We have a lot of news this time, but let us start with the most desired and requested one: support for ARM v8.3 instructions. With the advent of the new iPhone XS many reverse engineers started to stumble on these new instructions. Besides, they include a new security mechanism: Pointer Authentication Code. It makes exploiting software vulnerabilities much more difficult, but it requires modifications in our file parsing and analysis methods. And yes, the upcoming IDA Pro supports it nicely:

The decompiler supports them too and can show the PAC verifications in the output code as compiler intrinsics, or hide them, which is the default behaviour:

The new iOS 12 dyld caches and kernel caches with tagged pointers are handled nicely too.

When loading an iOS12 kernelcache in IDA 7.1, many pointers lead nowhere and kexts are not detected.

In IDA 7.2, pointers are resolved correctly and kexts are marked up.

Speaking of dyld caches, one of the common complaints we’ve had is that usually you have to choose to load either a complete cache to see all modules (which takes forever), or a single module (and see pointers leading nowhere when they point to other, unloaded modules). We’ve tried to address it with the “load module with dependencies” option, but it turned out to be quite limited in practice.

Now you don’t have to choose anymore! Even if you load a single module and see a red-colored pointer denoting non-existing memory, just right-click it to load the missing module into the database:

Wait a little for the load to finish, then repeat as necessary for other addresses:

…and navigate to the destination to continue analysis!

Naturally this only works as long as you still have the original cache file present, but it should still speed up your work.

By the way, for Apple software we also implemented recognition of blocks. We support both global and local (stack-based) blocks. The objc plugin parses block descriptors and automatically makes structures representing the local context captured by the block. Now the decompiler output looks like this:
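As an added illustration (not code from IDA or the objc plugin) of what a tool has to recover from a block descriptor, here is a small C program that walks a block literal using the layout published in Apple's Block ABI: the descriptor's size field minus the fixed header gives the number of bytes of captured context, and the flags decide whether the block is global or stack-based and whether the signature slot sits after the copy/dispose helper pointers. The sample blocks, their type-encoding strings and the helper functions are constructed for this example and stand in for what clang would emit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits defined in Apple's Block ABI (Block-ABI-Apple.txt). */
#define BLOCK_HAS_COPY_DISPOSE (1 << 25)
#define BLOCK_IS_GLOBAL        (1 << 28)
#define BLOCK_HAS_SIGNATURE    (1 << 30)

/* Fixed header at the start of every block literal; the variables the block
 * captures are laid out directly after it. */
struct Block_literal {
    void *isa;                    /* &_NSConcreteStackBlock or &_NSConcreteGlobalBlock */
    int flags;
    int reserved;
    void (*invoke)(void *, ...);  /* the block body; first argument is the literal itself */
    const void *descriptor;       /* words: reserved, size, [copy, dispose], [signature] */
};

/* Descriptor layouts. Field order is fixed by the ABI; which optional
 * fields are present is decided by the flags in the literal. */
struct Block_descriptor_with_helpers {
    uintptr_t reserved, size;
    void (*copy_helper)(void *dst, void *src);
    void (*dispose_helper)(void *src);
    const char *signature;
};
struct Block_descriptor_plain {
    uintptr_t reserved, size;
    const char *signature;
};

/* --- parsing, the way a plugin would do it over bytes read from the database --- */

int block_is_global(const struct Block_literal *b)
{
    return (b->flags & BLOCK_IS_GLOBAL) != 0;
}

/* Size of the captured context: descriptor size minus the fixed header.
 * Alignment padding between captured variables is included, as in the real literal. */
size_t block_captured_bytes(const struct Block_literal *b)
{
    const uintptr_t *words = (const uintptr_t *)b->descriptor;
    size_t total = (size_t)words[1];
    return total > sizeof(struct Block_literal) ? total - sizeof(struct Block_literal) : 0;
}

/* Objective-C type encoding of the block, or NULL if the flag is not set.
 * The signature slot moves by two words when copy/dispose helpers are present. */
const char *block_signature(const struct Block_literal *b)
{
    if (!(b->flags & BLOCK_HAS_SIGNATURE))
        return NULL;
    const uintptr_t *words = (const uintptr_t *)b->descriptor;
    size_t slot = (b->flags & BLOCK_HAS_COPY_DISPOSE) ? 4 : 2;
    return (const char *)words[slot];
}

/* --- constructed samples standing in for compiler output --- */

struct sample_stack_block {
    struct Block_literal hdr;
    int count;      /* captured by value */
    void *obj;      /* captured object pointer: needs copy/dispose helpers */
};

static void sample_invoke(void *self, ...) { (void)self; }
static void sample_copy(void *dst, void *src) { (void)dst; (void)src; }
static void sample_dispose(void *src) { (void)src; }

/* Stack block: helpers present, so the signature is the fifth word. */
static const struct Block_descriptor_with_helpers stack_desc = {
    0, sizeof(struct sample_stack_block), sample_copy, sample_dispose, "v16@?0i8"
};
static struct sample_stack_block stack_blk = {
    { NULL, BLOCK_HAS_COPY_DISPOSE | BLOCK_HAS_SIGNATURE, 0, sample_invoke, &stack_desc },
    42, NULL
};

/* Global block: nothing captured, no helpers, signature is the third word. */
static const struct Block_descriptor_plain global_desc = {
    0, sizeof(struct Block_literal), "v8@?0"
};
static struct Block_literal global_blk = {
    NULL, BLOCK_IS_GLOBAL | BLOCK_HAS_SIGNATURE, 0, sample_invoke, &global_desc
};

const struct Block_literal *sample_stack_block(void) { return &stack_blk.hdr; }
const struct Block_literal *sample_global_block(void) { return &global_blk; }

int main(void)
{
    const struct Block_literal *blocks[] = { sample_stack_block(), sample_global_block() };
    for (size_t i = 0; i < 2; i++) {
        const char *sig = block_signature(blocks[i]);
        printf("%s block: %zu bytes of captured context, signature %s\n",
               block_is_global(blocks[i]) ? "global" : "stack",
               block_captured_bytes(blocks[i]), sig ? sig : "(none)");
    }
    return 0;
}
```

In a real binary the `isa` field points at `_NSConcreteStackBlock` or `_NSConcreteGlobalBlock` and the descriptor words are read out of the database rather than from a live struct, but the arithmetic is the same: the bytes past the 32-byte header up to `descriptor->size` are exactly the captured context that gets turned into a structure.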

In fact there are many other Objective-C improvements, see them all in a submenu:

Note: some of this functionality only works if you have the decompiler for the platform being analyzed.

Our debugger can handle many new OSX and iOS features and can debug iOS 12 applications, including stack unwinding in code using PAC instructions: