Hex-Rays IDA Pro

Debugger:

• Improved macOS 11 kernel debugging

MACHO:

• Improve handling of threaded pointers in iOS kernelcaches
• Support symbolication of macOS11 kernelcaches that link against the boot/sys kext collection. see BOOT_KC_PATH in macho.cfg for an overview

Bugfixes:

• 78K0S: opcode D5 was incorrectly decoded as INC (should be DEC)
• A crafted IDB file could trigger a use-after-free in IDA
• Chooser: the ui_get_chooser_item_attrs event was called with the wrong CHOOSER argument
• Cloning script snippets could corrupt the database
• Debugger: ios debugger was broken on iOS14
• Debugger: ios debugger could fail to fetch the process list on iOS 14
• Debugger: mac/ios/xnu debuggers would create tons of meaningless debugger segments
• Debugger: mac debugger could fail to load symbols from system dylibs
• Debugger: PIN: get rid of warning “Unexpected addrsize of the debugged program”, permit remote PIN to be started by Debug->Attach
• Debugger: linux: debugger could interr when handling program with many short-lived threads
• Debugger: xnu debugger would fail to demangle c++ names after attaching with an empty database
• Decompiler: “create new struct type” could generate a new struct type with forbidden characters, like <
• Decompiler: “push esp/pop reg” was decompiled incorrectly
• Decompiler: automapping variables was too aggressive in some cases
• Decompiler: changing the type of a structure field would cause the loss of the __cppobj attribute
• Decompiler: decompile() would crash if asked to decompile an unexisting function (nullptr)
• Decompiler: fixed a crash on corrupted idbs
• Decompiler: fixed false alarm ‘ignored garbage at the end of the blob…’
• Decompiler: fixed interr 50902
• Decompiler: in some cases the action “Reset pointer type” was not working (had no effect)
• Decompiler: in some cases the decompiler would add a suffix to the user-defined names (myvar->myvara)
• Decompiler: jumping to the pseudocode from another window (for example, from the local types) would fail to activate the window in some cases
• Decompiler: on macOS, the decompiler would use shortcut “Ins” instead of “I” for the “Edit block comment” action
• Decompiler: PPC: if addresses are subtracted assume that the size is being calculated
• Decompiler: renaming a structure field would cause the loss of the __cppobj attribute
• Decompiler: some xrefs to enum members would be missed by Ctrl-Alt-X
• DWARF: IDA could try to allocate too much memory on corrupted files before dying with out-of-memory error
• DWARF: The DWARF plugin could crash IDA (null pointer dereference) with some specially-crafted files
• DWARF: The DWARF plugin could INTERR with specially crafted files
• DWARF: The plugin could cause IDA to crash (stack exhaustion) with some specially crafted input files
• DWARF: The plugin could loop (seemingly) endlessly when encountering a DW_TAG_namespace with a (broken) name whose first character is ‘#’
• DWARF: The plugin could perform a use-after-free during stack unwinding, on some DWARF input files
• DWARF: The plugin could perform a use-after-free on some specially crafted files
• DWARF: validate size of compressed sections before trying to load them
• IDA could complain about “corrupted database” (bad srrange) when opening a rebased and saved database
• IDA could crash when loading a corrupted elf file
• IDA could crash when parsing corrupted PDB files
• IDA could crash when performing certain manipulations with script snippets
• IDA could crash when restoring function information from a corrupted database
• IDA could endlessly loop on some corrupted idbs
• IDA could fail with internal error 20078 on corrupted ELF files
• IDA would crash when loading an ARM64 driver if the default debugger was set to windbg
• IDA would try to allocate huge amount of memory when loading a corrupted elf file
• IDAPython: IDA could exit silently on startup if the Python runtime called exit() during initialization
• IDAPython: ida_bytes.bin_search documentation was lacking
• IDAPython: ida_bytes.next_visea, ida_bytes.prev_visea were not available
• IDAPython: ida_ida.AF_FINAL had value -0x80000000 instead of 0x80000000
• IDAPython: ida_name.MNG_* and ida_name.MT_* values were not exposed
• IDAPython: ida_search.SEARCH_UNICODE was not available after IDA 7.0, while ida_search.find_binary() still is
• IDAPython: if a ‘nav colorizer’ would return a long that couldn’t be converted into 32-bits, IDA would fail reporting the issue in a timely manner, leaving it for later Python code to fail
• IDAPython: internal error 30615 could happen if Python intialization failed
• IDAPython: using ida_kernwin.choose_find() with a non-IDAPython chooser, would crash IDA
• IDAPython: when using Python 2, scripts with magic ‘encoding’ comment could fail to run
• INTERR 1983 could happen in some situations after rebasing
• LUMINA: fixed “Unsupported OpenSSL version” error on macOS11
• Modifying an attribute of a function argument (e.g. adding __hidden) would be saved in the database but would not be immediately reflected in the disassembly
• On windows idat would let the operating system to handle some Ctrl- keys, rendering them unusable in IDA
• Opening IDA without an IDB and opening the script snippets dialog, and then loading an IDB with snippets, would fail to properly load that database’s snippets
• PC: changes in processor specific options were not undone upon Ctrl-Z
• PC: parse_reg_name() could return wrong register types for XMM/YMM/ZMM registers
• PC: some FMA instructions were not decoded in 32-bit mode
• Rebasing the program by an odd number of bytes was not forbidden (and led to problems later)
• Renaming a local type by pressing F2 would lead to its removal from all use sites
• Searching for all occurrences of a byte sequence would not work without an open disassembly view
• Types: creating a c++ structure with a __vftable member in the struct view was not marking the structure as having vftable; only doing so from local types was working
• UI/QT: during auto-analysis, typing in the quick filter (e.g., in the ‘Functions window’) could result in loss of certain characters
• UI/QT: hiding columns when in ‘folders’ mode wouldn’t work
• UI/QT: if entries in the “Structures” or “Enums” widgets were sorted, scrolling by using the scrollbar would jump over some entries
• UI/QT: renaming folders in the “Local types”, would show the editor on the wrong cell (in the ‘Name’ column, even though the folder name is in first column, named ‘Ordinal’.)
• UI/QT: right-click would crash IDA on macOS11 beta7 and later
• UI/QT: the “Command palette” could refuse to keep the user selection, making it hard to use
• UI/QT: the decompiler action “Jump to local type” could fail to select the proper type when the “Local types” view was sorted
• UI/QT: when searching for text in sorted folders views, IDA could loop endlessly
• UI/TXT: it was impossible to “Import” snippets in the ‘Script snippets’ dialog
• UI: Alt+T/Ctrl+T searches in tabular/tree views, wouldn’t wrap around as they should
• UI: choosers starting in “folder” mode, might not have the user-desired sizes for columns
• UI: Cmd+M would not minimize the IDA window on macOS, per convention
• UI: debugger stack view could display values with wrong bitness (e.g. 32-bit values for 64-bit programs)