IDA 9.2 Beta

Welcome to the IDA 9.2 Beta Release, and thank you to all our beta testers for joining us! Below are the key highlights and changes introduced in this beta version.

Share your feedback

Spotted a bug or have a suggestion to the IDA 9.2 beta release? Let us know and contribute to IDA evolution:

UI Improvements

Jump To Anywhere

  • Jump To Anywhere is a new dialog created to simplify quick jumps to locations anywhere in the IDB. It is envisioned to become the successor of the JumpAsk ("Jump to address...", bound to the G key) dialog.

  • It can be opened via the JumpToAnywhere action that is bound to Ctrl + Alt + F (CMD + Alt + F on macOS) by default. A checkbox was also added in the (new) Feature flags dialog (Options → Feature flags...) to quickly map/unmap JumpToAnywhere to the G key.

  • Currently we index functions, local types, names and segments. Later we plan to introduce a public API that will allow users to extend the index, query it, and much more.

  • For now the dialog is fairly simple: it presents an input box where the user can type in a name and below that a list of search matches is populated.

  • The list can be navigated using arrow keys. Pressing Enter jumps to the currently selected entry.

  • If the user input is interpretable as an address expression, a result entry for the corresponding destination will appear at the top of the search result list.

  • The behavior of the dialog can be changed in idagui.cfg to your preference:

//-------------------------------------------------------------------------
//      Jump anywhere parameters (requires ENABLE_INDEXER = YES in ida.cfg)
//-------------------------------------------------------------------------

#ifdef __QT__
JUMP_ANYWHERE_MAX_HISTORY = 25     // maximum number of history entries in the jump anywhere dialog
JUMP_ANYWHERE_MAX_RESULTS = 10000  // maximum number of search results (0 = no limit)
#endif

The indexer can be disabled in ida.cfg by setting ENABLE_INDEXER = NO. This may be useful if you use IDA in headless mode, as it eliminates the small overhead of building and maintaining the index.

Future plans

  • We would like to support fuzzy string matching in JumpToAnywhere

  • We will also add a preview pane inside of the dialog to provide context about the entry that is currently selected.

Request for Feedback | Feedback Form

  • Do you find the performance of the Jump To Anywhere dialog satisfying? Are you able to input your search smoothly?

  • Would you like to be able to filter by type of match (only functions, only types etc.)?

  • Did we miss anything that would make this dialog better?

Unified Location History

  • Global history stack across multiple widgets. Addresses issues like:

    • double clicking on a static variable switching to disassembly view, but ESC would not navigate back to pseudocode

    • double clicking on a type or stack variable would "trap" navigation with no easy way to return back to the origin

  • Activated automatically for Disassembly, Pseudocode, Local Types, and Stack. The old behaviour can be restored in Options → General → Misc, under "History groups".

New Debugger Regs Widget

  • New register widget for the debugger. It applies coloring, dereferences pointers, and in general tries to be smart about register values. This behavior can be controlled via the context menu.

Autocompletion for Types in Local Types

  • Autocompletion when editing/creating types in Local Types via the free text editor.

  • Either automatically triggered when typing, or manually invoked using Ctrl + Space.

  • When adding a new type in the "C syntax" tab, autocompletion is available.

  • Autocompletion uses the existing types in the database and C/C++ keywords (such as "struct", "int"...).

  • Simply start typing the beginning of the desired type name and a list of completions will appear; it can be navigated using the arrow keys.

  • Additionally, a very useful hint will appear on the side to provide more context about the suggested type, allowing you to distinguish between "foobar1", "foobar2" or even "FooBar".

  • If autocompletion suggestions are in your way, you can discard them by pressing Esc.

  • It is also possible to deliberately request to show completions at any moment using Ctrl + Space (the ForceTypesAutoCompl action, the shortcut is configurable).

  • We also added automatic completion of curly braces and auto-indentation: when entering '{', '}' will be automatically added, and between them an empty line with an indentation.

  • After working with older builds that lacked autocompletion, we were reminded how much easier editing types is with it. It's one of those things you only truly appreciate once it's gone. If for one reason or another you're not keen on autocompletion, you can disable it partially or fully: Options → General... → Misc. At the bottom of that page you will find a group of settings "Types autocompletion":

    • Enable autocomplete for types — enables or disables the entire mechanism. If you uncheck the box, the behavior will not differ from previous versions. Enabled by default.

    • Case sensitive — changes case sensitivity. If you check the box, then, for example, the "f" prefix will show "foobar", but not "Foobar". Disabled by default.

    • Enable autocomplete for curly braces — enables or disables autocompletion of curly braces and indents. Enabled by default.

    • Enable type hints — enables or disables hints when choosing a type from suggestions during autocompletion. Enabled by default.

Request for Feedback | Feedback Form

  • Suggestion list appearance for autocomplete:

    • Does it always appear when you want it to? (when entering keywords)

    • Are there any situations where the list appears when you don't want it to? (when entering a type or member name)

  • Suggestion list size:

    • Are 7 types in the list without scrolling enough or should it be larger? Or smaller?

    • Are the suggestions in the list covered by scrollbars?

Xref Graph

  • New widget graphically displaying inter-function relationships (code and data).

  • Replaces the following widgets / actions / tools:

    • Qwingraph

    • Xrefs graph from ... (function name context menu)

    • Xrefs graph to ... (function name context menu)

    • Function call graph

    • User call graph

  • Invoked using Alt + Shift + X.

  • The graph gathers a set of nodes connected by xrefs. For now the nodes are laid out using a force-directed approach.

  • The controls are quite simple:

    • dragging nodes around moves them

    • clicking and dragging around the graph pans around (holding the Shift key will pan without unintentionally grabbing a node)

    • holding Ctrl/CMD while scrolling will zoom in/out

    • double-clicking on a node will jump to the corresponding item in an IDAView

    • nodes can be added to/removed from the graph using right-click on a node (e.g. "Add xrefs from node")

  • The layout mechanism can be played/paused using the Space key.

Request for Feedback | Feedback Form

  • Would you like to be able to use other layouts for the graphs?

  • Do you find such graph representations useful for your workflows? If not, what would make them more powerful?

Xref Tree

  • New widget textually displaying inter-function relationships (code and data).

  • New widget enabling textual, interactive, non-modal traversing of xrefs to provide a better overview of the function call hierarchies and data references. This view complements, and will eventually be tightly integrated with, the new xref graph and xrefs in general.

  • Replaces the following widgets:

    • Function Calls

    • Cross References

  • The tree shows both references to and from the current function, in a fashion similar to call hierarchy views in IDEs. Both code and data references are displayed.

  • The tree is non-modal and there can be multiple instances of it open at the same time, each displaying a different function. The tree state is not preserved between sessions.

  • The tree nodes are lazily loaded, and the tree is updated in real-time as the user navigates. Any changes to function and object names are reflected in the tree.

  • It is possible to make the tree synchronize with the current IDA View, by checking the "Sync" checkbox.

  • Unneeded functions can be filtered out by clicking the "Add filter" button or using the Ctrl + F shortcut (Ctrl + Shift + F removes the filter).

  • By default the tree displays function names in simplified form, such as main(argc, argv) instead of int main(int argc, char **argv). This can be changed by unchecking the "Simplified view" checkbox.

  • The tree can be navigated with mouse and keyboard, using the common cursor keys.

  • If there are multiple xrefs to the same function, they are deduplicated by default. This can be changed by checking the "Allow Duplicates" checkbox.

Access and shortcuts

  • It is accessible via:

    • View → Open Subview → Cross References Tree,

    • The Command Palette (action name: OpenXrefsTree),

    • Shift + X on any function or address with incoming/outgoing Xrefs

  • One can press F10/Shift + F10 to cycle through the xrefs to the currently selected function.

Request for Feedback | Feedback Form

  • Performance with complex graphs. The tree is lazily-loaded, does it feel instantaneous?

  • Filter usability: is it easy to use?

  • Color scheme and visual style: is it easy to read?

  • Is there some crucial functionality missing?

  • Would it be beneficial to keep this tree view visible in the default layout? (just like the Functions chooser)

IDA is now running on Qt6

  • We provide shims to make sure plugins written for Qt5 remain operational.

Request for Feedback | Feedback Form

  • Please report any parts of the (now legacy) Qt5 API that we forgot to cover (except QRegExp)

  • Qt6 addresses many known issues on Wayland Linux (self-detaching menus, popups not gaining focus, missing window decorations, ...). Please report any remaining bugs that you encounter.

Actions for font size controls

  • Available under the View menu, the "Increase|Decrease|Reset Font size" actions let the user directly control the font size of the widget (or family of widgets) they're currently using.

  • Previously users had to open the font selection dialog ("Font...") to adjust the size of fonts.

  • The actions have been mapped to Ctrl + + (Ctrl + = also works), Ctrl + - and Ctrl + 0, respectively (CMD on macOS).

Request for Feedback | Feedback Form

  • Are you happy with the selected shortcuts?

    • how do you typically control font size in other apps?

  • Should we make these actions available elsewhere?

  • Do the expected UI elements react?

    • note that in graph view these shortcuts are still mapped to zoom in/out and not increase/decrease font size

Feature Flags Dialog

  • New dialog enabling/disabling experimental features

  • Can be opened via Options → Feature Flags

  • Currently only allows quickly mapping the new "Jump to Anywhere" feature to the G hotkey

Sunsetting idat's Terminal Interface

  • As of this release, idat does not support interactive mode anymore (read: the TUI is gone!)

  • Batch mode processing is still available (and will stay), so infrastructure relying on batch processing still works

Architecture Support

ARM

  • Instruction set extensions:

    • ARMv8.7-A: FEAT_WFxT Extension (fixes most recent Apple SPTMs)

    • ARMv8.7-A: FEAT_xNS Extension (fixes most recent Apple SPTMs)

    • Low Overhead Branch Extensions

    • Custom Datapath Extension

  • Load ARM64EC Windows COFF files (ARM64EC PE support pending)

  • Speed improvements of the internal register tracking logic

  • FLIRT:

    • ARMv8 support for pmacho

    • pcf: New option -f to filter for ARM64EC/ARM64 objects in Windows COFF files (supports any COFF OBJ magic)

    • pcf: Fix processing of ARM64 relocations

    • properly emit and consume ARMv7 THUMB bits in PAT files

MIPS

  • Added support for O64 ABI

RH850

  • Support more relocation types

  • Make TP, GP, CALLT registers user-assignable global registers

  • Many small improvements in macro building

RISCV

  • Dramatically improved function discovery

  • Recognition of table based switch constructs making use of THEAD instructions

Tricore

Support for TC4x (TC1.8) instructions

50+ new instructions from the TC1.8 architecture are now fully supported in the disassembler. This includes double-precision FPU instructions, virtualization instructions, and new Q (quad-sized) registers.


Make A0, A1, A8, A9 user-specifiable global registers

Support for setting global address registers (A0, A1, A8, A9) as segment registers. TriCore uses these registers for global address computation, typically via GP-relative access. By configuring them via Edit → Segments (or Alt + G), you help IDA resolve memory references more accurately.


New chipset definitions

Added TC1765, TC1724, TC1728, TC1130, and improved the already existing ones. These are used across the automotive and railway industries, including real-world train firmware.

TMS320

  • Support 32bit SIMD instructions (tms320c6)

Type System

New Parser

There are 3 parsers currently available:

  1. default - old internal IDA parser (will be obsolete)

  2. clang - previous parser based on clang

  3. future - new parser based on clang's libtooling llvm-20.1.0 (will become default)

Using the parser

You can switch between them via the Options → Compiler... settings.

Compiler options

Additionally, you can use the -Oclang:on command line switch to activate the new parser in IDA, or set the IDA_CLANG_PARSER environment variable to 1. To activate the new parser in tilib, pass the -IC command line switch. You may also pass additional arguments down to clang using -CT (e.g. -CT-target -CTx86_64-pc-linux).

The "future" parser is fully migrated to clang's libtooling, and it unifies all type parsing done by IDA into a single backend. This means that the same parser will be used in the type editor, in idaclang and in tilib.

A convenient way to tweak the new parser is via the "Parser specific options" dialog.

Parser Properties

You may set defaults for these options and check their documentation in idaclang.cfg.

Python API

Using the parser from the Python API can be done via the ida_srclang module.

import idaapi
import ida_srclang

# clang-style arguments handed down to the "future" parser
argv = [ "-target x86_64-apple-darwin-macho",
         "-x c++",
         "-std=c++17",
         "-Werror",
         "-Wno-incompatible-sysroot",
       ]
ida_srclang.set_parser_argv("future", " ".join(argv))

# parser-specific option (the same settings as in the "Parser specific options" dialog / idaclang.cfg)
ida_srclang.set_parser_option("future", "CLANG_SMART_POINTERS", "OSSharedPtr")
# parse the declarations of a header file (HTI_FIL: the input is a file name);
# None selects the current database's local types as the target
ida_srclang.parse_decls_with_parser_ext("future", None, "header_file.h", idaapi.HTI_FIL)

For example, the new parser can be used to parse C++ templates:

struct std::char_traits<char>
{
};

Note that two new HTI flags are available in ida_typeinf:

  • HTI_SEMICOLON: do not complain if the terminating semicolon is absent

  • HTI_STANDALONE: should parse standalone declaration, which may contain qualified names and type names (IDA-Pro specific declaration)

Backwards Compatibility

There are two approaches to define a __usercall:

  1. int __usercall f<eax>(int *a<edx>[]) - obsolete

  2. int __usercall f@<eax>(int *a@<edx>[]) - recommended way

Approach (1) is not supported by the new parser.
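Since only the @-form survives in the new parser, headers and type-library sources that still use the obsolete f<eax>(a<edx>) syntax need to be migrated before they can be parsed with "future". The following converter is an added example and not part of IDA or its type libraries: it rewrites one declaration at a time, touching only text after the __usercall/__userpurge keyword and only register-like location specs, leaving already-converted declarations and template arguments such as vector<int> alone. The sample header it processes is constructed for the example.

```python
import re

# Only declarations with a user-specified calling convention can carry
# register location specs, so everything else is returned untouched.
_USER_CC = re.compile(r"\b(__usercall|__userpurge)\b")

# Builtin type names that may appear as a template argument (vector<int>)
# and must not be mistaken for a register location.
_NOT_REGISTERS = {
    "int", "char", "short", "long", "void", "bool", "float", "double",
    "signed", "unsigned",
}

# Obsolete location spec: an identifier (or ']') immediately followed by
# <loc>, where loc looks like a register spec: eax, edx:eax, 0:eax, xmm0.
# '@' is not in the lookbehind class, so "f@<eax>" never matches and the
# recommended form is left as it is.
_OLD_LOC = re.compile(
    r"(?<=[A-Za-z0-9_\]])<((?:[0-9]+:)?[a-z][a-z0-9]*(?::[a-z][a-z0-9]*)*)>"
)


def _fix_loc(m: re.Match) -> str:
    loc = m.group(1)
    if loc in _NOT_REGISTERS:      # template argument, not a register
        return m.group(0)
    return "@<" + loc + ">"


def convert_usercall_decl(decl: str) -> str:
    """Rewrite one declaration from the obsolete f<eax>(a<edx>) form to the
    recommended f@<eax>(a@<edx>) form. Declarations without
    __usercall/__userpurge are returned unchanged."""
    m = _USER_CC.search(decl)
    if m is None:
        return decl
    # Location specs can only follow the keyword (function name, parameters),
    # so the return type before it is never touched.
    head, tail = decl[:m.end()], decl[m.end():]
    return head + _OLD_LOC.sub(_fix_loc, tail)


def convert_header(text: str) -> str:
    """Apply convert_usercall_decl to every line of a header file's text."""
    return "\n".join(convert_usercall_decl(line) for line in text.split("\n"))


# Constructed sample header (hypothetical declarations, not from IDA).
SAMPLE_HEADER = """\
int __usercall f<eax>(int *a<edx>[]);
int __usercall g@<eax>(int *a@<edx>[]);
void __userpurge h<eax>(std::vector<int> *v<ecx>, __int64 x<edx:eax>);
int __cdecl plain(int a);
"""

if __name__ == "__main__":
    print(convert_header(SAMPLE_HEADER))
```

Run it over a copy of the header and diff the result before feeding it to tilib or the type editor; a declaration the converter does not recognise (an unusual location spec, a template argument that happens to be lowercase) stays unchanged and will still be reported by the new parser, so nothing is silently lost.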

Tuples

  • Added the notion of tuples (~structs where exact member allocation is ignored)

  • Use via keyword __tuple

  • Currently they behave as structs with a few differences:

    • two tuples with matching members are considered to be equal

    • tuples are returned from functions in a different manner

Disassembler/Decompiler Integration

  • Disassembler automatically uses structure offsets found by the decompiler

  • New analysis option: Copy xrefs found by decompiler to disassembler (disabled by default)

Major Golang Analysis Improvements

  • Significant improvements to the decompilation of Golang code:

    • Fully support Golang's stack-based ABI for return values

    • Improved dataflow tracking / recognition of object copy operations

    • Improved string pool handling

    • Recognition of Golang compiler idioms:

      • runtime.convTnoptr, runtime.convT, runtime.growslice, runtime.makeslicecopy, runtime.duffcopy, runtime.duffzero

    • Better metadata parsing (FUNCDATA, PCLNTAB)

Ineffective Golang string recognition in IDA 9.1 - Pseudocode
Improved Golang string recognition in IDA 9.2 - Pseudocode

  • Now we have two different Golang calling conventions:

    • CM_CC_GOSTK - stack ABI: default for old apps (Golang version < 1.17)

    • CM_CC_GOLANG - regabi: default for newer apps

    • For old databases (prior to IDA 9.2) we preserve the old behaviour: CM_CC_GOLANG is the stack ABI for old Go apps (Go version < 1.17) and regabi for the newer ones.

Unused dummy arguments in IDA 9.1
__gostk functions recognition in IDA 9.2

Multiple Names as Comments

  • When multiple names are discovered for the same address, they are shown as comments. This behavior existed before, but we extended the list of supported file formats from which multiple names are recovered.

Multiple Names

Deobfuscation

  • New algorithm backing Goomba's MBA Deobfuscation

  • Simplify away non-satisfiable cases in switch statements (limited by config variable OPT_VALRNG_SWITCH_NCASES)

IDA Feeds

  • Recover more Rust compiler versions from binaries

IDAlib

  • Pass down IDA command line arguments in open_database

  • Do not pollute file history when opening files with IDAlib

  • Bugfix: Debugging in VS Code

API

  • New event: idb_event::local_type_renamed

  • New event: hexrays_event_t::hxe_mba_maturity

  • New convenience function extend_sign_bits()

  • pro: added a new bit function bitcountr_zero() (like in C++20)

  • IDAPython: provide compiled_binpat_vec_t.parse

Deprecated APIs

  • Deprecate hook_to_notification_point()

Misc

  • ui: Made 'Cancel' the default button in the 'Send database' dialog

  • ui: Added confirmation on public Lumina metadata push

  • ui: add actions to control font size

  • ui: add standard ZoomIn shortcut for font increase

  • pdb: added more wait boxes

  • ui: AUTO_CLOSE_MSGBOX gui configuration option (useful for long-running operations)

  • DWARF: support DWARF5 debug info in Mach-O binaries

  • pe: ldr: add new IMAGE_LOAD_CONFIG_DIRECTORY member

Security Fixes

  • Remote Code Execution via Debugger Attachment

  • Format string vulnerability in pdbparser

BUGFIXES

  • vd: Mach-O: wrong segment name used with USE_SEG_PREFIXES=YES

  • ui: double-clicking/Enter on the header of a type wouldn't open the editor

  • ui: double-clicking/Enter on a structure member name wouldn't offer to rename it

  • ui: fix macOS drag&drop under SHOW_BANNER=NO

  • ui: do not suggest shortcut migration

  • kernel: fixed regarg comments for an argument in a register pair in big-endian MIPS

  • idc: wrong enum flag was returned for the character representation of constants

  • gdb: avoid usage of already freed memory

  • kernel: now append_cmt() respects the repeatable flag for the function start

  • kernel: fixed handling of the special Go assembler characters

Known Issues

  • Mac installers are not yet notarized

  • Linux: crash on Wayland when trying to dock a floating window

  • Mac: missing custom Dock Menu, warning about "missing call to 'qt_mac_set_dock_menu'"

  • Mac: missing Dock Tile, warning about "IDAMainWindow::maybeUpdateDockTile()"

  • Mac: warning about "known incorrect sRGB profile"

  • Mac: rare crash on Exit; backtraces welcome!
