IDA: What's new in 6.9

Welcome to IDA 6.9!
Below are the highlights:
• The biggest news is the ARM64 decompiler, a long awaited tool. We are proud that it works well and can handle floating point and even some NEON instructions.

• We reworked the way we handle the navigation in the user interface and many related things. Now it is possible to synchronize between views, use the navigation history in structure and enum views, etc. Overall the user interface is more responsive.
• Our oldest processor module, for x86, got improved to decode many new fancy instructions.
• We switched from PySide to PyQt; from Qt4 to Qt5; from VS2010 to VS2015.
All these changes are mostly internal but using newer libraries and development tools should improve your experience with IDA.

Complete changelist

Processor Modules
65816: many improvements
ARM: implemented reading of vfp registers for arm remote servers
ARM: implemented calculation of function argument locations for aarch64
ARM: improved register tracking
ARM: added support for security_push/pop_cookie functions (thumb mode)
ARM64: added support for varargs in non-framed function
PC: improved detection of function boundaries in PE+ files with unwinding metadata (.pdata section)
PC: added AVX comparison pseudo-ops
PC: added decoding of AVX-512 extensions
PC: added decoding of MPX extensions
PC: added decoding of SGX extensions
PC: added decoding of SHA extensions
PC: added decoding of XOP extensions
PC: added decoding of CLFLUSHOPT, CLWB, and PCOMMIT instructions
PC: added decoding of PREFETCHWT1 instruction
PC: added decoding of RDPKRU and WRPKRU instructions
PC: added decoding of XRSTORS, XSAVEC, and XSAVES instructions
PC: added support for switch patterns from more recent versions of clang
PC: added support for switch patterns from llvm-gcc
PC: improved prolog analysis
PIC18: added support for PIC18F2682/2685/4682/4685 devices
PPC: added support for PPC SystemV EABI and PPC64 AIX and SystemV ABIs
PPC: improved handling of function arguments
PPC: improved naming of stack variables
PPC: improved tracking of SP register
PPC: added support for memory mapping
MIPS64: convert standard sequences (lui, ori, li, etc.) to dli macros
SH4: improved switch recognition (thanks to Zak Escano!)
SNES: improved loader, and included snes's spc loader. Thanks, Gocha
SPC700: new processor module for the Super Nintendo SPC700. Thanks, Gocha
avr.cfg: added description of ATmega644p (thanks to Aliaksandr Chailytko)

File Formats
DWARF: Environment variable IDA_NORELOC will be honored by the plugin, and no relocations will be performed in the DWARF sections (can be useful for VxWorks-produced binaries.)
ELF: added AArch64 relocations
ELF: improved detection of truncated files
ELF: tweaked analysis options a bit (added AF_PURDAT)
MACHO: small improvement for parsing Swift metadata
MACHO: support for OSX apple-protected binaries (at least for versions 10.6 - 10.11)
PE: improved parsing of CFGuard function tables (additional flag bytes are now recognized and skipped)
PE: unnamed export entries are no longer given a dummy name in the Exports window
PE: when using manual loading, it is now possible to use the "don't show again" checkbox to load (or skip) all subsequent sections at once
PE: print the PE timestamp in the file's info comment
.net: we use our own file parser on all platforms, including Windows
uimage: add support for images that use gzip compression

Debugger
added support for ARM64 Android binaries (android_server64)
mac_server now supports codesigning to avoid having to run it as root. It can be codesigned just like gdb
GDB: allow for additional features in the XML sent by the remote stub
GDB: allow the user to specify additional/custom register layouts using the config file and XML target descriptions
GDB: added support for x64 targets

Kernel
IDS: MS Windows IDS files have been updated to Windows XP SP3
IDS: added Windows 7 sp1 x64 IDS files
IDS: update wince/arm/coredll.idt with some missing ordinals
TIL: support for type definitions that have long names (> 512 characters)
added DEMNAME_FIRST config parameter (if both a type and a demangled name are present, it selects which one is shown)
added STORE_USER_INFO config parameter; if turned off, info about the database creator will not be stored in the database
added a config option XREF_CACHE_LIMIT to limit memory usage of the cross-references cache. This allows analyzing huge files in IDA at the cost of some slowdown
added signatures for ICL15
added signatures for VC12 (VS2013) and VC14 (VS2015)
added signatures for Embarcadero RAD Studio xe5 to xe10 Update 1
improved sigmake collision detection
improved sigmake speed
added support for Linux syscall-based system calls
any directives of any configuration file can be overridden by user-specified files placed in %IDAUSR%/cfg/
IDA doesn't recognize the IDAPLG environment variable anymore: the more versatile IDAUSR should be used instead
IDAUSR environment variable can hold more than one path; the paths are searched in order when looking for files
databases can be uploaded to Hex-Rays' web server in background
demangler: added support for __vectorcall, __clrcall
improved analysis speed of some obfuscated files
pelf: Added support for AARCH64 (ARM64)
added more noreturning function names

User Interface
ui: added functionality to synchronize between user-specified viewers
ui: added syntax highlighting for IDC and Python
ui: added support for multiple keyboard shortcuts per action
ui: "search all" can now be used in "Structures", "Enums", and any user-created viewer
ui: proximity view: double-clicking on an edge will take you to the node at the other end of the edge
ui: proximity view: it is now possible to see details about paths, and copy their information
ui: traced instructions are now highlighted in debug mode
ui: Ctrl+DblClick on a name in the IDA view opens the target in a new view
ui: added syntax highlighting to the Import/Export colors dialog, and reset it when the "Reset" button is pressed
ui: Listing views (IDA View-A, Structures, Enumerations, ...) can now be scrolled horizontally with 2-finger scrolling (e.g., on trackpads), or by using Alt+ on Windows.

Scripts & SDK
IDC: added PrintLocalTypes()
SDK: added PR_OUTER that must be specified for processor modules that support outer operands
SDK: event hooks: changed the way new event listeners are registered. New listeners are now appended to the end of the list and therefore receive events last. This should lead to better logic, because usually the UI and the processor module are hooked first, and only then plugins; it means that the processor module and the UI will be the first to react to events
SDK: functions to retrieve the input file size
SDK: functions to calculate/retrieve the SHA256 hash of the input file
SDK: introduced the notion of 'ABI name' in IDA; it can be set using set_compiler2() function; processor modules are in general responsible for recognizing it and setting up various config bits in IDA accordingly
SDK: added new flag: SETMENU_FIRST: add item to the beginning of menu (to be used in attach_action_to_popup)
IDAPython: IDP_Hooks, IDB_Hooks, UI_Hooks & DBG_Hooks are now automatically generated from the list of notifications in the corresponding .hpp headers
switched from PySide to PyQt

BUGFIX: 'user-defined offset' dialog was broken if custom offset types were present (for tricore, for example)
BUGFIX: 64-bit ARM branch addresses to missing addresses would be truncated to 32 bits in the output
BUGFIX: 64bit mach-o loader: incorrect handling of PRELINK_INFO
BUGFIX: ARM: GCC Thumb1 compressed switches that used the __gnu_thumb1_case_si helper were handled incorrectly
BUGFIX: ARM: incorrect calculation of locations for some big function arguments caused interr 50904 in decompiler
BUGFIX: ARM: incorrect disassembling of instructions FMAXV, FMAXNMV
BUGFIX: Automatic snapshot flag was not stored in snapshots of newly created databases
BUGFIX: DOS loader would accept an input file simply because it had a .exe extension
BUGFIX: COFF: parsing files with empty string tables was broken
BUGFIX: DWARF could fail with some complex ARM ADS 6.x-generated DWARF files
BUGFIX: DWARF relocations to '.debug_*' sections were erroneously handled
BUGFIX: DWARF: badly-broken files with corrupt .debug_abbrev sections could cause the DWARF plugin to segfault (NULL-pointer dereference.)
BUGFIX: DWARF: GCC-produced DWARF type information whose name is "__int128 unsigned" wasn't properly sanitized
BUGFIX: DWARF: Unexpected structuring of complex types in ADS-produced binaries could cause the DWARF plugin to INTERR
BUGFIX: DWARF: some llvm7-generated construct could cause the plugin to INTERR
BUGFIX: During auto-analysis, don't rename stack locations of function F, if those names would conflict with register aliases within function F
BUGFIX: During debugging, it was impossible to set flag registers individually
BUGFIX: During debugging, when the user is asked for a mapping path, and presses 'Esc' to set it as ignored, and 'Esc' again to dismiss the 'Mappings' dialog, the path that would be ignored was that of the file, not that of the directory containing the file
BUGFIX: During debugging, when the user is initially asked for a mapping, he/she couldn't add another right after that, before dismissing the 'mappings' dialog
BUGFIX: ELF: IDA would refuse to load files with non-PT_LOAD segments lying outside of the file
BUGFIX: Exporting module-relative breakpoints to IDC wouldn't properly escape '\' path elements separators
BUGFIX: FLIRT: parsing of Watcom OMF libraries was broken
BUGFIX: Fixed binary search. The dialog can now also be used to search for any input value up to uint64 in size, in big or little endianness, for any byte size (8-, 16-, 24-, 32-bit)
BUGFIX: For 64-bit binaries, IDA could display truncated values in special segments (e.g., 'extern', 'abs', ...)
BUGFIX: IDA could abort with interr 1226 when repairing a corrupted database
BUGFIX: IDA could corrupt old databases when upgrading pages containing long (size>255) keys
BUGFIX: IDA could crash during debugging, when asked for a binary path mapping, if the user chooses to add yet another mapping but leaves it empty
BUGFIX: IDA could crash on osx when trying to clear the message window while the focus is in the script snippet window
BUGFIX: IDA could crash when zooming out of proximity view
BUGFIX: IDA could erroneously report 'database bitness differs from debugged application bitness' when attaching to a process in batch mode
BUGFIX: IDA could interr when passing 0 as the bufsize parameter to tag_remove()
BUGFIX: IDA could not create a 32-bit flat offset inside of a 16-bit segment in some cases (by default IDA creates seg:off pairs for 16bit segments)
BUGFIX: IDA could not load dwarf debug info for a module when remote debugging
BUGFIX: IDA could show the wrong value of an FPU/XMM register operand in hints
BUGFIX: IDA was not able to jump to a secondary IDA View, Hex View or Pseudocode window from search results, in case the last-visited view was closed
BUGFIX: IDA was unnecessarily acquiring the Python GIL in a callback called by the kernel, resulting in a significant slowdown on mac
BUGFIX: IDA would fail to load PDB symbols for .pdb files selected via the file browser
BUGFIX: IDA would reject the names of some types from newer windows executables
BUGFIX: IDAPython couldn't set the language of a breakpoint condition, and thus couldn't express conditions in other languages than IDC
BUGFIX: IDAPython's get_idasgn_desc() did not return the number of matches. Added get_idasgn_desc_with_matches()
BUGFIX: IDAPython's get_member_by_fullname() was not usable, and only 1 variation of get_member_by_id() was usable
BUGFIX: If the IDA View was in graph mode before starting a debugging session, it wouldn't be restored to graph mode after the debugging session ends
BUGFIX: In 64-bit IDA, IDAPython would fail to generate proper wrappers for the objects returned by calc_switch_cases()
BUGFIX: In case a "Fat" Mach-O file had 2 versions of the _same_ architecture (e.g., ARMv7 & ARM64), the DWARF plugin could attempt loading the wrong one
BUGFIX: In the "Function calls:" window's "callers" part, the address of the call instruction would be printed twice, instead of having the address only once and then the function name
BUGFIX: JumpOpXref was not working on a name with forbidden (non-identifier) characters if pressed on the name at the beginning of the disassembly listing
BUGFIX: LX: loader could return garbage data for packed pages
BUGFIX: Leaving a mark, and then right-clicking on the address of an instruction could cause IDA to INTERR with the code 520
BUGFIX: Loading an additional non-IDS/IDT file could cause IDA to INTERR
BUGFIX: PC: fixed VSIB index registers
BUGFIX: PC: fixed operand size for scalar FMA instructions
BUGFIX: PDB: Remote PDB could return garbage data on unix
BUGFIX: PIN, instant debugging mode: module could report incorrect process bitness after attaching
BUGFIX: PIN: in some cases IDA could not suspend running process
BUGFIX: PIN: pintool could hang on a multithreaded windows application (race condition)
BUGFIX: PIN: pintool did not suspend application before reporting PROCESS_ATTACH event to IDA
BUGFIX: PIN: pintool reported broken module name with PROCESS_ATTACH event
BUGFIX: PPC ddedpd, ddedpdq, denbcd, denbcdq opcodes were not properly supported
BUGFIX: PPC: IDA did not display the function stack frame correctly
BUGFIX: Pressing Home/End when in the "quick filter" of a chooser will move the cursor to the beginning or the end of the filter line, instead of scrolling the list of items to the beginning or the end
BUGFIX: RVCT-produced DWARF info with duplicate typedefs could cause issues in the DWARF plugin
BUGFIX: Selecting an area, pressing 't' to choose between matching structs (or almost-matching structs), and requesting to "Add missing fields" to a struct that would otherwise match, could crash IDA
BUGFIX: Setting NLSPATH to a very large value could cause IDA to crash at startup
BUGFIX: Setting a module-relative breakpoint, without specifying the module name, could crash IDA at database-save time
BUGFIX: Shift+Up/Down/PageUp/PageDown when modifying the quick filter of a chooser wouldn't add rows to the selection but rather clear the selection, and select only 1 item
BUGFIX: Some ARM ELF relocations (R_ARM_CALL, R_ARM_JUMP24, ...) could be incorrect
BUGFIX: Some PPC opcodes were causing IDA to exit with interr 10185
BUGFIX: The DWARF plugin could fail loading GCC 3.3.3-produced UDTs with declared-only inherited types
BUGFIX: The DWARF plugin could fail spotting colliding typedefs in clang-produced DWARF information
BUGFIX: When exporting types, IDA could crash after trying to forward declare a non-local type
BUGFIX: When failing to update a breakpoint's size/type through update_bpt(), IDA could leave the breakpoint in a state preventing it from being usable anymore
BUGFIX: When making code, if segments had to be adjusted, IDA could crash because of recursive calls to generate_disassembly()
BUGFIX: When selecting negative "standard constant" enumerators, IDA could display the operand as a faulty number, instead of as that symbolic constant
BUGFIX: When the start address of a function with chunks was changed, the "owner" and "referers" fields of the function tails were not updated and could hold the address of a non-function area. In this case any modification of the function using ScreenEA from the tails' range failed. The problem is solved by fixing the "owner" and "referers" of the tails using the new start ea of the function
BUGFIX: Win32 debugging: EIP could be left in the middle of an instruction in some cases when a step over/into an x86/x86_64 callgate (i.e., system call) was requested, and that callgate called back into user code, hitting a breakpoint
BUGFIX: __declspec(align(x)) was parsed incorrectly in some cases
BUGFIX: alignment for complex situations like "void (***func[])()" was not parsed/printed correctly
BUGFIX: aloc_visitor_t could not be fully utilized from idapython
BUGFIX: area_visitor2_t could not be fully utilized from idapython
BUGFIX: c166: Fixed IDA crash if a bad cc code for the jmpr, jmpa, calla, jmpi, calli instructions is stored in the database
BUGFIX: calling QTime::elapsed() from idleEvent() would significantly slow down analysis time on mac
BUGFIX: checking for the new versions the second time could fail
BUGFIX: coldfire: ida was decoding illegal addressing modes for the move instruction
BUGFIX: copying from custom views to the clipboard was broken
BUGFIX: dbg: dalvik: the unregistered request for deferred breakpoint prevented the debugger detach
BUGFIX: dbg: fixed wrong 64-bit address truncation to 32-bit
BUGFIX: dbg: win32: dirty memory block was returned in memory info
BUGFIX: debugger: fixed interr 1203 which could happen in presence of DLLs with very long (>1024 bytes) export names
BUGFIX: defining a new structure or enum in the presence of a forward declaration would change the ordinal number of the forward declaration
BUGFIX: ebc: fixed some wrong references and exceptions
BUGFIX: error color was printed as blue when generating html files
BUGFIX: exception code was displayed incorrectly in the 'edit exception' dialog
BUGFIX: fixed handling of empty structs: ida was considering them to be 1-byte size while gcc treats them as 0-byte size
BUGFIX: fixed interr 1060 which could occur if the target compiler was not set
BUGFIX: fixed interr 40178
BUGFIX: fixed interr 50295
BUGFIX: fixed interr 984 which could occur during importing pdb files
BUGFIX: fixed memory corruption (seemingly without any consequences) made by askstr()
BUGFIX: floating point operands of data items would be printed incorrectly for big endian processors
BUGFIX: gdb: 64-bit debuggers were using 32-bit register layouts
BUGFIX: hcs12x: Fixed instruction opcodes for xgate instruction set (sub and sbc instructions and their aliases were swapped)
BUGFIX: highlighting and scrolling could be sluggish in the disassembly views, especially on osx
BUGFIX: ida could crash if the user closed the database and terminated the debugger session at once (only in some rare circumstances)
BUGFIX: ida could crash on some corrupted 64-bit PE files
BUGFIX: ida could crash when deleting a segment
BUGFIX: ida could fail with "rpc timeout" if the debugger server was trying to print while ida was waiting for debug events
BUGFIX: ida could hang trying to display nested varsize structs in the middle of a struct (where they do not make sense)
BUGFIX: ida could interr with code 1006 when deleting local types
BUGFIX: ida could not parse some nested types (like type1::type2 inside a struct)
BUGFIX: ida was not using the default calling convention for validating function types; if it was set to something wrong, interrs could occur in the decompiler
BUGFIX: ida would fail to launch debugger after copying the dll to debug to the remote computer (only if debugging dll, not exe)
BUGFIX: idal/idaw couldn't generate valid GDL graphs when run in batch mode
BUGFIX: idapython: ui/qt: docking: ida could crash if the dock which is active is moved using set_dock_pos
BUGFIX: idaw could sometimes reset the window size to 80x24 even if not asked to do so
BUGFIX: idc: ParseTypes could not parse an enum if some of its members were already used in other types
BUGFIX: idc: sizeof() function was broken
BUGFIX: in linux text version of IDA, it was impossible to cancel a long-running operation
BUGFIX: in some cases IDA could abort with message "page allocation error"
BUGFIX: in the 'Structures' view, removing fields from aggregated structure (leading to gaps appearing in aggregating structure), and then re-defining those fields wouldn't reclaim those bytes
BUGFIX: interr 50913 could occur if a previously valid type was rendered invalid
BUGFIX: interr 543 was occurring at the exit time
BUGFIX: interr 814 could occur when deleting local types
BUGFIX: interr 973 could be displayed by mistake in some rare cases
BUGFIX: it was impossible to create a usable instance of enum_member_visitor_t from idapython
BUGFIX: it was impossible to add an SP change point via the UI to express changes between function chunks
BUGFIX: ldr: elf: patch_mode noform bits are now preserved across the "Local options" dialog; the "Create base for debugging" option setting could not be changed, fixed
BUGFIX: ldr: elf_x64: callback x64_patch() used patch_mode from the wrong place
BUGFIX: linux_server: fallback to accept() if accept4() is not implemented
BUGFIX: mc68k module was not generating xrefs to struct members
BUGFIX: mc68k: address bus width for mc68000, mc68010, cpu32 reduced to 24 bits
BUGFIX: name color for references into the middle of a struct/array was wrong
BUGFIX: offset expressions for wide-byte processors were truncated
BUGFIX: osx: once idaq was launched, double clicking on idaq64 would not launch idaq64 but simply switch to idaq
BUGFIX: pc: when deleting segments basereg info was still retained
BUGFIX: replacing an enum with another enum that had fewer members could lead to interr 1263
BUGFIX: sdk: tinfo_t::get_final_type_name() would return wrong names for typedefs to forward declarations
BUGFIX: searching for binary patterns would fail in some cases for processors with non-standard byte size
BUGFIX: sh3: "bad optype" message could be displayed if the user changed an operand type while the cursor was after the comma inside an operand like this: (h'XX, rY)
BUGFIX: sh3: ida would not detect that after indirect calls to non-returning functions the execution flow stops
BUGFIX: sigmake could interr with code 577
BUGFIX: sigmake would output corrupt data with pattern lengths greater than 255
BUGFIX: some data cross references would not be deleted when deleting the corresponding data item
BUGFIX: srec output was broken (markers in format strings were not replaced properly.)
BUGFIX: stack analysis could cause an internal error in some very rare cases
BUGFIX: struct_field_visitor_t and related functions could not be fully utilized from idapython
BUGFIX: the string window was missing some strings when the debugger was active
BUGFIX: tinfo_visitor_t could crash on yet unresolved tinfo objects
BUGFIX: tinfo_visitor_t could not be fully utilized from idapython
BUGFIX: tricore would print empty @HIS() if the target address of the HIGHA16 offset was wrong (it should print the operand as a number in this case)
BUGFIX: ui/qt: display_tform() could still place the widget back into the main window, in case that widget had a title with ',' in it (amends 59726, really.)
BUGFIX: ui: Fixed broken layout of "Enter reference information" dialog if custom reference info is used
BUGFIX: ui: forms: "Change segment attributes" dialog set wrong attribute alignments
BUGFIX: ui: local variable type cast in "Watch View" was broken, added test cases
BUGFIX: ui: qt: Fixed the behavior of display_tform() (or ui_show_form, or form.Show() in Python). If the form already exists, its position is not changed
BUGFIX: ui: qt: Removed displaying of empty popup menus for IdaCustomMemos
BUGFIX: ui: qt: set AutoFillBackground property to true for TMyDialog. Otherwise in some cases the background is not painted
BUGFIX: user graph nodes could be rendered too small on osx
BUGFIX: v850: Fixed decoding of ld.hu instruction
BUGFIX: watches could not be deleted from the watch list via the Debugger menu
BUGFIX: windbg debugger could fail with interr 520
BUGFIX: windbg, kernel mode: in some cases ida failed to resume execution after a breakpoint
BUGFIX: windbg: in some cases DETACH request could return incorrect code (FAIL instead of SUCCESS)
BUGFIX: windmp: dump loader would incorrectly try to continue if the debugging engine initialization failed, leading to a crash
BUGFIX: PE: some sections with valid data were skipped by default because the discardable flag was set
BUGFIX: PE: intentionally corrupted .NET PE files could corrupt heap or could trigger a static buffer overwrite
BUGFIX: PE: it was not possible to manually load a section which is skipped by default
BUGFIX: ntapi.til: definition of ULONGLONG was wrong (it was defined as "double")
BUGFIX: sdk: function address iterator might return a wrong address in some special cases
BUGFIX: the 'xrefs to' view would duplicate the list for every refresh
BUGFIX: ui: Fixed graph printing. Added the menu item "print graph" to the popup menu
BUGFIX: ui: IDA would crash when clicking "Compile" in the breakpoint's condition editor and the condition was empty
