What's New in IDA 6.95 (8/8/2016)

  • iPhone debugger
  • PowerPC decompiler
  • The iPhone debugger uses the debugserver protocol to connect to the device and debug applications. It should work as is, out of the box, but we encourage you to check out the configuration file dbg_ios.cfg, which contains some important settings such as SYMBOL_PATH and AUTOLAUNCH.

    IOS Debugger screenshot

  • The PPC decompiler is just a new decompiler that works with IDA. We had to solve many technical challenges to make it work (notably, the big endian nature of the PowerPC processor caused many inconveniences). Otherwise, the user experience should be the same as with other decompilers: just press F5 and enjoy the result. PowerPC code is especially wordy in assembler:

    PPC code screenshot

    The above code gets converted into:

    PPC pseudocode screenshot

  • Naturally, there are many other improvements. For example, we refreshed many signature files, as well as type libraries, added new ones (64-bit type libraries were something IDA had lacked for a long time), and improved the tilib and FLAIR utilities to work better.

    As you may have guessed, while working on the PPC decompiler we had to improve many aspects of the PowerPC processor module. Now it has a new register tracking algorithm, better offset handling, more complete relocation support, etc.

    The new register tracking algorithm is used for the ARM processor too, greatly improving detection of indirect call targets, switch recognition, and recognition of other common compiler idioms.

    We also spent quite a long time improving our venerable PC processor module. It now has an improved prolog analysis algorithm; IDA can parse the Unwind structures and apply them to the disassembly; also, recognition of SEH structures and idioms has been improved a lot.

    Since Intel and AMD continue to add new instructions, we too try to be up to date. All new instructions we are aware of have been added to the PC processor module.

    On a completely different level, we modularized IDAPython. Now, instead of one huge idaapi module we have separate modules, each with its purpose: ida_enum, ida_funcs, ida_graph, etc.
    Backward-compatibility is of course preserved through the "umbrella" idaapi module: everything should still work as it used to.

    IDA 6.95 ships with Qt 5.6.0. The 5.6.x branch is a "Long Term Support" branch, which will be maintained by the Qt developers for the next three years. In addition to being an LTS, Qt 5.6.0 offers better accessibility, hopefully improving some of our users' workflow (especially on Windows).

Processor Modules
  • ARM: improved register tracking
  • CLI: skip unknown metadata streams instead of exiting with a fatal error
  • CLI: support .net files with tables stream named "#-" instead of the standard "#~"
  • PC: added decoding of CLZERO, MONITORX and MWAITX instructions
  • PC: added decoding of HLE prefixes (XACQUIRE and XRELEASE)
  • PC: adjusted handling of chained unwind-information
  • PC: calls with address-size override prefix could truncate the target address
  • SPARC: added support for UA2005
  • V850: convert gp-based movea references to offset expressions
  • V850: resolve callt addresses when user provides CTBP option
File Formats
  • ELF: added R_386_GOT32X relocation
  • ELF: added R_X86_64_GOTPCRELX and R_X86_64_REX_GOTPCRELX relocations
  • ELF: added R_X86_64_RELATIVE64 relocation
  • PDB: added support for obtaining types for global data
  • PE: added detection of entry point from incremental linking by Visual Studio
  • PE: handle non-ASCII PDB filenames
  • MACHO: improved constant CFString parsing (handle Unicode CFStrings and CFStrings not in the __cfstring section)
Debugger
  • GDB: added support for MIPS64 and SPARC
  • PIN: build pintool with PIN 3.0.76991
  • Remote PDB debugging from non-Windows machines, with the help of a remote Windows debugger server
  • Remote iOS Debugger
  • added support for Intel x64 Android binaries (android_x64_server)
  • dalvik: added Dalvik debugger specific IDC function: DalvikGetLocalTyped()
  • gdb: added support for ARM M-Profile debugging
Kernel/Misc
  • FLIRT: added signatures for Embarcadero RAD Studio 10.1 Berlin
  • FLIRT: added signatures for icl163 (Intel C++ 16.3)
  • FLIRT: added signatures for Windows Driver Kits 7-10
  • FLIRT: added detection of GsDriverEntry for Windows Drivers
  • FLIRT: dm: added signatures for Digital Mars 2.071.0
  • TIL: fixed 64-bit macros, which were either truncated or not sign-extended correctly
  • TIL: fixed values for macros that contained casts
  • TIL: updated list of known WM_ messages
  • TIL: added processor specific til files for linux
  • now we build idal/idaq as PIE on Linux
  • more aggressive string detection
  • the IDASGN, IDAIDS, IDAIDC, and IDATIL environment variables have been deprecated: the more versatile IDAUSR should be used instead
  • the IDAUSR environment variable has been extended to all IDA subdirectories (idc, ids, sig, and til)
  • updated Mac OS X (xnu) syscall list
User Interface
  • ui: (windows) added a workaround to allow opening files in directories with paths which are not representable in the system 8-bit encoding
  • ui: IDA now updates the mac dock tile with the idb name when multiple IDA instances are running
  • ui/qt: added the IDA_STYLESHEET environment variable, which allows loading a stylesheet from a CSS file without having to make a wrapper invoking "idaq.exe -stylesheet=..."
  • ui/qt: the colorizer passed through set_nav_colorizer() can now be used to update the colors of the legend in the navigation band
  • ui: ability to programmatically create_menu() & delete_menu()
  • ui: ability to programmatically create_toolbar() & delete_toolbar()
  • ui: ability to query choosers for their data
  • ui: get_registered_actions() can now be used to retrieve a list of all registered actions
Scripts & SDK
  • IDAPython: IDAPython is now split in multiple modules
  • IDAPython: added tinfo_t::serialize()
  • SDK: added IDA syntax highlighter
  • SDK: added cleanup_name() to convert a name into some kind of canonical form (strip underscores, module name, etc)
BUGFIXES
  • BUGFIX: "Select all" was not selecting anything
  • BUGFIX: About program...->Addons... dialog could show incorrect info if both HEXARM and HEXARM64 were present in the same ida.key file
  • BUGFIX: CLI: stack buffer overrun could happen when disassembling .net files with very long method prototypes
  • BUGFIX: DWARF could fail while attempting to persist arrays with huge numbers of elements (e.g. >= 0x80000000)
  • BUGFIX: DWARF: Don't try to apply DWARF relocations if the file is not properly relocatable
  • BUGFIX: DWARF: Files with DWARF relocations of type 0 (i.e., 'NONE') would prevent loading DWARF information
  • BUGFIX: DWARF: GNU ADA can use strange constructs for specifying bitfield type dependencies, which the DWARF plugin wouldn't properly handle
  • BUGFIX: DWARF: pressing Esc at the "DWARF info found" dialog did not cancel DWARF loading
  • BUGFIX: DWARF: some types with virtual inheritance could cause IDA to interr
  • BUGFIX: DWARF: two enumerations of different byte size that contain the same list on enumerators would be considered equal
  • BUGFIX: Deleting bookmarks from the menu could crash IDA
  • BUGFIX: Double-clicking in the "Output window" would cause the selection to span from the beginning of the word to the end of the line instead of the end of the word (and would sometimes fail to recognize some identifiers & jump to them)
  • BUGFIX: During source-level debugging, the source view scrollbars wouldn't follow the position in the file
  • BUGFIX: ELF: code relocations for big-endian Aarch64 files were applied incorrectly
  • BUGFIX: Fujitsu FR: segments were 16bit (must be 32bit)
  • BUGFIX: GDB: register view in GDB was missing jump arrows and address display
  • BUGFIX: Graph view: when searching (e.g., "Alt+Up/Down", or "Alt+T/Ctrl+T"), IDA could fail placing the cursor's X position at the beginning of the match
  • BUGFIX: IDA View-A wouldn't apply the node_info_t::text property for non-group nodes
  • BUGFIX: IDA could crash while parsing header files with recursive macro definitions
  • BUGFIX: IDA could crash right after having loaded the dyld_shared_cache (on Linux)
  • BUGFIX: IDA could crash when jumping to another function while in graph view, or when switching to the graph view
  • BUGFIX: IDA did not remove xref and switch records when deleting debug segments
  • BUGFIX: IDA on Linux could crash while Tab-completing in the file chooser if 1) 'New' was selected at startup, and 2) Qt couldn't load the GTK2 theme
  • BUGFIX: IDA would attempt to auto-analyze binary files with no known entry point
  • BUGFIX: IDA would fail to keep the cursor on the instruction (or operand) when switching between flat & graph views
  • BUGFIX: IDAPython: IDP_Hooks instances could prevent the decompiler from working properly
  • BUGFIX: IDAPython: decompile_many() wouldn't accept a list of ea_t's
  • BUGFIX: IDAPython: running a long script that caused an IDAPython processor module to kick in could fail to be properly interruptible, because the processor module could receive the error instead of the script itself
  • BUGFIX: IDC's MakeLocal was broken
  • BUGFIX: In hex view, when the first edit takes place at EA 0, the line could fail showing the first byte
  • BUGFIX: On OS X, searching for binary patterns might fail for some values in the [0x80 - 0xff] range
  • BUGFIX: PE: IDA would not detect DLL exports with empty names
  • BUGFIX: PE: IDA would show no exports if the export directory's DLL name was an empty string
  • BUGFIX: Pressing Alt+<key> as an accelerator to (e.g.,) toggle a checkbox in a form, while a text field is being filled and a "completion" overlay is visible, wouldn't transfer focus to the checkbox (because of the auto-completion overlay swallowing those key presses)
  • BUGFIX: Proximity viewer: clicking on nodes representing addresses that fall in the middle of a data item, could cause IDA to INTERR (40467)
  • BUGFIX: SetFunctionFlags() could modify FUNC_SP_READY and FUNC_NORET_PENDING bits, which should be managed by IDA
  • BUGFIX: When performing PDB debugging across multiple modules, IDA could show local variables that belong to another function
  • BUGFIX: When remote debugging, segment permissions could contain unexpected bits set in the upper nibble
  • BUGFIX: When selecting a union member in the "Structure offsets" view, IDA could crash when hovering that member
  • BUGFIX: When selecting negative "standard constant" enumerators, IDA could display the operand as a faulty number, instead of as that symbolic constant
  • BUGFIX: When trying to load PDB information remotely and no MSDIA DLL could be found, no clear error message was printed on the console
  • BUGFIX: accessibility: reading last word of line, could overflow to following lines
  • BUGFIX: accessibility: when the cursor was after the text on a line, accessibility tools could read the wrong data
  • BUGFIX: arm64: incorrect type of the first operand in instructions UADDLV, SADDLV
  • BUGFIX: arm: in some rare cases undefined data could be disassembled as VLDM/VSTM instructions
  • BUGFIX: arm: incorrect decoding of double precision registers D15-D31 in some VFP instructions
  • BUGFIX: corrupted idbs with wrong segment names info could cause interr 1248
  • BUGFIX: debugger: in the watch view the first member of a struct would be printed in a more complete way than the other members
  • BUGFIX: f2mc: callp/jmpp instructions did not create proper cross-references
  • BUGFIX: f2mc: operands of callp/jmpp instructions could be decoded incorrectly
  • BUGFIX: flirt: parsing of Digital Mars OMF libraries was broken
  • BUGFIX: gdb: attaching to 64-bit processes would give warnings about unknown registers and CPU_NOT_SUPPORTED
  • BUGFIX: gdb: attaching to ppc64 would fail with 'more than one special register present' message
  • BUGFIX: gdb: memory contents could become undefined while single stepping in the debugger
  • BUGFIX: gdb: some cpu flags could not be edited
  • BUGFIX: ida could loop endlessly trying to create a function and deleting it; overall, the idea of deleting a function because it has no call xrefs is not very good: for example, functions referenced from a vtable won't have any xrefs; also, compilers use tail call optimization, which converts call xrefs into jump xrefs
  • BUGFIX: idapython: SetFchunkOwner was broken
  • BUGFIX: jump-to-node-by-doubleclick in proximity view was broken
  • BUGFIX: load_debugger() was requiring an underscore in the file name of the debugger plugin; it is not really necessary
  • BUGFIX: on linux/MAC IDA did not apply umask when creating some output files
  • BUGFIX: pc: fixed operands for MONITOR and MWAIT instructions
  • BUGFIX: pc: incorrect handling of 16-byte aligned function argument/return types of size <= 8
  • BUGFIX: pc: prefix bytes were not supported for CMPXCHG8B instruction
  • BUGFIX: pcf/pelf could incorrectly process files in an archive (static library)
  • BUGFIX: ppc: incorrect calculation of register arglocs for double arguments
  • BUGFIX: some x64 OS X files would not properly decompile string literals using the CFSTR macro
  • BUGFIX: the size part of a scattered argument location could be missing. for example: arg<0:eax,4:rax^4, 8:edx> instead of arg<0:eax,4:rax^4.4, 8:edx>
  • BUGFIX: ui/qt: At startup, the navigation band could fail displaying the whole program address space and only show a part
  • BUGFIX: ui/qt: MSG_DELAYED_UPDATE was not respected anymore (i.e., it was impossible to force a repaint of the "Output window" as soon as text was inserted)
  • BUGFIX: ui/qt: accessibility: JAWS could read from the wrong cursor location after jumping to another place
  • BUGFIX: ui/qt: refresh_navband() was not refreshing until actions (zoom, scroll) were performed
  • BUGFIX: unpadded size of unions was incorrectly calculated
  • BUGFIX: windbg: debugging 32-bit processes or crash dumps in IDA64 would lead to a crash
  • BUGFIX: xcoff: x_smtyp was decoded in a wrong way, fixed
  • BUGFIX: DWARF: Disassembly for relocatable Mach-O files with DWARF information could be incorrect because of unhandled relocations
  • BUGFIX: DWARF: failed relocations into the .debug_info section, could cause the plugin to place variables at the wrong location in the disassembly
  • BUGFIX: DWARF: wouldn't notice buggy qualified typedefs in GCC < 4.4.1-produced PPC binaries, causing a lot of duplication in the final types list.
  • BUGFIX: IDAPython: Appcall could crash IDA with INTERR 30413
  • BUGFIX: MACHO: parsing of Objective-C information for Swift classes could be incomplete in 64-bit binaries
  • BUGFIX: UI: "Reload input file" function would ignore the full input path stored in IDB and only reload the file if it was present in the IDB directory
  • BUGFIX: elf: IDA would show wrong external symbol calls on specially-crafted ELF files
  • BUGFIX: elf: actually use file offsets from PHT when 'Force using of PHT instead of SHT' is set
  • BUGFIX: fixed infinite loop during switch analysis
  • BUGFIX: fixed the postfix generation for duplicate names
  • BUGFIX: idatui.cfg was not processed completely because the default value of SCREEN_PALETTE was considered to be wrong
  • BUGFIX: tils: fixed wrong definitions in the Vtbl for some COM interfaces
  • BUGFIX: ui/qt: dragging the "Graph Overview" dock widget around could crash IDA
  • BUGFIX: ui/qt: navigating in the graph view wouldn't restore the zoom level & preferred position

What's New in IDA 6.9

  • ARM64 decompiler arrived!
  • added MAX_NCOMMAS to limit the number of comma operators in expressions
  • added a new rule: (~x >> 31) != 0 => x >= 0
  • added a rule: fpval ^ 0x8000... => -fpval
  • added an action to revert CONTAINING_RECORD macro (if the macro was created from the pseudocode view)
  • added new rule: x + (-N) => x - N
  • added option "Print casts from string literals to pointers"
  • added support for _byteswap_uint64()
  • added support for andn and bextr instructions
  • added support for runtime data loss checking functions like RTC_Check_..
  • added support for smulbb and similar instructions
  • arm: added support for smfx
  • arm: big mixed scattered arguments were handled incorrectly
  • arm: renamed __rev and _revsh as bswapXX
  • better handling of movlpd/movhpd instructions (use regular mov's instead of intrinsic calls)
  • better handling of user-specified variables that overlap with other variables; now we detect this situation and remove overlapping vars (for stkvars)
  • display the switch cases in sorted order (as signed numbers)
  • fix the current compiler or calling convention if they were not set
  • if only low part of an xmm intrinsic result is used, replace it with a regular operator (add/sub/mul/div/etc)
  • improved "unmerge_calls" to handle more cases
  • improved array handling: instead of p->array+p->idx we now output &p->array[p->idx]
  • improved array references: was &arr[i1]+i2, now &arr[i1+i2]
  • improved detection of get_pc_thunk_xx functions
  • improved handling of clz(x)>>5
  • improved handling of sse2 floating point operations
  • improved handling of struct.field0 expressions in assignments
  • improved recognition of 64-bit multiplications
  • improved recognition of __thiscall calling convention
  • improved recognition of interblock setnz
  • improved recognition of sdiv/2
  • improved recognition of signed modulo by a power of 2
  • more accurate handling of va_list variables
  • more aggressive creation of return statements; this reduces the number of gotos and leads to shorter output
  • pc: added support for the 'std' instruction
  • sdk: added api functions to create new map instances
  • simplified index expressions like 'ptr[1-1]' to 'ptr'
  • BUGFIX: (&charptr)[idx] was incorrectly displayed as (&charptr)[idx*4]
  • BUGFIX: 16-byte assignments would be split into 4-byte assignments because we did not have support for 8-byte splits. added support for them
  • BUGFIX: 64-bit addresses could be truncated to 32-bits in the output
  • BUGFIX: aliased variables in the shadow argument area could be erroneously optimized away
  • BUGFIX: cast-8 rule could cause an internal error
  • BUGFIX: comparison of a floating point value against zero was decompiled incorrectly in some cases
  • BUGFIX: condition codes after interlocked add/sub operations were not properly set
  • BUGFIX: decompiler was still refusing to use a bad type after fixing it because its cache of bad types was not flushed
  • BUGFIX: decompiler would not allow setting argument type in function prototype when the function was returning a deleted type
  • BUGFIX: deleting mmx types (like __m128i) after decompiling some functions that use them could lead to interr 50078
  • BUGFIX: fisttp instruction was not supported (it is usually not used by compilers; fistp is used)
  • BUGFIX: fixed interr 50192
  • BUGFIX: fixed interr 50318 which could occur if va_list was undefined or defined incorrectly
  • BUGFIX: fixed interr 50593
  • BUGFIX: fixed interr 50632
  • BUGFIX: fixed interr 50877 (incorrect handling of ARM instruction LDRD R0, R1, [R0,#8])
  • BUGFIX: fixed interr 51031 (however, we still cannot handle scattered arguments well in some cases)
  • BUGFIX: fixed interr 51166
  • BUGFIX: if the source structure fields are calculated between assignment to the destination then put structure copy operator after all assignments
  • BUGFIX: in theory decompiler could lose some memory writes when optimizing microcode
  • BUGFIX: it was impossible to specify va_list as the function return type on x64
  • BUGFIX: local variable allocation could use wrong variables in some cases
  • BUGFIX: movddup instruction could cause interr 50098 in some rare cases
  • BUGFIX: propagating a call into stx could remove a sequence point
  • BUGFIX: psraw and similar instructions with an immediate second operand were decompiled incorrectly
  • BUGFIX: push/pop pairs with mismatching sp values would be incorrectly converted into mov
  • BUGFIX: some constant assignments could be missing from the decompilation output
  • BUGFIX: some floating point jumps were wrongly optimized away
  • BUGFIX: some interlocked intrinsic functions would not be recognized
  • BUGFIX: some references to imported symbols in relocatable elf files were handled incorrectly
  • BUGFIX: some references using CONTAINING_RECORD were wrong
  • BUGFIX: the decompiler would remove information about the variables used in an inlined function because they would disappear after collapsing the function; this would render future recognitions impossible
  • BUGFIX: in some cases decompiler rejected correct function prototypes entered by user (arm)