IDA 6.95

IDA 6.95.160808 August 08, 2016

Highlights

Welcome to IDA 6.95!

Below are the highlights:

• We have 2 important news this time: the iPhone debugger and the PowerPC decompiler.

• The iPhone debugger uses the debugserver protocol to connect to the device and debug applications. It should work as is out of the box but we encourage you to check out the configuration file dbg_ios.cfg, it contains some important settings like SYMBOL_PATH and AUTOLAUNCH.

• The PPC decompiler is just a new decompiler that works with IDA. We had to solve many technical challenges to make it work (notably, the big endian nature of the PowerPC processor caused many inconveniences). Otherwise, the user experience should be the same as with other decompilers: just press F5 and enjoy the result. PowerPC code is especially wordy in assembler:

  The above code gets converted into:

  We hope that you will like the new additions to IDA.

• Naturally, there are many other improvements. For example, we refreshed many signature files, as well as type libraries, added new ones (64-bit type libraries were something IDA lacked since long time), and improved tilib and FLAIR utilities to work better.

  As you may have guessed, while working on the PPC decompiler we had to improve many aspects of the PowerPC processor module. Now it has a new register tracking algorithm, better offset handling, more complete relocation support, etc.

  The new register tracking algorithm is used for the ARM processor too, greatly improving detection of indirect call targets, switch recognition, and recognition of other common compiler idioms.

  We also spent quite long time improving our venerable PC processor module. It has now an improved prolog analysis algorithm; IDA can parse the Unwind structures and apply them to the disassembly; also recognition of SEH structures and idioms has been improved a lot.

  Since Intel and AMD continue to add new instructions, we too try to be up to date. All new instructions we are aware of have been added to the PC processor module.

  On a completely different level, we modularized IDAPython. Now, instead of one huge idaapi module we have separate modules, each with its purpose: ida_enum, ida_funcs, ida_graph, etc. Backward-compatibility is of course preserved through the "umbrella" idaapi module: everything should still work as it used to.

  IDA 6.95 ships with Qt 5.6.0. The 5.6.x branch is a "Long Term Support" branch, that will be maintained by the Qt developers for the next three years. In addition to being an LTS, Qt 5.6.0 offers better accessibility, hopefully improving some of our users' workflow (especially on Windows.)

Complete changelist

• Processor Modules

  • ARM: improved register tracking

  • CLI: skip unknown metadata streams instead of exiting with a fatal error

  • CLI: support .net files with tables stream named "#-" instead of the standard "#~"

  • PC: added decoding of CLZERO, MONITORX and MWAITX instructions

  • PC: added decoding of HLE prefixes (XACQUIRE and XRELEASE)

  • PC: adjusted handling of chained unwind-information

  • PC: calls with address-size override prefix could truncate the target address

  • SPARC: added support for UA2005

  • V850: convert gp-based movea references to offset expressions

  • V850: resolve callt addresses when user provides CTBP option

• File Formats

  • ELF: added R_386_GOT32X relocation

  • ELF: added R_X86_64_GOTPCRELX and R_X86_64_REX_GOTPCRELX relocations

  • ELF: added R_X86_64_RELATIVE64 relocation

  • PDB: added support for obtaining types for global data

  • PE: added detection of entry point from incremental linking by Visual Studio

  • PE: handle non-ASCII PDB filenames

  • MACHO: improved constant CFString parsing (handle Unicode CFStrings and CFStrings not in the __cfstring section)

• Debugger

  • GDB: added support for MIPS64 and SPARC

  • PIN: build pintool with PIN 3.0.76991

  • Remote PDB debugging from non-Windows machines, with the help of a remote Windows debugger server

  • Remote iOS Debugger

  • added support for Intel x64 Android binaries (android_x64_server)

  • dalvik: added Dalvik debugger specific IDC function: DalvikGetLocalTyped()

  • gdb: added support for ARM M-Profile debugging

• Kernel/Misc

  • FLIRT: signature files for PC must now be placed in the sig/pc/ subdirectory

  • FLIRT: added signatures for Embarcadero RAD Studio 10.1 Berlin

  • FLIRT: added signatures for icl163 (Intel C++ 16.3)

  • FLIRT: added signatures for Windows Driver Kits 7-10

  • FLIRT: added detection of GsDriverEntry for Windows Drivers

  • FLIRT: dm: added signatures for Digital Mars 2.071.0

  • TIL: fixed 64-bit macros, which were either truncated or not sign-extended correctly

  • TIL: fixed values for macros that contained casts

  • TIL: updated list of known WM_ messages

  • TIL: added processor specific til files for linux

  • now we build idal/idaq as PIE on Linux

  • more aggressive string detection

  • the IDASGN, IDAIDS, IDAIDC, and IDATIL environment variables have been deprecated: the more versatile IDAUSR should be used instead

  • the IDAUSR environment variable has been extended to all IDA subdirectories (idc, ids, sig, and til)

  • updated Mac OS X (xnu) syscall list

• User Interface

  • ui: (windows) added a workaround to allow opening files in directories with paths which are not representable in the system 8-bit encoding

  • ui: IDA now updates the mac dock tile with the idb name when multiple IDA instances are running

  • ui/qt: added envvar IDA_STYLESHEET allowing to load contents from a CSS file without having to make a wrapper invoking "idaq.exe -stylesheet=..."

  • ui/qt: the colorizer passed through set_nav_colorizer() can now be used to update the colors of the legend in the navigation band

  • ui: ability to programmatically create_menu() & delete_menu()

  • ui: ability to programmatically create_toolbar() & delete_toolbar()

  • ui: ability to query choosers for their data

  • ui: get_registered_actions() can now be used to retrieve a list of all registered actions

• Scripts & SDK

  • IDAPython: IDAPython is now split in multiple modules

  • IDAPython: added tinfo_t::serialize()

  • SDK: added IDA syntax highlighter

  • SDK: added cleanup_name() to convert a name into some kind of canonical form (strip underscores, module name, etc)

• BUGFIXES

  • BUGFIX: "Select all" was not selecting anything

  • BUGFIX: About program...->Addons... dialog could show incorrect info if both HEXARM and HEXARM64 were present in the same ida.key file

  • BUGFIX: CLI: stack buffer overrun could happen when disassembling .net files with very long method prototypes

  • BUGFIX: DWARF could fail while attempting to persist arrays with huge numbers of elements (e.g. >= 0x80000000)

  • BUGFIX: DWARF: Don't try to apply DWARF relocations if the file is not properly relocatable

  • BUGFIX: DWARF: Files with DWARF relocations of type 0 (i.e., 'NONE') would prevent loading DWARF information

  • BUGFIX: DWARF: GNU ADA can use strange constructs for specifying bitfield type dependencies, which the DWARF plugin wouldn't properly handle

  • BUGFIX: DWARF: pressing Esc at the "DWARF info found" dialog did not cancel DWARF loading

  • BUGFIX: DWARF: some types with virtual inheritance could cause IDA to interr

  • BUGFIX: DWARF: two enumerations of different byte size that contain the same list on enumerators would be considered equal

  • BUGFIX: Deleting bookmarks from the menu could crash IDA

  • BUGFIX: Double-clicking in the "Output window" would cause the selection to span from the beginning of the word, to the end of the line instead of the end of the word (and would sometimes fail to recognize some identifiers & jump to them.)

  • BUGFIX: During source-level debugging, the source view scrollbars wouldn't follow the position in the file

  • BUGFIX: ELF: code relocations for big-endian Aarch64 files were applied incorrectly

  • BUGFIX: Fujitsu FR: segments were 16bit (must be 32bit)

  • BUGFIX: GDB: register view in GDB was missing jump arrows and address display

  • BUGFIX: Graph view: when searching (e.g., "Alt+Up/Down", or "Alt+T/Ctrl+T"), IDA could fail placing the cursor's X position at the beginning of the match

  • BUGFIX: IDA View-A wouldn't apply the node_info_t::text property for non-group nodes

  • BUGFIX: IDA could crash while parsing header files with recursive macro definitions

  • BUGFIX: IDA could crash right after having loaded the dyld_shared_cache (on linux.)

  • BUGFIX: IDA could crash when jumping to another function while in graph view, or when switching to the graph view

  • BUGFIX: IDA did not remove xref and switch records when deleted debug segments

  • BUGFIX: IDA on Linux could crash while Tab-completing in the file chooser if 1) 'New' was selected at startup, and 2) Qt couldn't load the GTK2 theme

  • BUGFIX: IDA would attempt to auto-analyze binary files with no known entry point

  • BUGFIX: IDA would fail to keep the cursor on the instruction (or operand) when switching between flat & graph views

  • BUGFIX: IDAPython: IDP_Hooks instances could prevent the decompiler from working properly

  • BUGFIX: IDAPython: decompile_many() wouldn't accept a list of ea_t's

  • BUGFIX: IDAPython: running a long script that cause an IDAPython processor module to kick in, could fail to be properly interruptible because the processor module could receive the error instead of the script itself

  • BUGFIX: IDC's MakeLocal was broken

  • BUGFIX: In hex view, when the first edit takes place at EA 0, the line could fail showing the first byte

  • BUGFIX: On OS X, searching for binary patterns might fail for some values in the [0x80 - 0xff] range

  • BUGFIX: PE: IDA would not detect DLL exports with empty names

  • BUGFIX: PE: IDA would show no exports if the export directory's DLL name was an empty string

  • BUGFIX: Pressing Alt+<key> as an accelerator to (e.g.,) toggle a checkbox in a form, while a text field is being filled and a "completion" overlay is visible, wouldn't transfer focus to the checkbox (because of the auto-completion overlay swallowing those key presses)

  • BUGFIX: Proximity viewer: clicking on nodes representing addresses that fall in the middle of a data item, could cause IDA to INTERR (40467)

  • BUGFIX: SetFunctionFlags() could modify FUNC_SP_READY and FUNC_NORET_PENDING bits, which should be managed by IDA

  • BUGFIX: When performing PDB debugging across multiple modules, IDA could show locals variables that belong to another function

  • BUGFIX: When remote debugging, segment permissions could contain unexpected bits set in the upper nibble

  • BUGFIX: When selecting a union member in the "Structure offsets" view, IDA could crash when hovering that member

  • BUGFIX: When selecting negative "standard constant" enumerators, IDA could display the operand as a faulty number, instead of as that symbolic constant

  • BUGFIX: When trying to load PDB information remotely and no MSDIA DLL could be found, no clear error message was printed on the console

  • BUGFIX: accessibility: reading last word of line, could overflow to following lines

  • BUGFIX: accessibility: when the cursor was after the text on a line, accessibility tools could read the wrong data

  • BUGFIX: arm64: incorrect type of the first operand in instructions UADDLV, SADDLV

  • BUGFIX: arm: in some rare cases undefined data could be disassembled as VLDM/VSTM instructions

  • BUGFIX: arm: incorrect decoding of double presision registers D15-D31 in some VFP instructions

  • BUGFIX: corrupted idbs with wrong segment names info could cause interr 1248

  • BUGFIX: debugger: in the watch view the first member of a struct would be printed in more complete way than other members

  • BUGFIX: f2mc: callp/jmpp instructions did not create proper cross-references

  • BUGFIX: f2mc: operands of callp/jmpp instructions could be decoded incorrectly

  • BUGFIX: flirt: parsing of Digital Mars OMF libraries was broken

  • BUGFIX: gdb: attaching to 64-bit processes would give warnings about unknown registers and CPU_NOT_SUPPORTED

  • BUGFIX: gdb: attaching to ppc64 would fail with 'more than one special register present' message

  • BUGFIX: gdb: memory contents could become undefined while single stepping in the debugger

  • BUGFIX: gdb: some cpu flags could not be edited

  • BUGFIX: ida could loop endlessly trying to create a function and deleting it; overall the idea of deleting a function because it has no call xrefs is not very good; for example, functions referenced from vtable won't have any xrefs; also compilers use tail call optimization and this coverts call xrefs and jump xrefs

  • BUGFIX: idapython: SetFchunkOwner was broken

  • BUGFIX: jump-to-node-by-doubleclick in proximity view was broken

  • BUGFIX: load_debugger() was requiring an underscore in the file name of the debugger plugin; it is not really necessary

  • BUGFIX: on linux/MAC IDA did not apply umask when created some output files

  • BUGFIX: pc: fixed operands for MONITOR and MWAIT instructions

  • BUGFIX: pc: incorrect handling of 16byte aligned function argument/return types of size <= 8

  • BUGFIX: pc: prefix bytes were not supported for CMPXCHG8B instruction

  • BUGFIX: pcf/pelf could incorrectly process files in an archive (static library)

  • BUGFIX: ppc: incorrect calculation of register arglocs for double arguments

  • BUGFIX: some x64 OS X files would not properly decompile string literals using the CFSTR macro

  • BUGFIX: the size part of a scattered argument location could be missing. for example: arg<0:eax,4:rax^4, 8:edx> instead of arg<0:eax,4:rax^4.4, 8:edx>

  • BUGFIX: ui/qt: At startup, the navigation band could fail displaying the whole program address space and only show a part

  • BUGFIX: ui/qt: MSG_DELAYED_UPDATE was not respected anymore (i.e., it was impossible to force a repaint of the "Output window" as soon as text was inserted)

  • BUGFIX: ui/qt: accessibility: JAWS could read from the wrong cursor location after jumping to another place

  • BUGFIX: ui/qt: refresh_navband() was not refreshing until actions (zoom, scroll) were performed

  • BUGFIX: unpadded size of unions was incorrectly calculated

  • BUGFIX: windbg: debugging 32-bit processes or crahs dumps in IDA64 would lead to a crash

  • BUGFIX: xcoff: x_smtyp was decoded in a wrong way, fixed

  • BUGFIX: DWARF: Disassembly for relocatable Mach-O files with DWARF information could be incorrect because of unhandled relocations

  • BUGFIX: DWARF: failed relocations into the .debug_info section, could cause the plugin to place variables at the wrong location in the disassembly

  • BUGFIX: DWARF: wouldn't notice buggy qualified typedefs in GCC BUGFIX: IDAPython: Appcall could crash IDA with INTERR 30413

  • BUGFIX: MACHO: parsing of Objective-C information for Swift classes could be incomplete in 64-bit binaries

  • BUGFIX: UI: "Reload input file" function would ignore the full input path stored in IDB and only reload the file if it was present in the IDB directory

  • BUGFIX: elf: IDA would show wrong external symbol calls on specially-crafted ELF files

  • BUGFIX: elf: actually use file offsets from PHT when 'Force using of PHT instead of SHT' is set

  • BUGFIX: fixed infinite loop during switch analysis

  • BUGFIX: fixed the postfix generation for duplicate names

  • BUGFIX: idatui.cfg was not processed completely because the default value of SCREEN_PALETTE was considered to be wrong

  • BUGFIX: tils: fixed wrong definitions in the Vtbl for some COM interfaces

  • BUGFIX: ui/qt: dragging the "Graph Overview" dock widget around could crash IDA

  • BUGFIX: ui/qt: navigating in the graph view wouldn't restore the zoom level & preferred position