Highlights

Welcome to IDA 7.4! We are happy to announce that the new version of IDA is available!

Python 3 support

Aspreviously announced, IDA 7.4 comes with Python 3 support out of the box. Since the vast majority of existing scripts and plugins were written for Python 2, it is still supported and remains the default. However, you don't have to be stuck with one version: it is possible to switch between Python 2 and Python 3 and even between different versions of Python 3 without reinstalling IDA.

We have prepareda porting guide for switching to Python 3for anyone who elects to go with Python 3, and might have to do some adjustments to their scripts.

Python 2: 6.95 compatibility APIs OFF by default

IDA 7.4 alsoturns off 6.95 API compatibility by default. We have written aporting guidefor helping with this as well.

New processor modules:

S390(z/Architecture)

New structure editor

Simplified C++ names

expanded GDB support

Tricore, 68K, RH850 are now supported via the GDB protocol. This can be useful for debugging code in a simulator like QEMU or TRACE32.

Decompiler improvements

In addition to the constant improvements to the decompiler engine (seecomparison) we also keep tweaking the UI based on the customers' feedback. Just a few examples from this release:

matching parentheses/brackets are now highlighted in the pseudocode and you can quickly jump between them (default hotkey: '%')

local variable declarations can be collapsed by default

shifted pointerscan be easily created in the "Convert to struct *" dialog

"Global cross-references" list is available in the pseudocode view for structure members and enums (of course, the results will vary depending on how well your database is populated with types). Results are shown as decompiled code lines unlike standard xrefs which show disassembly. The default hotkey is Shift-X.

Complete changelist

Processor Modules

+ 68K: allow using special labels A5BASE and A4BASE for a5- and a4-relative addressing in any file format, not just Palm PRC

+ ARM: add PLDW A32/T32 instruction

+ ARM: add support for A32 and T32 instructions from ARMv8 Cryptographic Extension

+ ARM: implemented ARMv8 FPU instructions for AArch32 state (floating-point conditional select etc.)

+ ARM: implement ARMv8 SIMD instructions for AArch32

+ ARM: ARMv8.1 AArch32 rdma extension support (VQRDMLAH/VQRDMLSH)

+ ARM: assume that BRK stops execution on iOS

+ ARM: support for new A64 switch variation from iOS 13

+ ARM: support AArch64 ILP32 files (A64 code in ELF32 container)

+ PC: added option that controls recognition of thunk functions

+ PPC: added support for Power ISA Version 3.0 B

+ PPC: support switches that use e_slwi instruction

+ PPC: support switches that use 'lr' register instead of 'ctr' for branching

+ S390: new processor module for the IBM S/390 and z/Architecture processors (only ELF format is supported for now)

+ M16C/80: new processor family from the Renesas M16C series

+ R32C: new processor family from the Renesas M16C series

File Formats

+ ELF: added basic support for MSP430 files (no handling of e_flags, no relocations)

+ PDB: automatically fallback to MSDIA for old MSF 2.0 PDB files (Windows only)

+ Amiga: load hunk files to 0x10000 by default since area around 0 is used by the OS

+ MACHO: mark sections of the __DATA_CONST segment as read-only

Debugger

+ DEBUGGER: added support for Motorola 68K processors

+ DEBUGGER: added support for Renesas RH850 processors

+ DEBUGGER: added support for Tricore processors

+ DEBUGGER: GDB: added support for Lauterbach's TRACE32 simulator

+ DEBUGGER: iOS: added support for iPadOS 13

Kernel/Misc

+ kernel: improved data coagulation

+ kernel: improved function recognition

+ kernel: producing HTML will now put the colors in CSS classes rather than hardcoding them for each element

+ kernel: the function with a tail cannot be a thunk function

+ kernel: use NaN, +Inf or -Inf for floating-point numbers

+ kernel: use regular expressions to beautify the IDA names (e.g. STL template names). See cfg/goodname.cfg for details

+ kernel: added new ABI bit ABI_HUGEARG_ALIGN: use natural type alignment for an argument even if its alignment exceeds double native word size

+ FLAIR: PCF: support more TMS320C55 COFF relocations

+ FLAIR: removed support for parsing omf166 files

+ FLIRT: Added signatures for vc1422, vc1423 (Visual Studio 2019.2, 2019.3)

+ FLIRT: Added MFC signatures for vc1422,vc1423 (Visual Studio 2019.2, 2019.3)

User Interface

+ ui/qt: added "Clone" command to the "Execute script" widget

+ ui/qt: added get_custom_viewer_location() to retrieve locations that are suitable to be used with custom_viewer_jump()

+ ui/qt: added user-contributed 'darcula' theme

+ ui/qt: mouse Ctrl+clicking in the navigation band will cause IDA to add an entry to the navigation history

+ ui/qt: mouse Shift+clicking in the navigation band will cause IDA to select text in the disassembly listing

+ ui/qt: pressing <Alt+Enter> in choosers with addresses will jump to that address in a new disassembly view

+ ui/qt: refactored both the "Edit", and the context menu for setting custom data types and formats

+ ui/qt: the 'Colors' dialog now provides an "Apply" button, making it easier to see the real impact of changes on the application's widgets

+ ui/qt: Local Types editor now shows sizes and offsets of structure and its fields during editing

+ ui: by default do not ask for a confirmation of actions which can be easily reverted by Undo, e.g. ('detach function tail', 'Undefine' and 'Set function end').

+ ui: log "Don't display this message again" messages into the Output Window

Scripts & SDK

+ IDAPython: added support for Python 3.x (default is still 2.7)

+ IDAPython: Python script and plugin samples are now shipped with IDA in "python/examples" subdirectory

+ IDAPython: added an example how to use show_wait_box()/hide_wait_box()

+ IDAPython: exposed place_t::serialize() & place_t::deserialize()

+ IDAPython: the IDA < 7.0 compatibility layer is now turned off by default; please seeherefor more information

SDK: added HIF_NOCASE to set_highlight() for programmatically setting a case-insensitive highlight.

Decompilers

+ hexrays: added 'show global xrefs'; it works for struct and enum members

+ hexrays: added support for highlighting matching parentheses pairs

+ hexrays: added shortcut "%" to jump to the matching parenthesis or (curly/square) bracket in the pseudocode window

+ hexrays: added config var COLLAPSE_LVARS to collapse local variables declarations by default

+ hexrays: added support for the "format" attribute when parsing ellipsis args for called functions

+ hexrays: added support for _m_prefetch, _m_prefetchw intrinsics

+ hexrays: added support for the _InterlockedCompareExchange64 intrinsic

+ hexrays: added support for more software floating-point helpers (floatdidf etc.)

+ hexrays: try to automatically convert numbers to symbolic constants in expressions involving enum types

+ hexrays: better removal of the references to __security cookie

+ hexrays: create arrays more agressively using heuristic rules

+ hexrays: now we try to rename the variables that receive the return value of GetProcAddress

+ hexrays: decompiler may automatically create variable mapping in simple cases (e.g. for copies of input arguments)

+ hexrays: sdk: added DECOMP_ALL_BLKS to include unreachable blocks in the microcode

+ hexrays: sdk: added modify_user_lvar_info()

+ hexrays: stop hiding read accesses to fs:0

+ hexrays: user may enter pointer shift delta in "Convert to struct *..." action to prepare the shifted pointer

+ hexrays: x86: int 3/__debugbreak() now only stops execution flow in case it happens in disassembly (controlled by the "Analyze int 3 instructions" processor-specific options)

BUGFIXES

BUGFIX: 6816: IDA could crash when opening saved IDBs for the 6816 processor (and potentially some others)

BUGFIX: ARC: function arguments initialized in delay slots were not commented properly

BUGFIX: ARM64: in some cases invalid instructions could be erroneously decoded as SMOV/UMOV

BUGFIX: ARM: analysis could loop endlessly if a location could be interpreted as both an offset and an OWORD. This was common in iOS 13.1 kernelcaches.

BUGFIX: ARM: registers S0-S31 could not be used in __usercall function prototypes

BUGFIX: EBC: IDA could fail to disassemble some EBC instructions

BUGFIX: M16C: PUSHC instruction was not changing the stack pointer value as it should

BUGFIX: MIPS: ABI selection could be set incorrectly on reopening a saved database

BUGFIX: MIPS: mftr/mttr instructions could be decoded incorrectly

BUGFIX: MSP430: function flow graphs were wrong because call instructions were not marked as such

BUGFIX: MSP430: instructions with .rpt prefix could not be decoded

BUGFIX: MSP430: suba and incda instructions were not handled properly when tracking SP changes

BUGFIX: PIC16: relative jump/call destination address was being truncated to 16 bits

BUGFIX: PPC: fixed incorrect value of LR after the VLE call in the regtracker

BUGFIX: PPC: ida was creating 16-bit stack variables instead of 8-bit stack variables in some cases; the difference in the listings is very minor

BUGFIX: DWARF: IDA could fail to determine the proper type for some prototypes arguments

BUGFIX: DWARF: IDA could INTERR with code 30304 with certain types of constructs in the debug information

BUGFIX: PDB: IDA could crash when parsing a debug entry with size 0

BUGFIX: PE: IDA could complain about "invalid unwind data" in valid files (such as Windows kernel)

BUGFIX: SWIFT: IDA would fail to demangle names with "j_" prefixes and "_N" suffixes

BUGFIX: DBG: gdb: check for network error when setting the resume mode

BUGFIX: DBG: ios,xnu debuggers used incorrect flag names for arm64 CPSR register

BUGFIX: DBG: linux_server could crash (nullptr dereference) because of a malicious client

BUGFIX: DBG: linux_server would crash if a malicious copy of ida would send 'close_file' request on an unopened channel

BUGFIX: DBG: malicious copy of ida could crash the debugger server

BUGFIX: DBG: password protected debug server could crash if a malicious copy of IDA was sending a packet without a password

BUGFIX: kernel: IDA (32-bit) could hang when analyzing data close to the maximum address (0xFFFFFFFF)

BUGFIX: kernel: IDA could generate too many empty lines for an unnamed entry in a special segment

BUGFIX: kernel: IDA could truncate Delphi strings representation

BUGFIX: kernel: now we delete info about patched bytes when segment bounds were changed and addresses disabled

BUGFIX: kernel: on an updgrade from a pre-7.0 database, Unicode strings in structures would be converted incorrectly

BUGFIX: kernel: saving more than 65535 segment selectors was impossible

BUGFIX: idat: cursor was positioned wrongly on a chooser line when using fast search

BUGFIX: idat: disassembly listing was not refreshed after changing the listing options

BUGFIX: idat: ida was truncating the beginning of all too long names in choosers, but this logic should be applied only to file paths

BUFGIX: UI: "Switch debugger" dialog would not show up if only one debugger was available for current database (in fact it can be also used to set "No debugger" as the default)

BUGFIX: UI: the Functions window could reload unnecessarily when dealing with collapsed functions

BUGFIX: ui/qt: "hints" background color, and "highlight" color were not converted from IDA 7.2's registry to IDA 7.3 CSS

BUGFIX: ui/qt: chooser actions would not be updated when context menu was invoked

BUGFIX: ui/qt: depending on where the cursor was placed on a line, switching to the graph view could cause an animation to be triggered, even when not justified

BUGFIX: ui/qt: double-clicking on an entry in "Local types" to synchronize it with the IDB, was not undo-able

BUGFIX: ui/qt: dragging around a widget that was previously in a splitter could crash IDA

BUGFIX: ui/qt: file dialogs were broken for ida64.app on macOS 10.15

BUGFIX: ui/qt: IDA could crash when "IDA View-A" and "Pseudocode-A" were synchronized

BUGFIX: ui/qt: IDA could crash when switching desktops

BUGFIX: ui/qt: IDA could sometimes hang upon "Desktop reset"

BUGFIX: ui/qt: in the "Output window" Ctrl+Left/Right was not navigating through words as it should have

BUGFIX: ui/qt: initial autoanalysis could take significantly longer than in previous versions of IDA, for the same file

BUGFIX: ui/qt: on OSX IDA could crash if very fast drag & drop operations were performed on tabbed widgets

BUGFIX: ui/qt: snippets view: we have to save the current script before running it, otherwise undo will destroy it

BUGFIX: ui/qt: The color buttons could be missing a 'reset' companion button once a color was set

BUGFIX: ui/qt: The "Load file" dialog could be misplaced, especially when opening a new file in an existing IDA instance.

BUGFIX: ui/qt: the "Output window" could jump to the wrong place when navigating to the end, or when selecting (and with long lines, the problem was even more visible)

BUGFIX: ui/qt: the "Output window" could jump when selection was going beyond bounds

BUGFIX: ui/qt: the "Output window" would always come up visible after restoring a desktop where it was not visible

BUGFIX: ui/qt: the dark theme would cause regular tabular views to hide their vertical header (on the left)

BUGFIX: ui/qt: undoing an action would erroneously reset the navbar zoom level

BUGFIX: ui/qt: when creating choosers, IDA could ignore some columns properties in case the chooser was modified earlier and the database was saved

BUGFIX: ui/qt: when creating modal choosers, IDA could miscompute the best size, and make a horizontal scrollbar visible even when not needed

BUGFIX: ui/qt: when docking widgets around, it could happen that some widget end up unexpectedly scrolled to the right

BUGFIX: ui/qt: when selecting with the mouse in the "Output window", the cursor wouldn't scroll the view if the selection was going out of the viewport

BUGFIX: ui/qt: IDA would unnecessarily ask for Accessibility permissions on OSX 10.14 Mojave

BUGFIX: ui: after returning a borrowed license, IDA would complain about a failure to connect to the license server; change behavior so that IDA exits immediately after returning the license (since it doesn't have a license anymore)

BUGFIX: ui: clicking "OK" instead of using Enter when trying to detach a function chunk with multiple parents would not work

BUGFIX: ui: signed enums members were printed as unsigned numbers in the Enums window

BUGFIX: IDAPython: in custom graphs, it was impossible to reset the selection

BUGFIX: IDAPython: do not trigger the "Running Python script" wait dialog when the script itself has already called show_wait_box()

BUGFIX: IDAPython: GraphViewer.SetNodeInfos could trigger errors if the 'node_info_t.ea' field was not set

BUGFIX: IDAPython: keeping references of the type field of udt_member_t could crash IDA

BUGFIX: IDAPython: mbl_array_t.deserialize() was unusable

BUGFIX: IDAPython: some return types in the SWiG-generated docstrings were wrong

BUGFIX: IDAPython: using argloc_t::consume_scattered() could crash IDA

BUGFIX: IDAPython: when some attributes were missing from a ida_kernwin.Choose instance, the Show() method could return -1 without indicating what the error was

BUGFIX: IDC: idc.idc had wrong definitions of dt_ldbl, dt_byte32, dt_byte64

BUGFIX: hexrays: an explicitly unsynchronized "Pseudocode" view, could re-synchronize itself with a "IDA View-A" the next time <Tab> was pressed (if PSEUDOCODE_SYNCED was set to YES)

BUGFIX: hexrays: arm: fixed incorrect decompilation of CDP, CDP2 instructions (CRd was erroneously represented as Rd in the intrinsic function call)

BUGFIX: hexrays: arm64: fixed incorrect translation of instruction CSINV

BUGFIX: hexrays: decompiler could crash when browsing the pseudocode

BUGFIX: hexrays: decompiler could erroneously convert into _cdecl functions with scattered register arguments

BUGFIX: hexrays: fixed a division by zero

BUGFIX: hexrays: fixed interr 50194 (happened when a shifted pointer is a member of a structure)

BUGFIX: hexrays: fixed mbl_array_t serialization bugs

BUGFIX: hexrays: fixed the value of the 'ea' field of some cexpr_t objects

BUGFIX: hexrays: hxe_curpos was generated too early, and 'vdui_t::cpos' could hold outdated information

BUGFIX: hexrays: in some cases inlined 'strcpy' could be incorrectly combined on Big Endian platforms

BUGFIX: hexrays: in some cases the switch value was miscalculated

BUGFIX: hexrays: leave 64-bit negated constant as is, output it as unsigned

BUGFIX: hexrays: some undefined variables were not marked as such

BUGFIX: hexrays: when using Hexrays_Hooks, returning code 2 from 'create_hint' (to instruct the decompiler to append its own hints) would fail to display any hint at all in case the decompiler didn't add its own

BUGFIX: hexrays: some push/pop sequences could be wrongly optimized away