IDAPython has been modified considerably. We manually wrapped many new functions and classes, and all manually wrapped functions are documented. Online documentation is here: idapython_docs
Some "idaapi.cvar" variables have been moved to "idaapi.". In particular, the idaapi.cvar.cmd is now accessible as idaapi.cmd.
The recent script box (Alt+7) and run Python script (Alt+9) have been replaced with Alt+F7 and Alt+F9 respectively.
Plugins can be implemented in Python or IDC.
See samples in "sdk\plugins\script_plg"
Processor modules can also be implemented in Python or IDC. We have added many SDK functions to IDAPython to support processor modules. See:
- sdk\module\script\ebc.py: EFI Byte code processor module. It works with EBC PE files.
- sdk\module\script\msp430.py: MSP430 is a simple 27-instructions 16-bit RISC processor from TI.
- sdk\module\script\proctemplate.py: Processor module script template
If you analyze iPhone/iPad files, the following improvements are essential:
- parsing of the LC_DYLD_INFO and LC_ROUTINES loader commands (more names are recovered)
- improved tracing of register values for ARM that discovers more references
- improved offset auto-conversion: you should now see fewer false positives (e.g. no xrefs into the middle of instructions)
- indirect calls via register are resolved when possible, and a comment is added with the final address
- better Thumb/ARM mode switch tracing
- when splitting segments, the T register is not reset to 0; the old value at the split point is reused
- support for PIC code generated by GCC 4.4.x (GOT loading)
- various other fixes and improvements
- ARM architecture options for disassembly can be configured in the UI (Processor-specific options), in IDA.CFG or on command line (see documentation; ARMv6 is default)
- for Mach-O files and ELF files with EABI attributes the architecture is set automatically according to the flags in the binary
- support for NEON SIMD instructions (available if ARMv7 is selected); they are commonly found in the current iPhone/iPad files
- when ARMv7 is selected, a unified syntax is used for VFP and NEON instructions (Vxxx instead of old Fxxx)
You can define your own data types. For more details, see:
Also check out "sdk\plugins\custview\custview.cpp" and IDAPython\examples\ex_custdata.py
We have ported the bochs debugger plugin to Linux. See this tutorial to learn how to configure and use it. The plugin functions similarly to the Windows bochs debugger plugin except that you need to set up environment variables and copy some Windows DLLs to Linux.
The PDB plugin now works without having the MS DIA DLLs registered in the system (i.e. no need to install the full Visual Studio). It is enough to either install the VS 2005 or 2008 runtime redistributable or copy msdiaNN.dll into IDA's directory. It now imports many more types from PDB files with private symbols.
We improved WinDbg support:
- Added non-invasive debugging support. You may find this feature useful if you want to attach to a program that is already being debugged.
- The plugin will not automatically set the PDB path to %TEMP%\ida, one has to manually specify the symbol path (_NT_SYMBOL_PATH env var or .sympath command)
- Minor bug fixes and speed improvements
- Typing ".reload /f" will update the symbols state in the UI as well
Alt-F7: opens a script file.
Alt-F9: opens the recent scripts chooser, where you can use:
- Ctrl+E to edit
- Del to delete
- Ins to insert a new script to the list
Please find more information here about the -t and -S switches
We replaced the listbox with a richtext control, allowing users to:
- double click on any identifier or address to jump to it if applicable
- select and copy portions of text
- search for text in the log
- Jumping to debug names automatically creates code
- Right-click on a module in the Modules window offers to jump to the module base
- debugger: added support for MSR, XMM and MMX registers
- debugger: added support for model-specific registers (win32)
- breakpoints: breakpoints have a flag to allow the kernel to invalidate memory layout and contents before evaluating a script condition
- added DbgByte/DbgWord/DbgDWord functions to read debuggee memory directly
- the breakpoint list window also shows the instruction comment