IDA Pro 7.0: What's New

What's new in IDA Pro 7.0 (as a tester, I was fortunate to receive an extra 3 months of technical support):

  • A quick note first: Keypatch now fully supports IDA 7.0 (x86, x64);
    https://github.com/keystone-engine/keypatch received a few adaptations.
    For installation steps, see
    http://blog.csdn.net/fjh658/article/details/52268907 (an aside)

  • IDA's own binary architecture has changed (x86 and x64 are released at the same time and can be installed side by side on one OS)

    • x64 is the headline change (following the OS trend toward 64-bit; every existing 32-bit plugin must be re-adapted and recompiled)
    • x86 carries over the 6.95 feature set with some enhancements and bug fixes (a transitional compatibility stage)
  • Large parts of the C/C++ API were refactored
    • See
      https://www.hex-rays.com/products/ida/7.0/docs/api70_porting_guide.shtml
  • The corresponding IDAPython API changed accordingly
    • For compatibility with 6.95, see
      https://www.hex-rays.com/products/ida/7.0/docs/idapython_backward_compat_695.shtml
  • Full internationalization support (UTF-8 first)
    • Automatic string literal analysis
      https://www.hex-rays.com/products/ida/7.0/docs/strlits.shtml
    • Internationalized string display
      (screenshot)
    • Internationalization everywhere
      http://blog.csdn.net/fjh658/article/details/77839882
    • exception handling information and RTTI
      • Recognition of C/C++ exception handling (in my testing, support is not yet very good, especially for Mach-O)
        (screenshot)
  • improved Objective C support
    • Effect (the decompiler output uses far fewer objc_msgSend calls)
      (screenshot)
    • Built-in plugin
      (screenshot)
    • Detailed settings of the built-in plugin (note "max list")
      (screenshot)
  • Debugging support for the latest macOS (10.13) and iOS (11)
    • mac_server64 and mac_server now carry an Apple certificate and no longer need to run as root
  • Many bug fixes (I contributed 7 or 8 valid bug reports and improvements)
    Complete changelist

Processor Modules

ARM: added one more pattern of thumb->arm transition
ARM: arm64: use simplified aliases for UBFM/SBFM instructions when applicable
ARM: handle vfp instructions: VMOV immediate, VCVTB, VCVTT, VCVT with a fixed point operand
ARM: reduced complexity of the SP-analysis from quadratic to linear;
ARM: added a fix for Thumb switches with full addresses
ARM: added support of the new clang’s switch pattern for arm64
ARM: extended LDRB switch pattern
ARM64: take into account instruction STP can load callee arguments into stack - add corresponding comments to such instructions
MIPS: recover more cross-references from stripped statically-linked PIC ELF files
MSP430: added simplification “movx @SP+, dst” -> “popx dst”
PC: added decoding of Control-flow Enforcement extension
PC: added decoding of newer AVX-512 extensions (4FMAPS, 4VNNIW, and VPOPCNTDQ)
PC: added new switch pattern
PC: decode PTWRITE instruction
PC: decode VMFUNC instruction
PC: detect more switch patterns from clang
PC: improved epilog detection
PC: improved prolog detection
PC: improved stack frame analysis in x64 files
PC: support another variation of x64 table-based switch with switch variable stored on the stack
PPC: added missed extended mnemonics ‘rotld’
PPC: added new config flag PPC_ABI_EMBEDDED/ISA_EABI;
PPC: added support of PowerPC64 ELF V2 ABI
PPC: improved switch patterns;
PPC: r13-based operands are printed using simplified @sda suffix
SuperH: improved detection of functions when addresses are calculated with movi20s + add/sub
SuperH: added register definitions for SH7256
TMS320C3: improved stack tracing
tricore: added TRICORE_DEVICE and TRICODE_IORESP config parameters so that they can be set from scripts
File Formats

DWARF: Store file/line number information in IDB (only if requested, since it comes with a performance penalty)
ELF: added processing of many previously unsupported PPC64 relocations
ELF: annotate headers (ELF, PHT, SHT) and convert more known data to structs (symtab, strtab, relocations, dynamic information)
ELF: annotate preinit/init/fini function arrays
ELF: convert all strtab entries to ascii strings (even the ones that are not referenced)
ELF: describe DT_HASH and DT_GNU_HASH
ELF: describe symbols using symtab from DYNAMIC section
ELF: detect overlapping sections in SHT and prevent them from processing data (but still load them in the database)
ELF: don’t obliterate data when patching PLT
ELF: don’t skip processing relocations if symbol index is 0 (happens with IRELATIVE relocs)
ELF: IDA now uses the PHT by default instead of the SHT to load segments from ELF files
ELF: improved support for TLS variables in relocatable files
ELF: load symbols using symtab from DYNAMIC section when .dynamic section yields no symbols
ELF: PLT relocations for pc are now processed at relocation-application-time, instead of relying on the presence of a .plt section
ELF: ppc: added new ida.cfg variable PPC_FIX_GNU_VLEADRELOC_BUG to work around binutils bug 20744
ELF: process .ctors/.dtors sections for all architectures
ELF: recognize PLT stub functions from R_386_GLOB_DAT relocations
MACHO: support dyld_shared_cache files from OSX 10.13 and iOS 11
MACHO: support dyld cache slide info v2. This should improve analysis for dyld_shared_cache files from iOS 10 and OSX 10.12
MACHO: improved analysis of single modules within dyld_shared_cache files that have slide info
MACHO: added an option to load for single module plus its dependencies for dyld cache
MACHO: fixed incorrect resolution of Mach-O import table entries in files using both LC_DYLD_INFO_ONLY and LC_SYMTAB
MACHO: improved speed of objc metadata parsing
MACHO: support for apple-protected binaries from OSX versions < 10.6
MACHO: support x64 macOS kernelcaches with kexts relocated at runtime
MACHO: added processing of the ARM64_RELOC_ADDEND relocation;
MACHO: allow the user to override the ASLR slide for dyld_shared_cache files
OBJC: added Objective-C Analysis Plugin; the plugin tries to create an xref between calls to objc_msgSend and the function that will ultimately be called by msgSend
OBJC: perform Objective-C specific analysis on the decompiler output
OBJC: implemented a “step into” action for Objective-C (Debugger>Run until message received)
OBJC: allow user to jump to a method definition given a selector string (Jump>Jump by selector)
OBJC/MACHO: IDA can now extract Objective-C type info via ‘Load debug info’ in the Modules view during debugging
OBJC: now objc metadata can be parsed on demand, not just at load time
OBJC: implement demangling of objective-C methods in Swift classes
TDS: added support for executables with debug info appended to the end of the file
PDB: added an explicit check for odd paths (e.g. UNC) of pdb files; if such a path is detected, we display one more warning to the user
Debugger

debugger: iOS: support debugging on iOS 11
debugger: iOS: support source-level debugging in Remote iOS Debugger
debugger: iOS: support Appcalls in Remote iOS Debugger
debugger: iOS: added support for ARM(64) FPU/NEON registers
debugger: iOS: identify regions of process memory in greater detail
debugger: iOS: always allow the user to specify a pid when attaching to a process
debugger: OSX: support debugging on OSX 10.13
debugger: OSX: improved support for debugging system libs from /usr/lib and /System/Library/Frameworks (any libs included in the dyld_shared_cache)
debugger: OSX: identify regions of process memory in greater detail
debugger: remote mac debuggers are signed and don’t have to be run as root
debugger: BOCHS: added support for Bochs 2.6.9
debugger: LINUX: added environment variable IDA_SKIP_SYMS to ignore the exported names from the main module
debugger: LINUX: try to load separate debug info file for libpthread.so, if environment variable DEBUG_FILE_DIRECTORY is set
debugger: GDB: added software breakpoint for powerpc
debugger: GDB: added support for banked ARM register layouts
debugger: GDB: added support for no-acknowledgment mode (QStartNoAckMode) for reliable connections (set by default; unset by changing the stub options)
debugger: GDB: added support for uploading files to the server
debugger: GDB: enable “run a program before starting debugging” option and “Choose a configuration” for all processors including x86/x64
debugger: GDB: fetch processes list from gdbserver if supported
debugger: GDB: fetch target description from gdb stub as early as possible (mimic GDB behavior)
debugger: GDB: show the full path to be run if the user enabled “Run external program before debugging” before actually executing it
debugger: PIN: added support for appcall
debugger: debug servers can now be launched with ‘-kk’ to specify that in case the connection between IDA & them is broken, the process should be terminated immediately
ios_deploy: added “codesign” and “appify” phases
ios_deploy: added “usbproxy” phase
ios_deploy: added “launch” phase
ios_deploy: added “kill” and “proclist” phases
ios_deploy: added “install_ex” phase
Kernel/Misc

kernel: switched to PCRE2 for the regular expression engine. Now Perl extensions (\s, \d, \w and so on) can be used in regular expressions
kernel: improved handling of ‘noret’ function attribute (fix endless looping in some cases);
kernel: documented ABANDON_DATABASE in ida.cfg
kernel: added separate “mingw” abi name; it can be specified for the visual studio compiler
kernel: renamed environment variable NONAMES to be IDA_NONAMES
FLIRT: Added detection of 32-bit mingw/mingw-w64 startup functions
FLIRT: Added detection of 64-bit mingw-w64 startup functions
FLIRT: Added detection of Android Bionic libc startup for ARM
FLIRT: Added MFC signatures for vc1410 (Visual Studio 2017)
FLIRT: Added MFC signatures for vc143 (Visual Studio 2015 Update 3)
FLIRT: Added signatures for Android NDK/ARM (up to version 13b)
FLIRT: BC: added signatures for xe102 (RAD Studio 10.2 Tokyo)
FLIRT: DM: added signatures for Digital Mars 2.073.0
FLIRT: ICL: Added signatures for icl164 (Intel C++ 16.4)
FLIRT: ICL: Added signatures for icl170 (Intel C++ 17.0)
FLIRT: ICL: Added signatures for icl171 (Intel C++ 17.1)
FLIRT: ICL: Added signatures for icl174 (Intel C++ 17.4)
FLIRT: VC: Added signatures for vc1410 (Visual Studio 2017)
FLIRT: VC/VC64: added signatures for ucrt 15063 (Windows 10 Creators Update SDK)
FLIRT: pcf/pelf/plb/…: added option to modify pattern using regex (-E)
FLIRT: pcf/pelf/plb/…: added option to skip bytes before first label at pattern beginning
FLIRT: remove __ehhandler and __unwindfunclet pseudo-functions from signatures
FLIRT: the parser tools now remove by default any bytes before the first label (unset with -L)
FLIRT: mingw, mingw-w64: added detection of 32- and 64-bit mingw-w64 startup functions from the sourceforge builds (7.1.0rev2 and 7.2.0rev0)
FLIRT: sigmake: document -v (verbose) switch
FLIRT: upgraded ulink signatures
IDS: Added IDS files for MFC120 and MFC140
PCF: added option to specify startup segment name
PCF: the -s option (skip unknown relocations) has been renamed to -k
SIG: added signatures for VS ucrt 14393 (Windows 10 Anniversary Update SDK)
TIL: Updated UEFI TILs to version 2.5
TIL: Updated NTAPI type library
TIL: Added type library for Android NDK
RTTI: new plugin for parsing RTTI (run-time type information) produced by MSVC, GCC and LLVM in PE, COFF and ELF files
RTTI: added detection for MSVC’s ThrowInfo and related sub structures
RTTI: added type information to comment for catchable types
EH_PARSE: new plugin to parse EH (exception handling) information present in ELF, COFF, Mach-O, and PE files. NOTE: enable display in Options-General-Try block lines
User Interface

UI/qt: ability to delete breakpoints by group
UI/qt: ability to toggle between mangled & demangled versions of “Imports” & “Exports”
UI/qt: added fuzzy-searching in choosers
UI/qt: implemented ability to write custom actions for individual registers in the “General registers” (and similar) view (E.g., during a debugging session)
UI/qt: on Windows, text in message boxes (and warnings, errors, …) can now be selected with the mouse, and copied to clipboard (it was already the case on OSX & Linux)
UI/qt: when copying tabular data (e.g. from choosers) to the clipboard, IDA now generates tab-separated values instead of aligning the text with spaces
UI/qt: when running on Linux/X11, selecting parts of the disassembly with the mouse (or Shift+navigation), will update the X11 ‘selection’ clipboard (limited to what’s visible on the screen.)
UI/qt: the Python/IDC command line auto-completion now responds to “Shift+Tab” appropriately, and goes back in history
UI/debugging: improve the formatting of the Call Stack window
UI/txt: decompiler can now be used interactively in the text version of IDA
UI: create/add/delete segment messages could be mixed up in the log
UI: do not ask permission to overwrite empty files, no info will be lost anyway
UI: pressing F9 with no debugger selected now starts the process automatically after user selects a debugger
UI: added a new action “copy field info to pointers”; it copies name and type info from a struct definition to the pointed locations for the current struct variable;
UI: all navigation actions are now proper actions, allowing their shortcuts to be overridden (and to be triggered programmatically.)
UI: many cursor movement actions can now be assigned other user-defined shortcuts
UI: mention that selector values are in paragraphs
UI: proximity view: added option to not show the collapsed nodes
UI: script snippets are now automatically saved to the database (and thus persisted to disk when the user presses Ctrl+W)
UI: script snippets: Pressing or
