State-of-the-art binary code analysis tools

Highlights

  • Support for non contiguous, fragmented, multiple chunks functions has been added. The analysis of theses functions has been greatly improved.
  • a LINUX console version of IDA is now available. The source code of the TVision library used for the interface will be freely downloadable!
  • REMOTE DEBUGGING between Linux and Windows systems. (only singlethreaded linux applications are supported by the debugger). Source code will also be available.

Changelist

Processor Modules
  • DSP561XX: new processor (in the Professional version)
  • TMS320C3: new processor (in the Professional version)
  • Angstrem KR1878: new processor
  • Motorola HCS12: new processor
  • 6502: immediate instruction operands are unsigned by default (were signed)
  • 6812 debugger: beta test version is ready and included in the distribution
  • 6812: better configuration file; CASM assembler is added
  • 6812: pc relative references are resolved and displayed as comments; cross references for them are created
  • ARM: ADD PC, … stops execution flow
  • ARM: ADD Rn, SP, #offset is automatically converted to a stack variable
  • ARM: ARM processor module has been improved in many aspects thanks to Willem Hengeveld <[email protected]>
  • ARM: IDA knows that LDM Rx, {reg} spoils the register
  • ARM: IDA knows that some BL instructions should be treated as B instructions
  • ARM: MOV PC,… and LDR PC,… instructions are handled better
  • ARM: RVA32 relocation type is supported
  • ARM: arm <-> thumb thunks are recognized
  • ARM: better reaction to the execution flow going to an unexisting address: before there was an error message that it is impossible to assign the segment register T, now the offending address is stored in the problem list.
  • ARM: better register tracing to detect the target of the BX instructions
  • ARM: better support for the thumb mode relocations
  • ARM: glue code is recognized as a jump function
  • ARM: improved the analysis of the jump tables and the glue code
  • ARM: modifying the T register reanalyzes the current instruction
  • ARM: the following sequence does not stop execution: MOV LR, PC; MOV PC, … or BX Rx
  • ARM: thumb instruction can be converted to macros too
  • HPPA: basic blocks are detected properly; added type system; better analysis in general
  • HPPA: option to use mnemonic register names is added. off by default.
  • HPPA: stw/ldw instructions have “,ma/b” completers; unused %sr0 registers are not displayed
  • IA64: better detection of operand sizes
  • IA64: multibyte character constants are allowed for GNU as (desipte the fact that it does not support them)
  • IBM PC: type information for functions called indirectly with complex offset expressions is propagated properly
  • IBM PC: push ##/pop eax is recognized as a sequence equal to “mov eax, ##”
  • PPC: addi instruction is taken into account when tracing the stack pointer
  • PPC: operands are converted to offsets only if the target is present in the program
  • PPC: support for GNU assembler is added
  • PPC: support for R_PPC_ADDR16_HI relocation type is added
  • PPC: type system support is added
Kernel
  • Mulitple chunk functions are supported. IDA will automatically create function tails if this option is turned on. The option is turned on by default for the new databases, for the old database, it is turned off.
  • the idc engine does not use disk files anymore and is now faster.
  • created subdirectories for input file loaders, processor modules, configuration files.
  • Added an option to allow the recognition several copies of the same function
  • Added an option to comment anonymous library functions with the description of the FLIRT signature
  • Argument type information is propagated more actively
  • flair application collisions are marked with comments
  • improved handling of spoiled structure and function frame definitions
  • renaming a function as “exit” stops the execution flow
  • type information is saved for the structure members coming from the type libraries
  • better handling of trivial jump functions
  • slight improvement of jump table handling: .got entries are never considered to be big jump tables
  • the function boundary determination algorithm has been improved
File Formats
  • ELF: added an option to force PHT instead of SHT (useful for viruses and malicious programs)
  • ELF: ARM relocations are supported properly
  • ELF: HPPA relocation information is processed. Since there is enormous number of relocation records, we process only a limited number of them
  • ELF: IDA knows about some internal symbols generated by the ARM compiler
  • ELF: a bad section declaration is not considered as a fatal error during loading; PHT manual load is supported
  • ELF: pressing cancel in the manual mode aborts the whole loading process
  • ELF: introduced environment variable IDA_ELF_PATCH_MODE which can be used to override the patching made by IDA to the database when a new elf file is loaded
  • EPOC: condition and option lines in SIS files are properly recognized and skipped
  • HPSOM: $DLT$ entries are ignored during loading imports
  • AR libraries with ‘\n’ embedded in the file names are processed correctly
  • MS DOS COM files use the metapc processor by default
  • MACH-O: MAC OSX support for the type system is added
User Interface
  • support for multiple selections in various lists has been added
  • debugger: ‘0’, ‘+’ and ‘-‘ keys can now be used to quickly zero, increment or decrement register values
  • debugger: ‘Toggle value’ command added to registers window (useful to quickly toggle flags)
  • debugger: added ‘Add breakpoints’, ‘Enable breakpoints’, ‘Disable breakpoints’ and ‘Delete breakpoints’ commands in popup menu of various lists (functions, names, …) – these commands also accept multiple selection
  • debugger: during debugging, addresses in import section are now displayed as data: allows to easily view and jump to the target
  • debugger: Cancel is now the default button in the debugger warning message (appearing the first time the debugger is started)
  • tracing: added an option in the ‘Tracing options’ window to suspend tracing over library functions (enabled by default)
  • tracing: can now browse in Trace window even if process is not suspended
  • tracing: green arrow (target arrow) is refreshed during backtracing
  • tracing: in the trace window, a trace event selection is conserved (while it is in the trace buffer) – if the last trace event is selected, the selection will continuously remain on the last inserted trace event
  • added option to turn off the autoappend feature
  • can open more than one hex view – these hex views aren’t anymore synchronized with IDA Views by default (to synchronize a hex view with an existing IDA View, use the ‘Synchronize with’ command in the hex view’s popup menu)
  • command line status is now saved in the desktops
  • improved the ‘offsets en masse’ command: now ida verifies if the offset can be applied
  • it is possible to hide the question about a debug file from MSDN
  • most Jump and Search commands now work in hex views
  • positions of dialog boxes related to database are now saved to desktops
  • jumping to a problem does not delete the problem from the list anymore
  • it was not possible to choose an xref to a structure, so this command has been disabled
  • wrong values for the -z switch are catched and reported properly
  • ‘dump to idc’ can dump a selected part of the database
  • the offset in the ‘Structure offsets’ dialog box can be specified as a decimal or hexadecimal value
Scripts & SDK
  • IDC: loadsym.idc is improved to support VisualAge (thanks to Dietrich Teickner)
  • IDC: #import directive can be used instead of #include
  • + IDC: SegByName() returns the segment selector instead of its base address. The base address can be calculated from the selector by using the AskSelector(x)<<4 expression.
  • IDC: Set/GetFunctionAttr(), SetSegmentAttr() functions are added; existing functions are converted to macros using these new functions
  • IDC: added a comment about the color coding
  • IDC: added a flag to generate HTML files for GenerateFile()
  • IDC: loaddef.idc is donated by Dietrich Teickner; loadsym.idc has also been improved.
  • IDC: long running IDC scripts can be cancelled
  • IDC: optimization: idc.idc is parsed only once at the database loading time (used for inline expressions and the calculator; idc scripts including idc.idc will parse it at each compilation)
  • IDC: ord() function to get code of a character is added
  • IDC: removed the 64K limit for the compiled function length
  • IDC: rotate_left() function to rotate bit field is added
  • IDC: the built-in parser looks for the include files in the directory of the current file as well as in the directory of the main input file for ‘”‘ includes
  • IDC: SegAlign() and SegComb() functions are converted to macros; fixed a bug with SEGATTR_DEF_.. constants
  • SDK: HIGH22 and LOW10 offset types are generalised to be VHIGH and VLOW. The processor module can specify the widths of these fixups in the ph.high_fixup_bits field. Currently they are used in the SPARC and HPPA processors.
  • SDK: NULL value may be passed as the tester function to the nexthat, prevthat functions. It means that any address satisfies the criterium.
  • SDK: PR_FULL_HIFXP is introduced. It means: VHIGH fixup type expects the operand value to be equal to the full address of the target, not only the high bits. Used for HPPA HIGH21 fixup types.
  • SDK: UI list functions (choose(), choose2(), …) now support multiple selection => the delete callback prototype was changed accordingly (older plugins can simply return ‘true’ to remain compatible)
  • SDK: added possibility to pass command line options to plugins (get_plugin_options)
  • SDK: added set/get_idc_func_body() to avoid frequent recompilation of IDC functions
  • SDK: debugger: enable_XXX_trace() functions can now disable tracing but conserve trace-over breakpoints
  • SDK: gen_use_arg_types() is added
  • SDK: lread() function is added; this function should be used in the loaders instead of eread(). The lread() function verifies if the read is ok, if not, it informs the user about it and asks if he wants to continue. If the user does not want to continue, the loader_failure() function is called
  • SDK: regex_match() to match regular expressions is added
  • SDK: removed support for the watcom compiler
  • SDK: set_idc_func() to add/remove IDC functions written in C++
  • SDK: the kernel knows about macroinstructions (cmd.flags |= INSN_MACRO); fixup information for macroinstructions is handled in a special way: partial fixups are combined into one full fixup
  • SDK: AS2_BYTE1CHAR is added: for wide byte processors, one character per byte
  • SDK: added the FILE option to the AUTOHIDE keyword for message boxes, to save hidden message box results to IDAMSG.CFG
  • SDK: get_next/prev_member_idx() functions are added; guess_func_type() understands stacks growing up (not tested yet)
Bugfixes
  • BUGFIX: ‘Attach to process…’ and ‘Detach from process’ commands were sometimes not visible
  • BUGFIX: ‘Change stack pointer…’ command in context menu was sometimes displayed 2 times + we now always display it if Stack pointer is visible
  • BUGFIX: ‘Reset desktop’ command was not resetting settings from default hidden windows
  • BUGFIX: -b command line switch was broken
  • BUGFIX: AMD64 RIP addressing was decoded incorrectly if the second operand of the instruction was an immediate value
  • BUGFIX: ARM thumb BLX direct-addr could not be disassembled
  • BUGFIX: AS_STRINV flag could revert the value of ‘inf.wide_high_byte_first’ if the input string for the get_ascii_contents() function was too long to be stored in the buffer.
  • BUGFIX: C166 exts instruction was not emulated properly
  • BUGFIX: EIP was sometimes not properly invalidated on the screen when the debugger was running
  • BUGFIX: HPPA stack frame is created correctly
  • BUGFIX: IDA could enter an endless loop if a data item with an offset was visible on the screen along this the referenced instruction which was leading to the reanalysis of the data item (in other words, the data item causes the reanalysis of the instruction; the instruction leads to the reanalysis of the data). Scrolling aways from such a place would break the loop.
  • BUGFIX: IDA was loading some elf sections even if the user asked not to load them in the manual mode
  • BUGFIX: IDA would report not enough disk space on Windows98 if started in a directory with a double extension (like c:\dir\4.3.2\)
  • BUGFIX: IDC conditions (for breakpoints and tracing) referencing memory bytes were sometimes not properly evaluated
  • BUGFIX: IDC: ltoa() function was broken
  • BUGFIX: IP view was not properly refreshed if IP was not visible and the user switched between threads with same IP (for example 2 sleeping threads)
  • BUGFIX: Intel 8051: IDA crashes if at the loading time the user clears the “create segments” checkbox.
  • BUGFIX: MC6816 module: offset xrefs were not properly created for some operands
  • BUGFIX: PE loader would crash if only the PE header was loaded into the database and all other segments were skipped; made many PE loader messages hideable
  • BUGFIX: PrevHead() IDC function was returning wrong results
  • BUGFIX: R_PPC_ADDR16_LO relocation type was processed incorrectly for object files
  • BUGFIX: TXT: a segfault could occur after closing the Structures or Enums window
  • BUGFIX: TXT: on Windows 9X, it was not possible to enter some characters (like the @ character by pressing AltGr+Q on a German keyboard) => define the TV_IGNORE_RIGHT_ALT_PRESSED environment variable to let IDA ignore such key combinations on Windows 9X
  • BUGFIX: TXT: segfault when you grab the lower right corner of the disassembly window with the mouse and drag it to the left, shrinking the window (qsnprintf() should never return -1)
  • BUGFIX: an xref window would become empty if a modal window with xrefs to the same ea is opened and closed
  • BUGFIX: better handling of thread suspends/resumes for multi-threaded debugging
  • BUGFIX: closing Enums window by pressing ALT-F3 was causing a segfault
  • BUGFIX: colors of hidden areas were restored incorrectly
  • BUGFIX: column widths for the function list were wrong for 64-bit version
  • BUGFIX: epoc: the export table was located incorrectly
  • BUGFIX: debugger: DLL rebasing was not working properly in some cases
  • BUGFIX: debugger: FPU registers were sometimes not properly printed and detected as modified
  • BUGFIX: debugger: IDA was displaying non-readable memory as 0xFF bytes (for example in PAGE_GUARD and PAGE_NOACCESS pages on Windows)
  • BUGFIX: debugger: a breakpoint at address 0 was added if pressing Enter from the Insert command in the Breakpoints window
  • BUGFIX: debugger: addresses in the Breakpoints list were not properly resolved because lists refresh was initialized before the process was properly suspended
  • BUGFIX: debugger: after a suspend, breakpoint conditions containing registers couldn’t be evaluated properly
  • BUGFIX: debugger: breakpoints were not properly handled during library loading (if ‘Stop on library load’ option was enabled)
  • BUGFIX: debugger: database desktop was sometimes overwritten by debugger desktop when process was not properly stopped
  • BUGFIX: debugger: debugger status in the main window titlebar was sometimes not accurate
  • BUGFIX: debugger: exported names (from loaded DLLs) were sometimes not properly displayed during debugging
  • BUGFIX: debugger: fixed minor disassembly view refresh issues when adding or editing breakpoints
  • BUGFIX: debugger: if a user forced a process termination and a pause request was already pending, the ‘Pause process’ command wasn’t working anymore in new debugger sessions
  • BUGFIX: debugger: in some particular cases, segment reorganisation was not working properly after a debugger event
  • BUGFIX: debugger: it was not possible to add a hardware breakpoint at once from the breakpoints window
  • BUGFIX: debugger: it was sometimes impossible to disable hardware breakpoints at runtime
  • BUGFIX: debugger: the ‘Clear trace’ command was not properly refreshing some information like register views, arrows, …
  • BUGFIX: debugger: the ‘Detach from process’ command was sometimes not properly resuming threads
  • BUGFIX: debugger: thread related segments (stack & PAGE_GUARD) were sometimes not properly named – Segments view was not properly updated in some cases
  • BUGFIX: deleting a record from a non-leave leads to a move of another record from a leave page to the freed place, an underflow occurs in the leave page, some records from the sibling of the underflowed page are moved to it, doing so leads to the modification of another record in the parent page, which leads to the overflow of the parent and the parent gets split. At this moment because of the bug we work with a freed page and the database gets corrupted. A bug with a similar situation had been corrected ten years ago.
  • BUGFIX: disassembly paint function was leaking GDI resources
  • BUGFIX: dsp56k ports are attached to the X space, not P space. dsp561xx: better version
  • BUGFIX: entering a long comment with tabulations could crash ida
  • BUGFIX: fixed a typo in sparc autocomments
  • BUGFIX: get_original_long() was wrong
  • BUGFIX: hardware breakpoint (with a size bigger than 1) background color was not red for additionnal lines (like a multi-line comment)
  • BUGFIX: in navigation bar, it was impossible to ‘Zoom in’ if ‘Zoom out’ was disabled (because maximum range was reached)
  • BUGFIX: in some really rare cases get_next_fcref() could never return BADADDR
  • BUGFIX: increased the width of the segment register window columns to fit narrow register values
  • BUGFIX: it was impossible to rename or double-click on a structure stack variable
  • BUGFIX: it was impossible to use function local vars/args in breakpoint conditions
  • BUGFIX: it was not possible to rename bitfield members from the interface
  • BUGFIX: jump tables were not analyzed correctly after Changelist 979
  • BUGFIX: jump to near addresses (which were not visible on the screen but already cached) was not working anymore, probably since Changelist 2655
  • BUGFIX: maximized windows in a saved desktop were sometimes restored as non-maximized
  • BUGFIX: mc6812 module did not know about the “wavr” pseudo-instruction
  • BUGFIX: mc6812 module was not disassembling “etbl”, “tbl” instructions
  • BUGFIX: multiline instructions were not displayed correctly in the graphs
  • BUGFIX: nextaddr(BADADDR) was returning the first address of the program
  • BUGFIX: number of applied functions of a flirt signature takes into account all functions (before some function types were ignored)
  • BUGFIX: patching bytes during debugging would make IDA memorizes the database was patched
  • BUGFIX: register views creation was sometimes leaking GDI resources
  • BUGFIX: repetitive rebasing of the database might lead to a crash
  • BUGFIX: scroll buttons in IDA view scrollbars were not working properly
  • BUGFIX: scrolling the disassembly view using the mouse whlle with the hex view open could lead to an access violation at the beginning and end of the file
  • BUGFIX: segfault when typing an address into the search toolbar if no disassembly view was open
  • BUGFIX: set_debug_name() might cause an access violation
  • BUGFIX: some PE files with bad relocation table could not be loaded
  • BUGFIX: some Visual Age and GNU C++ names were not demangled correctly
  • BUGFIX: some strings couldn’t be typed in the search toolbar due to auto-completion
  • BUGFIX: text version was not displaying error messages about the configuration file
  • BUGFIX: text version: the disassembly window was not refreshed immediately after renaming a stack variable and similar
  • BUGFIX: the Batch() IDC function does not disable the auto-analysis in TXT version anymore
  • BUGFIX: the elf loader was complaining about unusual usage of relocations for some incorrectly stripped executables
  • BUGFIX: the kernel was not saving the current instruction data before calling ph.create_func_frame(); this might lead to worse analysis (mostly for the arm processor)
  • BUGFIX: tracing: addresses not available in database were not displayed during backtracing
  • BUGFIX: tracing: if ‘Trace over debugger segments’ was enabled, tracing in KiUserCallbackDispatcher() function (used for kernel -> userland callbacks) was sometimes stopping with a “Breakpoint instruction reached (not inserted by the debugger)” message
  • BUGFIX: tracing: if the process is running, tracing is started while EIP is in a debugger segment, and ‘Trace over debug segment’ option is enabled, IDA will not add anymore trace events for these debugger segment instructions
  • BUGFIX: tracing: properly log modified register values over debug segments (when ‘Trace over’ option is active)
  • BUGFIX: unloading some corrupted databases to idc would lead to a crash, now ida should complain and continue
  • BUGFIX: unwanted hint of the address zero was displayed in the stack variables window for the processors with ‘:’ after the data labels
  • BUGFIX: when closing a database, last address in IDA view was sometimes continuously saved on the previous addresses stack
  • BUGFIX: Z80 was not allowing to modify the out, in, and similar instruction operands
  • BUGFIX: creating an item crossing a hidden area boundaries would pose display problems in the future
  • BUGFIX: deleting a structure element at the end of the structure might lead to a wrong display (one superfluous data definition line beyond the end of the structure)
  • BUGFIX: if the ‘Print flow chart labels’ option was enabled, labels without valid names were preceded by a ‘7’ character + IDA now uses the prefix line color for these labels
  • BUGFIX: sometimes the application title was not reflecting the database name correctly
  • BUGFIX: using the navigation band with all IDAViews closed could lead to crashes
  • BUGFIX: when creating a flow graph, local labels were redefined as globals
  • BUGFIX: H8: the ‘@’ character was erroneously highlighted as a valid identifier character
  • BUGFIX: debugger: the destination arrow (green arrow) was not properly updated for JLE/JNG instructions
  • BUGFIX: if the database was created in the directory other than the input file directory, the input file name would be replaced by the database name
  • BUGFIX: it was not possible to search with Ctrl-T after pressing Esc in the Alt-T dialog even if the old search string was existing
  • BUGFIX: the stack tracing could be spoiled if the function end was moved back and forth
  • BUGFIX: when creating a new structure, the proposed structure name was incremented if the Cancel button was pressed
  • BUGFIX: when opcode bytes were displayed with a ‘+’, IDA was not extracting the following name properly (if any) => it was then impossible to change this name
Discontinued
  • OS/2 and DOS4GW versions are discontinued. Please make a backup copy if you plan to use them in the future.