# IDA 7.5sp3

**IDA 7.5.201028 (SP3)** ***October 28, 2020***

Service Pack 3 introduces a handful of new and interesting features specific to the soon-to-be-released macOS 11 (Big Sur) and provides fixes for numerous minor issues.

## Highlights

* We improved macOS 11 kernel debugging with VMware Fusion 12.
* We also improved symbolication of MH\_FILESET kernelcaches.

### Complete changelist:

Debugger:

* improved macOS 11 kernel debugging

MACHO:

* improved handling of threaded pointers in iOS kernelcaches
* support symbolication of macOS 11 kernelcaches that link against the boot/sys kext collection. See BOOT\_KC\_PATH in macho.cfg for an overview

### Bugfixes

* 78K0S: opcode D5 was incorrectly decoded as INC (should be DEC)
* A crafted IDB file could trigger a use-after-free in IDA
* Chooser: the ui\_get\_chooser\_item\_attrs event was called with the wrong CHOOSER argument
* Cloning script snippets could corrupt the database
* Debugger: iOS debugger was broken on iOS 14
* Debugger: iOS debugger could fail to fetch the process list on iOS 14
* Debugger: mac/ios/xnu debuggers would create tons of meaningless debugger segments
* Debugger: mac debugger could fail to load symbols from system dylibs
* Debugger: PIN: get rid of warning "Unexpected addrsize of the debugged program", permit remote PIN to be started by Debug->Attach
* Debugger: linux: debugger could interr when handling program with many short-lived threads
* Debugger: xnu debugger would fail to demangle c++ names after attaching with an empty database
* Decompiler: "create new struct type" could generate a new struct type with forbidden characters, like <
* Decompiler: "push esp/pop reg" was decompiled incorrectly
* Decompiler: automapping variables was too aggressive in some cases
* Decompiler: changing the type of a structure field would cause the loss of the \_\_cppobj attribute
* Decompiler: decompile() would crash if asked to decompile a non-existent function (nullptr)
* Decompiler: fixed a crash on corrupted idbs
* Decompiler: fixed false alarm 'ignored garbage at the end of the blob...'
* Decompiler: fixed interr 50902
* Decompiler: in some cases the action "Reset pointer type" was not working (had no effect)
* Decompiler: in some cases the decompiler would add a suffix to the user-defined names (myvar->myvara)
* Decompiler: jumping to the pseudocode from another window (for example, from the local types) would fail to activate the window in some cases
* Decompiler: on macOS, the decompiler would use shortcut "Ins" instead of "I" for the "Edit block comment" action
* Decompiler: PPC: if addresses are subtracted assume that the size is being calculated
* Decompiler: renaming a structure field would cause the loss of the \_\_cppobj attribute
* Decompiler: some xrefs to enum members would be missed by Ctrl-Alt-X
* DWARF: IDA could try to allocate too much memory on corrupted files before dying with out-of-memory error
* DWARF: The DWARF plugin could crash IDA (null pointer dereference) with some specially-crafted files
* DWARF: The DWARF plugin could INTERR with specially crafted files
* DWARF: The plugin could cause IDA to crash (stack exhaustion) with some specially crafted input files
* DWARF: The plugin could loop (seemingly) endlessly when encountering a DW\_TAG\_namespace with a (broken) name whose first character is '#'
* DWARF: The plugin could perform a use-after-free during stack unwinding, on some DWARF input files
* DWARF: The plugin could perform a use-after-free on some specially crafted files
* DWARF: validate size of compressed sections before trying to load them
* IDA could complain about "corrupted database" (bad srrange) when opening a rebased and saved database
* IDA could crash when loading a corrupted elf file
* IDA could crash when parsing corrupted PDB files
* IDA could crash when performing certain manipulations with script snippets
* IDA could crash when restoring function information from a corrupted database
* IDA could endlessly loop on some corrupted idbs
* IDA could fail with internal error 20078 on corrupted ELF files
* IDA would crash when loading an ARM64 driver if the default debugger was set to windbg
* IDA would try to allocate a huge amount of memory when loading a corrupted elf file
* IDAPython: IDA could exit silently on startup if the Python runtime called exit() during initialization
* IDAPython: ida\_bytes.bin\_search documentation was lacking
* IDAPython: ida\_bytes.next\_visea, ida\_bytes.prev\_visea were not available
* IDAPython: ida\_ida.AF\_FINAL had value -0x80000000 instead of 0x80000000
* IDAPython: ida\_name.MNG\_\* and ida\_name.MT\_\* values were not exposed
* IDAPython: ida\_search.SEARCH\_UNICODE was not available after IDA 7.0, while ida\_search.find\_binary() still is
* IDAPython: if a 'nav colorizer' returned a long that couldn't be converted into 32 bits, IDA would fail to report the issue in a timely manner, leaving it for later Python code to fail
* IDAPython: internal error 30615 could happen if Python initialization failed
* IDAPython: using ida\_kernwin.choose\_find() with a non-IDAPython chooser would crash IDA
* IDAPython: when using Python 2, scripts with magic 'encoding' comment could fail to run
* INTERR 1983 could happen in some situations after rebasing
* LUMINA: fixed "Unsupported OpenSSL version" error on macOS 11
* Modifying an attribute of a function argument (e.g. adding \_\_hidden) would be saved in the database but would not be immediately reflected in the disassembly
* On Windows, idat would let the operating system handle some Ctrl- keys, rendering them unusable in IDA
* Opening IDA without an IDB and opening the script snippets dialog, and then loading an IDB with snippets, would fail to properly load that database's snippets
* PC: changes in processor specific options were not undone upon Ctrl-Z
* PC: parse\_reg\_name() could return wrong register types for XMM/YMM/ZMM registers
* PC: some FMA instructions were not decoded in 32-bit mode
* Rebasing the program by an odd number of bytes was not forbidden (and led to problems later)
* Renaming a local type by pressing F2 would lead to its removal from all use sites
* Searching for all occurrences of a byte sequence would not work without an open disassembly view
* Types: creating a c++ structure with a \_\_vftable member in the struct view was not marking the structure as having vftable; only doing so from local types was working
* UI/QT: during auto-analysis, typing in the quick filter (e.g., in the 'Functions window') could result in loss of certain characters
* UI/QT: hiding columns when in 'folders' mode wouldn't work
* UI/QT: if entries in the "Structures" or "Enums" widgets were sorted, scrolling by using the scrollbar would jump over some entries
* UI/QT: renaming folders in the "Local types" view would show the editor on the wrong cell (in the 'Name' column, even though the folder name is in the first column, named 'Ordinal')
* UI/QT: right-click would crash IDA on macOS11 beta7 and later
* UI/QT: the "Command palette" could refuse to keep the user selection, making it hard to use
* UI/QT: the decompiler action "Jump to local type" could fail to select the proper type when the "Local types" view was sorted
* UI/QT: when searching for text in sorted folders views, IDA could loop endlessly
* UI/TXT: it was impossible to "Import" snippets in the 'Script snippets' dialog
* UI: Alt+T/Ctrl+T searches in tabular/tree views wouldn't wrap around as they should
* UI: choosers starting in "folder" mode might not have the user-desired sizes for columns
* UI: Cmd+M would not minimize the IDA window on macOS, per convention
* UI: debugger stack view could display values with wrong bitness (e.g. 32-bit values for 64-bit programs)

As of SP3, IDAPython is incompatible with Python 3.9. If you are experiencing crashes when running IDAPython code, and in particular if the statement `from PyQt5 import QtCore` crashes, please run the `idapyswitch` utility that can be found next to IDA in the install directory and select a Python 3.8 (or earlier) install.
