# IDA 9.3 ![](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-3fc7f0f8929f3b668f5b73b97863424467dee618%2Fida9_3.png?alt=media) Welcome to the IDA 9.3 release highlights. You can get your 9.3 installers in the [Download Center](https://my.hex-rays.com/dashboard/download-center/installers/release) of My Hex-Rays portal. ## New V850 Decompiler IDA 9.3 introduces decompiler support for the Renesas V850 (aka NEC850 / RH850) architecture, a 32-bit RISC processor extensively used in automotive ECUs and industrial control systems. Both the modern RH850 ABI and the legacy GCC V850 ABI are supported. ![V850 Decompilation](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-bcbc5b804058a9b5096d21a489e59b39da4ccd1f%2Fv850_decompiler.png?alt=media) Beyond basic decompilation, the V850 module includes recognition of compiler-specific prolog/epilog helper functions, detection and hiding of padding instructions, proper handling of `callt`-invoked compiler helpers, and improved stack frame analysis. A wide range of low-level instructions are now decompiled including `BSW`, `BSH`, `HSW`, `HSH`, `MAC`, `MACU`, `ABF`, `SBF`, `CLIP*`, `SAT*`, `SASF`, `SCH[01][LR]`, `SYNC*`, `EI`/`DI`, `HALT`, `LDSR`/`STSR`, and more. ## Integrated IDA Teams {% hint style="info" %} Read more about the integrated Teams experience in the [IDA 9.3: Teams Moves Inside IDA](https://hex-rays.com/blog/ida-9.3-teams-moves-inside-ida) blog post. {% endhint %} The IDA Teams UI is now **built into stock IDA** — no separate application needed. Users with a Teams add-on can collaborate on reverse engineering projects directly from within IDA. ![Teams Integration](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-786dc03a0c8406ce41d9e6a0639bc5da370feb7c%2Fteams_integrated.png?alt=media) ![Teams Context Menu](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-651b0c3c6ab34b0276a15a7e79981b0606a8987b%2Fteams_context_menu.png?alt=media) * **New Teams top-level menu**: all major Teams functionalities and widgets are accessible directly from IDA's menu bar. * **Open remote files from Quick Start**: open files from the Hex-Rays Vault Server directly through the Quick Start dialog. * **HVUI discontinued**: the standalone HVUI application is no longer shipped. Its core functionality has been fully integrated into IDA. See the [Getting Started Guide](https://docs.hex-rays.com/user-guide/teams/getting-started) to get up and running with integrated Teams. ## Microcode Viewer The Microcode Viewer, introduced in IDA 9.2 as a read-only window into the decompiler's intermediate representation, evolves into a more interactive analysis tool in 9.3. ### Microcode Manipulation / Assertions You can now **delete instructions** and **add assertions**, to specify values for registers and local variables — directly steering the decompilation process. This is invaluable for dealing with obfuscated code or exploring "what if" scenarios during analysis. Take the following pseudocode: ``` int v7 = (*(__int64 (__fastcall **)(__int64 *, __int64, void *, __int64))(v6 + 1720))(v16, v10, &off_181378, 8); if ( v7 <= (int)((v13 | 0x975E3920) - (v13 & 0x975E3920)) ) return (v15 | 0x2A980899) - (v15 & 0x2A980899); else return (v14 | 0x1444A) - (v14 & 0x1444A); ``` From manual analysis of the context (not shown) we figure out ``` int v13 = 0x68A1C6DF; int v14 = 0x0000444C; int v15 = 0xD567F766; ``` We can inject the first constant into the decompiler in the microcode via the new `Insert assertion ...` context menu action: ![Microcode Manipulation](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-f336723ca7c95afe44ad3d0ad3e5aa605f69654d%2Fmicrocode_insert_assertion.png?alt=media) This simplifies the pseudocode to ``` if ( (*(int (__fastcall **)(__int64 *, __int64, void *, __int64))(v6 + 1720))(v15, v9, &off_181378, 8) <= -1 ) return (v14 | 0x2A980899) - (v14 & 0x2A980899); else return (v13 | 0x1444A) - (v13 & 0x1444A); ``` Injecting the other two values simplifies the entire sequence to the (more readable) ``` if ( (*(int (__fastcall **)(__int64 *, __int64, void *, __int64))(v6 + 1720))(v15, v9, &off_181378, 8) <= -1 ) return -1; else return 65542; ``` Similarly, instructions can be deleted from the generated microcode. Deleting control flow instructions automatically repairs the CFG (up to `MMAT_GLBOPT3`) ### Microcode Graphs The viewer can now render **microcode flow graphs** and give insights into **structural analysis**. These graphical views make it easier to follow control flow through the decompiler's intermediate representation — especially when investigating how the decompiler processes complex constructs like nested loops, switch statements, or obfuscated control flow. ### Display Def-Use / Use-Def Chains A new **"Display chains"** action visualizes register and variable use-def and def-use chains — the connections between where a value is defined and where it is consumed and vice-versa. This is particularly useful for understanding how the decompiler tracks data flow across basic blocks. ### Display Modes New toggleable display modes give deeper visibility into the decompiler's internals: * **EA Prefix Display**: optionally show effective addresses between instruction numbers and mnemonics Default (off): ``` 1. 1 mov esp.4, ebp.4 ; 804ABA2 u=esp.4 d=ebp.4 ``` After toggle (on): ``` 1. 1 804ABA2 mov esp.4, ebp.4 ; 804ABA2 u=esp.4 d=ebp.4 ``` * **Compact / Detailed View**: toggle between a dense view (no block headers, no `USE`/`DEF`/`DNU` annotations) and the full detailed view * **Value Numbers**: display [GVN](https://en.wikipedia.org/wiki/Value_numbering) identifiers showing SSA value equivalence across microcode operands (e.g., `rax.8{5}` and `r8.8{5}` share the same value) * **Number Origins**: reveal where constants originate (e.g., `#3.8` becomes `#3@3B0A.8`, pointing back to the original `cmp rax, 3` instruction) * **Display Local Types**: opens a window showing types used during decompilation ### Other Microcode Viewer Improvements * **Undo support**: instruction deletions and comments are fully undoable * **Xref support**: navigate to cross-references directly from the microcode view * **Desktop save/restore**: the viewer state is preserved across IDA sessions * **Persistent preferences**: display toggles (compact/detailed, value numbers, etc.) are remembered across invocations * **`Tab` to disassembly**: press `Tab` to jump to the corresponding disassembly, just like in pseudocode * **"Highest maturity level" action**: jump directly to the final optimization stage * **`Del` shortcut**: quick delete/restore instruction toggle ## Objective-C Parser IDA 9.3 introduces a parser for Objective-C header files inside IDA, streamlining a common workflow in iOS and macOS reverse engineering. Feed it `@interface`, `@protocol`, and `@property` declarations, and IDA produces the corresponding C types and method prototypes — including auto-generated property accessors, protocol method implementations, and category extensions. This eliminates the tedious manual translation of Objective-C headers into IDA-compatible type definitions. To enable Objective-C parsing switch to the llvm-backed parser in `Options` -> `Compiler` -> `Source parser` -> `clang` and select `Objective-C[++]` in the Parser specific options. ![Objective-C Parser](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-356c16f8d9e3d4b39cc760194cb1b899aa77e9ec%2Fobjc_local_types.png?alt=media) ## Andes Andestar V3 (NDS32) IDA 9.3 introduces a processor module for the **Andes Andestar V3 NDS32** architecture — a 32-bit RISC ISA featuring mixed 16-/32-bit instructions optimized for power and code density. Widely deployed in IoT devices, microcontrollers, wearables, storage controllers, and drones, NDS32 firmware can now be analyzed natively in IDA. ![NDS32 Disassembly](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-923691bb71beb4ae1ca8d9d1e4f4814224a7ddd1%2Fnds32.png?alt=media) Key capabilities: * GP-relative addressing with automatic data reference creation * Stack pointer tracing with `push25`/`pop25` and `smw`/`lmw` (store/load multiple word) prolog/epilog recognition * Extension instruction decoding: DSP, SIMD, ZOL (Zero-Overhead Loop), FPU, and coprocessor * Extensive switch pattern detection * `noreturn` analysis * `ex9.it` instruction resolution from the `$itb` system register table (linker relaxation) * Configurable options for encoding variants, register prefixes, macros, and GP values ## Native Linux ARM64 Build IDA 9.3 now ships as a native Linux ARM64 build, requiring **glibc 2.28** or newer (Debian 10 / Ubuntu 20.04 / RHEL 8+). The C++ SDK does not yet include the static libraries needed to link plugins on this platform — those are planned for a future release. Local debuggers are also not yet included. And yes, we've seen your efforts trying to run IDA via convoluted setups on Android phones — we won't ask why. ![IDA running natively on Linux ARM64](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-146adf392a4c3c42fd80ae7042c47b218bf9963a%2Farm64_linux.png?alt=media) ## More Responsive Tabular Views Working with large databases often means working with large lists — hundreds of thousands of functions, names, or types. In IDA 9.2, operations on these widgets could become frustratingly slow, particularly when dealing with large selections or filtering. IDA 9.3 delivers a [first round of targeted performance improvements](https://hex-rays.com/blog/ida-9.3-more-responsive-tabular-views) that make everyday interactions noticeably snappier: * Widgets exposing tabular data — Functions, Names, Local Types, Bookmarks, Imports, Breakpoints — behave considerably better with large datasets * Search operations are now much snappier for widgets with 100k+ entries * Sorting and filtering (`Ctrl`+`F`) have been improved Further performance optimizations are planned, so stay tuned! *** ## Decompiler {% hint style="info" %} Read more about the decompiler improvements in the [IDA 9.3: Expands Decompiler Lineup](https://hex-rays.com/blog/ida-9.3-expands-decompiler-lineup) blog post. {% endhint %} ### Stock Comments Manage reusable comments in the decompiler. Create, edit, and quickly apply frequently-used comments to pseudocode without retyping. Comments are organized by most-recently-used order — useful for documenting repetitive patterns like inlined C++ operations (e.g., `std::string` manipulations). ### Value Range Optimization The analysis of conditionals now includes enhanced value range tracking. For instance, in a conditional such as `(unsigned int)(a2 - 1) <= 5`, IDA can now determine that `a2` falls within the interval `[1, 6]`, allowing it to simplify or eliminate redundant subsequent checks: ```c if ( (unsigned int)v7 >= 0xA000 ) { ... if ( (unsigned int)(v7 - 0x1000) > 0x1000 ) { ``` The second `if` statement is now correctly discarded since its condition is always true given the outer condition. ### Fine-Grained Assignment Propagation Control A new **"Forbid assignment propagation"** option, available from the decompiler's context menu, gives analysts precise control over which assignments the decompiler is allowed to inline, improving readability in cases where automatic propagation produces overly complex expressions. ### "Decompile All" in IDA Home & IDA Pro Essential The "Decompile all" functionality is now available in IDA Home and IDA Pro Essential editions. *** ## Type System {% hint style="info" %} Read more about the type system improvements in the [IDA 9.3: Type System Improvements](https://hex-rays.com/blog/ida-9.3-type-system-improvements) blog post. {% endhint %} ### Create C Header File: Inline Anonymous Types When exporting types to C header files, IDA previously created intermediate anonymous types with hash-based names. The new **"Ignore IDA anonymous types"** option inlines these types directly into the parent structure, producing cleaner and more portable output. **Before (anonymous types exported separately):** ```c union test::$161DE73CEC70B46D2147F48043C58578 { a a; b b; }; struct test { test::$161DE73CEC70B46D2147F48043C58578; }; ``` **After (anonymous types inlined):** ```c struct test { union { a a; b b; }; }; ``` This also handles nested inline structures correctly. ### Fixed Struct Support: Complete Import/Export Roundtrip IDA 9.3 introduces `__fixed` and `__at` attributes for structures with explicit field offsets, enabling **complete roundtripping** of type export and import. Previously, types with explicit offsets (like function stack frames) could be exported to C headers but not re-imported — the offset information was lost. Now IDA-generated headers are fully re-parsable. **New syntax:** * `__fixed(size)` — declares a struct with explicit total size * `__at(offset)` — specifies exact byte offset for a field * `__at(offset, bit)` — specifies offset with bit-level precision for bitfields **Example — function stack frame:** ```c struct __fixed(0x48) x64_prologue_frame { __at(0x0000) void *return_addr; __at(0x0008) void *saved_rbp; __at(0x0010) void *saved_rbx; __at(0x0018) void *saved_r12; __at(0x0020) void *saved_r13; __at(0x0028) void *saved_r14; __at(0x0030) void *saved_r15; __at(0x0038) int local_var1; __at(0x003C) int local_var2; __at(0x0040) void *local_ptr; }; ``` **Example — packed embedded structure (unaligned fields):** ```c struct __fixed(0x20) packed_frame { __at(0x0000) char header; __at(0x0001) __int16 flags; __at(0x0003) int sequence; __at(0x0007) char payload[16]; __at(0x0017) char checksum; __at(0x0018) void *next; }; ``` ### Improved Golang Type Recovery Golang type recovery sees significant improvements affecting both the accuracy and organization of recovered types. **Full package paths in type names** eliminate ambiguity between identically-named types from different packages: | Before (9.2) | After (9.3) | | -------------------- | ------------------------------------ | | `RTYPE_atomic_Value` | `RTYPE_sync_atomic_Value` | | `RTYPE_cpu_x86` | `RTYPE_internal_cpu_x86` | | `RTYPE_sys_Uintreg` | `RTYPE_runtime_internal_sys_Uintreg` | | `RTYPE_poll_FD` | `RTYPE_internal_poll_FD` | ![Golang Type Names: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-07820ea61ed2490f25ff246b9d116ea82057919a%2Fgolang_type_names_before.png?alt=media) ![Golang Type Names: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-7545780b376d5abaa27eaca5fce790ac0ca9376f%2Fgolang_type_names_after.png?alt=media) **Hierarchical type library organization** now arranges types in folders matching Go package paths, making navigation much more intuitive: ``` /golang/runtime/internal/atomic/runtime_internal_atomic_Uint32 /golang/syscall/syscall_Iovec /golang/internal/poll/internal_poll_FD /golang/fmt/fmt_Formatter /golang/reflect/reflect_Value ``` ![Golang Type Folders: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-0aeb10d43e8f6120eecd1b3307b7453a6688fbef%2Fgolang_type_folders_before.png?alt=media) ![Golang Type Folders: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-04f3298b2d3bb0fc50e2f571efbcb7e9e5158814%2Fgolang_type_folders_after.png?alt=media) Additional improvements include better FUNCINFO and Go version detection, replacement of the internal `BUILTIN_STRING` type with the standard Go `string` type, proper recognition of many standard Go types without the `struct` prefix, and improved handling of return types for anonymous functions in DWARF debug info. ![Golang Decompilation: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-8fb29eb254301211d22e857ddf966f93f0916864%2Fgolang_decompilation_before.png?alt=media) ![Golang Decompilation: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-c56c4a7c4065abc74649e551a9a2fbae58d79215%2Fgolang_decompilation_after.png?alt=media) ### Other Type System Changes * Typedefs to anonymous UDTs are now printed properly, and DWARF debug info no longer produces unnecessary pointer-to-anonymous-UDT patterns * The legacy **"Parse declarations"** dialog has been removed. Since IDA 9.2, the "Add type" editor in Local Types supports adding multiple types at once with syntax highlighting and autocompletion, making the old plain-text dialog redundant * The clang-based type parser now has **Print AST** and **Dump AST** options (under `Options` → `Compiler` → `Parser specific options`). "Print AST" outputs a C-like pretty-printed representation of the parsed declarations, while "Dump AST" outputs the raw Clang AST tree — useful for diagnosing parsing issues or understanding how IDA interprets complex type declarations *** ## Architecture Support {% hint style="info" %} Read more about the new and improved processor modules in the [IDA 9.3: Disassemblers Aplenty](https://hex-rays.com/blog/ida-9.3-disassemblers-aplenty) blog post. {% endhint %} ### ARM64 #### SVE/SME Instructions for Apple Silicon Kernels IDA 9.3 can now decode Scalable Vector Extension (SVE) and Scalable Matrix Extension (SME) instructions found in Apple's latest kernels. These instructions were previously shown as raw bytes or undefined opcodes. ```asm __text:FFFFFE00082434E4 STR Z0, [X2] __text:FFFFFE00082434E8 STR Z1, [X2,#1,MUL VL] __text:FFFFFE00082434EC STR Z2, [X2,#2,MUL VL] __text:FFFFFE00082434F0 STR Z3, [X2,#3,MUL VL] ... __text:FFFFFE00082AFF48 UZP1 V0.4S, V0.4S, V1.4S __text:FFFFFE0008240118 ZIP1 V2.4S, V2.4S, V2.4S ``` #### Memory Tagging Extension (MTE) Intrinsics The decompiler now produces clean intrinsic calls for ARM Memory Tagging Extension instructions, replacing inline assembly blocks. MTE is used in iOS 18+ and Android for hardware-enforced memory safety. **Before (9.2) — inline assembly:** ```c __int64 __fastcall create_tag(__int64 _X0, unsigned int a2) { __int64 result; _X8 = a2; __asm { IRG X0, X0, X8 } return result; } __int64 __fastcall get_tag1(__int64 _X0) { __int64 result; __asm { LDG X0, [X0] } return result; } ``` **After (9.3) - intrinsics:** ```c void *__fastcall create_tag(void *a1, unsigned int a2) { return __arm_mte_create_random_tag(a1, a2); } void *__fastcall get_tag1(void *a1) { return __arm_mte_get_tag(a1); } ``` The full set of supported MTE intrinsics: | Instruction | Intrinsic | Description | | ----------- | ---------------------------------------- | -------------------------------- | | `IRG` | `__arm_mte_create_random_tag(ptr, mask)` | Create random tag | | `ADDG` | `__arm_mte_increment_tag(ptr, offset)` | Increment tag value | | `GMI` | `__arm_mte_exclude_tag(ptr, excluded)` | Get excluded tag mask | | `LDG` | `__arm_mte_get_tag(ptr)` | Load allocation tag | | `STG` | `__arm_mte_set_tag(ptr)` | Store allocation tag | | `SUBP` | `__arm_mte_ptrdiff(a, b)` | Pointer difference ignoring tags | #### NEON Cryptography and Math Intrinsics New decompiler intrinsics for ARMv8.2 `AES`, `SHA1`, `SHA256`, `SHA512`, `SHA3` and ARMv8.1 `SQRDMX` (Saturating Rounding Doubling Multiply Accumulate/Subtract) instructions replace inline assembly with readable intrinsic calls. In addition to recognizing the instructions, IDA now infers proper NEON vector types (`uint8x16_t`, `uint32x4_t`, `int16x4_t`, ...) instead of mapping SIMD registers to `long double` or `double`. **Before (9.2) - inline assembly:** ```c long double __fastcall aes_encrypt(long double a1) { _Q30 = a1; __asm { AESE V31.16B, V30.16B } return _Q31; } long double __fastcall sha256_hash(double a1, long double a2, long double a3) { _Q30 = a2; _Q29 = a3; __asm { SHA256H Q31, Q30, V29.4S } return _Q31; } ``` **After (9.3) — intrinsics, proper SIMD types:** ```c uint8x16_t __fastcall aes_encrypt(uint8x16_t a1, uint8x16_t a2) { return vaeseq_u8(a2, a1); } uint32x4_t __fastcall sha256_hash(uint32x4_t a1, uint32x4_t a2, uint32x4_t a3) { return vsha256hq_u32(a1, a2, a3); } ``` #### Common Short Sequence Compression (CSSC) Intrinsics The `CTZ`, `CNT`, `ABS`, `SMAX`, `SMIN`, `UMAX`, `UMIN` instructions from the ARMv8.7 `FEAT_CSSC` extension are now decoded in the disassembler and translated to their corresponding compiler intrinsics in the decompiler. **Disassembly:** ``` .text:90 test_all_cssc .text:90 ABS X3, X0 .text:94 SMAX X4, X0, X1 .text:98 SMIN X1, X0, X1 .text:9C CTZ X0, X2 .text:A0 CNT X5, X2 .text:A4 UMAX X2, X3, X2 .text:A8 UMIN X0, X0, X5 .text:AC ADD X2, X2, X0 .text:B0 ADD X0, X4, X1 .text:B4 ADD X0, X2, X0 .text:B8 RET ``` **Pseudocode:** ```c unsigned __int64 __fastcall test_all_cssc(unsigned __int64 a1, __int64 a2, unsigned __int64 a3) { return __umax(__abs(a1), a3) + __umin(__ctz(a3), __cnt(a3)) + __smax(a1, a2) + __smin(a1, a2); } ``` #### MOV/MOVK Address Construction The disassembler and decompiler now properly optimize ARM64 address construction from `MOV`/`MOVK`/`MOVW`/`MOVT` instruction sequences — even when scattered across non-adjacent instructions — producing proper cross references. ``` .text:000005FC MOV X8, #(WORD0(unk_16120)) .text:00000604 MOVK X8, #(WORD1(unk_16120)),LSL#16 .text:0000060C MOVK X8, #(WORD2(unk_16120)),LSL#32 .text:00000610 MOVK X8, #(WORD3(unk_16120)),LSL#48 ``` #### Minor ARM64 Improvements * Support for `MOVW_UABS_G[0-3]` AARCH64 relocations with custom reference handlers * Improved recognition of `__auth_stubs` sections (iOS PAC import trampolines) * Recognition of Branch Target Identification (BTI)-enabled ELF PLT stubs * Handling of new CSNEG-based switch patterns from iOS and macOS 26 * Detection of Objective-C stub padding (`brk #1` instructions) ### RISC-V * Added support for the Andes V5 performance extension (`XAndesPerf`, 29 instructions) in both disassembler and decompiler. The extension covers GP-relative loads/stores, bitfield extraction (`bfoz`/`bfos`), branch-on-bit-test (`bbc`/`bbs`), constant comparison branches (`beqc`/`bnec`), scaled LEA, and string search helpers (`ffb`/`ffmism`/`ffzmism`/`flmism`, translated to intrinsics in the decompiler). Andes instructions are prefixed by `nds.`, gp-relative accesses are resolved to symbolic names: ``` .text:00010094 load_gprel: .text:00010094 nds.lwgp a0, garr .text:00010098 nds.lwgp a5, gvar .text:0001009C add a0, a0, a5 .text:0001009E ret .text:000100A0 store_gprel: .text:000100A0 nds.swgp a0, gvar .text:000100A4 nds.swgp a0, garr .text:000100A8 ret .text:000100AC extract: .text:000100AC nds.bfoz a0, a0, 0Fh, 8 .text:000100B0 ret ``` * Instruction set extensions are now configurable in processor options (default is "all"). When multiple extensions are selected and IDA comes across an instruction with ambiguous encoding, a comment indicating the alternative decoding is added: ``` .text:0001171C nds.lbugp a5, quit ; alt XThead: th.ext ``` * Improved recognition of several `div`/`mod` patterns on 32-bit RISC-V in the decompiler * Added consistent xref computation for struct/enum members in all cases ### ARC The ARCv2 analysis sees improvements in IDA 9.3. Memory load/store operations with auto-increment/decrement are now recognized as **push/pop instructions**, making function prologues and epilogues easier to read and stack layout computation more accurate: **Before (9.2):** ```asm .start:01C001A6 FC 1C 08 B4 st.a r16, [sp,0xC+var_10] .start:01C001AA FC 1C 48 B4 st.a r17, [sp,0x10+var_14] .start:01C001AE FC 1C 88 B4 st.a r18, [sp,0x14+var_18] .start:01C001B2 FC 1C C8 B4 st.a r19, [sp,0x18+var_1C] .start:01C001B6 FC 1C 08 B5 st.a r20, [sp,0x1C+var_20] .start:01C001BA FC 1C 48 B5 st.a r21, [sp,0x20+var_24] .start:01C001BE FC 1C C8 B6 st.a fp, [sp,0x24+var_28] ``` **After (9.3):** ```asm .start:01C001A6 FC 1C 08 B4 push r16 .start:01C001AA FC 1C 48 B4 push r17 .start:01C001AE FC 1C 88 B4 push r18 .start:01C001B2 FC 1C C8 B4 push r19 .start:01C001B6 FC 1C 08 B5 push r20 .start:01C001BA FC 1C 48 B5 push r21 .start:01C001BE FC 1C C8 B6 push fp ``` Additional ARCv2 improvements: * Improved recognition of switch constructs using `bi`/`bih` instructions * Improved detection of prolog helper functions * Fixed decoding and printing of the `aex` instruction ### V850 In addition to the new decompiler, the V850 disassembler sees numerous improvements: * Recognition of compiler-specific prolog/epilog helper functions * Detection and hiding of padding instructions * Improved stack frame analysis for functions using compiler helpers * Detection of compiler helpers invoked via the `callt` instruction ### TriCore * Improved register finder for better cross-reference detection (the module now supports the `regfinder` API for querying constant run-time values of registers) * Enhanced detection of switch statements * Simplified extended register representation ### x86/x64 * Enabled following of indirect jumps where the target is known at analysis time * Added decoding of VIA Padlock instructions * Fixed MPX hintable NOP handling ### PowerPC * Improved LR recognition for Golang functions (including those with stack canary checks) * Updated stack pointer tracking after load/store for correct stack address resolution ### 80196 * Added support for 8061, 8065, and 8096 processor types ### Xtensa * Added xrefs for enums and structure members *** ## Loaders ### CLI/.NET * CLI metadata names are now applied to native code in mixed assemblies * Fixed several infinite loops and crashes with malformed .NET files * Resolved `MethodSpec` tokens (`0x2B`) * Added handling of the `ExtraData` field in metadata tables stream * Fixed loader failure when `FieldRVA` entry is missing for a field with `fdHasFieldRVA` flag ### Mach-O / Dyld Shared Cache * Faster reading of the local symbol table in shared caches * Collected symbols are now preserved across loader invocations, avoiding redundant work when loading additional modules * Loading additional DSC modules now triggers reanalysis for improved cross-referencing *** ## Debugger ### Android 14+ Native Debugging The Android debugger now properly handles apps targeting Android 14 through 16. Since PAC is becoming prevalent in the Android world, IDA now supports stepping over protected indirect control flow transfer instructions (`RETAA`, ...). ![Android 14+ Debugging](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-ded0e0ae2fd60877cfe9ce27998199ea0eda77c9%2Fandroid_debugging.png?alt=media) ### Stack View Dereferencing The debugger stack view now supports automatic dereferencing, matching the functionality previously available only in the register widget. View pointed-to values directly in the stack view during debugging sessions. Enable it via the context menu under `Data format` → `Addresses with dereferencing`. ![Stack View Dereferencing](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-61e5f328d78a4557ad9cd0ccda681f606ec84516%2Fstack_view_deref.png?alt=media) *** ## UI ### Enhanced Xref Tree The Xref Tree widget now leverages the register tracker and decompiler to **display known function argument values** at call sites, providing immediate insight into parameters being passed without needing to navigate to each call site. ![Xref Tree with Parameter Values](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-8d91035fb79c53f986938e221e9336ab069f526c%2Fxref_tree_93.png?alt=media) Additional improvements: * Multi-selection support with standard `Shift` and `Ctrl` modifiers for batch operations * Search functionality: press `/` to open search, then `F3` to jump between matches * Column management: reorder, resize, and toggle column visibility via header context menu * Column sorting * Rename support via `N` hotkey * Action system integration: xref tree actions can be mapped and customized like any other IDA action * Improved dark theme support on macOS The Xref Tree now fully replaces the legacy **Function Calls** widget, which has been removed. ### Improved Xref Graph The Xref Graph introduced in 9.2 sees several interaction improvements: * **Pin nodes**: press `P` to pin nodes in place — they will no longer drift when the cursor hovers over them * **Dark theme support** * **Capacity warnings**: a warning pops up when the graph's capacity is exceeded, preventing accidental slowdowns * Trackpad pinching/zooming support * Graph management relocated to `View` → `Graphs` → `Manage...` * Now available on systems without GPU-accelerated OpenGL ![Xref Graph — Default Theme](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-2c919e2f56f148a1317053cc1b26856c70d75ee1%2Fxref_graph_default.png?alt=media) ![Xref Graph — Dark Theme](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-595d14469e33755069581c387894ca2a3bf5f06e%2Fxref_graph_dark.png?alt=media) ### Jump Anywhere Improvements [Jump Anywhere](https://hex-rays.com/blog/ida-9.3-jump-anywhere) continues to mature as a full replacement for the classic "Jump to address" and "Jump to type offset" dialogs: * Asynchronous searching for instant responsiveness on large databases * Support for demangled names * Improved search ranking algorithm * History of user inputs * Navigation to offsets within local types * Added to the `Jump` menu ### "Move to Folder" for Functions A new **"Move to folder..."** action lets you organize functions into folders directly from the disassembly, pseudocode, or microcode views. Right-click on a function header to classify it — useful for triaging large binaries or grouping related functions during analysis. ### New "Setting Type Renames Target" Option New option in `Options` → `General` → `Misc` → `Setting type renames target`: when enabled, IDA updates the target's name while setting types (for one-shot renaming and retyping via `Y`). When disabled, IDA ignores naming changes and only applies types. ### Windows 7 Compatibility Qt 6.8 officially dropped support for Windows 7. For users who still need to run IDA on Windows 7, we provide a patched Qt 6.8 build that re-enables compatibility. The DLL bundle can be downloaded from the [My Hex-Rays portal](https://my.hex-rays.com); replace the Qt DLLs in your IDA installation directory. ![IDA on Windows 7](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-16c793f7d9e13824ac599f2e9b579af9ff75cb55%2Fidawin7.png?alt=media) *** ## SDK & Build ### Simplified Build Process * The [C++ SDK on GitHub](https://github.com/HexRaysSA/ida-sdk) now supports **CMake** for building plugins, loaders, and processor modules — including CI/CD workflows for Windows, Linux, and macOS. Thanks to [Elias Bachaalany](https://github.com/0xeb) for the original contribution * The **IDAPython build process** has been simplified to work with SWIG 4.2 and 4.3 from default package managers (`apt` on Linux, `winget` on Windows, `brew` on macOS), eliminating the need for manually-built SWIG ### Direct Lumina API Access Lumina functionality is now directly accessible via `lumina.hpp` (C++) and `ida_lumina` (Python), enabling developers to extract and apply Lumina metadata programmatically from within IDA. **Example — pulling metadata from Lumina and comparing with local state:** ```python import ida_funcs import ida_lumina import ida_pro client = ida_lumina.get_server_connection() if client is not None: # collect all function addresses funcs = ida_pro.eavec_t() for i in range(ida_funcs.get_func_qty()): funcs.push_back(ida_funcs.getn_func(i).start_ea) # pull metadata from the server result = client.pull_md(funcs) if result is not None: # result.codes is 1:1 with input funcs (per-function status) # result.results contains only the matched entries (PDRES_OK) ri = 0 for i in range(len(result.codes)): if result.codes[i] == ida_lumina.PDRES_OK: fi = result.results[ri] ri += 1 remote_score = ida_lumina.score_metadata(fi) # compare with current IDB metadata pfn = ida_funcs.get_func(funcs[i]) local_fi = ida_lumina.func_info_t() ida_lumina.calc_func_metadata(local_fi, pfn) local_score = ida_lumina.score_metadata(local_fi) if remote_score > local_score: print(f"{funcs[i]:#x}: {fi.name} (score: {remote_score})") ``` **Example — computing metadata locally:** ```python import ida_funcs import ida_lumina pfn = ida_funcs.get_func(0x401000) # calc_func_metadata returns (size, md5_hash) fi = ida_lumina.func_info_t() size, md5 = ida_lumina.calc_func_metadata(fi, pfn) score = ida_lumina.score_metadata(fi) print(f"{fi.name}: {fi.size} bytes, score={score}") ``` ### FLAIR * New `-X` switch in FLAIR parsers to exclude symbols by regex during signature creation (can be passed more than once) * `sigmake`: increased collision group size limit from 8192 to 65536 ### Segment Changes **Behavioral changes**: `segment_t` default segment registers are now initialized to `-1` (`BADSEL`) instead of `0`, meaning segments default to having no default segment register values. `add_segm_ex()` now sets the default value of DS equal to CS. ### Decompiler SDK Changes **STL-to-IDA container migration**: All `std::set` and `std::map` typedefs in `hexrays.hpp` have been replaced with `qset` and `qmap`. This is a **source-breaking change** for plugins that directly use iterator types or STL-specific APIs on these containers. Affected typedefs include `user_cmts_t`, `user_iflags_t`, `user_unions_t`, `user_labels_t`, `user_numforms_t`, `lvar_mapping_t`, `eamap_t`, `boundaries_t`, `voff_set_t`, `strings_t`, and others. The `` and `` STL includes are removed. **`ivl_t` and `ivlset_t` de-templated**: These interval types are no longer template instantiations (`ivl_tpl` / `ivlset_tpl<...>`). They are now standalone classes using `uint64` for offsets and sizes. The template classes and the `uval_ivl_t` / `uval_ivl_ivlset_t` typedefs are removed. **`block_chains_t` is now `qset`**: Previously an opaque byte array wrapping a platform-specific `std::set`, it now publicly inherits from `qset` with proper iterator access. The `SIZEOF_BLOCK_CHAINS` macros are removed. A new `int serial` member stores the block number. New APIs: * `cfunc_t::serialize()` / `cfunc_t::deserialize()` for persisting decompiler output * `mblock_t::verify_insn()` for microinstruction validation * `vdui_t::ui_noprop_lvar()` for forbidding assignment propagation * `int64_emulator_t`: new non-throwing `_mop_value()` / `_minsn_value()` variants with `vd_failure_t` error reporting (the original throwing versions are kept as wrappers) * New `ivlset_t::is_subset_of()` convenience method * New `ivlset_visitor_t` abstract visitor for interval sets New flags and constants: * `CVAR_NOPROP` / `LVINF_NOPROP` — forbid assignment propagation for a local variable * `WARN_FRAME_ACCESS` — new decompiler warning for illegal frame access * `MBA_SHOWEA` — control EA display in microcode output **Breaking**: `mba_t::serialize()` now takes `bytevec_t*` instead of `bytevec_t&`. The `ivlset_t::has_common()` overloads have swapped dispatch IDs (binary-breaking for plugins calling either overload). ### UI SDK Changes **128-bit widget masks**: `request_refresh()` is replaced by `mark_builtin_widgets()` using the new `builtin_widgets_mask_t` (`uint128`) type. Related replacements: `is_refresh_requested()` → `is_builtin_widget_dirty()`, `get_dirty_infos()` → `get_builtin_widgets_state()`. The `IWID_ALL` mask is now 128-bit. `get_last_widget()` also uses the new mask type. **Chooser/dirtree separation**: All dirtree-related chooser flags are now obsolete: `CH_HAS_DIRTREE`, `CH_TM_*`, `CH_NON_PERSISTED_TREE`, `CH_BUILTIN()`, `CH2_LAZY_LOADED`, `CH2_HAS_INODE2INDEX`, `CHCOL_INODENAME`. The chooser API version is bumped to 4, with a new `builtin_id` (`int8`) field replacing the 6-bit encoding in flags. `chooser_base_t::flags2` is narrowed from `uint16` to `uint8`. The `chooser_t::get_dirtree()` and `index_to_inode()` methods are deprecated. New widget types: `BWN_TITREE` (type library tree, replaces `BWN_TICSR`), `BWN_XREF_TREE`. `BWN_CALLS` and its callers/callees variants are now `BWN_RESERVED_*`. New APIs: * `prompt_function_prototype_ex()` adds an `out_name` output parameter returning the edited function name * `action_ctx_base_t::get_selection_as_ordinals()` converts widget selections to type ordinals * `mark_builtin_widget_by_id()` / `is_builtin_widget_dirty()` convenience helpers * `hexplace_gen_t`: new `dk_addr_deref` data kind and `get_dbg_deref_options()` virtual method ### Type System SDK Changes * New `TAUDT_IFACE` (`0x1000`) flag and `tinfo_t::is_iface()` / `set_iface()` for Objective-C `@interface` support * New `udt_type_data_t::deduplicate_members()` for renaming duplicate field names * New parsing flags: `PT_VOID_OK` (accept void), `PT_NO_MANGLE` (don't mangle names), and corresponding `HTI_VOID_OK` / `HTI_NO_MANGLE` * New `PDF_NO_ANON_NAME` flag for `print_decls()` to skip anonymous types * New `VTBL_LAYOUT_SUFFIX` (`"_layout"`) constant for virtual table layout type naming * Variadic SIMD types: new `simd_info_t::SIMD_VARIADIC` constant and `is_variadic()` method * New `MAX_ARRAY_NELEMS` (`0x7FFFFFFF`) constant for maximum array element count * `choose_local_tinfo()` / `choose_local_tinfo_and_delta()` deprecated * `tinfo_t::build_anon_type_name()` replaces the now-deprecated free function `::build_anon_type_name()` ### Dirtree API * New `dirtree_bulk_move()` and `dirtree_bulk_remove()` for efficient batch operations * New `dirtree_add_event_handler()` / `dirtree_remove_event_handler()` for subscribing to dirtree changes * New `dirtree_make_cursor()` for creating cursors from paths * `set_natural_order()` now returns `dterr_t` instead of `bool` * New `DSF_UNQ_NAMES` flag, `DTE_NOT_ORDERABLE` error code * `dirspec_t::flags` renamed to `dsf_flags` * New IDB events: `dirtree_ordering_changed`, `dirtree_bulk_move` ### Other New APIs * `get_install_root()` — returns the IDA installation root directory (on macOS, higher than `idadir()`) * `bookmarks_t::get_by_inode()` — look up bookmarks by inode * `invalidate_regfinder_xrefs_cache()` — update regtracker caches when data references change * `get_import_entry()` — retrieve import module information by address (new `import_entry_t` struct) * `bpt_location_t::valid()` — check breakpoint location validity * `reg_value_info_t::set_def_itype_for_mov()` — set defining instruction type for mov instructions * `swap128()` — byte-swap a `uint128` value * `btoa128()` — convert a `uint128` to string representation * New `reglist_base_t` CRTP template class in `ua.hpp` for bitmask-based register lists (e.g., ARM `PUSH {R4-R7,LR}`) * New `lexer_janitor_t` (`std::unique_ptr`) RAII wrapper * New `dbg_deref_options_t` struct for debugger stack view dereferencing options ### New Flags and Constants * `REF_LOW32` / `REF_HIGH32` — reference types for low/high 32-bit halves of 64-bit offsets * `REFINFO_USER` (`0x2000`) — ignore fixup when processing refinfo * `SRCLANG_OBJCPP` (`0x20`) — Objective-C++ source language * `PLFM_NDS32` (76) — new processor ID for Andes NDS32 * `PR2_IGNORE_IDA_GUESS` — allow item creation inside IDA-guessed data arrays * `aux_hint_nop` / `PT_padlock` (x86) — hintable NOP flag and VIA PadLock extensions ### Core SDK Changes (pro.h, llong.hpp, loader.hpp, ua.hpp) * `qvector`: new **initializer list constructor** (`qvector v = {1, 2, 3}`) * `qlist`: new **move constructor** and **move assignment operator** * `qlist::swap()` now marked `noexcept` * `qvector::truncate()` now properly handles non-movable types * `save_database()`: default `flags` parameter changed from `-1` to `0` (both mean "use current flags") * `STKVAR_VALID_SIZE` and `STKVAR_KEEP_EXISTING` flags removed from `ua.hpp` * `__HAS_INT128__` macro now auto-defined when `__SIZEOF_INT128__` is available (GCC/Clang) ### Processor Module SDK * `ev_get_simd_types`: new `insn` and `op` optional parameters for filtering SIMD types by instruction context; `out` parameter type changed from `void*` to `simd_info_vec_t*` * `switch_info_t::set_jtable_element_size()` and `set_vtable_element_size()`: fixed operator precedence bug ### Network SDK * `rpc_engine_t` constructor: new `recv_timeout` parameter * Removed `RECV_HELLO_TIMEOUT` constant * `vault_credentials_t` methods are now inline wrappers around exported `vcred_*` functions, enabling easier subclassing from plugins ### New Headers * **`lumina.hpp`** — Complete Lumina protocol, metadata types, serialization, and client API (previously internal) * **`qset.hpp`**, **`qmap.hpp`**, **`qtree.hpp`**, **`qpair.hpp`**, **`qallocator.hpp`**, **`qalloc_shim.hpp`**, **`qida_alloc_shim.hpp`**, **`qiterator.hpp`** — ABI-stable container infrastructure backing the `qset`/`qmap` migration No headers were removed. ### Deprecations Summary * **Widget refresh**: `request_refresh()`, `is_refresh_requested()`, `get_dirty_infos()` replaced by 128-bit equivalents * **`open_calls_window()`**: Function Calls widget removed * **`prompt_function_prototype()`**: use `prompt_function_prototype_ex()` * **`choose_local_tinfo()`** / **`choose_local_tinfo_and_delta()`**: deprecated * **`llong_scan()`**: deprecated in `llong.hpp` ### IDAPython * IDA's `-S` command line arguments now accessible from `sys.argv` *** ## idalib * Added pre-built `idapro` Python wheel (for installation from read-only locations) * New `idat -v` option for verbose output * `idat` no longer deletes existing IDBs * Batch mode now works with temporary databases * `-S` command line switch enabled for IDA Home *** ## Security & Third Party Dependencies * LLVM updated to 21.1.5 * z3 updated to 4.15.3 * pcre2 updated to 10.47 (fixes CVE-2025-58050) * clp updated to 1.17.10 / CoinUtils 2.11.12 * libdwarf updated to 2.2.0 *** ## Minor Improvements / Bugfixes * proc/pc: fixed hinted prefetch decoding * proc/pc: fixed decoding of `ud0` for recent Intel platforms * proc/tricore: simplified extended registers * proc/riscv: fixed endless auto-analysis in some cases * proc/riscv: fixed immediate operand size of `andi` instruction * proc/arm: fixed decoding of `STLEX` instruction * proc/tms320c6: fixed decoding of compact `dstk` instructions * ldr/pe: fixed incorrectly applied relocations in ARMv7 PE files * ldr/macho: fixed wrong stub names for ARM64 Go binaries * dwarf: enhanced RISC-V relocation support (`R_RISCV_ADD*`, `R_RISCV_SUB*`, `R_RISCV_SET*` families) * vd: added `HO_CPP_CONSTANTS` option to print C++ style constants (`true`, `false`, `nullptr`) instead of their C equivalents * vd: `(cast1)*((cast2)x + N)` is now simplified to `*((cast1*)x + N)` when sizes match, removing redundant casts * vd/ppc: updated SP after load/store for correct stack address resolution * vd/riscv: improved recognition of several div/mod patterns on 32-bit RISC-V * vd/v850: major bug fixes and improvements * ui: fixed an issue where stepping in pseudocode would wrongly reset synced disassembly view to function entry * ui: moved "Dereferencing options..." under the `Data format/` submenu * ui: fixed an issue where double-clicking on a function in a filtered Functions view could cause IDA to become unresponsive * ui: fixed an issue where jumping to a stack variable could add an unnecessary entry to the navigation history * ui: fixed an issue where double-clicking on a struct field in pseudocode no longer popped up the rename dialog * ui: made renaming types via `Y` hotkey consistent with global default * ui: output window: added possibility to control auto scrolling (registry setting) * ui: output window: added shift-click to set selections * ui: fixed notepad cursor position being reset on database save * ui: added "Don't save database" button to the close dialog * ui: added license borrowing calendar selector * ui: fixed listing start/end navigation shortcuts (`Ctrl`+`Home`/`End` vs `Ctrl`+`PgUp`/`PgDown` were swapped); macOS now uses native key sequences * ui: fixed an issue where bookmarks could be lost after rebasing * ui/fpe: added the ability to set `void` as a function return type in the Function Prototype Editor * ui/wayland: fixed app icon display, improved docking behavior * ui/macos: added dark mode toggle in toolbar, `.i64` bundle type extension, Dock Menu with recent files * ui/macos: addressed several shortcut issues and collisions * ui/xref\_graph: fixed transparency issue of node description widget * ui/xref\_graph: fixed crash on macOS 15.7.3 * ui/xref\_tree: allowed canceling decompilation when showing argument values * ui/xref\_tree: fixed branch indicator visibility on Windows 11 * kernel: fixed an issue where IDA could lock up when analyzing some obfuscated code patterns * kernel: fixed a crash on startup when `idc.idc` contained syntax errors * types/demangler: added support for floating-point constants as template arguments * dbg/arm64: worked around `PTRACE_DETACH` issue after single-stepping on Linux 3.x/4.x * srv/lumina: increased the default `HELO` timeout from 1 to 10 seconds for all client-run Lumina servers