IDA 6.6
Last updated
It was tough and required even more research than planned, but it has finally arrived. The 64-bit decompiler for x64 code is as simple to use as our other decompilers, and fast as well. Below is a very short disassembly listing and the decompiler's output for it:
Naturally, it is the very first version and some edges are still rough, but overall it can handle real world code very well.
Since Android devices are becoming more and more popular, we implemented a debugger for them. It can debug both at the Dalvik bytecode level and at the source code level. Below is a picture showing the bytecode debugging:
And this is the same application on the source code level:
Naturally, the user can switch between the two views any time.
IDA knows about the Dalvik objects and shows them in a structured way (if the debug info was not stripped):
Please see our Dalvik debugging tutorial for more info!
PySide is now bundled with IDA. Since it is easy to create nice interactive plugins with PySide, we decided to include it with IDA. All IDA copies will now have it properly installed and configured, so as a plugin writer you can rely on its existence!
Many small but useful features have been added or improved. Here are just a few:
Multiline breakpoint conditions
Python users will love this: it is now possible to write a multi-line condition right in the 'edit breakpoint' dialog box. IDA even accepts function definitions there!
Functions can be used in IDC snippets
Now you can use the same scripts as in separate .idc files: IDA will compile all functions present in the script and run the main() function, if it is present.
Processor Modules
ARM: decode ARMv7 optional Virtualization Extension instructions (HVC, ERET, banked register MRS/MSR)
ARM: decode optional ARMv7-A instructions SDIV and UDIV
ARM: decode the stand-alone "second half of Thumb BL instruction" as "BL LR, #imm", if currently selected processor does not support Thumb-2
CLI/.NET: put user strings into a pseudo-segment (e.g. so that they can be deobfuscated)
CLI/.NET: use full names when naming methods; this reduces naming conflicts and makes the Function List more useful for .NET binaries
MIPS: added support for n32/n64 ABI
MIPS: when tracking registers, assume that $t9 is initialized with the function's address
PC: Added a GCC switch idiom.
PC: handle more non-optimized GCC switch patterns
PC: handle non-PIC form of GCC x64 switch (jmp ds:table[reg*8])
PC: improve analysis of functions that use __EH_prolog3 helpers
PC: improved prolog analysis
PPC: support for additional instructions available in some Freescale e200z cores (Volatile Context Save/Restore APU and EFPU2)
Tricore: support for architecture V1.6
File Formats
COFF: added support for EBC object files
COFF: recognize and load Visual C++ /GL files (link-time code generation). Note: since such files contain custom Microsoft bytecode, the code can't be disassembled.
DWARF: (basic) support for runtime GCC 4.8.2-produced DWARF4 information.
DWARF: Allow the plugin to mark function prototypes as being definitive (so e.g. the decompiler can rely on them).
DWARF: At load-time, it is now possible to fine-tune the DWARF plugin regarding calling conventions.
DWARF: Can now configure whether DWARF data should be loaded when in batch mode.
DWARF: Initial support for Golang-produced DWARF debugging information.
ELF: added support for some ARCompact relocations
ELF: MIPS: use DT_MIPS_GP_VALUE to determine the executable's gp register value
PE: better handling of files where .idata is merged into .rdata
PE: IA64: handle IMAGE_REL_BASED_IA64_IMM64 relocations
PE: improve debug directory formatting
PE: parse new fields in the Load Configuration Directory added in Windows 8.1 (control flow guard metadata)
PE: X64: parse .pdata section at load time and create function boundaries accordingly.
PDB: added support for annotations (e.g. NT_ASSERT macro in checked builds)
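The Windows 8.1 load-configuration fields mentioned above are the Control Flow Guard metadata: the guard check-function pointer slot, the guard function table with its entry count, and GuardFlags. The script below is an added example written for this page, not IDA's PE loader. It parses a constructed 64-bit IMAGE_LOAD_CONFIG_DIRECTORY blob (the addresses, count and flags are made up) and reads a field only when the directory's own Size field covers it, which is how a pre-8.1 directory is told apart from one that carries CFG data. In a real file the blob is located through data directory entry 10; the 32-bit layout uses different offsets and is not handled here.

```python
"""Parse the 64-bit IMAGE_LOAD_CONFIG_DIRECTORY, including the Control Flow
Guard fields Windows 8.1 added, from a raw directory blob.

Added example for this page, not IDA's loader code. The sample blob is
constructed inline; a real one comes from data directory entry 10.
"""
import struct

# (name, struct format, offset) for the 64-bit layout, in declaration order.
# Offsets follow winnt.h; Reserved2 was renamed GuardCFDispatchFunctionPointer
# in later SDKs.
LOAD_CONFIG64_FIELDS = (
    ("Size", "<I", 0x00),
    ("TimeDateStamp", "<I", 0x04),
    ("MajorVersion", "<H", 0x08),
    ("MinorVersion", "<H", 0x0A),
    ("GlobalFlagsClear", "<I", 0x0C),
    ("GlobalFlagsSet", "<I", 0x10),
    ("CriticalSectionDefaultTimeout", "<I", 0x14),
    ("DeCommitFreeBlockThreshold", "<Q", 0x18),
    ("DeCommitTotalFreeThreshold", "<Q", 0x20),
    ("LockPrefixTable", "<Q", 0x28),
    ("MaximumAllocationSize", "<Q", 0x30),
    ("VirtualMemoryThreshold", "<Q", 0x38),
    ("ProcessAffinityMask", "<Q", 0x40),
    ("ProcessHeapFlags", "<I", 0x48),
    ("CSDVersion", "<H", 0x4C),
    ("Reserved1", "<H", 0x4E),
    ("EditList", "<Q", 0x50),
    ("SecurityCookie", "<Q", 0x58),
    ("SEHandlerTable", "<Q", 0x60),
    ("SEHandlerCount", "<Q", 0x68),
    # Windows 8.1 additions: Control Flow Guard metadata
    ("GuardCFCheckFunctionPointer", "<Q", 0x70),
    ("Reserved2", "<Q", 0x78),
    ("GuardCFFunctionTable", "<Q", 0x80),
    ("GuardCFFunctionCount", "<Q", 0x88),
    ("GuardFlags", "<I", 0x90),
)

IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CFW_INSTRUMENTED = 0x00000200
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28


def parse_load_config64(blob):
    """Return a dict of the fields that the directory's own Size covers."""
    if len(blob) < 4:
        raise ValueError("blob too short for the Size field")
    size = struct.unpack_from("<I", blob, 0)[0]
    fields = {}
    for name, fmt, off in LOAD_CONFIG64_FIELDS:
        end = off + struct.calcsize(fmt)
        if end > size or end > len(blob):
            break  # older directory: the remaining fields do not exist
        fields[name] = struct.unpack_from(fmt, blob, off)[0]
    return fields


def cfg_summary(fields):
    """Interpret the CFG metadata; None when the directory predates 8.1."""
    if "GuardFlags" not in fields:
        return None
    flags = fields["GuardFlags"]
    # Each guard function table entry is a 4-byte RVA plus `extra` bytes.
    extra = (flags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT
    return {
        "cf_instrumented": bool(flags & IMAGE_GUARD_CF_INSTRUMENTED),
        "cfw_instrumented": bool(flags & IMAGE_GUARD_CFW_INSTRUMENTED),
        "function_table_present": bool(flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT),
        "check_function_pointer": fields["GuardCFCheckFunctionPointer"],
        "function_table": fields["GuardCFFunctionTable"],
        "function_count": fields["GuardCFFunctionCount"],
        "entry_size": 4 + extra,
    }


def build_sample(size, cfg=True):
    """Constructed directory blob (not from a real binary) with the given Size.
    0x70 is the pre-8.1 64-bit size, 0x94 the size with the CFG fields."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, 0, size)
    struct.pack_into("<Q", buf, 0x58, 0x140000000 + 0x12000)  # SecurityCookie (made up)
    if cfg and size >= 0x94:
        struct.pack_into("<Q", buf, 0x70, 0x140000000 + 0x10140)  # check-function slot
        struct.pack_into("<Q", buf, 0x80, 0x140000000 + 0x20000)  # guard function table
        struct.pack_into("<Q", buf, 0x88, 37)                     # table entry count
        struct.pack_into("<I", buf, 0x90,
                         IMAGE_GUARD_CF_INSTRUMENTED
                         | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT
                         | (1 << IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT))
    return bytes(buf)


if __name__ == "__main__":
    for sz in (0x70, 0x94):
        print("Size=0x%x:" % sz, cfg_summary(parse_load_config64(build_sample(sz))))
```

The Size gate matters because this directory is versioned by its length rather than by a version number: reading GuardFlags out of a 0x70-byte directory would return whatever happens to follow it in .rdata and could make an uninstrumented binary look CFG-enabled.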
Kernel
improved printing of unicode strings in the watch view, locals, and in the 'export data' command
argument locations in function prototypes are now specified with @<reg>; the old <reg> syntax is still accepted for the moment, but we will drop it in the next release
Decompilers
introduced is_mul_ok() helper function to represent multiplication overflows checks
introduced qmemcpy() which always copies byte by byte, from low to high addresses
added recognition of inlined bswap() function
double clicking on a label jumps to it
the decompiler may emit the __spoils keyword to list the registers a function actually spoils, when that set differs from the calling convention's default
improved recognition of register save/restore patterns
'volatile' keyword can be used to override constness of an individual item
if an int 2Ch instruction has NT_ASSERT() comment (e.g. extracted by the PDB plugin from PDB annotations), show it as NT_ASSERT() macro call instead of just __int2c()
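The is_mul_ok() and qmemcpy() helpers introduced above carry specific semantics in pseudocode: is_mul_ok(a, b) is true when the product fits in the operand width, which is the shape of the size-overflow check in front of an allocation, and qmemcpy() copies byte by byte from low to high addresses, so overlapping ranges behave like rep movsb rather than memmove(). The script below is an added example written for this page, not Hex-Rays' own defs.h; the operand widths, the count value and the sample buffer are assumptions.

```python
"""Semantics of the is_mul_ok() and qmemcpy() helpers seen in Hex-Rays
pseudocode, as a pure-Python illustration (added example, not Hex-Rays code).
"""


def is_mul_ok(a, b, bits=32):
    """True when a*b fits in an unsigned integer of `bits` bits,
    i.e. the multiplication did not overflow."""
    mask = (1 << bits) - 1
    a &= mask
    b &= mask
    return a * b <= mask


def wrapped_mul(a, b, bits=32):
    """What the machine computes when the check is absent: the truncated product."""
    return (a * b) & ((1 << bits) - 1)


def alloc_size(count, elem_size, bits=32):
    """The pattern the decompiler renders as
         if ( !is_mul_ok(count, elem_size) )
           return 0;
    Returns the byte size to allocate, or None when it would wrap."""
    if not is_mul_ok(count, elem_size, bits):
        return None
    return count * elem_size


def qmemcpy(buf, dst, src, n):
    """Copy n bytes inside bytearray `buf` from offset src to offset dst, one
    byte at a time in increasing address order (the decompiler's qmemcpy)."""
    for i in range(n):
        buf[dst + i] = buf[src + i]
    return buf


def overlap_demo():
    """qmemcpy over overlapping ranges replicates the leading bytes; memmove()
    on the same ranges would give b'ABABCDEF' instead."""
    buf = bytearray(b"ABCDEFGH")  # constructed sample buffer
    qmemcpy(buf, 2, 0, 6)
    return bytes(buf)


if __name__ == "__main__":
    n = 0x40000001  # assumed attacker-controlled element count
    print("is_mul_ok(%#x, 4) = %s, truncated product = %#x"
          % (n, is_mul_ok(n, 4), wrapped_mul(n, 4)))
    print("32-bit alloc_size:", alloc_size(n, 4))
    print("64-bit alloc_size:", alloc_size(n, 4, bits=64))
    print("overlapping qmemcpy:", overlap_demo())
```

The 32-bit case is the one worth recognising in pseudocode: without the is_mul_ok() guard, a count of 0x40000001 elements of 4 bytes allocates 4 bytes, and the loop that fills the array writes far past it.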
FLIRT, TIL & IDS
FLIRT: added EBC startup signature for PE (EFI) files
PCF: handle EBC object files
Scripts & SDK
IDAPython: Don't intercept SIGPIPE, SIGXFZ, SIGXFSZ & SIGINT signals on Unix platforms; leave them for IDA to handle.
IDAPython: added the decompiler bindings
IDAPython: Expose simpleline_t type to IDAPython. That lets the user set the bgcolor & text for each line in the decompilation.
IDC: added "elang" attribute to the Breakpoint class (scripting language for the breakpoint condition)
installer/Windows: check if Python actually works after installing; offer user to retry the installation
SDK: added askfile2() for extended open/save file dialog with support for file masks
SDK: added 'extlang_changed' IDP event
SDK: added qstring methods ltrim(), rtrim(), trim2()
SDK: added support for custom arglocs
SDK: check_process_exit() now has a 'timeout' argument
SDK: form_actions_t is extended with set/get methods for fields of different types to enable compile-time argument type checking
SDK: replaced addblanks() by a safer function add_spaces(), which accepts the buffer size
User Interface
UI: scripting language for the condition field can be specified for every breakpoint separately
UI: breakpoint conditions can now be multi-line (use "..." button to open a multi-line editbox)
UI: Ctrl-C/Ctrl-Ins copies the currently highlighted text to clipboard (if there is no selection)
UI: export_data plugin will now offer to export the item under cursor if there is no selection
UI: OSX: IDA's main window will now appear as the top level window on OSX when idaq is started with an IDB file on the command line
Debugger
debugger: IDA reacts faster to the cancel button while searching for binary patterns
debugger: now it is possible to stop a long memory snapshot retrieval
GDB: added an option to enable/disable the use of stub's single-stepping support for some broken systems (e.g. MIPS or ARM Linux)
Bugfixes
BUGFIX: 78K0S: instruction "MOV [HL+byte], A" was decoded incorrectly (displacement was always zero)
BUGFIX: a reference to a wrongly defined type was considered to be equal to a valid reference (fortunately this occurs rarely)
BUGFIX: ARC: some instructions setting flags were decoded without the .f suffix
BUGFIX: arglocs for vc32 fastcall CC: only UDT pointers are passed on the stack, hidden arguments (e.g. 'this') distribute according to 'fastcall' policy
BUGFIX: ARM: arm64 instruction aliases BFI and BFXIL were decoded incorrectly
BUGFIX: ARM: autoanalysis could loop indefinitely in some rare situations when there was a bogus xref into the middle of a macro instruction
BUGFIX: bfltldr.py was not working anymore.
BUGFIX: btree compress could produce a corrupted base
BUGFIX: creating an array type with wrong array attributes could crash IDA or create wrong type
BUGFIX: debugger: when attaching to x64 process without an existing database, "IP" and "SP" special registers were detected incorrectly
BUGFIX: Debugging an ASLR-enabled binary (which will rebase the IDB) was not rebasing the navigation history.
BUGFIX: During breakpoints export operation always export hardware breakpoint sizes
BUGFIX: DWARF loading could crash IDA in certain circumstances involving complex graphs of objects with variations (i.e., whose padding bytes are re-used when inherited.)
BUGFIX: ELF: dynamic info could be parsed incorrectly for some uClibc files
BUGFIX: Fixed exporting of breakpoints with complex conditions, which contains quoted strings
BUGFIX: fixed internal error that could occur when loading a pdb file with unaligned bitfields
BUGFIX: fixed interr 603
BUGFIX: Fixed representation of the chooser filters in "Modify filter" dialog. The column was always shown as '*'
BUGFIX: fixed wrong direction of the floating point conversion
BUGFIX: function argument location could be calculated incorrectly for arguments containing unaligned union fields (gcc64)
BUGFIX: function argument location was calculated incorrectly for some structures containing arrays as members
BUGFIX: GDB: duplicate threads could appear in the thread list in some situations
BUGFIX: GDB: maximum packet size was not respected when doing memory writes
BUGFIX: GDB: SendDbgCommand() with PIN's GDB backend would take at least one second (the value of the GDB timeout setting)
BUGFIX: GDB: when single-stepping in some thread, IDA could issue a "continue" packet for another thread instead
BUGFIX: hexrays: "add pseudocode comments" was broken
BUGFIX: hexrays: an indirect call to a noret function in the middle of a function was not supported
BUGFIX: hexrays: ARM decompiler could generate references to wrong (unexisting) global variables in some cases
BUGFIX: hexrays: ARM decompiler could miss some return instructions and represent them as JUMPOUTs
BUGFIX: hexrays: (ARM) if the user turned off macros after analyzing the database, the decompiler could interr or generate wrong output
BUGFIX: hexrays: (ARM) big endian decompilation had constant halves swapped
BUGFIX: hexrays: decompiler could create overlapping input arguments and later interr
BUGFIX: hexrays: decompiler could erroneously optimize away some expressions like 'x*N & M' and replace them with zero
BUGFIX: hexrays: decompiler could interr if 32-byte enum type was defined (too wide)
BUGFIX: hexrays: decompiler could interr on a comma operator whose type is a bitfield
BUGFIX: hexrays: decompiler could interr on some variadic functions
BUGFIX: hexrays: decompiler was always moving register arguments to the beginning of the argument list in the pseudocode window
BUGFIX: hexrays: def-list for strcat() was sometimes calculated incorrectly
BUGFIX: hexrays: enabled negation of 128-bit values, apparently they can occur even in 32-bit programs
BUGFIX: hexrays: expression like "(x * N) < 0" could be optimized wrongly in some rare cases
BUGFIX: hexrays: fixed a couple of minor memory leaks
BUGFIX: hexrays: fixed interr 50375
BUGFIX: hexrays: fixed interr 50396
BUGFIX: hexrays: fixed interr 50513
BUGFIX: hexrays: fixed interr 50708
BUGFIX: hexrays: fixed interr 50715
BUGFIX: hexrays: fixed interr 50860
BUGFIX: hexrays: fixed interr 51049
BUGFIX: hexrays: ftst instruction was not decompiled
BUGFIX: hexrays: hints for union members were wrong (off=N; where N is the member number, not the offset)
BUGFIX: hexrays: if the return value of a function call was used but could not influence the logic of the program, the call could be optimized out, which is wrong
BUGFIX: hexrays: movd/movq instructions with a register destination were decompiled incorrectly
BUGFIX: hexrays: recursive patterns could be applied wrongly and lead to an interr
BUGFIX: hexrays: ScreenEA() would sometimes return BADADDR in the decompiler view because some pseudocode locations cannot be mapped to an address. Now it tries to return the closest EA, or the function's EA in the worst case.
BUGFIX: hexrays: the rule to recognize signed modulo by power2 could interr
BUGFIX: HT_VIEW example plugin could crash on non-graph views.
BUGFIX: IDA could crash trying to print a function declaration (a function returning a pointer to an array of pointers to arrays)
BUGFIX: IDA could interr when parsing "int func(int,void)"
BUGFIX: IDA could not attach to a remote PIN debugger - tried to launch a local pintool instance instead
BUGFIX: IDA could stop with internal error 498 when loading some pdb files
BUGFIX: IDA graphs could become corrupted, or even crash IDA, on some versions of linux.
BUGFIX: IDA now starts up in the foreground when run from the command line on mac (instead of hiding behind the terminal window)
BUGFIX: IDA would crash if the __FILE__ macro was used in a function prototype
BUGFIX: IDA would fail to import huge (>0x1FFFFFFF bytes) structures from pdb files
BUGFIX: IDA wouldn't display, in the 'Use standard symbolic constant', enum values that have bit 31 set to 1.
BUGFIX: IDA could behave incorrectly under Wine due to a bug exposed by the differences in Wine's MSVCRT implementation
BUGFIX: IDA could crash when loading big PE files with zero-filled areas
BUGFIX: idaw.exe could crash upon closing the database
BUGFIX: IDAPython: for non-code locations, idc.GetOpnd() would create instructions instead of returning empty result
BUGFIX: IDAPython: idb_event::area_cmt_changed was never received in IDB_Hooks (and descendants)
BUGFIX: IDAPython: idb_event::ti_changed, and idb_event::op_ti_changed notifications were not accessible in IDAPython
BUGFIX: IDAPython: op_t.value was truncated to 32 bits under IDA64.
BUGFIX: IDAPython: print_tinfo() wouldn't return a valid string.
BUGFIX: IDAPython: readsel2() was not usable.
BUGFIX: IDAPython: read_selection() was buggy for 64-bit programs.
BUGFIX: IDAPython: StructMembers() considered holes in structures, and didn't properly iterate through the whole structure definition.
BUGFIX: IDAPython: There was no way to call calc_switch_cases() from IDAPython.
BUGFIX: IDAPython: when using multi-select/multi-edit choosers, erroneous event codes could be sent at beginning & end of batch deletion of lines.
BUGFIX: IDAPython: When, in a PluginForm#OnCreate, the layout of IDA was requested to change (for example by starting a debugging session), that PluginForm could be deleted and create an access violation.
BUGFIX: IDC/Python: GetTinfo("") was causing an interr
BUGFIX: IDC/Python: SetType would work incorrectly if an invalid string was passed
BUGFIX: If closing one DockWidget caused other DockWidgets to close, then changing (resetting/loading) the desktop layout crashed IDA.
BUGFIX: if the user renamed the segments to use dummy segment names like segXXX, IDA would be unable to find such segments by name
BUGFIX: In flat rendering mode, standing on a border line of an instruction (i.e., "-------") that is located right before data, and pressing 'C' to make code (in order to turn that data into code), could scroll the view by 1 line if the MakeCode command failed.
BUGFIX: In graph view, leaving the mouse on an edge wouldn't show "To:/From:" hints anymore.
BUGFIX: in graph view, we can now highlight text by dragging the mouse outside the boundary of a node.
BUGFIX: In some cases, switching from flat view to graph view could have the side-effect of moving the cursor down by one or more lines, which changes the EA.
BUGFIX: incorrect handling of argument location (gcc64) for some nested unions and unions containing big structures as members
BUGFIX: Instances of type tinfo_t couldn't be properly used when they were aggregated by other types.
BUGFIX: it was impossible to check out the IDA Pro floating license if both Starter and Pro licenses were present
BUGFIX: kernel: reloading a binary file would work incorrectly if extra segments were added before the file data
BUGFIX: kernel: user-defined offsets with "subtract" flag set were not working properly for processors that implement ph.translate callback (e.g. MIPS)
BUGFIX: M68K: ColdFire instructions REMU.L/REMS.L were decoded as DIVU.L/DIVS.L
BUGFIX: Mach-O loader's check for valid section index was not correct.
BUGFIX: MACHO: zeroed out symbols were incorrectly considered as imports with unknown names
BUGFIX: Middle-button clicking anywhere to the right of a rightmost tab would crash IDA.
BUGFIX: MIPS module was not marking switch instructions with a special mark (as it is done for x86 code, for example)
BUGFIX: MIPS: arguments in fpu registers were not properly commented in __usercall prototypes
BUGFIX: Moving the structures in the structures window didn't work as expected.
BUGFIX: Once pulled out from the main window, a PluginForm (or derivative) might not receive events properly anymore.
BUGFIX: opening a file with the name starting with @ would lead to a fatal error (instead of a nice error message)
BUGFIX: PC: register tracker could incorrectly use previous register values after a popad instruction, leading to wrong comments
BUGFIX: pdb with a union of bitfields would cause an internal error
BUGFIX: PE: IDA on Linux/OS X would crash when trying to load .NET files without a User Strings stream
BUGFIX: PPC: "branch always" instruction had a hidden condition field operand, even though condition is ignored for it
BUGFIX: PPC: use/change operand flags were set incorrectly for some instructions
BUGFIX: PPC: IDA could crash due to stack overflow when analyzing some long functions
BUGFIX: Pulling the miniview out could cause a crash.
BUGFIX: Regex-based filters could be un-applied once the "Modify filters..." window was closed.
BUGFIX: reloading the input file with wrong PE file could lead to interr
BUGFIX: Renaming a group node by clicking on the 'rename' icon didn't repaint.
BUGFIX: rewrote the incorrect algorithm for moving areas
BUGFIX: SDK: call_system() with NULL or empty string argument did not create an interactive shell as expected
BUGFIX: SDK: func_item_iterator_t() could stop enumeration prematurely if the starting address was in a tail chunk
BUGFIX: SDK: get_output_curline()/get_output_cursor() were returning wrong results if wrapped lines were present in output
BUGFIX: SDK: it was impossible to override default behavior of some output window events (msg_click, msg_dblclick, msg_keydown)
BUGFIX: SDK: next_unknown() could return wrong result for sparse storage
BUGFIX: size of an empty base class can be reported as 1 byte in some (rare) circumstances
BUGFIX: Some jmp instructions could create "function chunks" in some inappropriate places (e.g., .plt stubs.)
BUGFIX: Some proximity browser graphs could cause IDA to crash.
BUGFIX: the application bitness (32 or 64 bit) was not set in some cases
BUGFIX: The DWARF plugin could interr on some erroneous DWARF data for complex types.
BUGFIX: the type of a struct member would not be displayed when pressing 'F'
BUGFIX: tinfo_t objects created from IDAPython could cause an assertion failure at exit time.
BUGFIX: type comparison was not taking into account the pointer attributes
BUGFIX: Tricore: some xrefs were created with incorrect type
BUGFIX: TXT: the "OS Shell" command did not work
BUGFIX: UI: creating an array of structs in the struct window could fail
BUGFIX: UI: double-clicking on addresses when using WinDbg debugger did not always work as expected
BUGFIX: UI: exclude filters on '(any)' column could fail filtering the list of data.
BUGFIX: UI: in the message about insufficient disk space, "available" space could be displayed as zero.
BUGFIX: UI: it was impossible to stop the process of taking a memory snapshot while big segments were being processed
BUGFIX: UI: on OS X, IDA would report "Unknown C++ exception" instead of "Out of memory" error
BUGFIX: UI: if an overly long trace description was entered, IDA would crash (Thanks to Alberto Garcia Illera who reported this bug)
BUGFIX: Usage of IDAPython's DropdownListControl was broken.
BUGFIX: valid-position range information was missing when moving a structure around.
BUGFIX: When "recent files" history was set to more than 10, the entries past 10 in the "File" menu wouldn't be numbered.
BUGFIX: When debugging, variables of type '*' that were stored directly in a register were not properly printed in the "Locals" view.
BUGFIX: when importing PDB info, some bitfields would be imported incorrectly
BUGFIX: When in graph view, modifying a function so as to change its structure wouldn't always refresh the graph.
BUGFIX: When the program is rebased, the location history is now rebased as well.
BUGFIX: When the user would pull the miniview out, move out of the graph view to the decompilation view, come back to the disassembly view, the floating window would take focus, and actions could be dispatched to the decompilation view instead of the graph view.
BUGFIX: When using a non-default color palette, re-setting a node to its default color could lead to glitchy rendering where node margins are white, & the rest of the node is colored.
BUGFIX: with some IDBs, IDA would start with an oversized arrows window, causing the disassembly view to be squeezed to the right and barely visible.