IDA Pro 5.7 highlights
Debuggers
Among the various changes and additions to the debugger kernel and modules, we:
- added support for MMX/XMM registers:
- added more actions to the modules window:
  - Load debug symbols: Load additional PDB symbols
  - Jump to module base: Jumps to the module base in the current view
  - Analyze module: Converts the module segments to non-debugger segments and analyzes the module. Handy when analyzing crashdump files
- added Bochs 2.4.2 support.
Bochs 2.4.2 introduced range read/write physical watchpoints. If a watchpoint is added from the Bochs command line interface, IDA Pro will suspend execution when the watchpoint triggers.
Bochs Linux debugger plugin
If you found the Bochs debugger plugin useful in the past (e.g. for low-level programming, malware analysis and code snippet emulation), you can now take advantage of the same functionality under Linux / MacOS.
Please refer to the tutorial to learn more about how to configure and use the plugin.
(Debugger running under Ubuntu 9 x86)
Apart from bug fixes and minor speed improvements, we added non-invasive debugging support. The ability to attach to processes that are already being debugged comes in handy when you want to create crashdumps or inspect handles and other kernel objects.
Make sure you enable this option from the Debugger/Debugger Options/Specific debugger options dialog:
If you are debugging 64-bit applications using idag64, the Windbg plugin will offer to run the debugger server for you automatically:
When the debugger server is no longer needed make sure to terminate it.
Processor modules and Plugins
It is now possible to write scriptable loaders, processor modules and plugins. If you always wanted your scripts to execute automatically when a database is loaded and to unload/deinitialize when the database is closed, turn your script into a plugin script with just a few additional lines of code.
If we get enough requests about writing debugger modules using scripts, we may add this facility in the future.
We refactored and improved the IDAPython plugin (now version 1.4.0) and the extlang_t interface, adding new facilities to call object methods, query properties and so on.
This has led to significant speed gains, as demonstrated by Ero Carrera’s blog post.
We also documented, with example scripts, all the manually wrapped functions and utility classes that were previously poorly documented. Please refer to the documentation of the pseudo-module pywraps for more information.
The graphical user interface
We made some last-minute changes to the GUI, and some of the features described before have changed:
- The recent scripts window can be configured to be a dockable window or a modal dialog (check idagui.cfg / RECENT_SCRIPTS_MODAL)
- No need to hold the Alt key to jump to identifiers: simply double-click the identifier
- The Output window is now searchable: use Alt-T to start a search and Ctrl-T to find the next match
Kernel and processor modules
We have added support for almost all ARMv7 instructions, including NEON (aka Advanced SIMD). NEON instructions can be found in the code made for Cortex-A8 processors, such as the one in iPhone 3GS and iPad.
Because ARM uses a new, unified syntax for NEON and VFP (Vector Floating Point) instructions in ARMv7, we use the new syntax if NEON is enabled. Otherwise we still display the old mnemonics for VFP instructions, as they are what most people are used to.
The only ARMv7 instructions still missing are the ThumbEE instructions, which are intended for JIT compilation of bytecode-based languages. We have not yet encountered any real-life code using them.
You can choose which architecture version to use when disassembling ARM code. This can be done interactively in the “Processor-specific options” dialog:
via the command line:
idag -parm:ARMv6T2 firmware.bin
or by editing IDA.CFG:
ARM_DEFAULT_ARCHITECTURE = "ARMv6";
For ARM Mach-O files or ELF files that include EABI attributes, the architecture version is set automatically from the flags in the file.
MIPS module
We have improved the register tracing, and now almost all indirect code and data references are recognized. Here is one of the many samples:
We have also added decoding of the MIPS16e instructions (jrc, jalrc, save, restore, etc.).
PC module
One small but important new feature is improved parsing of SEH (Structured Exception Handling) in Win32 files. It is especially useful when disassembling drivers, which use SEH extensively.
Notice that the finally handler is no longer converted into a separate function (as it used to be, because of the call), but is correctly added to the main function.
Python processor modules
We added two new processor module scripts written entirely in Python. They can be used as a template when developing your own.
- ebc.py: EFI Byte Code processor module:
- msp430.py: the MSP430 is a simple 27-instruction 16-bit RISC processor from TI.
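To show what the analysis stage of such a processor module script has to do, here is an added example (not IDA's msp430.py, and plain Python so it runs outside IDA) that decodes the three MSP430 instruction formats: it splits the opcode fields, resolves the addressing modes and constant generator, consumes extension words and reports the instruction size, which is what a linear sweep advances by. Mnemonic spellings (jnz/jz rather than jne/jeq) and the operand formatting are my choices, not IDA's.

```python
# Opcode-field -> mnemonic tables for the 27 core MSP430 instructions.
FMT1 = {4: "mov", 5: "add", 6: "addc", 7: "subc", 8: "sub", 9: "cmp",
        10: "dadd", 11: "bit", 12: "bic", 13: "bis", 14: "xor", 15: "and"}
FMT2 = ["rrc", "swpb", "rra", "sxt", "push", "call", "reti"]
JUMPS = ["jnz", "jz", "jnc", "jc", "jn", "jge", "jl", "jmp"]
REGS = ["pc", "sp", "sr"] + ["r%d" % i for i in range(3, 16)]

def decode(code, pos=0, base=0):
    """Decode the instruction at byte offset pos of code (loaded at address base);
    returns (text, size_in_bytes). Extension words are read in fetch order: src, then dst."""
    word = lambda off: int.from_bytes(code[off:off + 2], "little")
    w, size = word(pos), 2
    def operand(reg, mode, is_dst=False):
        nonlocal size
        if not is_dst and (reg == 3 or (reg == 2 and mode >= 2)):  # constant generator
            return "#%d" % ((0, 1, 2, -1)[mode] if reg == 3 else (4, 8)[mode - 2])
        if mode == 0:
            return REGS[reg]
        if mode == 2:
            return "@" + REGS[reg]
        if mode == 3 and reg != 0:
            return "@%s+" % REGS[reg]
        ext, size = word(pos + size), size + 2        # indexed, or @pc+ immediate
        if mode == 3:
            return "#0x%x" % ext
        if reg == 2:
            return "&0x%x" % ext                      # absolute: SR as base register
        return "0x%x(%s)" % (ext, REGS[reg])          # indexed; symbolic when reg is pc
    op, bw = w >> 12, ".b" if w & 0x40 else ""
    if op >= 4:                                       # Format I: two operands
        src = operand((w >> 8) & 0xF, (w >> 4) & 3)
        dst = operand(w & 0xF, (w >> 7) & 1, is_dst=True)
        return "%s%s %s, %s" % (FMT1[op], bw, src, dst), size
    if op >> 1 == 1:                                  # bits 15-13 == 001: relative jump
        off = (w & 0x3FF) - (0x400 if w & 0x200 else 0)   # 10-bit signed word offset
        return "%s 0x%x" % (JUMPS[(w >> 10) & 7], base + pos + 2 + 2 * off), size
    if w >> 10 == 4 and ((w >> 7) & 7) < 7:           # 0x1000-0x13FF: Format II
        idx = (w >> 7) & 7
        return ("reti" if idx == 6 else
                "%s%s %s" % (FMT2[idx], bw, operand(w & 0xF, (w >> 4) & 3))), size
    return ".word 0x%04x" % w, size                   # not one of the 27 core instructions

def disassemble(code, base=0):
    """Linear sweep: decode each instruction in turn, advancing by the size it reports."""
    pos, out = 0, []
    while pos < len(code):
        text, size = decode(code, pos, base)
        out.append((base + pos, text))
        pos += size
    return out
```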
We hope that the new features make your reversing job easier. Please feel free to send us comments, suggestions and feature requests.