headers, CLR tables of #~ stream
  • CLR tables resolve references to other tables to give the values more meaning
  • Reversing hints added for: AutoHotkey, embedded archives, embedded executables, AutoIt, Electron package, fake VMProtect, InnoSetup, generic installer, Nullsoft, PyInstaller, a specific but unknown Batch-to-Exe wrapper, SFX, UPX
  • More anomalies

The picture below shows one of the .NET CLR tables.

[image: one of the .NET CLR tables as displayed in the GUI]
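The metadata root, stream headers and the #~ tables stream listed above are laid out as specified in ECMA-335 II.24.2. As an added example that is not part of PortexAnalyzerGUI or PortEx, the Python below parses those three structures from a constructed metadata blob; the stream sizes and the Module/TypeDef/MethodDef row counts in the sample are made up for illustration.

```python
import struct

# Table indices from ECMA-335 II.22 that the constructed sample uses.
TABLE_NAMES = {0x00: "Module", 0x02: "TypeDef", 0x06: "MethodDef"}

def parse_metadata_root(data: bytes) -> dict:
    """Parse the metadata root (II.24.2.1): version string plus the stream headers."""
    sig, _major, _minor, _reserved, length = struct.unpack_from("<IHHII", data, 0)
    if sig != 0x424A5342:  # "BSJB"
        raise ValueError("not a .NET metadata root")
    version = data[16:16 + length].split(b"\0", 1)[0].decode("utf-8")
    pos = 16 + length
    _flags, nstreams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", data, pos)   # offset is relative to the root
        pos += 8
        end = data.index(b"\0", pos)                          # name is NUL-terminated
        streams.append({"name": data[pos:end].decode("ascii"), "offset": offset, "size": size})
        pos = (end + 4) & ~3                                  # then padded to a 4-byte boundary
    return {"version": version, "streams": streams}

def parse_tables_header(data: bytes, stream: dict) -> dict:
    """Parse the #~ stream header (II.24.2.6): HeapSizes, Valid bitmask and per-table row counts."""
    base = stream["offset"]
    _res, major, minor, heap_sizes, _res2, valid, _sorted = struct.unpack_from("<IBBBBQQ", data, base)
    pos, rows = base + 24, {}
    for table in range(64):                 # one row count per bit set in Valid, in table order
        if (valid >> table) & 1:
            rows[TABLE_NAMES.get(table, f"table_{table:#04x}")] = struct.unpack_from("<I", data, pos)[0]
            pos += 4
    return {"version": f"{major}.{minor}", "heap_sizes": heap_sizes, "rows": rows}

def build_sample() -> bytes:
    """Constructed blob (not from a real binary): five streams, #~ holding Module/TypeDef/MethodDef."""
    version = b"v4.0.30319\0\0"                                # 12 bytes, already 4-aligned
    names = [b"#~", b"#Strings", b"#US", b"#GUID", b"#Blob"]
    root_len = 16 + len(version) + 4 + sum(8 + ((len(n) + 4) & ~3) for n in names)
    valid = (1 << 0x00) | (1 << 0x02) | (1 << 0x06)
    tables = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + struct.pack("<III", 1, 2, 5)
    out = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version + struct.pack("<HH", 0, len(names))
    offset = root_len
    for n in names:
        size = len(tables) if n == b"#~" else 4                # other heaps are 4-byte stubs here
        out += struct.pack("<II", offset, size) + n.ljust((len(n) + 4) & ~3, b"\0")
        offset += size
    return out + tables + b"\0" * 16
```

Calling `parse_metadata_root(build_sample())` yields the version string and the five stream headers, and passing the `#~` header to `parse_tables_header` yields the row count of every table whose bit is set in Valid.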

About reversing hints

These take several anomalies and other features into consideration to determine that a specific approach should be used to analyse, extract or unpack the file. For now the hint is shown at the "PE Format" node and lists all reasons and signatures that led to it.

[image: a reversing hint with its reasons at the "PE Format" node]

One file can have several hints.

What is the difference to signature matches?

Signatures detect something and display a name for the result. They allow you to classify a sample, but they present neither a reason nor an explanation of what you should do.

A reversing hint is a collection of one or more anomalies together with the meaning given to that combination. Anomalies can be signature matches but also any other characteristic of the file. Reversing hints always provide an explanation of how to reverse the file.