Instructions unreadable in IDA 7.6

Question

Instructions unreadable in IDA 7.6

clarkewd opened this issue 2 years ago · comments

Hello and thank you for your work on snowman.

It works great in IDA 7.5 (left) but in IDA 7.6 (right) the instructions appear blank:

When I click somewhere in the Instructions box, the C++ output window jumps so I believe the instructions are there, but are somehow invisible.

I also tried the dark stylesheet but that doesn't solve it:

clarkewd commented 2 years ago

Thank you

yegord · Answer 1 · Tue Feb 15 2022 02:17:49 GMT+0800 (China Standard Time)

What happens if you select instructions, e.g., by pushing Ctrl-a in the instructions view?

clarkewd · Answer 2 · Thu Feb 17 2022 00:48:27 GMT+0800 (China Standard Time)

Clicking different areas in the blank instructions view causes different areas to highlight inside the C++ view.

Pressing Ctrl-a in the instructions view causes most of the code in the C++ view to be highlighted, with the exception of the structs at the very top.

This happens on the plugin version inside of IDA 7.6, but not IDA 7.5. And the desktop/standalone version also works fine:

Checking the dependencies shows:

Looks like the relevant files are:

ida64.dll
Qt5Widgets.dll
Qt5Core.dll
Qt5Gui.dll

I checked the versions of the QT dll files and with both IDA 7.5 and 7.6 they are version 5.6.3.0. The ida64.dll does not show a version number (or I don't know how to find it) but the size of the file has changed between IDA 7.5 and 7.6 - so maybe that is somehow related to this bug?

ps: Please ignore that my snowman64.dll file in the screenshot is in the IDA base directory and not in the plugins directory - this was just temporary to allow Dependencies to find the dll files.

yegord · Answer 3 · Thu Feb 17 2022 03:13:05 GMT+0800 (China Standard Time)

If you open the list of sections or the inspector, do they also appear blank in IDA 7.6?

clarkewd · Answer 4 · Thu Feb 17 2022 03:37:55 GMT+0800 (China Standard Time)

Yes, everything except the C++ and log view:

yegord · Answer 5 · Thu Feb 17 2022 04:04:54 GMT+0800 (China Standard Time)

If you create a text file with the following content:

QTreeView { color: red; background-color: blue }

and load it using Snowman's File/Load style sheet... menu item, does it change something?

clarkewd · Answer 6 · Thu Feb 17 2022 04:30:28 GMT+0800 (China Standard Time)

This is the result:

Let me know how else I can help.

yegord · Answer 7 · Thu Feb 17 2022 04:36:18 GMT+0800 (China Standard Time)

Interesting. And if you push Ctrl-A, Ctrl-C in the instructions view, does it copy some instructions into the clipboard?

clarkewd · Answer 8 · Thu Feb 17 2022 04:57:53 GMT+0800 (China Standard Time)

Indeed it does, here's a sample:

7ff7dc7c7f20: push rbp
7ff7dc7c7f22: push rdi
7ff7dc7c7f23: push r14
7ff7dc7c7f25: lea rbp, [rsp-0xa0]
7ff7dc7c7f2d: sub rsp, 0x1a0
7ff7dc7c7f34: mov qword [rbp-0x28], 0xfffffffe
7ff7dc7c7f3c: mov [rsp+0x1d0], rsi
7ff7dc7c7f44: mov rsi, rcx
7ff7dc7c7f47: mov [rbp-0x20], rcx
7ff7dc7c7f4b: mov dword [rsp+0x30], 0x0
7ff7dc7c7f53: xor r8d, r8d

yegord · Answer 9 · Thu Feb 17 2022 05:45:25 GMT+0800 (China Standard Time)

Does the problem go away if you overwrite 7.6's Qt libraries with 7.5's Qt libraries?

clarkewd · Answer 10 · Thu Feb 17 2022 08:01:36 GMT+0800 (China Standard Time)

I get an error if I replace them. They look to be the same version:

But the md5s are different:

-- IDA Pro 7.6 ---
cb12b0f8da4ee2accabf5ece08a93b7a *Qt5Core.dll
9f977373b13a4759cd20a4fc5227dff0 *Qt5Gui.dll
655e155392cc3849adcfd8a8fd800a00 *Qt5PrintSupport.dll
07f6d8d06d409c009259f6a4594f0c39 *Qt5Widgets.dll

-- IDA Pro 7.5 SP3 ---
770c19c0938faaec8a471291af3b8258 *Qt5Core.dll
e3ddcbf6454378030fb21616c301418f *Qt5Gui.dll
9202512581c2ecdcbc68101bd609cdb1 *Qt5PrintSupport.dll
ce299d5dca46de56813e8e5c269c961f *Qt5Widgets.dll

yegord · Answer 11 · Thu Feb 17 2022 16:18:25 GMT+0800 (China Standard Time)

It looks like Hex Rays are patching the Qt they ship with IDA.
It also looks like IDA 7.6's Qt is broken: QTreeView's rendering is torn off in the patched version.
Most likely, Hex Rays use the commercial Qt license, so, you cannot make them disclose their patches.
I do not have any suggestions at this point.

clarkewd · Answer 12 · Thu Feb 17 2022 23:50:51 GMT+0800 (China Standard Time)

Thank you for troubleshooting. I tried w/ the latest IDA 7.7 and it's also doing the same thing. I checked the versions between 7.6 and 7.7 and they did a jump from QT 5.6.3.0 to 5.15.3.0 although snowman worked on IDA 7.5 with the QT version also showing 5.6.3.0

Do you think it would solve the issue if the snowman plugin was statically linked with the QT libraries as not to depend on IDA's? If so I will try and figure out how to compile it like that...

yegord · Answer 13 · Fri Feb 18 2022 03:07:47 GMT+0800 (China Standard Time)

I vaguely remember some problems caused by having two Qt libraries in the same process.

Something along the lines of a Qt widget created by the plugin using QtInstanceOne being passed to IDA, which calls some methods of the widget using QtInstanceTwo's method implementation, the latter crashing because it looks into QtInstanceTwo's global state that does not know anything about the widget created in QtInstanceOne.

So, I am more pessimistic than optimistic here.