IDA 9.3 Beta

Welcome to the IDA 9.3 Beta Release, and thank you to all our beta testers for joining us! Below are the key highlights and changes introduced in this beta version.

Spotted a bug or have a suggestion to the IDA 9.3 beta release? Let us know and contribute to IDA evolution through one of the following channels:

Hex-Rays Support (Early access feedback form),
Email: [email protected], or
Slack: Join the discussion in our dedicated beta channel. If you didn’t receive the invitation link, contact us.

What's New in Beta 1

Highlights

Decompiler: New V850 decompiler, microcode manipulation, viewer improvements and more
Type system: Objective-C parser, more Golang types
Teams add-on: Improved Teams UI now fully integrated into IDA, eliminating the need for HVUI
Architecture support: Apple SVE, SME, MTE ARM64 extensions, Andes Andestar V3 NDS32 (not included in Beta 1), improvements to Tricore, ARC, x86/x64, PowerPC, RISC-V, ARM64
Debuggers: Android 14-17 native debugging, Stack view dereferencing
UI: Improved Xref Tree and Xref Graph, along with other performance improvements
FLIRT 2.0 (Beta 1 includes support for ARM64 Windows signatures only)
New Linux ARM64 Installers

Teams add-on

IDA Teams is now merged into stock IDA. Collaborate on reverse engineering projects with your team without launching any external applications.

A New Teams top-level menu: all previously known major functionalities and widgets available from Teams menu.
Easy access to remote files: open files from the Hex-Rays Vault Server directly through the Quick Start dialog.
Discontinued HVUI Application: the standalone HVUI app is no longer included. Its core functionality has been fully integrated into the main IDA interface.

See the Getting Started Guide to get up and running with integrated Teams.

Type System

Objective-C Parser

Example - Input Objective-C header:

@interface NSObject
- (id)init;
+ (id)alloc;
@end

@protocol MyDelegate
- (void)didFinish;
@end

@interface MyClass : NSObject <MyDelegate>
@property (nonatomic) int value;
@property (nonatomic, getter=isEnabled) BOOL enabled;
- (void)doAction:(int)action withObject:(id)obj;
+ (instancetype)sharedInstance;
@end

@interface MyClass (Extensions)
- (void)extendedMethod;
@end

Generated type library output:

// Types
typedef char BOOL;
__objc_interface NSObject {};
__objc_interface __cppobj MyClass : NSObject {int _value; BOOL _enabled;};

// NSObject methods
id __cdecl +[NSObject alloc](id, SEL);
id __cdecl -[NSObject init](NSObject *self, SEL);

// MyClass methods - including auto-generated property accessors
MyClass *__cdecl +[MyClass sharedInstance](id, SEL);
void __cdecl -[MyClass didFinish](MyClass *self, SEL);           // from protocol
void __cdecl -[MyClass doAction:withObject:](MyClass *self, SEL, int action, id obj);
BOOL __cdecl -[MyClass isEnabled](MyClass *self, SEL);           // custom getter
void __cdecl -[MyClass setEnabled:](MyClass *self, SEL, BOOL enabled);
void __cdecl -[MyClass setValue:](MyClass *self, SEL, int value);
int __cdecl -[MyClass value](MyClass *self, SEL);
void __cdecl -[MyClass extendedMethod](MyClass *self, SEL);      // from category

Create C Header File: Inline Anonymous Types

When exporting types to C header files, IDA creates intermediate anonymous types with hash-based names. The new "Ignore IDA anonymous types" option inlines these types directly into the parent structure, producing cleaner and more portable output.

Before (anonymous types exported separately):

union test::$161DE73CEC70B46D2147F48043C58578
{
  a a;
  b b;
};

struct test
{
  test::$161DE73CEC70B46D2147F48043C58578;
};

struct with_inline_struct_t::$42129BFC740492F1999D6296462C8FF7
{
  int a;
};

struct with_inline_struct_t
{
  with_inline_struct_t::$42129BFC740492F1999D6296462C8FF7 b;
};

After (anonymous types inlined):

struct test
{
  union
  {
    a a;
    b b;
  };
};

struct with_inline_struct_t
{
  struct
  {
    int a;
  } b;
};

This also handles nested inline structures correctly:

struct with_inline_struct_2_t
{
  struct
  {
    struct
    {
      int a;
    } b;
  } b;
  struct
  {
    int a;
  } c;
};

Fixed Struct Support: Complete Import/Export Roundtrip

IDA 9.3 introduces __fixed and __at attributes for structures with explicit field offsets, enabling complete roundtripping of type exporting and importing. Previously, types with explicit offsets (like function stack frames) could be exported to C headers but not re-imported: the offset information was lost. Now IDA headers are fully re-parsable.

New Syntax:

__fixed(size) - Declares a struct with explicit total size
__at(offset) - Specifies exact byte offset for a field

Example - Function Stack Frame:

struct __fixed(0x48) x64_prologue_frame
{
    __at(0x0000) void *return_addr;
    __at(0x0008) void *saved_rbp;
    __at(0x0010) void *saved_rbx;
    __at(0x0018) void *saved_r12;
    __at(0x0020) void *saved_r13;
    __at(0x0028) void *saved_r14;
    __at(0x0030) void *saved_r15;
    __at(0x0038) int local_var1;
    __at(0x003C) int local_var2;
    __at(0x0040) void *local_ptr;
};

Example - Packed Embedded Structure (unaligned fields):

struct __fixed(0x20) packed_frame
{
    __at(0x0000) char header;
    __at(0x0001) __int16 flags;    /* unaligned short */
    __at(0x0003) int sequence;     /* unaligned int */
    __at(0x0007) char payload[16];
    __at(0x0017) char checksum;
    __at(0x0018) void *next;
};

More Golang Types

Full Package Paths in Type Names: Types now include complete package paths, eliminating ambiguity between identically-named types in different packages:

Before (9.2)

After (9.3)

RTYPE_atomic_Value

RTYPE_sync_atomic_Value

RTYPE_cpu_x86

RTYPE_internal_cpu_x86

RTYPE_sys_Uintreg

RTYPE_runtime_internal_sys_Uintreg

RTYPE_poll_FD

RTYPE_internal_poll_FD

RTYPE_func

RTYPE_PTR_func

Hierarchical Type Library Organization: Types are organized in folders matching Go package paths:

/golang/runtime/internal/atomic/runtime_internal_atomic_Uint32
/golang/runtime/internal/atomic/_ptr_runtime_internal_atomic_Uint32
/golang/syscall/syscall_Iovec
/golang/internal/poll/internal_poll_FD
/golang/fmt/fmt_Formatter
/golang/reflect/reflect_Value

Additional Improvements:

Better FUNCINFO and Go version detection
Replaced internal BUILTIN_STRING with standard Go string type
Many standard Go types are now properly recognized without the struct prefix:
Better handling of return types of anonymous golang functions when parsing DWARF

Architecture Support

Tricore

Improved regfinder for better cross-reference detection and enhanced detection of switch statements.

ARC: Push/Pop Idiom Recognition

Memory store/load operations with auto-increment are now recognized as push/pop instructions, making function prologues and epilogues much easier to understand.

Before (9.2):

.start:01C001A6 FC 1C 08 B4          st.a    r16, [sp,0xC+var_10]
.start:01C001AA FC 1C 48 B4          st.a    r17, [sp,0x10+var_14]
.start:01C001AE FC 1C 88 B4          st.a    r18, [sp,0x14+var_18]
.start:01C001B2 FC 1C C8 B4          st.a    r19, [sp,0x18+var_1C]
.start:01C001B6 FC 1C 08 B5          st.a    r20, [sp,0x1C+var_20]
.start:01C001BA FC 1C 48 B5          st.a    r21, [sp,0x20+var_24]
.start:01C001BE FC 1C C8 B6          st.a    fp, [sp,0x24+var_28]

After (9.3):

.start:01C001A6 FC 1C 08 B4          push    r16
.start:01C001AA FC 1C 48 B4          push    r17
.start:01C001AE FC 1C 88 B4          push    r18
.start:01C001B2 FC 1C C8 B4          push    r19
.start:01C001B6 FC 1C 08 B5          push    r20
.start:01C001BA FC 1C 48 B5          push    r21
.start:01C001BE FC 1C C8 B6          push    fp

x86/x64

Follow indirect jumps where target is known at analysis time
Fixed MPX hintable NOP handling

PowerPC

Fixed wrong plain offset on addi instruction

RISC-V

Fixed endless auto-analysis loop
Enum members now get proper xrefs

ARM64

SVE/SME Instructions for iPhone 17 Kernel

IDA 9.3 can now decode Scalable Vector Extension (SVE) and Scalable Matrix Extension (SME) instructions used in Apple's iPhone 17 kernel:

__text:FFFFFE00082434E4    STR     Z0, [X2]
__text:FFFFFE00082434E8    STR     Z1, [X2,#1,MUL VL]
__text:FFFFFE00082434EC    STR     Z2, [X2,#2,MUL VL]
__text:FFFFFE00082434F0    STR     Z3, [X2,#3,MUL VL]
...
__text:FFFFFE00082AFF48    UZP1    V0.4S, V0.4S, V1.4S
__text:FFFFFE0008240118    ZIP1    V2.4S, V2.4S, V2.4S

These instructions were previously shown as raw bytes or undefined opcodes.

Memory Tagging Extension (MTE) Intrinsics

The decompiler now produces clean intrinsic calls for ARM Memory Tagging Extension instructions, replacing inline assembly blocks. MTE is used in iOS 18+ and Android for memory safety.

Before (9.2) - inline assembly:

__int64 __fastcall create_tag(__int64 _X0, unsigned int a2)
{
  __int64 result; // x0
  _X8 = a2;
  __asm { IRG             X0, X0, X8 }
  return result;
}

__int64 __fastcall increment_tag1(__int64 _X0)
{
  __int64 result; // x0
  __asm { ADDG            X0, X0, #0, #7 }
  return result;
}

__int64 __fastcall get_tag1(__int64 _X0)
{
  __int64 result; // x0
  __asm { LDG             X0, [X0] }
  return result;
}

__int64 __fastcall set_tag1(__int64 result)
{
  __asm { STG             X0, [X1] }
  return result;
}

__int64 __fastcall subtract_pointers(__int64 _X0, __int64 _X1)
{
  __int64 result; // x0
  __asm { SUBP            X0, X0, X1 }
  return result;
}

After (9.3) - clean intrinsics:

void *__fastcall create_tag(void *a1, unsigned int a2)
{
  return __arm_mte_create_random_tag(a1, a2);
}

void *__fastcall increment_tag1(void *a1)
{
  return __arm_mte_increment_tag(a1, 7u);
}

void *__fastcall get_tag1(void *a1)
{
  return __arm_mte_get_tag(a1);
}

void *__fastcall set_tag1(void *result, void *a2)
{
  __arm_mte_set_tag(a2, result);
  return result;
}

unsigned __int64 __fastcall subtract_pointers(void *a1, void *a2)
{
  return __arm_mte_ptrdiff(a1, a2);
}

Supported MTE Intrinsics:

Instruction

Intrinsic

Description

IRG

__arm_mte_create_random_tag(ptr, mask)

Create random tag

ADDG

__arm_mte_increment_tag(ptr, offset)

Increment tag value

GMI

__arm_mte_exclude_tag(ptr, excluded)

Get excluded tag mask

LDG

__arm_mte_get_tag(ptr)

Load allocation tag

STG

__arm_mte_set_tag(ptr)

Store allocation tag

SUBP

__arm_mte_ptrdiff(a, b)

Pointer difference ignoring tags

ARM64: Decoding of CSSC Instructions

Added decoding for comparison and min/max instructions (SMAX, SMIN, UMAX, UMIN, ABS, CNT, CTZ)

MOV/MOVK Address Construction

Disassembler and decompiler now properly optimize ARM64 address construction patterns using MOV/MOVK/MOVW/MOVT instruction sequences, even if scattered, and produce proper cross references.

Before (9.2):

.text:00000000000005FC                 MOV             X8, #0
.text:0000000000000600                 MOV             W9, #0x64AE
.text:0000000000000604                 MOVK            X8, #0,LSL#16
.text:0000000000000608                 MOVK            W9, #0x299E,LSL#16
.text:000000000000060C                 MOVK            X8, #0,LSL#32
.text:0000000000000610                 MOVK            X8, #0,LSL#48

After (9.3):

.text:00000000000005FC                 MOV             X8, #(WORD0(unk_16120))
.text:0000000000000600                 MOV             W9, #(WORD0(0x299E64AE))
.text:0000000000000604                 MOVK            X8, #(WORD1(unk_16120)),LSL#16
.text:0000000000000608                 MOVK            W9, #(WORD1(0x299E64AE)),LSL#16
.text:000000000000060C                 MOVK            X8, #(WORD2(unk_16120)),LSL#32
.text:0000000000000610                 MOVK            X8, #(WORD3(unk_16120)),LSL#48

Minor

AARCH64 Relocations: Support for MOVW_UABS_G[0-3] with custom reference handlers
iOS PAC Stubs: Improved recognition of __auth_stubs sections
BTI-enabled PLT: Recognition of Branch Target Identification-enabled ELF PLT stubs

Andes Andestar V3 NDS32

IDA now features a processor module for the Andestar V3 NDS32 architecture.

The Andes AndeStar V3 NDS32 is a patented, 32-bit, RISC-style instruction set architecture (ISA) featuring mixed 16-bit/32-bit instructions for power and code density efficiency. It is most used in a wide range of deeply embedded systems and low-power applications, such as IoT devices, microcontrollers, wearables, storage devices and drones.

Decompiler

V850 Decompiler

IDA 9.3 introduces decompiler support for the Renesas V850 (aka NEC850 aka RH850) architecture, a popular 32-bit RISC processor used extensively in automotive ECUs and industrial applications. It supports both the modern RH850 ABI and the legacy GCC V850 ABI.

void __fastcall matgen(float *a1, int a2, int a3, _DWORD *a4, int a5, int a6, int a7, int a8, float *a9)
{
  int v9; // r27
  float *v10; // r28
  int v11; // r29
  float v12; // r10
  float v13; // r11
  _DWORD *v14; // r11
  int i; // r10
  int j; // r24
  float *v17; // r27
  float *v18; // r29
  int k; // r28
  float *v20; // [sp+18h] [-10h]
  float *v21; // [sp+1Ch] [-Ch]
  int v22; // [sp+20h] [-8h]
  int v23; // [sp+24h] [-4h]

  *a9 = 0.0;
  if ( a3 > 0 )
  {
    v20 = a1;
    v23 = 4 * a2;
    v21 = a1;
    v22 = 0;
    v9 = 1325;
    do
    {
      v10 = v21;
      v11 = 0;
      do
      {
        ++v11;
        v9 = (int)(3125 * ((3125 * v9) & 0x8000FFFF)) % 0x10000;
        v12 = ((double)v9 - 32768.0) * 0.00006103515625;
        *v10 = v12;
        v13 = v12;
        if ( v12 <= *a9 )
          v13 = *a9;
        *a9 = v13;
        ++v10;
      }
      while ( v11 != a3 );
      ++v22;
      v21 = (float *)((char *)v21 + v23);
    }
    while ( v22 != a3 );
    v14 = a4;
    for ( i = 0; i != a3; ++i )
      *v14++ = 0;
    for ( j = 0; j != a3; ++j )
    {
      v17 = v20;
      v18 = (float *)a4;
      for ( k = 0; k != a3; ++k )
      {
        *v18 = *v18 + *v17++;
        ++v18;
      }
      v20 = (float *)((char *)v20 + v23);
    }
  }
}

Microcode Manipulation

The Microcode Viewer now supports deleting instructions and specifying values for registers and local variables to influence the decompilation process.

Fine Grained Control of Assignment Propagation

Added user-controllable "Forbid assignment propagation" option (available from the context menu).

Value Range Optimization

The analysis of conditionals now includes enhanced value range tracking. For instance, in a conditional such as (unsigned int)(a2 - 1) <= 5, we can determine that a2 falls within the interval [1, 6].

Real-world example:

    if ( (unsigned int)v7 >= 0xA000 )
    {
      ...
      if ( (unsigned int)(v7 - 0x1000) > 0x1000 )
      {

The second if statement is now discarded since its condition will always be true.

"Decompile all" now in IDA Home & IDA Pro Essential

Now available in IDA Home & Essential editions

Debuggers

Android 14+ native debugging

The Android debugger now properly handles Android 14 (and more recent) apps. Since PAC is becoming more prevalent also in the Android world, we also added support for properly stepping over protected indirect control flow transfer instructions (RETAA, ...).

Stack View Dereferencing

The debugger stack view now supports automatic dereferencing, matching the functionality previously available only in the register widget. View pointed-to values directly in the stack view during debugging sessions.

User Interface

Faster Dirtree Widgets

We have done a first pass of speed improvements. While IDA 9.2 could at times take a very long time to respond (esp. with large selections), IDA 9.3 will be much more pleasant to work with.

Widgets exposing tabular data should be behaving considerably better with large datasets
Search operations are now much snappier for widgets with huge amounts of entries (100k+)
Sorting & filtering (e.g., Ctrl+ F) have been improved along the way

Further performance optimizations are planned, so stay tuned!

Xref Tree

The Xref Tree widget introduced in IDA 9.2 has been significantly enhanced. The tree can now leverage the register tracker and decompiler to display known function argument values at call sites, providing immediate insight into the parameters being passed to functions without needing to navigate to each individual call site.

Additional improvements include:

Multi-selection support with standard Shift and Ctrl modifiers for batch operations
Search functionality: press / to open search, then use F3 to jump between matches (only works with data that has already been expanded in the tree)
Column management: columns can be reordered and resized, with a context menu on column headers to control which columns are displayed
Action system integration: xref tree actions can now be mapped and customized just like any other IDA GUI action, allowing for personalized keyboard shortcuts and workflow integration
Improved dark theme support on macOS

Xref Graph

This release improves mostly the graph interaction.

Now, you don't need to chase the nodes anymore, as they won't move when the cursor is hovering over them. Additionally, it's now possible to pin the nodes in place so you can always know exactly where they are - just press P to do so.
Furthermore, in order to keep the graph responsive, we've added a warning that will pop up when the graph's capacity is exceeded. This way, you won't accidentally overload the graph and cause it to slow down. The capacity can be adjusted in the configuration file.
Graph management is now located in a logical place: View → Graphs → Manage... and a lot of tiny improvements done.
Finally, the Xref Graph now supports a dark theme. Your eyes will thank us!

Jump Anywhere Improvements

Faster parallel search for large databases (improved search responsiveness)
Added support for demangled names
Improved search ranking algorithm
Better integration with the "undo" mechanism

Platform-Specific

Linux Wayland: Fixed app icon display, improved docking behavior
macOS: Dark mode toggle in toolbar, .i64 bundle type extension, DockMenu with recent files

General Improvements

System shortcuts for listing start/end navigation (Ctrl+ Home/End)
License borrowing calendar selector
Local Types: Removed redundant "Parse declarations" command

Minor

arm: detect objc stubs padding (brk #1 instructions)
ui: output: add possibility to control auto scrolling (registry setting)
ui: output: shift-click to set selections
ui: jumpanywhere: efficient indexer search algorithm

SDK & Build

Simplified build process for developers:
- The C++ SDK now supports CMake for building
- The IDAPython build process has been simplified to work with SWIG 4.2 and 4.3 from default package managers (apt on Linux, winget on Windows, brew on macOS), eliminating the need for manually-built SWIG
Direct Lumina API access via lumina.hpp (C++) and ida_lumina (Python), enabling devs to extract and apply Lumina metadata programmatically from within IDA.
Other Enhancements:
- Added get_import_entry() public function (for PE files only!)
Hex-Rays SDK: Split hexrays.hpp into 4 files for better modularity:
- hexrays.hpp (main header, reduced size)
- hexrays_ctree.hpp (C tree definitions)
- hexrays_defs.hpp (definitions and constants)
- hexrays_micro.hpp (microcode definitions)

idalib

idat -v option for verbose output
Prevent idat from deleting existing IDBs
Allow batch mode for temporary databases
-S command line switch enabled for IDA Home

Security & Third Party Dependencies

llvm: update llvm to 21.1.5
z3: update z3 to 4.15.3
pcre: update pcre to 10.47 (fixes CVE-2025-58050)
clp: update to clp 1.17.10 / CoinUtils 2.11.12
libdwarf: update libdwarf to 2.2.0

Known Issues

PySide6 crashes under Python 3.14

Spotted a bug or have a suggestion to the IDA 9.3 beta release? Let us know and contribute to IDA evolution:

via support (Early access feedback form), or
at [email protected]

Last updated 0 minutes ago

Was this helpful?