IDA 7.7.211224 December 24, 2021
Apple has made major changes to the internal format of core OS files. In particular, the DYLD Shared Cache (DSC) has been split into multiple parts. Our Mach-O loader and the helper DSCU plugin have been updated to handle this seamlessly. We have also updated our iOS and Mac debuggers to handle peculiarities of debugging in the new OS versions.
In addition to the built-in C parser, IDA now supports an additional parser based on libclang. It allows IDA to handle complex, real-life C, C++, and Objective-C syntax found in STL, MFC, Apple's XNU and iOS SDK, and Linux kernel headers. We will also soon provide a command-line version to build your own type libraries - stay tuned!
Thanks to the Clang-based parser, types from the Boost library can now be parsed:
Configuring it is very easy:
We took our golang analysis to another level. Detection of golang binaries is more robust thanks to the standard startup code detection, and standard library signatures allow you to ignore unimportant functions. We also use more of the rich metadata present in Go binaries:
Functions are automatically grouped into folders by modules. Once you enable folders, these groups will be visible:
Reflection metadata is parsed to recover types used by the program:
The Lock Highlight button now allows you to have multiple permanent highlights in the database, so you can see the important things at a glance.
New icons to easily hide or unhide the listing elements, like functions, segments, etc.
The Output window gained an option to enable timestamps, making it easier to keep track of the various messages printed there.
Qt libraries have been upgraded to version 5.15.2, offering improved support for HiDPI (4K+) screens, as well as native support for macOS's "dark mode".
Switching between IDA's windows using a keyboard just got easier: hold down Alt to reveal the corresponding digit you need to press to switch to that window.
The breakpoints list now uses the standard folder view for grouping. You can enable or disable all breakpoints in a folder with one click.
Multiple highlights:
Native macOS Dark Mode:
Breakpoint groups:
Two new processor modules were added in this release: Cadence Tensilica Xtensa and the Renesas RX series.
RX processor:
XTensa processor:
Basic type system support has been enabled for all processors. This means that you can now use C syntax declarations for structures and enums via the Local Types editor or by parsing C headers. DWARF types are also imported, when available. FYI, DWARF5, the new version of the debug format, which is the default since GCC 11, is now supported.
RISC-V types imported from DWARF:
We have ported our decompiler to MIPS64. We have also added support for some of the custom instructions of Cavium OCTEON MIPS processors used in advanced network equipment. Currently only the n64 ABI is supported for MIPS64. Of course, the existing decompilers also received numerous improvements and fixes. For example, the new extended flow guard (XFG) calls are handled in x64 and ARM64 Windows binaries.
8051: added configuration for the R8051XC2 core in M5 FPGA by Capital Microelectronics (thanks to Zak Escano)
8051: allow loading binary files without a device selection (thanks to Zak Escano)
ARM: improved function recognition
ARM: improved thunk function detection
ARM: added decoding of ARMv8.4-CondM and ARMv8.5-CondM instructions (RMIF, SETF8, SETF16, CFINV, XAFlag, AXFlag)
ARM: added decoding of ARMv8.5-FRINT instructions (FRINT32Z/FRINT32X/FRINT64Z/FRINT64X)
PC: improved speed in analysis of big x86 PE files
PC: recognize switches with BTI notrack prefix (3Eh) on the indirect jump
PIC16: allow 8-bit addressing in data segments for the PIC24/PIC33 series
PPC: improved ppc64 thunk function detection
RISCV: added support for switch patterns
RL78: added RL78S3 core instruction decoding
RL78: added support for 32-bit and 64-bit data items and 32-bit segments
RX: new processor module (Renesas RX series)
SPARC: improved detection of functions that use a stack frame
XTENSA: new processor module (Tensilica Xtensa)
bochs: added a config parameter HIDE_CONSOLE in dbg_bochs.cfg
bochs: inform the user about the presence of a .lock file, instead of launching bochs that would complain about the wrong img file
debugger: improve stack walking for macos x64
debugger: improve stack walking for windows x64
debugger: ios: improve debugging on iOS15
debugger: linux: improve call stack recovery on Linux x86_64 (also use libunwind if present)
debugger: report the precise address that caused a page breakpoint to trigger (win32, windbg)
PIN: support PIN 3.21
MACHO: support new format of the dyld shared cache split into subcaches (iOS 15, macOS 12)
MACHO: disable ASLR slide detection in dyld shared cache by default (use IDA_DYLD_SHARED_CACHE_SLIDE environment variable to set it manually)
PE, COFF: parse and format new FH4 (CxxFrameHandler4) C++ exception tables
PE: speed up loading of files with a huge number of imports.
DWARF: support for DWARF 5 debug information
DWARF: added DWARF_ENABLE config option, as well as an 'off' command-line option, to disable the plugin
DWARF: add a dialog for fine-grained selection of debug information to import (e.g. do not import types for speed)
FLAIR: go2pat: go obj file to .pat converter for generating Go function signatures
FLAIR: sigmake: added support for signatures with names > 1024 characters
FLIRT: GO: added signatures for the major standard libraries for golang 1.10-1.16 (x64 only)
FLIRT: Updated VC and MFC signatures up to Visual Studio 2019 16.11
FLIRT: BC: added signatures for xe104 (RAD Studio 10.4)
FLIRT: BC: added signatures for xe11 (RAD Studio 11)
FLIRT: ICL: added signatures for icl213 (intel c++ 2021.3)
FLIRT: ICL: added signatures for icl214 (intel c++ 2021.4)
IDS: update coredll ordinal mappings for SH3/SH4 to WinCE 6.0
TIL: idaclang: new command-line utility for creating type libraries using clang C++ parser
golang: add a numerical suffix when a type name already exists (this can happen due to different import paths)
golang: add definitions of some builtin types (string, array, interface, slice)
golang: annotate interface (itab) table
golang: annotate the full reflect.name (possible presence of field tag and import path)
golang: improved detection of prologs in x86/x64 binaries
golang: provide the ability to turn off (or on) deriving a function's end from pclntab (GOLANG_FUNC_END_FROM_PCVAL_TABS in golang.cfg)
golang: show unprocessed (original) function name as function comment if the name was sanitized.
golang: startup signatures allow detection of golang binaries (currently x86 ELF, PE and Mach-O)
swift: updated libSwiftDemangle to 5.5.1 to enable recent Swift symbols demangling
goodname.cfg: simplify names of STL classes in __cxx11 namespace (libstdc++)
ida.cfg: added DEVICE parameter to specify the target device (e.g. ida -pavr -DDEVICE=\"AT90C8534\" firmware.hex)
ida.cfg: added PRIVRANGE parameter to specify the default private address interval (addresses for internal usage) for new databases
idaclang: added support for libclang-based C++ parser (can be enabled in Options > Compiler...)
installer: allow running of x64 installers on Apple Silicon (under Rosetta)
installer: Installers for Apple Silicon are fully native and do not require Rosetta
kernel: enabled type system for all processors; the processors that do not define the necessary callbacks will still have limited support (e.g. the argument locations won't be calculated, among other things)
kernel: improved function recognition in binary files
IDAPython: added colorize_disassembly_on_the_fly.py example to demonstrate dynamically coloring listing lines (w/o touching the IDB)
IDAPython: added example print_call_stack.py
IDAPython: added IDAPYTHON_IDAUSR_SYSPATH parameter to idapython.cfg to automatically add $IDAUSR/python/[2|3]/ directories to sys.path (enabled by default)
IDAPython: added list_function_items.py sample to demonstrate usage of func_t iterators
IDAPython: examples directory now has an index with the listing of examples and functions used in them
IDAPython: functions returning multiple values or structures now return tuples instead of lists
IDAPython: idalines_generate_disassembly now returns (int, [line, line, ...]) instead of (int, (line, line, ...))
IDAPython: improve return type information shown in docstrings
IDAPython: improved online API documentation
IDAPython: the xrefblk_t class now provides functions for iterating the cross-references using generator expressions (for ... in)
SDK: added enable_bptgrp() function
SDK: added dirtree_t::find_entry()
SDK: added get_user_input_event() to retrieve information about the event that triggered a certain notification (e.g., view_curpos, hxe_curpos, ...)
SDK: added qstring::split() & qstring::join()
SDK: added REFINFO_NO_ZEROS/REFINFO_NO_ONES flags for refinfo_t to handle special cases of offset values
SDK: added the new ALOPT_ONLYTERM option for get_max_strlit_length() to allow invalid characters inside string literals
SDK: clarify documentation for show_wait_box() about HIDECANCEL
SDK: idb_event::segm_deleted notification now provides the flags that were used for deletion
SDK: introduced functions to convert UTC time to struct tm and back (qgmtime/qtimegm)
SDK: moved qfsize() from diskio.hpp to fpro.h
SDK: renamed inf.comment -> inf.cmt_indent
SDK: APIs working with breakpoint groups (e.g. set_bpt_group) now accept a path instead of a simple name
UI: add the shortcut number to the tabs' titles if Alt is pressed for 1 second
UI: added checks in the floating license borrow/return forms to avoid a problem with decompiler licenses not being returned
UI: added ymmword and zmmword data types to "Setup data dialog" (for processors that support them)
UI: enable Command+F for QuickFilter actions on macOS
UI: improved speed when manipulating large numbers of breakpoints
UI: improved UI responsiveness when manipulating huge structures
UI: messages in Output window can now be timestamped by enabling the option from the context menu
UI: multiple lockable highlights are now available in listings
UI: show collapse/expand icons to the left of disassembly items when the corresponding action is available
UI: support for relative (i.e., '+N', '-N') jumps in structures window
UI: when a widget is reopened with WOPN_RESTORE, IDA will attempt to place it where it was previously located, instead of next to the currently active widget
UI: the breakpoints view now uses a standard folder view for breakpoint groups
decompiler: add the "Copy" action in the context menu when it's available
decompiler: added PSEUDOCODE_SYNC_XPOS option, to prevent synchronized Pseudocode-* views from scrolling horizontally when navigating in the other view
decompiler: optimize complex conditions by removing useless parts. E.g. x==3 || x!=4 is replaced by x!=4
decompiler: print the decompiler version when writing a C file output
decompiler: recognize more magic division sequences
decompiler: transform memcpy calls into memset when all source bytes are the same
decompiler: transform two shifts in opposite directions into a corresponding division or multiplication
decompiler: disable actions 'Set call type', 'Remove function argument' for helper calls generated by the decompiler
decompiler: improved comments in hexrays.cfg
decompiler: support for the Extended Flow Guard helper (guard_xfg_dispatch)
decompiler: ARM: intrinsic functions swapXX, __rbitXX now use 32/64 suffix to show the underlying operation size
decompiler: MIPS: added support of n64 ABI (MIPS64 decompiler)
decompiler: MIPS: added support for Cavium-specific instructions
decompiler: x86/x64: decompile prefetchnta instruction
decompiler: PPC: CR and CR32..CR63 bits can be specified as argument/return locations in __usercall functions, e.g. bool __usercall sub_610ACA@<cr34>(int *a1@<r5>)