IDA 8.4

IDA 8.4.240215 February 15, 2024

IDA 8.4 Highlights

Unified type storage (ASMTIL)

  • Having separate Structures, Enums and Local Types views, kept in sync with each other, confused many users, especially those new to IDA. We have decided to add all missing features (such as structure field representation) to Local Types, so that all type manipulations (still with the familiar hotkeys!) can now be done there. New databases will only have Local Types by default; the Structures and Enums views are deprecated.

  • The new Local Types widget allows editing structures either in the style of the classic Structures widget or via a free-text editor.

  • The same goes for enum types:

ARM/iOS improvements

  • We added support for common Apple-specific instructions and system registers commonly encountered in iOS and macOS software. This means you should see fewer instances of undefined bytes breaking disassembly and more understandable code when working with these files.

  • ARMv8.6-A support. We've added most of the mandatory and optional instructions from ARMv8.6-A (with the notable exception of SVE). In particular, we added the following instruction set extensions (number of instructions in parentheses):

    • FEAT_SHA3: (4) Advanced SIMD SHA3 instructions

    • FEAT_SHA512: (4) Advanced SIMD SHA512 instructions

    • FEAT_DotProd: (2) Advanced SIMD dot product instructions

    • FEAT_BF16: (8) BFloat16 (Brain Floating Point) instructions

    • FEAT_FHM: (2) Floating-point half-precision multiplication instructions

    • FEAT_I8MM: (5) Int8 matrix multiplication instructions

  • ARMv8-M support: we now properly disassemble accesses to the new system registers introduced since ARMv7-M (for example, NS variants of some registers)

  • The Mach-O loader now offers fine-grained control over the selection of dyld shared cache modules and their dependencies:

  • The ARM32 decompiler supports hard-float ABI (floating point values passed and returned in FPU registers):

Debugger improvements

  • We added support for recent Android versions and made it more robust when working with apps without debug information. If running on a recent (API28+) Android, IDA will try to guess the variable type automatically. Since in the Dalvik VM the value of a variable cannot be displayed without knowing its type, this boosts the debugging experience significantly.

Dalvik debugger without type information:

The same app, but with successfully guessed types for all local variable slots that are in scope:

  • Environment variables can now be specified for Windows/Linux/Mac debuggers in process options:

  • We made various improvements to the debugging backends:

    • Address Space Layout Randomization (ASLR) can now be disabled for most platforms that support it (local debuggers and remote gdbstub). This simplifies debugging in cases where deterministic addresses are desired, e.g. when comparing runs or scripting breakpoints on fixed addresses.

    • We enabled NoAck mode on iOS, saving one round trip per packet (the '+'/'-' acknowledgement of each packet in the remote protocol is no longer exchanged). This is beneficial for anybody debugging remote devices over high-latency connections (typically cloud-based emulators).

    • Finally, our remote debugging server is now available for ARM64 Linux.

Modernized Look'n'Feel

  • We replaced all icons with brushed-up, vectorized versions and added a crosshair effect to the minigraph view for orientation in large graphs.

Moreover, pixelated fonts are a thing of the past. Text in graph mode now renders crisply at any zoom level.

  • Scrolling and zooming via the trackpad now works smoothly (especially, but not limited to, macOS)

Old version:

New version:

  • better graph layouts with fewer (if any) edge intersections, even on big functions

Improved Parsing of Rust metadata

  • We added a plugin for parsing Rust-specific data and constructs. As a consequence, the huge merged string pools typically observed in Rust binaries are now split up into individual string literals. Moreover, the plugin adds demangling of both the legacy and the v0 Rust name mangling formats.
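To make the "legacy" mangling format mentioned here (and in the rust plugin entry under Standard plugins below) concrete, here is a small added reference decoder for `_ZN...E` symbols, written for this page; it is not IDA's or the rust plugin's code. It undoes the `$..$` escapes and `..` path separators that rustc's legacy mangler emits and peels off the trailing `h<16 hex digits>` hash. The v0 scheme (RFC 2603, `_R...` prefix) uses back-references and punycode and is deliberately only detected, not decoded. The sample symbols in the usage section are constructed, not taken from a real binary.

```python
import re

# Escape sequences produced by rustc's legacy (pre-v0) symbol mangler.
_LEGACY_ESCAPES = {
    "$SP$": "@", "$BP$": "*", "$RF$": "&", "$LT$": "<", "$GT$": ">",
    "$LP$": "(", "$RP$": ")", "$C$": ",",
}
# The final path component of a legacy symbol is normally 'h' + 16 hex digits.
_HASH_RE = re.compile(r"^h[0-9a-f]{16}$")


def _split_legacy(sym):
    """Split '_ZN<len><ident>...E' into raw identifier strings, or None if malformed."""
    if not sym.startswith("_ZN") or not sym.endswith("E"):
        return None
    body, i, parts = sym[3:-1], 0, []
    while i < len(body):
        j = i
        while j < len(body) and body[j].isdigit():
            j += 1
        if j == i:                      # component without a length prefix
            return None
        n = int(body[i:j])
        ident = body[j:j + n]
        if len(ident) != n:             # length runs past the end of the symbol
            return None
        parts.append(ident)
        i = j + n
    return parts or None


def _unescape(ident):
    """Undo legacy escapes in one path component; None on an unknown/unterminated escape."""
    if ident.startswith("_$"):          # leading '_' is padding before an escape
        ident = ident[1:]
    out, i = [], 0
    while i < len(ident):
        if ident[i] == "$":
            end = ident.find("$", i + 1)
            if end == -1:
                return None
            esc = ident[i:end + 1]
            if esc in _LEGACY_ESCAPES:
                out.append(_LEGACY_ESCAPES[esc])
            elif esc.startswith("$u") and len(esc) > 3:   # $uXXXX$ -> Unicode code point
                try:
                    out.append(chr(int(esc[2:-1], 16)))
                except ValueError:
                    return None
            else:
                return None
            i = end + 1
        elif ident.startswith("..", i):  # '::' is mangled as '..'
            out.append("::")
            i += 2
        elif ident[i] == ".":            # rustc mangles '-' (and ':') as '.'; assume '-' here
            out.append("-")
            i += 1
        else:
            out.append(ident[i])
            i += 1
    return "".join(out)


def demangle_rust_legacy(sym):
    """Return (path, hash_or_None) for a legacy-mangled Rust symbol, or None otherwise.

    v0 symbols ('_R...') are recognised as Rust but intentionally not decoded.
    """
    if sym.startswith("__ZN"):          # Mach-O adds an extra leading underscore
        sym = sym[1:]
    parts = _split_legacy(sym)
    if parts is None:
        return None
    hash_part = None
    if len(parts) > 1 and _HASH_RE.match(parts[-1]):
        hash_part = parts.pop()
    decoded = []
    for p in parts:
        d = _unescape(p)
        if d is None:
            return None
        decoded.append(d)
    return "::".join(decoded), hash_part


if __name__ == "__main__":
    # Constructed sample symbols (hashes are made up).
    for s in ("_ZN4core3fmt9Formatter3pad17h1234567890abcdefE",
              "_ZN49_$LT$Vec$LT$T$GT$$u20$as$u20$core..ops..Deref$GT$5deref17h0123456789abcdefE",
              "_RNvCs1234_7mycrate4main"):
        print(s, "->", demangle_rust_legacy(s))
```

Running the block prints `core::fmt::Formatter::pad` with its hash, the trait-impl path `<Vec<T> as core::ops::Deref>::deref`, and `None` for the v0 symbol. The length-prefix and escape checks matter because a symbol table is attacker-controlled input: a length that runs past the end of the string or an unterminated `$` escape is rejected rather than read past the buffer.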

Full list of changes and new features:

Processor modules

  • ARM: added some Apple-specific A64 system registers

  • ARM: added support for most ARMv8.6-A instructions: FHM, BF16, SHA3, SHA512, SM3, SM4

  • ARM: decode Apple-specific instructions used in iOS and macOS (GXF, AMX, SDSB etc.)

  • ARM: detect calls in A64 mode when X30 (LR) points to the address after a branch

  • ARM: expand the architecture settings dialog with explicit options for ARMv8-A, ARMv8-M and ARMv9

  • ARM: improved handling of references to fields of structure instances

  • ARM: improved xref creation for LDP and STP instructions

  • PC: added decoding of new Sapphire Rapids instructions (UINTR and HRESET)

  • PC: support x86 switch variation produced by GCC 4.8

  • PPC: implemented a simple regtracker (regfinder)

  • PPC: improved handling of references to fields of structure instances

  • MIPS: added support for $s1 as the frame register in mips16 functions

  • MIPS: improved handling of references to fields of structure instances

  • NEC850: implemented a simple regtracker (regfinder)

  • NEC850: print the target for indirect jumps and calls (when available)

  • NEC850: support a new switch pattern (uses 'bnc' after 'addi')

  • TMS320C28X: added support for extended instructions (FPU, FPU64, VCU, VCRC, VCU-II, TMU, FINTDIV)

File formats

  • MACHO: overhaul of the dyld shared cache module selection system

  • MACHO: properly describe versioned arm64e ABI Mach-O files

  • MACHO: support relocations provided by the __chain_starts section in Apple's firmware components (e.g. SPTM, TXM)

  • MACHO: added support for dyld slide info version 5 (macOS 14.4)

FLIRT / TILS / IDS

  • FLIRT: added signatures for icl 231 (Intel C++ 2023.1.0)

  • FLIRT: go: runtime signatures for go1.22 (x86_64)

  • FLIRT: go: startup and runtime signatures for go1.21 (x86_64)

  • FLIRT: VC: added signatures for vc14.36 (Visual Studio 2022.16)

  • FLIRT: VC: added signatures for vc14.37 (Visual Studio 2022::VC17.7)

  • TIL: MacOSX12.0 SDK

  • TIL: MacOSX13.0 SDK

  • TIL: MacOSX14.0 SDK

  • TIL: iPhoneOS15.0 SDK

  • TIL: iPhoneOS16.4 SDK

  • TIL: iPhoneOS17.0 SDK

Standard plugins

  • makesig: new plugin to generate FLIRT signatures from the current database

  • makesig: Added File > Produce file > Create SIG file... action

  • DWARF: Handle oversized bitfield groups at the end of structures

  • idaclang: parse __attribute__((annotate("...")))

  • OBJC: added support for relative lists of properties and protocols (iOS17 optimization)

  • OBJC: got rid of extra cast to 'Class' in the calls to objc_alloc() and objc_alloc_init()

  • OBJC: handle object initialization using objc_opt_new

  • OBJC: simplify calls to the 'objc_msgSend$method' helpers and add cross-references to the destination method using the decompiler

  • rust: new plugin for parsing rust-specific data and constructs (e.g. splitting merged string literals)

  • rust: support demangling of both legacy and the v0 mangling format (RFC 2603)

  • SWIFT: group functions by the module name; added an option to swift.cfg

  • SWIFT: updated demangler for Swift 5.9

Kernel/Misc

  • kernel: added a new analysis option "Merge strlits" (enabled by default, disabled for golang)

  • kernel: allow a constant with value 0 in a bitmask enum if zero is not the only constant in its group and there is more than one group

  • kernel: allow register names as struct/union member names.

  • kernel: assume g++ 3.x (Itanium ABI) name mangling by default

  • kernel: improve strlit discovery from cross-references

  • kernel: parse __attribute__((annotate("...")))

Scripting & SDK

  • IDAPython: implemented idc.sizeof(), equivalent of the IDC function

  • IDAPython: improve doc and error message for ida_typeinf.calc_type_size()

  • IDC: highlight more keywords in the script editor

  • SDK: improved get_utf8_char() so that it does not move the pointer past the terminating zero

  • SDK: improved idb_event::local_types_changed to include more detailed info about the modified types

  • SDK: renamed get_ordinal_qty -> get_ordinal_limit

UI

  • UI: added "Find register definition" and "Find register use" to the IDA View context menu

  • UI: debugger: added environment variables to the process options dialog

  • UI: enable folders in the Functions window by default

  • UI: FLIRT signatures can now be loaded from an arbitrary location and not just IDA's sig folder

  • UI: graph: add ability to select graph edges, in addition to nodes

  • UI: graph: highlight item under mouse after jump on edge (when the animation stops)

  • UI: graph: improved readability of the graph overview's focus area

  • UI: highlight focused area in the mini graph view

  • UI: improved display of string literals in the terse structure view

  • UI: improved Local Types view to be a complete replacement for assembler-style Enums and Structs (which are deprecated)

  • UI: improved output of array of structs and output of varstruct (if last field is not empty)

  • UI: improved output of terse struct with nested varstruct

  • UI: improved wheel scrolling, to make it smoother (and more accurate)

  • UI: new icon set, SVG-based and with a refreshed palette

  • UI: reduce the delay when invoking 'Convert to array' action

  • UI: save "Turn on synchronization" and "Show Folders" Functions window setting in desktop

  • UI: when wheel-zooming into the graph view, snap to 1:1 in the event of a trackpad "elastic" wheel motion

Debuggers

  • debugger: added 'disable ASLR' to the common debugger options for supported platforms (Linux, Win32, macOS)

  • debugger: arm: added debug server for ARM64 Linux

  • debugger: dalvik: added IDC functions for raw JDWP calls

  • debugger: dalvik: improved local variable type detection/guessing

  • debugger: dalvik: warn about missing APK debuggable flag

  • debugger: gdb: now we accept xml files lacking the "target" node

  • debugger: ios: support for changes in the debugserver protocol for iOS17

  • debugger: ios: try to use NoAckMode by default (improves latency over slow connections)

  • debugger: support for IPv6 address notation for the hostname in the -r command line option

  • debugger: x64: improved stack trace recovery

Decompilers

  • decompiler: "Split expression" can now be used on inlined memcpy/strcpy/memset helpers to split them into individual operations

  • decompiler: "Extract Function" can now delete unreferenced local types

  • decompiler: added hxe_callinfo_built and hxe_calls_done events

  • decompiler: arm: decompile ARMv8.3 LDAPR instruction

  • decompiler: arm: support ARM32 hard-float ABI (FP values passed in FPU registers)

  • decompiler: colorize floating point numbers

  • decompiler: colorize non-trivial strlit forms (such as CFSTR)

  • decompiler: double-clicking on a symbolic constant opens its definition

  • decompiler: if a bitmask operation is used to check the sign bit of a signed expression, replace it with the "less than zero" expression

  • decompiler: ppc: improved handling of code manipulating the condition register (CR) directly

  • decompiler: renamed "Force variable" to "Split variable"; its hotkey is Shift-S now

Bugfixes

  • BUGFIX: ARM: ARMv8-M MSR/MRS instructions accessing newly introduced system registers (e.g. MSP_NS) were not decoded

  • BUGFIX: ARM: calls to _mcount in ARM64 Linux kernel modules would cause the stack to be unbalanced

  • BUGFIX: ARM: fixed some T32 UAL mnemonics (FMXR -> VMSR and FMRX, FMSTAT -> VMRS)

  • BUGFIX: ARM: some Thumb32 MSR instructions accessing xPSR fields were not decoded correctly

  • BUGFIX: AVR: immediate operands to subi/sbci instructions would be incorrectly displayed as negative numbers for values >127

  • BUGFIX: dalvik: allowed setting breakpoints on methods with empty variable table

  • BUGFIX: dalvik: fixed race condition that would prevent attaching to the process on API30+

  • BUGFIX: dalvik: removed excessive warnings when connecting without running debug target

  • BUGFIX: debugger: gdb debugger was printing wrong error messages about system errors

  • BUGFIX: debugger: the win32 debugger would miss exports from ntdll.dll on some systems

  • BUGFIX: decompiler: "copy to assembly" had line numbers off by one

  • BUGFIX: decompiler: __stdcall functions must follow Windows ABI even when the current compiler is gcc64

  • BUGFIX: decompiler: arm: fixed decompilation of PKHBT and PKHTB instructions

  • BUGFIX: decompiler: arm: fixed wrong decompilation of LDADDLH instruction (result was not zero-extended)

  • BUGFIX: decompiler: c++ implementation of vds6 sample was buggy

  • BUGFIX: decompiler: dead code elimination pass could incorrectly remove code when an indirect jump was converted to a goto

  • BUGFIX: decompiler: extract_func() could hang trying to collect the used types

  • BUGFIX: decompiler: fixed a case of too aggressive propagation leading to wrong decompilation

  • BUGFIX: decompiler: hints for the offsets of the base class members were wrong

  • BUGFIX: decompiler: magic division by 641 and its multiples was not properly recovered

  • BUGFIX: decompiler: mba_t::find_mop() could miss call arguments

  • BUGFIX: decompiler: print correct shortcut for expanding collapsed local variables declarations

  • BUGFIX: decompiler: the "Split variable" action was not always visible when clicking on the variable name; clicking on the beginning of the line was required

  • BUGFIX: decompiler: the decompiler was failing on the calls to runtime.morestack in golang binaries

  • BUGFIX: decompiler: user-defined calls were not honored in outlined functions

  • BUGFIX: decompiler: when the cursor is put in a block comment in pseudocode, synchronized idaview would jump to the beginning of the function

  • BUGFIX: decompiler: x coordinates of the xrefs to types mentioned in function prototypes were miscalculated

  • BUGFIX: DSCU: IDA would appear to hang when loading an arm64_32 dyld shared cache for watchOS

  • BUGFIX: eh_parse: analysis could hang on some win32 binaries with many unwind blocks

  • BUGFIX: golang: plugin was creating REF_OFF64 fixups in all cases, even for 32-bit applications

  • BUGFIX: IDA could silently ignore failed rebasing attempts in some databases; now an error is shown

  • BUGFIX: IDAPython: ida_bytes.op_stroff was unusable

  • BUGFIX: IDAPython: ida_kernwin.get_[named|numbered]_type would return "fields comments" as a string, which was incompatible with ida_kernwin.set_[named|numbered]_type

  • BUGFIX: IDAPython: ida_hexrays: IDA could crash on accessing the 'it' member of an empty ctree_item_t instance

  • BUGFIX: IDAPython: ida_idaapi.as_int32 could compute an erroneous value

  • BUGFIX: IDAPython: ida_idaapi.as_signed() could return numbers that were not truncated to the specified width

  • BUGFIX: IDAPython: IDAPython would fail to initialize on Python 3.12 release due to missing 'imp' module

  • BUGFIX: IDAPython: plugins using PyQt5 would crash IDA when using Python 3.12 release build

  • BUGFIX: IDC: get_flags() and get_full_flags() were still returning 32 bits instead of 64 bits.

  • BUGFIX: installer: installer would try and fail to configure IDA for Python 2 on macOS

  • BUGFIX: kernel: improved tracking of SP when the stack pointer is changed in delay slot of a branch

  • BUGFIX: kernel: on Linux/Mac, IDA would create useless btree records for some big arrays, leading to substantial increase of the database size

  • BUGFIX: kernel: some offsets could be truncated in wide-byte processors resulting in missed or wrong cross-references

  • BUGFIX: kernel: specifying a different processor name with -p for old databases would cause an odd error message; now IDA quits after showing a correct message

  • BUGFIX: kernel: the C parser was accepting wrong type names like "WRONG_PREFIX::name", now it complains about them

  • BUGFIX: kernel: when loading a corrupted til file, IDA would exit with interr 97 instead of reporting the problem

  • BUGFIX: kernel: xref to enum constant with value greater than 0xFF was improperly calculated

  • BUGFIX: MACHO: fixed wrong warnings during loading of DSC modules

  • BUGFIX: MACHO: IDA could load the wrong type library (from macOS) for MH_FILESET kernelcaches (iOS16+)

  • BUGFIX: MACHO: parsing of DSC slide chain could continue past end of page (on corrupted files) and display bogus warnings

  • BUGFIX: NEC850: rh850 LDSR/STSR instructions with selID != 0 would incorrectly use system register names from the selID=0 set

  • BUGFIX: OBJC: "jump to selector" action could have failed on calls which use helper stubs

  • BUGFIX: OBJC: RunUntilMessageReceived could fail on macOS ARM64

  • BUGFIX: OBJC: small direct method selectors in dyld shared cache could be parsed incorrectly if libobjc.A.dylib was not loaded

  • BUGFIX: OBJC: some types which referred to blocks (typestring "@?") were parsed incorrectly

  • BUGFIX: OBJC: stack block analysis in DSC could fail if libsystem_blocks was loaded into the database

  • BUGFIX: OBJC: the objc plugin would fail to add cross-reference to destination method in case of tail-call to _objc_msgSend

  • BUGFIX: PC: fixed error when loading x64 .net modules

  • BUGFIX: PC: fixed multiple issues with segments ending at 0x100000000 for 32-bit files in IDA64

  • BUGFIX: PC: IDA would crash with an internal error 10129 when disassembling some 64-bit instructions in an originally 32-bit database

  • BUGFIX: PDB: some well-formed typedefs were not added to local types

  • BUGFIX: PIC: ROM sizes were wrong for some members of the PIC18F family

  • BUGFIX: picture_search: disable automatic picture detection while debugging

  • BUGFIX: RISCV: add stack variables in functions that use a frame pointer (s0)

  • BUGFIX: RISCV: set stack variable size based on store and load instruction whenever possible

  • BUGFIX: SDK: tinfo_visitor_t with TVST_DEF was not visiting the typedef targets

  • BUGFIX: SWIFT: a deliberately crafted IDB could cause IDA to load an arbitrary DLL (potentially from a remote host) and lead to code execution. Until this version is installed, an .idb received from an untrusted party should be treated as untrusted input, not as inert data.

  • BUGFIX: SWIFT: newly loaded modules from DSC would not be detected as having Swift metadata

  • BUGFIX: TEAMS: fixed multiple instances of database corruption/internal errors during merging

  • BUGFIX: TEAMS: folder structure could be corrupted during merging

  • BUGFIX: TEAMS: handling a large number of the deleted types could lead to interr 1949

  • BUGFIX: TEAMS: IDA always borrowed the first license in "Borrow license" dialog even if there were other appropriate candidates to borrow

  • BUGFIX: TEAMS: in some cases IDA refused to use a valid borrowed license

  • BUGFIX: TEAMS: merging bookmarks could corrupt their folder structure

  • BUGFIX: TEAMS: remembering credentials could silently fail

  • BUGFIX: TIL: added checks to type visitor to prevent OOB

  • BUGFIX: TIL: tilib could produce an error "Cannot get information about @__security_check_cookie@4" when dumping TILs created by idaclang

  • BUGFIX: TMS320C8: IDA could incorrectly show read cross-references as write and vice versa

  • BUGFIX: UI: color highlighting in the code snippet editor could be off by one for some words

  • BUGFIX: UI: correctly handle paths containing spaces when opening a new ida instance

  • BUGFIX: UI: drag-and-drop selection now works on cells other than the first column for choosers in full tree mode

  • BUGFIX: UI: graph: default graph layout in huge functions could have some edges intersecting with nodes

  • BUGFIX: UI: graph: edges were sometimes not redrawn correctly after undo

  • BUGFIX: UI: graph: fixed discrepancies between selection and highlight colors for nodes/edges

  • BUGFIX: UI: graph: option 'Re-layout graph if nodes overlap' didn't work in some situations

  • BUGFIX: UI: graph: resetting graph ('Layout graph') didn't work in some cases (database after rebasing)

  • BUGFIX: UI: hexadecimal values higher than 0x8000000000000000 were not sortable in choosers

  • BUGFIX: UI: IDA could fail to display menus created in plugin's init() method

  • BUGFIX: UI: IDA could jump to wrong address when double-clicking a function in the list during autoanalysis

  • BUGFIX: UI: some actions invoked through the context menu could not be undone

  • BUGFIX: UI: some combo boxes had too little space for text in the dark theme

  • BUGFIX: UI: trying to request an update from the UI in IDA Home or Teams would fail with "time limited version cannot be updated"

  • BUGFIX: UI: using "Reload file" on previously opened file without extension could fail with "you can't disassemble file with such an extension"
