IDA 9.2 Beta

Welcome to the IDA 9.2 Beta Release, and thank you to all our beta testers for joining us! Below are the key highlights and changes introduced in this beta version. Prefer a quick overview? Watch the IDA 9.2 Beta Highlights video.

New in Beta 2

Based on the feedback collected during the Beta 1, we’re releasing an improved Beta 2 of IDA 9.2. While we've addressed as many reported issues as possible, some problems remain unresolved. Before submitting a new bug report, please review the existing issues assigned to features or listed under other known issues.

Improved Stack Frame Analysis of 32-bit ARM Code

• Added support of STMIA pseudo-instructions. For example, STM at DE6 is used to store R1-R3 at the frame top (space was allocated by the SUB at DD4).

  Copy

  00000DD4 000 SUB     SP, SP, #0xC   ; PROLOG
  00000DD6 00C PUSH    {R4-R7,LR}     ; PROLOG
  00000DD8 020 ADD     R7, SP, #0xC   ; PROLOG
  00000DDA 020 PUSH.W  {R8,R10} ; PROLOG
  00000DDE 028 SUB     SP, SP, #0x34  ; PROLOG
  00000DE0 05C MOV     R4, R0
  00000DE2 05C ADD     R0, SP, #0x34+varg_r1
  00000DE4 05C LDR     R6, [SP,#0x34+arg_4]
  00000DE6 05C STM.W   R0, {R1-R3}    ; PROLOG

• Improved detection of non-PROLOG instructions. For example, PUSH at B910 and B91C are not prolog instructions, because R12 is not a callee-saved register.

  Copy

  0000B910 000 PUSH    {R12}
  0000B914 004 LDR     R12, =(off_C1A4 - 0xB920)
  0000B918 004 ADD     R12, PC, R12 ; off_C1A4
  0000B91C 004 PUSH    {R12}

• Improved frregs and fpd.

These updates lead to more accurate decompilation results.

Decompiler

• Rather than creating extra variable and assigning the result expression right before returning, directly return the expression.

• New decompiler action:

  • "Show all call decompilations". Right-click any function call in the decompiler, and select this option to open a window displaying all decompiled call sites to the selected function.

TriCore

• Added chipset definitions for: tc1762, tc1764, tc1782, tc1784, tc1792, tc1791, tc1793, tc1798

• Added generic devices: tc1xxx, tc2xxx, tc3xxx, tc4xxx

• The .cfg file format now supports folders (e.g., tc1xxx/tc1762), allowing for better organization of chipset definitions. Additionally, multiple devices that have the same parameters can now be defined in a single line, e.g., tc1791,tc1793,tc1798.

Microcode Viewer

• New widget displaying the decompiler microcode at arbitrary maturity levels

• Displays micro instructions, block types, control flow transfers, and use-def chains

• Syncable with Disassembly, Pseudocode, and other Microcode Viewer widgets

Shortcuts and controls

• Invocable by Ctrl + Shift + F8

• Increase maturity level with >

• Decrease maturity level with <

Known issues

• Selection misbehaves

Unified Location History

• History sharing now also includes the Stack View. This change revealed a known issue where ESC doesn't consistently work in all cases.

• Moved "Enable history sharing" to Options → General → Browser instead of Misc

• Widgets can now sync with history sharing enabled. The current widget automatically moves to a non-shared history stack during sync and rejoins shared history when un-synced.

Xref Tree

• Performance optimizations with large trees

• Made all columns respect font size

• Improved focus management:

  • Focus is put on the tree when the widget opens

  • When switching to the Xref Tree window, the last child widget that had focus will receive focus

  • Root item is preselected

• Section headers use keyword color for better readability

• Fixed occasional crash on exit

• Xref Tree can collect "References To" for data items

• If no name is present in the IDB for an item, generate a fallback one (off_...)

• Reference jumping and cycling mechanism has been reworked:

  • (Shift +)F10 has been removed

  • Enter/double-click automatically cycles on repeated triggers

  • By default, Enter will update the previous IDA View to the location that was selected but keep focus in the tree to let the user cycle or select another location

  • The "Change Focus" option was added for testing purposes. It modifies the behavior of Enter to "Jump" to the location that was selected in the previous IDA View (just like "Jump to xref")

Known issues

• It is not possible to jump to references gathered for data items

• Double-clicking on the root node doesn't behave as expected

• Double-clicking on section headers (e.g. "References To") continues cycling

• "Allow Duplicates" doesn't seem to have an impact on "References To"

• Position of widget is not preserved across sessions

• The tree's information density is not high enough

• Some references to items that aren't heads may have incorrect names (e.g. SUB_...)

• Xref Tree is not available from Pseudocode views

Jump Anywhere

• Fixed broken support for address expressions

• Action has been renamed from JumpToAnywhere to JumpAnywhere

  • Users who used the "Feature Flags" dialog to remap it will have to go through that manipulation again

• A Preview pane is displayed on the right-hand side of the dialog that corresponds to the entry that is currently selected

  • This can be disabled in the "Feature flags" dialog

Known issues

• JumpAnywhere window appears to blink during search

• Indexer may not be up to date with type information

• Preview pane isn't correct for first entry (interpreted as address expression)

• macOS: using Up or Down will move cursor to Begin/End of input

Xref Graph

• Xref Graph window title prefixed with 'Xref Graph: '

• Selected initial node on graph creation

• Fix plugin dialog shortcuts & focus

• Removed default shortcut

  • Recommending to invoke Xref Graph using "Xrefs graph [to|from]..."

Known issues

• Slow layout on large graphs

• Actions presented in context menu may not be up to date with selection

• Not preloading OpenGL seems to make IDA crash on exit if Xref Graph was used; please set $IDA_PRELOAD_OPENGL if you wish to use Xref Graph with Beta 2

New Parser

• Renamed the parser names to more descriptive: default → legacy, clang → old_clang, future → clang. For this Beta 2 release,legacy remains the default. The default will switch to clang in one of the upcoming releases.

• The parser name is taken from ida.cfg instead of the registry. See the TYPE_PARSER option.

• The following functions have been added to the ida_srclang Python module:

  • parse_decls_with_parser_ext(parser_name: str, til: 'til_t', input: str, hti_flags: int) -> int

  • get_parser_option(parser_name: str, option_name: str) ->str

  • set_parser_option(parser_name: str, option_name: str, option_value: str) -> bool

Golang

• Added recognition of Golang-specific inlined memcpy/memset patterns in the MIPS and RISC-V decompiler.

Other Bugfixes since Beta 1

• Xref Graph: added plugin to Home edition

• Linux/Wayland: now bundles libqt-plugin-wayland-egl.so

• Decompiler (PC):

  • fixed issue where splitting assignments made using xmm instructions was not working

  • improved recognition of shifts performed via combination of cvtsi128 and srli

• Decompiler: Fixed crash when editing the prototype of an imported function

• Golang:

  • fixed built-in declarations

  • added recognition of inlined for inlined memcpy/memset on riscv and mips

• Parser:

  • now allows specifying only the argument type when editing a function argument

  • fixed missing calling convention in pointer to function

  • Resolved handling of qualified names when using __shifted()

  • fixed incorrect treatment of __hidden as a simple annotation

  • fixed parsing failure when an argument was named this

• Types: fixed issue where method tinfo_t::expand_udm() was spoiling the type

• CFG (idagui): increase output scrollback to 128k lines

• Function prototype editor: Fixed issue where the default prototype was ignored by IDA

• DWARF: improved handling of stkvars

• Mac: fixed missing Dock Tile (when multiple IDA instances are open)

• Fixed ICC profile of collapsible icon (used to produce warnings in libpng)

• Not preloading QOpenGL (causes issues on older Windows 10 and Windows on ARM systems

  • set $IDA_PRELOAD_OPENGL to preload anyway

Other known issues

• Linux: crash on Wayland when trying to dock a floating window

• Mac: missing custom Dock Menu, warning about "missing call to 'qt_mac_set_dock_menu'"

• Mac: hangs on macOS 26 beta 3

• Mac: SHOW_BANNER=NO can cause crash when opening files

• Qt: light/dark theme rendering issues

• Qt: sluggish UI when scrolling in some listings (e.g. local types)

• Feature Flags: overriding 'G' shortcut will also disable that shortcut in earlier versions of IDA

• "Copy full type(s)" in Function Prototype editor available and will fail

UI Improvements

Jump Anywhere

• Jump Anywhere is a new dialog created to simplify quick jumps to locations anywhere in the IDB. It is envisioned to become the successor of the JumpAsk ("Jump to address...", bound to the G key) dialog.

• It can be opened via the JumpAnywhere action that is bound to Ctrl + Alt + F (CMD + Alt + F on macOS) by default. A checkbox was also added in the (new) Feature flags dialog (Options → Feature flags...) to quickly map/unmap JumpAnywhere to the G key.

• Currently we index functions, local types, names, segments, later we plan to introduce a public API, allowing users to extend the index, querying it, and much more.

• For now the dialog is fairly simple: it presents an input box where the user can type in a name and below that a list of search matches is populated.

• The list can be navigated using arrow keys. Pressing Enter jumps to the currently selected entry.

• If the user input is interpretable as an address expression, a result entry for the corresponding destination will appear at the top of the search result list.

• The behavior of the dialog can be changed in idagui.cfg to your preference:

//-------------------------------------------------------------------------
//      Jump anywhere parameters (requires ENABLE_INDEXER = YES in ida.cfg)
//-------------------------------------------------------------------------

#ifdef __QT__
JUMP_ANYWHERE_MAX_RESULTS = 10000  // maximum number of search results (0 = no limit)
#endif

Disabling of the indexer is possible in ida.cfg, by setting ENABLE_INDEXER = NO, this may be useful if you use IDA in headless mode (eliminating the small overhead of building & maintaining the index).

Future plans

• We would like to support fuzzy string matching in JumpAnywhere

• We will also add a preview pane inside of the dialog to provide context about the entry that is currently selected.

Unified Location History

• Global history stack across multiple widgets. Addresses issues like:

  • double clicking on a static variable switching to disassembly view, but ESC would not navigate back to Pseudocode

  • double clicking on a type or stack variable would "trap" navigation with no easy way to return back to the origin

• Activated automatically for Disassembly, Pseudocode, Local Types, and Stack. Old behavior can be re-instantiated by disabling "Enable history sharing in Options → General → Browser.

New Debugger Regs Widget

• New register widget for the debugger. It applies coloring, dereferences pointers, and in general tries to be smart about register values. This behavior can be controlled via the context menu.

Autocompletion for Types in Local Types

• Autocompletion when editing/creating types in Local Types via the free text editor.

• Either automatically triggered when typing, or manually invoked using Ctrl + Space.

• When adding a new type in the "C syntax" tab, autocompletion is available.

• Autocompletion uses the existing types in the database and C/C++ keywords (such as "struct", "int"...).

• Simply start typing the beginning of the desired type name and a list of completions will appear, they can be navigate using arrow keys.

• Additionally, a very useful hint will appear on the side to provide more context about the suggested type, allowing you to distinguish between "foobar1", "foobar2" or even "FooBar".

• If autocompletion suggestions are in your way, you can discard them by pressing Esc.

• It is also possible to deliberately request to show completions at any moment using Ctrl + Space (the ForceTypesAutoCompl action, the shortcut is configurable).

• We also added automatic completion of curly braces and auto-indentation: when entering '{', '}' will be automatically added, and between them an empty line with an indentation.

• After working with older builds that lacked autocompletion, we were reminded how much easier editing types is with it. It's one of those things you only truly appreciate once it's gone. If for one reason or another you're not keen on autocompletion, you can disable it partially or fully: Options → General... → Misc. At the bottom of that page you will find a group of settings "Types autocompletion":

  • Enable autocomplete for types — enables or disables the entire mechanism. If you uncheck the box, the behavior will not differ from previous versions. Enabled by default.

  • Case sensitive — changes case sensitivity. If you check the box, then, for example, the "f" prefix will show "foobar", but not "Foobar". Disabled by default.

  • Enable autocomplete for curly braces — enables or disables autocompletion of curly braces and indents. Enabled by default.

  • Enable type hints — enables or disables hints when choosing a type from suggestions during autocompletion. Enabled by default.

Xref Graph

• New widget graphically displaying inter-function relationships (code and data).

• Replaces the following widgets / actions / tools:

  • Qwingraph

  • Xrefs graph from ... (function name context menu)

  • Xrefs graph to ... (function name context menu)

  • Function call graph

  • User call graph

• The graph gathers a set of nodes connected by xrefs. For now the nodes are laid out using a force-directed approach.

• The controls are quite simple:

  • dragging nodes around moves them

  • clicking and dragging around the graph pans around (holding the Shift key will pan without unintentionally grabbing a node)

  • holding Ctrl/CMD while scrolling will zoom in/out

  • double-clicking on a node will jump to the corresponding item in an IDAView

  • nodes can be added to/remove from the graph using right-click on a node (e.g. "Add xrefs from node")

• The layout mechanism can be played/paused using the Space key.

Xref Tree

• New widget textually displaying inter-function relationships (code and data).

• New widget enabling textual, interactive, non-modal traversing of xrefs to provide a better overview of the function call hierarchies and data references. This view complements, and will eventually be tightly integrated with, the new xref graph and xrefs in general.

• Replaces the following widgets:

  • Function Calls

  • Cross References

• The tree shows both references to and from the current function, in a fashion similar to call hierarchy views in IDEs. Both code and data references are displayed.

• The tree is non-modal and there can be multiple instances of it open at the same time, each displaying a different function. The tree state is not preserved between sessions.

• The tree nodes are lazily loaded, and the tree is updated in real-time as the user navigates. Any changes to function and object names are reflected in the tree.

• It is possible to make the tree synchronize with the current IDA View, by checking the "Sync" checkbox.

• Some unnecessary functions can be filtered out, by checking the "Add filter" button, or by using the Ctrl + F shortcut (Ctrl + Shift + F to remove the filter).

• By default the tree displays function names in simplified form, such as main(argc, argv) instead of int main(int argc, char **argv). This can be changed by unchecking the "Simplified view" checkbox.

• The tree can be navigated with mouse and keyboard, using the common cursor keys.

• If there are multiple xrefs to the same function, they are deduplicated by default. This can be changed by checking the "Allow Duplicates" checkbox.

Access and shortcuts

• It is accessible via:

  • View → Open Subview → Cross References Tree,

  • The Command Palette (action name: OpenXrefsTree),

  • Shift + X on any function or address with incoming/outgoing Xrefs

• One can press F10/Shift + F10 to cycle through the xrefs to the currently selected function.

IDA is now running on Qt6

• We provide shims to make sure plugins written for Qt5 remain operational.

Actions for font size controls

• Available under the View menu, the "Increase|Decrease|Reset Font size" actions let the user directly control the font size of the (family of) the widget they're currently using.

• Previously users had to open the font selection dialog ("Font...") to adjust the size of fonts.

• The actions have been mapped to Ctrl + +, Ctrl + =, Ctrl + - and Ctrl + 0, respectively (CMD on macOS).

Feature Flags Dialog

• New dialog enabling/disabling experimental features

• Can be opened via Options → Feature Flags

• Currently only allows to quick map the new "Jump to Anywhere" feature to the G hotkey

Sunsetting idat's Terminal Interface

• As of this release, idat does not support interactive mode anymore (read: the TUI is gone!)

• Batch mode processing is still available (and will stay), so infrastructure relying on batch processing still works

Architecture Support

ARM

• Instruction set extensions:

  • ARMv8.7-A: FEAT_WFxT Extension (fixes most recent Apple SPTMs)

  • ARMv8.7-A: FEAT_xNS Extension (fixes most recent Apple SPTMs)

  • Low Overhead Branch Extensions

  • Custom Datapath Extension

• Load ARM64EC Windows COFF files (ARM64EC PE support pending)

• Speed improvements of the internal register tracking logic

• FLIRT:

  • ARMv8 support for pmacho

  • pcf: New option -f to filter for ARM64EC/ARM64 objects in Windows COFF files (supports any COFF OBJ magic.)

  • pcf: Fix processing of ARM64 relocations

  • properly emit and consume ARMv7 THUMB bits in PAT files

MIPS

• Added support for O64 ABI

RH850

• Support more relocation types

• Make TP, GP, CALLT registers user-assignable global registers

• Many small improvements in macro building

RISCV

• Dramatically improved function discovery

• Recognition of table based switch constructs making use of THEAD instructions

TriCore

Support for TC4x (TC1.8) instructions

50+ new instructions from the TC1.8 architecture are now fully supported in the disassembler. This includes double-precision FPU instructions, virtualization instructions, and new Q (quad-sized) registers.

Make A0, A1, A8, A9 user-specifiable global registers

Support for setting global address registers (A0, A1, A8, A9) as segment registers. TriCore uses these registers for global address computation, typically via GP-relative access. By configuring them via Edit → Segments (or Alt + G), you help IDA resolve memory references more accurately.

New chipset definitions

• Added support for new chipsets: tc1765, tc1724, tc1728, tc1130, tc1762, tc1764, tc1782, tc1784, tc1791, tc1792, tc1793, tc1798.

• Improved existing chipsets definitions.

• Added generic devices: tc1xxx, tc2xxx, tc3xxx, tc4xxx.

These chipsets are used across the automotive and railway industries, including real-world train firmware.

TMS320

• Support 32bit SIMD instructions (tms320c6)

Type System

New Parser

There are 3 parsers currently available:

1. legacy - old internal IDA parser (will become obsolete)

2. old_clang - previous parser based on clang

3. clang - new parser based on clang's libtooling llvm-20.1.0 (will become a default one with one of the next releases)

Using the parser

You can switch between them by tweaking the Options → Compiler... options settings.

Additionally, you can use the -Oclang:on command line switch to activate the new parser in IDA, or set the IDA_CLANG_PARSER environment variable to 1. To activate the new parser in tilib, pass the -IC command line switch. You may also pass additional arguments down to clang using -CT(e.g. -CT-target -CTx86_64-pc-linux).

The clang parser is fully migrated to clang's libtooling, and it unifies all type parsing done by IDA into a single backend. This means that the same parser will be used in the type editor, in idaclang and in tilib.

A convenient way to tweak the new parser is via the "Parser specific options" dialog.

You may set defaults for these options and check their documentation in idaclang.cfg.

Python API

Using the parser from the Python API can be done via the ida_srclang module.

import ida_srclang

argv = [ "-target x86_64-apple-darwin-macho",
         "-x c++",
         "-std=c++17",
         "-Werror",
         "-Wno-incompatible-sysroot",
       ]
ida_srclang.set_parser_argv("clang", " ".join(argv)) 

ida_srclang.set_parser_option("clang", "CLANG_SMART_POINTERS", "OSSharedPtr")
ida_srclang.parse_decls_with_parser_ext("clang", None, "header_file.h", idaapi.HTI_FIL)

For example, the new parser can be used to parse C++ templates:

struct std::char_traits<char>
{
};

Note that two new HTI flags are available in ida_typeinf:

• HTI_SEMICOLON: do not complain if the terminated semicolon is absent

• HTI_STANDALONE: should parse standalone declaration, which may contain qualified names and type names (IDA-Pro specific declaration)

Backwards Compatibility

There are two approaches to define a __usercall:

1. int __usercall f<eax>(int *a<edx>[]) - obsolete

2. int __usercall f@<eax>(int *a@<edx>[]) - recommended way

Approach (1) is not supported by the new parser.

Tuples

• Added the notion of tuples (~structs where exact member allocation is ignored)

• Use via keyword __tuple

• Currently they behave as structs with a few differences:

  • two tuples having matching member are considered to be equal

  • tuples are returned from functions in a different manner

Disassembler/Decompiler Integration

• Disassembler automatically uses structure offsets found by the decompiler

• New analysis option: Copy xrefs found by decompiler to disassembler (disabled by default)

Major Golang Analysis Improvements

• Significant improvements of decompiling Golang code:

  • Fully support Golang's stack-based ABI for return values

  • Improved dataflow tracking / recognition of object copy operations

  • Improved string pool handling

  • Recognition of Golang compiler idioms:

    • runtime.convTnoptr, runtime.convT, runtime.growslice, runtime.makeslicecopy, runtime.duffcopy, runtime.duffzero

  • Better metadata parsing (FUNCDATA, PCLNTAB)

• Now we have two different Golang calling conventions:

  • CM_CC_GOSTK - stack abi: default for old apps (golang version < 1.17)

  • CM_CC_GOLANG - regabi: default one for newer apps

  • For old databases (prior to IDA 9.2) we preserve the old behavior: CM_CC_GOLANG is the stack abi for old Go apps (go version < 1.17) and regabi for the newer ones.

Multiple Names as Comments

• When multiple names are discovered for the same address, they are shown as comments. This behavior existed before, but we extended the list of supported file formats from which multiple names are recovered.

Deobfuscation

• New algorithm backing Goomba's MBA Deobfuscation

• Simplify away non-satisfiable cases in switch statements (limited by config variable OPT_VALRNG_SWITCH_NCASES)

IDA Feeds

• Recover more Rust compiler versions from binaries

IDAlib

• Pass down IDA command line arguments in open_database

• Do not pollute file history when opening files with IDAlib

• Bugfix: Debugging in VS Code

API

• New event: idb_event::local_type_renamed

• New event: hexrays_event_t::hxe_mba_maturity event

• New convenience function extend_sign_bits()

• pro: added a new bit function bitcountr_zero() (like in C++20)

• IDAPython: provide compiled_binpat_vec_t.parse

Deprecated APIs

• Deprecate hook_to_notification_point()

Watch what's new in IDA 9.2 Beta

Excited about what’s coming in IDA 9.2? Watch the feature overview based on the 9.2 Beta release on the All Things IDA channel.

Courtesy of Elias Bachaalany (@allthingsida)

Misc

• UI: made 'Cancel' button by default in 'Send database' dialog

• UI: added confirmation on public Lumina metadata push

• UI: add actions to control font size

• UI: add standard ZoomIn shortcut for font increase

• PDB: added more wait boxes during PDB loading, giving users a chance to cancel the process and return back to the UI

• UI: AUTO_CLOSE_MSGBOX gui configuration option (useful for long-running operations)

• DWARF: support DWARF5 debug info in Mach-O binaries

• PE (LDR): add new IMAGE_LOAD_CONFIG_DIRECTORY member

Security Fixes

• Remote Code Execution via Debugger Attachment

• Format string vulnerability in pdbparser

BUGFIXES

• VD: MACHO-O Wrong segment name used with USE_SEG_PREFIXES=YES

• UI: double-clicking/Enter on the header of a type, wouldn't open the editor

• UI: double-clicking/Enter on a structure member name, wouldn't offer to rename it

• UI: fix macOS drag&drop under SHOW_BANNER=NO

• UI: do not suggest shortcut migration

• Kernel: fixed regarg comments for an argument in the register pair in big endian MIPS

• IDC: wrong enum flag was returning for character representation of constants

• GDB: avoid usage of already freed memory

• Kernel: now append_cmt() respects the repeatable flag for the function start

• Kernel: fixed handling of the special Go assembler characters