IDA 7.5sp2

IDA 7.5.200728 (SP2) July 28, 2020

This release fixes some immediate issues with the new macOS11/iOS14 binaries and focuses principally on enhancing the static analysis for new file formats.

Highlights

MH_FILESET kernelcache format

The new MH_FILESET kernelcache format from macOS 11 is now fully supported.

Analysis of dyldcache files from macOS11/iOS14

IDA 7.5 Service pack 2 improves the analysis of dyldcache files from macOS11/iOS14

Objective-C

SP2 also improves the analysis of Objective-C metadata in binaries compiled with XCode 12 (specifically __objc_methlist sections)

Also:

• We added a workaround for slowdowns when loading dyldcache modules on macOS Catalina.

• We added type libraries for MacOSX11.0.sdk and iPhoneOS14.0.sdk.

• Minor improvements to debugging on macOS11/iOS14 were provided (no ARM64 macOS11 debugging support yet).

Complete changelist:

ARM:

• decode ARMv8.5-A BTI instruction

• support ARMv8.4-RCPC instructions (LDAPUR, STLUR)

• support ARMv8.5-A Memory Tagging Extension (MTE) instructions

Decompiler:

• improved recognition of signed divisions via multiplication by magic constant

MACHO:

• handle dyld slide info v4 (used in WatchOS dyld_shared_cache_arm64_32)

• handle LC_DYLD_EXPORTS_TRIE in macOS11/iOS14 binaries

• improve analysis of dyldcache files from macOS11/iOS14

• parse LC_DYLD_CHAINED_FIXUPS for arm64e binaries

• support new MH_FILESET kernelcache format from macOS 11

OBJC:

• improve Objective-C metadata parsing for macOS11/iOS14 (specifically __objc_methlist structures)

TIL:

• introduce type libraries for MacOSX11.0.sdk and iPhoneOS14.0.sdk

Bugfixes

• decompiler: global xref cache might become stale after a user action that was changing only the line numbers (like adding a comment)

• decompiler: the decompiler could crash when displaying the global xref list if the cache was stale

• decompiler: wrmsr instruction could be decompiled wrongly (value of edx was unused)

• IDA could crash when using undo in Local Types editor

• IDA would create many useless *_hidden segments when loading kernelcaches/dyldcaches

• IDAPython: 'coding: ' comments were not respected when loading a script file

• loading single modules from a dyldcache was unusually slow on macOS Catalina

• mac debugger would show "Input file is missing" error when debugging a dyldcache lib on macOS11

• types could be duplicated in the folder view of 'Local types' window

• UI/QT: when in folders mode, fast jumping by row number wouldn't work

• UI/QT: while debugging, detaching an unsynchronized & invisible "Pseudocode-A" tab could crash IDA

• UI: "fast searches" in a folder view, could cause IDA to freeze, or crash in certain cases

• UI: a long, unbreakable line in the "Output window" would cause other long (but breakable) lines to not be laid out according to the viewport size, and thus require scrolling

• UI: Hex View's in databases using certain encodings (typically UTF-8), could show a glitch in the rendering of 'combining' unicode codepoints

• UI: in the "Output window", if a long line had to be broken up into multiple 'physical' lines, clicking in the middle of one of those physical lines would place the cursor to its beginning

• UI: scrolling in the navigation band could jitter with very segmented address spaces

• UI: when folders were enabled on certain widgets, and the IDB was saved (e.g., by clicking on the 'save' icon), but then not saved again when closing, the widget would show up in no-folders mode

• UI: zooming in the navigation band could lose current position