IDA: What's new in 6.3
Highlights
- Experimental source-level debugging
Current implementation requires PDB files with source line number info (Windows-only).
Other debugging formats to be added in the future.
Source file breakpoints are possible.
Also implemented in the decompiler - you can now step through the decompiled text.
Local and global variables are displayed.
Hooks for providing lines info and source files are available in the SDK, but API can change in future.
- Trace Replayer
Record execution traces, save, load and compare them.
Tracing can be enabled and disabled in breakpoint actions.
Replay the recording, step forward and backwards.
Show executed blocks and functions in IDA's graph view and proximity view.
See our blog for more details.
- Page-level breakpoints
Arbitrarily-sized memory breakpoints implemented using page permissions.
Can break on writes, reads and execution.
Currently available in the Win32, Bochs, and WinDbg debugger backends.
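The mechanism behind these page-level breakpoints (drop the page permissions over the watched region, catch the resulting access fault, record the faulting address, restore access so the instruction can complete) can be shown stand-alone on Linux. The program below is an added example written for this page, not IDA's own code: it maps one page, arms a watch over it with PROT_NONE, and a SIGSEGV handler records the faulting address and re-opens the page so the store finishes. The names `arm_watch`, `on_fault` and `demo_page_breakpoint` and the buffer contents are this example's own constructs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Watched region (constructed for the demo) and what the last fault looked like. */
static unsigned char *watched = NULL;
static size_t watched_len = 0;
static long page_size = 0;
static volatile uintptr_t last_hit = 0;
static volatile sig_atomic_t hit_count = 0;

/* SIGSEGV handler: if the fault lies inside the watched region, record it,
   re-open the covering page and return so the faulting instruction re-executes.
   Any other fault gets the default handler back and will crash as usual. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr;
    uintptr_t base = (uintptr_t)watched;
    if (watched != NULL && addr >= base && addr < base + watched_len) {
        last_hit = addr;
        hit_count++;
        uintptr_t page = addr & ~((uintptr_t)page_size - 1);
        mprotect((void *)page, (size_t)page_size, PROT_READ | PROT_WRITE);
        return;
    }
    signal(SIGSEGV, SIG_DFL);
}

/* Arm a "break on access" watch over [buf, buf+len): install the handler and
   strip all permissions from every page that overlaps the region. */
static int arm_watch(unsigned char *buf, size_t len)
{
    page_size = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)buf & ~((uintptr_t)page_size - 1);
    uintptr_t end = ((uintptr_t)buf + len + page_size - 1) & ~((uintptr_t)page_size - 1);
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    watched = buf;
    watched_len = len;
    return mprotect((void *)start, end - start, PROT_NONE);
}

/* Demo: map a page, watch it, write to byte 100 of it. Returns the offset at
   which the access was trapped, or -1 if nothing was trapped. */
long demo_page_breakpoint(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    if (arm_watch(buf, (size_t)pg) != 0)
        return -1;
    volatile unsigned char *vbuf = buf;
    vbuf[100] = 0x41;   /* faults, handler records offset 100, store then completes */
    long off = hit_count ? (long)(last_hit - (uintptr_t)buf) : -1;
    watched = NULL;
    munmap(buf, (size_t)pg);
    return off;
}

int main(void)
{
    printf("access trapped at offset %ld\n", demo_page_breakpoint());
    return 0;
}
```

Two design points worth noting. The handler re-opens the whole page, so the breakpoint is disarmed after the first hit; a debugger that wants it to stay armed single-steps the faulting instruction and then drops the permissions again. And because protection is per page, any access to the pages covering the region faults, which is why the handler checks the address against the watched range before reporting a hit.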
- User interface
Updated Qt libraries to version 4.8.1
Full-screen mode. Default hotkey is F11 on Windows and Linux and Cmd-Shift-F on OS X.
Full support for Numpad keys in shortcuts.
- FLIRT signatures
Many improvements in file parsers and sigmake.
Support for 64-byte long patterns (increased from 32 bytes).
Improved resolving and reporting of collisions in sigmake.
Visual C++ signatures regenerated from scratch; you should see a lot less "unknown_libname" in the listings.
Improvements in pelf parser:
- added option for generating one pattern per function instead of per code section
- ELF64 support
- record and honor Thumb bit for ARM files
- .NET file loader
Works in Linux, OS X.
Implemented loading of .NET files from scratch, without relying on .NET or Mono libraries.
Fixed several bugs in the process.
- Processor modules
new: M16C from Renesas (formerly Hitachi).
new: unSP from SunPlus.
new: TMS320C1 from Texas Instruments (contributed by Jeremy Cooper).
new: Philips XA51 (contributed by Petr Novak).
MIPS: Toshiba TX19a extensions and MIPS-MT, MIPS-3D, smartMIPS instructions.
PPC: support for paired single (Gekko) and VMX128 (Xbox360 Xenon) instructions.
PPC: added support for chip-specific SPRs, DPRs and memory-mapped registers.
- IDAPython
Switched to Python 2.7 on Windows and Linux.
Bundle prebuilt Python with Linux installer and offer to use it on x64 distros: this should resolve most of the IDAPython issues under that OS.
More APIs wrapped.
Added missing IDC functions to idc.py
Changelist
Processor Modules
- + 8051: added register definitions for 8032 variants
- + ARM: added recognition of R7 as the frame pointer in the thumb mode
- + AVR: added I/O port definitions for ATtiny2313 and ATtiny2313a (courtesy of Marcel Kilgus)
- + AVR: print immediate operands as unsigned by default (except for subi/sbci)
- + C166: added Tasking assembler style; added C166-specific SEG/@seg and SOF/@sof operators
- + C166: allow user to skip automatic creation of 64K chunks for binary code
- + CR16: added registers for CR16MCS9
- + H8: Added register definitions for H8S/2215R
- + I960: print memory-mapped register names in lda instructions
- + I960: relax memb operands decoding (apparently some assemblers do not produce completely correct instructions)
- + M16C: new processor module: Renesas (formerly Hitachi) M16C. Support for M16C/60, M16C/20 and M16C/Tiny models.
- + MIPS: added MIPS-MT, MIPS-3D, smartMIPS extensions
- + MIPS: added support for Toshiba TX19A instructions
- + PC: added support for "int 29h" (__fastfail call on win8)
- + PC: handle __alloca_probe_16 and __alloca_probe_8
- + PC: improved analysis of function frames that reuse ebp as a temporary register despite setting it up as a frame pointer
- + PC: improved analysis of function prologs
- + PC: improved recognition of import function thunks
- + PC: improved recognition of some jump tables generated by Mingw compiler
- + PC: recognize function prologs with inlined SEH setup (push offset __except_handler3) and parse SEH tables for them
- + PC: renamed some fields of the CPPEH_RECORD structure to match official names (e.g. "disabled" -> "TryLevel")
- + PC: decode RDRAND instruction
- + PC: improve recognition of SEH4 and GS/EH cookie set up in prologs
- + PPC: added support for device-specific SPRs, DPRs and memory-mapped registers; added definitions for mpc5xx
- + PPC: added support for paired single (Gekko) and VMX128 (Xbox360 Xenon) instructions
- + SuperH: handle switch patterns
- + TMS320C1: new processor module: Texas Instruments TMS320C1x series (contributed by Jeremy Cooper)
- + UNSP: new processor module: SunPlus unSP
- + V850: create stack variables in instructions like "movea N, sp, rX"
- + XA51: Philips XA51 (contributed by Petr Novak)
File Formats
- + CLI: the loader for .NET files is now available in Linux and OS X
- + COFF: added support for ARM COFF modules in AR files produced by Microsoft VC
- + COFF: support TMS320C3x files
- + ELF: mark TLS-specific relocations in x64 .o files
- + ELF: PPC: add support for R_PPC_DTPMOD32, R_PPC_DTPREL32 relocations
- + ELF: support for 4 new ARM relocs (TLS offsets (GOT & non-GOT), thumb32 MOVT, thumb32 MOVW)
- + ELF: X64: properly handle R_X86_64_GOTPCREL
- + EPOC: added support for BYTEPAIR code compression
- + MACHO: added support for ARMv7-specific object relocations (ARM_RELOC_HALF, ARM_RELOC_HALF_SECTDIFF)
- + MACHO: format and comment Mach-O headers
- + MACHO: handle LC_FUNCTION_STARTS load command and create functions for the addresses in the list
- + MACHO: warn the user if the file being loaded is encrypted
- + PDB: improved detection of data versus code symbols
- + PDB: improved handling of unnamed types
- + PDB: improved PDB loading on Linux/OS X to make the results close to those of Windows
- + PDB: support remote fetching of PDB symbols under Linux/OS X for PE drivers (.sys files)
- + PDB: print detailed info about PDB matching attempts with -z10000
- + PE: all sections with the executable flag set are loaded by default regardless of their name
- + PE: handle self-modifying relocation blocks
- + PE: if the PE header was loaded into database, format and comment its fields
- + PE: PECPU_ARMI files sometimes use Thumb-2 instructions, so set the ARM architecture accordingly
- + PE: speed up loading of files with large number of exports
Kernel
- + improved propagation of argument type info
- + avoid repeatedly calling simplex analysis by postponing the stack analysis until the final pass completely analyzes the function
FLIRT, TIL & IDS
- + FLIRT: for new version ARM signatures, set the T segreg (Thumb/ARM mode) according to the matched lib function
- + FLIRT: many improvements in file parsers and sigmake; better resolving of collisions
- + FLIRT: pelf: supply "-f" to create one pattern per function, instead of one pattern per text section.
- + FLIRT: pelf: support 64-bit ELF files
- + FLIRT: pelf: support for R_ARM_XPC25 & R_ARM_THM_XPC22 relocation types.
- + FLIRT: pmacho: support for fat Mach-O archives with AR subfiles in them.
- + FLIRT: sigmake: accept 64-bytes patterns .pat files
- + FLIRT: sigmake: "-r" switch to ignore references to other functions when creating patterns
- + FLIRT: support for 64-bytes signatures in IDA
- + FLIRT: when pattern matching succeeds but xref matching fails, notify the user about functions that were candidates for a certain piece of code.
- + IDS: IDA now can load .idt files from .zip archives
- + vc32rtf.sig: better signature; more leaves, fewer collisions.
- + updated vcseh.sig; added patterns for _EH_prolog/epilog functions
- + loadint: added comments for I/O ports commonly used in BIOS code: 2E-2F,4E-4F,70-77,92,B2-B3,EB
Scripts & SDK
- + IDAPython: added a configuration option (USE_LOCAL_PYTHON) to python.cfg to enable using a local library with Python modules (under IDADIR/python)
- + IDAPython: added missing IDC functions to idc.py
- + IDAPython: switched precompiled plugin on Windows and Linux to use Python 2.7
- + IDAPython: UI_Hooks class automatically unhooks itself when IDA quits, avoiding a crash otherwise
- + IDAPython: wrap more functions from nalt.hpp
- + IDC: added GetMemberId()
- + SDK: added 'changed_stkpnts' IDB event
- + SDK: added choose3() function to invoke the chooser that benefits from additional callbacks
- + SDK: added create_ea_viewer() and improved jumpto() with an additional argument
- + SDK: added DBG_FLAG_FAKE_MEMORY for debuggers without process memory
- + SDK: added for_all_bpts() function to iterate over breakpoints
- + SDK: added functions for the new tracing functionality
- + SDK: added get_name_of_named_type()
- + SDK: added hexview sample plugin
- + SDK: added processor_t::adjust_libfunc_ea
- + SDK: added qunlink() to remove a file
- + SDK: enabled the 'deprecated function' warning and marked the deprecated sdk functions so that the compiler complains about them
- + SDK: get_loader_name_from_dll(), get_loader_name() retain the file extension for scripted loaders
- + SDK: improved randomness in qtmpnam()
- + SDK: now it is possible to create an explicit code cross-reference to the next instruction (it will not get converted to a flow xref)
- + SDK: QueueSet, replacement for QueueMark, allowing for user-friendly messages.
- + SDK: removed FORM_MDI and added a warning that the next version of IDA won't support plugins with native windows
Installer
- + installer: all debug servers are now collected in the "dbgsrv" subdirectory of IDA
- + installer: Linux: bundle a Python 2.7 install with IDA, and offer to use it by default under Linux x64
- + installer: on OS X, add symlinks to IDA binaries directory and debug servers to the install directory
User Interface
- + UI: qt: added full screen mode. The default hotkey is F11 on Windows and Linux and Cmd-Shift-F on OS X.
- + UI: qt: it is now possible to configure the caret blinking interval
- + UI: qt: Numpad keys are treated correctly and don't conflict with normal keys
- + UI: qt: possibility to specify a hotkey for a chooser action
- + UI: for the "Don't display this message again" checkbox, add a comment if it applies only to current session or database (i.e. it's not global)
- + UI: switched to Qt 4.8.1
- + UI: replaced crash handler with Google Breakpad on Linux
- + UI: setting IDA_NOEH=1 disables IDA's crash handler on Linux/OS X (previously worked only on Windows)
- + UI: added "Break on access" to the segments popup menu if the currently selected debugger supports page breakpoints
- + UI: added Edit, Operand types, Set operand type command
- + UI: Do not show the 'copying huge amounts of data, continue?' dialog unless copying takes more than several seconds
- + UI: don't show edit/delete menu items in choosers when nothing is selected
- + UI: print xrefs to structures and members in the structures list (similar to xrefs in disassembly view)
Debugger
- + BOCHS: added support for Bochs 2.5.x
- + BOCHS: warn if detected version is greater than expected
- + BOCHS: PE TLS callbacks with wrong calling convention could mess up the stack and cause a weird exception in bochsys.dll
- + debugger: added support for arbitrary-sized memory breakpoints (implemented using page permissions). First implementation available for Win32 and Linux.
- + debugger: added "warn", "log" and "silent" options for reaction to exceptions
- + debugger: debug traces can now be saved, loaded and compared
- + debugger: experimental source-level debugging feature. Currently available only on Windows and requires PDB files with line number info.
- + debugger: input/output redirection is now specified as part of the argument string, not the input file name
- + debugger: OS X: disable ASLR on Lion; explicitly specify the desired bitness of the debugged process
- + debugger: OS X: support for debugging on Lion (handle relocatable dyld)
- + debugger: support loading of COFF debug info from PE files (used by Cygwin/MinGW compiler)
- + debugger: unlink, rename, mkdir functions are available in low level breakpoint conditions
- + debugger: Win32: when attaching, show full executable paths in the list and also label 32/64-bit processes if running on a 64-bit OS
- + debugger: WinCE: initial support for WinCE 6.0 debugging
- + debugger: WinCE: new debugger module and server for debugging WinCE devices over TCP/IP; now it's possible to debug WinCE devices from Linux (since ActiveSync is not required)
Bugfixes
- BUGFIX: 'produce exe' command was inviting the user to overwrite the current idb file
- BUGFIX: .pdata section of PE files for ARMI architecture was not parsed correctly
- BUGFIX: added a workaround for integer overflow in 'operator new []' if compiled with GCC
- BUGFIX: AF2_STKARG option was ignored by the analysis engine
- BUGFIX: an attempt to create a huge segment that can not be created could corrupt the database in some cases
- BUGFIX: ARM: more correct frame setup in Thumb mode (local variables were lumped together with saved registers)
- BUGFIX: automatic database snapshots were not working if no snapshots existed before
- BUGFIX: C166: I/O registers with addresses above 64K were not handled
- BUGFIX: C166: memory accesses to I/O registers did not use symbolic names if their address was not present in database
- BUGFIX: C166: some instructions that used SFR encodings to access GPRs were decoded incorrectly
- BUGFIX: C166: some invalid DSP instructions were accepted by the disassembler
- BUGFIX: C166: the C166v2 instructions ENWDT and SBRK were not decoded
- BUGFIX: calling get_member_name() with a NULL buffer would crash IDA
- BUGFIX: CLI: array dimensions display was wrong
- BUGFIX: clicking 'Cancel' while uploading a file was not working
- BUGFIX: CR16: register pair operands were printed in wrong order
- BUGFIX: CR16: some CR16B instructions were not decoded
- BUGFIX: creating an enum for a processor with 32-bit wide bytes would lead to interr
- BUGFIX: DBG: CodeView NB11 debug information embedded in PE files was not handled properly
- BUGFIX: DbgByte() and similar functions could not be used in bpt conditions if the debugger backend was WinDbg
- BUGFIX: debugger could crash if user requested to terminate the process but the process was already dying (occurs very rarely)
- BUGFIX: debugger: in WinDbg kernel mode, sometimes it was impossible to continue after stopping at a breakpoint
- BUGFIX: debugger: system properties were not available for the applications launched by IDA's remote debugger server
- BUGFIX: debugger: the "Analyze module" command could put IDA into infinite loop in some cases
- BUGFIX: do not allow handling debug events (i.e., calling GetDebuggerEvent) from a breakpoint condition
- BUGFIX: EBP value reported by the windbg module was not always correct (e.g. at the function entry)
- BUGFIX: ELF: handle files with bogus sh_info values for REL sections (produced by some versions of GNU gold linker)
- BUGFIX: ELF: RELA relocs should ignore the original value and use just the addend
- BUGFIX: ELF: some files from LynxOS could not be loaded
- BUGFIX: ELF: some MIPS relocations were handled incorrectly
- BUGFIX: empty strings in collapsed structures were printed incorrectly
- BUGFIX: for collapsed items IDA was not considering the collapsed line as the most important line; breakpoints were displayed on a wrong line for such items
- BUGFIX: forms: pressing Enter on a readonly combobox would crash IDA
- BUGFIX: GDB: after continuing from a signal IDA kept sending the signal when continuing from next events
- BUGFIX: GDB: debugging of big-endian ARM targets did not work correctly
- BUGFIX: GDB: fixes for multi-thread debugging (resolves issue with VMWare 8.x multi-processor VMs)
- BUGFIX: GDB: floating-point registers were displayed as integer ones
- BUGFIX: H8: addresses of @aa:8 and @aa:16 operands were truncated on output
- BUGFIX: IDA complained on first saving of database if CREATE_BACKUPS was set to YES
- BUGFIX: IDA could crash if a function iterator was still alive at the exit time
- BUGFIX: IDA could crash trying to save desktop if the connection to the remote debugger server was lost
- BUGFIX: IDA could crash when refreshing an empty process list
- BUGFIX: IDA could crash when starting debugging with Bochs
- BUGFIX: IDA could interr when clicking inside text part of hex view in edit mode
- BUGFIX: IDA was refusing to load relocatable ELF files with non-zero section bases
- BUGFIX: IDA would crash if CleanupAppcall() was called while no Appcall was in progress
- BUGFIX: IDAPython: Functions() could miss some functions if the specified range was starting with a function tail chunk
- BUGFIX: IDAPython: op_t.is_reg() was broken
- BUGFIX: IDAPython: scripts residing in directories with specific names next to the IDB could be executed automatically during IDA startup
- BUGFIX: idaw/idal would display "internal error" while trying to show the commandline usage topic (-?,-h switch)
- BUGFIX: IDC: #include "absolute_path" was not accepted by ida
- BUGFIX: IDC: GetManyBytes() would interr if called while win32 debugger was active
- BUGFIX: IDC: proper exception messages were not displayed in some cases (e.g. for breakpoint conditions)
- BUGFIX: IDC: negation of floating point values was impossible
- BUGFIX: if some TILs could not be loaded, the local TIL would not be loaded either
- BUGFIX: in proximity view, some edges between functions might not be added if function B references function A but function A had already been visited
- BUGFIX: instant debugger for OS X was not working
- BUGFIX: it was impossible to save a temporary database using the menu command
- BUGFIX: MACHO: fix some ObjC metadata parsing issues
- BUGFIX: MACHO: relocations of type X86_64_RELOC_BRANCH were not correctly applied in final linked files
- BUGFIX: MIPS: jalrc instruction was incorrectly marked as not returning
- BUGFIX: MSP430: jc and jnc instructions were swapped
- BUGFIX: PC: an interr could happen if code changed during debugging
- BUGFIX: PC: instructions like 'pop [esp+N]' use the updated value of esp; IDA was not aware of that
- BUGFIX: PC: it was impossible to assemble 'jmp short' in the presence of non-trivial segment selectors
- BUGFIX: PDB: dbgeng.dll was freed too early in some cases
- BUGFIX: PDB: fix "Parse error near: GUID" messages when loading PDBs during debugging
- BUGFIX: PDB: recursive self-referencing type definitions in PDB files could result in interrs
- BUGFIX: PDB: some structures involving unnamed unions could not be imported into IDB
- BUGFIX: qsem_wait() could return too early on linux (because of EINTR)
- BUGFIX: qt: "Script file..." Menu option was always defaulting to the IDC directory on Linux/OS X
- BUGFIX: qt: changing the color of a graph node with shadows disabled would crash IDA
- BUGFIX: qt: enabling accessibility on OSX could cause IDA to crash deep inside Qt
- BUGFIX: qt: hotkeys set in idagui.cfg for switching between graph, flat and proximity views were ignored under some circumstances
- BUGFIX: qt: in case of a wrong input in a form field the control didn't get focus
- BUGFIX: qt: in IDA 6.2 Shift + double click was not selecting the current identifier
- BUGFIX: qt: it was not possible to cancel adding children/parents of selected nodes in proximity view
- BUGFIX: qt: it was not possible to enter expressions in the structure offset dialog
- BUGFIX: qt: message boxes could show up on the wrong screen in a multi-screen environment
- BUGFIX: qt: not specifying the initial directory in askfile was resulting in a wrong one
- BUGFIX: qt: proximity view code for handling shortcuts "+" and "-" was also handling the cases where Ctrl, Alt or Shift keys were pressed
- BUGFIX: qt: setting the selection of multiple rows in the chooser was not behaving correctly and was also slow
- BUGFIX: qt: the arrows in disasm views opened by the user were not correctly resized
- BUGFIX: qt: the default shortcut context for local actions was wrong
- BUGFIX: qt: the hex view wasn't saving its configuration
- BUGFIX: qt: the native file dialog on OSX doesn't allow shortcuts such as copy and paste because of a bug in Qt, use the Qt file dialog instead
- BUGFIX: qt: the waitdialog wasn't refreshing the label without a wasBreak call
- BUGFIX: SDK: del_segm() was ignoring SEGMOD_SILENT; also pass on the silent flags when deleting or adding additional segments in add_segm_ex
- BUGFIX: SDK: description of parameters for the 'b' form specifier (combobox) was incorrect
- BUGFIX: SDK: qsem_create() could fail on OS X with ENAMETOOLONG; now we use MD5 of the name instead
- BUGFIX: SDK: validate_name() could overwrite its input buffer by one byte
- BUGFIX: SuperH: wrong cross-references could be created for @(<delta>,gbr) operands if delta was greater than 0x7F
- BUGFIX: the screen was not always refreshed after changing an item color from a script
- BUGFIX: the screen was not always refreshed after renaming a location from a script
- BUGFIX: there was no error dialog box if the user entered erroneous declaration while inserting a new local type (however, detailed error messages were still printed in the output window)
- BUGFIX: TIL: the time_t type was incorrectly defined as 64-bit in "mssdk" and related type libraries
- BUGFIX: TMS320C3x: 16-bit immediate operands could not be converted to enums
- BUGFIX: TMS320C3x: it was not possible to use custom offsets for operands with displacement
- BUGFIX: TMS320C3x: register renaming did not work properly for operands with complex addressing modes
- BUGFIX: Tricore: floating-point data items were not printed as such
- BUGFIX: TXT: file timestamps were wrong in the text UI's file browser on Windows
- BUGFIX: UI: accidentally pressing A in the struct view would spoil the current struct field
- BUGFIX: UI: expanding collapsed segments did not always work
- BUGFIX: UI: choosers that display contents from the database (e.g. instructions with comments) could be using wrong encoding
- BUGFIX: UI: context menu was always shown at the mouse position, even if triggered from keyboard
- BUGFIX: UI: copying strings with custom encoding (e.g. UTF-16LE) would copy incorrect data to clipboard
- BUGFIX: UI: crash in hexview if user specified unsigned representation for floating values using keyboard shortcuts
- BUGFIX: UI: IDA could lock up when calling up the "Structure Offsets" dialog
- BUGFIX: UI: instruction comments could disappear in the find all occurrences retrieved list
- BUGFIX: UI: it wasn't possible to effectively change the hotkey for proximity view
- BUGFIX: UI: numeric keypad keys were not working in hex view's edit mode
- BUGFIX: UI: plugin comments would not show up in the status bar
- BUGFIX: UI: setting the default debugger did not work
- BUGFIX: UI: Shift+Home, Shift+End were working incorrectly in choosers
- BUGFIX: UI: some actions would print unnecessary "Command <...> failed" in the Output window when cancelled by the user
- BUGFIX: UI: status bar in choosers was not refreshed after some navigation events
- BUGFIX: UI: the structure offsets dialog could be displayed even without selection
- BUGFIX: UI: too many bookmarks could make the context menu unusable
- BUGFIX: UI: ui_saved event was happening too early, before the database was fully saved
- BUGFIX: using "Create EXE file" was incorrectly trying to load a DLL if the file was loaded with a scripted loader. Now a proper message is displayed (saving files with scripted loaders is not supported)
- BUGFIX: when mapping a local type to another, the corresponding IDB structure or enum was not being deleted
- BUGFIX: windmp: the check for 64-bit data in the dump file was not working properly
- BUGFIX: wrong input values in the 'load binary file' dialog were silently preventing the user from closing the dialog and continuing; added a warning message
Copyright (c) 2013 Hex-Rays SA
IDA Pro 6.2 feature list (October 5, 2011)
- GUI installers for Linux and OS X
No more manual extraction of tar archives for Linux or OS X.
A new installer is provided for ease of installation.
- Proximity view
The proximity viewer allows the user to see and browse the relationships between functions, global variables, constants, etc.
It can be used, for example, to visualize the complete callgraph of a program, to see the path between two functions or what global variables are referenced from some function.
- UI shortcut editor
With this feature, it is possible to change and re-assign the shortcuts of built-in IDA actions and the default shortcuts of plugins, external menu entries and IDC scripts.
- UI filters in choosers
This feature is very handy when it comes to filtering out the content of choosers in order to show or highlight the items that matter.
- PE+ support for Bochs (64-bit PE files)
Now the Bochs debugger plugin supports debugging basic PE+ executables.
API emulation via scripting also works as usual.
- Database snapshots
In this version, it is possible to take database snapshots and restore them when needed (hierarchical snapshots are supported as well).
- Automatic new version check
Checking for new versions of Hex-Rays products has been improved. This new addition checks for new versions of IDA Pro or the Hex-Rays Decompilers.
- Cross-references to structure members
Another nice addition is xrefs to structure members. This feature comes in handy, for example, when tracking data structure use while reversing a program.
- Apple is not standing still and in iOS 5 the default compiler will be LLVM instead of GCC. It produces somewhat different code and we have improved our processor module to handle it. Compare two snippets of the same file.
IDA 6.1:
IDA 6.2:
We now also parse and analyze Objective-C 2.0 metadata structures produced by the compiler.
Using that information, we rename methods, create structures for classes, and apply C-style prototypes
to methods for better results in the decompiler.
We have also added support for the dyld_shared_cache format used in current iOS versions.
kernelcache files are also recognized now and are split into separate KEXTs.
- IDAPython 1.5.3
IDAPython has been updated. The most notable additions:
- More form control support (refer to AskUsingForm() documentation in the SDK)
- New processor and UI notification callbacks
- New APIs and samples
- IDC compatible netnode support
- ! and ? pseudo commands to shell execute and retrieve documentation
- Support for extending IDC functions using Python
- Working with patched bytes
- Binding of hotkeys with Python functions (no need to go through IDC anymore)
- Floating licenses
An IDA Pro floating license can be installed on many computers, but only the purchased number of seats can be used simultaneously. Floating licenses require installation of a license manager to track license use. This feature is useful for enterprises that want to optimize their license use.
Changelist
Processor Modules
- + 65816: A 65816 CPU module (used in SNES consoles)
- + ARM: better tracking of cross-references in code produced by LLVM compiler (MOVW+MOVT pairs)
- + Dalvik: decode instructions produced by dexopt (odex)
- + HCS12X: implemented extended direct addressing (using DIRECT Direct Page register)
- + PC: improve recognition of x64 switches produced by GCC
- + PC: most assemblers encode mov ds, ax and mov ds, eax differently; handle it in the same way
- + PC: some sparse switches produced by Visual C++ for x64 were not recognized
- + PC: __SEH_prolog and similar functions were not properly handled in debugged modules
- + PC: display "66 90" as "xchg ax, ax"
- + PPC: decode tlbie and tlbiel with an optional immediate operand
- + SuperH: track values loaded into the gbr register
- + Z8: added configuration file for device-specific registers, including the Extended Register File banks
- + Z8: detect the use of different register banks by tracking changes to the register pointer (RP) value
File Formats
- + SMC: added a SNES rom loader
- + ELF: added support for MN10200 and MN10300 (AM33, AM34) files
- + ELF: added support for x64 TLS relocations in object files
- + ELF: ARM: added support for R_ARM_THM_PC8 relocation
- + LOD: added a loader for Motorola DSP56000 .LOD files
- + MACHO: entry point was not set properly for some packed files
- + MACHO: parse Objective-C 2.0 metadata, rename methods, create structures
- + MACHO: support dyld_shared_cache file format
- + MACHO: detect OS X/iOS kernelcache files and split the image into kext subfiles
- + PE: added support for ARMv7 relocations (MOV32T)
- + PE: create segments for gaps between sections when complete file is mapped to memory
- + PE: manually loading PE files will prompt before processing the export directory and the TLS entries
- + PE: overlays can now be loaded in manual mode
- + UImage: added a loader for U-Boot images
- + PDB: support PDBs for ARMv7 files
Kernel
- + Improved display of self-modifying code which changes during debugging
- + Track cross-references to structure members
FLIRT & TILS
- + TIL: tilib: added support for the new constructs from VC10 header files
- + TIL: added VC10 TIL file
- + FLIRT: pelf: added R_ARM_THM_PC8 support
Scripts & SDK
- + IDAPython: added add_hotkey and del_hotkey() to associate hotkeys with Python functions
- + IDAPython: added execute_sync() to insert a function call into the UI message queue
- + IDAPython: added execute_ui_requests()
- + IDAPython: added idautils.ProcessUiActions() to process more than one UI action at a time
- + IDAPython: added IDC array functions in idc.py module
- + IDAPython: added IDC hash functions in idc.py module
- + IDAPython: Added MakeCustomData() (and related MakeCustomDataEx)
- + IDAPython: added ph_get_operand_info()
- + IDAPython: Added Structs() and StructMembers() generator functions
- + IDAPython: added support for multiline text input in the Form class
- + IDAPython: added the assemble callback
- + IDAPython: added timer functions
- + IDAPython: added ui_term/ui_save/ui_saved/ui_get_ea_hint UI notifications
- + IDAPython: added visit_patched_bytes()
- + IDAPython: better error reporting for plugin scripts, loaders and processor modules
- + IDAPython: introduced the '!' (shell command) and '?' (Python help) pseudo commands to the CLI
- + IDAPython: it is now possible to add/register new IDC functions from Python
- + IDC: added GetNsecStamp()
- + IDC: DecodeInstruction() now exposes the canonical feature and mnemonic
- + IDC: it is now possible to catch IDC script interruption (with a try/catch) and resume execution if needed
- + IDC: renimp.idc: added support for PE+
- + SDK: added ALOPT_IGNPRINT option for get_max_ascii_length()
- + SDK: added execute_ui_requests() to execute a list of UI requests asynchronously
- + SDK: added extlang->run_statements() callback
- + SDK: added find_extlang_by_name()
- + SDK: added gen_rand_buf() to generate random data
- + SDK: added get_ascii_contents2()
- + SDK: added LP_USE_SHELL bit to launch_process() to launch commands using a shell
- + SDK: added new breakpoint management functions to work with source and module relative breakpoints
- + SDK: added qcopyfile()
- + SDK: added qfsize() and deprecated efilelength()
- + SDK: added qtime64_t and supporting functions
- + SDK: added read/write_dbg_memory(), set_reg_vals() and get_dbg_memory_info()
- + SDK: added register_addon() to allow registration of plug-ins and other add-ons for the About box
- + SDK: added save_database_ex()
- + SDK: added snapshot management plugin sample
- + SDK: added snapshot manipulation functions
- + SDK: added ui_requests plugin sample
- + SDK: added visit_patched_bytes()
- + SDK: exec requests can now set code = 0 inside their execute method to delegate their destruction to handle_exec_request
- + SDK: exported base64_encode/base64_decode functions
- + SDK: introduced ASKBTN_XXX constants for askyn() and askbuttons() functions
- + SDK: moved debugger related functions to dbg.hpp (get_dbg_byte, etc)
- + SDK: updated the "uunp" plugin to support PE+ when used in manual reconstruction mode
- + SDK: Windbg: added debugger extension interface
- + SDK: removed support for create_flow_chart() and flow_chart_t. Please use qflow_chart_t instead.
- + SDK: UI: added a way to specify and retrieve user data in forms
- + SDK: UI: added the close() method to form actions
- + SDK: UI: added timers API for plugins
- + SDK: UI: qt: added the code viewer control
- + SDK: UI: qt: added the get_attrs callback to embedded choosers
User Interface
- + GUI installer for Linux and OS X
- + UI: added the proximity browser view
- + UI: added IDA_NOEH environment variable to disable IDA exception handler on Windows
- + UI: setting IDA_MINIDUMP=NO disables minidump writing on Windows
- + UI: File/IDC command (Shift-F2) has been replaced with File/Script command to execute a statement with a selected extlang
- + UI: Edit/Patch functionality is now enabled by default
- + UI: added "Edit/Patch/Apply patches to input file" functionality to directly save the patches back to the input file
- + UI: added combobox and multi-line edit controls to forms (AskUsingForm())
- + UI: added a menu item "Report a bug or an issue..."
- + UI: added a status bar context menu item for quick access to processor-specific analysis options
- + UI: added an option to automatically check for new versions and request updates for IDA
- + UI: added database snapshots support
- + UI: added the 'select nodes of this color' right click menu command (available in the graph mode)
- + UI: AskUsingForm_c() no longer exits IDA in case of form syntax error. Very useful when building forms dynamically from IDAPython
- + UI: idag.exe and idau.exe are discontinued
- + UI: idaq now uses CHM (HTML Help) under Windows
- + UI: plugins can now be quickly executed using the "Quick plugin run" functionality (Ctrl-3)
- + UI: qt: added the MSG_DELAYED_UPDATE configuration option
- + UI: qt: added the shortcut editor
- + UI: qt: all Ctrl-Ins copy shortcuts were changed to Ctrl-C
- + UI: OSX: 'I' key is used in place of 'Ins' on OS X
Debugger
- + Added the '-I' command line switch to install IDA as a just-in-time debugger
- + debugger: added "event condition" debugger option to allow breaking when a debug event matches a given criteria
- + debugger: huge zero filled arrays are displayed faster in the debugger (do not use the dup construct for them)
- + Bochs: added option to disable Activation context and SearchPath() usage (this allows loading libraries from the current directory or search path without an activation context applied)
- + Bochs: added support for PE+ (64-bit PE files)
- + PDB: handle MIPS16 and ARMv7 files (low bit of the symbol address specifies Thumb/MIPS16 bit)
- + Win32/Linux/Mac debuggers now support I/O redirection
- + Win32 debuggers now have a new window to show the SEH list
- + Windbg: added option to disable debugger auto launch for crash dump files
Bugfixes
- BUGFIX: 'edit breakpoints' dialog was still wrong in 6.1
- BUGFIX: 'search for undefined address' (Ctrl-U) was not working correctly in debugger segments
- BUGFIX: an exception in asynchronous execution request (execute_sync) could crash ida
- BUGFIX: ARM: instructions combined into macros inside IT blocks could lead to wrong disassembly
- BUGFIX: armuclinux server was probably broken (it was using a separate thread to listen to debuggee events but uclinux seems to have issues with that)
- BUGFIX: associating .idb extension with idaq was broken
- BUGFIX: Bochs debugger in disk image mode would display wrong addresses sometimes (caused by optimizer bug in VS2010 compiler)
- BUGFIX: bochs was not handling sections with vsize==0 properly
- BUGFIX: bochsrc loader was failing to load the boot sector of the disk images if it was larger than 4GB
- BUGFIX: choosing a device configuration in some processors could crash IDA on Windows
- BUGFIX: clicking on the title of a group node could crash IDA
- BUGFIX: debthread could not handle a hung remote server correctly
- BUGFIX: debugger: long DNS lookup for the connected peer name could lead to failure of the remote debugging session
- BUGFIX: demangler option "no return types of functions" had no effect for Borland mangled names
- BUGFIX: DOS: programs with Borland overlays (FBOV) were loaded incorrectly
- BUGFIX: EPOC: imports from hal.dll were not renamed
- BUGFIX: Executing a script that could cause a desktop switch (start or stop debugger) from the recent scripts window would crash IDA
- BUGFIX: find_binary() was crashing if radix of 0 was passed
- BUGFIX: find_strmem2() with STRMEM_INDEX was broken
- BUGFIX: get_next_struc_idx(-1) was not returning -1 as it should
- BUGFIX: get_type_size() could return >0 value for some illegal types
- BUGFIX: High 64 bit addresses were not being parsed properly by IDAPython in idaq64
- BUGFIX: IDA could crash if starting the application the first time failed (e.g. application path was wrong)
- BUGFIX: IDA could interr when trying to edit an address name in stack view
- BUGFIX: ida was failing with interr 40419 while rendering some graphs
- BUGFIX: IDAPython: Calling set_script_timeout() from callbacks may show the script wait box dialog with no possibility to close it
- BUGFIX: IDAPython: dbg_bpt was called instead of dbg_trace for a DBG_Hooks class implementation
- BUGFIX: IDAPython: dbg_read|write_memory() and dbg_get_thread_sreg_base() were broken
- BUGFIX: IDAPython: del_menu_item() was failing to delete menu items inserted in the middle of a menu list
- BUGFIX: IDAPython: get_blob() was returning a buffer with at most MAXSPECSIZE bytes
- BUGFIX: idapython: idaapi.get_item_head() was ignored
- BUGFIX: IDAPython: idc.GetString()/idaapi.get_ascii_contents()/idautils.Strings() were limited to MAXSTR string length
- BUGFIX: IDC: DelStruc() was behaving as a 'void' function (always returning 0)
- BUGFIX: IDC: on OS X, macros with 6 or more arguments would cause a syntax error
- BUGFIX: IDC: rotate_left() was broken
- BUGFIX: if a function lost some basic blocks (for example, because the user truncated it), its flowchart might be rendered with some empty nodes
- BUGFIX: if a read or read/write hardware breakpoint and a software breakpoint were defined at the same address, IDA would get confused when such a breakpoint gets hit
- BUGFIX: illegal graph group info in the IDB could crash IDA
- BUGFIX: immediate search could not match the search criteria against defined data items
- BUGFIX: import libraries for gcc under ms windows were erroneously including _alloca and _main symbols.
- BUGFIX: in some cases IDA was trying to read memory outside of ranges provided by a debugger module
- BUGFIX: It was not possible to suspend Bochs if the debuggee was continuously calling an API which is emulated by an IDC script
- BUGFIX: launch_process() was crashing in unix if command line arguments were NULL
- BUGFIX: linker directives with non-ascii characters in coff files would be displayed incorrectly
- BUGFIX: location of relative breakpoint was displayed in absolute notation in some cases
- BUGFIX: multithreaded Android applications could not be debugged on some devices
- BUGFIX: non-null terminated strings were printed incorrectly for assemblers with ASCIIZ directives (such as AIX PPC assembler)
- BUGFIX: Opening a crash dump file was failing in some cases
- BUGFIX: opening a malicious idb could lead to launching of debugger on any file (including files accessible with webdav)
- BUGFIX: PC: handling of __fastcall calling convention for Delphi was wrong
- BUGFIX: PC: mov to/from CRn/DRn ignores the mod field and always treats operands as registers (thanks to Ange Albertini)
- BUGFIX: PC: type information from .til files was not used for __fastcall APIs (e.g. KfAcquireSpinLock)
- BUGFIX: PPC: dccci instruction with non-zero operands was decoded incorrectly
- BUGFIX: PDB: loading symbols for a module in memory (during debugging) could fail
- BUGFIX: PDB: old way of retrieving symbols (via dbghelp.dll) did not work for 64-bit modules loaded above 4GB
- BUGFIX: PDB: the "Load debug symbols" command was trying to use local files even when debugging remotely
- BUGFIX: PE loader could not properly handle relocations of type IMAGE_REL_BASED_DIR64
- BUGFIX: PE: files with exceedingly big relocation table size could not be loaded
- BUGFIX: PE: MIPS16 and ARMv7 exports and .pdata entries were not handled correctly
- BUGFIX: PE: some files with bogus/huge ImageSize could not be loaded (thanks to Ange Albertini)
- BUGFIX: qrealloc() was freeing the original pointer if allocation failed
- BUGFIX: qsem_create() was ignoring the initial value in mac
- BUGFIX: qt: askfile_c() was returning paths with forward slashes (/) on Windows; this broke some old plugins
- BUGFIX: qt: custom graphs were sometimes displaying some additional misplaced context-menu items
- BUGFIX: qt: forms with no dialog buttons (yes, no, cancel) would cause a crash
- BUGFIX: qt: jump buttons in the CPU Registers window were not working correctly on OSX
- BUGFIX: Qt: On OS X, shortcuts not defined inside idagui.cfg could contain the wrong modifier
- BUGFIX: qt: rendering on mac had problems because of a bug in the Carbon API
- BUGFIX: qt: some actions were not disabled in the stack frame view
- BUGFIX: qt: the jump xref action was missing in the stack frame view
- BUGFIX: qt: the strings sub-menu was missing letter shortcuts
- BUGFIX: qthread_kill() was freeing qthread_t in Windows; it should not
- BUGFIX: running ida with -z10000 could lead to deadlocks or crashes (for win32/linux/mac debugger modules)
- BUGFIX: SDK: askfile_c() default answer was not populated properly if it contained an absolute file path
- BUGFIX: SDK: qfilesize() now returns 0 if file is too large or does not exist (use get_qerrno() to tell the two cases apart).
- BUGFIX: second failed attempt to launch the debugger would lead to interr
- BUGFIX: some edges of the graph would be rendered incorrectly after deleting an uncollapsed group (only if the graph contained more than one group)
- BUGFIX: text version of ida could hang while executing a script that handles numerous debug events
- BUGFIX: the form change callback of AskUsingForm() may be called recursively (leading to a crash) when using fa.set_field_value()
- BUGFIX: the function flowchart with custom layout and collapsed groups could be refreshed incorrectly in some cases
- BUGFIX: UI: "set segment register value dialog" was still using segment selectors even if the processor module had PR_SGROTHER flag set
- BUGFIX: UI: it was not possible to set a structure member's type to Float from the menus
- BUGFIX: UI: refreshing the graph was not resetting all the variables, some were still pointing to old nodes
- BUGFIX: UI: text version was crashing when calling up "Processor-specific options"
- BUGFIX: UI: the "Analysis enabled" checkbox in the load file dialog did not work as expected for non-x86 files
- BUGFIX: UI: the notepad text could exceed the maximum size and overwrite other blob indexes
- BUGFIX: under Windows, IDA still loaded a plugin even if it was renamed to e.g. plugin.plw1 (because the short name extension was still .plw)
- BUGFIX: Windbg 64bit was always proposing to run the dbgsrv even for 32bit apps
- BUGFIX: Windbg debugger in kernel mode would show one big segment called MEMORY in some cases
- BUGFIX: windbg debugger plugin was ignoring the DBGTOOLS value in ida.cfg
- BUGFIX: Windbg plugin was not able to restore absolute breakpoints on the process start if the memory was not already mapped
- BUGFIX: Windbg plugin was not working properly in kernel debugging with reconnect mode
- BUGFIX: Windbg: re-attaching to the kernel debugger may in some cases yield an empty module list (in the modules list window)
- BUGFIX: Windows plugins that used create_flow_chart() function (e.g. Color Loops) were crashing IDA 6.1.
- BUGFIX: IDAPython: calling reserve() on a movable type regvals_t was crashing due to regval_t.clear() with garbage values
IDA Pro 6.1 feature list (April 8, 2011)
HIGHLIGHTS
- Support for Android
The long awaited Android support in IDA is ready!
The new version can disassemble Android bytecode (Dalvik).
An IDA user kindly contributed the processor module and file loader (thank you!)
A screenshot for your pleasure:
Dalvik disassembler is available in the Advanced Edition.
Native ARM code can be debugged too.
IDA Pro supports mixed ARM/Thumb code and can handle multithreaded applications:
- 64-bit support for Bochs/GDB debuggers
The Bochs emulating debugger is very handy for small snippets of code.
Before we could handle only 32-bit code but the new version adds 64-bit support.
Currently only the IDB mode is supported, later we plan to add PE+ support as well.
The GDBServer module adds x64 support and works with the latest VMWare versions.
- Loading PDB files under Linux/MacOSX
Another long awaited feature is loading of PDB files under Linux and
Mac OS X. Lack of this feature was a blocking factor for many Unix
users. It is available now. Below is a screenshot made immediately after
loading a PE file with PDB info on Linux:
We added PDB support to the win32 debugger server. The Unix version
of IDA connects to a remote MS Windows computer (or local Wine session)
and retrieves PDB information from it.
- String encodings
Not only Unicode, but other character encodings can be displayed
in the disassembly listing. It is even possible to specify the encoding
of individual strings:
- Low level conditional breakpoints
Conditional breakpoints can be very slow, especially during remote
debugging. We addressed this problem by creating server side low
level conditional breakpoints. They speed up the debugger tremendously.
In our tests breakpoints were handled more than 20 times faster, even
when running the remote server on the same computer as IDA Pro. Low
level breakpoints are beneficial even for local debugging, so they are
available for local debuggers too:
By the way, the screenshot shows other new breakpoint features:
module relative, symbolic, and source code breakpoints.
Unfortunately we had no time to finish source level debugging, so source
level breakpoints are disabled for the moment.
- Multithreaded debugger
Another measure to speed up the debugger: we made the debugger itself
multithreaded. While this feature is not visible, it makes IDA Pro
more responsive and enjoyable to use. Also we introduced multithread
support in the IDA kernel. The kernel is still single threaded but it is much
more friendly towards multithreaded plugins.
- Power PC improvements
Many things were improved in the Power PC module. All the latest instructions
defined by Power ISA were added, including Altivec and VSX extensions.
Another addition is the VLE (Variable Length Encoding) instruction set,
used in many embedded PPC processors.
Also useful for embedded PPC is the new option to set a fixed value for the
r13 register, commonly used as base for the small data area.
- Wingraph is back!
Chris Eagle has ported Wingraph32 to Qt framework (thanks!), and now we
include it with all platforms, not just Windows.
- SPU
In addition to Dalvik, there is another new processor module in 6.1.
It is the SPU (aka Synergistic Processing Unit) of the Cell BE processor,
used in Sony PS3 console. This processor module is available in the
Advanced Edition.
PROCESSOR MODULES
-----------------
+ DALVIK: new processor module (Android Dalvik VM)
+ SPU: new processor module (Cell Broadband Engine Synergistic Processor Unit); contributed by Felix Domke
+ ARM: turned on BL-as-jump analysis for ARM code. Before it was enabled only for Thumb code
+ AVR: added XMega instructions DES, LAC, LAS, LAT, XCH
+ AVR: decode eijmp and eicall instructions
+ C166: allow double-word and floating-point items in the disassembly
+ EBC: discover and comment function thunks
+ EBC: implemented instruction auto comments
+ EBC: made disassembly syntax closer to the one used in UEFI specification
+ EBC: trace stack pointer and create stack variables
+ MIPS: added support for Cavium Networks (Octeon) instructions
+ MIPS: added support for MIPS64r2 instructions (doubleword bit manipulation)
+ MIPS: added support for Sony PSP (Allegrex) instructions
+ MIPS: added type system support (parameter identification and tracking)
+ MSP430: added support for MSP430X (20-bit) instructions
+ MSP430: resolve PC-relative (aka symbolic) addresses
+ PC: recognize prologs of VB6 applications (substantially speeds up analysis in some cases)
+ PC: show Intel conditional branch hints (prefixes 2E/3E)
+ PC: disassemble retn/retf opcodes with operand size override
+ PC: disassemble undocumented bswap ax instruction
+ PIC: automatically track changes to the PA0 status bit (bank selector) for 12-bit PIC processors
+ PIC: track values of BANK and PCLATH registers through the code flow - this improves disassembly of code that resides in multiple banks
+ PPC: added support for AltiVec instructions (including Cell BE extensions)
+ PPC: added support for VLE (Variable Length Encoding) instructions
+ PPC: it is now possible to specify a fixed base for the r13 register (small data area, often used in embedded PPC processors) and automatically convert all references to it
+ PPC: recognize switches used in 64-bit code with 32-bit addressing
+ PPC: updated GNU register names to reflect current conventions
+ SuperH: added option to disable immediates substitution (pre-6.0 behavior)
+ SuperH: it is now possible to use zero-offset structure fields in indirect register operands
FILE FORMATS
------------
+ DEX: new loader for Dalvik Executable files
+ COFF: added support for TI MSP430 files
+ COFF: handle Xbox 360 files (PPCBE). Also small improvements for ARM and MIPS files
+ DOS: added support of loading of CodeView debug info for DOS .exe files
+ ELF: added support for Cell SPU files (no relocations supported yet)
+ ELF: added support for PPC64 relocations
+ ELF: added support for R_*_IRELATIVE relocations
+ ELF: Android prelinked files are detected and loaded at the correct address
+ ELF: handle files produced by Tasking C166/ST10 compiler
+ ELF: if data at entry point is not present in the section list, use program headers to load the missing code.
+ ELF: implemented some workarounds to load Cisco IOS files
+ ELF: PPC: handle files with VLE code sections and mark them as such
+ ELF: PPC: handle VLE relocations
+ ELF: support PSP PRX files
+ NE: support self-loading NE files
+ PE: added support for ARMv7 files
KERNEL
------
+ added support for arbitrarily big types in the type parser
+ added support for custom data formats inside structures
+ improved PIT (parameter identification and tracking) to better handle complex functions
+ improved the speed of rebasing the program
+ IDS: added ceddk.ids for Windows CE
FLIRT & TILS
------------
+ FLIRT: added autodetection of the programs written in the D language
+ FLIRT: added Digital Mars FLIRT signatures
+ FLIRT: added FLIRT signatures for the Intel Composer XE 2011 ICL compiler
+ FLIRT: pcf: handle ARMv7 COFF files
+ FLIRT: pcf: handle PowerPC BE (Xbox 360) COFF files
+ FLIRT: pelf: i386 TLS related relocations require special handling because the linker modifies instructions
+ FLIRT: pelf: added support for SuperH files
+ prepared new mssdk til files based on the Windows SDK 7.0a
SCRIPTS & SDK
-------------
+ IDAPython: added PluginForm class which adds the possibility to extend the UI with PyQt or PySide
+ IDAPython: Python statement execution and script timeout are configurable
+ IDAPython: added AskUsingForm() with embedded choosers support
+ IDAPython: added idautils.DecodePreviousInstruction() / DecodePrecedingInstruction()
+ IDAPython: added idc.BeginTypeUpdating() / EndTypeUpdating() for fast batch type update operations
+ IDAPython: added more IDP callbacks
+ IDAPython: added UI_Hooks with a few notification events
+ IDAPython: added process_ui_action()
+ IDAPython: better handling of ea_t in 32/64bit
+ IDAPython: Added netnode.index() method
+ IDC: added DbgRead/DbgWrite functions to access the debuggee memory directly
+ IDC: added highlevel breakpoint management class
+ IDC: added get_nsec_stamp()
+ IDC: added SetBptCndEx(), unlink(), rename(), mkdir() functions
+ IDC: added ProcessUiAction()
+ IDC: added sp register change points functions
+ SDK: added begin_type_updating() / end_type_updating() functions to allow faster updates to the types
+ SDK: added get_strmem2()
+ SDK: added support for asynchronous execute_sync() calls (MFF_NOWAIT)
+ SDK: added system-independent functions to work with pipes
+ SDK: added process_ui_command()
+ SDK: IDC engine is thread safe. However, multiple threads should not access/modify the same IDC variables, this is not supported
+ SDK: implemented choosers embeddable in forms
+ SDK: introduced get_full_data_elsize(), useful for wide-byte processors
+ SDK: introduced qisspace and similar functions to avoid problems with signed chars
+ SDK: introduced thread-local functions to handle error codes (set_qerrno/get_qerrno)
+ SDK: renamed init_process() to launch_process()
+ SDK: trim() removes all whitespace at the string end (before it was removing only spaces and tabs)
USER INTERFACE
--------------
+ wingraph for Qt, kindly shared by Chris Eagle
+ graph: respect the selection priority when displaying nodes and clicking on them
+ added "New instance" menu entry
+ added "Produce header file from local types" menu entry
+ added 'Unsort' command in choosers
+ added Select All/Deselect All context menu items to the structure offset dialog
+ allow opening any file by drag-and-dropping it on the IDA icon (previously only .idb files could be opened this way)
+ allow multiple selection in the recent scripts window
+ enabled multi-selection in the Strings List
+ improved 'rename register' dialog box
+ improved the rebase dialog
+ it is now possible to set a string's encoding from "Setup ASCII types" dialog (Alt-A)
+ pressing Ctrl+K will always jump to the stack variable under the cursor (even if stack window is already open)
+ qt: implemented functions to load/free custom icons to be used in contexts like the chooser
+ qt: improved scroll speed
+ qt: improved the windows list dialog (Ctrl-Tab)
+ qt: improved wait dialog speed
+ txt: implemented the Load Binary dialog
+ gui: this is the last release of VCL based idag.exe
DEBUGGER
--------
+ added support for server-side low-level breakpoint conditions. Such conditions are evaluated on the remote computer, without causing any network traffic
+ added support for Android debugger target (native ARM only)
+ Bochs: added debugging support for 64bit code snippets
+ Bochs: path to Bochs can now only be specified through IDA.CFG or PATH environment variable
+ GDB: added support for debugging x64 code
+ GDB: enabled "Run external program" option for Linux and OS X
+ GDB: handle read/write memory breakpoints if the stub supports them (e.g. VMWare)
+ GDB: improved debugging of MIPS16 code
+ Windbg: added support for the 'reconnect' option
+ Windbg: the debugging tools path can now only be specified through IDA.CFG or PATH environment variable
BUGFIXES
--------
all bugfixes since the initial release of IDA 6.0:
BUGFIX: 'open file' dialog in idal was not sorting directories to the end of the list
BUGFIX: "copy structure" and "create structure from data" commands should copy the type information
BUGFIX: "Produce HTML file" functionality was susceptible to a JavaScript injection vulnerability
BUGFIX: .NET: opcode "constrained." was decoded incorrectly
BUGFIX: a variable name was accepted and ignored in "enum : int mystupidvarname"
BUGFIX: Adding an enum or struct from an already parsed typeinfo that does not correspond to an enum or struct would cause IDA to crash
BUGFIX: AIF: a specially crafted file could trigger arbitrary code execution
BUGFIX: appcall was failing on high addresses
BUGFIX: arm debuggers could lose control after stepping over pop {pc} insn (the target address was calculated incorrectly)
BUGFIX: ARM: ARM processor module was ignoring the "Mark typical code sequences as code" autoanalysis setting
BUGFIX: ARM: in rare cases, bogus data interpreted as code could crash IDA with a stack overflow
BUGFIX: ARM: TBB/TBH switch constructs were marked up incorrectly, leading to incorrect decompilation in Hex-Rays
BUGFIX: Bochs debugger plugin was hanging if bochsdbg was terminated due to a crash or VM OS shutdown
BUGFIX: Bochs debugger run menu item was not present in the list when no database is opened
BUGFIX: change_storage_type() was creating sparse flags very inefficiently in some cases
BUGFIX: coff/psx/geos loaders had an integer overflow bug in memory allocation
BUGFIX: COFF: a specially crafted file could trigger a heap overflow
BUGFIX: COFF: relocation REL_ARM_SECREL was not handled
BUGFIX: convert_codepage() was prone to buffer overflow exploits
BUGFIX: debugger / stack view address size was incorrect when debugging without an initial database
BUGFIX: debugger options were not restored if the database had no segments
BUGFIX: demangler: for Borland names do not unmangle procedure/template name when it contains >= 36 arguments
BUGFIX: EBC: indirect register operands without index were disassembled incorrectly
BUGFIX: ELF: import list for ELF files was attaching one of the linked .so files to all imports. Since ELF imports use global namespace, don't attach a library name to them.
BUGFIX: ELF: some SuperH files marked as "sh2a-or-sh3" were loaded incorrectly
BUGFIX: ELF: symbols were not loaded from some ELF files with non-standard section names
BUGFIX: enums with custom size were printed incorrectly and thus their names were lost after editing in "Local Types" list
BUGFIX: EPOC: a specially crafted file could cause a heap overflow
BUGFIX: Executing a script with File/Script file could add a wrong file name to the recent scripts list in some cases
BUGFIX: exiting IDA at the very start of debugging would lead to an internal error
BUGFIX: EXPLOAD: a specially crafted file could trigger a heap overflow
BUGFIX: fixed a longstanding 'nrect(..)' internal error that was occurring in rare cases
BUGFIX: fixed a very rare btree error (there was no logic to handle a double page overflow during a key deletion; only single page overflows were handled)
BUGFIX: fixed DLL hijacking exploit for windmp, windbg and pdb plugins
BUGFIX: Fixed multiple execution of the same sync request for blocking operations such as launching a modal dialog like the chooser.
BUGFIX: fixed occasional crash when opening the breakpoint list
BUGFIX: GDB: for big-endian ARM targets, PSR register value was sent in wrong byte order
BUGFIX: get_flags_novalue() could fail in some rare circumstances (when the debugger is running and a previously defined memory area disappears it could return garbage)
BUGFIX: header() callback was not working in scripted processor modules
BUGFIX: HEX files for wide-byte processors (e.g. AVR) were loaded at a wrong address if a start address record was present
BUGFIX: hardware breakpoints were not deleted correctly on OSX
BUGFIX: hppa: delay slots were calculated wrongly while applying type information to function calls
BUGFIX: IDA could interr when parsing a C header with the same type name as in a loaded standard type library.
BUGFIX: IDA would crash on Mac / Linux when exiting after the user has attached to a process without an initial database
BUGFIX: IDA could fail to detect some address space overflows (when too many big segments were created)
BUGFIX: idag -S switch was not working properly for file names with spaces
BUGFIX: IDC: open_loader_input() would leak linput_t handles
BUGFIX: IDC: SetSegmentAttr() could crash if passed wrong segment address
BUGFIX: implemented the "CLOSED_BY_ESC" configuration parameter for idaq
BUGFIX: in some cases, trying to focus the recent scripts window with Alt-F9 after having added a new script may not work properly unless the window is closed and reopened
BUGFIX: in some cases, when the cursor was on a structure member, IDA was proposing to rename the whole structure instead of the member
BUGFIX: integer overflow was possible in qcalloc()
BUGFIX: get_chooser_object() was broken in the text UI
BUGFIX: it was impossible to launch idaq64 with command line arguments on OS X
BUGFIX: it was impossible to remotely debug 32-bit programs from IDA64
BUGFIX: it was not possible to rename stack variables from the listing at the start of the function in PowerPC files
BUGFIX: it was possible to rename a register to a name with a space
BUGFIX: it was possible to specify malicious plugins to be autorun at the database opening time; introduced an option to enable/disable autorun plugins and set it to 'off' by default
BUGFIX: kernel: on big-endian processors, float values in collapsed (terse) structures were displayed wrong
BUGFIX: OS X debugger could fail if a hardware breakpoint and software breakpoint occurred at the same address simultaneously
BUGFIX: Mach-O: buffer overflow when loading Mach-O files with corrupted export information
BUGFIX: Mach-O: some corrupted files could cause IDA to crash with out-of-memory exception
BUGFIX: MSP430: sub and subc instructions were swapped
BUGFIX: on very rare occasions the graph overview window would process a paint event after having closed a file and access invalid memory
BUGFIX: opcode bytes were not always printed along with the instruction for TMS320C6
BUGFIX: PatchByte() and similar functions were not refreshing the disassembly view
BUGFIX: PC: pushfq and some other 64-bit stack operating instructions were not handled during stack pointer tracing
BUGFIX: PC: some memory references were displayed incorrectly in TASM Ideal mode (for example: [name[eax*4], note the second bracket)
BUGFIX: PC: some switch constructs were marked up incorrectly by IDA leading to wrong decompilation in Hex-Rays
BUGFIX: PC: the wait instruction could be printed with erroneous prefix byte which belonged to the following non-FPU instruction
BUGFIX: PDB plugin would crash on certain input files
BUGFIX: PEF: a specially crafted file could trigger heap overflow
BUGFIX: PPC: immediate operands for some binary instructions (ori, xori, etc.) were incorrectly displayed as signed values
BUGFIX: pressing Esc in a form with Yes/No/Cancel buttons would return 0 (must return -1)
BUGFIX: qt: added graphs toolbar and implemented prev/next toolbar menu
BUGFIX: qt: adding items to the top-level Edit/Jump/Search menus of enum and struct views would fail
BUGFIX: qt: adding menu items to the Edit menu could fail if it was invisible
BUGFIX: qt: after executing custom menu items from the menu by keyboard on Windows the current focus might be lost
BUGFIX: qt: breakpoint dialog was missing the "Refresh debugger memory" option
BUGFIX: qt: call the sizer() callback in the chooser only for refresh events
BUGFIX: qt: calling msg() from chooser's sizer() and getl() callbacks would crash idaq
BUGFIX: qt: correctly associate the idb extension on Windows
BUGFIX: qt: correctly restore arrows width in disassembly when loading a saved database
BUGFIX: qt: correctly restore focus on Windows after having executed an action in the menu (make sure the focus doesn't remain on the menu)
BUGFIX: qt: correctly restore focus with floating docks under Linux
BUGFIX: qt: correctly restore row selection in a sorted list in a chooser after an edit action
BUGFIX: qt: correctly update navigation history when clicking on an edge in graph mode
BUGFIX: qt: could crash when calling Exit() or idaapi.qexit() from scripts
BUGFIX: qt: could sometimes crash when renaming structure members from the disassembly
BUGFIX: qt: couldn't close dock tabs with the middle mouse button
BUGFIX: qt: debug actions were not updated when an instant debugging session ended
BUGFIX: qt: docking the graph overview in a tab view would lead to problems
BUGFIX: qt: don't ask twice in the Save File dialog to overwrite an existing file
BUGFIX: qt: don't show the Sync submenu in a stackview.
BUGFIX: qt: fixed -t command line switch behavior
BUGFIX: qt: fixed a problem with the shortcut system on mac
BUGFIX: qt: fixed case insensitive completer for input fields in forms.
BUGFIX: qt: fixed incremental search in choosers
BUGFIX: qt: fixed some minor graph rendering glitches
BUGFIX: qt: fixed specific group box frame drawing issue in forms
BUGFIX: qt: fixed the Follow in Dump command in the hex editor, which was not working
BUGFIX: qt: fixed the setting of the initial focus in forms
BUGFIX: qt: fixed wait dialog problems on Linux
BUGFIX: qt: fixed wrong behavior of the numpad Enter
BUGFIX: qt: implemented alternative key to Ins on OS X
BUGFIX: qt: implemented blinking arrows in graph view when debugging
BUGFIX: qt: implemented HELP/ENDHELP in custom forms
BUGFIX: qt: implemented external help support for Windows
BUGFIX: qt: implemented FORM_PERSIST flag in open_tform
BUGFIX: qt: implemented auto-indentation in comment/script dialog
BUGFIX: qt: implemented set_dock_pos()
BUGFIX: qt: improved quality of graph rendering in zoom mode
BUGFIX: qt: improved shortcuts behavior on OS X
BUGFIX: qt: input fields in forms were not generating change events
BUGFIX: qt: it was not possible to open Struct window if a function stack window was open before
BUGFIX: qt: it was not possible to overwrite menu label shortcuts with user created shortcuts
BUGFIX: qt: mac: fixed minor glitch in drawing the cursor
BUGFIX: qt: make sure that after closing an idb all actions are refreshed.
BUGFIX: qt: message box shortcuts now work without pressing Alt
BUGFIX: qt: Produce HTML file was using wrong font
BUGFIX: qt: remember the position of the cursor in the struct view when saving database
BUGFIX: qt: reset desktop was not working properly sometimes on mac
BUGFIX: qt: restore focus after a dock drag operation
BUGFIX: qt: select current thread in debug mode
BUGFIX: qt: set_custom_viewer_popup and add_custom_viewer_popup work now even on non-TCustomViewer IDA memos
BUGFIX: qt: set_focused_field in forms would fail at initialization time
BUGFIX: qt: shortcuts for custom data types were not set correctly
BUGFIX: qt: show lock status on the Highlight toolbar button
BUGFIX: qt: show text cursor in the output window
BUGFIX: qt: some entries of the quick open dialog may fail because of wrong context
BUGFIX: qt: the '.' shortcut now activates the command line when the current focus is in the output window already
BUGFIX: qt: the Cancel button in forms was not returning -1
BUGFIX: qt: the chooser now accepts Home and End even from the numpad and acts the same when Ctrl is pressed. Also, the fast search is cleared when pressing these keys
BUGFIX: qt: the Del shortcut in the watchlist was not always working
BUGFIX: qt: the jump to neighbor node shortcuts were working only on mac
BUGFIX: qt: the main window would not show when starting to debug from the command line
BUGFIX: qt: UI would hang if typing a non-matching letter at the last item of a chooser
BUGFIX: qt: was eating too much cpu time when idle
BUGFIX: qt: was not using system locale to convert text data, so localized comments, file paths, etc. were not displayed properly
BUGFIX: qt: would hang if trying to incrementally search for an item in a chooser without having a selection first
BUGFIX: qt: would not revert to default stack variable name if the name was cleared
BUGFIX: text: chooser was leaking memory on destruction
BUGFIX: right click menu was not listing structures with unions and unions as creatable variable types
BUGFIX: rebase_program() was not updating the xref cache, so cross-references could be wrong immediately after rebasing
BUGFIX: Recent scripts window displays blank script file names if no database was open
BUGFIX: result of custom_ana notification was not handled properly, breaking some processor extension plugins.
BUGFIX: IDC: Qword() was not returning 64-bit values in IDA32
BUGFIX: SBN: a specially crafted input file could lead to buffer overflow
BUGFIX: SDK: get_default_reftype() was not working correctly for processors with wide bytes
BUGFIX: The IDC engine was failing on __get/setattr__ functions for IDC objects if those functions were registered from the SDK via set_idc_getattr()/set_idc_setattr()
BUGFIX: SDK: launch_process() (formerly init_process()) did not properly handle quoted command-line arguments on Linux and OS X
BUGFIX: SDK: OutMnem() did not work properly for values of 'width' different from default
BUGFIX: set_auto_plugins() accepted arbitrary plugin paths (including UNC paths), which could lead to malicious code execution
BUGFIX: shortcuts for custom graph actions were not working
BUGFIX: some win32 OEM keys were incorrectly converted to qt codes
BUGFIX: SPARC: R_SPARC_JMP_SLOT relocation was not processed properly in 64-bit files
BUGFIX: SPARC: some WR instructions were decoded incorrectly in V8 mode
BUGFIX: stack view was always using 64-bit addressing in IDA64, even for 32-bit programs
BUGFIX: Symbian debugger was not clearing the old process list before retrieving a new one.
BUGFIX: text version: in the 'create array' dialog box, it was impossible to switch back from binary indexes to any other number base
BUGFIX: The "OK" button in the Choose Structure window was not being enabled when a struct is selected for the first time
BUGFIX: The debugger popup menu to open a register class window was not working
BUGFIX: type parser: type definitions without the terminating ; were silently ignored at the end of the input file (or line)
BUGFIX: ui: a byte with value 0xFF was not printed as a character, even if it was in the AsciiStringChars list.
BUGFIX: ui: avoid duplicate upper/lower-case history entries on Windows
BUGFIX: ui: binary search was searching for wrong pattern if a too long number was entered
BUGFIX: ui: buffer overflow could happen when trying to display a very long string
BUGFIX: ui: Calculator (Shift-/ key) was picking up wrong value from disassembly on OSX and Linux
BUGFIX: ui: fill the Edit->Plugins menu with PLUGIN_FIX plugins when no IDB is open
BUGFIX: ui: IDA could hang while trying to display a hint in some rare situations
BUGFIX: ui: IDA could lock up for some time while trying to display a hint.
BUGFIX: ui: in the 'User Offset' dialog, set initial focus to the 'Base address' field
BUGFIX: ui: the cross reference list would show empty if already open for the same target
BUGFIX: unix: unicode strings were not handled correctly for some locales
BUGFIX: while undecorating names, try to preserve the suffix after '@'; remove it only in some special cases
BUGFIX: Windbg debugging mode option was not saved in instant debugging mode
BUGFIX: zero values were always represented as "0" in terse structure representations, even if they should be replaced by offsets or enums or something else
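The set_auto_plugins() entry in the list above deserves a closer look: a loader that takes a plugin path from the database or a script and loads it unchecked turns a path string into code execution, and accepting a UNC path extends that to code fetched from a remote share. The following is an added example, not IDA's own code, of the kind of check a plugin loader can apply before trusting such a path: reject UNC and device paths outright, resolve the candidate against the plugins directory and require it to stay inside, and accept only known plugin extensions. The plugins directory and the extension list are assumptions made for the illustration; ntpath is used deliberately so the Windows path rules apply no matter where the snippet runs.

```python
import ntpath

# Assumed extension list for the illustration (not IDA's real list).
PLUGIN_EXTENSIONS = {".plw", ".p64", ".py", ".idc"}


def is_unc_path(path):
    """True for UNC paths (\\\\server\\share\\..., //server/share/...) and
    \\\\?\\ device paths: both start with a doubled separator as the 'drive'."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith(("\\\\", "//"))


def resolve_plugin_path(candidate, plugins_dir):
    """Return the normalized path of `candidate` if it names an acceptable
    plugin file inside `plugins_dir`, otherwise None.

    `plugins_dir` must be an absolute Windows path with a drive letter.
    """
    if not candidate or "\x00" in candidate:
        return None
    if is_unc_path(candidate) or is_unc_path(plugins_dir):
        return None
    base = ntpath.normpath(plugins_dir)
    if not ntpath.isabs(base):
        return None
    # join() discards `base` when `candidate` is absolute, so an absolute
    # candidate is checked against the directory just like a relative one.
    joined = ntpath.normpath(ntpath.join(base, candidate))
    # normcase() folds case and separators, so C:/IDA/PLUGINS and
    # c:\ida\plugins compare equal; the trailing separator stops
    # C:\IDA\plugins-evil from passing as a prefix match.
    inside = ntpath.normcase(joined).startswith(ntpath.normcase(base) + "\\")
    if not inside:
        return None
    if ntpath.splitext(joined)[1].lower() not in PLUGIN_EXTENSIONS:
        return None
    return joined


if __name__ == "__main__":
    PLUGINS = "C:\\IDA\\plugins"  # assumed install location
    for cand in ("myplugin.plw",
                 "C:\\IDA\\plugins\\sub\\a.p64",
                 "\\\\evil\\share\\x.plw",
                 "..\\..\\Windows\\Temp\\x.plw",
                 "C:\\Other\\x.plw",
                 "notes.txt"):
        print("%-32s -> %s" % (cand, resolve_plugin_path(cand, PLUGINS)))
```

The directory check is done on the normalized, joined path rather than on the raw string, so `..` components and an absolute path pointing elsewhere fail the same test; the UNC check runs first because a share path is never acceptable even when it happens to contain the plugins directory name.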
IDA Pro 6.0 feature list (Oct 1, 2010)
IDA Qt based GUI
The long awaited GUI interface for Linux and Mac OS X platforms is ready!
We tried to make it as close as possible to the existing MS Windows
GUI. Daniel Pistelli, who was responsible for the task, accomplished it brilliantly.
The new interface turned out to be so much faster and nicer that we plan to
drop the old interface after a short transition period. IDA v6.0 will
ship with both the old idag and the new idaq.
[Screenshots of the new Qt GUI]
The decompiler also runs natively on the other platforms.
Linux/Mac fans will certainly appreciate the new version ;)
As usual, the new version is free for all users with active support plans.
The detailed changelist is below:
PROCESSOR MODULES
-----------------
+ 6812: support an alternative memory layout for paged segments, which allows short offsets to be used inside the segment
+ ARM: added a switch pattern that uses BX to jump to case labels
+ ARM: display the optional operand of the MRC/MCR instructions, as preferred by the ARM documentation
+ ARM: support another variation of GCC Thumb-2 switches
+ PPC: added SPE (Signal Processing Engine) instructions, including floating-point and vector FP
+ PPC: trace stack pointer for 64-bit code
+ SuperH: added SH-4a instructions
+ SuperH: display immediates loaded from literal pool in the instruction itself
+ SuperH: trace stack pointer and create stack variables
+ TMS320C54x: added register definitions for TI Calypso chipset (thanks to Sylvain Munaut)
+ TMS320C54x: better handling of multi-section files (thanks to Sylvain Munaut)
FILE FORMATS
------------
+ Added loader for HP-UX core files (non-ELF), provided by Avi Cohen Stuart
+ ELF: added support for more IA64 relocations
+ LE: added support for bound DOS/4G executables
KERNEL
------
+ kernel: improved database loading and saving times (new crc32 algorithm)
+ Configurable plugins can specify which platform they can operate on in plugins.cfg
+ demangler: demangle GCC local names (_ZLxxx)
+ FLIRT: added parser for Mach-O object files (pmacho)
+ 'volatile' keyword is automatically removed from function return types
IDC & SDK
---------
+ IDAPython: added auto completion support
+ IDC: added ItemHead()
+ IDC: added Exec() to execute IDC statement(s)
+ SDK: added idb events for segment name/class modifications
+ SDK: get_many_bytes_ex() to retrieve bytes from the database together with information about which of them are initialized and which are uninitialized
USER INTERFACE
--------------
+ it is now possible to jump to a structure cross-reference (default hotkey: Ctrl-X in the structures window)
+ Added "Save to file" to save the trace window contents
+ added a checkbox for sparse segments to the 'create segment' dialog box
+ multiple segments can be selected and moved using the segments window
DEBUGGER
--------
+ debugger: added support for virtual modules (user-defined modules can be added from api)
+ debugger: non-integer register values can be displayed as hints
BUGFIXES
--------
BUGFIX: 'analyze module' was failing on modules with unknown size; now it tries to estimate it
BUGFIX: the -B switch failed to generate ASM files if the idb path contained the '.' character
BUGFIX: a structure with pointers to functions with non-empty argument names was incorrectly converted to a local type
BUGFIX: adding a segment could erroneously delete a selector (if the start address of the new segment was equal to the start address of an existing segment and the selector was used only by that segment and the selector of the new segment was equal to the selector of the existing segment)
BUGFIX: after attaching to a linux process the names of the main process module were not available
BUGFIX: arm relative-mode elf files were loaded incorrectly (thumb was not used when required)
BUGFIX: ARM: LDMFD SP (no writeback) was incorrectly decoded as POP in Thumb-2 mode
BUGFIX: binary search could return a result outside of the search region
BUGFIX: Bochs could crash in some cases when setting a bp at data locations
BUGFIX: bochs direct commands were not working under linux
BUGFIX: calc_bare_name() could not handle gcc mangled names with '.' prefix
BUGFIX: command line arguments with backslashes were parsed incorrectly under MS Windows: backslashes were escaped even without quotes
BUGFIX: dummy_name_ea() was failing for dword_xxx dummy names
BUGFIX: GDB debugger: resolved incompatibility with VMWare 7.x GDB stub
BUGFIX: global IDC variables of object type would crash IDA if they were still present at exit time; now we get rid of them when we close the database
BUGFIX: GUI: chooser window may be improperly resized if moved from a low resolution screen to a higher resolution screen
BUGFIX: IDA could crash if an unsuccessful search backwards was done while the debugger was active
BUGFIX: IDA could crash when trying to display custom data items bigger than 16 bytes in size on big-endian processors
BUGFIX: IDA could endlessly loop on some x86 files
BUGFIX: if a search was performed within a selected text, the screen was not redrawn correctly
BUGFIX: if full stack analysis was turned off and a pdb file was loaded at the idb creation time, the decompiler would interr
BUGFIX: it was not possible to create 64-bit segments from UI for PowerPC
BUGFIX: kernel: user-defined offsets with non-zero bases were not adjusted properly during rebasing
BUGFIX: linux debugger was processing 'detach from process' command not quite correctly
BUGFIX: MIPS: basic block boundaries were determined incorrectly for MIPS16 code (MIPS16 branches do not have a delay slot)
BUGFIX: modal recent script box would crash if no script was selected
BUGFIX: moving the vertical scrollbar thumb in the disassembly listing was not handled correctly for 64-bit programs
BUGFIX: MS DOS: rebasing EXE files was not properly adjusting relocations
BUGFIX: PE loader: a bad load config directory can cause an infinite loop
BUGFIX: qvector's insert/erase methods were moving vector elements incorrectly
BUGFIX: replacing a type that comes from a til file might lead to a crash (if there were no defined local types yet)
BUGFIX: script processor module could crash if 'codestart' and 'retcodes' fields were used under Linux/MAC
BUGFIX: the 'switch debugger' command was available only when a disassembly window had focus
BUGFIX: the disassembly text that was copied to the clipboard could contain odd characters at the beginning in some cases
BUGFIX: the help subsystem of the text version was using memory allocation functions incorrectly
BUGFIX: UI: indexes printed for array of structures were incorrect
BUGFIX: UI: it was not possible to set the type of a structure member ('Y' key) if the cursor was on an undefined area in the disassembly view.
BUGFIX: Windbg plugin now forbids starting a process in non-invasive mode. Only non-invasive attach is supported.
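Two of the loader entries in these changelists, the SBN buffer overflow on a specially crafted file (6.3) and the PE loader infinite loop on a bad load config directory (6.0), are the two classic outcomes of trusting a length taken from the input: a size that is too large reads past the buffer, and a size of zero never advances the parser. The following is an added example, not IDA's loader code, that uses a constructed, hypothetical size-prefixed record format (not any real file format) to show the checks that close both holes: a size smaller than the record header and a size larger than the remaining bytes are each rejected before they are used as a length or an offset, and the walk is capped.

```python
import struct

# Constructed record layout for the illustration (not a real format):
#   u16 size   total record length, including this 4-byte header
#   u16 kind   record type tag
#   size-4 bytes of payload
HDR = struct.Struct("<HH")
MAX_RECORDS = 4096  # assumed hard cap on records we are willing to keep


class MalformedInput(ValueError):
    """Raised instead of reading out of bounds or looping forever."""


def walk_records(blob):
    """Walk size-prefixed records and return a list of (kind, payload).

    Every size is attacker-controlled, so it is validated against the
    header length (lower bound) and the bytes left (upper bound) before
    it is used to slice the buffer or advance the offset.
    """
    out = []
    off = 0
    n = len(blob)
    while off < n:
        if n - off < HDR.size:
            raise MalformedInput("truncated header at offset %#x" % off)
        size, kind = HDR.unpack_from(blob, off)
        if size < HDR.size:
            # A size of 0 (or any size below the header length) would make a
            # naive 'off += size' loop spin forever on the same record.
            raise MalformedInput("record at %#x has size %d < header" % (off, size))
        if size > n - off:
            # A size beyond the end of the buffer is the over-read case.
            raise MalformedInput("record at %#x claims %d bytes, only %d left"
                                 % (off, size, n - off))
        out.append((kind, blob[off + HDR.size:off + size]))
        if len(out) > MAX_RECORDS:
            # Each record consumes at least HDR.size bytes, so the loop is
            # already bounded by len(blob); the cap bounds memory as well.
            raise MalformedInput("more than %d records" % MAX_RECORDS)
        off += size
    return out


def is_well_formed(blob):
    """Convenience predicate: True if walk_records() accepts the input."""
    try:
        walk_records(blob)
        return True
    except MalformedInput:
        return False


def build(records):
    """Encode (kind, payload) pairs; used only to construct sample input."""
    return b"".join(HDR.pack(HDR.size + len(p), k) + p for k, p in records)


# Constructed sample inputs.
GOOD = build([(1, b"abc"), (2, b""), (7, b"\x00" * 10)])
ZERO_SIZE = GOOD + HDR.pack(0, 9)          # size 0: would never advance
TRUNCATED = GOOD + HDR.pack(100, 9) + b"xy"  # size 100 with 6 bytes left
SHORT_HDR = GOOD + b"\x05"                  # 1 byte where a header is expected

if __name__ == "__main__":
    print(walk_records(GOOD))
    for name, blob in (("ZERO_SIZE", ZERO_SIZE), ("TRUNCATED", TRUNCATED),
                       ("SHORT_HDR", SHORT_HDR)):
        try:
            walk_records(blob)
        except MalformedInput as e:
            print("%s rejected: %s" % (name, e))
```

The two comparisons are the whole point: `size < HDR.size` is the loop guard and `size > n - off` is the bounds guard, and both are evaluated on the value read from the file before that value touches an index. Rejecting the file with a clear error is the right response for a loader; silently clamping a bad size hides the corruption and tends to produce a database that is wrong in ways nobody notices.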