What's New in IDA Pro 7.0

What's new in IDA Pro 7.0 (as a tester, I was lucky enough to receive an extra 3 months of technical support):

Processor Modules

ARM: added one more pattern of thumb->arm transition
ARM: arm64: use simplified aliases for UBFM/SBFM instructions when applicable
ARM: handle vfp instructions: VMOV immediate, VCVTB, VCVTT, VCVT with a fixed point operand
ARM: reduced complexity of the SP-analysis from quadratic to linear;
ARM: added a fix for Thumb switches with full addresses
ARM: added support of the new clang’s switch pattern for arm64
ARM: extended LDRB switch pattern
ARM64: take into account instruction STP can load callee arguments into stack - add corresponding comments to such instructions
MIPS: recover more cross-references from stripped statically-linked PIC ELF files
MSP430: added simplification “movx @SP+, dst” -> “popx dst”
PC: added decoding of Control-flow Enforcement extension
PC: added decoding of newer AVX-512 extensions (4FMAPS, 4VNNIW, and VPOPCNTDQ)
PC: added new switch pattern
PC: decode PTWRITE instruction
PC: decode VMFUNC instruction
PC: detect more switch patterns from clang
PC: improved epilog detection
PC: improved prolog detection
PC: improved stack frame analysis in x64 files
PC: support another variation of x64 table-based switch with switch variable stored on the stack
PPC: added missed extended mnemonics ‘rotld’
PPC: added new config flag PPC_ABI_EMBEDDED/ISA_EABI;
PPC: added support of PowerPC64 ELF V2 ABI
PPC: improved switch patterns;
PPC: r13-based operands are printed using simplified @sda suffix
SuperH: improved detection of functions when addresses are calculated with movi20s + add/sub
SuperH: added register definitions for SH7256
TMS320C3: improved stack tracing
tricore: added TRICORE_DEVICE and TRICODE_IORESP config parameters so that they can be set from scripts

File Formats

DWARF: Store file/line number information in IDB (only if requested, since it comes with a performance penalty)
ELF: added processing of many previously unsupported PPC64 relocations
ELF: annotate headers (ELF, PHT, SHT) and convert more known data to structs (symtab, strtab, relocations, dynamic information)
ELF: annotate preinit/init/fini function arrays
ELF: convert all strtab entries to ascii strings (even the ones that are not referenced)
ELF: describe DT_HASH and DT_GNU_HASH
ELF: describe symbols using symtab from DYNAMIC section
ELF: detect overlapping sections in SHT and prevent them from processing data (but still load them in the database)
ELF: don’t obliterate data when patching PLT
ELF: don’t skip processing relocations if symbol index is 0 (happens with IRELATIVE relocs)
ELF: IDA now uses the PHT by default instead of the SHT to load segments from ELF files
ELF: improved support for TLS variables in relocatable files
ELF: load symbols using symtab from DYNAMIC section when .dynamic section yields no symbols
ELF: PLT relocations for pc are now processed at relocation-application-time, instead of relying on the presence of a .plt section
ELF: ppc: added new ida.cfg variable PPC_FIX_GNU_VLEADRELOC_BUG to work around binutils bug 20744
ELF: process .ctors/.dtors sections for all architectures
ELF: recognize PLT stub functions from R_386_GLOB_DAT relocations
MACHO: support dyld_shared_cache files from OSX 10.13 and iOS 11
MACHO: support dyld cache slide info v2. This should improve analysis for dyld_shared_cache files from iOS 10 and OSX 10.12
MACHO: improved analysis of single modules within dyld_shared_cache files that have slide info
MACHO: added an option to load a single module plus its dependencies for dyld cache
MACHO: fixed incorrect resolution of Mach-O import table entries in files using both LC_DYLD_INFO_ONLY and LC_SYMTAB
MACHO: improved speed of objc metadata parsing
MACHO: support for apple-protected binaries from OSX versions < 10.6
MACHO: support x64 macOS kernelcaches with kexts relocated at runtime
MACHO: added processing of the ARM64_RELOC_ADDEND relocation;
MACHO: allow the user to override the ASLR slide for dyld_shared_cache files
OBJC: added Objective-C Analysis Plugin; the plugin tries to create an xref between calls to objc_msgSend and the function that will ultimately be called by msgSend
OBJC: perform Objective-C specific analysis on the decompiler output
OBJC: implemented a “step into” action for Objective-C (Debugger>Run until message received)
OBJC: allow user to jump to a method definition given a selector string (Jump>Jump by selector)
OBJC/MACHO: IDA can now extract Objective-C type info via ‘Load debug info’ in the Modules view during debugging
OBJC: now objc metadata can be parsed on demand, not just at load time
OBJC: implement demangling of objective-C methods in Swift classes
TDS: added support for executable with debug info appended to the end of the file
PDB: added an explicit check for odd paths (e.g. UNC) of pdb files; if such a path is detected, we display one more warning to the user

Debugger

debugger: iOS: support debugging on iOS 11
debugger: iOS: support source-level debugging in Remote iOS Debugger
debugger: iOS: support Appcalls in Remote iOS Debugger
debugger: iOS: added support for ARM(64) FPU/NEON registers
debugger: iOS: identify regions of process memory in greater detail
debugger: iOS: always allow the user to specify a pid when attaching to a process
debugger: OSX: support debugging on OSX 10.13
debugger: OSX: improved support for debugging system libs from /usr/lib and /System/Library/Frameworks (any libs included in the dyld_shared_cache)
debugger: OSX: identify regions of process memory in greater detail
debugger: remote mac debuggers are signed and don’t have to be run as root
debugger: BOCHS: added support for Bochs 2.6.9
debugger: LINUX: added environment variable IDA_SKIP_SYMS to ignore the exported names from the main module
debugger: LINUX: try to load separate debug info file for libpthread.so, if environment variable DEBUG_FILE_DIRECTORY is set
debugger: GDB: added software breakpoint for powerpc
debugger: GDB: added support for banked ARM register layouts
debugger: GDB: added support for no-acknowledgment mode (QStartNoAckMode) for reliable connections (set by default; unset by changing the stub options)
debugger: GDB: added support for uploading files to the server
debugger: GDB: enable “run a program before starting debugging” option and “Choose a configuration” for all processors including x86/x64
debugger: GDB: fetch processes list from gdbserver if supported
debugger: GDB: fetch target description from gdb stub as early as possible (mimic GDB behavior)
debugger: GDB: show the full path to be run if the user enabled “Run external program before debugging” before actually executing it
debugger: PIN: added support for appcall
debugger: debug servers can now be launched with ‘-kk’ to specify that in case the connection between IDA & them is broken, the process should be terminated immediately
ios_deploy: added “codesign” and “appify” phases
ios_deploy: added “usbproxy” phase
ios_deploy: added “launch” phase
ios_deploy: added “kill” and “proclist” phases
ios_deploy: added “install_ex” phase

Kernel/Misc

kernel: switched to PCRE2 for the regular expression engine. Now Perl extensions (\s, \d, \w and so on) can be used in regular expressions
kernel: improved handling of ‘noret’ function attribute (fix endless looping in some cases);
kernel: documented ABANDON_DATABASE in ida.cfg
kernel: added separate “mingw” abi name; it can be specified for the visual studio compiler
kernel: renamed environment variable NONAMES to be IDA_NONAMES
FLIRT: Added detection of 32-bit mingw/mingw-w64 startup functions
FLIRT: Added detection of 64-bit mingw-w64 startup functions
FLIRT: Added detection of Android Bionic libc startup for ARM
FLIRT: Added MFC signatures for vc1410 (Visual Studio 2017)
FLIRT: Added MFC signatures for vc143 (Visual Studio 2015 Update 3)
FLIRT: Added signatures for Android NDK/ARM (up to version 13b)
FLIRT: BC: added signatures for xe102 (RAD Studio 10.2 Tokyo)
FLIRT: DM: added signatures for Digital Mars 2.073.0
FLIRT: ICL: Added signatures for icl164 (Intel C++ 16.4)
FLIRT: ICL: Added signatures for icl170 (Intel C++ 17.0)
FLIRT: ICL: Added signatures for icl171 (Intel C++ 17.1)
FLIRT: ICL: Added signatures for icl174 (Intel C++ 17.4)
FLIRT: VC: Added signatures for vc1410 (Visual Studio 2017)
FLIRT: VC/VC64: added signatures for ucrt 15063 (Windows 10 Creators Update SDK)
FLIRT: pcf/pelf/plb/…: added option to modify pattern using regex (-E)
FLIRT: pcf/pelf/plb/…: added option to skip bytes before first label at pattern beginning
FLIRT: remove __ehhandler and __unwindfunclet pseudo-functions from signatures
FLIRT: the parser tools now remove by default any bytes before the first label (unset with -L)
FLIRT: mingw, mingw-w64: added detection of 32- and 64-bit mingw-w64 startup functions from the sourceforge builds (7.1.0rev2 and 7.2.0rev0)
FLIRT: sigmake: document -v (verbose) switch
FLIRT: upgraded ulink signatures
IDS: Added IDS files for MFC120 and MFC140
PCF: added option to specify startup segment name
PCF: the -s option (skip unknown relocations) has been renamed to -k
SIG: added signatures for VS ucrt 14393 (Windows 10 Anniversary Update SDK)
TIL: Updated UEFI TILs to version 2.5
TIL: Updated NTAPI type library
TIL: Added type library for Android NDK
RTTI: new plugin for parsing RTTI (run-time type information) produced by MSVC, GCC and LLVM in PE, COFF and ELF files
RTTI: added detection for MSVC’s ThrowInfo and related sub structures
RTTI: added type information to comment for catchable types
EH_PARSE: new plugin to parse EH (exception handling) information present in ELF, COFF, Mach-O, and PE files. NOTE: enable display in Options-General-Try block lines

User Interface

UI/qt: ability to delete breakpoints by group
UI/qt: ability to toggle between mangled & demangled versions of “Imports” & “Exports”
UI/qt: added fuzzy-searching in choosers
UI/qt: implemented ability to write custom actions for individual registers in the “General registers” (and similar) view (E.g., during a debugging session)
UI/qt: on Windows, text in message boxes (and warnings, errors, …) can now be selected with the mouse, and copied to clipboard (it was already the case on OSX & Linux)
UI/qt: when copying tabular data (e.g. from choosers) to the clipboard, IDA now generates tab-separated values instead of aligning the text with spaces
UI/qt: when running on Linux/X11, selecting parts of the disassembly with the mouse (or Shift+navigation), will update the X11 ‘selection’ clipboard (limited to what’s visible on the screen.)
UI/qt: the Python/IDC command line auto-completion now responds to “Shift+Tab” appropriately, and goes back in history
UI/debugging: improve the formatting of the Call Stack window
UI/txt: decompiler can now be used interactively in the text version of IDA
UI: create/add/delete segment messages could be mixed up in the log
UI: do not ask permission to overwrite empty files, no info will be lost anyway
UI: pressing F9 with no debugger selected now starts the process automatically after user selects a debugger
UI: added a new action “copy field info to pointers”; it copies name and type info from a struct definition to the pointed locations for the current struct variable;
UI: all navigation actions are now proper actions, allowing their shortcuts to be overridden (and to be triggered programmatically.)
UI: many cursor movement actions can now be assigned other user-defined shortcuts
UI: mention that selector values are in paragraphs
UI: proximity view: added option to not show the collapsed nodes
UI: script snippets are now automatically saved to the database (and thus persisted to disk when the user presses Ctrl+W)
UI: script snippets: Pressing or
