Hex-Rays IDA Pro v7.2.181105
With this version of IDA we publish the decompiler intermediate language: the microcode. We were planning to do it since very long time but the microcode was constantly evolving, we could not do it. After ten years of evolution it looks mature and ready to be published. We believe that it will permit our users to implement much more powerful and higher level analysis algorithms than before. In the future we plan to use the microcode in IDA too: if the decompiler is present, the analysis will be improved automatically.
Second, we improved the debugger module API in IDA v7.1. While the rest of the API was modernized in v7.0, we had no time to handle the debugger API. Now it is done, and we have new shiny calls (and got rid of the legacy definitions). While at it, we also improved the speed of the binary search and added support for named threads. Unfortunately, the change of the API means that third party debugger plugins need to be ported to IDA v7.1. We prepared a short porting guide for that, please see:here.
We removed two debugger modules with this release:WinCEandSymbian. We haven’t heard any feedback about them since ages and nobody voiced against it when we polled our users on our forum, so we decided to let the obsolete stuff to disappear.
There are numerous tiny improvements, both in IDA in the Decompiler. While we do not list all of them below, the output of both tools became clearer and easier to read in many cases.
- ARM: add remaining ARMv8.1 instructions (SQRDMLAH and SQRDMLSH)
- ARM: combine MOV+MOVK sequences into one macro instruction with final immediate value (ARM64)
- ARM: use ‘imagerel’ operator for RVA offsets
- MIPS: convert lwl/lwr and similar sequences to the corresponding unaligned load/store macros (ulw/uld/etc.)
- PC: added decoding of UD0 and UD1 instructions
- PPC: always allow VLE code and offer the user to set all code to VLE when loading binary files
- DALVIK: added support for “invoke-polymorphic”, “invoke-polymorphic/range”, “invoke-custom”, “invoke-custom/range” instructions
- COFF: default to Windows-1252 (or the local 8-bit encoding) for i386 files
- Mach-O: IDA now loads symbols present in possible, separate .dSYM file
- dex: added support for multidex android packages
- dex: added support for DEX file format 038
- debugger: OSX: introduce SYMBOL_PATH in dbg_macosx.cfg. This can significantly speed up symbol loading when using the Remote Mac OSX Debugger
- debugger: added support for thread names
- debugger: iOS: support remote process list for iOS 10 and later
- debugger: improved the speed of binary search in process memory (1000 times or more)
- debugger: use hardware breakpoints for tracing if “use hardware temporary breakpoints” is set
- ios_deploy: added “applist” phase
- ios_deploy: added “probe” phase
- ios_deploy: fix “kill” phase for iOS 10 and later
- ios_deploy: fix “proclist” phase for iOS 10 and later
- ios_deploy: improved “launch” and “kill” phases so that they work with any arbitrary application (even System apps)
- GDB: added support for GDB stubs reporting unavailable registers
- GDB: added support for QPassSignals (when an exception is set to pass to application, not suspend, and to be silent)
- GDB: improved calculation of maximum packet size supported by remote stub
- GDB: improved detection of architecture and setup of register sets
- removed WinCE and Symbian debuggers
- kernel: added support for 64-bit ‘bytes’ in ida64
- kernel: improved handling of noret functions
- kernel: improved heuristics of function detection
- kernel: improved switch recognition
- kernel: improved system eh region detection and analysis
- kernel: made create_generic_linput() and related functions thread-safe
- rtti: improved auto detection of ‘complete object locator’ as referrence before vtable
- FLIRT: ICL: added signatures for icl175 (Intel C++ 17.5)
- FLIRT: ICL: added signatures for icl180 (Intel C++ 18.0)
- FLIRT: ICL: added signatures for icl181 (Intel C++ 18.1)
- FLIRT: VC: added signatures for vc1412 (Visual Studio 2017.5)
- FLIRT: pelf: added support for x86_64 relocations 41 (R_X86_64_GOTPCRELX) and 42 (R_X86_64_REX_GOTPCRELX)
- FLIRT: vc/vc64: added signatures for ucrt 16299 (Windows 10 Fall Creators Update SDK)
- TIL: added a type library for Objective-C
- TIL: added prototypes for dispatch_sync(), dispatch_async() and other block-related functions to macosx.til
- TIL: added struct Block_layout and related _Block_xxx functions to macosx.til
- CFG: Added ‘Chinese’ culture file
- CFG: added config variable APPEND_IDB_EXT: append or replace input file extension by the database extension when constructing an IDB name
- CFG: removed CACHE_NODE_SIZE, changed config parameter XREF_CACHE_LIMIT to XREF_CACHE_COUNT, the maximum number of xref cache entries may be specified
We have many news this time, but let us start with the most desired and requested one: support for ARM v8.3 instructions. With the advent of the new iPhone XS many reverse engineers started to stumble on these new instructions. Besides, they include a new security mechanism: Pointer Authentication Code. It makes exploiting software vulnerabilities much more difficult but it requires modifications in our file parsing and analysis methods. And yes, the upcoming IDA Pro supports it nicely:
The decompiler supports them too and can show the PAC verifications in the output code as compiler intrinsics, or hide them, which is the default behaviour:
The new iOS 12 dyld caches and kernel caches with tagged pointers are handled nicely too.
When loading an iOS12 kernelcache in IDA 7.1, many pointers lead nowhere and kexts are not detected.
Speaking of dyld caches, one of the common complaints we’ve had that usually you have to choose to load either a complete cache to see all modules (which takes forever), or a single module (and see pointers leading nowhere when they point to other, unloaded modules). We’ve tried to address it with the “load module with dependencies” option but it turned out to be quite limited in practice.
Now you don’t have to choose anymore! Even if you load a single module and see a red-colored pointer denoting non-existing memory, just right-click it to load the mising module into the database:
Among other decompiler improvements: a method to handle multiple stack variables that occupy the same stack slot, better optimization engine, better handling of cast operators, better type derivation, more aggressive C expression simplification, for-loop recognition, many subtle bugs are gone, etc. We hope that working with the decompiler will be more pleasant and seamless.
We also improved the microcode API that was initially published in v7.1. Unfortunately we had to shuffle so many things that the new API is not compatible with the old one but we promise that we will try to keep it stable from now on.
Finally, with IDA v7.2 we introduce a new (experimental) Lumina server. Think of it as about a public storage of popular function patterns. The lumina server holds metadata about functions (like names, comments, prototypes, operand representation, etc). IDA can ask Lumina to recognize functions in the current database and apply the corresponding metadata. It is like FLIRT but it is dynamic, stores more information, and can recognize functions that FLIRT can not.