Welcome to IDA 7.3! We are happy to announce that the new version of IDA is available! The new features will definitely please all our users.
Let us start with the most visible new feature: now IDA is fully configurable using CSS files and supports dark mode (based on the very popular IDASkins Dark theme) out of the box. A mandatory screenshot is below:
Among deeper things, let us present kernel debuggers for Apple's XNU on x64 (macOS) and ARM64 (iOS). Because Apple does not provide low-level access to the hardware on their devices, our iOS kernel debugger relies on the Corellium emulator. This is a unique opportunity to debug the iOS kernel in an easy and interactive way. In our experience, Corellium is amazing and very easy to use. Combined with the improved support for iOS/macOS kernelcaches, these new features make many new kinds of analyses feasible:
The XNU debugger can also use the VMware Fusion GDB stub to debug OSX on x64:
You can also debug the UEFI firmware part of the boot process or even custom UEFI modules with source level debugging. Please check our XNU kernel debugging howto for more details on this feature.
Another piece of debugger-related news is fast rebasing. Due to the widespread use of ASLR, processes get loaded at a new address every time, and IDA needs to adjust the database by moving all segments to the addresses that the operating system assigned to them. This was a slow process that could take literally hours for big databases.
In IDA 7.3 we implemented another approach for rebasing which is up to 40 times faster and usually takes only a matter of seconds. You no longer have an excuse to take a coffee break every time you start a new debugging session. This makes our debuggers even more pleasant to use ;)
We added one more decompiler, this time for 64-bit PowerPC. We will offer it for free to all users who already have an active 32-bit PowerPC decompiler. Let us show you a short example. This assembler text:
gets converted into:
Like all our other decompilers, it can produce very nice text, uncluttered by unnecessary variables or casts, with little to no help from the user.
In IDA 7.2, we published the decompiler Microcode API for C++, which allowed implementing custom analysis and optimization steps on top of our decompiler engine. However, most of our users prefer Python over C++, so due to popular demand we added Python bindings for it. Now you can create custom optimization steps or analysis passes without a single line of C++. Like any first release, it is bound to have some rough edges, so in case of difficulties with the new bindings our tech support is ready to help you. To help you get started, we are providing Python versions of some of the previously released C++ microcode plugins:
Some of our users expressed interest in a synchronized view of the disassembly listing and decompiler output. This functionality was actually already available in previous versions, but we took the opportunity to improve it: now the corresponding lines are colorized and it is even easier to match assembly instructions to the pseudocode:
However, after trying out this window arrangement for some time, we decided to keep the default behavior as is. In our experience the pseudocode produced by our decompiler is usually sufficient to understand the code. In the rare cases when consulting the disassembly listing is necessary, a single Tab keypress is enough to switch between the two views, instead of taking up valuable screen real estate with the split view.
Interested users may play with the PSEUDOCODE_DOCKPOS/PSEUDOCODE_SYNCED parameters in hexrays.cfg.
Finally, IDA 7.3 introduces the long-awaited undo feature. We were reluctant to implement it in the past for two reasons. First, it required huge source code refactoring. Second, it comes at the price of slower analysis (this is why it may be disabled during the initial autoanalysis), a more complex codebase, and possibly more deficiencies we haven't discovered yet. Hopefully our test suite will catch most of the bugs, though.
Without any doubt even IDA veterans will appreciate the undo feature. It is real time travel for everything database-related. If the user makes some changes (say, creates a function) and then has a change of mind, all modifications to the database will be rolled back, including the side effects caused by any third-party plugins. On one hand this means that undo is a real thing, but on the other hand it means that undo will adversely affect memory and CPU consumption. Hardcore users who prefer maximum speed can disable it in the config file or just in the menu. To read about undo (and how it affects your plugins), please follow this link.
Stay tuned, more features to come in the future!