I'm happy to inform you that we are entering the beta stage of IDA v5.4!
In addition to numerous small and not that small improvements, the new version will have three debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though ;))
With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
With gdb, x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine inside VMWare. We tried it iPhone as well. However, while it works in some curcimstances, there were some problems on the gdbserver side.
With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.
The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.
As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc generated binaries, you'll certainly appreciate that IDA handles its weird way of preparing outgoing function arguments. Now it can trace and find arguments copies to the stack with mov statements.
The new IDA will support Python out of box, thanks to Gergely Erdelyi, who kindly agreed the Python plugin to be included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.
We will prepare the detailed list of improvements later this week.
the new version of Interactive Disassembler Pro got released a few days ago (2009/01/29).
here are some highlights of new version:
Three new debuggers We continue to add more debugger modules to IDA and improve the existing ones. This version introduces three new debuggers: bochs, gdb, and windbg.
Each of these debuggers deserve a separate article, so only the most interesting highlights here:
Bochs: can run any 32bit code, from a few instructions to whole operating systems. Just click F9 and immediately switch to running state. In fact, any code snippet can be executed in a safe and user friendly way. With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bon machine emulation mode. Please read more about Bochs plugin here: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
GDBServer: x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine using VMWare.
Windbg: both user and kernel mode debugging are available. IDA can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.
The GDBServer and Windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines very easily.
Better analysis IDA understands GNU-style function arguments (when they are moved onto the stack instead of being pushed). Analysis is more efficient in general and does does fall into the instruction creation/deletion loop. Many FLAIR signatures have been updated and new ones added.
Command line The command line was present in IDA since very long time but it was not turned on by default. This version activates it and empowers it with the following interpreters:
IDC: native IDA language (we added support for global variables) Bochs: to send arbitrary commands to the Bochs debugger GDBServer:to control GDBServer targets Windbg: to access Windbg extensions and kernel information Python : to program IDA in the popular language
The new IDA supports Python out of box, thanks to Gergely Erdelyi, who kindly agreed the Python plugin to be included in the official distribution.
also new version of Hex-Rays Decompiler got out the same date with these changes:
+ added block comments + added support for function comments + added command to hide cast operators from the output (hotkey is \) + added warnings. they can be suppressed by WARNS1 parameter in hexrays.cfg + derived types are saved into the database: now decompilation results should not differ between sessions + improved the speed of batch decompilation: better handling of decompilation queue + references to " r" and " s" special stack frame members are renamed to "retaddr" and "savedregs" + mach-o: __cls_refs and __message_refs sections are handled in a special way + added special handling for elf .got sections + added special handling for mach-o __pointers section + reserved words can not be used as local variable names. the function name is rejected too + if the user requested a bitfield for a constant, use it even if some bits have no corresponding symbolic names; these bits are printed in hex + added rule: *(x+y) => x[y] + sdk: added get_line_item() to facilitate mapping of line items + sdk: added hxe_text_ready and hxe_print_func events bugfix: expressions with pointers to arrays were suboptimal; if such types were used for function arguments, the output would be wrong bugfix: small (4 byte) arrays could be used as scalars in the output, which was wrong bugfix: if instruction bytes were patched without reanalyzing them, the decompiler could interr bugfix: error message for 16bit applications was wrong bugfix: decompiler could create fastcall functions with __int64 register arguments bugfix: tail call to unknown function could lead to interr bugfix: the decompiler could crash in some exceptional circumstances bugfix: fixed a typo that could lead to a crash bugfix: if a funcarg was also represeting the return value, the function prototype could be modified during analysis bugfix: could interr on a linux syscall if it was the last instruction of the function bugfix: if the user modified a structure field type, it would be detected by the decompiler bugfix: mul64 recognizer could create an interr
路过而已
