# IDA 9.3 Beta Welcome to the IDA 9.3 Beta Release, and thank you to all our beta testers for joining us! Below are the key highlights and changes introduced in this beta version. {% hint style="info" %} #### Share your feedback Spotted a bug or have a suggestion for the beta? Let us know and contribute to IDA evolution through one of the following channels: * [Hex-Rays Support](https://support.hex-rays.com) (*Early access* feedback form), * Email: , or * Slack: Join the discussion in our dedicated beta channel. If you didn’t receive the invitation link, [contact us](mailto:support@hex-rays.com). {% endhint %} ## What's New in Beta 4 (RC2) ### Bugfixes / Minor * ui/macos: address several shortcut issues / collisions * vd: fix interr triggered when one-shot renaming and retyping function prototypes * vd/mbui: fix interr in graph related actions if "show addresses" is turned on * sdk: merge back hexrays headers / python modules into one header / python module ## What's New in Beta 3 (RC) ### Decompiler #### ARM Common Short Sequence Compression (CSSC) The `ctz`, `cnt`, `abs`, `smax`, `smin`, `umax`, `umin` instructions are now translated to their corresponding compiler intrinsics. ### Architecture Support #### NDS32 EX9.IT The `ex9.it` instructions are now properly resolved from the table that the `$itb` system register points to. Such instructions occur as part of linker relaxation and commonly observed in firmware or other space-constrained environments. ### Bugfixes / Minor * vd: add `HO_CPP_CONSTANTS` option to print c++ style constants (`true`/`false`/`nullptr`) * vd: transform `(cast1)*((cast2)x + N)` into `*((cast1*)x + N)` when `sizeof(cast1) == sizeof(*cast2)` to get rid of some redundant casts * vd/riscv: improve recognition of several div/mod patterns on 32-bit RISC-V * vd/v850: major bug fixes and improvements * ui/vd: make renaming types via `y` hotkey consistent with global default * ui/xref\_graph: apply macOS "dark mode" to xref-graph * ui/xref\_graph: fix fit-in-view behaviour * ui/xref\_graph: add trackpad pinching/zooming * ui/xref\_tree: fix disappearing chevrons * ui/xref\_tree: add column sorting * ui/xref\_tree: add rename support via `n` hotkey * ui/jump\_anywhere: allow jumping to offsets within local types * ui/jump\_anywhere: store user input history * dbg/arm64: work around `PTRACE_DETACH` issue after single-stepping on Linux 3.x/4.x * plugins/idapython: add missing qvector types to ida\_lumina * plugins/idapython: make ida's `-S` command line arguments accessible from `sys.argv` * plugins/idapro: ship pre-built idapro python wheel (for installation from r/o installations) ## What's New in Beta 2 ### Decompiler #### Stock Comments Manage reusable comments in the decompiler. Create, edit, and quickly apply frequently-used comments to pseudocode without retyping. Comments are organized by most-recently-used order. Useful for documenting repetitive patterns like inlined C++ operations (e.g., std::string manipulations). #### Microcode Viewer New toggles and display options: * **EA Prefix Display** Default (off): ``` 1. 1 mov esp.4, ebp.4 ; 804ABA2 u=esp.4 d=ebp.4 1. 2 mov #0.1, cf.1 ; 804ABA8 u= d=cf.1 1. 3 mov #0.1, zf.1 ; 804ABA8 u= d=zf.1 ``` After toggle (on): ``` 1. 1 804ABA2 mov esp.4, ebp.4 ; 804ABA2 u=esp.4 d=ebp.4 1. 2 804ABA8 mov #0.1, cf.1 ; 804ABA8 u= d=cf.1 1. 3 804ABA8 mov #0.1, zf.1 ; 804ABA8 u= d=zf.1 ``` The effective address now appears between instruction number and mnemonic. * **Compact/Detailed View** Detailed: ``` [...] 2. 5 setp rbx.8, rax.8, pf.1 ; 3AB6 u=rax.8,rbx.8 d=pf.1 2. 6 sets (rbx.8-rax.8), sf.1 ; 3AB6 u=rax.8,rbx.8 d=sf.1 2. 7 jz rbx.8, rax.8, @5 ; 3AB9 u=rax.8,rbx.8 ; Successors: 3, 5 3.BLT_2WAY ; Predecessors: 2, 9, 11 ; 2WAY-BLOCK 3 INBOUNDS: 2 9 11 OUTBOUNDS: 4 12 [START=3ABB END=3ACE] MINREFS: STK=0/ARG=50, MAXBSP: 0 ; USE: sp+28.8,(GLBLOW,GLBHIGH) ; DEF: cf.1,zf.1,sf.1,of.1,pf.1,rax.8 ; DNU: cf.1,zf.1,sf.1,of.1,pf.1 3. 1 setb %var_18.8, call !__readfsqword => "unsigned __int64" .8, cf.1 ; 3ABF u=sp+28.8,(GLBLOW,GLBHIGH) d=cf.1 3. 2 seto %var_18.8, call !__readfsqword => "unsigned __int64" .8, of.1 ; 3ABF u=sp+28.8,(GLBLOW,GLBHIGH) d=of.1 3. 3 sub %var_18.8, call !__readfsqword => "unsigned __int64" .8, rax.8 ; 3ABF u=sp+28.8,(GLBLOW,GLBHIGH) d=rax.8 3. 4 setz rax.8, #0.8, zf.1 ; 3ABF u=rax.8 d=zf.1 3. 5 setp rax.8, #0.8, pf.1 ; 3ABF u=rax.8 d=pf.1 3. 6 sets rax.8, sf.1 ; 3ABF u=rax.8 d=sf.1 3. 7 jnz rax.8, #0.8, @12 ; 3AC8 u=rax.8 ; Successors: 4, 12 4.BLT_1WAY ; Predecessors: 3 ; 1WAY-BLOCK 4 INBOUNDS: 3 OUTBOUNDS: 13 [START=3ACE END=3ADA] MINREFS: STK=0/ARG=50, MAXBSP: 48 ; USE: r8.8 ; DEF: rax.8 ; DNU: rax.8 4. 1 mov r8.8, rax.8 ; 3AD2 u=r8.8 d=rax.8 4. 2 goto @13 ; 3AD9 u= ; Successors: 13 [...] ``` Compact: ``` [...] 2. 5 setp rbx.8, rax.8, pf.1 2. 6 sets (rbx.8-rax.8), sf.1 2. 7 jz rbx.8, rax.8, @5 ; Successors: 3, 5 3. 1 setb %var_18.8, call !__readfsqword => "unsigned __int64" .8, cf.1 3. 2 seto %var_18.8, call !__readfsqword => "unsigned __int64" .8, of.1 3. 3 sub %var_18.8, call !__readfsqword => "unsigned __int64" .8, rax.8 3. 4 setz rax.8, #0.8, zf.1 3. 5 setp rax.8, #0.8, pf.1 3. 6 sets rax.8, sf.1 3. 7 jnz rax.8, #0.8, @12 ; Successors: 4, 12 4. 1 mov r8.8, rax.8 4. 2 goto @13 ; Successors: 13 [...] ``` Compact view removes block headers, maturity info, `USE`/`DEF`/`DNU` comments, and `u=`/`d=` annotations. * **Value Numbers** Display [GVN](https://en.wikipedia.org/wiki/Value_numbering) identifiers showing SSA value equivalence: ``` 1. 7 mov rax.8{5}, r8.8{5} ; ^~~~~~~~~^ 1. 8 jz rbx.8{1}, rax.8{5}, @4 ; Successors: 2, 4 ; ^~~~~~~~~~^ 2. 1 jnz (%var_18.8-call !__readfsqword => "unsigned __int64" .8), #0.8, @10 ; Successors: 3, 10 3. 1 mov r8.8{6}, rax.8{6} ; ^~~~~~~~~~^ 3. 2 goto @11 ; Successors: 11 ``` * **Number Origins** Show where constants originate (e.g., `#3.8` becomes `#3@3B0A.8`): Off: ``` 10. 1 mov #3.8, rax.8 ; 3B30 assert u= d=rax.8 ``` On: ``` 10. 1 mov #3@3B0A.8, rax.8 ; 3B30 assert u= d=rax.8 ^~~~ ``` Corresponding disassembly showing the origin of constant `3`: ``` .text:0000000000003B0A cmp rax, 3 ``` * **Display Local Types**: Opens a window showing types used during decompilation ### Programming Language Support #### Golang * Improved type parsing, version detection, and moduledata handling (especially for versions before 1.18) * Refactored string user detection * Refactored version-dependent logic and improved documentation * Bugfixes and improvements in FUNCINFO parsing * Added argument type derivation for more Go-specific functions * Set types for global arguments of Go runtime functions ### Architecture Support #### RISC-V * Added support for Andes V5 extension (`XAndesPerf` only) in decompiler and disassembler. Instruction set extensions are now configurable in processor options (default is "all", with comments on ambiguous instructions): ``` .text:00011708 la a0, view .text:0001170C jal view_update_diff .text:00011710 la a1, quit .text:00011714 la a0, input .text:00011718 jal input_get_diff .text:0001171C nds.lbugp a5, quit ; alt XThead: th.ext .text:00011720 beqz a5, loc_116DC .text:00011722 li a1, 1 .text:00011724 la a0, view .text:00011728 jal view_text ``` * Fixed xrefs to structure members in all cases #### ARM Added NEON intrinsics for ARMv8.2 `AES`, `SHA[1|256|512|3]` and ARMv8.1 `SQRDMX` (Saturating Rounding Doubling Multiply Accumulate/Subtract) instructions in the decompiler. Before: ``` if ( runtime_useAeshash ) { _Q2 = *(_OWORD *)runtime_aeskeysched; __asm { AESE V0.16B, V2.16B AESMC V0.16B, V0.16B AESE V0.16B, V2.16B AESMC V0.16B, V0.16B AESE V0.16B, V2.16B } } else { runtime_memhash32Fallback(v0, v1); } ``` After: ``` unsigned __int32 *v0; // x0 uintptr v1; // x1 uint8x16_t v2; // q0 if ( !runtime_useAeshash ) return runtime_memhash32Fallback(v0, v1); v2 = 0; v2.n128_u32[1] = *v0; v2.n128_u32[0] = v1; return vaeseq_u8( vaesmcq_u8( vaeseq_u8( vaesmcq_u8(vaeseq_u8(v2, *(uint8x16_t *)runtime_aeskeysched)), *(uint8x16_t *)runtime_aeskeysched)), *(uint8x16_t *)runtime_aeskeysched).n128_u64[0]; ``` #### V850 * Recognize compiler-specific prolog/epilog helpers * Recognize padding instructions and hide them * Improve stack frame analsysis of functions using compiler helpers * Detect compiler helpers invoked using the `callt` instruction * Decompile more low-level instructions (BSW, BSH, HSW, HSH, MAC, MACU, ABF, SBF, CLIP\*, SAT\*, ST, SASF, SCH\[01]\[LR], SYNC\*, EI/DI, HALT, LDSR/STSR etc.) #### PC * Add decoding of VIA Padlock instructions #### 80196 * Add support for 8061, 8065, 8096 processor types #### NDS32 * GP-relative addressing improvements * Create dr\_O references when adding gp-derived values into general purpose registers * Create dr\_R/W references when resolving phrase targets * Add address comments whenever addresses are successfully resolved * Report unresolvable memory accesses as problems (helps with firmware base address detection) * Better stack pointer tracing, recognize push25/pop25 prolog/epilog * Add auto comments * Add decoding of DSP extension instructions * Detect many more switch patterns * Filtering and application of ELF mapping symbols (`$c`/`$d`) * Add noreturn analysis * New config options: * Display encoding variant and dollar register prefixes * Enable/disable use of macros * Enable/disable use of gp values ### Loaders #### CLI/.NET * Applied CLI metadata names to native code in mixed assemblies * Fixed several infinite loops and crashes with malformed .NET files * Resolved `MethodSpec` tokens (`0x2B`) * Handled `ExtraData` field in metadata tables stream * Fixed loader failure when `FieldRVA` entry is missing for a field with `fdHasFieldRVA` flag ### ELF * v850: implement support for the `R_V850_PC17` relocation ### UI New option: `Options` -> `General` -> `Misc` -> `Setting type renames target` When enabled, IDA updates the target's name while setting types (for one-shot renaming and retyping via `Y`). When disabled, IDA ignores naming changes and only applies types. ### Bugfixes * decompiler/ppc/golang: improved LR recognition (also for functions with stack canary check) * decompiler/ppc: updated SP after load/store for correct stack address resolution * pc: fixed hinted prefetch decoding * pc: fixed decoding of ud0 for recent Intel platforms * xtensa: added xrefs for enums and structure members * tricore: simplified extended registers * arm: handled new switch pattern using CSNEG from iOS and macOS 26 * ui: fixed an issue where stepping in pseudocode would wrongly reset synced disassembly view to current function entry * ui: added "don't save database" button to the close dialog * ui: moved "Dereferencing options…" under the "Data format/" submenu * ui: fixed an issue where double-clicking on a function name in a filtered "Functions" view could cause IDA to become unresponsive * ui: fixed an issue where jumping to a stack variable could add an unnecessary entry to the navigation history. * ui: fixed an issue where double-clicking on a struct field in pseudocode no longer pops up the rename dialog * ui: added Jump Anywhere to the Jump menu * ui/xref graph: fixed transparency issue of the node description widget * ui/xref\_graph: fixed crash on MacOS 15.7.3 * ui/xreftree: allowed canceling decompilation when showing argument values * ui/xreftree: fixed branch indicator visibility on Windows 11 * licsrv: fixed an issue when IDA 9.2 would crash when trying to get a license from the 9.3 license server ## What's New in Beta 1 ## Highlights * [**Decompiler**](#decompiler): **New V850 decompiler**, microcode manipulation, viewer improvements and more * [**Type system**](#type-system): **Objective-C parser**, more Golang types * [**Teams add-on**](#teams-add-on): **Improved Teams UI now fully integrated into IDA**, eliminating the need for HVUI * [**Architecture support**](#architecture-support): **Apple SVE, SME, MTE ARM64 extensions, Andes Andestar V3 NDS32 (not included in Beta 1)**, improvements to Tricore, ARC, x86/x64, PowerPC, RISC-V, ARM64 * [**Debuggers**](#debuggers): **Android 14-17 native debugging**, Stack view dereferencing * [**UI**](#user-interface): **Improved Xref Tree and Xref Graph**, along with other performance improvements * **FLIRT 2.0** (The new signatures are not included in Beta 1 and are planned for a later beta release) * **New Linux ARM64 Installers** ## Teams add-on IDA Teams is now **merged into stock IDA**. Collaborate on reverse engineering projects with your team without launching any external applications. * **A New Teams top-level menu**: all previously known major functionalities and widgets available from Teams menu. * **Easy access to remote files**: open files from the Hex-Rays Vault Server directly through the Quick Start dialog. * **Discontinued HVUI Application**: the standalone HVUI app is no longer included. Its core functionality has been fully integrated into the main IDA interface. ![Teams menu](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-919c1c356f26cafabadb38c870dda2a1ed665b95%2Fusers_view.png?alt=media) See the [Getting Started Guide](https://github.com/HexRaysSA/docs/blob/9.3/user-guide/teams/integrated-teams.md) to get up and running with integrated Teams. *** ## Type System ### Objective-C Parser **Example - Input Objective-C header:** ```objc @interface NSObject - (id)init; + (id)alloc; @end @protocol MyDelegate - (void)didFinish; @end @interface MyClass : NSObject @property (nonatomic) int value; @property (nonatomic, getter=isEnabled) BOOL enabled; - (void)doAction:(int)action withObject:(id)obj; + (instancetype)sharedInstance; @end @interface MyClass (Extensions) - (void)extendedMethod; @end ``` **Generated type library output:** ```c // Types typedef char BOOL; __objc_interface NSObject {}; __objc_interface __cppobj MyClass : NSObject {int _value; BOOL _enabled;}; // NSObject methods id __cdecl +[NSObject alloc](id, SEL); id __cdecl -[NSObject init](NSObject *self, SEL); // MyClass methods - including auto-generated property accessors MyClass *__cdecl +[MyClass sharedInstance](id, SEL); void __cdecl -[MyClass didFinish](MyClass *self, SEL); // from protocol void __cdecl -[MyClass doAction:withObject:](MyClass *self, SEL, int action, id obj); BOOL __cdecl -[MyClass isEnabled](MyClass *self, SEL); // custom getter void __cdecl -[MyClass setEnabled:](MyClass *self, SEL, BOOL enabled); void __cdecl -[MyClass setValue:](MyClass *self, SEL, int value); int __cdecl -[MyClass value](MyClass *self, SEL); void __cdecl -[MyClass extendedMethod](MyClass *self, SEL); // from category ``` ### Create C Header File: Inline Anonymous Types When exporting types to C header files, IDA creates intermediate anonymous types with hash-based names. The new "Ignore IDA anonymous types" option inlines these types directly into the parent structure, producing cleaner and more portable output. **Before (anonymous types exported separately):** ```c union test::$161DE73CEC70B46D2147F48043C58578 { a a; b b; }; struct test { test::$161DE73CEC70B46D2147F48043C58578; }; struct with_inline_struct_t::$42129BFC740492F1999D6296462C8FF7 { int a; }; struct with_inline_struct_t { with_inline_struct_t::$42129BFC740492F1999D6296462C8FF7 b; }; ``` **After (anonymous types inlined):** ```c struct test { union { a a; b b; }; }; struct with_inline_struct_t { struct { int a; } b; }; ``` This also handles nested inline structures correctly: ```c struct with_inline_struct_2_t { struct { struct { int a; } b; } b; struct { int a; } c; }; ``` ### Fixed Struct Support: Complete Import/Export Roundtrip IDA 9.3 introduces `__fixed` and `__at` attributes for structures with explicit field offsets, enabling **complete roundtripping** of type exporting and importing. Previously, types with explicit offsets (like function stack frames) could be exported to C headers but not re-imported: the offset information was lost. Now IDA headers are fully re-parsable. **New Syntax:** * `__fixed(size)` - Declares a struct with explicit total size * `__at(offset)` - Specifies exact byte offset for a field **Example - Function Stack Frame:** ```c struct __fixed(0x48) x64_prologue_frame { __at(0x0000) void *return_addr; __at(0x0008) void *saved_rbp; __at(0x0010) void *saved_rbx; __at(0x0018) void *saved_r12; __at(0x0020) void *saved_r13; __at(0x0028) void *saved_r14; __at(0x0030) void *saved_r15; __at(0x0038) int local_var1; __at(0x003C) int local_var2; __at(0x0040) void *local_ptr; }; ``` **Example - Packed Embedded Structure (unaligned fields):** ```c struct __fixed(0x20) packed_frame { __at(0x0000) char header; __at(0x0001) __int16 flags; /* unaligned short */ __at(0x0003) int sequence; /* unaligned int */ __at(0x0007) char payload[16]; __at(0x0017) char checksum; __at(0x0018) void *next; }; ``` ### More Golang Types **Full Package Paths in Type Names:** Types now include complete package paths, eliminating ambiguity between identically-named types in different packages: | Before (9.2) | After (9.3) | | -------------------- | ------------------------------------ | | `RTYPE_atomic_Value` | `RTYPE_sync_atomic_Value` | | `RTYPE_cpu_x86` | `RTYPE_internal_cpu_x86` | | `RTYPE_sys_Uintreg` | `RTYPE_runtime_internal_sys_Uintreg` | | `RTYPE_poll_FD` | `RTYPE_internal_poll_FD` | | `RTYPE_func` | `RTYPE_PTR_func` | ![Type Names: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-07820ea61ed2490f25ff246b9d116ea82057919a%2Fshort_names1.png?alt=media) ![Type Names: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-7545780b376d5abaa27eaca5fce790ac0ca9376f%2Fshort_names2.png?alt=media) **Hierarchical Type Library Organization:** Types are organized in folders matching Go package paths: ``` /golang/runtime/internal/atomic/runtime_internal_atomic_Uint32 /golang/runtime/internal/atomic/_ptr_runtime_internal_atomic_Uint32 /golang/syscall/syscall_Iovec /golang/internal/poll/internal_poll_FD /golang/fmt/fmt_Formatter /golang/reflect/reflect_Value ``` ![Types organization: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-0aeb10d43e8f6120eecd1b3307b7453a6688fbef%2Ffolders1.png?alt=media) ![Types organization: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-04f3298b2d3bb0fc50e2f571efbcb7e9e5158814%2Ffolders2.png?alt=media) **Additional Improvements:** * Better FUNCINFO and Go version detection * Replaced internal `BUILTIN_STRING` with standard Go `string` type * Many standard Go types are now properly recognized without the `struct` prefix: * Better handling of return types of anonymous golang functions when parsing DWARF ![Golang Types: Before](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-8fb29eb254301211d22e857ddf966f93f0916864%2Fvd1.png?alt=media) ![Golang Types: After](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-c56c4a7c4065abc74649e551a9a2fbae58d79215%2Fvd2.png?alt=media) *** ## Architecture Support ### Tricore Improved regfinder for better cross-reference detection and enhanced detection of switch statements. ### ARC: Push/Pop Idiom Recognition Memory store/load operations with auto-increment are now recognized as push/pop instructions, making function prologues and epilogues much easier to understand. **Before (9.2):** ```asm .start:01C001A6 FC 1C 08 B4 st.a r16, [sp,0xC+var_10] .start:01C001AA FC 1C 48 B4 st.a r17, [sp,0x10+var_14] .start:01C001AE FC 1C 88 B4 st.a r18, [sp,0x14+var_18] .start:01C001B2 FC 1C C8 B4 st.a r19, [sp,0x18+var_1C] .start:01C001B6 FC 1C 08 B5 st.a r20, [sp,0x1C+var_20] .start:01C001BA FC 1C 48 B5 st.a r21, [sp,0x20+var_24] .start:01C001BE FC 1C C8 B6 st.a fp, [sp,0x24+var_28] ``` **After (9.3):** ```asm .start:01C001A6 FC 1C 08 B4 push r16 .start:01C001AA FC 1C 48 B4 push r17 .start:01C001AE FC 1C 88 B4 push r18 .start:01C001B2 FC 1C C8 B4 push r19 .start:01C001B6 FC 1C 08 B5 push r20 .start:01C001BA FC 1C 48 B5 push r21 .start:01C001BE FC 1C C8 B6 push fp ``` ### x86/x64 * Follow indirect jumps where target is known at analysis time * Fixed MPX hintable NOP handling ### PowerPC * Fixed wrong plain offset on `addi` instruction ### RISC-V * Fixed endless auto-analysis loop * Enum members now get proper xrefs ### ARM64 #### SVE/SME Instructions for iPhone 17 Kernel IDA 9.3 can now decode Scalable Vector Extension (SVE) and Scalable Matrix Extension (SME) instructions used in Apple's iPhone 17 kernel: ```asm __text:FFFFFE00082434E4 STR Z0, [X2] __text:FFFFFE00082434E8 STR Z1, [X2,#1,MUL VL] __text:FFFFFE00082434EC STR Z2, [X2,#2,MUL VL] __text:FFFFFE00082434F0 STR Z3, [X2,#3,MUL VL] ... __text:FFFFFE00082AFF48 UZP1 V0.4S, V0.4S, V1.4S __text:FFFFFE0008240118 ZIP1 V2.4S, V2.4S, V2.4S ``` These instructions were previously shown as raw bytes or undefined opcodes. #### Memory Tagging Extension (MTE) Intrinsics The decompiler now produces clean intrinsic calls for ARM Memory Tagging Extension instructions, replacing inline assembly blocks. MTE is used in iOS 18+ and Android for memory safety. **Before (9.2) - inline assembly:** ```c __int64 __fastcall create_tag(__int64 _X0, unsigned int a2) { __int64 result; // x0 _X8 = a2; __asm { IRG X0, X0, X8 } return result; } __int64 __fastcall increment_tag1(__int64 _X0) { __int64 result; // x0 __asm { ADDG X0, X0, #0, #7 } return result; } __int64 __fastcall get_tag1(__int64 _X0) { __int64 result; // x0 __asm { LDG X0, [X0] } return result; } __int64 __fastcall set_tag1(__int64 result) { __asm { STG X0, [X1] } return result; } __int64 __fastcall subtract_pointers(__int64 _X0, __int64 _X1) { __int64 result; // x0 __asm { SUBP X0, X0, X1 } return result; } ``` **After (9.3) - clean intrinsics:** ```c void *__fastcall create_tag(void *a1, unsigned int a2) { return __arm_mte_create_random_tag(a1, a2); } void *__fastcall increment_tag1(void *a1) { return __arm_mte_increment_tag(a1, 7u); } void *__fastcall get_tag1(void *a1) { return __arm_mte_get_tag(a1); } void *__fastcall set_tag1(void *result, void *a2) { __arm_mte_set_tag(a2, result); return result; } unsigned __int64 __fastcall subtract_pointers(void *a1, void *a2) { return __arm_mte_ptrdiff(a1, a2); } ``` **Supported MTE Intrinsics:** | Instruction | Intrinsic | Description | | ----------- | ---------------------------------------- | -------------------------------- | | `IRG` | `__arm_mte_create_random_tag(ptr, mask)` | Create random tag | | `ADDG` | `__arm_mte_increment_tag(ptr, offset)` | Increment tag value | | `GMI` | `__arm_mte_exclude_tag(ptr, excluded)` | Get excluded tag mask | | `LDG` | `__arm_mte_get_tag(ptr)` | Load allocation tag | | `STG` | `__arm_mte_set_tag(ptr)` | Store allocation tag | | `SUBP` | `__arm_mte_ptrdiff(a, b)` | Pointer difference ignoring tags | #### ARM64: Decoding of CSSC Instructions Added decoding for comparison and min/max instructions (SMAX, SMIN, UMAX, UMIN, ABS, CNT, CTZ) #### MOV/MOVK Address Construction Disassembler and decompiler now properly optimize ARM64 address construction patterns using MOV/MOVK/MOVW/MOVT instruction sequences, even if scattered, and produce proper cross references. **Before (9.2):** ``` .text:00000000000005FC MOV X8, #0 .text:0000000000000600 MOV W9, #0x64AE .text:0000000000000604 MOVK X8, #0,LSL#16 .text:0000000000000608 MOVK W9, #0x299E,LSL#16 .text:000000000000060C MOVK X8, #0,LSL#32 .text:0000000000000610 MOVK X8, #0,LSL#48 ``` **After (9.3):** ``` .text:00000000000005FC MOV X8, #(WORD0(unk_16120)) .text:0000000000000600 MOV W9, #(WORD0(0x299E64AE)) .text:0000000000000604 MOVK X8, #(WORD1(unk_16120)),LSL#16 .text:0000000000000608 MOVK W9, #(WORD1(0x299E64AE)),LSL#16 .text:000000000000060C MOVK X8, #(WORD2(unk_16120)),LSL#32 .text:0000000000000610 MOVK X8, #(WORD3(unk_16120)),LSL#48 ``` #### Minor * **AARCH64 Relocations**: Support for MOVW\_UABS\_G\[0-3] with custom reference handlers * **iOS PAC Stubs**: Improved recognition of `__auth_stubs` sections * **BTI-enabled PLT**: Recognition of Branch Target Identification-enabled ELF PLT stubs ### Andes Andestar V3 NDS32 IDA now features a processor module for the Andestar V3 NDS32 architecture. **The Andes AndeStar V3 NDS32** is a patented, 32-bit, RISC-style instruction set architecture (ISA) featuring mixed 16-bit/32-bit instructions for power and code density efficiency. It is most used in a wide range of deeply embedded systems and low-power applications, such as IoT devices, microcontrollers, wearables, storage devices and drones. ![Processor module for the Andestar V3 NDS32 architecture](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-53fa8a5fcc1eaa166a7eb730974707a03314ff34%2FNDS32.png?alt=media) *** ## Decompiler ### V850 Decompiler IDA 9.3 introduces decompiler support for the Renesas V850 (aka NEC850 aka RH850) architecture, a popular 32-bit RISC processor used extensively in automotive ECUs and industrial applications. It supports both the modern RH850 ABI and the legacy GCC V850 ABI. ```c void __fastcall matgen(float *a1, int a2, int a3, _DWORD *a4, int a5, int a6, int a7, int a8, float *a9) { int v9; // r27 float *v10; // r28 int v11; // r29 float v12; // r10 float v13; // r11 _DWORD *v14; // r11 int i; // r10 int j; // r24 float *v17; // r27 float *v18; // r29 int k; // r28 float *v20; // [sp+18h] [-10h] float *v21; // [sp+1Ch] [-Ch] int v22; // [sp+20h] [-8h] int v23; // [sp+24h] [-4h] *a9 = 0.0; if ( a3 > 0 ) { v20 = a1; v23 = 4 * a2; v21 = a1; v22 = 0; v9 = 1325; do { v10 = v21; v11 = 0; do { ++v11; v9 = (int)(3125 * ((3125 * v9) & 0x8000FFFF)) % 0x10000; v12 = ((double)v9 - 32768.0) * 0.00006103515625; *v10 = v12; v13 = v12; if ( v12 <= *a9 ) v13 = *a9; *a9 = v13; ++v10; } while ( v11 != a3 ); ++v22; v21 = (float *)((char *)v21 + v23); } while ( v22 != a3 ); v14 = a4; for ( i = 0; i != a3; ++i ) *v14++ = 0; for ( j = 0; j != a3; ++j ) { v17 = v20; v18 = (float *)a4; for ( k = 0; k != a3; ++k ) { *v18 = *v18 + *v17++; ++v18; } v20 = (float *)((char *)v20 + v23); } } } ``` ### Microcode Manipulation The Microcode Viewer now supports deleting instructions and specifying values for registers and local variables to influence the decompilation process. ### Fine Grained Control of Assignment Propagation Added user-controllable "Forbid assignment propagation" option (available from the context menu). ### Value Range Optimization The analysis of conditionals now includes enhanced value range tracking.\ For instance, in a conditional such as `(unsigned int)(a2 - 1) <= 5`, we can determine that `a2` falls within the interval `[1, 6]`. **Real-world example**: ``` if ( (unsigned int)v7 >= 0xA000 ) { ... if ( (unsigned int)(v7 - 0x1000) > 0x1000 ) { ``` The second `if` statement is now discarded since its condition will always be true. ### "Decompile all" now in IDA Home & IDA Pro Essential Now available in IDA Home & Essential editions *** ## Debuggers ### Android 14+ native debugging The Android debugger now properly handles Android 14 (and more recent) apps. Since PAC is becoming more prevalent also in the Android world, we also added support for properly stepping over protected indirect control flow transfer instructions (RETAA, ...). ![Android 14+ native debugging](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-ded0e0ae2fd60877cfe9ce27998199ea0eda77c9%2Fandroid-native-debugging.png?alt=media) ### Stack View Dereferencing The debugger stack view now supports automatic dereferencing, matching the functionality previously available only in the register widget. View pointed-to values directly in the stack view during debugging sessions. You can enable this option via the context menu, under Data format → Addresses with dereferencing. ![Stack View Dereferencing](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-61e5f328d78a4557ad9cd0ccda681f606ec84516%2Fstack-view-dereferencing.png?alt=media) *** ## User Interface ### Faster Dirtree Widgets We have done a first pass of speed improvements. While IDA 9.2 could at times take a very long time to respond (esp. with large selections), IDA 9.3 will be much more pleasant to work with. * Widgets exposing tabular data should be behaving considerably better with large datasets * Search operations are now much snappier for widgets with huge amounts of entries (100k+) * Sorting & filtering (e.g., `Ctrl`+ `F`) have been improved along the way Further performance optimizations are planned, so stay tuned! ### Xref Tree The Xref Tree widget introduced in IDA 9.2 has been significantly enhanced. The tree can now leverage the register tracker and decompiler to display known function argument values at call sites, providing immediate insight into the parameters being passed to functions without needing to navigate to each individual call site. ![Xref Tree with Parameter Values](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-8d91035fb79c53f986938e221e9336ab069f526c%2Fxref_tree_93.png?alt=media) Additional improvements include: * Multi-selection support with standard `Shift` and `Ctrl` modifiers for batch operations * Search functionality: press `/` to open search, then use `F3` to jump between matches (only works with data that has already been expanded in the tree) * Column management: columns can be reordered and resized, with a context menu on column headers to control which columns are displayed * Action system integration: xref tree actions can now be mapped and customized just like any other IDA GUI action, allowing for personalized keyboard shortcuts and workflow integration * Improved dark theme support on macOS ### Xref Graph This release improves mostly the graph interaction. * Now, you don't need to chase the nodes anymore, as they won't move when the cursor is hovering over them. Additionally, **it's now possible to pin the nodes in place** so you can always know exactly where they are - just press `P` to do so. * Furthermore, in order to keep the graph responsive, we've added a warning that will pop up when the graph's capacity is exceeded. This way, you won't accidentally overload the graph and cause it to slow down. The capacity can be adjusted in the configuration file. * Graph management is now located in a logical place: View → Graphs → Manage... and a lot of tiny improvements done. * Finally, the Xref Graph now **supports a dark theme**. Your eyes will thank us! ![Xref Graph Default Theme](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-2c919e2f56f148a1317053cc1b26856c70d75ee1%2FXrefGraphDefaultTheme.png?alt=media) ![Xref Graph Dark Theme](https://3899235193-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fd4yKxBBBv1qcoSuL2US4%2Fuploads%2Fgit-blob-595d14469e33755069581c387894ca2a3bf5f06e%2FXrefGraphDarkTheme.png?alt=media) ### Jump Anywhere Improvements * Faster parallel search for large databases (improved search responsiveness) * Added support for demangled names * Improved search ranking algorithm * Better integration with the "undo" mechanism ### Platform-Specific * **Linux Wayland**: Fixed app icon display, improved docking behavior * **macOS**: Dark mode toggle in toolbar, `.i64` bundle type extension, DockMenu with recent files ### General Improvements * System shortcuts for listing start/end navigation (`Ctrl`+ `Home`/`End`) * License borrowing calendar selector * Local Types: Removed redundant "Parse declarations" command *** ## Minor * arm: detect objc stubs padding (brk #1 instructions) * ui: output: add possibility to control auto scrolling (registry setting) * ui: output: shift-click to set selections * ui: jumpanywhere: efficient indexer search algorithm *** ## SDK & Build * **Simplified build process for developers**: * The C++ SDK now supports CMake for building * The IDAPython build process has been simplified to work with SWIG 4.2 and 4.3 from default package managers (apt on Linux, winget on Windows, brew on macOS), eliminating the need for manually-built SWIG * **Direct Lumina API access** via lumina.hpp (C++) and ida\_lumina (Python), enabling devs to extract and apply Lumina metadata programmatically from within IDA. * **Other Enhancements**: * Added `get_import_entry()` public function (for PE files only!) * **Hex-Rays SDK**: Split `hexrays.hpp` into 4 files for better modularity: * `hexrays.hpp` (main header, reduced size) * `hexrays_ctree.hpp` (C tree definitions) * `hexrays_defs.hpp` (definitions and constants) * `hexrays_micro.hpp` (microcode definitions) *** ## idalib * `idat -v` option for verbose output * Prevent idat from deleting existing IDBs * Allow batch mode for temporary databases * `-S` command line switch enabled for IDA Home *** ## Security & Third Party Dependencies * llvm: update llvm to 21.1.5 * z3: update z3 to 4.15.3 * pcre: update pcre to 10.47 (fixes CVE-2025-58050) * clp: update to clp 1.17.10 / CoinUtils 2.11.12 * libdwarf: update libdwarf to 2.2.0 ## Known Issues * PySide6 crashes under Python 3.14 {% hint style="info" %} #### Share your feedback Spotted a bug or have a suggestion to the IDA 9.3 beta release? Let us know and contribute to IDA evolution: * via [support](https://support.hex-rays.com) (*Early access* feedback form), or * at {% endhint %}