IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro?”.
Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or “This feature will eventually be implemented sometime in the future”.
In this blog post, we introduce the new database snapshots feature that will be present in IDA Pro 6.2:
[Image: snap_man]

Why there is no undo option in IDA Pro

The lack of the undo facility stems from the fact that IDA Pro’s database format is not transactional. Each operation in IDA Pro may entail a great deal of other operations that can change the database contents massively.
Take for instance the case when the user goes over an unexplored area and presses “C” to create code. This is what happens:

  • IDA tries to create instructions
  • For each instruction there could be side effects:
    • Creating code, functions or data items
    • A new target address is added to the analysis queue
    • Another unexplored area will become explored
  • The whole algorithm keeps on repeating itself until the analysis queue becomes empty

So, sometimes pressing “C” in one place can completely change the database (functions will be created, data items will be defined, xrefs will be generated, etc…).
What about the case of deleting a segment?

  • Segment deletion will also entail deletion of all instructions
  • Deletion of all related cross references
  • etc…

What we discussed so far are the extreme cases, but what about simply undoing a rename operation? It is true that such simple operations can be easily tracked, recorded and undone if needed.
In fact, IDA Pro provides a set of callbacks (IDB/IDP callbacks) that allow the programmer to register a callback function that will be triggered in a pre/post manner. The programmer will have a chance to record the operation, modify it before it is carried out by the kernel, or just handle it completely without passing it to the kernel.
Here’s an excerpt from “idp.hpp”:

// IDB event group. Some events are still in the processor group, so you will
// need to hook to both groups. These events do not returns anything.
// The callback function should return 0 but the kernel won't check it.
// Use the hook_to_notification_point() function to install your callback.
  enum event_code_t
  {
    byte_patched,           // A byte has been patched
                            // in: ea_t ea, uint32 old_value
    cmt_changed,            // An item comment has been changed
                            // in: ea_t ea, bool repeatable_cmt
    enum_created,           // An enum type has been created
                            // in: enum_t id
    enum_deleted,           // An enum type has been deleted
                            // in: enum_t id
    enum_renamed,           // An enum or member has been renamed
                            // in: tid_t id
    ....
    enum_cmt_changed,       // An enum or member type comment has been changed
                            // in: tid_t id, bool repeatable
    destroyed_items,        // Instructions/data have been destroyed in [ea1,ea2)
                            // in: ea_t ea1, ea_t ea2, bool will_disable_range
    ....

 
Real-life plugins that use the IDP/IDB callback mechanism include the collabREate plugin by Chris Eagle and the IDA Sync plugin written by Pedram Amini. Nonetheless, those plugins do not aim at providing undo functionality, but rather a way to make reverse engineering with IDA Pro a collaborative effort.

Introducing the database snapshot feature

Since the “undo” feature may not be implemented in the near future, we thought of implementing a nice and convenient way to take database snapshots and restore them easily from IDA Pro.
In a nutshell, an IDA Pro database snapshot is a copy of the current database with the following name: databasename_mmddyyyy_hhmmss.idb. In the future, we could optimize the database storage requirement so that only the difference will be stored on disk.
This new database snapshot feature is very similar to the “VM snapshots” feature found in most virtualization products (such as VMware, VirtualBox, QEMU, etc…) where the user can take a snapshot of the VM at any point in time and work with it (restore, delete, etc…).
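
The naming scheme above can be reproduced with plain file copies. The following Python sketch is an added example, not Hex-Rays code and not how IDA 6.2 implements snapshots; the function names are hypothetical, and it assumes the database is closed so that the .idb is a single packed file.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path

STAMP = "%m%d%Y_%H%M%S"  # mmddyyyy_hhmmss, the naming scheme quoted above


def snapshot_path(db, when):
    """Return <databasename>_<mmddyyyy>_<hhmmss>.idb next to the database."""
    return db.with_name(f"{db.stem}_{when.strftime(STAMP)}{db.suffix}")


def take_snapshot(db, when=None):
    """Copy a closed (packed) database file to a timestamped snapshot."""
    dest = snapshot_path(db, when or datetime.now())
    if dest.exists():
        raise FileExistsError(dest)  # never overwrite an earlier snapshot
    shutil.copy2(db, dest)
    return dest


def list_snapshots(db):
    """Return [(timestamp, path)] for snapshots of db, oldest first.

    mmddyyyy names do not sort chronologically as text, so parse the stamp.
    """
    pattern = re.compile(
        re.escape(db.stem) + r"_(\d{8}_\d{6})" + re.escape(db.suffix))
    found = []
    for candidate in db.parent.iterdir():
        match = pattern.fullmatch(candidate.name)
        if match is None:
            continue
        try:
            found.append((datetime.strptime(match.group(1), STAMP), candidate))
        except ValueError:
            continue  # eight digits that are not a real date (month 13, ...)
    return sorted(found)


def restore_snapshot(db, snapshot, when=None):
    """Snapshot the current state first, then copy the chosen snapshot back."""
    backup = take_snapshot(db, when)
    shutil.copy2(snapshot, db)
    return backup
```

Restoring always saves the current database first, so a restore can itself be reverted.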
Taking a snapshot will be accessible from two places:

  • The first is in the file menu (or by pressing the Ctrl-Shift-W hotkey):

[Image: snap_quick]

  • And the second method is through the database snapshot manager interface:

[Image: snap_man_menu]

The snapshot manager interface

In the snapshot manager interface window, the user will be able to restore, rename, delete or take a snapshot:
[Image: snap_man]
Finally, we would like to thank our kind customers that keep on giving us suggestions and ideas that help us improve the product.