
Unlocking RISC-V and ARM: Next-Level Switch Detection in IDA Pro


IDA 9.2 is right around the corner

This upcoming release improves the automatic reconstruction of complex control flow, including popular obfuscation techniques in ARM64 Android libraries, aggressive “case-forcing” patterns found in RISC-V binaries, and newly recognized switch forms from the Xuantie toolchain. These enhancements reduce friction for analysts and streamline binary auditing.

What’s New in IDA 9.2

-> ARM: Detecting Obfuscated Switches

Let’s look at an ARM example demonstrating several switch-related patterns that can be considered obfuscation or, at the very least, non-standard control flow that complicates reverse engineering.

What’s happening in this code?

  • Multiple chained indirect jumps (jump tables)
    The function repeatedly computes a value, bounds it (CMP X8, #3 + CSEL X8, XZR, X8, GT), loads a function pointer from a table, and jumps to it with BR X8.

    This is a switch statement implemented with computed gotos.

  • Bounds-forcing via CSEL
    The use of CMP X8, #3 and CSEL X8, XZR, X8, GT is a form of bounds-forcing. CSEL X8, XZR, X8, GT means “If X8 > 3, set X8 to 0 (force to a valid case); otherwise keep X8 as-is.”

    Such patterns can be used to “force” an index into a valid range, but also as a trick to obscure the actual set of cases.

  • Switch pattern re-used inside each case
    After entering a case block, the function often sets up new values, recomputes an index, and again jumps through the switch table.

    This makes the control flow non-linear and difficult for static analysis and decompilation.

 


The real improvement comes in the decompiler. Cases that are never executed are now detected and eliminated from the output. In the example below, the switch jump depends on v1, but we can see the value can be either 3 or 1.

 

[Figure: decompiler output before 9.2]

[Figure: decompiler output after 9.2]

New config option:
This optimization can be controlled through the new OPT_VALRNG_SWITCH_NCASES option added to hexrays.cfg.

The default value is 32: any switch with a higher number of cases is skipped by this optimization.
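
The bounds-forcing and dead-case elimination described above, modeled as an added Python example (not Hex-Rays code, and not a description of how the decompiler implements the optimization). The table addresses, the function names, the 8-byte absolute pointer layout and the `max_cases` parameter are assumptions made for illustration; `max_cases` stands in for the OPT_VALRNG_SWITCH_NCASES threshold.

```python
import struct

MASK64 = (1 << 64) - 1

def to_signed64(v):
    """Interpret a 64-bit register value as signed, as the GT condition does."""
    v &= MASK64
    return v - (1 << 64) if v >> 63 else v

def csel_clamp(x8, limit=3):
    """CMP X8, #limit ; CSEL X8, XZR, X8, GT -> 0 if X8 > limit (signed), else X8."""
    return 0 if to_signed64(x8) > limit else x8 & MASK64

def dispatch_target(table, x8, limit=3):
    """Address BR X8 would reach: clamp, then load an 8-byte pointer from the table."""
    idx = to_signed64(csel_clamp(x8, limit))
    if idx < 0:
        return None  # signed GT does not clamp negatives; the load leaves the table
    return struct.unpack_from("<Q", table, idx * 8)[0]

def prune_cases(table, index_values, limit=3, max_cases=32):
    """Split table entries into live and dead cases for a known set of index values.

    max_cases is an assumed stand-in for the OPT_VALRNG_SWITCH_NCASES threshold:
    switches with more cases than this are left unpruned.
    """
    ncases = limit + 1
    entries = {i: struct.unpack_from("<Q", table, i * 8)[0] for i in range(ncases)}
    if ncases > max_cases:
        return entries, {}
    live_idx = {to_signed64(csel_clamp(v, limit)) for v in index_values}
    live = {i: t for i, t in entries.items() if i in live_idx}
    dead = {i: t for i, t in entries.items() if i not in live_idx}
    return live, dead

# Constructed sample: four case handlers at made-up addresses.
TABLE = struct.pack("<4Q", 0x1000, 0x1040, 0x1080, 0x10C0)

if __name__ == "__main__":
    live, dead = prune_cases(TABLE, {3, 1})  # v1 is either 3 or 1, as in the post
    print("live:", {i: hex(t) for i, t in live.items()})
    print("dead:", {i: hex(t) for i, t in dead.items()})
```

An out-of-range index such as 7 is forced to case 0, so case 0 only becomes live when the value set contains 0 or something above the limit.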

 


-> RISC-V: Recognizing Non-Standard Patterns

Several patterns were added to the RISC-V processor module. Here’s a typical example of position-independent jump tables: the table stores offsets, not absolute addresses, so you add back the base.
Note how the number of cases is manipulated through bitwise operations at 279E2A and 279E2C. IDA 9.2 can easily detect that.

Sometimes custom instructions are used to extract the switch index and access the jump table. This is the case with Xuantie’s custom instructions (e.g., th.extu and th.lrw), which make jump tables more compact and efficient, but are not standard RISC-V.

We’ve collected lots of non-standard RISC-V samples and used them to improve our switch pattern recognition.


Why it Matters

Automatic switch recognition dramatically helps decompilers and analysts. Prior to these improvements, users had to manually reconstruct the real control flow, or risk misunderstanding how the program works.

Availability & Access

These improvements will be included in IDA Pro 9.2, available in all editions where decompilers are supported.

However, please note:

  • The RISC-V decompiler is not available in IDA Free.
  • The new ARM switch optimization can be configured via the OPT_VALRNG_SWITCH_NCASES setting in hexrays.cfg.

These changes are bundled with the product release and not available in the GitHub repo.

Looking Ahead

As architectures and obfuscation techniques continue to evolve, we’ll keep expanding support and refining analysis. Thanks to our community for their real-world examples and feedback that helped drive the direction of these updates—keep it coming!

 

 

Enrolling in our Beta Program just got easier

We’re always looking for power users to help test and refine new and updated features for our next release. And now, enrolling as a Beta User is as simple as clicking Subscribe in the customer portal. You’ll see a new prompt at the top of your Dashboard when you log in.


Here’s a quick rundown

Accessing Beta Releases
  • Once you’re subscribed, you’ll receive an email from us when the Beta version is ready for download
  • You download all beta versions from the Download Center
  • Your current active IDA license will match your Beta license:
    • IDA Home → IDA Home Beta
    • IDA Pro → IDA Pro Beta
 
Beta Testing Duration
  • All beta testing closes on the day of the product launch.

 

Your feedback is invaluable