IDA: What’s new in 6.2

Highlights

  • GUI installers for Linux and OS X: no more manual extraction of tar archives for Linux or OS X.
    A new installer will be provided for ease of installation.

    Linux installer screenshot:

    OS X installer screenshot:

  • Proximity view: the proximity viewer allows the user to see and browse the relationships between functions, global variables, constants, etc.

    It can be used, for example, to visualize the complete callgraph of a program, to see the path between two functions, or to find out which global variables are referenced from a given function.

  • PE+ support for Bochs (64-bit PE files): the Bochs debugger plugin now supports debugging basic PE+ executables.
    API emulation via scripting also works as usual.


    (Screenshot of a PE+ malware being debugged with the Bochs debugger plugin)

  • UI shortcut editor: with this feature, it will be possible to change and re-assign the shortcuts of built-in IDA actions as well as the default shortcuts of plugins, external menu entries and IDC scripts.

  • UI filters in choosers: this feature will be very handy when it comes to filtering the content of choosers in order to show or highlight the items that matter.

  • Database snapshots: in this version, it will be possible to take database snapshots and restore them when needed (hierarchical snapshots are supported as well).

  • Automatic new version check: checking for new versions of Hex-Rays products has been improved. This new addition will check for new versions of IDA Pro or the Hex-Rays Decompilers.

  • Cross-references to structure members: another nice addition is xrefs to structure members. This feature comes in handy, for example, when reversing or tracking data structure use in a program.

  • ARM and iOS analysis improvements: Apple is not standing still, and in iOS 5 the default compiler will be LLVM instead of GCC. It produces somewhat different code, and we have improved our processor module to handle it. Compare two snippets of the same file.

    In IDA Pro 6.1:

    In IDA Pro 6.2:

    As you can see, we now also parse and analyze Objective-C 2.0 metadata structures produced by the compiler. Using that information, we rename methods, create structures for classes, and apply C-style prototypes to methods for better results in the decompiler.

    We have also added support for the dyld_shared_cache format used in current iOS versions.

    kernelcache files are also recognized now and are split into separate KEXTs.

  • IDAPython 1.5.3: IDAPython has been updated. The most notable additions:
    • More form control support (refer to AskUsingForm() documentation in the SDK)
    • New processor and UI notification callbacks
    • New APIs and samples
    • IDC compatible netnode support
    • ! and ? pseudo commands to execute shell commands and retrieve documentation
    • Support for extending IDC functions using Python
    • Working with patched bytes
    • Binding of hotkeys with Python functions (no need to go through IDC anymore)
  • Floating licenses: an IDA Pro floating license can be installed on many computers, but only the purchased number of seats can be used simultaneously. Floating licenses require the installation of a license manager to track license use. This feature is useful for enterprises that want to optimize their license use.

Changelist

Processor Modules
  • + 65816: A 65816 CPU module (used in SNES consoles)
  • + ARM: better tracking of cross-references in code produced by LLVM compiler (MOVW+MOVT pairs)
  • + Dalvik: decode instructions produced by dexopt (odex)
  • + HCS12X: implemented extended direct addressing (using the DIRECT (Direct Page) register)
  • + PC: improve recognition of x64 switches produced by GCC
  • + PC: most assemblers encode mov ds, ax and mov ds, eax differently; handle it in the same way
  • + PC: some sparse switches produced by Visual C++ for x64 were not recognized
  • + PC: __SEH_prolog and similar functions were not properly handled in debugged modules
  • + PC: display “66 90” as “xchg ax, ax”
  • + PPC: decode tlbie and tlbiel with an optional immediate operand
  • + SuperH: track values loaded into the gbr register
  • + Z8: added configuration file for device-specific registers, including the Extended Register File banks
  • + Z8: detect the use of different register banks by tracking changes to the register pointer (RP) value
File Formats
  • + SMC: added a SNES rom loader
  • + ELF: added support for MN10200 and MN10300 (AM33, AM34) files
  • + ELF: added support for x64 TLS relocations in object files
  • + ELF: ARM: added support for R_ARM_THM_PC8 relocation
  • + LOD: added a loader for Motorola DSP56000 .LOD files
  • + MACHO: entry point was not set properly for some packed files
  • + MACHO: parse Objective-C 2.0 metadata, rename methods, create structures
  • + MACHO: support dyld_shared_cache file format
  • + MACHO: detect OS X/iOS kernelcache files and split the image into kext subfiles
  • + PE: added support for ARMv7 relocations (MOV32T)
  • + PE: create segments for gaps between sections when complete file is mapped to memory
  • + PE: manually loading PE files will prompt before processing the export directory and the TLS entries
  • + PE: overlays can now be loaded in manual mode
  • + UImage: added a loader for U-Boot images
  • + PDB: support PDBs for ARMv7 files
Kernel
  • + Improved display of self-modifying code which changes during debugging
  • + Track cross-references to structure members
FLIRT & TILS
  • + TIL: tilib: added support for the new constructs from VC10 header files
  • + TIL: added VC10 TIL file
  • + FLIRT: pelf: added R_ARM_THM_PC8 support
Scripts & SDK
  • + IDAPython: added add_hotkey and del_hotkey() to associate hotkeys with Python functions
  • + IDAPython: added execute_sync() to insert a function call into the UI message queue
  • + IDAPython: added execute_ui_requests()
  • + IDAPython: added idautils.ProcessUiActions() to process more than one UI action at a time
  • + IDAPython: added IDC array functions in idc.py module
  • + IDAPython: added IDC hash functions in idc.py module
  • + IDAPython: Added MakeCustomData() (and related MakeCustomDataEx)
  • + IDAPython: added ph_get_operand_info()
  • + IDAPython: Added Structs() and StructMembers() generator functions
  • + IDAPython: added support for multiline text input in the Form class
  • + IDAPython: added the assemble callback
  • + IDAPython: added timer functions
  • + IDAPython: added ui_term/ui_save/ui_saved/ui_get_ea_hint UI notifications
  • + IDAPython: added visit_patched_bytes()
  • + IDAPython: better error reporting for plugin scripts, loaders and processor modules
  • + IDAPython: introduced the ‘!’ (shell command) and ‘?’ (Python help) pseudo commands to the CLI
  • + IDAPython: it is now possible to add/register new IDC functions from Python
  • + IDC: added GetNsecStamp()
  • + IDC: DecodeInstruction() now exposes the canonical feature and mnemonic
  • + IDC: it is now possible to catch IDC script interruption (with a try/catch) and resume execution if needed
  • + IDC: renimp.idc: added support for PE+
  • + SDK: added ALOPT_IGNPRINT option for get_max_ascii_length()
  • + SDK: added execute_ui_requests() to execute a list of UI requests asynchronously
  • + SDK: added extlang->run_statements() callback
  • + SDK: added find_extlang_by_name()
  • + SDK: added gen_rand_buf() to generate random data
  • + SDK: added get_ascii_contents2()
  • + SDK: added LP_USE_SHELL bit to launch_process() to launch commands using a shell
  • + SDK: added new breakpoint management functions to work with source and module relative breakpoints
  • + SDK: added qcopyfile()
  • + SDK: added qfsize() and deprecated efilelength()
  • + SDK: added qtime64_t and supporting functions
  • + SDK: added read/write_dbg_memory(), set_reg_vals() and get_dbg_memory_info()
  • + SDK: added register_addon() to allow registration of plug-ins and other add-ons for the About box
  • + SDK: added save_database_ex()
  • + SDK: added snapshot management plugin sample
  • + SDK: added snapshot manipulation functions
  • + SDK: added ui_requests plugin sample
  • + SDK: added visit_patched_bytes()
  • + SDK: exec requests can now set code = 0 inside their execute method to delegate their destruction to handle_exec_request
  • + SDK: exported base64_encode/base64_decode functions
  • + SDK: introduced ASKBTN_XXX constants for askyn() and askbuttons() functions
  • + SDK: moved debugger related functions to dbg.hpp (get_dbg_byte, etc)
  • + SDK: updated the “uunp” plugin to support PE+ when used in manual reconstruction mode
  • + SDK: Windbg: added debugger extension interface
  • + SDK: removed support for create_flow_chart() and flow_chart_t. Please use qflow_chart_t instead.
  • + SDK: UI: added a way to specify and retrieve user data in forms
  • + SDK: UI: added the close() method to form actions
  • + SDK: UI: added timers API for plugins
  • + SDK: UI: qt: added the code viewer control
  • + SDK: UI: qt: added the get_attrs callback to embedded choosers
User Interface
  • + GUI installer for Linux and OS X
  • + UI: added the proximity browser view
  • + UI: added IDA_NOEH environment variable to disable IDA exception handler on Windows
  • + UI: setting IDA_MINIDUMP=NO disables minidump writing on Windows
  • + UI: File/IDC command (Shift-F2) has been replaced with File/Script command to execute a statement with a selected extlang
  • + UI: Edit/Patch functionality is now enabled by default
  • + UI: added “Edit/Patch/Apply patches to input file” functionality to directly save the patches back to the input file
  • + UI: added combobox and multi-line edit controls to forms (AskUsingForm())
  • + UI: added a menu item “Report a bug or an issue…”
  • + UI: added a status bar context menu item for quick access to processor-specific analysis options
  • + UI: added an option to automatically check for new versions and request updates for IDA
  • + UI: added database snapshots support
  • + UI: added the ‘select nodes of this color’ right click menu command (available in the graph mode)
  • + UI: AskUsingForm_c() no longer exits IDA in case of form syntax error. Very useful when building forms dynamically from IDAPython
  • + UI: idag.exe and idau.exe are discontinued
  • + UI: idaq now uses CHM (HTML Help) under Windows
  • + UI: plugins can now be quickly executed using the “Quick plugin run” functionality (Ctrl-3)
  • + UI: qt: added the MSG_DELAYED_UPDATE configuration option
  • + UI: qt: added the shortcut editor
  • + UI: qt: all Ctrl-Ins copy shortcuts were changed to Ctrl-C
  • + UI: OSX: ‘I’ key is used in place of ‘Ins’ on OS X
Debugger
  • + Added the ‘-I’ command line switch to install IDA as a just-in-time debugger
  • + debugger: added the “event condition” debugger option to allow breaking when a debug event matches the given criteria
  • + debugger: huge zero filled arrays are displayed faster in the debugger (do not use the dup construct for them)
  • + Bochs: added an option to disable activation context and SearchPath() usage (this allows loading libraries from the current directory or search path without an activation context applied)
  • + Bochs: added support for PE+ (64-bit PE files)
  • + PDB: handle MIPS16 and ARMv7 files (low bit of the symbol address specifies Thumb/MIPS16 bit)
  • + Win32/Linux/Mac debuggers now support I/O redirection
  • + Win32 debuggers now have a new window to show the SEH list
  • + Windbg: added option to disable debugger auto launch for crash dump files
Bugfixes
  • BUGFIX: ‘edit breakpoints’ dialog was still wrong in 6.1
  • BUGFIX: ‘search for undefined address’ (Ctrl-U) was not working correctly in debugger segments
  • BUGFIX: an exception in an asynchronous execution request (execute_sync) could crash IDA
  • BUGFIX: ARM: instructions combined into macros inside IT blocks could lead to wrong disassembly
  • BUGFIX: armuclinux server was probably broken (it was using a separate thread to listen to debuggee events, but uclinux seems to have issues with that)
  • BUGFIX: associating .idb extension with idaq was broken
  • BUGFIX: Bochs debugger in disk image mode would display wrong addresses sometimes (caused by optimizer bug in VS2010 compiler)
  • BUGFIX: bochs was not handling sections with vsize==0 properly
  • BUGFIX: bochsrc loader was failing to load the boot sector of the disk images if it was larger than 4GB
  • BUGFIX: choosing a device configuration in some processors could crash IDA on Windows
  • BUGFIX: clicking on the title of a group node could crash IDA
  • BUGFIX: debthread could not handle a hung remote server correctly
  • BUGFIX: debugger: long DNS lookup for the connected peer name could lead to failure of the remote debugging session
  • BUGFIX: demangler option “no return types of functions” had no effect for Borland mangled names
  • BUGFIX: DOS: programs with Borland overlays (FBOV) were loaded incorrectly
  • BUGFIX: EPOC: imports from hal.dll were not renamed
  • BUGFIX: Executing a script that could cause a desktop switch (start or stop debugger) from the recent scripts window would crash IDA
  • BUGFIX: find_binary() was crashing if radix of 0 was passed
  • BUGFIX: find_strmem2() with STRMEM_INDEX was broken
  • BUGFIX: get_next_struc_idx(-1) was not returning -1 as it should
  • BUGFIX: get_type_size() could return >0 value for some illegal types
  • BUGFIX: High 64 bit addresses were not being parsed properly by IDAPython in idaq64
  • BUGFIX: IDA could crash if starting the application the first time failed (e.g. application path was wrong)
  • BUGFIX: IDA could interr when trying to edit an address name in stack view
  • BUGFIX: ida was failing with interr 40419 while rendering some graphs
  • BUGFIX: IDAPython: Calling set_script_timeout() from callbacks may show the script wait box dialog with no possibility to close it
  • BUGFIX: IDAPython: dbg_bpt was called instead of dbg_trace for a DBG_Hooks class implementation
  • BUGFIX: IDAPython: dbg_read|write_memory() and dbg_get_thread_sreg_base() were broken
  • BUGFIX: IDAPython: del_menu_item() was failing to delete menu items inserted in the middle of a menu list
  • BUGFIX: IDAPython: get_blob() was returning a buffer with at most MAXSPECSIZE bytes
  • BUGFIX: idapython: idaapi.get_item_head() was ignored
  • BUGFIX: IDAPython: idc.GetString()/idaapi.get_ascii_contents()/idautils.Strings() were limited to MAXSTR string length
  • BUGFIX: IDC: DelStruc() was behaving as a ‘void’ function (always returning 0)
  • BUGFIX: IDC: on OS X, macros with 6 or more arguments would cause a syntax error
  • BUGFIX: IDC: rotate_left() was broken
  • BUGFIX: if a function lost some basic blocks (for example, because the user truncated it), its flowchart might be rendered with some empty nodes
  • BUGFIX: if a read or read/write hardware breakpoint and a software breakpoint were defined at the same address, IDA would get confused when such a breakpoint was hit
  • BUGFIX: illegal graph group info in the IDB could crash IDA
  • BUGFIX: immediate search could not match the search criteria against defined data items
  • BUGFIX: import libraries for gcc under ms windows were erroneously including _alloca and _main symbols.
  • BUGFIX: in some cases IDA was trying to read memory outside of ranges provided by a debugger module
  • BUGFIX: it was not possible to suspend Bochs if the debuggee was continuously calling an API which is emulated by an IDC script
  • BUGFIX: launch_process() was crashing in unix if command line arguments were NULL
  • BUGFIX: linker directives with non-ascii characters in coff files would be displayed incorrectly
  • BUGFIX: location of relative breakpoint was displayed in absolute notation in some cases
  • BUGFIX: multithreaded Android applications could not be debugged on some devices
  • BUGFIX: non-null terminated strings were printed incorrectly for assemblers with ASCIIZ directives (such as AIX PPC assembler)
  • BUGFIX: Opening a crash dump file was failing in some cases
  • BUGFIX: opening a malicious idb could lead to launching the debugger on any file (including files accessible via WebDAV)
  • BUGFIX: PC: handling of __fastcall calling convention for Delphi was wrong
  • BUGFIX: PC: mov to/from CRn/DRn ignored the mod field and always treated the operands as registers (thanks to Ange Albertini)
  • BUGFIX: PC: type information from .til files was not used for __fastcall APIs (e.g. KfAcquireSpinLock)
  • BUGFIX: PPC: dccci instruction with non-zero operands was decoded incorrectly
  • BUGFIX: PDB: loading symbols for a module in memory (during debugging) could fail
  • BUGFIX: PDB: the old way of retrieving symbols (via dbghelp.dll) did not work for 64-bit modules loaded above 4GB
  • BUGFIX: PDB: the “Load debug symbols” command was trying to use local files even when debugging remotely
  • BUGFIX: PE loader could not properly handle relocations of type IMAGE_REL_BASED_DIR64
  • BUGFIX: PE: files with exceedingly big relocation table size could not be loaded
  • BUGFIX: PE: MIPS16 and ARMv7 exports and .pdata entries were not handled correctly
  • BUGFIX: PE: some files with bogus/huge ImageSize could not be loaded (thanks to Ange Albertini)
  • BUGFIX: qrealloc() was freeing the original pointer if allocation failed
  • BUGFIX: qsem_create() was ignoring the initial value on Mac
  • BUGFIX: qt: askfile_c() was returning paths with forward slashes (/) on Windows; this broke some old plugins
  • BUGFIX: qt: custom graphs were sometimes displaying some additional misplaced context-menu items
  • BUGFIX: qt: forms with no dialog buttons (yes, no, cancel) would cause a crash
  • BUGFIX: qt: jump buttons in the CPU Registers window were not working correctly on OSX
  • BUGFIX: Qt: On OS X, shortcuts not defined inside idagui.cfg could contain the wrong modifier
  • BUGFIX: qt: rendering on mac had problems because of a bug in the Carbon API
  • BUGFIX: qt: some actions were not disabled in the stack frame view
  • BUGFIX: qt: the jump xref action was missing in the stack frame view
  • BUGFIX: qt: the strings sub-menu was missing letter shortcuts
  • BUGFIX: qthread_kill() was freeing qthread_t in Windows; it should not
  • BUGFIX: running ida with -z10000 could lead to deadlocks or crashes (for win32/linux/mac debugger modules)
  • BUGFIX: SDK: askfile_c() default answer was not populated properly if it contained an absolute file path
  • BUGFIX: SDK: qfilesize() now returns 0 if the file is too large or does not exist (use get_qerrno() to tell the two cases apart).
  • BUGFIX: second failed attempt to launch the debugger would lead to interr
  • BUGFIX: some edges of the graph would be rendered incorrectly after deleting an uncollapsed group (only if the graph contained more than one group)
  • BUGFIX: text version of ida could hang while executing a script that handles numerous debug events
  • BUGFIX: the form change callback of AskUsingForm() may be called recursively (leading to a crash) when using fa.set_field_value()
  • BUGFIX: the function flowchart with custom layout and collapsed groups could be refreshed incorrectly in some cases
  • BUGFIX: UI: “set segment register value dialog” was still using segment selectors even if the processor module had PR_SGROTHER flag set
  • BUGFIX: UI: it was not possible to set a structure member’s type to Float from the menus
  • BUGFIX: UI: refreshing the graph was not resetting all the variables, some were still pointing to old nodes
  • BUGFIX: UI: text version was crashing when calling up “Processor-specific options”
  • BUGFIX: UI: the “Analysis enabled” checkbox in the load file dialog did not work as expected for non-x86 files
  • BUGFIX: UI: the notepad text could exceed the maximum size and overwrite other blob indexes
  • BUGFIX: under Windows, IDA still loaded a plugin even if it was renamed to e.g. plugin.plw1 (because the short name extension was still .plw)
  • BUGFIX: Windbg 64bit was always proposing to run the dbgsrv even for 32bit apps
  • BUGFIX: Windbg debugger in kernel mode would show one big segment called MEMORY in some cases
  • BUGFIX: windbg debugger plugin was ignoring the DBGTOOLS value in ida.cfg
  • BUGFIX: Windbg plugin was not able to restore absolute breakpoints on the process start if the memory was not already mapped
  • BUGFIX: Windbg plugin was not working properly in kernel debugging with reconnect mode
  • BUGFIX: Windbg: re-attaching to the kernel debugger may in some cases yield an empty module list (in the modules list window)
  • BUGFIX: Windows plugins that used create_flow_chart() function (e.g. Color Loops) were crashing IDA 6.1.
  • BUGFIX: IDAPython: calling reserve() on a movable type regvals_t was crashing due to regval_t.clear() with garbage values