Welcome to IDA 7.2!
We have a lot of news this time, but let us start with the most desired and requested item: support for ARMv8.3 instructions. With the advent of the new iPhone XS, many reverse engineers started to stumble on these new instructions. Besides, they include a new security mechanism: Pointer Authentication Code (PAC), which signs pointers (return addresses, function pointers) with a key and verifies the signature before the pointer is used. It makes exploiting memory-corruption vulnerabilities much more difficult, but supporting it required modifications to our file parsing and analysis methods. And yes, the upcoming IDA Pro supports it nicely:
The decompiler supports them too and can show the PAC verifications in the output code as compiler intrinsics, or hide them, which is the default behaviour:
When loading an iOS12 kernelcache in IDA 7.1, many pointers lead nowhere and kexts are not detected.
In IDA 7.2, pointers are resolved correctly and kexts are marked up.
Speaking of dyld caches, one of the common complaints we've had is that usually you have to choose between loading a complete cache to see all modules (which takes forever) and loading a single module (and then seeing pointers lead nowhere when they point to other, unloaded modules). We tried to address this with the "load module with dependencies" option, but it turned out to be quite limited in practice.
Now you don't have to choose anymore! Even if you load a single module and see a red-colored pointer denoting non-existent memory, just right-click it to load the missing module into the database:
Wait a little for the load to finish, and repeat as necessary for other addresses:
...and navigate to the destination to continue analysis!
Naturally, this only works as long as you still have the original cache file present, but it should still speed up your work.
By the way, for Apple software we also implemented recognition of blocks (Apple's closure extension to C and Objective-C). We support both global and local (stack-based) blocks. The objc plugin parses block descriptors and automatically creates structures representing the local context captured by the block. Now the decompiler output looks like this:
In fact there are many other Objective-C improvements, see them all in a submenu:
Note: some of this functionality only works if you have the decompiler for the platform being analyzed.
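As an added example of what parsing a block descriptor involves (example code written for this page, not the objc plugin's implementation), the snippet below walks a Block_layout and its Block_descriptor in a constructed arm64 memory image, using the flag bits and structure layout from Apple's Block ABI, and derives the size and location of the captured context, which is exactly the structure a plugin would declare for the block. The memory image, addresses and type signature are constructed samples, not taken from a real binary.

```python
import struct

# Block_layout flag bits from the Apple Block ABI specification (constants assumed
# here; they are not quoted from the page).
BLOCK_HAS_COPY_DISPOSE = 1 << 25
BLOCK_IS_GLOBAL = 1 << 28
BLOCK_HAS_SIGNATURE = 1 << 30

# struct Block_layout on arm64: isa, flags, reserved, invoke, descriptor (32 bytes).
# Captured variables follow immediately; the descriptor's size field covers them.
BLOCK_LAYOUT = struct.Struct("<QiiQQ")
DESCRIPTOR_HEAD = struct.Struct("<QQ")   # Block_descriptor_1: reserved, size


def read_cstring(mem: bytes, base: int, addr: int) -> str:
    start = addr - base
    return mem[start:mem.index(b"\0", start)].decode("ascii")


def parse_block(mem: bytes, base: int, block_addr: int) -> dict:
    """Walk a block literal and its descriptor inside a flat memory image `mem`
    that starts at address `base`, the way a plugin would before creating a
    structure for the captured context."""
    isa, flags, _reserved, invoke, desc_addr = BLOCK_LAYOUT.unpack_from(mem, block_addr - base)
    off = desc_addr - base
    _reserved, size = DESCRIPTOR_HEAD.unpack_from(mem, off)
    off += DESCRIPTOR_HEAD.size
    info = {
        "isa": isa,
        "invoke": invoke,
        "descriptor": desc_addr,
        "global": bool(flags & BLOCK_IS_GLOBAL),
        "size": size,
        # Everything past the fixed header is captured context: this is the
        # size of the structure worth declaring for the block.
        "captured_bytes": size - BLOCK_LAYOUT.size,
        "captured_at": block_addr + BLOCK_LAYOUT.size,
    }
    if flags & BLOCK_HAS_COPY_DISPOSE:
        # Only present when the block captures something needing retain/release.
        info["copy"], info["dispose"] = struct.unpack_from("<QQ", mem, off)
        off += 16
    if flags & BLOCK_HAS_SIGNATURE:
        (sig_ptr,) = struct.unpack_from("<Q", mem, off)
        info["signature"] = read_cstring(mem, base, sig_ptr)  # ObjC type encoding of invoke()
    return info


# Constructed memory image (not taken from a real binary): a stack block that
# captures an object pointer and an int, with a descriptor carrying copy/dispose
# helpers and a type signature. 0x1F0000 stands in for _NSConcreteStackBlock.
BASE = 0x100000
MEM = bytearray(0x90)
BLOCK_LAYOUT.pack_into(MEM, 0x00, 0x1F0000, BLOCK_HAS_COPY_DISPOSE | BLOCK_HAS_SIGNATURE,
                       0, 0x100800, BASE + 0x40)
struct.pack_into("<Qi4x", MEM, 0x20, 0x2A0000, 7)              # captured: id obj; int n
struct.pack_into("<QQQQQ", MEM, 0x40, 0, 48, 0x100900, 0x100A00, BASE + 0x80)
MEM[0x80:0x89] = b"v16@?0i8\0"                                  # void invoke(block, int)
MEM = bytes(MEM)

if __name__ == "__main__":
    for k, v in parse_block(MEM, BASE, BASE).items():
        if isinstance(v, int) and not isinstance(v, bool):
            print(f"{k:>15}: {v:#x}")
        else:
            print(f"{k:>15}: {v}")
```

The descriptor's size minus the 32-byte header is what tells the analyser how large the captured-context structure is; the copy/dispose and signature fields are optional and must be read only when the corresponding flag bits are set, otherwise the parser reads past the end of a short descriptor.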
Our debugger can handle many new OSX and iOS features and can debug iOS 12 applications, including stack unwinding in code that uses PAC instructions:
Set the _NT_SYMBOL_PATH environment variable (the same syntax Microsoft's debuggers use), for example:
export _NT_SYMBOL_PATH='srv*/home/symbols*https://msdl.microsoft.com/download/symbols'
and IDA will automatically download PDB files for you! A screenshot is not very descriptive in this case, but please note that it was taken on Linux:
We use our own PDB parser on all platforms, but it is possible to switch back to MS DIA if there is a need.
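As an added illustration (example code written for this page, not IDA's PDB loader), here is what that variable means to a symbol-server client such as IDA: the PE's CodeView (RSDS) debug entry supplies the PDB name, GUID and age, and a `srv*<cache>*<server>` element of _NT_SYMBOL_PATH tells the client which local directories to check and which server to download from, under the symbol-store layout `<root>/<name>/<GUID+age>/<name>`. The RSDS record, GUID and symbol path below are constructed samples; nothing is fetched from the network.

```python
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PdbId:
    """Identity of a PDB as recorded in a PE's CodeView (RSDS) debug entry."""
    name: str
    guid: uuid.UUID
    age: int

    def key(self) -> str:
        # Symbol-store key: the GUID as 32 upper-case hex digits followed by the
        # age in upper-case hex without padding (age 1 gives a 33-character key).
        return f"{self.guid.hex.upper()}{self.age:X}"


def parse_rsds(record: bytes) -> PdbId:
    """Parse an RSDS CodeView record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated path."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    # The GUID is stored in Windows (mixed-endian) layout, hence bytes_le.
    guid = uuid.UUID(bytes_le=bytes(record[4:20]))
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    # The store keys on the bare file name, not on the build machine's path.
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return PdbId(name, guid, age)


def parse_symbol_path(sympath: str) -> List[Tuple[List[str], Optional[str]]]:
    """Split _NT_SYMBOL_PATH into (local directories, server URL or None) elements.
    'srv*c1*c2*server' means caches c1 then c2, then the server; a bare path is a plain directory."""
    elements = []
    for element in filter(None, sympath.split(";")):
        parts = element.split("*")
        if parts[0].lower() == "srv" and len(parts) >= 2:
            elements.append((parts[1:-1], parts[-1]))
        else:
            elements.append(([element], None))
    return elements


def candidate_locations(sympath: str, pdb: PdbId) -> List[str]:
    """Where a symbol-server client looks for the PDB, in order: each local
    directory or cache first, then the server, using <root>/<name>/<key>/<name>."""
    rel = f"{pdb.name}/{pdb.key()}/{pdb.name}"
    locations = []
    for dirs, server in parse_symbol_path(sympath):
        locations += [f"{d.rstrip('/')}/{rel}" for d in dirs]
        if server:
            locations.append(f"{server.rstrip('/')}/{rel}")
    return locations


# Constructed sample: an RSDS record such as a PE's debug directory would point to.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_RSDS = b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3) + b"C:\\build\\ntdll.pdb\0"
SAMPLE_SYMPATH = "srv*/home/symbols*https://msdl.microsoft.com/download/symbols"

if __name__ == "__main__":
    pdb = parse_rsds(SAMPLE_RSDS)
    print(pdb.name, pdb.key())
    for location in candidate_locations(SAMPLE_SYMPATH, pdb):
        print(location)
```

The cache directory comes first on purpose: once a PDB has been fetched into /home/symbols under the same name/key/name layout, later sessions resolve it offline, and a PDB whose GUID or age differs from the record in the PE is simply a different key and is never picked up by mistake.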
The new processor module supports the PIC24/30/33 series and comes with an extensive configuration file.
We've also extended the classic 8-bit PIC series with support for the "Enhanced Mid-range" (PIC1XF1XXX) instructions. IDA automatically tracks changes to the bank-selection registers made with movlb (BSR, for data banks) and movlp (PCLATH, for program memory), which is useful when analyzing big programs spread over multiple banks.
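To make concrete what bank tracking resolves, here is an added toy model (example code for this page, not IDA's processor module) that follows movlb/movlp through a constructed instruction stream and turns bank-relative operands into absolute data addresses and CALL/GOTO targets, using the enhanced mid-range memory map (128-byte banks, core registers and common RAM mirrored into every bank, PCLATH<6:3> supplying PC<14:11>). It also shows the failure mode the analysis has to handle: at a join point where the incoming bank state is not known, the operand cannot be resolved.

```python
# Enhanced mid-range (PIC16F1xxx) memory model as documented by Microchip; the
# constants are assumptions of this example, not taken from the page.
BANK_SIZE = 0x80                    # BSR selects one of 32 banks of 128 bytes
CORE_REGS = range(0x00, 0x0C)       # INDF0..INTCON: mirrored into every bank
COMMON_RAM = range(0x70, 0x80)      # 16 bytes of common RAM, visible from every bank

FILE_REG_OPS = {"movwf", "movf", "addwf", "subwf", "incf", "decf", "clrf",
                "bsf", "bcf", "btfss", "btfsc"}
LONG_BRANCH_OPS = {"call", "goto"}  # 11-bit operand; upper PC bits come from PCLATH


def data_address(bsr, f):
    """Absolute data address of a 7-bit file-register operand under bank `bsr`."""
    if f in CORE_REGS or f in COMMON_RAM:
        return f                           # bank-independent, no tracking needed
    if bsr is None:
        return None                        # bank unknown: cannot resolve
    return bsr * BANK_SIZE + f


def branch_target(pclath, k):
    """CALL/GOTO target: PC<10:0> = k, PC<14:11> = PCLATH<6:3>."""
    if pclath is None:
        return None
    return ((pclath & 0x78) << 8) | (k & 0x7FF)


def track_banks(program):
    """Linear pass over (mnemonic, operand) tuples in execution order.
    Returns (mnemonic, operand, resolved_address_or_None) per instruction."""
    bsr = pclath = None                    # unknown until the code sets them
    out = []
    for mnem, opnd in program:
        resolved = None
        if mnem == "label":
            # Join point: a real analyser merges the BSR/PCLATH state from every
            # predecessor; this simplified pass forgets what it knew, which is
            # the safe choice when the other predecessors are unknown.
            bsr = pclath = None
        elif mnem == "movlb":
            bsr = opnd & 0x1F
        elif mnem == "movlp":
            pclath = opnd & 0x7F
        elif mnem in FILE_REG_OPS:
            resolved = data_address(bsr, opnd & 0x7F)
        elif mnem in LONG_BRANCH_OPS:
            resolved = branch_target(pclath, opnd)
        out.append((mnem, opnd, resolved))
    return out


# Constructed instruction stream (not from a real firmware image).
SAMPLE_PROGRAM = [
    ("movlb", 2),          # BSR = 2
    ("movwf", 0x20),       # -> 0x120 (bank 2, offset 0x20)
    ("movwf", 0x75),       # -> 0x075 (common RAM, same in any bank)
    ("movlp", 0x08),       # PCLATH = 0x08 -> PC<14:11> = 1
    ("call", 0x123),       # -> 0x923
    ("label", "loop"),     # reached from elsewhere: bank state unknown again
    ("movf", 0x20),        # -> unresolved until something reloads BSR
]

if __name__ == "__main__":
    for mnem, opnd, resolved in track_banks(SAMPLE_PROGRAM):
        shown = f"{resolved:#05x}" if resolved is not None else "?"
        print(f"{mnem:6} {opnd!s:6} -> {shown}")
```

The core-register and common-RAM ranges are why only operands in the middle of the bank need tracking at all; a disassembler that ignored the distinction would still produce correct addresses for INDF0 or STATUS but wrong ones for every general-purpose register outside bank 0.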
Many new RH850 instructions, such as bit operations and long-range conditional branches, are supported as well:
now looks crystal clear:
Here "C" is a complex class with multiple base classes, which in turn have multiple base classes, and so on.
Among other decompiler improvements: a method to handle multiple stack variables that occupy the same stack slot, a better optimization engine, better handling of cast operators, better type derivation, more aggressive C expression simplification, for-loop recognition, and many subtle bugs are gone. We hope that working with the decompiler will be more pleasant and seamless.
We also improved the microcode API that was initially published in v7.1. Unfortunately, we had to shuffle so many things around that the new API is not compatible with the old one, but we promise that we will try to keep it stable from now on.
(yes, you guessed it right, green means Lumina :)
Any user can push information to Lumina. Currently the Lumina database is not very big, but we hope it will get populated and become useful very quickly. So do not be disappointed too soon if it does not recognize all your standard functions yet; we will work on it!