Major Features

- ‘instant debugger’: the debugger can be launched and a process started without a database. This feature is available locally and remotely and allows the debugger to be attached to any running process in the system. IDA can be used as the default system debugger.
- Remote 64-bit debugger for MS Windows 64 running on AMD64/EM64T. IDA itself runs in 32-bit mode while the debugger server runs in 64-bit mode to launch and debug 64-bit applications.
- Full type system support for the ARM processor. IDA supports the function calling conventions and comments function parameters in the same way as it does on PC. The ARM module has been significantly improved: see the list of ARM-specific enhancements below.
- Wizard-like interface to load new files. IDA assists the user in the initial load process by asking relevant questions about the file. This interface is configurable with XML files.

Processor Modules
- new processor: Analog Devices ADSP 218x (advanced version)
- ARM: “no automatic arm-thumb switch” option has been added.
- ARM: conditional instructions modifying SP are not taken into account while tracing SP.
- ARM: ADDAL PC,… always stops the execution flow.
- ARM: EPOC imported function glue code is recognized.
- ARM: IDA creates ALIGN directives before and after jump tables in the thumb mode.
- ARM: IDA displays jump table comments for all types of jump tables.
- ARM: IDA knows about function calling conventions.
- ARM: IDA propagates the T bit for all code xrefs; since there are many ARM/THUMB switches now, superfluous directives to switch the mode are not displayed.
- ARM: R_ARM_PC13 relocation type is supported.
- ARM: a function consisting of MOV PC,LR in the thumb mode is recognized as a nullsub.
- ARM: for jump targets: do not automatically switch to another mode if there is already an instruction disassembled in the current mode.
- ARM: it is possible to modify the operand type of indirect operands like ‘=xxx’.
- ARM: jump table recognition has been improved.
- ARM: some BL instructions are treated as simple B (not as function calls): if the target destroys the LR in its first basic block.
- ARM: thumb mode EPOC apps are recognized and analyzed properly.
- ARM: IDS files for MFC.
- ARM: Windows CE types are added.
- ARM: lots of improvements in function creation.
- ARM: new IDS files.
- ARM: updated FLAIR signatures.
- IBM PC: “test x, y” operands are reversed if x and y are both registers. For some obscure reason all assemblers reverse them.
- IBM PC: alternative collapsed output of structures.
- IBM PC: better detection of the function frame size.
- IBM PC: emulator knows about functions starting with mov rX, rX
- IBM PC: for the instruction “lea xxx, ds:###” the second operand is automatically converted to an offset if it makes sense.
- IBM PC: imul instruction always has a signed immediate operand because unsigned negative operands are compiled incorrectly.
- IBM PC: int xx instructions generate xrefs to low addresses only in binary files.
- IBM PC: support for TASM ideal mode has been added.
- IBM PC: parameters of Linux system calls for PC are commented (there are some problems with some syscalls, like socket()).
- IBM PC: better handling of the _alloca_probe() function: IDA does not blindly delete the stack frame of functions using the __alloca_probe function – this might lead to more unreferenced variables.
- IBM PC: __chkstk is recognized as a function changing the stack (as __alloca_probe).
- MC68K: immediate instruction operands are represented as unsigned numbers by default (with some exceptions)
- 68K: better treatment of pea/lea instructions (please reanalyze existing databases!)
- PPC: added support for subi/subic instructions based on TOC/segment registers
- 80196: changing the processor type to 80186NP makes the segment registers available immediately (no need to reload the database)
- DSP56K: many nops in a row are not disassembled automatically
- H8/500: considerably improved the analysis, fixed bugs
- better handling of segment registers for ARM, M7700

File Formats
- Wizard-like interface to load new files into the database.
- COFF: Windows AMD64 files are supported. Relocation information is not handled since documentation is not available.
- COFF: added support for Windows64 object file relocations. Since there is no documentation on the topic, some relocations might be incorrectly handled.
- COFF: improved file format detection for zero-filled files
- COFF: labels with ‘$’ have less priority than normal names
- COFF: added support for ARM THUMB files (relocations are not supported yet)
- ELF: the loader allows loading files for unknown machine types
- ELF: AMD64 .got relocation types are handled (.plt is not handled yet)
- PE: crippled files with unusual information about the PE header can be loaded into the database with the file header.
- PE: in the manual mode IDA rounds up the exact segment size in the header to the file alignment.
- PE: new option: create flat group. The segment registers will use the flat group instead of the real segment names. The default value is specified with the PE_CREATE_FLAT_GROUP parameter in the IDA.CFG file.
- PE: files with a partially corrupt relocation table can be loaded into the database.
- PE: IDA can load truncated import tables.
- Palm Pilot program analysis is improved (recognize the pea/rts sequence, some Pilot debug info, handle pea in a special way to create more code)
- Palm file loader uses the 68K universal emulator by default.
- binary files: by default IDA creates 32-bit segments if the input file is bigger than 64K
- file loaders do not exit() to the operating system in the case of problems with the input file but rather stop the loading process and return to IDA
- the analysis of MS DOS 32-bit extender files has been improved

Kernel Enhancements
- ‘dump database to idc’: local names are saved to the IDC file
- added support for the __declspec(align(#)) keyword in the type system.
- bitwise negation works for structure members.
- checkarg knows about nested structures (yh)
- coagulation algorithm has been improved.
- flirt: tiny (less than 8 bytes) unnamed library functions are ignored
- frame pointer delta has been introduced. This delta is useful for functions with the frame pointer pointing to the middle of the stack frame. Usually the frame pointer points either to the top or to the bottom of the frame. However, some new compilers set the frame pointer midway. IDA knows about IBM PC function prologues with such frames and automatically determines the frame pointer delta. For other compilers/processors, the user can specify the delta value in the ‘edit function’ dialog box.
- IDA uses a new memory allocation scheme; the old memory allocation algorithm was too conservative in its memory use.
- if the structure offset is equal to the structure size, then it is displayed as “size struct_name”.
- it is possible to include local names in the output map file.
- new environment variable: IDAUSR. This variable specifies the directory with the user-specific settings.
- speed: IDA tries to create function tails only if there is a reference from a function to a non-function.
- structure variables can be displayed in the terse one-line form if the target assembler supports this representation
- new output file type: assembly include file.
- added conditional expressions to the ‘idsnames’ file
- til selection: now IDA loads the appropriate ntddk file depending on the input file bitness.
- the default offset type depends on the current item size (before, only the current segment bitness was used to determine it).
- type system: added support for the __declspec(align(#)) and __unaligned keywords.
- FLAIR utilities are updated to support AMD64 files; Visual C v8.0 signature files are added.
- TIL files for AMD64 are added; tilib is improved to handle constructs in the new header files.
- combined vc6win.til and vc6winr.til – vc6winr.til does not exist anymore.
- the use of the -p switch is permitted for old databases.
- new analysis option: create data offsets when possible. This option leads to more aggressive offset creation, which improves the disassembly in most cases.
- IDA does not comment function call parameters referencing strings because such comments make the string invisible at the call site
- the __imp_ prefix is ignored in the type libraries.
- pointers to functions are supported in the parameter propagation; trying to apply a data type to an instruction generates an error message.
- when creating a thunk function, IDA copies the target prototype to the thunk.
- in the type libraries, _name@## is the same as ‘name’ (Visual C uses both names to denote the same function)
- more aggressive parameter type propagation.
- better algorithm to create data arrays.

SDK and IDC
- IDC: added the MakeNameEx() function to have full control over renaming program addresses.
- SDK, IDC: added functions to manipulate XML values in the internal XML tree.
- SDK: IDC functions can be called without a database. Built-in functions have a special flag EXTFUN_BASE telling that they must be called with an open database.
- SDK: SetFileExt, FileExt, hasExt functions are renamed to set_file_ext, make_file_ext, get_file_ext. Additional parameters to check buffer overflows are added.
- SDK: added a possibility to tell ‘this is definitely not a thunk function’ in the ph.is_jump_func notification for the processor modules; this leads to a slight API change which should not pose any problems with the existing modules.
- SDK: added more segment alignment codes.
- SDK: added netnode::end() and netnode::prev() functions.
- SDK: additional parameter for parse_type() – the name of the declared variable.
- SDK: bit masks are supported by get_name_value().
- SDK: find_error(), find_notype(), tag_skipcode() functions are added.
- SDK: functions dealing with signedness and bitwise negation are revised; now the bitwise negation has a bit in the flags which allows using it in structure and enum definitions.
- SDK: gen_idc_file() is removed; use gen_file() instead.
- SDK: introduced ‘stack variable scaling factor’. Used for processors which implicitly scale stack variable references, e.g. tms320c55.
- SDK: introduced the notion of ‘ephemeral’ segments: debugger segments which are not loader segments. The kernel does not analyze ephemeral segments.
- SDK: introduced the notion of a ‘loader’ segment. All segments created by loaders have this attribute.
- SDK: is_32bit_func() is replaced by get_func_bitness().
- SDK: leading_zero_important() function has been added.
- SDK: only debugger segments can be created when the debugger is active. You can use change_segment_status() to convert debugger segments to regular segments afterwards.
- SDK: ph.kernel_config_loaded callback has been added – for plugins that want to set their own config settings
- SDK: removed the ph.align_size() callback from the type system callbacks.
- SDK: shortened some field names in the debugger-related structures (thread_id -> tid, etc).
- SDK: the string list is available to plugins.
- SDK: new function set_sreg_at_next_code(); ph.setsgr parameters are changed.
- SDK: introduced AS2_COLONSUF for assemblers with :xx suffixes in address expressions.
- SDK: renamed ‘analyse’ -> ‘analyze’ in all function names.
- SDK: added the auto_queue_empty callback.
- SDK: choose_ioport_device() has no default parameters (so we get a compilation error instead of wrong runtime behaviour).
- SDK: get_member_ti() accepts NULL as the buffer.
- SDK: the interface to the file loader has been changed. Instead of FILE *, we now use linput_t * (see functions in diskio.hpp). linput_t allows working with local and remote files.
- SDK: modified the interface of many functions to avoid buffer overflow vulnerability problems.
- SDK: new function sanitize_file_name()
- SDK: renamed cmangle_name() -> decorate_name()
- SDK: splitSRarea() has been removed. Use splitSRarea1()
- SDK: added a comment about the necessity of using the invalidate_… functions from the debugger notification callbacks.
- SDK: added func_t * to display_flow_graph()
- SDK: added the qisdir() function.
- SDK: added the qvector and qstring template classes to the IDA API.
- SDK: the method to obtain the debugger description has been changed: now the init() function of a debugger plugin must fill the ‘dbg’ global variable if it wants to stay in memory; the run() method is not used for debuggers anymore

User Interface
- new command: take memory snapshot.
- new command: ‘generate include file’. ‘generate assembler file’ does not generate the type declarations anymore.
- new commands: find error operand and find all error operands. These commands look for operands in red.
- ‘search for immediate’ has a new mode: look for untyped immediate values.
- ‘disable addresses’ checkbox in the ‘edit segment’ dialog is taken into account even if ‘move adjacent segments’ is on.
- added a warning message telling that IDA does not handle relocation information of Mach-O files (in other words, external references in Mach-O object files are not resolved).
- added a checkbox to modify the ‘loader segment’ attribute.
- added separate menus to run and attach to processes with no existing database (local & remote).
- arrows to/from locations with a huge number of xrefs are displayed fast.
- faster display of data items (we do not analyze them repeatedly anymore).
- graphing commands are available in the text version; the GRAPH_VISUALIZER parameter is moved from idagui.cfg to ida.cfg.
- gui: added an option to confirm the ‘undefine’ command only if there is a selected area.
- gui: command line switches are used only for the first database.
- hidden areas have a short comment with the current address by default; the words “[PRESS PRESS TO UNCOLLAPSE]” are not added to the comment.
- if IDA is launched with the file name in the command line and the user decides not to load it, then IDA quits immediately.
- mark location: the name of the marked location is proposed as the default mark description. Up to 1024 locations can be remembered.
- the notepad now uses the same font as the disassembly views.
- the strings window is available in the text version.
- text: multiple selections are supported in various lists.
- text: the text version uses the system clipboard under MS Windows.
- tv: better handling of the keyboard input under NT; fixed a bug with macro_ready; window resizing (YH)
- tvlinux: xterm-scokey supports Shift-PgUp/Shift-PgDn key combinations.
- ui: eventually create 64-bit words by pressing D if the input file contained 64-bit segments.
- ui: increased the limit on the number of marked locations to 1024 (see the next Changelist!)
- ui: it is possible to edit the type of data items; the item must have a name in order to have a type.
- ui: remembers the last settings used in the ‘make array’ command.
- WINDIR parameter is back in the gui version.
- ‘Jump to new hex window’ command added in the disassembly view popup menu for addresses and operand values
- ‘log breakpoint instructions’ controls all breakpoint instructions, not only the breakpoints not set by the debugger.
- CONFIRM_SETFUNCEND_COMMAND config file parameter makes IDA ask for a confirmation of the ‘set function end’ command.
- library module sizes in the library display are shown in hex with leading zeroes – this makes it possible to sort by size.
- txt: multi-column lists with a wide last column (like the list of strings) can be scrolled left to see the whole strings.
- txt: the text version always asks for a confirmation of the ‘undefine’ command.
- ui: Shift-F12 opens the strings window in the text version (the same hotkey as in the gui version).
- ui: the default button for the ‘undefine’ command confirmation dialog box is ‘no’

Debugger
- debugger: -r switch to run IDA and the debugger without a database.
- debugger: handle int3 SEH exceptions.
- debugger was not active if the PE subsystem was not Windows. Now unknown subsystems can be debugged too.
- debugger knows about fs:xxx references (the IDA API has changed!); the debugger reference view has been improved (text mode)
- debugger segments are created in the collapsed form.
- debugger: ‘Library unloaded’ events display the full path to the unloaded DLL if available (exactly like ‘Library loaded’ events).
- debugger: IDA automatically detaches from a previously attached process if the user closes the database.
- debugger: network errors are handled properly and do not lead to IDA crashes.
- debugger: the debugger server checks the interface version number upon connection to the IDA interface.
- debugger: changed the default background color.
- debugger: added a button to reload the exceptions table from the exceptions.cfg file.
- debugger: exception handling is improved; added exceptions.cfg: the exception handling information for new databases originates from this file and is passed to the debugger module.
- IDA can be used as the system just-in-time debugger in Windows.
- it is possible to delete problems directly from the ‘choose problem’ modal dialog box.
- text debugger: ‘set current ip’ and ‘show application screen’ commands have been added.
- text debugger: added the possibility to save/restore the application screen so that IDA and the debugged application can share the same screen (YH).
- text debugger: display the current operand value/address

Bugfixes
- ‘dump database to idc’ was producing incorrect Function_###() functions.
- ‘reload input file’ of a database with the resources section of a PE file would not reload the resources section.
- ‘search for void’ was not stopping at the correct operand in the text version.
- 16- and 8-bit offset expressions are calculated with the appropriate arithmetic.
- 6812: memory mapping of data references was sometimes wrong; other modifications.
- 68K module was incorrectly tracing SP for some instructions.
- 8051: addressing of FSR and RAM has been corrected.
- AIF loader was not loading big endian files properly.
- AVR uses OOFW_8 instead of OOFW_IMM dt_byte to represent numbers because dt_byte has 16 bits.
- AnalyseArea(0, BADADDR) was not working.
- COFF loader could reject some correct files.
- Ctrl-V was not working in the notepad.
- IBM PC: movmskps instruction was disassembled incorrectly; movddup, movsldup, movshdup instructions were unknown (everything due to Intel manuals from 2003); only the mm form of pmulhuw was disassembled.
- IBM PC: sldt/str instructions have 16-bit operands because 32-bit operands are rejected by the existing assemblers. Intel docs say that these instructions may have 32-bit operands.
- IDA complains about patching relocation bytes only if they really change their values.
- IDA could crash if a function in the navigation stack was destroyed and the user decided to return to it.
- IDA could spend a huge amount of time refreshing the navigation band when loading some files.
- IDA was too aggressive in function tail creation.
- IDC: if(…) {} could not be executed.
- IDC: the definitions of functions with long names were properly parsed but it was impossible to call them properly.
- MC68K: IDA was not taking into account that the lea xxx(sp),sp instruction modifies the stack pointer.
- MC68K: pea/lea instructions with offset operands were not creating xrefs; fixed a small typo in the processor-specific options dialog box.
- MS DOS overlayed exe files were incorrectly assigned the small memory model.
- PPC module was incorrectly using general registers instead of floating point registers in some instructions.
- PPC: IDA was too aggressively creating xrefs to lis/addi pairs.
- PPC: do not truncate TOC offsets to 16 bits anymore.
- PPC: lfsx first operand is a floating point register.
- Palm Pilot module was using big endian mode for all processors (and the base == 0 regardless of the user settings).
- SP was not properly traced for F2MC, MC6816, TMS320C54, TMS320C55.
- TMS320C3 module could crash on some opcodes.
- TMS320C54 had several problems: wrong data type of memory operands; (DP<<&) Smem operands were displayed incorrectly; wrong xref type of macp, macd instructions.
- TMS320C54: stack variables were not correct because the return address size was not specified for the module.
- access violation during analysis if the data segment was not loaded (manual load; refuse to load the .data segment).
- access violation in the following case: start idag with a wrong file name in the command line, press cancel on the file selection dialog and close IDA by pressing the ‘close’ window cross.
- autoanalysis queue was losing requested addresses in some rare circumstances.
- collapse the current segment only if the cursor is at the segment start; this is done to avoid segment collapsing when the user presses ‘-’ inadvertently.
- comhelper plugin was accepting only “_GUID” as the structure name.
- compiling an idc file from a running idc script could pose problems.
- debugger register views were not wide enough.
- debugger: IDA was sometimes returning wrong paths for loaded DLLs – we now try two different techniques to determine the full DLL path, and finally return the export name from the DLL in case of failure.
- debugger: in some cases it was impossible to manually detach/terminate a process.
- debugger: attaching to a remote process several times might cause problems.
- debugger: modifying a register value inside an IDC condition was not working properly for multi-threaded applications.
- debugger: stepping over “repne jmp short label” would lead to running the application.
- debugger: the EFLAGS register was not properly updated after the user manually modified a CPU flag.
- debugger: when switching the main registers window from MDI to desktop/on top, some controls were disappearing.
- del_cref() might delete data, not only an instruction, if there were no references to the target address.
- displaying hints for collapsed hidden areas could hang IDA for a long time.
- double clicking in the list of found items would change the position in the disassembly view but would not switch to it, confusing the user.
- en masse operations with the value range would not affect non-void operands.
- function address iterator might return a wrong address in some special cases (for functions with several tails and a condition which is not satisfied for some of them). In particular, the list of xrefs to stack variables might be wrong if the function had several tails without any stack variables in them.
- guess_type() could crash if the address of a pointer referencing itself was passed.
- hopefully the problem with the persistent ‘please wait’ box is fixed.
- IDA could loop infinitely if a function tail would call itself and could not be converted to a function.
- if IDA had been minimized, changing the desktop color would crash IDA.
- in PE files IDA thought there was a relocation attached to the first address of a segment with relocations. This might have led to entry points at segment starts being treated not as function exports but as data exports.
- it was impossible to cancel an offset operand by pressing ‘o’ in some cases.
- it was impossible to detach from a process in the suspended state (the process would crash).
- it was impossible to disassemble files with the ‘reg’ extension.
- it was impossible to load resources of LX files.
- it was impossible to select a one-line address range in the text version.
- it was impossible to set a software breakpoint in a read-only page.
- it was impossible to specify a function prototype to insert/shift arguments.
- the type of function arguments in the stack frame is adjusted when modifying the function prototype.
- it was impossible to use any keystrokes in the cpu register window if the focus was on a register value field. Now it reacts only to hex values and backspace.
- item types are displayed regardless of how the demangled names are displayed. Before, they were not displayed if demangled names were displayed in the listing as names (not as comments).
- linux debugger was not closing file handles before launching the debugged application.
- linux version was creating ~/.idapro with wrong permissions.
- linux: information about hidden messages is saved in the user directory, not in the IDA directory.
- linux_stub file was missing, which made it impossible to debug Linux programs from MS Windows.
- locret_ labels are generated correctly for wide byte processors with high byte first.
- message boxes could not be displayed recursively.
- output map files were wrong after rebasing a PE file.
- pelf was not aware of module names separated by ‘n’
- qbasename() does not crash on NULL (it seems that it was designed not to crash but there was a bug).
- rebasing the database would lead to the corruption of the function list.
- references to stack variables at offset 0 from esp were not listed in the xrefs window.
- removed minor memory leaks (occurring in some cases for IDC expressions returning a string).
- renaming a variable with a dummy name to which there was a reference from a manual operand would leave the manual operand unchanged.
- some key combinations in the text version were not available.
- some object files from libraries could not be loaded.
- structure definitions were not padded correctly at the end.
- structure paths were one byte too long in the case of normal members (not really important); added a comment about structure paths in nalt.hpp.
- structure sizes were not properly padded.
- temporary input file from an archive was not deleted at the end.
- text mode debugger would have a garbage character in the line prefixes of continuation lines.
- text version was not handling database rebasings properly.
- text version: displaying a wait box does not change the cursor position in the input line.
- the ‘Flow chart’ command was broken for a selected code area.
- the ‘IDC scripts’ toolbar was disappearing when loading scripts and was not restored properly.
- the ‘Lock highlight’ button was not properly refreshed.
- the first operand of the 68K moveq instruction should be sign extended to 32 bits.
- the strings window was empty at file loading time if a hex view was open.
- tv (text version): it was not possible to use the clipboard in the notepad.
- wide byte data arrays might be displayed incorrectly.
- windows gcc library was wrong in the SDK.
- wrong “variable %s not found” message could appear after running an idc script.
- wrong ARM-THUMB switching after some BX instructions.
- z180 configuration file had wrong definitions.
- “reset hidden messages” was not resetting the hidden welcome box.
- ARM could make the T register value 2 or even 3
- H8/500 rtd instruction was disassembled incorrectly.
- a memory leak in the lexical analyzer is fixed.
- if the user zooms in on the navigation band, clicks on the left arrow and holds the left mouse button to scroll, and moves the mouse cursor to the left outside of the navigation band window (while holding the button), the band starts scrolling to the right instead of to the left.
- in some cases IDA would not undecorate the function name for the ‘set type’ command.
- trying to disassemble a file in the root directory under Linux would crash IDA.
- when loading .h files IDA was not decorating the function names.
- ‘Clear trace’ and breakpoints menu items in popup menus of the Trace, Entry points, Functions & Names windows could be duplicated.
- IDA could crash if a stack view was open, then the corresponding function was deleted and the user tried to create a new stack variable for the dead function.
- IDA could hang trying to guess function types for HPPA.
- IDA could undefine items in the imports segment trying to apply type information; now items in the imports segment are not undefined.
- Jump commands were not available in the popup menu for operands pointing to an undefined value.
- M32R displacement operands were truncated during display; addi and other instruction operands are signed by default.
- SDK: debugger: calling run_requests() from a debug event handler was processing waiting step requests too slowly (in fact during idle time).
- adding/deleting tils always refreshes the disassembly view.
- fixed a memory leak in the name handling.
- fixed a memory leak with til files.
- h8/500: clr.w @-sp was not modifying the stack pointer; slightly changed the output of function headers (always output the far/near keyword).
- hint for the “create flat group” checkbox of the ‘load file’ dialog box was incorrect in the gui version.
- it was not possible to jump to a location if the cursor was just behind the end of the line on the screen.
- the xrefs list would not be immediately refreshed after changing the xref parameters using the Options menu.
- there was a GDI resource leak in the colors dialog box.
- txt: opening the strings window without closing it would make it empty.
- while deleting debugger segments, IDA could delete the first non-zero flag of the next segment.