IDA: What’s new in 6.6

x64 Decompiler

It was tough and it required even more research than was planned but finally it arrived. The 64-bit decompiler for x64 code is as simple to use as our other decompilers, and fast as well. Below is very short disassembly listing and the decompiler’s output for it:

Naturally, it is the very first version and some edges are still rough, but overall it can handle real world code very well.

Dalvik Debugger

Since Android devices become more and more popular, we implemented a debugger for them. It can debug both on the Dalvik bytecode level and on the source code level. Below is a picture showing the bytecode debugging:

And this is the same application on the source code level:

Naturally, the user can switch between the two views any time.

IDA knows about the Dalvik objects and show them in a structured way (if the debug info was not stripped):

Please see our Dalvik debugging tutorial for more info!

PySide is shipped with IDA

The title says it all. Since it is easy to create nice interactive plugins with PySide, we decided to include it with IDA. Now all IDA copies will have it properly installed and configured, so as a plugin writer you can rely on its existence!

UI improvements

Many small but useful features have been added or improved. Here’s just a few:

  • Multiline breakpoint conditions

    Python users will love this: now it is possible to write a multiline condition right in the ‘edit breakpoint’ dialog box. IDA even accepts function definitions there!

  • Functions can be used in IDC snippets

    Now you can use the same scripts as in separate .idc files: IDA will compile all functions present in the script and run the main() function, if it’s present.

Complete changelist

  • Processor Modules
    • ARM: decode ARMv7 optional Virtualization Extension instructions (HVC, ERET, banked register MRS/MSR)
    • ARM: decode optional ARMv7-A instructions SDIV and UDIV
    • ARM: decode the stand-alone “second half of Thumb BL instruction” as “BL LR, #imm”, if currently selected processor does not support Thumb-2
    • CLI/.NET: put user strings into a pseudo-segment (e.g. so that they can be deobfuscated)
    • CLI/.NET: use full names when naming methods; this reduces naming conflicts and makes the Function List more useful for .NET binaries
    • MIPS: added support for n32/n64 ABI
    • MIPS: when tracking registers, assume that $t9 is initialized with the function’s address
    • PC: Added a GCC switch idiom.
    • PC: handle morte non-optimized GCC switch patterns
    • PC: handle non-PIC form of GCC x64 switch (jmp ds:table[reg*8])
    • PC: improve analysis of functions that use __EH_prolog3 helpers
    • PC: improved prolog analysis
    • PPC: support for additional instructions available in some Freescale e200z cores (Volatile Context Save/Restore APU and EFPU2)
    • Tricore: support for architecture V1.6
  • File Formats
    • COFF: added support for EBC object files
    • COFF: recognize and load Visual C++ /GL files (link-time code generation). Note: since such files contain custom Microsoft bytecode, the code can’t be disassembled.
    • DWARF: (basic) support for runtime GCC 4.8.2-produced DWARF4 information.
    • DWARF: Allow the plugin to mark function prototypes as being definitive (so e.g. the decompiler can rely on them).
    • DWARF: At load-time, it is now possible to fine-tune the DWARF plugin regarding calling conventions.
    • DWARF: Can now configure whether DWARF data should be loaded when in batch mode.
    • DWARF: Initial support for Golang-produced DWARF debugging information.
    • ELF: added support for some ARCompact relocations
    • ELF: MIPS: use DT_MIPS_GP_VALUE to determing the executable’s gp register value
    • PE: better handling of files where .idata is merged into .rdata
    • PE: IA64: handle IMAGE_REL_BASED_IA64_IMM64 relocations
    • PE: improve debug directory formatting
    • PE: parse new fields in the Load Configuration Directory added in Windows 8.1 (control flow guard metadata)
    • PE: X64: parse .pdata section at load time and create function boundaries accordingly.
    • PDB: added support for annotations (e.g. NT_ASSERT macro in checked builds)
  • Kernel
    • improved printing of unicode strings in the watch view, locals, and in the ‘export data’ command
    • argument locations in function prototypes are specified with @<reg>; the old syntax <reg> is accepted too for the moment; we will suppress it in the next release
  • Decompilers
    • introduced is_mul_ok() helper function to represent multiplication overflows checks
    • introduced qmemcpy() which always copies byte by byte, from low to high addresses
    • added recognition of inlined bswap() function
    • double clicking on a label jumps to it
    • the decompiler may use __spoils keyword to specify registers that are not spoiled by the function
    • improved recognition of register save/restore patterns
    • ‘volatile’ keyword can be used to override constness of an individual item
    • if an int 2Ch instruction has NT_ASSERT() comment (e.g. extracted by the PDB plugin from PDB annotations), show it as NT_ASSERT() macro call instead of just __int2c()
  • FLIRT, TIL & IDS
    • FLIRT: added EBC startup signature for PE (EFI) files
    • PCF: handle EBC object files
  • Scripts & SDK
    • IDAPython: Don’t intercept SIGPIPE, SIGXFZ, SIGXFSZ & SIGINT signals on Unix platforms; leave them for IDA to handle.
    • IDAPython: added the decompiler bindings
    • IDAPython: Expose simpleline_t type to IDAPython. That lets the user to set the bgcolor & text for each line in the decompilation.
    • IDC: added “elang” attribute to the Breakpoint class (scripting language for the breakpoint condition)
    • installer/Windows: check if Python actually works after installing; offer user to retry the installation
    • SDK: added askfile2() for extended open/save file dialog with support for file masks
    • SDK: added ‘extlang_changed’ IDP event
    • SDK: added qstring methods ltrim(), rtrim(), trim2()
    • SDK: added support for custom arglocs
    • SDK: check_process_exit() now has a ‘timeout’ argument
    • SDK: form_actions_t is extended with set/get methods for fields of different types to enable compile-time argument type checking
    • SDK: replaced addblanks() by a safer function add_spaces(), which accepts the buffer size
  • User Interface
    • UI: scripting language for the condition field can be specified for every breakpoint separately
    • UI: breakpoint conditions can now be multi-line (use “…” button to open a multi-line editbox)
    • UI: Ctrl-C/Ctrl-Ins copies the currently highlighted text to clipboard (if there is no selection)
    • UI: export_data plugin will now offer to export the item under cursor if there is no selection
    • UI: OSX: IDA’s main window will now appear as the top level window on OSX when idaq is started with an IDB file on the command line
  • Debugger
    • debugger: IDA reacts faster to the cancel button while searching for binary patterns
    • debugger: now it is possible to stop a long memory snapshot retreival
    • GDB: added an option to enable/disable the use of stub’s single-stepping support for some broken systems (e.g. MIPS or ARM Linux)
  • Bugfixes
    • BUGFIX: 78K0S: instruction “MOV [HL+byte], A” was decoded incorrectly (displacement was always zero)
    • BUGFIX: a reference to a wrongly defined type was considered to be equal to a valid reference (fortunately this occurs rarely)
    • BUGFIX: ARC: some instructions setting flags were decoded without the .f suffix
    • BUGFIX: arglocs for vc32 fastcall CC: only UDT pointers are passed on the stack, hidden arguments (e.g. ‘this’) distribute according to ‘fastcall’ policy
    • BUGFIX: ARM: arm64 instruction aliases BFI and BFXIL were decoded incorrectly
    • BUGFIX: ARM: autoanalysis could loop indefinitely in some rare situations when there was a bogus xref into the middle of a macro instruction
    • BUGFIX: bfltldr.py was not working anymore.
    • BUGFIX: btree compress could produce a corrupted base
    • BUGFIX: creating an array type with wrong array attributes could crash IDA or create wrong type
    • BUGFIX: debugger: when attaching to x64 process without an existing database, “IP” and “SP” special registers were detected incorrectly
    • BUGFIX: Debugging an ASLR-enabled binary (which will rebase the IDB) was not rebasing the navigation history.
    • BUGFIX: During breakpoints export operation always export hardware breakpoint sizes
    • BUGFIX: DWARF loading could crash IDA in certain circumstances involving complex graphs of objects with variations (i.e., whose padding bytes are re-used when inherited.)
    • BUGFIX: ELF: dynamic info could be parsed incorrectly for some uClibc files
    • BUGFIX: Fixed exporting of breakpoints with complex conditions, which contains quoted strings
    • BUGFIX: fixed internal error that could occur when loading a pdb file with unaligned bitfields
    • BUGFIX: fixed interr 603
    • BUGFIX: Fixed representation of the chooser filters in “Modify filter” dialog. The collumn was always shown as ‘*’
    • BUGFIX: fixed wrong direction of the floating point conversion
    • BUGFIX: function argument location could be calculated incorrectly for arguments containing unaligned union fields (gcc64)
    • BUGFIX: function argument location was calculated incorrectly for some structures containing arrays as members
    • BUGFIX: GDB: duplicate threads could appear in the thread list in some situations
    • BUGFIX: GDB: maximum packet size was not respected when doing memory writes
    • BUGFIX: GDB: SendDbgCommand() with PIN’s GDB backend would take at least one second (value or of the GDB timeout setting)
    • BUGFIX: GDB: when single-stepping in some thread, IDA could issue a “continue” packet for another thread instead
    • BUGFIX: hexrays: “add pseudocode comments” was broken
    • BUGFIX: hexrays: an indirect call to a noret function in the middle of a function was not supported
    • BUGFIX: hexrays: ARM decompiler could generate references to wrong (unexisting) global variables in some cases
    • BUGFIX: hexrays: ARM decompiler could miss some return instructions and represent them as JUMPOUTs
    • BUGFIX: hexrays: (ARM) if the user turned off macros after analyzing the database, the decompiler could interr or generate wrong output
    • BUGFIX: hexrays: (ARM) big endian decompilation had constant halves swapped
    • BUGFIX: hexrays: decompiler could create overalpping input arguments and later interr
    • BUGFIX: hexrays: decompiler could erroneously optimize away some expressions like ‘x*N & M’ and replace them with zero
    • BUGFIX: hexrays: decompiler could interr if 32-byte enum type was defined (too wide)
    • BUGFIX: hexrays: decompiler could interr on a comma operator whose type is a bitfield
    • BUGFIX: hexrays: decompiler could interr on some variadic functions
    • BUGFIX: hexrays: decompiler was always moving register arguments to the beginning of the argument list in the pseudocode window
    • BUGFIX: hexrays: def-list for strcat() was sometimes calculated incorrectly
    • BUGFIX: hexrays: enabled negation of 128-bit values, apparently they can occur even in 32-bit programs
    • BUGFIX: hexrays: expression like “(x * N) < 0” could be optimized wrongly in some rare cases
    • BUGFIX: hexrays: fixed a couple of minor memory leaks
    • BUGFIX: hexrays: fixed interr 50375
    • BUGFIX: hexrays: fixed interr 50396
    • BUGFIX: hexrays: fixed interr 50513
    • BUGFIX: hexrays: fixed interr 50708
    • BUGFIX: hexrays: fixed interr 50715
    • BUGFIX: hexrays: fixed interr 50860
    • BUGFIX: hexrays: fixed interr 51049
    • BUGFIX: hexrays: ftst instruction was not decompiled
    • BUGFIX: hexrays: hints for union members were wrong (off=N; where N is the member number, not the offset)
    • BUGFIX: hexrays: if the return value of a function call was used but could not influence the logic of the program, the call could be optimized out, which is wrong
    • BUGFIX: hexrays: movd/movq insructions with a register destination were decompiled incorrectly
    • BUGFIX: hexrays: recursive patterns could be applied wrongly and lead to an interr
    • BUGFIX: hexrays: ScreenEA() would sometimes return BADADDR in the decompiler view because some pseudocode locations cannot be mapped to an address. Now it tries to return the closest EA, or the function’s EA in the worst case.
    • BUGFIX: hexrays: the rule to recognize signed modulo by power2 could interr
    • BUGFIX: HT_VIEW example plugin could crash on non-graph views.
    • BUGFIX: IDA could crash trying to print a function declaration (a function returning a pointer to an array of pointers to arrays)
    • BUGFIX: IDA could interr when parsing “int func(int,void)”
    • BUGFIX: IDA could not attach to a remote PIN debugger – tried to launch a local pintool instance instead
    • BUGFIX: IDA could stop with internal error 498 when loading some pdb files
    • BUGFIX: IDA graphs could become corrupted, or even crash IDA, on some versions of linux.
    • BUGFIX: IDA now starts up in the foreground when run from the command line on mac (instead of hiding behind the terminal window)
    • BUGFIX: IDA would crash if the __FILE__ macro was used in a function prototype
    • BUGFIX: IDA would fail to import huge (>0x1FFFFFFF bytes) structures from pdb files
    • BUGFIX: IDA wouldn’t display, in the ‘Use standard symbolic constant’, enum values that have bit 31 set to 1.
    • BUGFIX: IDA could behave incorrectly under Wine due to a bug exposed by the differences in Wine’s MSVCRT implementation
    • BUGFIX: IDA could crash when loading big PE files with zero-filled areas
    • BUGFIX: idaw.exe could crash upon closing the database
    • BUGFIX: IDAPython: for non-code locations, idc.GetOpnd() would create instructions instead of returning empty result
    • BUGFIX: IDAPython: idb_event::area_cmt_changed was never received in IDB_Hooks (and descendants)
    • BUGFIX: IDAPython: idb_event::ti_changed, and idb_event::op_ti_changed notifications were not accessible in IDAPython
    • BUGFIX: IDAPython: op_t.value was truncated to 32 bits under IDA64.
    • BUGFIX: IDAPython: print_tinfo() wouldn’t return a valid string.
    • BUGFIX: IDAPython: readsel2() was not usable.
    • BUGFIX: IDAPython: read_selection() was buggy for 64-bit programs.
    • BUGFIX: IDAPython: StructMembers() considered holes in structures, and didn’t properly iterate through the whole structure definition.
    • BUGFIX: IDAPython: There was no way to call calc_switch_cases() from IDAPython.
    • BUGFIX: IDAPython: when using multi-select/multi-edit choosers, erroneous event codes could be sent at beginning & end of batch deletion of lines.
    • BUGFIX: IDAPython: When, in a PluginForm#OnCreate, the layout of IDA was requested to change (for example by starting a debugging session), that PluginForm could be deleted and create an access violation.
    • BUGFIX: IDC/Python: GetTinfo(“”) was causing an interr
    • BUGFIX: IDC/Python: SetType would work incorrectly if an invalid string was passed
    • BUGFIX: If closing of one of DockWidget causing the closing of other DockWidgets then changing (reset/load) of desktop layout crashed Ida.
    • BUGFIX: if the user renamed the segments to use dummy segment names like segXXX, IDA would be unable to find such segments by name
    • BUGFIX: In flat rendering mode, standing on a border line of an instruction (i.e., “——-“) that is located right before data, and pressing ‘C’ to make code (in order to turn that data into code), could scroll the view by 1 line if the MakeCode command failed.
    • BUGFIX: In graph view, leaving the mouse on an edge wouldn’t show “To:/From:” hints anymore.
    • BUGFIX: in graph view, we can now highlight text by dragging the mouse outside the boundary of a node.
    • BUGFIX: In some cases, switching from flat view to graph view could have the side-effect of moving the cursor down by one or more lines, which changes the EA.
    • BUGFIX: incorrect handling of argument location (gcc64) for some nested unions and unions containing big structures as members
    • BUGFIX: Instances of type tinfo_t couldn’t be properly used when they were aggregated by other types.
    • BUGFIX: it was impossible to check out the IDA Pro floating license if both Starter and Pro licenses were present
    • BUGFIX: kernel: reloading a binary file would work incorrectly if extra segments were added before the file data
    • BUGFIX: kernel: user-defined offsets with “subtract” flag set were not working properly for processors that implement ph.translate callback (e.g. MIPS)
    • BUGFIX: M68K: ColdFire instructions REMU.L/REMS.L were decoded as DIVU.L/DIVS.L
    • BUGFIX: Mach-O loader’s check for valid section index was not correct.
    • BUGFIX: MACHO: zeroed out symbols were incorrectly considered as imports with unknown names
    • BUGFIX: Middle-button clicking anywhere to the right of a rightmost tab would crash IDA.
    • BUGFIX: MIPS module was not marking switch instructions with a special mark (as it is done for x86 code, for example)
    • BUGFIX: MIPS: arguments in fpu registers were not properly commented in __usercall prototypes
    • BUGFIX: Moving the structures in the structures window didn’t work as expected.
    • BUGFIX: Once pulled out from the main window, a PluginForm (or derivative) might not receive events properly anymore.
    • BUGFIX: opening a file with the name starting with @ would lead to a fatal error (instead of a nice error message)
    • BUGFIX: PC: register tracker could incorrectly use previous register values after a popad instruction, leading to wrong comments
    • BUGFIX: pdb with a union of bitfields would cause an internal error
    • BUGFIX: PE: IDA on Linux/OS X would crash when trying to load .NET filles without a User Strings stream
    • BUGFIX: PPC: “branch always” instruction had a hidden condition field operand, even though condition is ignored for it
    • BUGFIX: PPC: use/change operand flags were set incorrectly for some instructions
    • BUGFIX: PPC: IDA could crash due to stack overflow when analyzing some long functions
    • BUGFIX: Pulling the miniview out could cause a crash.
    • BUGFIX: Regex-based filters could be un-applied once the “Modify filters…” window was closed.
    • BUGFIX: reloading the input file with wrong PE file could lead to interr
    • BUGFIX: Renaming a group node by clicking on the ‘rename’ icon didn’t repaint.
    • BUGFIX: Rewritten the wrong algorithm for the areas moving
    • BUGFIX: SDK: call_system() with NULL or empy string argument did not create an interactive shell as expected
    • BUGFIX: SDK: func_item_iterator_t() could stop enumeration prematurely if the starting address was in a tail chunk
    • BUGFIX: SDK: get_output_curline()/get_output_cursor() were returning wrong results if wrapped lines were present in output
    • BUGFIX: SDK: it was impossible to override default behavior of some output window events (msg_click, msg_dblclick, msg_keydown)
    • BUGFIX: SDK: next_unknown() could return wrong result for sparse storage
    • BUGFIX: size of an empty base class can be reported as 1 byte in some (rare) circumstances
    • BUGFIX: Some jmp instructions could create “function chunks” in some inappropriate places (e.g., .plt stubs.)
    • BUGFIX: Some proximity browser graphs could cause IDA to crash.
    • BUGFIX: the application bitness (32 or 64 bit) was not set in some cases
    • BUGFIX: The DWARF plugin could interr on some erroneous DWARF data for complex types.
    • BUGFIX: the type of a struct member would not be displayed when pressing ‘F’
    • BUGFIX: tinfo_t objects created from IDAPython could cause an assertion failure at exit time.
    • BUGFIX: type comparison was not taking into account the pointer attributes
    • BUGFIX: Tricore: some xrefs were created with incorrect type
    • BUGFIX: TXT: the “OS Shell” command did not work
    • BUGFIX: UI: creating an array of structs in the struct window could fail
    • BUGFIX: UI: double-clicking on addresses when using WinDbg debugger did not always work as expected
    • BUGFIX: UI: exclude filters on ‘(any)’ column could fail filtering the list of data.
    • BUGFIX: UI: in the message about insufficient disk space, “available” space could be displayed as zero.
    • BUGFIX: UI: it was impossible to stop the process of taking a memory snapshot while big segments were being processed
    • BUGFIX: UI: on OS X, IDA would report “Unknown C++ exception” instead of “Out of memory” error
    • BUGFIX: UI: if an overly long trace description was entered, IDA would crash (Thanks to Alberto Garcia Illera who reported this bug)
    • BUGFIX: Usage of IDAPython’s DropdownListControl was broken.
    • BUGFIX: valid-position range information was missing when moving a structure around.
    • BUGFIX: When “recent files” history was set to more than 10, the entries past 10 in the “File” menu wouldn’t be numbered.
    • BUGFIX: When debugging, variables of type ‘*’ that were stored directly in a register were not properly printed in the “Locals” view.
    • BUGFIX: when importing PDB info, some bitfields would be imported incorrectly
    • BUGFIX: When in graph view, modifying a function so as to change its structure wouldn’t always refresh the graph.
    • BUGFIX: When the program is rebased, the location history is rebased as well.
    • BUGFIX: When the user would pull the miniview out, move out of the graph view to the decompilation view, come back to the disassembly view, the floating window would take focus, and actions could be dispatched to the decompilation view instead of the graph view.
    • BUGFIX: When using a non-default color palette, re-setting a node to its default color could lead to glitchy rendering where node margins are white, & the rest of the node is colored.
    • BUGFIX: with some IDBs, IDA would start with an oversized arrows window, causing the disassembly view to be squeezed to the right and barely visible.