IDA: 5.3 Comparison Page

Welcome to the IDA v5.3 comparison page! Below you will find side-by-side comparisons of IDA v5.2 and v5.3 disassemblies. Please maximize the window too see both columns simultaneously.

The following original exhibits are displayed on this page:

  1. New PDB plugin - disassembly
  2. New PDB plugin - type information
  3. PIC code - MAC binary
  4. PIC code - Linux binary
  5. Better function recognition
  6. Better jump table recognition
  7. ARM (iPhone, Symbian) - PIC code
  8. ARM (iPhone) - Type information

NOTE: these are just some selected examples, there are many other improvements not mentioned on this page.

New PDB plugin - disassembly
mov edx, [ebp+arg_8]
push edx
mov eax, [ebp+arg_4]
push eax
mov ecx, [ebp+arg_0]
call linput_t__read_cache
jmp short loc_428122
; ---------------------------------------------------------------------------
loc_428107: ; CODE XREF: qlread+24j qlread+33j
or eax, 0FFFFFFFFh
jmp short loc_428122
; ---------------------------------------------------------------------------
jmp short loc_428122
; ---------------------------------------------------------------------------
loc_42810E: ; CODE XREF: qlread+1Bj
mov ecx, [ebp+arg_8]
push ecx
mov edx, [ebp+arg_4]
push edx
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ecx
call qfread
loc_428122: ; CODE XREF: qlread+Cj qlread+45j ...
pop ebp
retn 0Ch
qlread endp
mov edx, [ebp+arg_8]
push edx ; size_t
mov eax, [ebp+arg_4]
push eax ; void *
mov ecx, [ebp+arg_0]
call ?read_cache@linput_t@@QAEHPAXI@Z ; linput_t::read_cache(void *,uint)
jmp short loc_428122
; ---------------------------------------------------------------------------
loc_428107: ; CODE XREF: qlread(x,x,x)+24j
; qlread(x,x,x)+33j
or eax, 0FFFFFFFFh
jmp short loc_428122
; ---------------------------------------------------------------------------
jmp short loc_428122
; ---------------------------------------------------------------------------
loc_42810E: ; CODE XREF: qlread(x,x,x)+1Bj
mov ecx, [ebp+arg_8]
push ecx ; size_t
mov edx, [ebp+arg_4]
push edx ; void *
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ecx ; FILE *
call _qfread@12 ; qfread(x,x,x)
loc_428122: ; CODE XREF: qlread(x,x,x)+Cj
; qlread(x,x,x)+45j ...
pop ebp
retn 0Ch
_qlread@12 endp
Please note that the function names are better, they have the argument count suffixes. The function arguments have been found and correctly labeled.
New PDB plugin - type information
IDA v5.2 could not extract any type information from PDB files. The new version populates the local types window with all types, all of them ready to use. The only shortcoming we are aware of is that we can not handle nested anonymous structs and unions. We will fix this in the future.
PIC code - MAC binary
dyld_stub_binding_helper proc near
call $+5
pop eax
push dword ptr [eax+34D6Fh]
mov eax, [eax+34E53h]
jmp eax
dyld_stub_binding_helper endp
; =============== S U B R O U T I N E =======================================
; int _dyld_func_lookup(const char *dyld_func_name, void **address)
__dyld_func_lookup proc near
call $+5
pop eax
mov eax, [eax+34E43h]
jmp eax
__dyld_func_lookup endp
dyld_stub_binding_helper proc near
call $+5
pop eax
push ds:(dyld__mh_dylib_header - 1291h)[eax]
mov eax, ds:(dyld_lazy_symbol_binding_entry_point - 1291h)[eax]
jmp eax
dyld_stub_binding_helper endp
; =============== S U B R O U T I N E =======================================
; int _dyld_func_lookup(const char *dyld_func_name, void **address)
__dyld_func_lookup proc near
call $+5
pop eax
mov eax, ds:(dyld_func_lookup_pointer - 12A5h)[eax]
jmp eax
__dyld_func_lookup endp
Please note meaningful names in v5.3 and unhelpful hexadecimal offsets in v5.2. Needless to say that proper naming leads to plenty of other niceties: you will have correct cross reference information, better annotates listing, better data segment, etc.
PIC code - Linux binary
; ---------------------------------------------------------------------------
loc_4DF89BFB: ; CODE XREF: _init+90j
mov [ebx+2Ch], eax
test eax, eax
jnz short loc_4DF89C25
mov eax, [ebx-108h]
movzx edx, word ptr [eax]
mov eax, [ebx-120h]
cmp [eax+34h], dx
jz short loc_4DF89C25
movzx eax, dx
mov [esp+18h+var_18], eax
call __setfpucw
loc_4DF89C25: ; CODE XREF: _init+2Ej _init+43j
mov eax, [ebp+arg_0]
mov [ebx+37F4h], eax
mov [ebx+37F8h], edi
mov eax, [ebx-140h]
mov [eax], esi
; ---------------------------------------------------------------------------
loc_4DF89BFB: ; CODE XREF: _init+90j
mov (__libc_multiple_libcs - 4E09AFF4h)[ebx], eax
test eax, eax
jnz short loc_4DF89C25
mov eax, ds:(__fpu_control_ptr - 4E09AFF4h)[ebx]
movzx edx, word ptr [eax]
mov eax, ds:(_rtld_global_ro_ptr - 4E09AFF4h)[ebx]
cmp [eax+34h], dx
jz short loc_4DF89C25
movzx eax, dx
mov [esp+18h+var_18], eax
call __setfpucw
loc_4DF89C25: ; CODE XREF: _init+2Ej _init+43j
mov eax, [ebp+arg_0]
mov ds:(__libc_argc - 4E09AFF4h)[ebx], eax
mov ds:(__libc_argv - 4E09AFF4h)[ebx], edi
mov eax, ds:(environ_ptr_0 - 4E09AFF4h)[ebx]
mov [eax], esi
The listing on the left is not readable but the one on the right poses no problems. This is a big time saver.
Better function recognition
byte_60ACCB87 db 8Bh ; DATA XREF: .text:stru_60B0A53Co
dd 452BE445h, 75FF50E0h, 0F1C1E8E0h, 6AFFFFh, 0CDE8006Ah
dd 0CC000396h, 0CCCCCCCCh
db 0CCh
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_60ACCB87 proc near ; DATA XREF: .text:stru_60B0A53Co
mov eax, [ebp-1Ch]
sub eax, [ebp-20h]
push eax ; unsigned int
push dword ptr [ebp-20h] ; void *
call ?ScrubBuffer@@YGXPAXI@Z ; ScrubBuffer(void *,uint)
push 0
push 0
call __CxxThrowException@8 ; _CxxThrowException(x,x)
sub_60ACCB87 endp
We made numerous tiny improvements to the analysis engine. The above example illustrates just one particular case. While there are lots of similar examples, we will limit ourselves to this single snippet. Anyway, you get the idea...
Better jump table recognition
cmp [ebp+var_54], 4
ja loc_1312EB
mov edx, [ebp+var_54]
shl edx, 2
lea eax, (dword_130FD8 - 130FACh)[ebx]
mov eax, [edx+eax]
add eax, ebx
jmp eax
; ---------------------------------------------------------------------------
dword_130FD8 dd 40h ; DATA XREF: sub_130F9E+2Dr
dd 0BBh, 167h, 58h, 28Eh, 0C708458Bh, 0C40h, 458B0000h
dd 2C408B08h, 850FC085h, 1EAh, 0B455B60Fh, 8D084D8Bh, 28ED4083h
dd 89008B00h, 89182444h, 0C7142454h, 102444h, 8B000000h
dd 44891045h, 458B0C24h, 2444890Ch, 2444C708h, 304h, 240C8900h
dd 23A8BE8h, 0FC08500h, 0C084C095h, 1AF840Fh, 0B6E90000h
dd 8B000001h, 508B0845h, 8458B30h, 392C408Bh, 0AC850FC2h
dd 0F000000h, 8BB475B6h, 0C0830845h, 24048914h, 290480E8h
dd 8BC78900h, 0C0830845h, 24048914h, 29070EE8h, 8BC28900h
dd 838D084Dh, 28ED40h, 4489008Bh, 74891824h, 44C71424h
dd 1024h, 7C890000h, 54890C24h, 44C70824h, 10424h, 0C890000h
dd 3A0EE824h, 0C0850002h, 84C0950Fh, 8B4274C0h, 0C0830845h
dd 24048914h, 290424E8h, 8BC28900h, 408B0845h, 29D1890Ch
dd 89C889C1h, 45C7BC45h, 1C0h, 0BC458D00h, 4244489h, 89C0458Dh
dd 43E82404h, 8B002906h, 0B0458900h, 20CE9h, 8458B00h
cmp [ebp+var_54], 4 ; switch 5 cases
ja loc_1312EB ; default
mov edx, [ebp+var_54]
shl edx, 2
lea eax, (off_130FD8 - 130FACh)[ebx]
mov eax, [edx+eax]
add eax, ebx
jmp eax ; switch jump
; ---------------------------------------------------------------------------
off_130FD8 dd offset loc_130FEC - offset loc_130FAC ; DATA XREF: sub_130F9E+2Do
dd offset loc_131067 - offset loc_130FAC ; jump table for switch statement
dd offset loc_131113 - offset loc_130FAC
dd offset loc_131004 - offset loc_130FAC
dd offset loc_13123A - offset loc_130FAC
; ---------------------------------------------------------------------------
loc_130FEC: ; CODE XREF: sub_130F9E+38j
; DATA XREF: sub_130F9E:off_130FD8o
mov eax, [ebp+arg_0] ; jumptable 00130FD6 case 0
Another spectacular example.
We added many new jump table patterns in v5.3, for both PC and ARM.
ARM (iPhone, Symbian) - PIC code
LDR R3, =loc_145CC
ADD R3, PC, R3
MOV R0, R3 ; path
MOV R1, #0x10 ; mode
BL _dlopen
; ---------------------------------------------------------------------------
off_2720 DCD loc_145CC ; DATA XREF: sub_2550+84r
off_2724 DCD loc_145BC ; DATA XREF: sub_2550+B0r
off_2728 DCD loc_145A8 ; DATA XREF: sub_2550+D4r
off_272C DCD loc_14528 ; DATA XREF: sub_2550+164r
LDR R3, =(aUsrLibLibsyste - 0x25E0)
ADD R3, PC, R3 ; "/usr/lib/libSystem.B.dylib"
MOV R0, R3 ; path
MOV R1, #0x10 ; mode
BL _dlopen
; ---------------------------------------------------------------------------
off_2720 DCD aUsrLibLibsyste - 0x25E0 ; DATA XREF: sub_2550+84r
; "/usr/lib/libSystem.B.dylib"
off_2724 DCD a__cxa_atexit - 0x260C ; DATA XREF: sub_2550+B0r
; "__cxa_atexit"
off_2728 DCD a__cxa_finalize - 0x2630 ; DATA XREF: sub_2550+D4r
; "__cxa_finalize"
off_272C DCD aAtexit - 0x26C0 ; DATA XREF: sub_2550+164r
; "atexit"
The listing on the left is plainly wrong because IDA v5.2 did not know to handle PIC code. The new version analyzes it without any problems and without any user intervention.
ARM (iPhone) - Type information
; ---------------------------------------------------------------------------
MOV R1, R11
ADDS R0, R4, #0
ADDS R2, R5, #0
BL _strlcpy
MOVS R2, #0
ADDS R0, R4, R0
ADDS R4, R0, #1
STRB R2, [R0]
MOV R0, R11
BLX _strlen
LDR R1, =aOctet
SUBS R2, R5, R0
ADDS R0, R4, #0
BL _strlcpy
; ---------------------------------------------------------------------------
MOV R1, R11 ; char *
ADDS R0, R4, #0 ; char *
ADDS R2, R5, #0 ; size_t
BL _strlcpy
MOVS R2, #0
ADDS R0, R4, R0
ADDS R4, R0, #1
STRB R2, [R0]
MOV R0, R11 ; char *
BLX _strlen
LDR R1, =aOctet ; char *
SUBS R2, R5, R0 ; size_t
ADDS R0, R4, #0 ; char *
BL _strlcpy
IDA v5.3 uses type information for iPhone executables. Please note that function arguments have automatically been labeled. The user may specify function prototypes and use all predefined types from the macosx type library.
This is all for the moment. Please come back for more examples!