IDA 7.5sp3

IDA 7.5.201028 (SP3) October 28, 2020

The Service Pack 3 introduces a handful of new and interesting features specific to the soon-to-be-released macOS 11 (Big Sur) and provides fixes for numerous minor issues.

Highlight:

• We improved macOS11 kernel debugging with VMware Fusion 12.

• We also improved symbolication of MH_FILESET kernelcaches.

Complete changelist:

Debugger:

• improved macOS 11 kernel debugging

MACHO:

• improve handling of threaded pointers in iOS kernelcaches

• support symbolication of macOS11 kernelcaches that link against the boot/sys kext collection. see BOOT_KC_PATH in macho.cfg for an overview

Bugfixes

• 78K0S: opcode D5 was incorrectly decoded as INC (should be DEC)

• A crafted IDB file could trigger a use-after-free in IDA

• Chooser: the ui_get_chooser_item_attrs event was called with the wrong CHOOSER argument

• Cloning script snippets could corrupt the database

• Debugger: ios debugger was broken on iOS14

• Debugger: ios debugger could fail to fetch the process list on iOS 14

• Debugger: mac/ios/xnu debuggers would create tons of meaningless debugger segments

• Debugger: mac debugger could fail to load symbols from system dylibs

• Debugger: PIN: get rid of warning "Unexpected addrsize of the debugged program", permit remote PIN to be started by Debug->Attach

• Debugger: linux: debugger could interr when handling program with many short-lived threads

• Debugger: xnu debugger would fail to demangle c++ names after attaching with an empty database

• Decompiler: "create new struct type" could generate a new struct type with forbidden characters, like <

• Decompiler: "push esp/pop reg" was decompiled incorrectly

• Decompiler: automapping variables was too aggressive in some cases

• Decompiler: changing the type of a structure field would cause the loss of the __cppobj attribute

• Decompiler: decompile() would crash if asked to decompile an unexisting function (nullptr)

• Decompiler: fixed a crash on corrupted idbs

• Decompiler: fixed false alarm 'ignored garbage at the end of the blob...'

• Decompiler: fixed interr 50902

• Decompiler: in some cases the action "Reset pointer type" was not working (had no effect)

• Decompiler: in some cases the decompiler would add a suffix to the user-defined names (myvar->myvara)

• Decompiler: jumping to the pseudocode from another window (for example, from the local types) would fail to activate the window in some cases

• Decompiler: on macOS, the decompiler would use shortcut "Ins" instead of "I" for the "Edit block comment" action

• Decompiler: PPC: if addresses are subtracted assume that the size is being calculated

• Decompiler: renaming a structure field would cause the loss of the __cppobj attribute

• Decompiler: some xrefs to enum members would be missed by Ctrl-Alt-X

• DWARF: IDA could try to allocate too much memory on corrupted files before dying with out-of-memory error

• DWARF: The DWARF plugin could crash IDA (null pointer dereference) with some specially-crafted files

• DWARF: The DWARF plugin could INTERR with specially crafted files

• DWARF: The plugin could cause IDA to crash (stack exhaustion) with some specially crafted input files

• DWARF: The plugin could loop (seemingly) endlessly when encountering a DW_TAG_namespace with a (broken) name whose first character is '#'

• DWARF: The plugin could perform a use-after-free during stack unwinding, on some DWARF input files

• DWARF: The plugin could perform a use-after-free on some specially crafted files

• DWARF: validate size of compressed sections before trying to load them

• IDA could complain about "corrupted database" (bad srrange) when opening a rebased and saved database

• IDA could crash when loading a corrupted elf file

• IDA could crash when parsing corrupted PDB files

• IDA could crash when performing certain manipulations with script snippets

• IDA could crash when restoring function information from a corrupted database

• IDA could endlessly loop on some corrupted idbs

• IDA could fail with internal error 20078 on corrupted ELF files

• IDA would crash when loading an ARM64 driver if the default debugger was set to windbg

• IDA would try to allocate huge amount of memory when loading a corrupted elf file

• IDAPython: IDA could exit silently on startup if the Python runtime called exit() during initialization

• IDAPython: ida_bytes.bin_search documentation was lacking

• IDAPython: ida_bytes.next_visea, ida_bytes.prev_visea were not available

• IDAPython: ida_ida.AF_FINAL had value -0x80000000 instead of 0x80000000

• IDAPython: ida_name.MNG_* and ida_name.MT_* values were not exposed

• IDAPython: ida_search.SEARCH_UNICODE was not available after IDA 7.0, while ida_search.find_binary() still is

• IDAPython: if a 'nav colorizer' would return a long that couldn't be converted into 32-bits, IDA would fail reporting the issue in a timely manner, leaving it for later Python code to fail

• IDAPython: internal error 30615 could happen if Python intialization failed

• IDAPython: using ida_kernwin.choose_find() with a non-IDAPython chooser, would crash IDA

• IDAPython: when using Python 2, scripts with magic 'encoding' comment could fail to run

• INTERR 1983 could happen in some situations after rebasing

• LUMINA: fixed "Unsupported OpenSSL version" error on macOS11

• Modifying an attribute of a function argument (e.g. adding __hidden) would be saved in the database but would not be immediately reflected in the disassembly

• On windows idat would let the operating system to handle some Ctrl- keys, rendering them unusable in IDA

• Opening IDA without an IDB and opening the script snippets dialog, and then loading an IDB with snippets, would fail to properly load that database's snippets

• PC: changes in processor specific options were not undone upon Ctrl-Z

• PC: parse_reg_name() could return wrong register types for XMM/YMM/ZMM registers

• PC: some FMA instructions were not decoded in 32-bit mode

• Rebasing the program by an odd number of bytes was not forbidden (and led to problems later)

• Renaming a local type by pressing F2 would lead to its removal from all use sites

• Searching for all occurrences of a byte sequence would not work without an open disassembly view

• Types: creating a c++ structure with a __vftable member in the struct view was not marking the structure as having vftable; only doing so from local types was working

• UI/QT: during auto-analysis, typing in the quick filter (e.g., in the 'Functions window') could result in loss of certain characters

• UI/QT: hiding columns when in 'folders' mode wouldn't work

• UI/QT: if entries in the "Structures" or "Enums" widgets were sorted, scrolling by using the scrollbar would jump over some entries

• UI/QT: renaming folders in the "Local types", would show the editor on the wrong cell (in the 'Name' column, even though the folder name is in first column, named 'Ordinal'.)

• UI/QT: right-click would crash IDA on macOS11 beta7 and later

• UI/QT: the "Command palette" could refuse to keep the user selection, making it hard to use

• UI/QT: the decompiler action "Jump to local type" could fail to select the proper type when the "Local types" view was sorted

• UI/QT: when searching for text in sorted folders views, IDA could loop endlessly

• UI/TXT: it was impossible to "Import" snippets in the 'Script snippets' dialog

• UI: Alt+T/Ctrl+T searches in tabular/tree views, wouldn't wrap around as they should

• UI: choosers starting in "folder" mode, might not have the user-desired sizes for columns

• UI: Cmd+M would not minimize the IDA window on macOS, per convention

• UI: debugger stack view could display values with wrong bitness (e.g. 32-bit values for 64-bit programs)

As of SP3, IDAPython is incompatible with Python 3.9. If you are experiencing crashes when running IDAPython code, and in particular if the following statement crashes: `from PyQt5 import QtCore`, please run the `idapyswitch' utility that can be found next to IDA in the install directory and select a Python 3.8 (or earlier) install.