IDA 7.6

  • A+
所属分类:安全工具

HighlightsApple Silicon support

IDA for macOS is now available as a native ARM64 binary which can make full use of the M1 chip’s incredible performance.

It is hard to overstate just how much IDA benefits from the new speed boost. Autoanalysis completes much quicker, the UI is noticeably snappier, and almost every other feature in IDA seems smoother when running on M1. Our beta testers reported that IDA 7.6 is “incredibly stable” and “way faster” on Apple Silicon – so it seems our excitement is not misplaced.

Debugging native arm64 processes is also supported on M1, including arm64e:


See the updated macOS debugging tutorial here.

The native ARM build of IDA is available for free to all owners of an active Mac license (including IDA Home users).

Golang analysis

The Go language (aka golang) from Google is getting popular thanks to its ease of use, performance, and self-contained binaries not requiring dependencies. Due to some of the language designers’ decisions the golang binaries are quite different from those produced by other compilers and some changes were required in IDA to properly support its peculiarities.

Among additions:

parsing of golang-specific metadata to recover function names and boundaries

support for stack-based parameters and return values even on platfoms that usually use registers (ARM, x64)

detection of golang-specific string literals

Here’s an example of how a stripped golang binary for ARM looks like in IDA 7.5:


and in 7.6:


Almost twice as many functions were recovered and named.

Decompiler improvements

automatic renaming of variables

Although interactivity is IDA’s selling point, it still tries to do as much as possible to automate mundane tasks. With this release the decompiler will try to automatically assign names to variables and structure fields based on assignments and function calls.


See two snippets from decompilation of the same binary. Left: IDA 7.5, right: 7.6.



improved recognition of stack arrays

arrays on stack can be difficult to detect automatically since usually only their first elements are referenced explicitly. We have added heuristics which recover arrays in many typical situations, reducing the need for manual intervention.


empty lines for better readability

If you add GENERATE_EMPTY_LINES = YES to hexrays.cfg, the decompiler will add extra empty lines between compound statements and before labels, which improves readability of long functions.


New processor modules: RISC-V and RL78

Our processor selection contiues to expand steadily.

RISC-V is an open ISA which is starting to become available in various hardware such as the latest iteration of the Espressif Systems wireless platform, ESP32-C3.


RL78 from Renesas is a 16-bit descendedant of the 8-bit NEC 78k0(s) family previously supported by IDA and is used in various automotive and consumer applications.


Bookmarks

We also added some new functionality to enrich bookmarks management in the UI.

As before, you can use Alt-M/Ctrl-M to add/jump to a bookmark, but now you can also use Ctrl-Shift-M to bring up a separate bookmarks view with the global list of bookmarks that can be grouped into folders:


Also, bookmarked addresses will now be highlighted in the disassembly. You can use Options>Colors to change the highlight color to whatever you want:


Other UI improvements

Processor list in the Load File dialog is now organized using folder view which can be filtered using Ctrl-F


You can now use cut&paste in folder views instead of dragging things with the mouse

The Strings list is now cached in the database. The Strings window is one of the most commonly used views in IDA for quick reconnaissance. However, depending on the settings it can take a long to to scan the whole database which had to be repeated each time on reopening the window or reloading the database. Now we cache the list so opening it the second time is almost instant.

Compressed macOS and iOS kernelcache support

In the recent iOS and macOS versions, the kernelcache files are compressed. Although there are tools available which can decompress them, it’s one more thing to remember. Now IDA handles the standard compressed formats transparently so you can simply load them as standard Mach-O files. Since IDA can also handle ZIP files, you can open them directly from the IPSW updates!



Retpoline handling

Retpoline (return trampoline) is a compile-time mitigation against the Spectre speculative execution vulnerability disclosed in 2017. Binaries compiled with this option use special thunk functions for indirect jumps which tend to break standard control flow analysis. IDA now detects and handles these thunks transparently, resulting in nice and clean function graphs and pseudocode.

Example binary using retpoline thunks.

In IDA 7.5:

 

and 7.6:

 

Python 3.9 support

Python 3.9 was released after IDA 7.5 and changed the layout of some internal structures leading to crashes in scripts or plugins using PyQt. IDA 7.6 adds official support for 3.9 (while still supporting previous 3.x versions and 2.7). Python 3.9.1 is also officially available for macOS on ARM64 and can be used by IDA there.


Full list of changes and new features:

NB: some items may have been already mentioned in IDA 7.5 SP1-3 release notes

Processor modules:

6502: disassemble 65C02-specific opcodes STP and WAI

68K: display ranges of Dx and Ax registers explicitly in the movem instruction

ARM: add support for ARMv8.4-RCPC instructions (LDAPUR, STLUR)

ARM: add support for golang ABI

ARM: added support for parsing ARM64 exception handler information in PE files

ARM: condition flags (ZF, CF etc.) can be used as argument locations

ARM: decode ARMv8.5-A BTI instruction

ARM: decode ARMv8.5 barrier instructions

ARM: fixed switch with CSEL

ARM: improve detection of functions in binaries using PAC or BTI

ARM: improve propagation of pointer types and names loaded using LDR(literal) instructions

ARM: improve switch detection in Thumb code produced by ARM 5.x MDK compiler

ARM: support ARMv8.5-A Memory Tagging Extension (MTE) instructions

ARM: support half-precision floating (FP16) operands

AVR: support AVR XMEGA family chips which do not have general-purpose registers in data memory (contributed by Lukas Kuzmiak from insighti)

AVR: print operands for instructions movw, adiw, sbiw as register pairs

MIPS: add support for EABI32

MIPS: support EVA load/store instructions (LBE, LBUE, LHE, LHUE, LWE, SBE, SHE, SWE, CACHEE, PREFE, LLE, SCE, LWLE, LWRE, SWLE, SWRE).

MIPS: support interAptiv custom instructions (MIPS16e2 COPYW/UCOPYW, MIPS32 SAVE/RESTORE)

MIPS: support the MIPS16e2 Application-Specific Extension instructions (used in the InterAptiv core)

PC: add FXSAVE64 and FXRSTOR64 instructions

PC: add support for AVX512 VAES (EVEX-encoded AES-NI instructions)

PC: add support for stack-based golang abi

PC: add VGF2P8AFFINEINVQB, VGF2P8AFFINEQB and VGF2P8MULB instructions

PC: decode sysenter and sysexit instructions in long mode (they’re supported on Intel processors)

PC: recognize and handle calls to retpoline thunks (__x86_indirect_thunk_rXX)

PPC: add support for EFP(Embedded Floating Point) 2.0 instructions efdmin, efdmax, efdsqrt, efdcfh, efdcth

PPC: improved recognition of position-independent switches

PPC: improved recognition of switches that use clrlwi to mask off the number of cases

RISCV: new processor module (initially supporting RV32GC and RV64GC)

RL78: new processor module

File Formats:

DWARF: fix detection of golang files, improve use of golang-specfic DWARF info

DWARF: support batch-loading dwarf files from a macOS11 KDK into an MH_FILESET kernelcache idb

ELF: mips: handle the most frequently used microMIPS relocations

ELF: mips: process MIPS16 relocations

ELF: .gnu_debugdata (MiniDebugInfo) sections are now recognized and parsed

MACHO: handle dyld slide info v4 (used in WatchOS dyld_shared_cache_arm64_32)

MACHO: handle LC_DYLD_EXPORTS_TRIE in macOS11/iOS14 binaries

MACHO: ignore the dummy symbol radr://5614542 that may be added by the strip(1) tool

MACHO: improve analysis of dyldcache files from macOS11/iOS14

MACHO: improve handling of threaded pointers in iOS kernelcaches

MACHO: introduce type libraries for MacOSX11.0.sdk and iPhoneOS14.0.sdk

MACHO: native support for compressed kernelcaches (lzfse, lzss, lzvn), optionally wrapped in img4 container

MACHO: parse LC_DYLD_CHAINED_FIXUPS for arm64e binaries. this should heavily improve the analysis for iOS 14 binaries compiled with Xcode 12

MACHO: support new MH_FILESET kernelcache format from macOS 11

MACHO: support symbolication of macOS11 kernelcaches that link against the boot/sys kext collection

PE: rename standard dummy control flow guard thunks (_guard_check_icall_nop, _guard_dispatch_icall_nop)

Debugger:

bochs: updated ida to support bochs 2.6.11

dalvik: added device connection string (ADB_CONNECT), to simplify Corellium usage

dalvik: added option JDWP_WAIT_FOREVER to wait for JDWP reply infinitely, this helps to debug the shared library of Dalvik application

debugger: don’t exit IDA if creating a debugger segment fails

debugger: win32: add ‘Stack’ column and ‘Follow in stack view’ context menu to the “SEH list” window

debugger: macOS: add servers for debugging arm64 and arm64e applications on Apple Silicon

Kernel / Misc.:

improved handling of corrupted IDBs: detect when a function object is missing and try to fix it

kernel: support variable-sized structures in unions

types: allow specification of stack offsets of function arguments (with __usercall); also, return location can be on the stack

types: if applying a function type to data which can be a pointer (e.g. dword or qword) then convert the type to a function pointer

FLIRT / TILS / IDS:

TIL: add _PEB_LDR_DATA to the standard “undocumented” structures for mssdk_* tils

TIL: added type libraries for xnu-7195

User Interface:

UI: added a database cache for the strings list

UI: added NAVBAND_FORCE_GAPS option (defaults to NO), to control whether the navigation band should display gaps between adjacent segments

UI: added the “Clear…” action to the string list window

UI: automatically sync new enum types to the idb

UI: bookmark list can be opened as separate non-modal view which supports folders

UI: bookmarked lines are highlighted with their own customizable overlay color

UI: debugger hints would override decompiler hints

UI: in folders, add cut & paste as an alternative means of moving items around

UI: it is now possible to expand/collapse multiple folders at once, using Ctrl+Numpad+/Ctrl+Numpad-

UI: shortened names of many additional views

UI: save the xrefs window position in the text UI

UI: the navigation band now highlights the segment the mouse is currently hovering

UI: the quick filter (in the tabular, or folders views) can be targeted to only 1 column, or all of them (the default)

UI: The “Create Struct From Data” command will now use demangled method names for the new structure members if used on a vtable (list of function pointers)

UI: themes: implement @ifdef/@ifndef/@else/@endif preprocessing directives for our .css files

UI: Using T(structure offset) on a struct member and picking another struct, sets its type to “struct *”

Plugins:

golang: new plugin to parse and use metadata produced by the Go compiler and Go-specific idioms (pclntab, fixed-length string literals)

eh_parse: improve EH metadata parsing for x64 and ARMv7/ARM64 PE files

OBJC: fixed objc:RunUntilMessageReceived action for macOS11/iOS14

OBJC: improve Objective-C metadata parsing for macOS11/iOS14 (specifically __objc_methlist structures)

OBJC: plugin will now put all decoded Objective-C types in an “objc” folder in the Local Types view

PDB: Network communications while looking for PDB file can be restricted (option PDB_NETWORK in pdb.cfg)

PDB: support new UDT tags generated by VS2019

swift: enabled swift plugin for elf files too, since they can be encountered in the wild

TDS: improved handling of long names

Decompilers:

decompiler: “set call type” is available in more situations

decompiler: add an intrinsic function for the x87 fbstp instruction

decompiler: added a rule ‘and (x|y), #n => or (x&#n), (y&#n)’

decompiler: added action “Quick rename”

decompiler: added an option to decompile library functions too

decompiler: added convenience functions: locate_lvar(), rename_lvar()

decompiler: added create_cfunc()

decompiler: added GENERATE_EMPTY_LINES; it improves readability by introducing empty lines between blocks of code

decompiler: added global xrefs to entire structs/unions

decompiler: added hints to ‘goto LABEL’ instruction

decompiler: added hxe_build_callinfo: plugins now can provide call prototypes dynamically

decompiler: added mba_t::set_maturity, it can be used to skip some decompilation passes (to be used with caution)

decompiler: added new function mba_t::build_helper_call

decompiler: added new methods to codegen_t: store_operand(), load_effective_address()

decompiler: added option AUTO_UNHIDE – automatically unhide collapsed items in the pseudocode view when jumping to them

decompiler: added option HO_NON_FATAL_INTERR: permit decompilation after an internal error

decompiler: added the distribution rule for or/and

decompiler: do not use ‘l’ and ‘ll’ and the loop index names anymore

decompiler: extended ‘split expression’ to support 64-bit ‘not equal’ operator

decompiler: extended the functionality of global xrefs to all local types, not only to udts and enums

decompiler: improve decompilation of ternary operator expressions

decompiler: improve recognition of array stack variables

decompiler: improved detection of bool return value

decompiler: improved detection of optimized array references like &buf[i-1]

decompiler: improved handling of imagebase relative addressing

decompiler: improved management of guessed types

decompiler: improved recognition of some signed divisions

decompiler: improved recognition of x64 strcmp

decompiler: improved use of return statements, now we create more of them

decompiler: mips: add support for EABI32

decompiler: never automap variables having a potentially undefined value

decompiler: now the decompiler replaces unused call arguments with UNUSED_ARG(); the unused arguments can be marked with the “__unused” keyword

decompiler: optimize bit test operations on variables with a known set of values

decompiler: pc: decompile bit operations (bt, bts, btr) on 16-bit operands as custom intrinsics (e.g. _bittest16).

decompiler: print too long function prototypes on multiple lines

decompiler: rename local variables more aggressively, to get more meaningful names

decompiler: slightly improved goto elimination

decompiler: user-defined cross-references can be used to inform the decompiler about the target of an indirect branch

Scripts & SDK:

idapyswitch: add Anaconda 2020.02/11 to the ignore list

IDAPython: added an example showing how to color a chooser according to its contents

IDAPython: added an example showing how to toggle pseudocode lines’ background using UI hooks

IDAPython: added an example showing how to use ida_kernwin.create_menu() to create toplevel menus, or submenus

IDAPython: added an example showing how to use custom_viewer_jump()

IDAPython: added an example of using ida_bytes.bin_search()

IDAPython: provide an index page for the examples

IDAPython: exposed ida_ieee module, to deal with internal representation of floating values

IDAPython: ida_gdl.gdl_graph_t (& subclasses) are now available

IDAPython: prepare for Python 3.10

SDK: added DP_SZHINT (and WOPN_DP_SZHINT) for set_dock_pos() to let plugin writers specify a desired size for plugin widgets

SDK: added set_vftable_ea() to tie a vftable type and the address of its instance in the idb

SDK: file2base() and mem2base() change storage type to non-sparse

SDK: IDA now sends a ‘ui_desktop_applied’ event after a desktop has been applied

SDK: improved create_align() to accept length=0; it will be inferred from the alignment exponent in this case

SDK: introduced fpvalue_t that represents floating point values in internal format. it replaces ushort[6], which means that the source code of some plugins may require changes. however, binary compatibility is maintained

SDK: introduced processor_t::ev_update_call_stack

SDK: renamed confusing inf_is_32bit() -> inf_is_32bit_or_higher(); added inf_is_32bit_exactly(), inf_is_16bit(), inf_get_app_bitness()

Bugfixes:BUGFIX: "push esp/pop reg" was decompiled incorrectlyBUGFIX: .NET: some floating point values could be printed truncatedBUGFIX: 68K: extended-precision floating point constants were not displayed correctlyBUGFIX: 78K0S: opcode D5 was incorrectly decoded as INC (should be DEC)BUGFIX: Alt+T/Ctrl+T searches in tabular/tree views, wouldn't wrap around as they shouldBUGFIX: ARM: IDA could destroy a user-defined switch statementBUGFIX: avr: relative jumps/calls could be truncated on parts with more than 64K of program memory.BUGFIX: backward searching for bytes could fail in certain casesBUGFIX: chooser: the ui_get_chooser_item_attrs event was called with the wrong CHOOSER argumentBUGFIX: clear_cached_cfuncs() was not clearing the global xref cacheBUGFIX: Command+M would not minimize the IDA window on macOS, per convention.BUGFIX: debugger: linux: the collected thread may die prematurely before attaching, ignore itBUGFIX: debugger: xnu debugger would fail to demangle c++ names after attaching with an empty databaseBUGFIX: decompiler SDK: wrong return code in udcall_t::compare()BUGFIX: decompiler would try to use shortcut "Ins" instead of "I" for the "Edit block comment" action on macOS.BUGFIX: deleting local types could generate interr 81BUGFIX: dscu plugin was broken if the user changed the "Input file" field in the Process Options dialog.BUGFIX: dscu: plugin would work incorrectly after rebasing a dyldcache databaseBUGFIX: DWARF: IDA could try to use too much memory on corrupted files before dying with out-of-memoryBUGFIX: DWARF: plugin could cause IDA to crash (stack exhaustion) with some specially crafted input filesBUGFIX: DWARF: plugin could crash IDA (null pointer dereference) with some specially-crafted filesBUGFIX: DWARF: plugin could INTERR and cause IDA to exit on specially crafted files with bad function namesBUGFIX: DWARF: plugin could loop (seemingly) endlessly when encountering a DW_TAG_namespace with a (broken) name whose first character is '#'BUGFIX: DWARF: plugin could perform a use-after-free on some specially crafted filesBUGFIX: DWARF: plugin could perform a use-after-free during stack unwinding, on some DWARF input filesBUGFIX: DWARF: validate size of compressed sections before trying to load themBUGFIX: ELF: fixed processing of the R_X86_64_32S reloc;BUGFIX: ELF: PPC: IDA could crash when loading a corrupted elf fileBUGFIX: find_plugin() would load previously unloaded plugin even with load_if_needed=falseBUGFIX: fixed interr 50729 that could occur after mapping a local variableBUGFIX: forcing plugin to be unloaded by setting PLUGIN_UNL in the run() method did not work for PLUGIN_MULTI pluginsBUGFIX: IDA could crash at restart time (e.g. when restoring a snapshot) if some of plugins installed post-event visitorsBUGFIX: IDA could crash with an internal error when stepping into functions with long names  if "Reconstruct the stack" was enabled in debugger optionsBUGFIX: IDA could crash in some cases when using accessibility features (e.g. a screen reader)BUGFIX: IDA could endlessly loop on some corrupted idbsBUGFIX: IDA could erroneously complain about "CRC32 mistmatch" when opening legacy IDBs (from IDA 5.x or earlier)BUGFIX: IDA could fail with internal error 20078 on corrupted ELF filesBUGFIX: IDA could produce an internal error while analyzing database after rebasingBUGFIX: IDA would crash when loading an ARM64 driver if the default debugger was set to windbgBUGFIX: IDA would create many useless *_hidden segments when loading an XNU kernelcache.BUGFIX: IDA would not properly keep track of the imagebase for dyldcache idbs.BUGFIX: IDA would try to allocate huge amount of memory when loading a corrupted elf fileBUGFIX: idapyswitch could fail to detect Python3 versions installed via homebrew on macOSBUGFIX: idapyswitch would not respect the "-r" switch (dry run)BUGFIX: IDAPython: 'coding: ' comments were not respected when loading a script file.BUGFIX: IDAPython: added a 'bytes' property to Python classes wrapping C++ arraysBUGFIX: IDAPython: IDA could exit silently on startup if the Python runtime called exit() during intialization (can happen with some Python distributions like Anaconda). Now we try to detect such situation and show an explicit error message.BUGFIX: IDAPython: ida_bytes.bin_search documentation was lackingBUGFIX: IDAPython: ida_bytes.next_visea, ida_bytes.prev_visea were not availableBUGFIX: IDAPython: ida_hexrays.mop_t.[_make_cases|_make_callinfo|_make_pair|_make_insn] could crash IDABUGFIX: IDAPython: ida_hexrays.mop_t.make_fpnum was unusableBUGFIX: IDAPython: ida_ida.AF_FINAL had value -0x80000000 instead of 0x80000000BUGFIX: IDAPython: ida_kernwin.del_hotkey could delete the wrong action, and cause IDA to crashBUGFIX: IDAPython: ida_name.MNG_* and ida_name.MT_* values were not exposedBUGFIX: IDAPython: ida_search.SEARCH_UNICODE was not available after IDA 7.0, while ida_search.find_binary() still isBUGFIX: IDAPython: idapyswitch now supports Python 3.9BUGFIX: IDAPython: IDAPython-on-Python3.9 was unusable because the result of evaluating expressions was not printedBUGFIX: IDAPython: idautils.Strings.setup() would not apply the 'ignore_instructions' parameterBUGFIX: IDAPython: if a 'nav colorizer' would return a long that couldn't be converted into 32-bits, IDA would fail reporting the issue in a timely manner, leaving it for later Python code to failBUGFIX: IDAPython: if a Python loader & a Python processor module had the same file name, the processor module couldn't be loadedBUGFIX: IDAPython: internal error 30615 could happen if Python intialization failedBUGFIX: IDAPython: using ida_kernwin.choose_find() with a non-IDAPython chooser, would crash IDABUGFIX: IDAPython: using ida_kernwin.set_nav_colorizer() could cause IDA to crash at exit-timeBUGFIX: IDAPython: when using Python 2, scripts with magic 'encoding' comment, could fail to runBUGFIX: in ev_renamed event, the 'local_name' could be wrongly reported as 'true' if a local label was requested to be deleted but ida automatically replaced it with a dummy name. this may happen if the item with the name had xrefs to itBUGFIX: it was impossible to pass REFINFO_SUBTRACT and REFINFO_SIGNED into op_offset();BUGFIX: kernel: functions could be restored incorrectly from a corrupted IDBBUGFIX: loading single modules from a dyldcache was unusually slow on OSX Catalina.BUGFIX: M68K: some fmovem variations were disassembled incorrectlyBUGFIX: mac debugger could fail to attach to a process after previously detaching from it.BUGFIX: mac debugger could fail to load symbols from system dylibs (revealed by macOS11 beta 4).BUGFIX: mac debugger would show "Input file is missing" error when debugging a dyldcache lib on macOS11.BUGFIX: mac/ios/xnu debuggers would create tons of meaningless debugger segments.BUGFIX: macho loader could fail to load a correct SDK til in some cases.BUGFIX: MIPS: 'search for register access' could hangBUGFIX: MIPS: IDA could show incorrect names and comments for CP0 registers when select was not zeroBUGFIX: modifying an attribute of a function argument (e.g. adding __hidden) would be saved in the database but would not be immediately reflected in the disassemblyBUGFIX: objc analysis could fail due to arm64e tagged pointers.BUGFIX: objc plugin could create invalid xrefs to Objective-C methods during decompilation (IDA-2487)BUGFIX: objc plugin could fail to create structures in the database after a rebase operation.BUGFIX: on windows idat would let the operating system to handle some Ctrl- keys, rendering them unusable in idaBUGFIX: PC: 'in' instruction in 64-bit mode uses EAX and not RAX register.BUGFIX: PC: endbr64 instruction is suported in 32-bit and 16-bit modesBUGFIX: PC: extra prefix was not always displayed on a separate line.BUGFIX: PC: fix decoding of instructions that use VEX.W/EVEX.W in 32-bit modeBUGFIX: PC: fix operand type for long mode 'call far' to dt_tbyte (2-byte selector plus 8-byte offset)BUGFIX: PC: fix operand types for many VEX-encoded AVX/AVX2 instructionsBUGFIX: PC: fixed decoding of some AVX instructions in 32-bit modeBUGFIX: PC: huge functions could cause a simplex algorthm failureBUGFIX: PC: in 32-bit mode, the target must be truncated to 16 bits if the instruction uses prefix 66 and/or 67.BUGFIX: PC: in 64-bit mode the operand size for near call is forced to 64-bits.BUGFIX: PC: in MOVSXD r16, r/m16 instruction, the first operand is a 16-bit register.BUGFIX: PC: parse_reg_name() could return the wrong result for XMM/YMM/ZMM registersBUGFIX: PC: processor specific options were not undone upon Ctrl-ZBUGFIX: PC: some FMA instructions were not decoded in 32-bit modeBUGFIX: pdb: COFF: subsection SYMBOLS of ".debug$T" may have zero size, use the remaining bytes of section ".debug$T"BUGFIX: pdb: do not interr on bad-formed udtBUGFIX: pdb: fix looping in LF_MODIFIER leafBUGFIX: pdb: fixed out-of-bounds read array accessBUGFIX: pdb: fortify TPI/IPI streams header parsingBUGFIX: pdb: in rare cases the last bytes of a stream could be read incorrectlyBUGFIX: pdb: IPI stream could be parsed incorrectlyBUGFIX: pdb: size of a scalar type could be wrongBUGFIX: pdb: SKIP symbol could be harmful in specially-crafted pdb-fileBUGFIX: PPC: e_ori. with the condition record bit was wrongly simplified to e_nop.BUGFIX: rebasing a dyldcache idb could break the analysis because relocations were not applied to pointers in the slide infoBUGFIX: rebasing the program by an odd number of bytes was not forbidden (and led to issues later)BUGFIX: renaming a local type by pressing F2 would lead to its removal from all use sitesBUGFIX: repeatable comments for structure members were not printed when using data cross-refences instead of structure offset operandsBUGFIX: sdk: qdetach_tty()/qcontrol_tty() were leaving /dev/tty open in some casesBUGFIX: searching for all occurrences of a byte sequence would not work without an open disassembly viewBUGFIX: TIL: layout of _TEB and _PEB structures was not correct in mssdk_win7 and later .til files.BUGFIX: Tricore: processor module could incorrectly detect function arguments passed on stack ([sp]0 was not handled)BUGFIX: Tricore: struct offset with selection command did not work for this processor moduleBUGFIX: try block lines could be missing when reopening the IDBBUGFIX: type parser could misbehave with fully-qualified destructor names in class definitionsBUGFIX: types: creating a c++ structure with a __vftable member in the struct view was not marking the structure as having vftable; only doing so from local types was workingBUGFIX: ui/qt: during auto-analysis, typing in the quick filter (e.g., in the 'Functions window') could result in loss of certain charactersBUGFIX: ui/qt: Hiding columns when in 'folders' mode, wouldn't workBUGFIX: ui/qt: if entries in the "Structures" or "Enums" widgets were sorted, scrolling by using the scrollbar would jump over some entriesBUGFIX: ui/qt: on Linux, IDA could crash if some initialization failed, and IDA's main window was moved to another screen before exitingBUGFIX: ui/qt: on OSX, IDA could appear to hang during debuggingBUGFIX: ui/qt: opening certain views (e.g., "Function calls") through the "Quick view" (Ctrl+1) could failBUGFIX: ui/qt: Performing undo with souce-level breakpoints defined could cause IDA to INTERRBUGFIX: ui/qt: renaming folders in the "Local types", would show the editor on the wrong cell (in the 'Name' column, even though the folder name is in first column, named 'Ordinal'.)BUGFIX: ui/qt: the "Command palette" could refuse to keep the user selection, making it hard to useBUGFIX: ui/qt: the decompiler action "Jump to local type" could fail to select the proper type when the "Local types" view was sortedBUGFIX: ui/qt: using 'Save as...' could result in an unwanted additional entry appearing in the "recent files" section of the 'File' menuBUGFIX: ui/qt: using set_dock_pos() with no target dock and DP_SZHINT, would ignore the size hintsBUGFIX: ui/qt: when in folders mode, fast jumping by row number wouldn't workBUGFIX: ui/qt: when searching for text in sorted folders views, IDA could loop endlesslyBUGFIX: ui/qt: while debugging, drag & dropping an unsynchronized & invisible "Pseudocode-A" tab could crash IDABUGFIX: ui/txt: certain commands (close, tile, cascade, ...) could trigger INTERR 49589BUGFIX: ui/txt: it was impossible to "Import" snippets in the 'Script snippets' dialogBUGFIX: ui/txt: opening a hex view in idat would result in a crashBUGFIX: UI: "fast searches" in a folder view, could cause IDA to freeze, or crash in certain casesBUGFIX: UI: a long, unbreakable line in the "Output window" would cause other long (but breakable) lines to not be laid out according to the viewport size, and thus require scrollingBUGFIX: UI: an error message on debug start would show connection string with erronously appended port number when using WinDbg debuggerBUGFIX: UI: calling delete_menu() could cause IDA to crash at exit-timeBUGFIX: UI: choosers starting in "folder" mode, might not have the user-desired sizes for columnsBUGFIX: UI: debugger stack view could display values with wrong bitness (e.g. 32-bit values for 64-bit programs)BUGFIX: UI: depending on the selected font, register views could truncate representation of long valuesBUGFIX: UI: F1 in the 'Functions' window now shows the correct help topicBUGFIX: UI: folder lists in various views could become empty if undo was used after saving the databaseBUGFIX: UI: Hex View in databases using certain encodings (typically UTF-8), could show a glitch in the rendering of 'combining' unicode codepointsBUGFIX: UI: IDA could crash when stopping debugging, if certain manipulations were performed on the 'Functions window'.BUGFIX: UI: IDA on Windows could show a warning "The operation completed successfully." when checking for updates using an up-to-date build.BUGFIX: UI: in "Structures" and "Enums", creating a new type when the tree selection is not a folder, would create the type at the toplevel instead of the current oneBUGFIX: UI: in cases where the address space is very fragmented, zooming in the navigation band could lead to incorrect positioningBUGFIX: UI: in folders view, triggering a rename, but not actually renaming (by e.g., leaving the name untouched, or clicking somewhere else), would cause an annoying message in the "Output window".BUGFIX: UI: in the "Output window", if a long line had to be broken up into multiple 'physical' lines, clicking in the middle of one of those physical lines would place the cursor to its beginningBUGFIX: UI: in the "Structures" and "Enums" widget, jumping to a structure or enum that's currently not selected, could either fail, or cause the companion tree to be out-of-syncBUGFIX: UI: in the "Structures" or "Enums" widget, selecting a folder containing items, and deleting that folder, wouldn't properly update the listing contentsBUGFIX: UI: in the "Structures" or "Enums" widgets, the listing could be missing types after an undo operationBUGFIX: UI: invoking "Xref graph" commands could produce "Wrong specification" warning intead of showing the graphBUGFIX: UI: it was impossible to expand the hints shown in the "IDA View-A", when the cursor was positioned on an 'XREF'.BUGFIX: UI: it was impossible to turn columns off/on in tabular views when they are in folders modeBUGFIX: UI: filtering folders-enabled views, should hide the folders that don't have any contentBUGFIX: UI: pressing Enter in a dirtree widget would erroneously edit the item on macOS.BUGFIX: UI: when exporting data as a "String literal", IDA could fail to properly decode text for IDBs that use UTF-8 as internal encodingBUGFIX: UI: when using dark theme on macOS and linux, text within combobox menus could be clippedBUGFIX: UI: when using dark theme on macOS, selected items in tree views could be colored incorrectly.BUGFIX: UI: list of local types could change after enabling foldersBUGFIX: UI: opening an ida_kernwin.PluginForm at a specific position could failBUGFIX: UI: quick searching (i.e., by simply typing a string) in tabular/tree views might not yield the expected results.BUGFIX: UI: rebasing a tree widget could cause IDA to show empty entriesBUGFIX: UI: scrolling in the navigation band could jitter with very segmented address spacesBUGFIX: UI: searching for all occurrences of a binary data in "Hex View-1", closing "Hex View-1" and then attempting to jump, would cause IDA to crashBUGFIX: UI: selecting a portion of an identifier for highlighting, and then searching up/down (Alt+Up/Alt+Down) for that text, would cause the entire identifier to become highlightedBUGFIX: UI: sorting folders would only sort folders contents, but not the folders themselvesBUGFIX: UI: the 'grabbable' band for a floating window (used to dock it back) was not easy to spotBUGFIX: UI: the "Current line" message could fail to display in some views when folders were enabledBUGFIX: UI: the "Watch List" window wouldn't refresh when one of its items was renamed from the disassembly listingBUGFIX: UI: the column "func#" in the Signatures list was not properly sortable as a numberBUGFIX: UI: types could be duplicated in the folder view of 'Local types' windowBUGFIX: UI: Undo wouldn't cause previously-rebased 'Imports' to get their original address backBUGFIX: UI: using quick filtering with a regex, wouldn't highlight the part of the string that matches (as it does for lexicographical searches)BUGFIX: UI: when folders are enabled in tabular views, 'Copy/Copy all' could fail to work as expected.BUGFIX: UI: when folders were enabled on certain widgets, and the IDB was saved (e.g., by clicking on the 'save' icon), but then not saved again when closing, the widget would show up in no-folders modeBUGFIX: UI: when switching to a folders-enabled chooser, the folders might fail to have focusBUGFIX: UI: with certain fonts, the 'registers' widget could truncate the register names/values by a few pixels, making it harder to readBUGFIX: UI: zooming in the navigation band, could lose localityBUGFIX: Using "Jump to local type..." in a Pseudocode view's context menu wouldn't expand the tree of types to the right place (assuming the "Local types" has been toggled to be using folders.)BUGFIX: debugger: single-stepping could be sluggish with multi-threaded apps, especially in the Mac debugger (see Debugger>Debugger options>Optimize single-stepping. it is enabled by default for Mac debugger).BUGFIX: decompiler: "create new struct type" could generate a new struct type with forbidden characters, like <BUGFIX: decompiler: arm64: some references to external symbols would not be resolvedBUGFIX: decompiler: assignments to members of structurs later passed by reference could be optimized awayBUGFIX: decompiler: automapping variables was too aggressive in some casesBUGFIX: decompiler: bit-manipulation instructions 16-bit registers were emulated incorrectly (shift count is only 4 bits for them)BUGFIX: decompiler: changing the type of a structure field would cause the loss of the __cppobj attributeBUGFIX: decompiler: decompile() would crash if asked to decompile an unexisting function (nullptr)BUGFIX: decompiler: decompiler could crash after using "extract func" if a pseudocode window with the deleted function info was presentBUGFIX: decompiler: fixed a crash in the recognition of magic divisionsBUGFIX: decompiler: fixed a crash on corrupted idbsBUGFIX: decompiler: fixed an endless loop (extremely rare)BUGFIX: decompiler: fixed interr 52194BUGFIX: decompiler: global xref cache could become stale after a user action that was changing only the line numbers (like adding a comment)BUGFIX: decompiler: in some cases 'split expression' had no effectBUGFIX: decompiler: in some cases action "Reset pointer type" was not working (had no effect)BUGFIX: decompiler: in some cases decompiler could generate a wrong post-increment/decrement operatorBUGFIX: decompiler: in some cases the decompiler would add a suffix to the user-defined names (myvar->myvara)BUGFIX: decompiler: in some cases the user could not add variadic arguments to a function callBUGFIX: decompiler: jumping to the pseudocode from another window (for example, from the local types) would fail to activate the window in some casesBUGFIX: decompiler: ppc: fixed address arithmetics when subtracting addressesBUGFIX: decompiler: recognition of inlined memset() was too aggressive in some cases (a xor loop could be converted to memset)BUGFIX: decompiler: renaming a structure field would cause the loss of the __cppobj attributeBUGFIX: decompiler: shifted pointers with negative offsets were not always applicableBUGFIX: decompiler: some assignments could not be splitBUGFIX: decompiler: some xrefs to enum members would be missed by Ctrl-Alt-XBUGFIX: decompiler: stale cached pseudocode was not refreshed in some casesBUGFIX: decompiler: the decompiler could crash when displaying the global xref list if the cache was staleBUGFIX: decompiler: trying to rename a variable as "@@x" would lead to a fatal errorBUGFIX: decompiler: while(2){switch...} could be decompiled incorrectly in some casesBUGFIX: decompiler: wrmsr instruction could be decompiled wrongly (value of edx was unused)BUGFIX: decompiler: x87 fscale instruction was decompiled incorrectlyBUGFIX: windbg: segment bitness could be determined incorrectly


https://down.52pojie.cn/Tools/Disassemblers/


IDA 7.6


本文始发于微信公众号(利刃信安):IDA 7.6

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: