IDA 9.0

IDA 7.5sp3

IDA 7.5.201028 (SP3) October 28, 2020

The Service Pack 3 introduces a handful of new and interesting features specific to the soon-to-be-released macOS 11 (Big Sur) and provides fixes for numerous minor issues.

Highlight:

  • We improved macOS11 kernel debugging with VMware Fusion 12.

  • We also improved symbolication of MH_FILESET kernelcaches.

Complete changelist:

Debugger:

  • improved macOS 11 kernel debugging

MACHO:

  • improve handling of threaded pointers in iOS kernelcaches

  • support symbolication of macOS11 kernelcaches that link against the boot/sys kext collection. see BOOT_KC_PATH in macho.cfg for an overview

Bugfixes

  • 78K0S: opcode D5 was incorrectly decoded as INC (should be DEC)

  • A crafted IDB file could trigger a use-after-free in IDA

  • Chooser: the ui_get_chooser_item_attrs event was called with the wrong CHOOSER argument

  • Cloning script snippets could corrupt the database

  • Debugger: ios debugger was broken on iOS14

  • Debugger: ios debugger could fail to fetch the process list on iOS 14

  • Debugger: mac/ios/xnu debuggers would create tons of meaningless debugger segments

  • Debugger: mac debugger could fail to load symbols from system dylibs

  • Debugger: PIN: get rid of warning "Unexpected addrsize of the debugged program", permit remote PIN to be started by Debug->Attach

  • Debugger: linux: debugger could interr when handling program with many short-lived threads

  • Debugger: xnu debugger would fail to demangle c++ names after attaching with an empty database

  • Decompiler: "create new struct type" could generate a new struct type with forbidden characters, like <

  • Decompiler: "push esp/pop reg" was decompiled incorrectly

  • Decompiler: automapping variables was too aggressive in some cases

  • Decompiler: changing the type of a structure field would cause the loss of the __cppobj attribute

  • Decompiler: decompile() would crash if asked to decompile an unexisting function (nullptr)

  • Decompiler: fixed a crash on corrupted idbs

  • Decompiler: fixed false alarm 'ignored garbage at the end of the blob...'

  • Decompiler: fixed interr 50902

  • Decompiler: in some cases the action "Reset pointer type" was not working (had no effect)

  • Decompiler: in some cases the decompiler would add a suffix to the user-defined names (myvar->myvara)

  • Decompiler: jumping to the pseudocode from another window (for example, from the local types) would fail to activate the window in some cases

  • Decompiler: on macOS, the decompiler would use shortcut "Ins" instead of "I" for the "Edit block comment" action

  • Decompiler: PPC: if addresses are subtracted assume that the size is being calculated

  • Decompiler: renaming a structure field would cause the loss of the __cppobj attribute

  • Decompiler: some xrefs to enum members would be missed by Ctrl-Alt-X

  • DWARF: IDA could try to allocate too much memory on corrupted files before dying with out-of-memory error

  • DWARF: The DWARF plugin could crash IDA (null pointer dereference) with some specially-crafted files

  • DWARF: The DWARF plugin could INTERR with specially crafted files

  • DWARF: The plugin could cause IDA to crash (stack exhaustion) with some specially crafted input files

  • DWARF: The plugin could loop (seemingly) endlessly when encountering a DW_TAG_namespace with a (broken) name whose first character is '#'

  • DWARF: The plugin could perform a use-after-free during stack unwinding, on some DWARF input files

  • DWARF: The plugin could perform a use-after-free on some specially crafted files

  • DWARF: validate size of compressed sections before trying to load them

  • IDA could complain about "corrupted database" (bad srrange) when opening a rebased and saved database

  • IDA could crash when loading a corrupted elf file

  • IDA could crash when parsing corrupted PDB files

  • IDA could crash when performing certain manipulations with script snippets

  • IDA could crash when restoring function information from a corrupted database

  • IDA could endlessly loop on some corrupted idbs

  • IDA could fail with internal error 20078 on corrupted ELF files

  • IDA would crash when loading an ARM64 driver if the default debugger was set to windbg

  • IDA would try to allocate huge amount of memory when loading a corrupted elf file

  • IDAPython: IDA could exit silently on startup if the Python runtime called exit() during initialization

  • IDAPython: ida_bytes.bin_search documentation was lacking

  • IDAPython: ida_bytes.next_visea, ida_bytes.prev_visea were not available

  • IDAPython: ida_ida.AF_FINAL had value -0x80000000 instead of 0x80000000

  • IDAPython: ida_name.MNG_* and ida_name.MT_* values were not exposed

  • IDAPython: ida_search.SEARCH_UNICODE was not available after IDA 7.0, while ida_search.find_binary() still is

  • IDAPython: if a 'nav colorizer' would return a long that couldn't be converted into 32-bits, IDA would fail reporting the issue in a timely manner, leaving it for later Python code to fail

  • IDAPython: internal error 30615 could happen if Python intialization failed

  • IDAPython: using ida_kernwin.choose_find() with a non-IDAPython chooser, would crash IDA

  • IDAPython: when using Python 2, scripts with magic 'encoding' comment could fail to run

  • INTERR 1983 could happen in some situations after rebasing

  • LUMINA: fixed "Unsupported OpenSSL version" error on macOS11

  • Modifying an attribute of a function argument (e.g. adding __hidden) would be saved in the database but would not be immediately reflected in the disassembly

  • On windows idat would let the operating system to handle some Ctrl- keys, rendering them unusable in IDA

  • Opening IDA without an IDB and opening the script snippets dialog, and then loading an IDB with snippets, would fail to properly load that database's snippets

  • PC: changes in processor specific options were not undone upon Ctrl-Z

  • PC: parse_reg_name() could return wrong register types for XMM/YMM/ZMM registers

  • PC: some FMA instructions were not decoded in 32-bit mode

  • Rebasing the program by an odd number of bytes was not forbidden (and led to problems later)

  • Renaming a local type by pressing F2 would lead to its removal from all use sites

  • Searching for all occurrences of a byte sequence would not work without an open disassembly view

  • Types: creating a c++ structure with a __vftable member in the struct view was not marking the structure as having vftable; only doing so from local types was working

  • UI/QT: during auto-analysis, typing in the quick filter (e.g., in the 'Functions window') could result in loss of certain characters

  • UI/QT: hiding columns when in 'folders' mode wouldn't work

  • UI/QT: if entries in the "Structures" or "Enums" widgets were sorted, scrolling by using the scrollbar would jump over some entries

  • UI/QT: renaming folders in the "Local types", would show the editor on the wrong cell (in the 'Name' column, even though the folder name is in first column, named 'Ordinal'.)

  • UI/QT: right-click would crash IDA on macOS11 beta7 and later

  • UI/QT: the "Command palette" could refuse to keep the user selection, making it hard to use

  • UI/QT: the decompiler action "Jump to local type" could fail to select the proper type when the "Local types" view was sorted

  • UI/QT: when searching for text in sorted folders views, IDA could loop endlessly

  • UI/TXT: it was impossible to "Import" snippets in the 'Script snippets' dialog

  • UI: Alt+T/Ctrl+T searches in tabular/tree views, wouldn't wrap around as they should

  • UI: choosers starting in "folder" mode, might not have the user-desired sizes for columns

  • UI: Cmd+M would not minimize the IDA window on macOS, per convention

  • UI: debugger stack view could display values with wrong bitness (e.g. 32-bit values for 64-bit programs)

As of SP3, IDAPython is incompatible with Python 3.9. If you are experiencing crashes when running IDAPython code, and in particular if the following statement crashes: `from PyQt5 import QtCore`, please run the `idapyswitch' utility that can be found next to IDA in the install directory and select a Python 3.8 (or earlier) install.

Last updated