Reverse Engineering
- LLEF is a plugin for LLDB to make it more useful for RE and VR (github.com: foundryzero/llef)
- Windows PE Packer x86 (github.com: czs108/Windows-PE-Packer): a packer for Windows x86 executable files written in C and Intel x86 Assembly. The new file after packing can obstruct reverse engineering.
- Abusing undocumented features to spoof PE section headers (secret.club)
Introduction Some time ago, I accidentally came across some interesting behaviour in PE files while debugging an unrelated project. I noticed that setting the SectionAlignment value in the NT header to a value lower than the page size (4096) resulted in significant differences in the way that the im...
Abusing PE
Amazing write-up from x86matthew: Abusing undocumented features to spoof PE section headers.
- Rust Binary Analysis, Feature by Feature (research.checkpoint.com: Check Point Research)
Problem Statement You attempt to analyze a binary file compiled in the Rust programming language. You open the file in your favorite disassembler. Twenty minutes later you wish you had never been born. You’ve trained yourself to think like g++ and msvc: Here’s a loop, there’s a vtable, that’s a glob...
When you disassemble a file compiled with Rust, you will say: I am glad I did not disassemble a file compiled with Haskell.
- https://hex-rays.com/products/ida/news/8_3/
IDA Teams and Lumina
  - lumina: add a UI action to inspect a function's metadata history
  - lumina: allow specifying up to two Lumina servers (public or private, in any order)
  - lumina: metadata history can now be browsed on private Lumina servers
  - Teams: use licenses from vault server on IDA side (no more need for ida.key files on the client)
Processor modules
  - ARM: ARM64 system registers are now displayed using symbolic names
  - ARM: set offsets/xrefs for LDRD/STRD if the base register is known
  - Dalvik: support for const-method-handle and const-method-type bytecode instructions (DEX 039/Android 10)
  - MIPS: improved analysis of functions with large stack frames for MIPS16
  - MIPS: improved the regtracker
  - PPC: added Power ISA 3.0C Ultravisor-related instructions
  - PPC: support LSP (Lightweight Signal Processing) extension instructions, available in some MPC57xx cores
  - PPC: support Power ISA 3.1, including prefixed instructions
  - RISCV: register tracker can now be configured via settings in ida.cfg
File formats
  - DEX: annotate hidden API section (DEX 039)
  - ELF: ppc: parse and use .gnu.attributes and .PPC.EMB.apuinfo sections to detect the used ISA extension
  - ESP: new loader for the Espressif images, supporting images from ESP8266 (Xtensa) to ESP32-C6 (RISC-V)
FLIRT / TILS / IDS
  - TIL: added type library for Android ARM64
  - TIL: support __attribute__((flag_enum)) or __bitmask attribute on enums
Standard plugins
  - DWARF: improve handling of unsigned 'char' types; now they're mapped to 'char' on IDA's side (instead of 'unsigned __int8')
  - DWARF: significantly speed up importing of type information
  - golang: added "detect and parse golang metadata" command
  - golang: annotate funcInfo's funcFlag field
  - golang: handle different functions with the same name in pclntab
  - golang: use full package prefix for functions dirtree
  - goomba: new plugin for optimizing mixed boolean expressions (MBA) in pseudocode
  - idaclang: added presets of predefined arguments for common platforms
  - idaclang: updated libclang to 16.0.0
  - OBJC: set prototypes for some widely used objc methods (e.g. objc_alloc_init)
  - OBJC: support iOS16 optimized objc_retain_xY/objc_release_xY stubs
  - OBJC: support objc_msgSend$... stubs
Kernel/Misc
  - installer: missing dependencies on Linux are now checked and reported at install time
  - kernel: properly support operand types for 3rd to 8th operands
  - licensing: the EULA has been updated and unified across all IDA editions and license types
  - network: added ability to use an HTTP CONNECT-style proxy
  - network: added support for HTTP CONNECT proxy basic authentication
Scripting & SDK
  - IDAPython: added an example showing how to paint over an existing graph's edges
  - IDAPython: added support for Python 3.12
  - IDAPython: enable access to the global debug variable
  - IDAPython: improve doc for str2ea (use text from the SDK header)
  - SDK/Python: added get_config_value for retrieving arbitrary JSON values in config files
  - SDK/Python: notepad APIs (get_ida_notepad_text/set_ida_notepad_text) now synchronize the database/UI state
  - SDK/UI: added ability to dynamically change values in combobox in forms
  - SDK: added functions validate_idb(), move_privrange()
  - SDK: added methods edit_named_type_details()/edit_numbered_type_details() to edit local type enum/udt details
  - SDK: added parse_decl_ex()
UI
  - UI: "Color instruction" action now also colorizes undefined items in the selection (previously they were skipped)
  - UI: added support for Unicode 15.0; now more string literals are detected and displayed correctly
  - UI: allow editing struct/enum comments in the type editor
  - UI: during autoanalysis, mark choosers with a filter and/or sorting as outdated instead of updating immediately
  - UI: improved performance for refreshing choosers when there is no sorting or filtering
  - UI: provide the ability to specify icons for actions through CSS themes
  - UI: show comments for strlits or mangled names on each member of a string array in the disassembly listing
  - UI: the graph options are now saved in the desktop
  - UI: teams: allow picking a chunk to use from the context menu in addition to the toolbar button/hotkey
  - UI: teams: save desktop layout in the database using the user's name so that each user's desktop is not overridden by others
Decompilers
  - decompiler: added a new API function change_hexrays_config() to update the hexrays configuration, e.g. to set the analysis options or disable warnings after IDA start
  - decompiler: added the option to disable some optimizations
  - decompiler: arm: detect usage of X8 for returning structures on ARM64 and add a hidden 'retptr' argument when the callee prototype is guessed by IDA
  - decompiler: enable IDAPython API for the cloud decompiler (IDA Home, IDA Educational)
  - decompiler: exported set_lvar_name(), which can be used to rename local variables
  - decompiler: improve callee type guessing (detect arguments passed by reference)
  - decompiler: improve fastcall/thiscall callee detection
  - decompiler: improved guessing of call types (detect more fastcall/thiscall calls without stack arguments)
  - decompiler: improved propagation of zero values
Bugfixes
  - BUGFIX: decompiler: assignment to a stack variable used by reference in a syscall could be erroneously removed
  - BUGFIX: decompiler: corrupted info in the database could lead to crashes during decompilation
  - BUGFIX: decompiler: decompiler could cause IDA to crash if an error happened during plugin initialization
  - BUGFIX: decompiler: fixed a crash that could occur when deleting a function in the presence of outlined functions
  - BUGFIX: decompiler: fixed numerous interrs
  - BUGFIX: decompiler: indirect jumps in outlined code were handled incorrectly
  - BUGFIX: decompiler: jumps to outlined functions were handled incorrectly
  - BUGFIX: decompiler: the "select union member" action (Alt-Y) could fail in some cases
  - BUGFIX: ELF: Android ARM64 JNI files would incorrectly use the 32-bit type library
  - BUGFIX: formatting golang metadata could fail for some 64-bit binaries if they used addresses above the 32-bit address space
  - BUGFIX: IDA on Linux would not start if libsecret-1 or libglib-2.0 were not present
  - BUGFIX: idapyswitch would accept buggy Anaconda 2022 distributions which would later cause IDA to crash
  - BUGFIX: IDAPython: ida_dbg.get_dbg_byte() was not usable
  - BUGFIX: IDAPython: non-modal Python forms (using class Form) could cause crashes on the ARM macOS build of IDA
  - BUGFIX: IDAPython: the bookmarks_t object was not usable from IDAPython
  - BUGFIX: kernel: fixed printing of opcode bytes for processors which use two-byte grouping (PR_WORD_INS flag)
  - BUGFIX: kernel: idat64 would try to load the picture_search plugin, although it only works in the GUI version
  - BUGFIX: Lumina: fixed interr 1512 which could occur on wrong directives in lumina.conf
  - BUGFIX: MACHO: IDA 8.2 would fail to recover tagged pointers in arm64e dyld caches
  - BUGFIX: MACHO: iOS16+ branch mappings/stubs regions were not loaded in "complete" and "dependencies" modes, leading to missing symbols
  - BUGFIX: MACHO: when loading a complete dyld cache for iOS16, authenticated pointers would retain tagged values
  - BUGFIX: MIPS: TX19A-only MIPS16 BAL does not have a delay slot
  - BUGFIX: PDB: IDA would fail to load PDBs with page size 8192 (e.g. from recent Chrome builds)
  - BUGFIX: PE: Load Config Directory comments for ProcessHeapFlags and ProcessAffinityMask fields were swapped in 32-bit files
  - BUGFIX: PE: some files using EH4 metadata (__CxxFrameHandler4) could produce bogus "DATABASE IS CORRUPTED" warnings on load
  - BUGFIX: Teams: IDA would crash silently on start if the license was expired but within the grace period
  - BUGFIX: Teams: IDA would sometimes fail to save the login credentials
  - BUGFIX: Teams: Vault server no longer refuses to work when there are not enough licenses
  - BUGFIX: ui/qt: get_viewer_graph wouldn't return the mutable_graph_t instance for proximity views
  - BUGFIX: UI: binary search with selection would fail if the cursor was at the end of the selection
  - BUGFIX: UI: fixed an accelerator clash in the Cross-references tab of the Options dialog box
  - BUGFIX: UI: graph printing did not work on Windows and macOS
  - BUGFIX: UI: license agreement dialog was mis-interpreting UTF-8 text as Latin-1
  - BUGFIX: UI: renaming a structure (or an enum) from the listing could result in the left-hand list being outdated
  - BUGFIX: UI: some of the search actions were not respecting user selection