Hex-Rays IDA Pro

IDA PRO Version 7.5 is now released!

We are proud to announce the release of IDA PRO version 7.5 today! Join us in discovering your IDA Pro with many new features and improvements!

 

Highlights

 

1. Folder view

A tree-like folder view is available in many IDA standard views. You can create folders and move items between them. To start with, the following views have it:

 

Functions and Names

 

Imports

 

Structures

 

Enums

 

Local types

 

For Structures and Enums, the tree panel is shown by default, for other views it can be enabled via the “Show Folders” context menu item.

 

Users can create, rename and delete folders, and move items between them. This will help organizing information when dealing with large binaries.

 

2. MIPS decompiler

 

A new decompiler has been added to our lineup. Any 32-bit MIPS binary supported by IDA can be decompiled, including compact encodings. The infamous delay slots are handled transparently and seamlessly.

 

Here are a few screenshots:

 

Big-endian MIPS32 code

 

Little-endian MIPS32 code

 

MIPS16e code

 

microMIPS code

 

3. Lumina for MIPS and PPC:

Lumina function is now available for MIPS and PPC binaries.

 

4. iOS/macOS improvements

 

We have added type libraries with most major APIs and additional frameworks from macOS and iPhone SDKs. They are especially useful when paired with the decompiler.

 

List of initially available type libraries

 

Sample of x86_64 user-mode code using CoreFoundation APIs

 

Sample of ARM64 kernel code using IOKit classes

 

In addition, we improved support for the KTRW debugger. Breakpoints and watchpoints works with it out of box using the same Corellium-ARM64 configuration.

 

On the decompiler side, we added support for atomic ARM64 instructions such as CAS (compare-and-swap), LDADD (atomic add) and many others. They are translated into corresponding C11 functions from stdatomic.h, so you should see fewer _asm{} blocks when dealing with code compiled for arm64e.

 

ARM Atomic

 

Other selected items

 

PC: ELF binaries employing Intel CET (Control-flow Enforcement Technology) are becoming very common due to Debian enabling this compiler option by default, followed by Fedora and other Linux distros. We now support such binaries out of box, including in the decompiler. We have also added support for several new instructions that were added recently to Intel and AMD processors.

 

Intel CET

 

ARM: Recent compilers targeting 32-bit ARM code prefer using MOVW and MOVT instruction pairs to load 32-bit constants and addresses instead of constant pool as was common in the past. While IDA already handled such pairs when they were placed together, advanced optimizations can place these pairs apart, preventing IDA from combining them, discovering the full value and adding a cross-reference to the destination. We have improved our heuristics to handle such scattered pairs and added an option so analysis can be tuned to be more or less aggressive depending on your specific binary.

 

ARM MOVT

 

ARM MOVT

 

ARM MOVT

 

Complete changelist:

 

Processor modules:

• ARC: added support for ARCv2 EM instruction set
• ARM: added an option to control detection of 32-bit constants loaded by scattered pairs of MOVW+MOVT instructions
• ARM: improved detection of functions with delayed prolog setup
• MIPS: added support for multi-GOT binaries ($gp can have different values in different parts of the binary)
• V850/RH850: don’t create functions for PIC calls (to next address)
• PPC: added many new instructions from e200 cores (NXP MPC57xx, ST SPC58xx):
  • Cache Bypass Storage (lbdcbx lhdcbx lwdcbx stbdcbx sthdcbx stwdcbx dsncb)
  • e200z490 (AIOP) instructions (e_lqw e_stqw e_ldwcb e_ldbrw e_byterevw and more)
  • MPU instructions (mpure, mpuwe, mpusync)
• PC: added support for endbr instruction in prolog analysis
• PC: added decoding of WAITPKG instructions (TPAUSE, UMONITOR, and UMWAIT)
• PC: added decoding of TSX instructions (XRESLDTRK and XSUSLDTRK)
• PC: added decoding of instructions CLDEMOTE, ENCLV, SERIALIZE
• PC: added decoding of Direct Store instructions (MOVDIRI and MOVDIR64B)
• PC: added decoding of MCOMMIT and RDPRU instructions (AMD Zen2)

 

File Formats:

• AMIGA: implement rebasing for Amiga hunk file loader (contributed by Vladimir Kononovich)
• ELF: ignore internal compiler symbol gcc2_compiled
• ELF: pc: handle PLT stubs in binaries compiled with Intel CET support (-fcf-protection)
• ELF: accept files with PT_LOAD segments running over end of file
• ELF: MIPS: implemented relocations R_MIPS_GOT_PAGE, R_MIPS_GOT_OFST
• ELF: MIPS: add support for MIPS64 complex relocations
• MACHO: allow the user to configure the type libraries loaded for new macho files. see TIL_CONFIG in macho.cfg
• TDS: added support for tds files concatenated with the exe file

 

Installer:

• default to Python 3; bundle Python 3.8.2 with Windows installer

 

Debugger:

• debugger: added support for Bochs 2.6.10
• debugger: added debugging support for Zilog Z80 processors
• debugger: gdb: improve debugging of multi-thread programs
• debugger: ios: added iPhone SE 2 to list of known devices/li>
• debugger: PIN: support building pintool with pin 3.13
• debugger: xnu: improved ktrw support. breakpoints/watchpoints/registers now work as expected with ktrw, using the “Corellium-ARM64” configuration. no other manual setup is needed.

 

Kernel / Misc.:

• demangler: add c++20 spaceship and co_await operators for VC++ and GCC
• KERNEL: add std::_Xlength_error() to the list of no-returning functions
• Lumina: Lumina functionality is available for MIPS and PPC binaries

 

FLIRT / TILS / IDS:

• TIL: introduced new macosx type libraries, built directly from headers in MacOSX.sdk/iPhoneOS.sdk (including all Objective-C and C++ Frameworks). see macosx_sdk*.til/iphoneos_sdk*.til
• TIL: introduced new type libraries specifically for XNU kernel and KEXT binaries, built directly from the XNU source code. see xnu.til/xnu_arm.til
• FLIRT: Added MFC signatures for vc1424 (Visual Studio 2019.4)
• FLIRT: Added MFC signatures for vc1425 (Visual Studio 2019.5)
• FLIRT: ICL: Added signatures for icl200 (Intel C++ 20.0)
• FLIRT: ICL: Added signatures for icl201 (Intel C++ 20.1)
• FLIRT: VC: Added signatures for vc1424 (Visual Studio 2019.4)
• FLIRT: VC: Added signatures for vc1425 (Visual Studio 2019.5)

 

User Interface:

• UI: many IDA views now provide an alternative, tree-like folder view
• UI: added actions to search for register definition or register use (Shift+Alt+Up, Shift+Alt+Down)
• UI: it is now possible to add, delete, enable & disable breakpoints from the ‘Function calls’ widget
• UI: The “Breakpoints” chooser now also reports the state (Enabled/Disabled/Unresolved) in a column, instead of only through the icon.
• UI: within a session, IDA will by default remember and restore dialogs positions & sizes (configurable through RESTORE_DIALOGS_GEOMETRIES)
• UI: debugger: the current thread is now shown in bold
• UI: debugger: include the hostname and port number in the error message about failed connection
• UI: removed the limitation on syncing similar views (e.g. now it’s possible to sync 2 idaviews)
• UI: show filename of the file being loaded during the loading process
• UI: “create struct from data”: when used inside a struct, ignore dummy field names like “field_xxx”
• UI: added get_synced_group(), to retrieve information about what widgets are synchronized.