IDA 7.6 is now available!

Welcome to IDA 7.6!

 

Highlights

 

Apple Silicon support

IDA for macOS is now available as a native ARM64 binary which can make full use of the M1 chip’s incredible performance.

 

It is hard to overstate just how much IDA benefits from the new speed boost. Autoanalysis completes much quicker, the UI is noticeably snappier, and almost every other feature in IDA seems smoother when running on M1. Our beta testers reported that IDA 7.6 is “incredibly stable” and “way faster” on Apple Silicon – so it seems our excitement is not misplaced.

 

Debugging native arm64 processes is also supported on M1, including arm64e:

See the updated macOS debugging tutorial here.

 

The native ARM build of IDA is available for free to all owners of an active Mac license (including IDA Home users).

 

Golang analysis

The Go language (aka golang) from Google is getting popular thanks to its ease of use, performance, and self-contained binaries not requiring dependencies. Due to some of the language designers’ decisions the golang binaries are quite different from those produced by other compilers and some changes were required in IDA to properly support its peculiarities.

 

Among additions:

 

• parsing of golang-specific metadata to recover function names and boundaries
• support for stack-based parameters and return values even on platfoms that usually use registers (ARM, x64)
• detection of golang-specific string literals

 

Here’s an example of how a stripped golang binary for ARM looks like in IDA 7.5:

and in 7.6:

Almost twice as many functions were recovered and named.

 

Decompiler improvements

 

• automatic renaming of variables

 

Although interactivity is IDA’s selling point, it still tries to do as much as possible to automate mundane tasks. With this release the decompiler will try to automatically assign names to variables and structure fields based on assignments and function calls.

 

See two snippets from decompilation of the same binary. Left: IDA 7.5, right: 7.6.

• improved recognition of stack arrays

 

arrays on stack can be difficult to detect automatically since usually only their first elements are referenced explicitly. We have added heuristics which recover arrays in many typical situations, reducing the need for manual intervention.

• empty lines for better readability

 

If you add GENERATE_EMPTY_LINES = YES to hexrays.cfg, the decompiler will add extra empty lines between compound statements and before labels, which improves readability of long functions.

 

New processor modules: RISC-V and RL78

Our processor selection contiues to expand steadily.

• RISC-V is an open ISA which is starting to become available in various hardware such as the latest iteration of the Espressif Systems wireless platform, ESP32-C3.

• RL78 from Renesas is a 16-bit descendedant of the 8-bit NEC 78k0(s) family previously supported by IDA and is used in various automotive and consumer applications.

 

Bookmarks

 

We also added some new functionality to enrich bookmarks management in the UI.

 

As before, you can use Alt-M/Ctrl-M to add/jump to a bookmark, but now you can also use Ctrl-Shift-M to bring up a separate bookmarks view with the global list of bookmarks that can be grouped into folders:

Also, bookmarked addresses will now be highlighted in the disassembly. You can use Options>Colors to change the highlight color to whatever you want:

 

Other UI improvements

• Processor list in the Load File dialog is now organized using folder view which can be filtered using Ctrl-F

• You can now use cut&paste in folder views instead of dragging things with the mouse
• The Strings list is now cached in the database. The Strings window is one of the most commonly used views in IDA for quick reconnaissance. However, depending on the settings it can take a long to to scan the whole database which had to be repeated each time on reopening the window or reloading the database. Now we cache the list so opening it the second time is almost instant.

 

Compressed macOS and iOS kernelcache support

 

In the recent iOS and macOS versions, the kernelcache files are compressed. Although there are tools available which can decompress them, it’s one more thing to remember. Now IDA handles the standard compressed formats transparently so you can simply load them as standard Mach-O files. Since IDA can also handle ZIP files, you can open them directly from the IPSW updates!

 

Retpoline handling

 

Retpoline (return trampoline) is a compile-time mitigation against the Spectre speculative execution vulnerability disclosed in 2017. Binaries compiled with this option use special thunk functions for indirect jumps which tend to break standard control flow analysis. IDA now detects and handles these thunks transparently, resulting in nice and clean function graphs and pseudocode.

Example binary using retpoline thunks.

In IDA 7.5:

 

and 7.6:

 

 

Python 3.9 support

 

Python 3.9 was released after IDA 7.5 and changed the layout of some internal structures leading to crashes in scripts or plugins using PyQt. IDA 7.6 adds official support for 3.9 (while still supporting previous 3.x versions and 2.7). Python 3.9.1 is also officially available for macOS on ARM64 and can be used by IDA there.