IDA 6.5

ARM64 (aka AArch64) support

In September 2013 Apple released iPhone 5s with the A7 processor which supports the newest, 64-bit variant of the ARM instruction set. We are happy to announce that IDA 6.5 fully supports disassembly of ARM64 code and can load iOS 7 Mach-O binaries out of the box. The Objective-C metadata, if present, is also parsed and applied.

As usual, stack variables are created for you. We also perform limited register tracking and add cross-references so that it is easier to see, for example, what string values are loaded into registers.

Similar to x64 code, ARM64 allows you to access parts of the same register using different names (for example, W0 is the low 32 bits of the 64-bit register X0). We have implemented highlighting for ARM64 registers and in the screenshot above you can see how V11 is highlighted together with D11. This saves time when looking at complicated function, since ARM64 has 32 general-purpose and 32 SIMD registers to use.

Note: ARM64 decompilation is not available at this moment.

Rendering quality and speed improvements

We have made substantial improvements in rendering of the disassembly, both in text and graph view. You should see faster and better quality rendering. HiDPI (Retina) displays are fully supported on OS X.

Here's old IDA 6.4 on Retina display (zoomed graph view):

And the same in new IDA 6.5:

Database format improvements

The dreaded "Maximum number of chunks reached" message is gone. The database files can now be greater than two gigabytes, so the possible address space is limited only by the available disk space. Many other limits have been raised so now you can load huge files into IDA.

Type system

The type system has been redesigned and improved. Most of the changes are only visible to plugin writers, but users will notice:

  • support for bitfields in structures (only on C level, not in disassembly)

  • support for struct and class inheritance (only single inheritance for now)

  • improved handling of complex function prototypes and calling conventions (e.g. structures passed in registers, arguments in SSE registers etc.)

  • support for C++ ? C function prototype lowering (e.g. explicit "this" and return value parameters)

  • PDB and DWARF plugins can now import more complex types using the new type system

UI improvements

Many small but useful features have been added or improved. Here's just a few:

  • Breakpoint groups

    You now can group breakpoints and disable/enable them at once. You can also export breakpoints to IDC and load them into another IDB. This can be a quick way to set breakpoints on a set of common APIs in many programs.

  • Structure offsets dialog

    The "Selection-T" dialog now supports quick filtering (Ctrl-F) of the structure list, similar to other lists in IDA. You can also add missing fields to structures based on the register+offset accesses.

  • Export data

    The new Edit ? Export data command can be used to quickly export selected bytes as an array of numbers or an initialized C structure (if it is a struct instance)

  • Export to C header

    This command is now smarter: it can include necessary dependencies automatically and reorders the exported types so that the declarations or definitions appear before their use.

  • Create struct from selection

    This command used to be called "Create struct from data". We have renamed it because now it can be used not only for initialized data items, but also for a selection of stack variables in a stack frame, or a set of fields in a structure (to extract those fields into a new structure). It has also been updated to use type information, when available. For example, when converting a virtual function table (a list of function pointers), the created structure will have pointers as members, and they will have proper types if the functions had their prototypes defined.

  • Navbar and mouse wheel

    You can now use mouse wheel to scroll the navigation bar, and Ctrl-wheel to zoom it.

Complete changelist

  • Processor Modules

    • + 6808/HC(S)08: decode skip1 and skip2 pseudoinstructions

    • + 68K: decode Mac OS toolbox traps with auto-pop flag set

    • + 68K: added a few missing A-trap values (thanks to Doug Brown)

    • + 8051: added support for 51MX extensions

    • + ARC: disassemble MAC extension instructions

    • + ARC: initial typeinfo support

    • + ARM: added recognition of __gnu_mcount_nc

    • + ARM: added support for Thumb switches that use GCC helpers __gnu_thumb1_case_<.../>

    • + ARM: added support for ARM64 aka AArch64

    • + ARM: handle another variation of Thumb-2 switch table

    • + ARM: improve analysis speed for files with extremely long functions

    • + ARM: improve handling of unoptimized GCC Thumb-2 epilogs (ADD R7, R7, #delta; MOV SP, R7)

    • + ARM: improve stack tracing in the presence of conditional instructions

    • + ARM: recognize 'ADD PC,PC,R' as return from subroutine

    • + ARM: set default ARM architecture to "metaarm" (disassemble all instructions) in ida.cfg

    • + ARM: support BE-8 images (big-endian data but little-endian code)

    • + H8: added support for the Renesas H8SX family

    • + H8: handle several switch patterns generated by Renesas High-performance Embedded Workshop (HEW).

    • + H8: improved analysis, added rudimentary register tracking (thanks to Zak Escano)

    • + MIPS: recognize new-ABI/System-V-ABI GCC PLT slots (see https://sourceware.org/ml/binutils/2009-06/msg00203.html)

    • + PC: assume that "int 3" after calls stops execution (this is used by Visual C++ to guard calls to noret functions)

    • + PC: decode LOCK MOV TO/FROM CR0 as MOV TO/FROM CR8D (AMD-specific)

    • + PC: handle code sequences which load imagebase value into a temporary register (common in x64 Windows code)

    • + PC: handle code which jumps over the lock prefix of instructions (e.g. Linux glibc)

    • + PC: handle PIC helpers from Android/x86 binaries (__x86.get_pc_thunk.bx)

    • + PC: improve analysis of functions with multiple "push ebp" instructions

    • + PC: improved speed of stack analysis for long functions

    • + PC: introduced PC_ANALYZE_MAX_SIMPLEX_SIZE: if the size of the simplex problem is greater, IDA will not use the simplex method

    • + PPC: Recognize 'addis'/'lwz' pair for 32-bit offsets.

    • + PPC: recognize switch constructs that use a GOT register

    • + PPC: switch idiom recognition drastically improved.

    • + TMS32028: new processor (Texas Instruments TMS320C28x). Includes C27 and C2xLP modes.

    • + TMS320C55x: decode instructions that access deprecated registers MDP05 and MDP67

    • + Tricore: added instruction auto-comments

    • + Tricore: added new assembler for TASKING VX-toolset

    • + Tricore: recognize some standard instruction sequences to load addresses and convert them to offsets

  • File Formats

    • + CLI: implemented renaming of .NET methods

    • + COFF: ignore symbols for import fixup pointers generated by GCC ("__fu<N>__<impname>") since they point into middle of instructions

    • + COFF: ARM: support IMAGE_REL_ARM_MOV32T/IMAGE_REL_ARM_MOV32A relocations (used in WinRT targets)

    • + DBG: added a workaround to handle non-compliant .dbg files produced by map2dbg

    • + DEX: various dex loader improvements: format dex headers, methods descriptions, prototypes, strings, classes, annotations; parse and use debug info.

    • + ELF: added minimal support for Tricore

    • + ELF: added option to handle really huge segments (load them chunk by chunk). Thanks to Avi Cohen Stuart.

    • + ELF: ARM: support R_ARM_THM_JUMP11 and R_ARM_THM_JUMP8 relocations

    • + ELF: create a new, dummy segment for the .tbss section to avoid overwriting unrelated symbols

    • + ELF: disable data coagulation by default (don't convert objects to byte arrays). Among other things, this improves display of vtables.

    • + ELF: Handle Thumb entrypoints in files.

    • + ELF: MIPS: support R_MIPS_TLS_GOTTPREL, MIPS_R_COPY and MIPS_R_JUMP_SLOT relocations

    • + ELF: support for STT_GNU_IFUNC symbols

    • + ELF: symbol value in RELA relocs against section symbols in dynamic files should be ignored (bug compatibility with binutils/ld.so)

    • + DWARF: accept clang's non-DW_AT_declaration-based declaration (it uses an explicit DW_AT_byte_size of 0), and strip 'class ', 'struct ' and 'union ' from complex types names.

    • + DWARF: basic support for Fortran-originating DWARF info.

    • + DWARF: Declare function prototype even when params locations cannot be determined.

    • + DWARF: Enable loading of DWARF information for shared libraries of a program being debugged.

    • + DWARF: fixes and improvements to handle clang idiosyncrasies

    • + DWARF: handle C++11 unspecified type: nullptr becomes a 'void*', and the rest becomes 'void'.

    • + DWARF: Handle calling conventions that pass arguments in registers (e.g., __fastcall, __usercall, __thiscall)

    • + DWARF: handle DW_AT_GNU_vector types, by packing them in a structure

    • + DWARF: improved DWARFv4 handling

    • + DWARF: support for DWARF info in PE files

    • + DWARF: recognize DW_ATE_UTF8 for C++11 char16_t, char32_t, ...

    • + DWARF: support for bitfields

    • + DWARF: Support for complex float/double/longdouble.

    • + DWARF: Support for DWARF V4-style, exprloc-based location lists.

    • + DWARF: support for segmented addresses

    • + DWARF: support for WATCOM-style, spec-incompatible, typeless global variables with no location descriptor (uses DW_AT_low_pc instead)

    • + DWARF: too many other fixes and improvements to list

    • + MACHO: rename pointers to ascii strings; this improves the listing

    • + MACHO: symbols with names like "__dtrace_probe$..." were being interpreted as ARM symbols, which destroyed valid Thumb code

    • + MACHO: when loading a dyld cache, ask about Objective-C parsing only once

    • + PDB: improved handling of fragmented functions.

    • + PDB: removed artificial limitation on the type names, it was leading to names clashes and interrs. NB: types with really long names cannot be imported into the structure view anymore.

    • + PDB: use class inheritance instead of inclusion

    • + PE: display TimeDateStamp header field using UTC instead of local timezone

  • Kernel

    • + bTree/varray: raise implementation limits to handle big databases. Removed "max number of chunks" limit.

    • + include paths and predefined macros are set for each compiler separately

    • + added CC_PARMS in ida.cfg as a tagged collection of the parameters (with compiler abbreviations as tags)

    • + added report_gsfailure, com_raise_error and com_issue_error to noret.cfg

    • + added tinfo_t, an object to hold the type information

    • + C parser: added support for __ptr32 and __ptr64 keywords

    • + demangler: support of 'rvalue reference' gcc mangling

    • + demangler: various updates for GCC 4.x/C++11

    • + parameter tracking: do not propagate 'this' name to callers

    • + security: IDA will ask for a confirmation if an unknown IDB (from a third-party) is used to launch a debugger

    • + security: disallow IDC snippets in startup signatures; only external IDC scripts may be used

    • + removed -C command line switch (the compiler can be set using a script function instead)

    • + type parser: c++ names with class/namespace qualifiers can be parsed, like aaa::bbb

    • + type system: added support for 64-bit enums (64-bit enums in the enum view are supported only in idaq64)

    • + types: added local_types_changed event; it occurs on any change to type definitions or when the user loads/unloads type libraries

    • + types: added support for class inheritance; currently the parser support one base class but other parts can handle multiple inheritance too (at least in theory)

    • + types: added support for type attributes (introduced with __attribute__ or __declspec keywords).

    • + types: added support for zero sized structs

    • + types: IDA can parse structure definitions with bitfields and store this info in the type strings

    • + types: introduced udt_type_info_t object to represent struct and union types and refactored the code to parse udt type strings (so we do not have the same code in 2 places)

    • + types: added new type-related callbacks for processor modules; they are used if PR_TINFO bit is set in the processor module; it PR_TINFO is not set, then the old callback will be used

    • + types: deprecated varloc_t and created argloc_t, it can express register relative and static (fixed memory address) locations; also implemented compatibility layer so that older plugins continue to work

    • + types: do not propagate "this" and "retstr" variable names, they just clutter the output without adding any useful info

    • + types: introduced the notion of 'type level'. Types usually encountered in source files are called 'high level' types.

  • FLIRT, TIL & IDS

    • + added win8_um.til and wdk8_km.til for Windows8 WDK (user and kernel mode headers)

    • + FLAIR: all parsers now support > 0x8000 sections, offsets and fixups.

    • + FLAIR: allow sigmake to process .pat files with Objective-C messages as function names (containing []+- and spaces).

  • Scripts & SDK

    • + IDAPython: don't del() modules that were created by user scripts; provide idaapi.require() to import/reload modules (see http://www.hexblog.com/?p=749).

    • + IDAPython: Enable multi-threading

    • + IDAPython: python.cfg: set REMOVE_CWD_SYS_PATH=1 by default (remove current directory from the import search path).

    • + IDC: added Breakpoint.AddToGroup(bpt, group_name) method

    • + IDC: added function ApplyType()

    • + IDC: added GetDisasmEx() which allows generating disassembly for non-existing instructions or locations in the middle of other instructions

    • + IDC: added GetLocalTinfo(): return a local type by ordinal

    • + IDC: added IsInt64() and similar functions

    • + IDC: added typeinfo.size(): return type size

    • + SCRIPT: implemented additional processor notification callbacks for scripted processor modules

    • + SDK: added custom popup menu callback support for all choosers. Implemented submenus for choosers popup menus

    • + SDK: added a new assembler format for octal numbers (q'123, flag ASO_OCTF7)

    • + SDK: added DOUNK_NOTRUNC flag for do_unknown[_range]()

    • + SDK: added expand_argv()

    • + SDK: added guess_func_cc(): a function to determine the calling convention from the types and locations of arguments

    • + SDK: added notifications and new control APIs for the Output Window

    • + SDK: added str2ea_ex()

    • + SDK: added SWI2_STDTBL flag for switch_info_ex_t - to mark switch tables which use standard layout but non-standard target calculation

    • + SDK: forms: support for user-defined menu items for choosers in forms

    • + SDK: generate_disasm_line() with GENDSM_FORCE_CODE can be used to generate instruction text for any address; regardless of the existing instructions in the database

    • + SDK: getting/setting/deleting node properties (grcode_[set|get|del]_node_info).

    • + SDK: ht_output: a sample plugin to demonstrate receiving output window notification and using of new output window functions

    • + SDK: IDA graphs can be controlled by plugins, including Python bindings (see graph.hpp).

    • + SDK: navcolor: sample plugin to illustrate how to customize navigation band colors

    • + SDK: plugins can add popup menu items using add_custom_viewer_popup in two ways: 1) On ct_popup or view_popup notifications. Such items will be automatically removed after popup execution; 2) In any other place - the added items will remain until set_custom_viewer_popup_menu(viewer, NULL) is called (previous behavior)

    • + SDK: qctime_utc() uses Coordinated Universal Time (UTC), is equivalent to asctime(gmtime(t))

    • + SDK: removed requirement for mkidp branding for processor modules. Instead, lnames/pnames arrays are used.

    • + SDK: rename segment registers areas interface functions.\

    • + SDK: sample plugin ht_view to demonstrate usage of HT_VIEW notifications (view callbacks), different ways of adding user popup menu items get_viewer_name() APIs

    • + SDK: support for UTF-8 strings in choosers (CH_UTF8)

    • + SDK: tracing: added set_trace_platform(), get_trace_platform functions(), set_highlight_trace_options()

    • + SDK: Change idp_desc_t struct to combine processor names. Set IDP 'family' name for UI purposes.

    • + SDK: qflow_chart_t: added FC_CHKBREAK flag (so build_qflow_chart() may be aborted by user)

  • User Interface

    • + UI: add "synchronize" option to the Function list which keeps it synchronized with IDAviews.

    • + UI: added "Create structure from data" functionality to the stack frame view and Structures window

    • + UI: added breakpoint groups. They can be enabled/disabled at once.

    • + UI: added experimental "Address details" info panel (see View ? Toolbars).

    • + UI: added exporting of breakpoints (to an IDC script)

    • + UI: allow specifying directories to ignore (both for source mappings and binaries mappings)

    • + UI: Alt+T "search all" command result is now displayed in the output window (pattern not found, bad regular expression, search aborted)

    • + UI: color buttons now allow resetting the color back to default

    • + UI: debugger: added an explanatory dialog box for debuggers with manual memory regions

    • + UI: display long processor descriptions in the "Load file" dialog

    • + UI: improve rendering quality and speed of zoomed graphs

    • + UI: improved scroll bar behavior if there are big gaps in addressing

    • + UI: make the commandline Python/IDC switch button non-flat to make it more obvious

    • + UI: marked location descriptions can be edited from the marked location chooser (Ctrl-M)

    • + UI: mouse wheel can be used in the navigation bar for scrolling (and Ctrl+wheel for zooming)

    • + UI: navbar: when current location is changed the navigation bar is shifted so that the whole pointing arrow is displayed.

    • + UI: new command: Export Data (default hotkey Shift-E)

    • + UI: properly display Unicode/custom codepage strings in the "Strings" window

    • + UI: redesigned "Name representation" dialog

    • + UI: rendering speed improvements, especially in graph view mode

    • + UI: structure offset dialog (selection-T): added quick filter (Ctrl-F)

    • + UI: structure offset dialog: "Add missing members" function; Show hints for list view

    • + UI: Support for fine-grained scrolling (e.g. two-finger scrolling on Macs)

    • + UI: support for HiDPI (Retina) displays on OS X

    • + UI: when adding on-access breakpoint from the Segments list, deduce its type from the segment permissions (for example, for the code segment we set eXec bpt)

    • + UI: when deleting multiple segments, ask for confirmation only once

    • + UI: removed "Output window" from the View menu. (it still remains in "Windows" menu)

    • + UI: TXT: added Tracing submenu

    • + UI: TXT: Added "Switch debugger" to the "Debug" menu

  • Debugger

    • + debugger: Allow specifying which IP (v4) interface to bind to for remote debugger server

    • + debugger: Allow the user to specify binary paths mappings, to be used by the debugger.

    • + debugger: Android: support for debugging under Android 4.2.2

    • + debugger: ARM: linux: added a workaround for syscalls made by jumping to the last page so we can single step them

    • + debugger: win32: clarify the error message if getting debug privilege fails. Also, don't reset it if we didn't get it.

    • + GDB: try to detect target architecture and bitness (qXfer:features:read)

    • + GDB: use register layout from the feature info XML on ARM, if available

    • + PIN: 'logging mode', 'only add new instructions', 'trace over debugger segments' flags may be changed when the application is running

    • + PIN: allow 64-bit IDA to attach to a 32-bit process

    • + PIN: check process bitness compatibility before attaching

    • + PIN: function tracing mode: record call & return instructions

    • + PIN: implemented attaching to a process

    • + PIN: multiple fixes, improvements and speed-ups.

    • + PIN: pass both 32- and 64-bit pintool DLLs when launching pin. So pin can choose appropriate tool itself

    • + PIN: remove "Only add new instructions" option from tracer submenu as it is already present in the 'Tracing options' dialog.

    • + PIN: support 'log return instructions' option

    • + windbg: check if dbgsrv.exe is present in usual locations and offer it by default if so

    • + Windbg: check the "WindowsDebuggersRoot" registry key to locate the debugging tools (WDK8)

    • + windbg: complain if the user tries to debug 64-bit code with 32-bit IDA

    • + Windbg: implemented jump by double-clicking on 64-bit addresses printed into the output window (delimited by the ` symbol).

    • + WINDBG: when debugging or loading dumps for WoW64 processes, try to detect 32-bit vs 64-bit modules and mark segment bitness accordingly (IDA64 only)

    • + WINDMP: when loading WoW64 dumps with 32-bit IDA, skip 64-bit segments instead of failing completely

  • Bugfixes

    • BUGFIX: 'convert to dword' (hotkey D) was failing to delete a hindering name in some cases

    • BUGFIX: "create function" command could wrongly fail in some rare cases

    • BUGFIX: "Dump database to IDC" could create too long strings that could not be parsed back by IDA

    • BUGFIX: 16-bits offsets from the current segment were not displayed properly if the segment did not start at its base address

    • BUGFIX: accessible memory limits (inf.minEA/maxEA) could be wrong after starting instant debugging

    • BUGFIX: alpha: load osf.til only for non-PE files because it is for Unix

    • BUGFIX: ARC: jump instruction with long immediate operand were incorrectly marked as indirect

    • BUGFIX: ARC: some cross-references for ld instructions were missing

    • BUGFIX: argument propagation could fail inside function chunks

    • BUGFIX: ARM debuggers could not correctly single step IT,TBH,TBB instructions

    • BUGFIX: ARM: handling of some Thumb-2 switches resulted in wrong cross-references, hindering disassembly and decompilation (Thumb bit was not ignored)

    • BUGFIX: ARM: some comments in the listing were using ';' character even in GAS mode (which uses '@' instead)

    • BUGFIX: ARM: some NEON instructions with an immediate operand (e.g. VMOV <reg>, #imm) were decoded incorrectly in Thumb mode.

    • BUGFIX: autoanalysis could enter an endless loop creating and destroying a macro instruction

    • BUGFIX: AVR module was not displaying xrefs to i/o ports

    • BUGFIX: avr: even if the user did not select a device, IDA would use the default device settings (AT90S8515) until the database was reopened

    • BUGFIX: binary search dialog interpreted control characters as their literal values (e.g. newline would be interpreted as 0A)

    • BUGFIX: CLI: a specially crafted IDB file could lead to a buffer overflow and potential code execution

    • BUGFIX: CLI: IDA could crash on some corrupted .NET files because of bogus values returned by the metadata APIs on Windows

    • BUGFIX: dalvik: fixed DALVIK_MOVE_RESULT_OBJECT instruction handling

    • BUGFIX: DALVIK: names of overloaded functions could be wrong

    • BUGFIX: DbgDword() was failing if pin debugger backend was used

    • BUGFIX: DbgDword() was returning garbage for wrong addresses on WinXP instead of failing

    • BUGFIX: debugger: 'manual regions' menu item was never displayed to the user

    • BUGFIX: debugger: 64-bit appcall was failing for bochs debugger

    • BUGFIX: debugger: fixed some data race conditions in the windbg debugger module

    • BUGFIX: debugger: IDA could crash while trying to resolve a "reg:delta" expression if "reg" was a virtual register (e.g. a flag name)

    • BUGFIX: debugger: IDA could lose control while tracing ARM programs

    • BUGFIX: debugger: if breakpoint with condition 0 was used in the short loop, "Suspend execution" button was kept disabled

    • BUGFIX: debugger: it was impossible to correclty resume the application once we suspended inside a page read-write bpt

    • BUGFIX: debugger: linux: bpt-related signals were sometimes passed to the application even if the user masked them

    • BUGFIX: debugger: mac debugger could report wrong memory layout info

    • BUGFIX: debugger: pin (64bit architecture) did not trace instructions having addresses 0xffffffff and higher

    • BUGFIX: debugger: selecting "Suspend" from the "Unable to single step" dialog box would lead to resuming the application

    • BUGFIX: debugging an x64 application could crash IDA when stepping over a pushfq.

    • BUGFIX: DWARF in fat Mach-O files with 2+ architectures could not be read, because of an additional offset to the DWARF information stream.

    • BUGFIX: dwarf: avoid type duplication.

    • BUGFIX: dwarf: don't apply DWARF-provided-name when a mangled name is already present.

    • BUGFIX: DWARF: Don't fail on anonymous types that embed similarly-named types with different sizes.

    • BUGFIX: dwarf: DW_TAG_label DIEs produced by Apple's fork of GCC would be placed at wrong addresses.

    • BUGFIX: dwarf: empty types (1-byte wide) were erroneously saved as dummy. Therefore, any type depending on them would collapse into a dummy as well.

    • BUGFIX: dwarf: GCC-produced DWARF files can have negative bit offsets.

    • BUGFIX: dwarf: handle bogus bitfield length generated by RVCT

    • BUGFIX: dwarf: If the x86 processor was set to something other than "metapc", the plugin wouldn't load DWARF info.

    • BUGFIX: dwarf: In some cases, loading of additional modules could cause IDA to quit.

    • BUGFIX: dwarf: it was not possible to load a separate file with debug info manually

    • BUGFIX: dwarf: mangled names could be ignored, in case the didn't appear in the declaration of a function, but in its specification.

    • BUGFIX: dwarf: RVCT-produced files could have references cross-compile_units, which would lead to having duplicate types

    • BUGFIX: dwarf: RVCT 3.1 outputs erroneous 'DW_AT_sibling' information, that caused the plugin to loop endlessly.

    • BUGFIX: dwarf: some frame offsets were wrong.

    • BUGFIX: dwarf: some global variables could not be properly recognized when they are of a static member of a complex type

    • BUGFIX: dwarf: some structure names could conflict with defined functions ('stat64', 'sigaction', ...); rename them in that case.

    • BUGFIX: dwarf: support DW_TAG_unspecified_type when retrieving function prototype.

    • BUGFIX: dwarf: support RVCT-generated existing-but-empty names.

    • BUGFIX: dwarf: types with very members that are large arrays of declared-only types could fail being imported.

    • BUGFIX: dwarf: when DW_TAG_unspecified_parameters was specified as part of the function declaration (as opposed to its potential specification), it was ignored.

    • BUGFIX: dwarf: when multiple variables with the same name but different offsets are present in the stack frame, '_NN'-suffix them and declare them all.

    • BUGFIX: dwarf: with optimized code, source-level debugging could fail retrieving a valid size for the current block of code

    • BUGFIX: EBC: MOVI instruction with 64-bit immediate value was incorrectly disassembled.

    • BUGFIX: ELF: 'NOTE' sections/program headers would corrupt the program's end address, and prevent some items to be properly named/used.

    • BUGFIX: ELF: ARM loader would erroneously set the name of the symbol at the place of the relocation, for R_ARM_TLS_LE32.

    • BUGFIX: ELF: loader could sometimes mis-calculate the location of TLS variables

    • BUGFIX: ELF: relocations wouldn't be applied if no section headers were present, and no DT_REL[A] were present in the dynamic info but only a DT_PLTREL

    • BUGFIX: ELF: some PPC RELA relocations were applied incorrectly

    • BUGFIX: ELF: Wouldn't systematically consider symbols that point to SHN_UNDEF as externs.

    • BUGFIX: Enable PDB loading for modules of the program being debugged remotely.

    • BUGFIX: fixed a deadlock: if a script was modifying breakpoints while the debugged application was running, IDA could hang

    • BUGFIX: fixed interr 30141 that could occur when using the windbg backend

    • BUGFIX: Functions imported by ordinal could be erroneously labeled in 64-bit IDA (on Windows only).

    • BUGFIX: GDB: AddBpt() with size=0 did not work properly for PPC targets (while doing it from UI worked)

    • BUGFIX: IDA could crash when opening an old ST9 database

    • BUGFIX: IDA could crash when starting a remote debugging session without a database

    • BUGFIX: IDA could wrongly complain about failing to acquire debug priveledges

    • BUGFIX: IDA would use Borland type libraries for Windows even for OS/2 programs

    • BUGFIX: IDAPython could be leaking memory on some operations.

    • BUGFIX: IDAPython: asklong/askaddr/asksel (and corresponding idc.py functions) were returning results truncated to 32 bits in IDA64

    • BUGFIX: IDAPython: fix wrong documentation for idc.SizeOf

    • BUGFIX: IDAPython: GetFloat/GetDouble functions did not take into account endianness of the processor

    • BUGFIX: idapython: idaapi.NO_PROCESS was not defined, and was causing GetProcessPid() to fail

    • BUGFIX: IDAPython: idc.py: insert escape characters to string parameter when call Eval()

    • BUGFIX: IDAPython: idc.SaveFile/savefile were always overwriting an existing file instead of writing only the new data

    • BUGFIX: IDAPython: PluginForm.Close() wasn't passing its arguments to the delegate function, resulting in an error.

    • BUGFIX: IDC: FUNCATTR_OWNER and FUNCATTR_REFQTY were not usable with GetFunctionAttr

    • BUGFIX: IDC: setting condition using Breakpoint class didn't work

    • BUGFIX: In case a different process has an exclusive lock on a file (and thus IDA cannot open it for reading), "File > Load file > Additional binary file" would silently fail.

    • BUGFIX: it was impossible to edit very long type definitions because the buffer was limited to 10KBytes

    • BUGFIX: it was impossible to use Windbg for instant kernel debugging (without an existing idb file)

    • BUGFIX: MACHO: Objective-C metadata parser could not handle some incompletely specified types

    • BUGFIX: MIPS: cross-references from 'jalx' instructions were marked as jumps instead of calls

    • BUGFIX: network-related settings that were used for instant debugging were not handled correctly; (- the default settings were used instead of the ones specified for the current session - the default settings were not displayed in the instant debugging related dialogs but the settings used the last time)

    • BUGFIX: on Windows it was impossible to import some Python modules (for example, 'import zmq' would fail)

    • BUGFIX: opening idb file created from a windows dump file would automatically launch windbg; this could lead to unauthorized code execution

    • BUGFIX: pc module would mark 'lea reg, [esp+N]' in the gcc stack alignment code as a prolog instruction; in fact the value of 'reg' may be used in the function body so it should not be marked

    • BUGFIX: PC: code cross references from indirect jump instructions to external symbols were sometimes missing

    • BUGFIX: PC: Could INTERR in case some type names were unreasonably long.

    • BUGFIX: PC: could interr on invalid floating-point instructions

    • BUGFIX: PC: epilog analysis could erroneously mark too many instructions as epilog instructions, leading to bad decompilation results

    • BUGFIX: PC: epilog analysis could mark wrong instructions as belonging to the epilog

    • BUGFIX: PC: IDA could interr when applying a function prototype with an array argument

    • BUGFIX: PC: recognition of GCC-generated stack aligment prolog was broken and could interfere with the stack pointer analysis

    • BUGFIX: PC: some SSE instructions were decoded incorrectly if extra prefixes were present (e.g. both F2 and 66)

    • BUGFIX: PDB: msdia90.dll can crash on bogus data in the debug directory; added a workaround

    • BUGFIX: pdb: on rare occasions a wrong type could be created that would cause an internal error

    • BUGFIX: PDB: Use *.pdb file name instead of input file name in error and warning messages and dialogs during pdb loading

    • BUGFIX: PDB: variadic functions (printf, ...) wouldn't have their function type set properly.

    • BUGFIX: PDB: when using "browse for pdb" option, names from the PDB were not applied

    • BUGFIX: PE: relocation IMAGE_REL_BASED_ARM_MOV32T was not handled correctly

    • BUGFIX: PIN: auto-launching PIN on Windows could fail with "CreateProcess failed: The directory name is invalid."

    • BUGFIX: PIN: IDA could fail to connect to PIN running under XP

    • BUGFIX: PIN: IDA crash when trying to set "Autolaunch PIN" field in PIN debugger specific options on OS X

    • BUGFIX: PIN: PIN options dialog could not be opened in the text mode IDA

    • BUGFIX: PIN: the error message about the connection failure was wrong

    • BUGFIX: remote appcall for void functions would fail

    • BUGFIX: SDK: append_name() could create a wrong type string (with too long name)

    • BUGFIX: SDK: calling del_struct(some_func_frame) would cause IDA to exit and with an error message; now it simply returns failure

    • BUGFIX: SDK: execute_sync() could skip some requests and process them only when called again later

    • BUGFIX: SDK: fixed description of the idb_event::struc_cmt_changed notification ('repeatable_cmt' argument was not documented)

    • BUGFIX: SDK: get_enum_type_base() was broken

    • BUGFIX: SDK: get_min_spd_ea() could erroneously return BADADDR

    • BUGFIX: SDK: next_unknown() would work incorrectly if called with the address inside of the last element when sparse storage was used

    • BUGFIX: SDK: qexit() could deadlock if called from non-main thread

    • BUGFIX: SDK: register_timer() did not work when called from non-main thread in GUI version.

    • BUGFIX: SDK: removal of an IDC function could cause incorrect behaviour of other functions

    • BUGFIX: SDK: set_purged() was not reanalyzing all involved call instructions in some cases

    • BUGFIX: SDK: ui_set_nav_colorizer was broken

    • BUGFIX: SDK: when using choose3() function, the getl() callback was being called before initializer() under Qt UI.

    • BUGFIX: some bookmarks could become inaccessible after deleting other bookmarks

    • BUGFIX: srcdbg: IDA could crash trying to display a source view after suspending the debugged application because of a source code debugging event

    • BUGFIX: srcdbg: IDA could crash with a stack overflow when trying to display nested recursing structures in the Locals view

    • BUGFIX: srcdbg: watchview could fail to display some types if a member failed printing because of excessive size.

    • BUGFIX: strings from database could be interpreted as IDC expressions when showing hints, leading to possible malicious script execution

    • BUGFIX: Support for R_386_TLS_DTPOFF32 relocation.

    • BUGFIX: The ELF loader would fail loading an ET_REL file with no sections, even though those are sometimes used as containers for actual programs.

    • BUGFIX: UI: "List cross-references from..." was not always shown in the context menu even if the current address had xrefs

    • BUGFIX: UI: ask before overwriting exported script file

    • BUGFIX: UI: both lowercase and uppercase variants of the same letter could be used as hotkeys in the debugger menu

    • BUGFIX: UI: Canceling of "IDA is going to copy data from the debugged process to the database...." dialog (Take memory snapshot command) did not work.

    • BUGFIX: UI: chooser headers height could be too small for some letters

    • BUGFIX: UI: clicking to the right of disassembly line in IDA View could produce a small invisible selection. If using search after that, no hits would be found.

    • BUGFIX: UI: disassembly view could scroll to the right when opening other views

    • BUGFIX: UI: Enable renaming of any structure (even if its name contains bad characters)

    • BUGFIX: UI: Fix HexView text rendering issues with selection

    • BUGFIX: UI: Fix incorrect "Tracing" ending of window title during debugging

    • BUGFIX: UI: fix selection of several items in choosers using Shift + arrow keys

    • BUGFIX: UI: IDA could crash after deactivating the struct/enum view

    • BUGFIX: UI: IDA could crash if two dock widgets were packed together in 1 tab, and that tab was closed by clicking the 'x' button.

    • BUGFIX: UI: IDA could hang trying to delete multiple structures/enums if the very first struct/enum was being deleted too

    • BUGFIX: UI: IDA could hang trying to display a hint

    • BUGFIX: UI: IDA would crash if trying to "Add breakpoint" from the context menu of an empty stack backtrace

    • BUGFIX: UI: imported script was not saved in Script snippets dialog if it was not edited

    • BUGFIX: UI: it was not possible to convert a structure field to float.

    • BUGFIX: UI: it was not possible to go back using Esc in Hex View

    • BUGFIX: UI: it was not possible to output strings that start with '@' into the Output window (using msg(), Message() and similar functions)

    • BUGFIX: UI: main IDA window title was not updated when tracing is toggled

    • BUGFIX: UI: non-English text in hints could be corrupted

    • BUGFIX: UI: pop-up menus with items longer than screen size would expand the menu to the whole screen; now they're truncated

    • BUGFIX: UI: Under certain circumstances, when the debugger's registers window was being shown, it could be empty.

    • BUGFIX: UI: when converting a selection to code, IDA would try to undefine existing instructions even if the user chose "Analyze".

    • BUGFIX: UI: when editing segment boundaries, check that the new range intersects the old

    • BUGFIX: UI: When in multi-monitor mode on Linux and a monitor is placed above another, hints that should be displayed in the same monitor as IDA's window could end up showing on another monitor.

    • BUGFIX: UI: when quick filters are used together with common filters, always filter out results which do not match the quick filter

    • BUGFIX: UI: wrong actions could be triggered when using keyboard shortcuts in the "Execute script" window

    • BUGFIX: V850: autoanalysis could enter an endless loop if a function was immediately preceded by a JR instruction

    • BUGFIX: when adding a segment at the start of an existing one, all information from the existing segment was being deleted

    • BUGFIX: When creating a custom viewer from IDAPython, and then quitting IDA, IDA could hang.

    • BUGFIX: When debugging 64-bit applications (through, e.g., windbg), the "Function callers:" window wouldn't properly let users jump to call sites by double-clicking.

    • BUGFIX: when importing union types from the 'local types' to the 'structure view', the union field types were set incorrectly

    • BUGFIX: When saving & then restoring a desktop with more than 1 disassembly view, all views except the first will have a weird margin size.

    • BUGFIX: win32 debugger: page breakpoints with UPX-compressed programs could work incorrectly

    • BUGFIX: win32 debugger: with DEP disabled, execute-only page breakpoints could incorrectly trigger on reads or writes

    • BUGFIX: windbg: fixed interr 30143 that could occur when page breakpoints were used while debugging a multithread application

    • BUGFIX: windbg: if the process exited during an appcall, IDA would crash

    • BUGFIX: windbg: the main thread could be listed twice in the thread list for windbg in kernel mode

    • BUGFIX: xrefs to forced zero offset struct members were not created

Fixes published on 2014-01-16

  • BUGFIX: Added support for bitfields within unions (in real world there are applications using them)

  • BUGFIX: ARM: some functions (e.g. some implementations of __gnu_mcount_nc) could be misdetected as no-returning

  • BUGFIX: Better handling of boundaries in flat renderer view: pressing pageUp/pageDown when window is at beginning/end of disassembly but cursor isn't, will properly move cursor at the right place.

  • BUGFIX: COFF: section addresses could be over-aligned when loading some PowerPC COFF/XCOFF files (e.g. for AIX), leading to incorrect addresses in some cases

  • BUGFIX: Do not print "Error" for forward declarations of types (it confuses some users)

  • BUGFIX: DWARF could fail on some ICCARM-generated files, because of multiple definitions of the same typedef, ending up in the graph at the same time.

  • BUGFIX: DWARF plugin didn't properly handle ICC-style, based-at-start-of-file DW_AT_FORM_ref_addr references.

  • BUGFIX: DWARF plugin was computing bitfield members offsets wrong for MSB architectures.

  • BUGFIX: Enable dragging of nodes in proximity view.

  • BUGFIX: Fixed crashes on some versions of OSX, when creating decompiler view. BUGFIX: fixed a buffer overflow in mach-o loader

  • BUGFIX: Fixed crash in breakpoint list if "Move to group" is called when no breakpoints are selected. BUGFIX: Fixed exporting of breakpoints with complex conditions

  • BUGFIX: Fixed IDA crash on calling "Run to cursor" from popup menu from non-debug desktop

  • BUGFIX: generating DIF file in IDA64 produced bad output

  • BUGFIX: IDA could crash computing the highlight length

  • BUGFIX: IDA could crash when deleting a huge amount of database entries (e.g. executing 'Extract function')

  • BUGFIX: IDA would never show "collapse parents" in proximity view.

  • BUGFIX: IDA wouldn't display, in the 'Use standard symbolic constant', enum values that have bit 31 set to 1.

  • BUGFIX: idaapi.add_hotkey() was broken.

  • BUGFIX: IDAPython, when used as primary expressions evaluator, would be in a bad state after any failed evaluation

  • BUGFIX: IDAPython: idaapi.get_next_serial_enum_member was broken BUGFIX: IDAPython: strpath_t was not properly exposing its IDs.

  • BUGFIX: it was impossible to attach to 64-bit processes on mac (process list was wrong because sizeof(kinfo_proc) was wrong)

  • BUGFIX: It was impossible to click, or select past the last character in graph view.

  • BUGFIX: MACHO: garbage in Objective-C metadata could crash IDA

  • BUGFIX: MACHO: some local relocations in x64 files were processed incorrectly, and the offsets were displayed as expressions instead of just the destination address

  • BUGFIX: mfc42* related ids files were wrong in ids/win.zip

  • BUGFIX: navigation band could be empty after loading a file in some cases

  • BUGFIX: repeating 'sync type to database' multiple times could spoil the struct definition

  • BUGFIX: Structure offsets in IMUL instruction were not displayed correctly

  • BUGFIX: SuperH: the selected device setting was not used on reopening the database BUGFIX: There was wrong "typedef" keyword in the declaration of forward declarations for undefined types

  • BUGFIX: tinfo_t::get_size() was returning 0 for forward declarations of (yet) undefined types (the correct answer is BADSIZE)

  • BUGFIX: ui/qt: Escape strings in 'Strings window', so they don't span on multiple lines.

  • BUGFIX: ui/qt: In "Local Types" window, "Map to another type..." would always propose an empty chooser.

  • BUGFIX: ui/qt: Navigation through scrollbar was completely broken.

  • BUGFIX: ui/qt: Some actions were becoming unavailable after visiting the "Stack frame" window.

  • BUGFIX: UI: IDA was crashing while trying to show a hint in Structures view if the number of hint lines was set to 0

  • BUGFIX: UI: some actions selected from the context menu's submenus (such as "Use standard symbolic constant") were performed twice

  • BUGFIX: UI: when attaching to a debugger directly after starting IDA (without creating a database first), the navigation bar was not displayed

  • BUGFIX: XA: operands of 'fjmp' and 'fcall' instructions were printed without the segment part, if the destination address was not present in database

  • BUGFIX: XA51: fixed disassembling of JZ/JNZ and some MOV instructions

Last updated

Was this helpful?