v0.8.0

[BinFlip]

[0.8.0] - 2026-06-03

Changed

• SSA functionality extracted into the standalone analyssa crate: the target-agnostic SSA IR, analyses, and optimization/deobfuscation pass framework now live in analyssa, with dotscope providing the CIL-specific host (lifting, type system, codegen). dotscope builds on analyssa 0.2.0, which adds the native SSA substrate (SIMD/vector ops, native atomics, wide arithmetic, boolean ops), a fluent SSA builder and verifier-checked editor, and ~3–4× smaller core IR types. The CIL pass scheduler is built on analyssa's PassScheduler::empty so the deobfuscation pipeline keeps full control over which passes run
• Structured parse errors (breaking): parse failures are now reported through Error::Parse(ParseFailure) with a ParseStage, replacing the stringly-typed Error::Malformed / Error::OutOfBounds / Error::HeapBoundsError variants at parse sites. The malformed_error! / out-of-bounds helper macros and #[non_exhaustive] ParseFailure give callers categorizable, source-located errors. Code that matched the removed variants must migrate to Error::Parse(..)
• Fallible metadata lookups (breaking): metadata lookup APIs such as CilObject::method() now return Result<_, Error> instead of Option<_>, so a missing or unresolvable token reports a typed error rather than a bare None. Callers using if let Some(..) / ?-on-Option must switch to the Result forms
• Hardening against malformed/adversarial input: enabled strict crate lints (unwrap_used, expect_used, panic, arithmetic_side_effects, indexing_slicing set to deny) and reworked the metadata parsers (custom attributes, marshalling, resources, signatures), the validation layer (scanner, schema, raw/owned constraints), and the deobfuscation passes to use fallible, bounds-checked, overflow-safe access. The parser no longer panics on crafted inputs

Fixed

• SSA construction — operand corruption: the placeholder→final variable rename in SsaConverter applied cascading by-value replacements, which under analyssa 0.2.0's variable-id encoding could collapse a binary operation's operands (e.g. a - b becoming b - b). The rename is now applied atomically/position-wise, so it is correct regardless of id numbering (handles operand aliasing, swaps, repeated operands, and the reserved placeholder id). This only affected method bodies regenerated from SSA (deobfuscation output)
• CFF unflattening — expression-obfuscated dispatchers: state-variable backward tracing (trace_to_phi) now follows neg/not/conv wrappers, so ConfuserEx "expression" control-flow flattening (-(!!state)-style transforms) no longer hides the dispatcher state phi. Dispatcher::refresh reuses the same tracer instead of a shallow, fixed-depth walk
• CFF unflattening — nested/exception-handler dispatchers: when a dispatcher's state-setup block is also one of its own switch case targets (common for handler-region CFF), the initial state was not recovered, so the tracer could not seed the state machine and explored every path until hitting its limits — leaving a residual switch and dropping code. The initial state is now recovered from the state phi's constant operand; ConfuserEx control-flow + expression samples fully unflatten again

[codecov]

Codecov Report

❌ Patch coverage is 69.31106% with 147 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
dotscope/src/analysis/ssa/function.rs	40.11%	103 Missing ⚠️
dotscope/src/analysis/ssa/exception.rs	4.76%	20 Missing ⚠️
dotscope/src/analysis/ssa/converter.rs	88.49%	13 Missing ⚠️
dotscope/src/analysis/callgraph/resolution.rs	0.00%	4 Missing ⚠️
dotscope/src/analysis/cfg/semantics.rs	78.57%	3 Missing ⚠️
dotscope/src/analysis/ssa/builder.rs	96.87%	2 Missing ⚠️
dotscope/src/analysis/ssa/decompose.rs	97.01%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!