ГЛАВНЫЕ НОВОСТИ В IDA Pro 4.9

• Добавлен отладчик для устройств Windows CE, работающих на процессоре ARM

  Особенности отладчика:
  • Удаленный сервер отладки не нужно запускать вручную, IDA сама запустит его автоматически, используя соединение ActiveSync. Если отлаживаемого файла не будет на устройстве, то он тоже будет скопирован.
  • Процессоры ARM не поддерживают пошаговое исполнение программ, поэтому оно эмулируется программно. К сожалению программное эмулирование не дает пошагово исполнять системные библиотеки.
  • Прерывание (breakpoint) в coredll.dll и в других системых областях приводит к зависанию устройства, причем помогает только жесткий перезапуск (hard reset). Это происходит из-за того, что прерывания видны всем процессам в системе, а не только отлаживаемому процессу. Для того, чтобы избежать таких проблем, отладчик не позволяет устанавливать прерывания в coredll.dll и по адресам >= 0x80000000.
  • Из-за невозможности установить прерывание в запрещенных областях (см. предыдущий пункт), шансы приостановить (pause) программу очень малы если она проводит большинство времени в системых вызовах.
  • Отладчик умеет работать с hardware data breakpoints, если процессор поддерживает их. В частности, Intel xScale процессоры их поддерживают.
  • Отладчик использует системные таблицы для определения текущей конфигурации памяти устройства. Он считает, что системная память (адреса >= 0x80000000) никогда не меняются.
  • В Windows CE текущий процесс отображается в двух регионах памяти: в слоте процесса и слоте №0. IDA использует слот#0 и не знает про отображение на слот процесса.
  • Отладчик умеет работать только с 32битной версией IDA под управлением MS Windows, потому что ActiveSync API доступен только для этой платформы.

• Улучшенная работа с PDB файлами

  IDA использует полностью автоматизированный механизм для получения и применения PDB файлов от Microsoft Symbol Server. Браузер интернет больше не используется и больше не нужно вручную распаковывать файл. Одно нажатие - и файл будет скачан с сервера и применен.

• Отладчик

  Среди многих улучшений отладчика, в дополнение к ARM отладчику три заслуживают упоминания здесь:
  • улучшена скорость трассировки для разработчиков плагинов
  • новый плагин: универсального распаковщик PE файлов. на этом плагине видна улучшенная скорость работы трассировки. Этот плагин поставляется вместе с исходниками (его можно улучшить до такой степени, чтобы он поддерживал практически все имеющиеся паковщики)
  • улучшена работа с исключениями. при желании можно сделать все исключения абсолютно прозрачными для отлаживаемого приложения. также пользователь можно решить, что делать с исключения, в самый последний момент времени: передать его приложения или маскировать. Даже если приложение использует исключения EXCEPTION_BREAKPOINT или EXCEPTION_SINGLE_STEP, отладчик сумеет разобраться, кто инициировал исключение и поступит соответственно.

• Стабильный SDK

  По многочисленным просьбам, начиная с этой версии мы обязуемся поддерживать совместимость IDA API. Разработчики плагинов несомненно оценят эту новость. Мы будем продолжать добавлять новые фукнции, но старые фукнции менять не будем.

• Обновленный деманглер

  Встроенный деманглер обновлен и теперь понимает имена, созданные компилятором GNU v3.x и новыми компиляторами от Микрософт. Больше не нужно подключать внешний деманглер к IDA.

• MIPS Release 2

  Добавлена поддержка MIPS32 architecture release 2.

• 3х байтовые данные

  Эта новость заинтересует пользователей микроконтроллеров: теперь IDA знает про 3х байтовые данные, умеет создавать и отображать их в листинге. Есть даже возможность указания, в каком порядке используются эти байты. В настоящее время 3х байтовые данные доступны для Motorola 6812.

• Поддержка больших баз данных

  Мы были вынуждены убрать ограничение на размер bTree базы данных в IDA. Теперь очень большие программы (больше 100МБ кода) могут быть дизассемблированы.

PROCESSOR MODULES

• new processor: Atmel OAK DSP (courtesy of Ivan Litvin)
• 6812: IDA does not create an xref for (L)BRN instructions anymore; BRN and CPS instruction are replaced by SKIP1/SKIP2 pseudoinstructions
• ARM: better handling of glue code
• ARM: IDA knows that STR Rn, [SP,-4]! changes the stack pointer
• ARM: jump table recognition has been improved
• ARM: tail call using the 'B' instruction is recognized if it is preceded with LDM SP!,...
• ARM: updated WinCE coredll.ids and added undocumented functions
• ARM: MOV PC,... is recognized as an instruction which spoils register values
• C166: it is possible to use zero offsets, enum members and other representations for indirect addressing like [rX]. In other words, [rX] can be replaced by [rX+symbol_denoting_zero] using appropriate commands in IDA
• IBM PC: parameter comments are applied to all instructions, not only on restrict set of instructions; parameter location were not always correct for borland and watcom __fastcall calling conventions
• IBM PC: Watcom & GNU __fastcall calling convention is supported
• IBM PC: SEH_prolog function is recognized and handled by IDA
• M68K: addi.l #imm,... automatically selects the number sign
• MIPS: default MIPS processor is simple MIPS, not R5900
• PPC: processor module can display up to 4 operands per instruction
• MIPS: MIPS32 release 2 and MIPS5 instructions are supported

FILE FORMATS

• COFF: gcc link directives are recognized
• COFF: files with no sections were considered as incorrect files; now ida accepts them (but this might lead to misdetections)
• COFF: IBM PC: ida sets up the compiler by demangling all names and selecting the compiler which gives most demangled names
• ELF: added support for ARM LOPROC symbol type
• ELF: communal variables in Kylix files are loaded into the database
• ELF: IDA knows about DT_PLTGOT record
• ELF: much better patching for PIC mode; additional loading options flag in added to the user interface
• ELF: support for new ABI v3.0 has been added
• ELF: try to load unknown elf images upon user request
• ELF: IDA tries to detect the GNUC++ compiler based on the symbols in the input file
• EPOC: default string style is unicode
• EPOC: thumb mode rom images are supported
• PE: DllEntryPoint function prototype has been added
• PE unpacker plugin: this plugin uses the debugger to let the program to unpack itself in the memory and as soon as the execution reaches the original entry point, it suspends the program; the user then may take a memory snapshot
• TDS: IDA knows about Borland's TDS debug information files
• PDB: IDA uses a new fully automated method of downloading PDB files from the Microsoft Symbol Server

KERNEL

• demangler has been improved to support GNU v3.x demangling scheme and new Microsoft compilers
• automatically detect Visual C++ object files and set the target compiler
• 'force zero offset' applied to a structure offset operand which is represented as the structure size appends the first structure field to the operand representation
• array indexes are displayed for the arrays of terse structures
• better treatment of wrongly created function tails: a wrong tail might have led to other wrong tails, so after converting it to a function we have to recreate all other function tails
• it is possible to rename a register to itself (useful to create register comments)
• while forming a function prototype if undecorating the name fails, try to demangle it and get the bare name
• better analysis of unicode strings: ida creates them only on 4byte boundaries
• btree databases bigger than 512MB are supported
• IDA supports 3-byte items. The user can specify the order of bytes using the TRIBYTE_ORDER ida.cfg parameter
• more strings are discovered and created during the analysis
• when the default string type is unicode, IDA checks for C strings as well
• FLAIR: REL_I386_CLR_TOKEN relocation type is supported
• FLIRT: Visual C++ signatures has been updated
• IDA creates thunk functions for ibm pc more aggressively
• IDA doesn't display anonymous structures in the structure selection lists (for new databases)
• IDA tries to apply type information for names like j_func and func_0
• initialized union instances are allowed; ida will display the union using the definition of the first union field
• ntddk.til has been updated; wdm.til has been added

IDC & SDK

• IDC: error message about calling an undefined function includes the function name
• IDC: GetString() function has been added
• IDC: MakeUnknown() function to undefine a range of addresses has been added
• IDC: isEnabled() macro allows to check if an address is valid
• SDK: IDA API has been frozen for future binary compatibility
• SDK: add_regvar() modifies existing regvar definitions to define a new variable which overlaps the existing variables
• SDK: add_sourcefile() function does not fail if there already was a source file defined at the specified range; in this case it will delete or modify the old definitions to make a hole big enough to hold the new file
• SDK: add_stkvar2() function to add stack variables from plugins; tds plugin uses it
• SDK: added a flag to allow the use of constructs not supported by the target assembler. It is INFFL_ALLASM bit in inf.s_genflags. The inf.use_allasm() function checks this bit
• SDK: areacb_t::make_hole() function can be used to make holes in area definitions
• SDK: AUTOHIDE NONE and similar keywords in the dialog box messages can appear not only in the format string but also in the final string as well
• SDK: closing_comment() to get the comment closing sequence
• SDK: debugger structures are aligned at 4 bytes to avoid problems on ARM processor
• SDK: is_ret_insn() function and callback are added
• SDK: make_visible_name() has additional argument - output buffer size
• SDK: new function calc_bare_name() to get the smallest possible form of a name (try to undecorate and demangle)
• SDK: new function parse_types(); IDC: new function ParseTypes()
• SDK: new function: get_flags_ex(). The new function get_flags_novalue() built on top of get_flags_ex() does not return the MS_VAL and FF_IVL fields of the flags and therefore is much faster for remote debugging; it is not exported yet (todo later!) but the kernel uses it during the segment deletion which improves the speed
• SDK: ph.guess_memory_model is replaced by ph.setup_til
• SDK: rotate_left() function is exported
• SDK: SetFlags, SetFlbits, ClrFlbits() functions do not modify the MS_VAL and FF_IVL flag fields; uFlag global variable does not contain these fields; the kernel updates the uFlag automatically (if the modified address is equal to cmd.ea), so there is no need to update uFlag manually in the emulator function of processor modules
• SDK: setup_selector() allocates a new selector for values not fitting in 16 bits only for IBM PC. Other processors will use 32-bit segment bases
• SDK: the processor name is stored in the debugger description structure to allow instant debugging for processors different from IBM PC
• SDK: added new data type: 3byte; doData() function is removed because it can be replaced by do_data_ex()
• SDK: btoa..() functions accept a buffer for the answer; atoa() function is obsolete and removed (use ea2str())
• SDK: close_chooser() to close open non-modal list views
• SDK: dbg->stopped_at_debug_event() does take require 'event' as the parameter;
• SDK: elnum_t is replaced with int
• SDK: func_does_return() is added; it is better to use this function instead of examining FUNC_NORET flag directly
• SDK: get_name_expr() accepts a buffer for the answer and returns the answer length; new function: out_name_expr() is easier to use in the processor modules; append_disp() is replaced with print_disp() which does not append but simply uses the given buffer and returns the answer length
• SDK: IDC compile/run functions return the error message in the specified buffer (before it was a in a static storage); the return value is a bool meaning success of the operation
• SDK: interface to netnode functions returning big objects has been changed. Now these functions put the results into the specified bugger. This is a big change in IDA API leading to the modifications of many functions. This change is a small step in the direction of multithreaded model.
• SDK: is_alloca_probe notification code has been added
• SDK: lexical analyzer is thread-safe and can be called from several threads for different inputs
• SDK: new function qerrstr() and qerrcode()
• SDK: nexthat, prevthat functions accept 'user_data' parameter for thread-safe handling
• SDK: now the memory config and contents are not automatically refreshed at each debug notification; the plugin must call invalidate_dbgmem_config() and/or invalidate_dbgmem_contents() to get the current view
• SDK: PLUGIN_PROC and PLUGIN_FIX flags are added; plugin management is moved to the kernel
• SDK: refresh_navband() to refresh the navigation band
• SDK: standard file functions like fopen() are not visible by default - use qfopen() and similar functions; the standard functions can be enabled by the USE_STANDARD_FILE_FUNCTIONS preprocessor symbol
• SDK: strarray() accepts a buffer for the answer; qstrerror() accepts a buffer for the answer; ivalue1,2,3 functions are deleted
• SDK: take_memory_snapshot() function is added
• SDK: term_database() function is added
• SDK: zip_inflate/zip_deflate() functions accept 'user_data' parameter
• SDK: added get_reg_name() to get the name of the specified register
• SDK: bring_debugger_to_front() is added
• SDK: dbg_trace can be used to filter trace events
• SDK: find_text() function is exported
• SDK: get_first_module(), get_next_module() debugger functions are added
• SDK: new dbg_process_attach & dbg_process_detach notifications are generated in all cases ([request_]attach|detach_process() or not)
• SDK: new function add_menu_item(), del_menu_item() (only in the gui version for the moment)
• SDK: the asynchronous start_process() command now terminates as soon as the process is started and generates a 'dbg_process_start' notification
• SDK: ua_emu() and ua_out() functions are not in IDA API anymore
• SDK: user-defined form buttons can be configured in the dialog definition

USER INTERFACE

• ui: it is possible to add/delete exception codes from the user interface
• a disassembly/hex view can be attached to a hex/disassembly view or to a register value when debugging (through the 'Synchronize with' command in the view's popup menu)
• gui: register variable definition ranges are displayed in the hints
• gui: text entry dialog boxes are resizeable
• gui: Imports and Exports windows now automatically select the nearest entry just below the current address if any
• maximal size of instant idc script executed by Shift-F2 is increased to 16KB
• 'jump to file offset' treats the input as a hex number by default
• reaction time to cancelling a file load has been much improved
• ui: 'make array' command is faster because it does not calculate additional information which was displayed on the dialog box
• ui: it is possible to jump to the structure definition by pressing Enter on the "size structname" expression in the disassembly view
• ui: register variable definitions are printed at the beginning of the register definition area (was at the beginning of the function)
• ui: editing a standard structure makes it non-standard
• ui: if IDA detects that the new name entered by the user is already used in the program, it proposes to set 'create anyway' flag

DEBUGGER

• remote debugging: debugger module for Windows CE running on ARM has been added
• the decision whether to mask/unmask an exception can be taken upon resuming program execution
• debugger: 'Run to cursor' now continues the execution if used at IP (useful to iterate in loops)
• debugger: diminished the wait time of stopping a task which does not stop reason from 4 seconds to 3 seconds
• debugger: added 'Enable breakpoints' and 'Disable breakpoints' commands in popup menu of the Breakpoints list - these commands also accept multiple selection
• debugger: ida knows about popf instructions and that they might set the trace bit; if the currently stepped instruction sets the trace bit, then the resulting exception is reported back to the application - this allows to single step such instruction with preserving all application functionality; the user may also cancel the 'continue execution' command
• debugger: unexpected trace bit exceptions are passed to the application first; this allows to debug a program using exception 0x80000004 internally
• remote debugging: ida proposes to copy the local input file to the remote computer if it is missing

BUGFIXES

• 'make array' would ignore instructions when calculating the maximal array size
• 'wait' box might stay on the screen after a long operation
• a non-modal chooser was stealing the focus of a (modal) dialog box if opened from inside this one
• ARM module was creating sp based stack variables too early - this could lead to superfluous stack variables in some cases
• arrows referencing addresses outside of the screen were sometimes displayed
• Borland RTTI plugin was crashing at the dialog box
• c166: buffer for the memory mappings display was too short for 64bit 16 mappings
• checking a manual operand might fail
• corrected description of askbuttons() function
• database garbage collection errors would lead to immediate exit (the error message was printed to stdout); now ida reports about them using a message box
• debugger: an error message was displayed when cancelling the 'Process options...' dialog box
• debugger: IDA was sometimes unable to obtain the debug privilege in order to debug a system process
• debugger: register values were not properly displayed with large fonts
• debugger: the 'Command "BreakpointToggle" failed' message was displayed when cancelling the 'Breakpoint settings' dialog box
• debugger: tracing could cause infinite loops once the trace buffer was full
• debugger: tracing was erroneously disabled if it was started inside a debugger segment, the 'Trace over debugger segments' option was enabled, and the debugger segment was calling code inside the database segment
• disassembly and hex views were refreshed too often, causing slow browsing
• dsp56k was not disassembling some movem instructions
• editing anterior/posterior comments would remove the last empty line
• elf loader would skip sections with wrong type even if the user wanted to load them in the manual mode
• EPOC ROM images were truncated by the size of the ROM header
• error message about using register names while the debugger was not active would display garbage instead of the register name
• FR call instruction was not disassembled correctly
• IBM PC 'assembly' command would not accept labels in instruction operands
• IBM PC: movhpd, movldp, movntdq instruction do not allow register-to-register encodings but IDA was disassembling them
• IDA could automatically destroy an instruction if a data item overlapping it is defined
• IDA could hang trying to display very long string result in the calculator
• IDA was proposing the default array size of one for uninitialized data if the debugger was active
• IDA was using the debuggee command line switches when the debugger was started with the -r switch
• IDC DelConst(Ex) function was not available
• IDC: empty statement after 'else' would lead to incorrect execution
• if the entry point ends up having a name different from "start" then its name in the entry point list would be missing
• if the last segment in the program was close to the memory top, the binary search could fail
• if the plugin had PLUGIN_UNL then its init() would not be called when the plugin was invoked the second time
• in some very rare cases the list of names of a debugged program might get corrupted
• information about original bytes patched when the debugger was active would be lost
• it was impossible to assign Fx keys as IDC hotkeys
• it was impossible to use a negated symbol constant
• it was not possible to debug 32-bit applications under Windows64
• java: floating point numbers were not displayed correctly
• loading old databases under linux for big endian processors might lead to problems due to unexpected saving of database at the load time
• mc68k was always using offset base 0 for lea/pea instructions
• mc68k: pea/rts might create wrong cref; execution flow was always stopping at it
• MIPS module was not disassembling some MIPS32 opcodes
• multi monitor systems: IDA was positioning windows on the main monitor regardless where they were before
• mysterious access violations when renaming a stack variable are fixed
• only the first hardware breakpoint was working correctly
• PE files with unaligned section pointers would be loaded incorrectly
• PE modules were not accepted for imported function names even if they contained exported names
• PIC config files were wrong
• renaming a stack variable of a function with a prototype might lead to wrong prototype and subsequent crash
• repeatable comments for structure offsets at 0 were not printed if the 0 constant was not explicitly present in the instruction
• rotate_left() all 32-bits on 32-bit ida was not working
• some functions would not be destroyed at the end of a debugging session
• some imported functions would not have correct attributes because the imports segment was created after the attempt to set their types; now the type libraries for imported modules are loaded after creation of import segments (it concerns mainly pe files)
• some processor modules were not taking into account the possibility of custom instruction types
• tab order in 'Breakpoint settings' dialog box was not properly defined
• text version: warning messages in the batch mode were displayed as garbage in the messages window
• the 'Clear trace' command from the 'Edit' menu in the 'Trace window' was not properly refreshing the window if no trace line was selected
• the definition of a structure member of a unicode string type had wrong length
• the pdb plugin was not unloaded after the use despite of the 'PLUGIN_UNL' flag
• the segment register window by default had too narrow columns in the 64-bit version
• the stack trace window was not restored at the beginning of a debugging session
• the status line was not immediately redrawn after a function renaming
• the system menu icon of a maximized MDI window was continuously appearing/disappearing when starting various commands such as 'D'
• the type of structures with floating pointer members was not correctly guessed/determined
• TMS320C54 and TMS320C55 files could hang when loading wrong input file
• using floating point constants in IDC might lead to runtime errors
• VS.NET: double floating point constants were displayed incorrectly in the 64bit version
• when removing a function tail, the stack change points of the tail were not removed
• XlatAsciiOutput was not working correctly in all cases
• 'jump to end' in the structures window was jumping to the last field of the last structure instead of positioning the cursor at the structure end
• bin_search() was not working properly when the debugger was active; take_memory_snapshot() recalculates the tail flags (required to display properly data arrays after a snapshot)
• dragging toolbars out of debug registers window would change its size unnecessarily
• ida could erroneously report a mismatch between the database and the executable file if the input file name was changed after initializing the debugger; now we pass the input file name to the 'start_process' function and to 'get_process_info' function
• ida could hang if the structure definitions were corrupted
• IDA was always proposing enum_1 as the default enumeration name
• it was possible to create mutually nested structure types
• it was possible to use a name starting with a digit using the MakeName() IDC function
• modifying the stack frame of a deleted function could lead to a crash
• on Windows, breakpoints occuring while another thread is terminating could cause the debugger to freeze
• possible endless loop in get_bmask_enum()
• resolve_typedef() result was not always checked against NULL
• trying to fix the suspended threads problem when creating a breakpoint in shared code of a multi-threaded application