Highlights

Finally! Finally we drop the MDI user interface and switch to dockable windows. They are simpler to use, more flexible, and waste less screen space. Well, you know it yourself. The new interface also includes the improved hex viewer and stack view. The new hex view is much easier to use, can display the data in various formats, and allows in-place editing. There is a lot to discover; some screenshots can be checked in the gallery.

Probably the fastest thing to do is to visit the comparison page for more detail about processor modules. In the endless pursuit to improve the disassembly output, we continue to add new methods, tricks, and heuristic rules to IDA. This time the biggest changes are in the ARM and PC modules. The ARM module handles the stack frame, type information, call/jump instructions better than before. The PC module knows about more code patterns, like switch and position-independent code idioms, detects more exception handlers, etc.

Naturally, after adding Windbg support in v5.4, we had to add support for crash dumps. Just specify a crash dump file as the input file and IDA will create a database from it. The debugger can be ‘launched’ to enter the familiar debugger environment with module, thread, and stack windows, where information can be retrieved the usual way. The only thing you cannot do is resume the execution; that would be overkill 😉

The previous addition required a big, hopefully invisible, change in the kernel, because the existing storage method could not handle huge gigabyte segments. Previous versions of IDA had a hard limit on the addressing space of the program: max 256MBytes in the default configuration. Modern programs routinely allocate much bigger memory, so we had to find a solution. Now, if a crash dump segment is bigger than a certain size, IDA automatically chooses the sparse storage method. Instead of storing information about every single byte of the program, IDA remembers only useful information. Thus, a 25MB uninitialized array requires just a few bytes of storage to describe it, not 100MB as before.
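To make the dense-versus-sparse trade-off concrete, here is a small self-contained C++ model added for this page; it is not IDA's own storage code, and the names `dense_flags`, `sparse_flags` and `compare_layouts` are hypothetical. It assumes the dense layout keeps four bytes of flags per program byte (consistent with the 25MB-to-100MB ratio quoted above), while the sparse layout only records the initialized ranges as intervals, so a huge uninitialized area costs nothing.

```cpp
// Model of dense vs. sparse per-byte storage for a loaded segment.
// Self-contained illustration written for this page, not IDA code.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iterator>
#include <map>
#include <vector>

// Dense storage: one 32-bit flags word per program byte (assumed layout).
class dense_flags
{
public:
  explicit dense_flags(size_t size) : flags_(size, 0) {}
  void set_initialized(uint64_t ea) { flags_.at(ea) = 1; }
  bool is_initialized(uint64_t ea) const { return flags_.at(ea) != 0; }
  size_t storage_bytes() const { return flags_.size() * sizeof(uint32_t); }
private:
  std::vector<uint32_t> flags_;
};

// Sparse storage: only the initialized bytes are described, as [start, end)
// intervals keyed by start address; untouched areas are not stored at all.
class sparse_flags
{
public:
  explicit sparse_flags(uint64_t size) : size_(size) {}

  // Mark one byte initialized, merging with neighbouring intervals.
  void set_initialized(uint64_t ea)
  {
    if (ea >= size_ || is_initialized(ea)) return;
    uint64_t start = ea, end = ea + 1;
    auto it = ranges_.lower_bound(ea);          // first interval starting at/after ea
    if (it != ranges_.begin())
    {
      auto prev = std::prev(it);                 // interval ending exactly at ea?
      if (prev->second == ea) { start = prev->first; ranges_.erase(prev); }
    }
    auto next = ranges_.find(ea + 1);            // interval starting right after ea?
    if (next != ranges_.end()) { end = next->second; ranges_.erase(next); }
    ranges_[start] = end;
  }

  bool is_initialized(uint64_t ea) const
  {
    auto it = ranges_.upper_bound(ea);           // first interval starting after ea
    if (it == ranges_.begin()) return false;
    --it;                                        // candidate interval containing ea
    return ea >= it->first && ea < it->second;
  }

  size_t interval_count() const { return ranges_.size(); }
  // Cost model: two 64-bit words per stored interval.
  size_t storage_bytes() const { return ranges_.size() * 2 * sizeof(uint64_t); }
private:
  uint64_t size_;
  std::map<uint64_t, uint64_t> ranges_;
};

struct storage_comparison
{
  size_t dense_bytes;
  size_t sparse_bytes;
  size_t intervals;
  bool agree;     // both layouts answer every probe identically
};

// Constructed scenario: a segment where only a 64-byte header and a 16-byte
// trailer are initialized; everything in between is an uninitialized array.
storage_comparison compare_layouts(uint64_t segment_size)
{
  dense_flags dense(segment_size);
  sparse_flags sparse(segment_size);
  for (uint64_t ea = 0; ea < 64; ea++)
  {
    dense.set_initialized(ea);
    sparse.set_initialized(ea);
  }
  for (uint64_t ea = segment_size - 16; ea < segment_size; ea++)
  {
    dense.set_initialized(ea);
    sparse.set_initialized(ea);
  }
  bool agree = true;
  for (uint64_t ea : { uint64_t(0), uint64_t(63), uint64_t(64), segment_size / 2,
                       segment_size - 17, segment_size - 16, segment_size - 1 })
    agree = agree && (dense.is_initialized(ea) == sparse.is_initialized(ea));
  return storage_comparison{ dense.storage_bytes(), sparse.storage_bytes(),
                             sparse.interval_count(), agree };
}

int main()
{
  storage_comparison c = compare_layouts(uint64_t(25) << 20);   // 25MB segment
  return (c.agree && c.sparse_bytes < c.dense_bytes) ? 0 : 1;
}
```

For a 25MB segment the dense model needs 100MB of flags while the sparse model stores two intervals (32 bytes); the probes at both edges of each interval are what exercise the merge and lookup logic.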

We would also like to explicitly mention and say ‘thank you’ to the users who contributed to this release of IDA. Bernhard Mueller from SEC Consult GmbH was kind enough to investigate why the Symbian debugger was failing on new devices and contributed an improvement. Robert Krkic generously shared his IDS files for Symbian systems with all IDA users. Thank you guys, your contributions make IDA better and easier to use!

Do you remember that you can add emulated API functions to the Bochs debugger? Just provide an implementation in IDC/Python/C++ and your function is called. For example, you could provide an implementation of the socket() function that would open a socket on the host system or do something else. While this possibility is very useful and remains in place, we added more predefined functions. Now the Visual Studio and Borland C/C++ startup code can be executed without generating exceptions and you can focus on the ‘real’ code.

In addition, we also added the ‘Bochs rc file loader’. It really helps if you already have a bochsrc file and want to debug it with IDA. Just specify it as the input file and IDA will create a nice database for you. No need to create a dummy database, populate it with the code from the boot sector, etc.

Other, probably less visible, improvements include the PDB plugin, the type system, more SDK functions (check out exec_request_t if you develop multithreaded plugins), etc. The full list is below:

Changelist

Processor Modules

PC: added detection of CException destructor; this helps to detect exception handlers and ignore them during function epilog analysis

PC: added support for another variation of PIC code by GCC

PC: more switches recognized in unoptimized MSVC code

ARM: added support for SUB Rx, R11, #fpoff stack variable references

ARM: added support for switches implemented using TBB/TBH instruction

ARM: better detection of R7-based frames

ARM: LDMED can be used for return too

ARM: type info and argument names are propagated for local variables passed by reference

ARM: other unspecified improvements (we removed them to keep the list short and more readable)

ARM: LSL Rx, Ry, #0 and ADD Rx, Ry, #0 are simplified to MOV Rx, Ry

I51: i/o port names are accepted for all segments (before only FSR definitions were handled)

MIPS: much improved analysis

SuperH: simplified display of pc-relative literal loads

File Formats

BOCHRC file loader: it is now possible to start IDA with a bochsrc file as the input file

CRASH DMP file loader: it is now possible to start IDA with an MS Windows crash dump file as the input file

COFF: segment permissions are imported for MS object files

ELF: accept PPC64 ELF files

ELF: handle dynamic symbols in MIPS files

ELF: some new SuperH relocations are supported

ELF: added support for ARM TLS relocations

EPOC: added support for multiple imports with the same ordinal

EPOC: user contribution: ids files for epoc6/9 from Robert Krkic

EPOC: since AppTRK does not report thread creation/deletion, IDA forcibly refreshes the thread list if an unknown thread id is encountered

PDB: added the possibility to manually load a specific PDB file; to load only types from the PDB

PDB: added support for anonymous unions. Types with bitfields are handled more correctly: we replace them with a corresponding POD type, since the IDA kernel cannot handle bitfields yet

PDB: added support for undefined enum types

PDB: better handling of C++ static methods and functions returning complex types.

PDB: better handling of string literals ([email protected]…)

PDB: information about function argument names is applied, if available in the .pdb file

PDB: symbols can be loaded using EXE headers in the database, either from the module list during debugging or via File menu by specifying a valid base address

PE: added an option in pe.cfg to force loading of all PE file sections (usually .reloc and similar sections are skipped)

PE: if import and/or export tables lie outside .idata segment, they are parsed and formatted

Kernel

Added some common C++ ABI functions to noret.cfg

Added support for __usercall functions with variable number of arguments (…)

Added functions to handle floating point instructions for the decompiler

Improved the browsing speed for big databases when autoanalysis is busy: moving around in huge databases is much better

Demangler: added support for the latest gcc4

Updated WinCE ARM ids files to Windows Mobile 6.0

Scripts & SDK

IDC: added MoveSegm() and RebaseProgram() functions

IDC: added OpFloat() function

IDC: renamed segment modification functions to start with a verb. Old names continue to be available.

SDK: added append_buf() and unpack_buf(), append_obj() and unpack_obj()

SDK: added build_anon_type_name()

SDK: added build_func_type() to facilitate building of type strings that represent functions

SDK: added callbacks to AskUsingForm so that the dialog can be modified on the fly

SDK: added change_storage_type() to change the storage method of an arbitrary address range. Please note that the sparse storage method works well only for uninitialized areas holding huge objects

SDK: added floating point conversion functions for 64bit values

SDK: added functions for working with imports (enum_import_names and others, see nalt.hpp)

SDK: added get_zero_areas() to retrieve info about huge zero inited ranges

SDK: added exec_request_t – class that allows for code execution in the main thread from any other thread

SDK: added more convenient areacb_t::for_all_areas2(), which accepts a functor instead of a (function, data) pair

SDK: added qlist compiler-independent template

SDK: added qthread_self()

SDK: added set_process_options() to set debugger process options

SDK: added ui_enable_input_hotkeys notification to let plugins temporarily disable alphanumeric hotkeys which can interfere with user input

SDK: added replace_wait_box()

SDK: added DBGINV_REDRAW bit to refresh the user interface while invalidating the debugger caches

SDK: bitfield definitions in type strings have been changed. Since there was no support for bitfields in the parser, this change should not affect anybody

SDK: introduced dt_ldbl to represent long double types. long double is different from tbyte and can be 8, 10, 12, or 16 bytes depending on the compiler

SDK: is_sp_based() can now return information about operands which are subtracted from the stack pointer

SDK: patch_byte() and similar functions return success if they succeed in modifying either process memory or the idb. Before, they returned true only if both process memory and the idb were modified

SDK: windbg kernel mode: added notion of virtual threads
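The exec_request_t entry above (and the multithreaded-plugin remark in the highlights) describes the pattern where a plugin's worker thread hands a request to the main thread instead of touching the database itself. The following self-contained C++ model is added here to show that pattern in working code; it is not IDA SDK code and does not compile against the SDK. The names `exec_request_model`, `main_thread_executor`, `toy_database` and `patch_request` are hypothetical stand-ins for exec_request_t, the kernel side of execute_sync(), the database and a plugin request.

```cpp
// Model of the exec_request_t pattern: a request object whose execute() body
// runs on the main thread while the submitting thread blocks for the result.
// Self-contained illustration written for this page, not IDA SDK code.
#include <condition_variable>
#include <map>
#include <mutex>
#include <queue>
#include <thread>
#include <vector>

// Hypothetical stand-in for exec_request_t.
struct exec_request_model
{
  virtual ~exec_request_model() {}
  virtual int execute() = 0;        // must run on the main thread
};

// Hypothetical stand-in for the kernel side of execute_sync().
class main_thread_executor
{
public:
  // Any thread: queue the request and block until the main thread ran it.
  int execute_sync(exec_request_model &req)
  {
    std::unique_lock<std::mutex> lk(mtx_);
    pending_.push(&req);
    cv_.notify_all();
    cv_.wait(lk, [&] { return results_.count(&req) != 0; });
    int rc = results_[&req];
    results_.erase(&req);
    return rc;
  }

  // Main thread only: wait for and execute exactly n requests in order.
  void serve(size_t n)
  {
    for (size_t i = 0; i < n; i++)
    {
      std::unique_lock<std::mutex> lk(mtx_);
      cv_.wait(lk, [&] { return !pending_.empty(); });
      exec_request_model *req = pending_.front();
      pending_.pop();
      lk.unlock();                  // run the request without holding the queue lock
      int rc = req->execute();
      lk.lock();
      results_[req] = rc;           // publish the result to the waiting submitter
      cv_.notify_all();
    }
  }

private:
  std::mutex mtx_;
  std::condition_variable cv_;
  std::queue<exec_request_model *> pending_;
  std::map<exec_request_model *, int> results_;
};

// Toy "database": a byte array that only its owning (main) thread may modify.
struct toy_database
{
  std::vector<unsigned char> bytes;
  std::thread::id owner;
};

// Plugin request that patches one byte and records which thread ran it.
struct patch_request : exec_request_model
{
  toy_database &db;
  size_t off;
  unsigned char val;
  std::thread::id ran_on;
  patch_request(toy_database &d, size_t o, unsigned char v) : db(d), off(o), val(v) {}
  int execute() override
  {
    ran_on = std::this_thread::get_id();
    if (ran_on != db.owner || off >= db.bytes.size())
      return 0;                     // refused: wrong thread or out of range
    db.bytes[off] = val;
    return 1;
  }
};

// Worker submits through the executor: the main thread applies the patch and
// the result travels back to the worker.
bool demo_patch_from_worker()
{
  toy_database db;
  db.bytes.assign(16, 0);
  db.owner = std::this_thread::get_id();
  main_thread_executor ex;
  patch_request req(db, 3, 0x41);   // constructed patch: byte 3 := 0x41
  int rc = -1;
  std::thread worker([&] { rc = ex.execute_sync(req); });
  ex.serve(1);                      // main thread services the one request
  worker.join();
  return rc == 1 && req.ran_on == db.owner && db.bytes[3] == 0x41;
}

// Same request run directly on the worker thread is refused by the owner check.
bool demo_patch_without_executor()
{
  toy_database db;
  db.bytes.assign(16, 0);
  db.owner = std::this_thread::get_id();
  patch_request req(db, 3, 0x41);
  int rc = -1;
  std::thread worker([&] { rc = req.execute(); });
  worker.join();
  return rc == 0 && db.bytes[3] == 0;
}

int main()
{
  return (demo_patch_from_worker() && demo_patch_without_executor()) ? 0 : 1;
}
```

In the real SDK the plugin derives from exec_request_t, implements execute(), and submits it with execute_sync(); the model above keeps the same shape so the blocking hand-off and the "main thread only" rule are visible in a few dozen lines.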

User Interface

UI: it is possible to add several types at once from the local types list (previously only the first one was added)

UI: it is possible to delete segment register change points from the “Jump to segment register” dialog or “Segment registers” view

UI: it is possible to set the base for array indexes display (decimal, hexadecimal, octal or binary)

UI: hex view supports in-place editing, various data formats and unicode strings

UI: unicode strings: unprintable characters are grouped into arrays; extra trailing zeroes are omitted by default

Debugger

breakpoint condition is evaluated only after the breakpoint is hit

Symbian: added support for new AppTRK v3.0.8 (thanks to Bernhard Mueller from SEC Consult GmbH)

Bugfixes