IDA 5.7
Last updated
Was this helpful?
IDA 9.0
Last updated
Was this helpful?
IDAPython IDAPython has been modified a lot. We manually wrapped many new functions and classes. We documented all manually wrapped functions. Online documentation is here:
Some "idaapi.cvar" variables have been moved to "idaapi.". In particular, the idaapi.cvar.cmd is now accessible as idaapi.cmd.
Recent script box (Alt+7) and run python script (Alt+9) are replaced with Alt+F7 and Alt+F9 respectively
Scripted plugins Plugins can be implemented in Python or IDC.
See the . See samples in "sdk\plugins\script_plg"
Scripted processor modules Processor modules too can be implemented in Python or IDC. See:
sdk\module\script\ebc.py: EFI Byte code processor module. It works with EBC PE files.
sdk\module\script\msp430.py: MSP430 is a simple 27-instructions 16-bit RISC processor from TI.
sdk\module\script\proctemplate.py: Processor module script template
We have addded many SDK functions to IDAPython to support processor modules.
ARM module/Mach-O file format If you analyze iPhone/iPad file, the following improvements are essential:
parsing of the LC_DYLD_INFO and LC_ROUTINES loader commands (more names are recovered)
improved tracing of register values for ARM that discovers more references
improved offset auto-conversion: now you should see less false positives (e.g. no xrefs into middle of instructions)
indirect calls via register are resolved when possible, and a comment is added with the final address
better Thumb/ARM mode switch tracing
when splitting segments, T register is not reset to 0 but the old value at the split point is reused
support for PIC code generated by GCC 4.4.x (GOT loading)
various other fixes and improvements
ARM architecture options for disassembly can be configured in the UI (Processor-specific options), in IDA.CFG or on command line (see documentation; ARMv6 is default)
for Mach-O files and ELF files with EABI attributes the architecture is set automatically according to the flags in the binary
support for NEON SIMD instructions (available if ARMv7 is selected); they are commonly found in the current iPhone/iPad files
when ARMv7 is selected, a unified syntax is used for VFP and NEON instructions (Vxxx instead of old Fxxx)
Custom data You can define your own data types. For more details, see:
See the.
Also check out "sdk\plugins\custview\custview.cpp" and IDAPython\examples\ex_custdata.py
Bochs Linux debugger plugin We have ported the bochs debugger plugin to Linux. See to learn how to configure and use it. The plugin functions similarly to the Windows bochs debugger plugin except that you need to set up environment variables and copy some Windows DLLs to Linux.
PDB plugin The PDB plugin now works without having MS DIA DLLs registered in the system (i.e. no need to install the full Visual Studio). It is enough to either install VS 2005 or 2008 runtime redistributable or copy msdiaNN.dll into IDA's directory. It now imports much more types from PDB files with private symbols.
WinDbg debugger plugin We improved WinDbg support:
Added non-invasive debugging support. You may find this feature useful if you want to attach to a program that is already being debugged.
The plugin will not automatically set the PDB path to %TEMP%\ida, one has to manually specify the symbol path (_NT_SYMBOL_PATH env var or .sympath command)
Minor bug fixes and speed improvements
Typing ".reload /f" will update the symbols state in the UI as well
Recent scripts Alt-F7: Open script file Alt-F9: Opens the recent scripts chooser.\
Ctrl+E to edit
Del to delete
Ins to insert a new script to the list
New command line switches Please find more information about the -t and -S switches\
Output window We replaced the listbox with a richtext control, allowing the users to:
double click on any identifier or address to jump to it if applicable
select and copy portions of text
search for text in the log
Debugger
Jumping to debug names automatically creates code
Right click on a module in module window offers to jump to module base
debugger: added support for MSR, XMM and MMX registers
debugger: added support for model specific registers registers (win32)
breakpoints: breakpoints have a flag to allow the kernel to invalidate memory layout and contents before evaluating a script condition
added DbgByte/DbgWord/DbgDWord functions to read debuggee memory directly
the breakpoint list window also shows the instruction comment
Processor Modules
6808: added new instructions from the 68HCS08 (aka 9S08) family
ARM: added a switch pattern often found in EPOC files
ARM: improved analysis of constant pool items - reduced false positives when converting data to offsets
ARM: improved detection of ADRL macros
ARM: handle some of the new idioms produced by GCC 4.4.0
ARM: added support for NEON (aka Advanced SIMD) instructions, new to ARMv7 architecture
ARM: architecture version can now be set; it is configured automatically for Mach-O files and ELF files with EABI attributes.
ARM: many other improvements, switch patterns, etc
EBC: EFI Byte Code processor module (written in Python)
H8: 24-bit address operands were truncated to 16 bits
MIPS: added MIPS16e instructions (jrc, jalrc, save, restore etc)
MIPS: added ssnop instruction
MIPS: more common instruction sequences are simplified
MIPS: set proper types (float/double) for operands of FPU instructions - floating-point constants are now recognized and converted
MIPS: substantially improved tracking of register values which recovers most of data and code cross-references in typical MIPS binaries
MIPS: table-based switches are recognized and labeled
MIPS: trace transitions between mips16 and mips32 code for better analysis
MSP430: new processor module (written in Python)
PC: improved detection of Delphi exception handlers
PC: improved parsing of Visual C++ SEH handlers
PC: recognize aligned stack prolog produced by GCC 4.x
PIC: improved handling of FSRs for the PIC18xx series; added more chip configurations
PPC: added G2 core (603e) instructions tlbld and tlbli
PPC: more jump tables are recognized
SuperH: added support for SH-2A architecture
TMS320c54: added support for memory mappings (thanks to Sylvain Munaut)
File Formats
.NET: made output more compatible with MSIL assembler
ELF: added support for TLS relocations in x86_64 files
ELF: handle MIPS files with mips16 functions
ELF: handle more ARM relocations
ELF: ARM: if EABI attributes are present (.ARM.attributes section), they're used to set up the ARM architecture options for disassembly
Mach-O: rebasing a file (e.g. during debugging) could make some pointers invalid
Mach-O: added support for X86_64_RELOC_SIGNED_n relocations
Mach-O: added support for ARM BR24 and Thumb BR22 relocations
Mach-O: cpusubtype field from the header is used to pre-set the ARM architecture version for disassembly
PDB: vtable structures are created and added to class structures if that info is present in the PDB
PDB: msdiaNN.dll can now be loaded without being registered, if found in PATH or default VC CRT install path
PE: load configuration directory (which includes SEH information) is parsed and commented
PE: recognize and load Phar Lap TNT DOS-Extender's 'PL' executables
PE: IDA now allows to load corrupted files after a warning instead of aborting
XCOFF: added support for weak extern symbols
Kernel
added support for scripted processor modules
added support for scripted plugins
added support for 64-bit offsets with unknown base (they are mainly used in structure fields)
added support for appcall with timeouts
added support for custom data types and formats
added support for locking of area pointers returned by the kernel
improved the speed of handling idbs with huge number of segments
improved argument propagation algorithm to handle indirect calls, including function pointers stored in stack variables
jumping to exported entries will create functions automatically
kernel: single-character strings were converted to Unicode too aggressively
New command line switch '-t' to run IDA without an input file
The "-S" switch now works with any supported script type. Users can pass arguments to scripts and access them via the "ARGV" global variable
updated noret.cfg with several no-return functions used in Visual Basic programs (vbaErrorOverflow, vbaGenerateBoundsError etc.)
the "Generate IDC" command retains function prototypes
added FLIRT signatures for Visual C++ 2010 and C++Builder 2010
Scripts & SDK
IDC: IDC definitions are not destroyed upon closing the database
IDC: Added DbgByte(), DbgWord(), DbgWord() and DbgQword() to read program bytes from the debugger memory
IDC: Added GetManyBytes() to read more than a byte from the database or the debugger memory
SDK: added find_extlang_by_ext()
SDK: added idp_notify::set_proc_options notification for more fine-grained configuration of processor modules
SDK: added get_func_by_frame()
SDK: added get_varcall_regs() for processors that use registers for vararg calls (like printf)
SDK: added init_process/term_process/get_process_exit_code system independent functions
SDK: added netnode::supdel_range() to delete range of supval elements
SDK: added qfindfirst/qfindnext/qfindclose functions to enumerate files in a system independent way
SDK: added qrename() to rename files. qrename() does not fail if the new file exists (unix behavior)
SDK: added call_method to extlang
SDK: added set_idc_func_ex(); this function makes it possible to register IDC functions that can work without an open idb; set_idc_func() is obsolete now and should not be used
SDK: added support for complex offsets with subtraction from the base value (REFINFO_SUBTRACT)
SDK: added VarGetClassName() to retrieve the class name of an IDC object
SDK: class areaset_t can now be used by plugins and modules
SDK: find_func_bounds() supports flag FIND_FUNC_IGNOREFN
SDK: MIPS processor module now uses the same instruction numbers for 32-bit and 16-bit instructions. Plugins that rely on those numbers might have to be recompiled.
SDK: processor modules that don't have instruction comments in the ida.int database will receive a get_autocmt notification.
SDK: renamed all *_const functions to *_enum_member (add_const() is reserved in Visual C++ 2010)
SDK: ua_stkvarN and add_stkvarN could fail when adding a stack variable with an odd offset
User Interface
UI: added "follow pointer" context menu command in hex view
UI: added a "jump to cross reference from" command (default shortcut Ctrl-J), useful when navigating large switch statements
UI: it is now possible to generate flow and xref graphs in DOT format (see ida.cfg)
UI: it is possible to add/delete breakpoints from the module names window
UI: "Set callee" plugin (hotkey Alt-F11) now also works for ARM and MIPS processors
UI: user can now enter type declaration for instruction operands
UI: script boxes (Shift-F2, Alt-8) and other multi-line input boxes in IDA now auto-indent new lines
UI: Output window is a ritchtext control. Users can double-click on identifiers / address to jump
UI: Output window is now searchable (hotkey Alt-T and Ctrl-T)
UI: The environment variable TVHEADLESS can be specified for the graphical version of IDA
UI: Set function prototype (shortcut 'y') can also be used if cursor is positioned over a function name
UI: Breakpoints window also shows the comment at the breakpoint's address
UI: Replaced "File / IDC file" with "File / Script file" allowing the users to run any supported script file
Debugger
Bochs debugger can be used under Linux and OS X
Bochs debugger supports Bochs 2.4.5
added "Jump to module base" to the modules list popup menu
added "Analyze module" to the modules list popup menu
added support for MMX/XMM registers (XMM regs only under windows)
connection to a Windows CE device can be canceled
win32 debugger: implemented accessing MSRs using the kernel debugger driver provided by Microsoft. Thanks to Alex Ionescu for the assistance!
added support for reading/writing model specific registers (MSRs)
WINDBG: changing the current thread using the "~Ns" command is now reflected in the UI
WINDBG: Reloading symbols in the debugging engine using ".reload" will also update the debug names in IDA
WINDBG: The plugin will propose to launch the dbgsrv.exe if debugging an x64 application
WINDBG: Added support for non-invasive debugging
Bugfixes
BUGFIX: AddHotKey() was broken under *nix
BUGFIX: ARM: operand order for XScale MRA/MAR instructions was wrong
BUGFIX: ARM: some instructions with PC-relative operand were decoded incorrectly in Thumb mode
BUGFIX: ARM: some PC-relative load and store instructions were decoded incorrectly in Thumb mode
BUGFIX: ARM: specifying a register pair in a function prototype would crash ida
BUGFIX: ARM: Thumb-2 STRD instruction was sometimes decoded as LDRD
BUGFIX: ELF: Solaris files with special values in sh_link field of section headers were not loaded correctly
BUGFIX: nec850: jr was not stopping execution flow
BUGFIX: PIC: 12F629 and 12F675 are 14-bit devices and so should be in pic14.cfg
BUGFIX: Bochs plugin in disk image operation mode could not retrieve segment register base properly in Bochs 2.4.2
BUGFIX: changing the storage type from sparse to regular could convert some zero-initialized bytes to uninitialized bytes
BUGFIX: coff files with more than 0x8000 segments were loaded incorrectly (some symbols could not be resolved)
BUGFIX: custom_viewer callbacks were getting wrong shift state information (should be 1-shift, 2-ctrl, 4-alt)
BUGFIX: dbg_step_into and similar events were not generated if the operation was invoked interactively by the user (not from a plugin)
BUGFIX: debug names were sent over the network repeatedly (remote debugging)
BUGFIX: debugger: Linux debugger did not handle well programs which created a lot of short-lived threads
BUGFIX: disabled menu items with shortcuts could appear in IDA after loading a new idb; this could lead to minor problems (like Esc not working in the decompiler)
BUGFIX: disassembly lines for structure members that are arrays with some repeating values would be truncated
BUGFIX: double clicking on a user-defined graph would lead to inconsistent idag state and create problems with focusing/unfocusing windows
BUGFIX: TDS plugin: choosing CANCEL in instant debugging mode would crash IDA
BUGFIX: Edit,Segment,Move current segment was doing nothing in some cases
BUGFIX: editing a breakpoint could lead to a crash during remote debugging session
BUGFIX: ELF (MIPS): in some cases HI16/LO16 relocation pairs were processed incorrectly
BUGFIX: elf files were rebased incorrectly
BUGFIX: even if the user requested octal represention of a number, IDA could still use decimal representation for values 8 and 9
BUGFIX: fixed an integer overflow bug in the qnx file loader (thanks to Jason Geffner)
BUGFIX: GDB debugger: ARM breakpoints were not working when connecting to OpenOCD
BUGFIX: gdb plugin was crashing on empty reply from monitor command
BUGFIX: get_prev_area() was broken
BUGFIX: GUI: Floating forms could cause IDA GUI to crash if opened and closed many times
BUGFIX: GUI: Hotkeys Alt-0 to Alt-9 (used to switch to a window) were not usuable even if no window was open and occupying that hotkey
BUGFIX: IDA could crash trying to evaluate "eax++" (illegal postfix operation on a register)
BUGFIX: IDA could crash while performing sp-analysis
BUGFIX: IDA could crash with memory corruption
BUGFIX: IDA could endlessly loop on corrupted databases
BUGFIX: IDA could hang when instruction tracing is used with debuggers with the DBG_FLAG_DONT_DISTURB flag
BUGFIX: IDA could hang when trying to display a type referring to itself
BUGFIX: IDA could sometimes refuse to modify the stack pointer while the background analysis was on
BUGFIX: IDA kernel was ignoring the "options" value set by the scriptable loaders in their accept_file()
BUGFIX: IDA was not allowing names with dummy prefixes (like byte_...) for structure members; removed this limitation
BUGFIX: IDA was setting 'use dup' checkbox while creating new arrays; now it remembers the last used value
BUGFIX: IDA would try to continue to interact with the remote debugger server after network timeouts; now it immediately closes the connection because the protocol state is lost
BUGFIX: idal could erronously complain about a corrupted configuration file
BUGFIX: IDAPython: GetCharPrm(INF_PROCNAME) was broken
BUGFIX: IDC DecodeInstruction() was not returning cmd.size attribute
BUGFIX: IDC: SetHashLong() was broken
BUGFIX: if a debugger session was ended with Alt-X, some debugger (and umimportant non-debugger) settings were not saved
BUGFIX: if the network connection was dropped during a debugging session, IDA could crash in some cases
BUGFIX: In rare cases, deleting the last segment could lead to a crash
BUGFIX: in some cases automatic type propagation could overwrite the stack frame's return address field
BUGFIX: it was impossible to connect to 64bit debugger server using 64bit version of IDA without a database
BUGFIX: it was not possible to reload binary files
BUGFIX: it was not possible to set an empty string as connection string for WinDbg debugger, if there was a saved default string.
BUGFIX: it was possible to modify a readonly debugger register from a script
BUGFIX: JAVA: IDA could not load some .class files with corrupted StackMapTable
BUGFIX: MIPS: IDA was creating multi-instruction macros in delay slots, which was incorrect
BUGFIX: MIPS: in some cases 16-bit negative immediate values were displayed as unsigned
BUGFIX: MIPS: jalx was incorrectly stopping execution flow
BUGFIX: normal functions were improperly detected as no-return for some processors with delayed slot instructions (e.g. SuperH)
BUGFIX: only slightly damaged idb files could be repaired by IDA (normally IDA is able to repair badly damaged files too)
BUGFIX: OSX: mac_server could interr in some cases when program exited unexpectedly
BUGFIX: parse c header files: if a type name was used as a local structure member name in a C header file, it would be parsed incorrectly
BUGFIX: parsing "typedef struct x x;" could create a circular dependency
BUGFIX: PC: a wait instruction with prefixes was still lumped together with the next instruction
BUGFIX: PC: assembler could not handle [reg-imm] while [reg+imm] was working ok
BUGFIX: PIC: SFR definitions were not reloaded when opening a previous database
BUGFIX: PowerPC: branch targets were truncated to 32 bits in 64-bit mode
BUGFIX: pressing Cancel while initializing an instant debugger could hang ida
BUGFIX: Python's GetReg and SetReg[Ex] did not work for non-x86 processors
BUGFIX: retrieving objects with circular dependencies from the debugged program to IDC could lead to interr
BUGFIX: SDK: unicode version of qstrlen() was broken
BUGFIX: SDK: request_step_over/step() were not working properly with multithreaded applications
BUGFIX: some SSE instructions were described incorrectly (missing CF_... flags)
BUGFIX: SuperH: basic block boundaries were determined incorrectly, leading to wrong flow graphs
BUGFIX: SuperH: return instructions were not defined correctly for big-endian variants
BUGFIX: text version of IDA could crash at the exit time if all debugger plugins were deleted from the disk
BUGFIX: the calculator could not properly display 64-bit and floating point results
BUGFIX: the screen would not be always refreshed after modifying the very first byte of a segment using the right click menu
BUGFIX: the selector list could not be displayed in the text version
BUGFIX: TMS320C54 module could not display names located in segments with a non-zero segment base
BUGFIX: TMS320C55x: some mov opcodes were decoded incorrectly
BUGFIX: tracing systenter on Windows XP would fail
BUGFIX: TXT: Open/Save file dialog could not list file name with wildcards in Windows
BUGFIX: unmapping all mapped local types and saving the database would corrupt local type storage
BUGFIX: wait_for_next_event() could hang if called without WFNE_SUSP and a suspending event occurred
BUGFIX: win32: it was possible to attach to services and debug them only once; to attach the second time, IDA had to be restarted
BUGFIX: windbg / kernel mode configuration was not being saved
BUGFIX: Windbg plugin (with dump-files) and windmp loader were failing to read certain memory areas
BUGFIX: IDC function xtol() function in IDC could not convert 64-bit values (in 64bit version of ida)