IDA 7.2
Last updated
IDA 7.2.181105 November 5, 2018
Welcome to IDA 7.2!
We have a lot of news this time, but let us start with the most desired and requested item: support for ARMv8.3 instructions. With the advent of the new iPhone XS, many reverse engineers started to stumble on these new instructions. Besides, they include a new security mechanism: Pointer Authentication Code (PAC). It makes exploiting software vulnerabilities much more difficult, but it requires modifications in our file parsing and analysis methods. And yes, the upcoming IDA Pro supports it nicely:
The decompiler supports them too and can show the PAC verifications in the output code as compiler intrinsics, or hide them, which is the default behaviour:
The new iOS 12 dyld caches and kernel caches with tagged pointers are handled nicely too.
When loading an iOS12 kernelcache in IDA 7.1, many pointers lead nowhere and kexts are not detected.
In IDA 7.2, pointers are resolved correctly and kexts are marked up.
Speaking of dyld caches, one of the common complaints we've had is that usually you have to choose between loading a complete cache to see all modules (which takes forever) and loading a single module (and seeing pointers leading nowhere when they point to other, unloaded modules). We tried to address this with the "load module with dependencies" option, but it turned out to be quite limited in practice.
Now you don't have to choose anymore! Even if you load a single module and see a red-colored pointer denoting non-existing memory, just right-click it to load the missing module into the database:
Wait a little for the load to finish, and repeat as necessary for other addresses:
...and navigate to the destination to continue analysis!
Naturally this only works as long as you still have the original cache file present, but it still should speed up your work.
By the way, for Apple software we also implemented recognition of blocks. We support both global and local (stack based) blocks. The objc plugin parses block descriptors and automatically makes structures representing local context captured by the block. Now the decompiler output looks like this:
In fact there are many other Objective-C improvements, see them all in a submenu:
Note: some of this functionality only works if you have the decompiler for the platform being analyzed.
Our debugger can handle many new OSX and iOS features and can debug iOS 12 applications, including stack unwinding in code using PAC instructions:
For a more in-depth look at the new Mac-specific features, see IDA 7.2 - The Mac Rundown.
But enough about Apple. An improvement that Linux and Mac users will love: native support for PDB files. Yes, we implemented a full PDB parser and now IDA on Unix can load information from PDB files without any MS Windows computer. You can even do tricks like
and IDA will automatically download PDB files for you! A screenshot is not descriptive in this case but please note that it was done on Linux:
We use our own PDB parser on all platforms but it is possible to switch back to MS DIA if there is a need.
A completely new processor module for the 16-bit PIC24 and dsPIC processors from Microchip:
It supports PIC24/30/33 series and comes with an extensive configuration file.
We've also extended the classic 8-bit PIC series with support for the "Enhanced Mid-range" (PIC1XF1XXX) instructions. IDA automatically tracks changes to the bank registers made with movlb and movlp, which is useful when analyzing big programs spread over multiple banks.
The NEC 850 processor module has been extended to handle new addressing modes and instructions for V850E2M and RH850 from Renesas. For example, we decode the full set of instructions for working with single- and double-precision floating point:
Many new RH850 instructions such as bit operations or long-range conditional branches are supported as well:
We improved our type system with the notion of a shifted pointer. This notion is useful when a pointer points to the middle of a structure. Now the output looks so neat that one of our users said "__shifted pointers are awesome, Delphi code never looked this sexy!"
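As an added example (not code from the IDA 7.2 release notes or from Hex-Rays), here is the pattern that shifted pointers describe: an intrusive list link embedded in the middle of a record, with the field accesses the compiled code actually performs shown beside the source they came from. All type and function names (record_t, list_node_t, sum_payload, ...) are hypothetical.

```c
/* Added example: a pointer into the middle of a structure, the case that
 * IDA 7.2's shifted pointer types are meant to represent.  Names are
 * hypothetical; the data below is constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct list_node {
    struct list_node *next;
} list_node_t;

/* The list link sits in the middle of the record, so any pointer to the
 * link points offsetof(record_t, link) bytes past the record's start
 * (16 bytes on LP64 targets). */
typedef struct record {
    uint64_t    id;
    uint32_t    size;
    uint32_t    flags;
    list_node_t link;
    uint32_t    payload;
} record_t;

/* Recover the containing record from a pointer to its embedded link
 * (the container_of idiom). */
static record_t *record_from_link(list_node_t *link)
{
    return (record_t *)((char *)link - offsetof(record_t, link));
}

/* Idiomatic source: walk the list through the embedded links and sum payloads. */
uint32_t sum_payload(list_node_t *head)
{
    uint32_t total = 0;
    for (list_node_t *n = head; n != NULL; n = n->next)
        total += record_from_link(n)->payload;
    return total;
}

/* What the same loop looks like once compiled and stripped of types: the loop
 * variable is a pointer into the middle of record_t, and every field access is a
 * constant displacement from it (payload at +8, flags at -4, id at -16 on LP64).
 * Without a shifted pointer type a decompiler can only print
 * *(uint32_t *)((char *)n + 8); with one it can print n->payload while n still
 * points at the link. */
uint32_t sum_payload_raw(void *n)
{
    uint32_t total = 0;
    while (n != NULL) {
        total += *(uint32_t *)((char *)n + (offsetof(record_t, payload) - offsetof(record_t, link)));
        n = *(void **)n;     /* link.next lives at offset 0 of the link */
    }
    return total;
}

/* Constructed sample data: three records chained through their middle links.
 * Returns the payload sum computed the idiomatic way, after checking that the
 * displacement-based walk agrees with it. */
uint32_t demo_sum(void)
{
    static record_t r[3] = {
        { 1, 64, 0, { NULL }, 10 },
        { 2, 32, 0, { NULL }, 20 },
        { 3, 16, 0, { NULL }, 30 },
    };
    r[0].link.next = &r[1].link;
    r[1].link.next = &r[2].link;
    r[2].link.next = NULL;

    uint32_t typed = sum_payload(&r[0].link);
    uint32_t raw   = sum_payload_raw(&r[0].link);
    return typed == raw ? typed : 0;   /* 60 when both walks agree */
}

int main(void)
{
    printf("link offset inside record_t: %zu\n", offsetof(record_t, link));
    printf("payload sum over the list:   %u\n", demo_sum());
    return 0;
}
```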
The decompiler knows about C++ class hierarchies and virtual functions. We support even multiple (but not virtual) inheritance! The output that looked like this in IDA v7.1:
now looks crystal clear:
Here "C" is a complex class with multiple base classes, which in turn have multiple base classes, etc.
In fact there are tons of other improvements to the decompiler. We plan to prepare a separate web page with more details, but one more big improvement deserves mentioning right now: the decompiler now has a powerful value-range analysis engine. More than that, it can be used from the Decompiler SDK. The value-range analysis improves the decompilation quality and will also be used to improve the analysis performed by IDA. On the left side is the decompiler output of v7.1, on the right side the decompiler output of v7.2:
Among other decompiler improvements: a method to handle multiple stack variables that occupy the same stack slot, a better optimization engine, better handling of cast operators, better type derivation, more aggressive C expression simplification, for-loop recognition, many subtle bugs are gone, etc. We hope that working with the decompiler will be more pleasant and seamless.
We also improved the microcode API that was initially published in v7.1. Unfortunately we had to shuffle so many things that the new API is not compatible with the old one but we promise that we will try to keep it stable from now on.
Finally, with IDA v7.2 we introduce a new (experimental) Lumina server. Think of it as a public store of popular function patterns. The Lumina server holds metadata about functions (names, comments, prototypes, operand representation, etc.). IDA can ask Lumina to recognize functions in the current database and apply the corresponding metadata. It is like FLIRT, but it is dynamic, stores more information, and can recognize functions that FLIRT cannot.
(yes, you guessed it right, green means lumina :)
Any user can push information to Lumina. Currently the Lumina database is not very big but we hope it will get populated and become useful very fast. So do not get disappointed too fast if it does not recognize all your standard functions yet, but we will work on it!
Processor Modules
+ 68k: print pc-relative operands with explicit "(pc)" suffix; it seems gas accepts both forms, and having an explicit suffix is a good thing
+ ARC: improved switch recognition
+ ARM : added ARM-v8.3a PAC (Pointer Authentication Code) instructions
+ ARM: added support for A64 basic crypto instructions (AES, SHA1, SHA2)
+ ARM: improve detection of ARM64 imported function stubs in Mach-O and PE binaries
+ ARM: simplify A64 instruction aliases MUL, MNEG, SMULL, SMNEGL, UMULL, UMNEGL
+ DWARF source-level debugging is now available on Android platforms
+ H8*: improved switch recognition
+ MC6812: track SP register changes
+ NEC850: added V850E2M and RH850 floating-point instructions (and many others)
+ PIC: added decoding of more 16F1x and 12F1x instructions
+ PIC24: new processor module
+ PC: added yet one more prolog pattern
+ PC: improved detection of 'push ecx' as part of the function prolog
+ PC: reduced number of incorrectly created offset expressions
+ PC: improved recognition of the gcc vararg prolog
+ PIC16: added processor module for PIC24,30,33 families
+ PPC: enhanced switch recognition
+ PPC: improved switch recognition
+ SH3: improved sp analysis
+ SH3: improved switch recognition
+ SPARC: improved switch recognition
+ TMS320C28X: improved switch recognition
+ V850: improved switch recognition
File Formats
+ CLI: corrupted files with bad LUT table can be loaded now
+ DEX: added support for VDEX file format
+ ELF: ability to load external symbols from companion file (even when DWARF info is missing.)
+ ELF: added annotation of NT_PRSTATUS and NT_PRPSINFO notes for core files
+ ELF: added support for packed android relocations (APS2 format)
+ ELF: allow independent loading of PHT and SHT in loader options
+ ELF: detect loading of inconsistent overlapping data from PHT
+ MACHO: allow the user to load a given module from a dyld_shared_cache on-command
+ MACHO: always use segment prefixes for kernelcache files, even when not splitting by KEXTs
+ MACHO: improve XML parsing for __PRELINK_INFO in kernelcache files
+ MACHO: support ARM64_32 (only in ida64 for now)
+ MACHO: support loading of iOS 12 prelinked kernelcaches
+ MACHO: support loading of new dyld cache format for arm64e architecture (e.g. iPhone XS)
+ MACHO: when loading a single dyldcache module, apply the relevant symbols from the cache's symbol table
+ MACHO: store segment protections in the database (previously they were ignored)
+ PE: label guard call check function if present in the load config directory
+ PE: added annotation for IMAGE_DEBUG_TYPE_REPRO
Debugger
+ support debugging on iOS devices with ARMv8.3-A extensions (iPhone XS, XS Max, XR)
+ support watchpoints in the Remote iOS Debugger
+ iOS: improve compatibility with older devices (the oldest we've thoroughly tested is an armv7 iPhone 4 with iOS 6.0.1)
+ dalvik: use the "track-jdwp" service instead of "jdwp"; it uses a more reliable protocol
+ ios_deploy: added "afc" phase
+ ios_deploy: added "battr" phase
+ ios_deploy: added "dattr" phase
+ ios_deploy: added "debug" phase; this allows us to easily troubleshoot issues when launching/attaching to a process
Kernel/Misc
+ CFG: removed obsolete config parameter CHECK_MANUAL_ARGS
+ FLIRT: ICL: Added signatures for icl177 (Intel C++ 17.7)
+ FLIRT: ICL: Added signatures for icl178 (Intel C++ 17.8)
+ FLIRT: ICL: Added signatures for icl182 (Intel C++ 18.2)
+ FLIRT: ICL: Added signatures for icl183 (Intel C++ 18.3)
+ FLIRT: ICL: Added signatures for icl190 (Intel C++ 19.0)
+ FLIRT: VC: Added signatures for vc1413 (Visual Studio 2017.6)
+ FLIRT: VC: Added signatures for vc1414 (Visual Studio 2017.7)
+ FLIRT: VC: Added signatures for ucrt 17134 (Windows 10 April 2018 Update SDK)
+ FLIRT: VC: Added signatures for vc1415 (Visual Studio 2017.8)
+ improved code detection heuristic rules
+ improved sp analysis
+ introduced -8align4 abi option for arm/pc
+ added support for parsing simple c++ classes with virtual functions
+ strlit comments: try to print them even for references to pointers to strings
+ types: improved til <-> IDB structure synchronizing
Objective-C
+ OBJC: added OBJC_LAZY_MODE to objc.cfg, which prevents IDA from parsing objc data at load-time
+ OBJC: allow user to pass options to objc plugin via -Oobjc:
+ OBJC: improve analysis of block functions by detecting Block_layout objects allocated on the stack
+ OBJC: improve type propagation in the pseudocode; specifically across ARC-related functions (objc_retain, objc_retainAutoreleasedReturnValue, etc.)
+ OBJC: introduce submenu for objc features. See Edit>Other>Objective-C
+ OBJC: parse __block_literal_global structures when loading mach-o files
+ OBJC: parse pre-optimized data structures in __objc_opt_ro
+ OBJC: support regular expressions in the selector string for the JumpSelector action
User Interface
+ ui/qt: added the ability to restore custom widgets when a desktop layout is loaded (through the 'ui_create_desktop_widget' notification)
+ ui/qt: added user interface for borrowing and returning floating licenses (available under menu Options-Floating Licenses in floating license IDA versions)
+ ui/qt: any widget that was last closed when floating (alone) and reopened with WOPN_RESTORE will now be restored as a float, in its previous position
+ ui/qt: custom data types & formats registered by the user now appear in the context menu
+ ui/qt: entries in the "Exports" window will now have different icons according to their type (function, data, undefined, ...)
+ ui/qt: in the proximity view, one can now add nodes from addresses, instead of having access to (non-dummy-) named items only
+ ui/qt: introduced 'get_window_id(const char *name=NULL)' to retrieve the underlying OS-specific window ID
+ ui/qt: some specific floating widgets geometries/positions will now be restored when re-opening (e.g., the "Script snippets")
+ ui/qt: watch views: it was impossible to specify an IDC expression containing a cast, such as (type)expr
+ ui/qt: when implementing 'ui_get_custom_viewer_hint' in a plugin, it is now possible to ask IDA to inject its "regular" hints anywhere in the returned text
+ ui: "Binary search" now allows tabs instead of spaces, between different items (e.g., 0x89\t0xE5), allowing easier copy-paste from tools such as GDB
+ ui: API: adding navband ea_t <-> pixel conversions
+ ui: added shortcuts Ctrl+Shift+Up/Ctrl+Shift+Down to jump to the start of the previous/next function
+ ui: create segment: if the end address of the segment is not specified, split the segment that is located at the specified start address
+ ui: pressing <Shift+Enter> in "jump" choosers (i.e., Ctrl+P, Ctrl+X, Ctrl+L, Ctrl+E, ...) will jump without closing the chooser, thereby working as a preview/quick navigation
+ ui: show demangled names by default in the module debug name list
+ ui: when a new idb cannot be created because of permissions, propose to create it in the home directory
+ ui: when creating structures from data, the structure will be named "struc_<addr>" (where 'addr' corresponds to the address of the start of the selection), instead of having an unrelated numeric suffix
+ ui: improved application of bitfield enums to operands
Scripts & SDK
+ IDAPython: added Hexrays_Hooks, providing a better abstraction on top of the hexrays_event_t (methods are typed, and bindings are automatically generated, meaning that it'll follow additions to the C++ SDK)
+ IDAPython: all functions not marked as THREAD_SAFE in the C++ SDK will now check that they are being called from the main thread, avoiding possible corruption or crashes
+ IDAPython: ida_dbg: expose memory_info_t(), meminfo_vec_t(), set_manual_regions()
+ IDAPython: ability to provide user hints for edges of user graphs
+ IDC: added __IDAVER__ as a numeric version number
+ IDC: added debugger registers as variable names
+ SDK: added GN_NOT_DUMMY bit for get_name()
+ SDK: added UTF-8 aware qrmdir()
+ SDK: added calc_func_size()
+ SDK: added idb_event::bookmark_changed
+ SDK: added support for shifted pointers
+ SDK: added the item_color_changed and callee_addr_changed events
+ SDK: append_cmt() does not append the comment if it is already present at the end of the existing comment
+ SDK: deleting a segment register now sends a 'sgr_deleted' event
+ SDK: exported copy_named_type()
+ SDK: renamed regex functions to not conflict with POSIX symbols (qregcomp/qregerror/qregexec/qregfree)
+ SDK: introduced the INSN_64BIT bit
+ SDK: added bitcount()
+ SDK: make request_refresh(), clear_request_refresh() and is_refresh_requested() accept 64-bit masks
Decompilers
+ hexrays: ARM: support RRX addressing mode
+ hexrays: added support for magic divisions in 64-bit code
+ hexrays: added "force new variable" command; it can be used to force the decompiler to create a new aliasable stack variable at the specified location
+ hexrays: added "variable is possibly undefined" warning
+ hexrays: added MAX_STRLIT_LEN configuration parameter
+ hexrays: added a new rule to simplify some ternary operators
+ hexrays: added a new rule: (x ^ y) & 1 => x != y if x,y are booleans
+ hexrays: added hxe_cmt_changed notification
+ hexrays: added logic to remove exception handling code (SjLj)
+ hexrays: exported idaloc2vd and vd2idaloc
+ hexrays: get rid of limitation on number of internal microregisters
+ hexrays: get rid of virtual registers in microoperands
+ hexrays: handle ARMv8.3 Pointer Authentication instructions
+ hexrays: improved handling of some switch idioms
+ hexrays: improved handling of union expressions
+ hexrays: improved propagation of odd parts of constant values
+ hexrays: improved recognizing of register arguments in called functions
+ hexrays: improved function prototype parser: take into account that the return type may contain parentheses
+ hexrays: improved detection of read-only data in dyld caches; this can heavily simplify the pseudocode
+ hexrays: slightly improved recognition of magic divisions
+ hexrays: x86: added recognition of gnu mcount()
+ hexrays: calls of virtual functions are decompiled in a nice way
+ hexrays: added support for 64bit character constants
+ hexrays: it was impossible to decompile a call that returns a UDT of an odd size (!is_valid_size)
+ hexrays: sdk: added macro HEXRAYS_MEMORY_ALLOCATION_FUNCS() and functions hexrays_alloc/hexrays_free
+ hexrays: sdk: added new flags CVAR_NOPTR, LVINF_NOPTR, use them to indicate that a variable should have a non-pointer type
+ hexrays: sdk: added external blocks (BLT_XTRN); they greatly improve snippet decompilation
+ hexrays: sdk: lvars are taken into account when calculating use/def lists; exported 2 more mlist related functions
+ hexrays: sdk: cleaned up the API; we will try to maintain compatibility from now on
BUGFIXES
BUGFIX: "Produce file > Dump database to IDC file..." would generate IDC scripts whose 'create_strlit' directives had erroneous 'length' parameter
BUGFIX: "Suspend on debugging start" option was broken for GDB-based debuggers
BUGFIX: "ida -B" was not performing the final pass over the input file and this could lead to huge ranges of unexplored bytes in the output listing
BUGFIX: 68K: some Coldfire-specific instructions were not decoded in the "MC68xxx universal emulator" mode
BUGFIX: COFF: some XCOFF64 files could be loaded incorrectly
BUGFIX: Copying to the clipboard from the graph view could result in text being shifted
BUGFIX: DWARF: C++ exceptions could be issued by the plugin during source-level debugging, and not be caught, causing IDA to exit
BUGFIX: DWARF: Golang types containing readonly or writeonly channels, would be turned into anonymous types
BUGFIX: DWARF: Structures with a variable-sized last member consisting of an array of arrays would not be handled properly
BUGFIX: EH: parsing of exception data in arm32 Mach-O binaries could produce bogus "bad try block information" warnings
BUGFIX: ELF: ARM: some files with ARM-mode entrypoint could be disassembled incorrectly in Thumb mode
BUGFIX: ELF: loading big-endian ARM files would display "ARM Little-endian" in the "Load file dialog". Similarly, loading little-endian PPC files would show "Power-PC big endian" instead of "Power-PC little endian"
BUGFIX: ELF: parsing SHT_NOTE could yield invalid contents
BUGFIX: GDB: serialized conversation (for troubleshooting purposes) could contain unescaped '\' characters
BUGFIX: GDB: IDA could crash when attaching to gdbserver if the bitness was misdetected
BUGFIX: GDB: some android aarch64 stubs could be misdetected as 32-bit arm
BUGFIX: GDB: when using snippet mode debugging with QEMU, segments starting with undefined bytes could have data zeroed out at runtime
BUGFIX: GDB: IDA could crash when attaching to QEMU i386 or x86_64 (starting with version 2.10)
BUGFIX: IDA could INTERR 40029 when using the gdb debugger
BUGFIX: IDA could hang trying to load some psx images
BUGFIX: IDA could crash trying to parse bad objc metadata
BUGFIX: IDA could crash when deleting a local type
BUGFIX: IDA could die with interr 40193 when trying to recover from a fatal network error during remote debugging
BUGFIX: IDA could misdetect the compiler as gcc
BUGFIX: IDA would become very slow when the debugger was active and the debugged application was running freely
BUGFIX: IDA would crash when parsing tryblk info
BUGFIX: IDA would not demangle names exported from a DLL during a debugging session
BUGFIX: IDA would print empty character constant if the character could not be converted from the source encoding
BUGFIX: IDA would crash with code 1004 if a scattered location with stack components was specified
BUGFIX: IDAPython: 'reg' member of action_update_ctx_t & action_activation_ctx_t, was virtually unusable as it corresponds to debugger registers, which have different numbers than processor module-provided ones. It has been replaced with 'regname'
BUGFIX: IDAPython: (low-level function) 'set_numbered_type()' wouldn't work with the 'sclass_t' argument returned by 'get_numbered_type()'
BUGFIX: IDAPython: 695 compat's 'ida_kernwin.get_highlighted_identifier()' could cause IDA to crash
BUGFIX: IDAPython: IDP_Hooks::ev_get_bg_color() was not usable w/o resorting to using ctypes
BUGFIX: IDAPython: calc_thunk_func_target() would crash IDA if 'None' was passed to it as first argument
BUGFIX: IDAPython: exceptions happening in timer callbacks wouldn't be reported immediately (and could fail being reported altogether)
BUGFIX: IDAPython: get_member_by_id() & get_member_by_fullname() were returning garbage instead of a proper 'struc_t *' instance
BUGFIX: IDAPython: ida_hexrays.ccase_t.values was not usable
BUGFIX: IDAPython: ida_lines.get_extra_cmt() would return None for empty strings, even though more comment lines exist after it
BUGFIX: IDAPython: idaapi.py's 'set_func_start' and 'set_func_end' coming from 'ida_funcs' were overridden with constants coming from 'ida_idp'
BUGFIX: IDAPython: it was impossible to retrieve the selection from an embedded chooser after its parent form has been accepted
BUGFIX: IDAPython: load_plugin() could crash IDA with a segmentation violation
BUGFIX: IDAPython: op_t.addr couldn't be used as a value to 'get_stkvar' although the documentation mentions it
BUGFIX: IDAPython: setting members of the cinsn_t's union without first setting the 'op' type, would silently fail
BUGFIX: IDAPython: some PLFM_* constants were not exported
BUGFIX: IDAPython: unexpected (and improperly handled) "wait dialogs" could show while some other modal dialog was activated, in case a timer fired in the background
BUGFIX: In the "Structures" view, IDA could display the header text multiple times in case structures were corrupted/deleted
BUGFIX: KERNEL: qfindfirst/qfindnext did not work for non-ASCII paths on Windows
BUGFIX: MC68K: instructions referring to addresses with the high bit set could be printed incorrectly in IDA64
BUGFIX: MC68K: some valid instructions would not be decoded in "MC68xxx universal emulator" mode
BUGFIX: MIPS: in mips16 mode, instructions ADDIUPC and LWPC situated in a delay slot could be disassembled using wrong PC value
BUGFIX: MinGW/Cygwin-produced PE x64 files could show __fastcall's as __usercall, even though the code does respect Microsoft's x64 ABI convention
BUGFIX: NEC850: xrefs to high addresses would not be created for some instructions when using IDA64
BUGFIX: On Windows, with the "windows" style and on Hi-DPI monitors, the check marks in checkboxes would look tiny
BUGFIX: PC: IDA sometimes was too aggressive in creating functions after multiple nop instructions
BUGFIX: PPC: some paired single load/store instructions could not be decoded if they used odd displacement values
BUGFIX: Showing enum values of negated values would show the list of matching enums for the original value
BUGFIX: The DWARF plugin could complain on some Rust types (i.e., '()')
BUGFIX: The DWARF plugin would stop early if it failed loading some debug information when parsing function data, while it could keep going and try parsing the following functions
BUGFIX: UI: IDA on Windows could not open filenames not representable in current ANSI character set
BUGFIX: UI: On Windows, IDA could print network-related error messages in wrong encoding, resulting in unreadable text
BUGFIX: When debugging a Linux/ELF application, symbols coming from "debuglink"-provided companion files wouldn't be available in IDA
BUGFIX: When requested, the segment name wouldn't appear in the line prefixes in graph mode
BUGFIX: Win32: during debugging, it was impossible to open the list of exports for an .exe
BUGFIX: Win32: when attaching to a process for debugging, IDA could fail loading PDB information associated with the executable file
BUGFIX: arm: ida64 would not truncate addresses to 32bit when decoding 32bit code
BUGFIX: debugger action objc:RunUntilMessageReceived could fail for multithreaded Objective-C apps
BUGFIX: debugger: calling get_event_module_name() in an IDC condition could crash if the debug event was not of the correct type (PROCESS_STARTED, PROCESS_ATTACHED or LIB_LOADED). Now LIB_UNLOADED is also supported, and an IDC exception is thrown in other cases
BUGFIX: debugger: win32: "SEH list" functionality did not work for wow64 processes when using local debugging
BUGFIX: debugger: win32: IDA could hang when debugging a 32-bit (WOW64) process on Win10
BUGFIX: excessively big shift counts were handled incorrectly (e.g. "shl eax, 33" should not produce 0)
BUGFIX: file names coming from AR archives could be garbled due to an incorrect assumption about their encoding
BUGFIX: fixed a crash when loading corrupted LE files
BUGFIX: fixed interr 50863 that could occur in corrupted idbs
BUGFIX: gas for arm requires lowercase instruction conditions but ida was not always using lowercase for them
BUGFIX: get_strlit_contents() could overflow the range of bytes it was asked to retrieve
BUGFIX: get_strlit_contents() shouldn't stop at codepoint zero, but rather keep going until the 'len'gth is reached
BUGFIX: in some cases it was impossible to set the "bp-based frame" function attribute, ida would immediately reset it
BUGFIX: it was impossible to correctly specify prototype of a thiscall function that returns a big struct
BUGFIX: it was possible for the mac debugger to load debug names from a file that didn't match an image in memory
BUGFIX: kernel: IDA could hang on exit when using borrowed licenses and license server was not accessible anymore
BUGFIX: ldr/coff: don't use a DT_NON symbol to describe a section, if a procedure is planned there and a non-dummy name has been set
BUGFIX: m65816: abs,x/abs,y addressing could fail to create xrefs
BUGFIX: mac debugger could fail to load for databases that were created from scratch
BUGFIX: mac debugger could fail to single step when source-level debugging in multithreaded environments
BUGFIX: mac debugger could fail to update the thread list properly, which could then cause IDA to fail to add/delete a hardware breakpoint
BUGFIX: mac debugger could produce duplicate debug names in a module's name list
BUGFIX: mac debugger could trigger erroneous SIGBUS signals after setting a software breakpoint on OSX 10.14
BUGFIX: mac debugger would fail to set user-defined hardware breakpoints in newly-created threads
BUGFIX: mach-o loader could erroneously truncate segments in iOS 11 kernel caches
BUGFIX: mach-o loader would not properly load files with a __TEXT segment with a nonzero file offset
BUGFIX: mips: fixed analyzing of the mips16e 'addiu' insn
BUGFIX: no events were generated when the user toggled the operand sign or bitwise negated it
BUGFIX: objc plugin could ask to parse Objective-C info when in fact no such info was present in the database
BUGFIX: pc: ida could loop endlessly if a finally handler belonged to 2 different functions
BUGFIX: pdp-11: offset expressions were not creating xrefs
BUGFIX: pdp-11: removed obsolete PDP_XLAT_ASCII parameter from ida.cfg
BUGFIX: range change was wrong for ANALYSIS, ANALYSIS2, and some other bitmask config parameters
BUGFIX: rtti comments would be duplicated upon reanalysis
BUGFIX: rtti type descriptor names starting with '*' were not recognized
BUGFIX: rtti type descriptor names starting with *Z were not recognized
BUGFIX: scripted loaders had to seek to the beginning of the file at the beginning of the load_file() function
BUGFIX: sdk: tinfo_visitor_t::apply_to() could spoil type modifiers (const/volatile) and attributes when editing the type
BUGFIX: segmentation info could be lost when opening very old databases (created before 2001)
BUGFIX: set_fixup() has 6 arguments but the docs were claiming there are 5 arguments
BUGFIX: setting the struct member type as "int[]" (without specifying the array size) could lead to an array of arrays (int[][])
BUGFIX: simplecustviewer_t::OnPopup wouldn't allow receiving the 'widget' and 'popup_handle' as other widgets would
BUGFIX: some corrupted mach-o files could crash ida
BUGFIX: some flowchart edges could be missing (could occur in the presence of xrefs into the middle of an instruction)
BUGFIX: sometimes 'overflow' bit would be calculated incorrectly after cmp or sub instructions
BUGFIX: stack unwinding could break analysis for prefixed call instructions
BUGFIX: stopped modifying the function in the 'ev_is_jump_func' event
BUGFIX: the linux debugger could cause INTERR 20099 with corrupted ELF files
BUGFIX: the mac debugger could create an incorrect memory layout after attaching to a process with ASLR enabled
BUGFIX: the win32 debugger server would fail to retrieve pdb files from symbol servers
BUGFIX: ui/qt: IDA could easily deadlock if more than 1 thread was using logging.py, or simply attempting to print anything in the console while holding any other lock that both threads might require
BUGFIX: ui/qt: IDA could show the wrong bookmarks contents for the "Jump > Clear mark..." action
BUGFIX: ui/qt: added "Add watch" to the (old-style) watchlist context menu
BUGFIX: ui/qt: background color for lines could fail to be applied in some cases
BUGFIX: ui/qt: changing segment register values wouldn't cause the "Segment registers" chooser to refresh
BUGFIX: ui/qt: deleting (or modifying) segment register ranges could leave the disassembly view(s) outdated
BUGFIX: ui/qt: don't show "(null)" in the collapsed area footer, if the description is missing
BUGFIX: ui/qt: during debugging, the "flags" registers column could be made partly invisible (depending on the display DPI)
BUGFIX: ui/qt: given a sufficiently long list of functions in "Functions window", deleting ranges of functions could cause IDA to crash
BUGFIX: ui/qt: hex views would show bogus characters when bytes were decoded as UTF-8 and yielded surrogate codepoints
BUGFIX: ui/qt: moving IDA between monitors with different resolutions, could result in the graph view showing garbage
BUGFIX: ui/qt: on HiDPI displays (e.g., 4k), hints could end up being partly truncated
BUGFIX: ui/qt: the 'COLOR_DEFAULT' for prefixes of simpleline_t would result in portions of that line marked as COLOR_PREFIX, to be invisible
BUGFIX: ui/qt: when 2 widgets were placed next to one another within the same tab, closing the leftmost one, could cause the rightmost one to disappear as well (without being destroyed.)
BUGFIX: ui/qt: when jumping between nodes in graph view, the animation could end up in the wrong place
BUGFIX: ui/qt: when stopping a debugging session, it might happen that some line rendering options (number of opcode bytes, indent, ...) would not be properly restored to what it should be
BUGFIX: ui/qt: when using line top/bottom paddings, the graph view could show artifacts for e.g., highlighting
BUGFIX: ui: "Strict ASCII" option in the "Strings window" was not working
BUGFIX: ui: calling set_view_renderer_type() on the TWidget returned from open_disasm_window(), would crash IDA
BUGFIX: ui: in the "Structures" view, the "Shrink structure" action would be available on alignment bytes, yet incapable of actually removing those
BUGFIX: ui: some string literals part of structure instances in the address space, could fail to show in the "Strings window"
BUGFIX: ui: when attaching to a process, it could be impossible to load PDB or DWARF debug information right away (but would work after detaching & re-attaching)
BUGFIX: user info would be stored in the idb even when STORE_USER_INFO was turned off
BUGFIX: user-specified 'manual instruction' for data items was ignored
BUGFIX: using -DTRICORE_DEVICE in the command line would lead to warnings
BUGFIX: hexrays: "(x>>8)&1" would be represented as "x>>8" in some cases
BUGFIX: hexrays: 'jl (N-x), x' would be decompiled incorrectly
BUGFIX: hexrays: 1-byte functions could not be decompiled
BUGFIX: hexrays: 64bit multiplication was not correctly recognized in some cases
BUGFIX: hexrays: in some cases the decompiler could not represent a zero constant as an enum member
BUGFIX: hexrays: an assignment to a global variable could be incorrectly optimized away in some cases
BUGFIX: hexrays: append_use_list() could give wrong result in case of Big Endian platform
BUGFIX: hexrays: arm: some multiple registers/memory transfer instructions were not marked in the microcode as multimove sequences
BUGFIX: hexrays: decompiler could generate wrong offset for accessing a part of variable having user-defined type
BUGFIX: hexrays: the decompiler would consider .text segments as read-only even if their permissions said otherwise
BUGFIX: hexrays: find_def/find_use worked correctly only for register operands; other operand types were handled poorly
BUGFIX: hexrays: fixed a bug in set_to_le_ge()
BUGFIX: hexrays: fixed an endless loop (fortunately, a rare thing)
BUGFIX: hexrays: fixed bug in combine_hinsn_mov()
BUGFIX: hexrays: fixed many interrs
BUGFIX: hexrays: in some cases "smod power2" rule could produce wrong operands in the generated microinstruction
BUGFIX: hexrays: in some cases the decompiler could lose 'default:' branch of a switch statement
BUGFIX: hexrays: in some rare cases some comparisons would be decompiled incorrectly
BUGFIX: hexrays: incorrect partial operand propagation in some rare cases on Big Endian platforms
BUGFIX: hexrays: offsetof(type,field) could have an empty field name in some rare cases
BUGFIX: hexrays: pc: incorrect handling of loope/loopne instructions
BUGFIX: hexrays: signed modulo 2 was sometimes recognized with wrong size
BUGFIX: hexrays: some 64bit comparisons would be decompiled wrongly
BUGFIX: hexrays: stack pointer could be miscalculated when decompiling a mixed range that contained code both inside and outside functions
BUGFIX: hexrays: the "lxe_lvar_type_changed" could provide outdated lvar_t information
BUGFIX: hexrays: the BACKPROP_CC rule could invert an 'if' condition
BUGFIX: hexrays: the rule "~x > 0" => "x <= 0" was too aggressive
BUGFIX: hexrays: the type of guard_dispatch_icall() could interfere when guessing the prototype of the called function
BUGFIX: when calling 'set_member_tinfo()', the struc_member_changed event would be sent before the tinfo_t object is actually applied
BUGFIX: when parsing omf files, ida was storing the wrong extdef name length in the idb
BUGFIX: when using the "Suspend on debugging start" option with the mac debugger, /usr/lib/dyld would be missing from the module list
BUGFIX: win32: ida was mistakenly setting a borland debug hook in some cases; this would change the program execution
BUGFIX: win32: if the debugged application erased a software breakpoint, appcall would stop working
BUGFIX: windbg: IDA could crash with interr 1491 when loading a 32-bit minidump of a process with DLLs loaded above the 2GB mark (0x80000000)
BUGFIX: wrong function prototypes could cause an interr
BUGFIX: 68000: ida would not truncate function and instruction addresses to 24-bit
BUGFIX: IDA could crash for choosers with empty title
BUGFIX: IDAPython: GraphViewer.AddEdge() could crash IDA if the source or destination nodes were out-of-bounds
BUGFIX: hints could not show up for user graphs
BUGFIX: debugger: win32: IDA could crash on win10 preview with interr 1419 when debugging a 32-bit process
BUGFIX: fixed interr 40372 (ida would die if a conditional bpt was present in the idb and idapython was disabled or not present)
BUGFIX: hexrays: if multiple windows with the same function were present, an inactive one could be used for jump targets
BUGFIX: mips: fixed delay slot processing
BUGFIX: print_operand() would print data operands incorrectly for big endian processors (this function is not used to generate the disassembly listing)
BUGFIX: IDA could crash when trying to open a registers view in the GDB debugger
BUGFIX: enumplace_t::adjust() was not working properly with bitfields + serials
BUGFIX: ios debugger was broken for old iOS versions (< 9.0)
BUGFIX: the "Currently:" button text in the String Literals dialog was difficult to read on OSX