IDA Pro 5.7 highlights

We have released a IDA Pro 5.7 few days ago. The complete whatsnew can be found here.
In this blog post we will highlight some of the major changes and additions of this release.


Debuggers

Among the various changes and additions to the debugger kernel and modules, we:

  • added support for MMX/XMM registers:

  • added more actions to the modules window:

    • Load debug symbols: Load additional PDB symbols
    • Jump to module base: Jumps to the module base in the current view
    • Analyze module: Converts the module segments to non-debugger segments and analyzes the module. Handy when analyzing crashdump files

  • added Bochs 2.4.2 support.
    Bochs 2.4.2 introduced range read/write physical watchpoints. If a watchpoint was added from the Bochs command line interface IDA Pro will suspend the execution when the watchpoint triggers.

Bochs Linux debugger plugin

If you found Bochs debugger plugin useful in the past (e.g. for low level programming, malware and code snippet emulation), then you may take advantage of the same functionality under Linux / MacOS.


(Debugger selection)


(Debugger configuration)


(Debugger running Under Ubuntu 9 x86)

Please refer to the tutorial to learn more how to configure and use the plugin.

WinDbg debugger

Apart from bug fixes and minor speed improvements, we added non-invasive debugging support. This ability to attach to processes that are already being debugged comes handy when you want to create crashdumps or inspect handles and other kernel objects.

Make sure you enable this option from the Debugger/Debugger Options/Specific debugger options dialog:

If you are debugging 64-bit applications using idag64, the Windbg plugin will offer to run the debugger server for you automatically:

When the debugger server is no longer needed make sure to terminate it.

Scripting

Processor modules and Plugins

It is now possible to write scriptable loaders, processor modules and plugins. If you always wanted your scripts to automatically execute when a database is loaded and unload/deinitialize when the database is closed, then turn your script into a plugin script with just a few additional lines of code.

If we get enough requests about writing debugger modules using scripts, we may add this facility in the future.

IDAPython improvements

We refactored and improved the IDAPython (now version 1.4.0) plugin (and the extlang_t interface by adding new facilities to call object methods, query properties and so on).
This has lead to significant speed gains as demonstrated by Ero Carrera’s blog post.

We also documented all the manually wrapped functions and utility classes which were poorly documented with the example scripts.

Please refer to the documentation of the pseudo module pywraps for more information.

The graphical user interface

We did some last minute changes to the GUI and some of the features described before were changed:

  • The recent scripts window can be configured to be a dockable window or a modal dialog (check idagui.cfg / RECENT_SCRIPTS_MODAL)
  • No need to hold the Alt key in order to jump to identifiers, instead simply double click on it
  • Output window is now searchable: use Alt-T to start the search and Ctrl-T to search for the next match

Kernel and processor modules

ARM module

We have added support for almost all ARMv7 instructions, including NEON (aka Advanced SIMD). NEON instructions can be found in the code made for Cortex-A8 processors, such as the one in iPhone 3GS and iPad.


Because ARM uses new, unified syntax for NEON and VFP (Vector Floating Point) instructions in ARMv7, we use the new syntax if NEON is enabled.
Otherwise we still display old mnemonics for VFP instructions, as they’re what most people are used to.
The only instructions still missing from ARMv7 are ThumbEE instructions which are supposed to be used for JIT compilation of bytecode-based languages. We have not yet encountered any real-life code using it.

You can choose which architecture version to use when disassembling ARM code. This can be done interactively in the “Processor-specific options dialog” :


via the command-line:

idag -parm:ARMv6T2 firmware.bin

or by editing IDA.CFG:

ARM_DEFAULT_ARCHITECTURE = "ARMv6";

For ARM Mach-O files or ELF files that include EABI attributes, the architecture version is set automatically from the flags in the file.

MIPS module

We have improved the register tracing and now almost all indirect code and data references are recognized. Here’s one of the many samples:
Before:

After:

We have also added decoding of the MIPS16e instructions jrc, jalrc, save, restore etc.).

PC module

One small but important new feature is the improvement in the parsing of SEH (Structured Exception Handling) in Win32 files.
It is especially useful when disassembling drivers which use SEH extensively.

Notice that the finally handler is not converted into a separate function as before (because of the call), but is correctly added to the main function.

Python processor modules

We added two new processor module scripts written entirely in Python. They can be used as a template when developing your own.

  • ebc.py: EFI Byte code processor module:

  • msp430.py: MSP430 is a simple 27-instructions 16-bit RISC processor from TI.

Closing words

We hope that the new features make your reversing job more easier. Please feel free to send us comments, suggestions and feature requests.

Last but not least, we expect to start the beta testing of the new IDA Qt interface soon. If you are interested and have an active IDA Pro license do not hesitate to contact us.

Published by

Elias Bachaalany

Hi, I am Elias, a former Hex-Rays employee and an IDA Pro enthusiast. I love reverse engineering and more especially writing tools and articles about it. I also co-authored a couple of books on the topic, which you can see on Amazon.com (http://amzn.to/1P1G0ID).