Merge pull request #2535 from mandiant/fix/ida-find_byte_sequence

handle IDA 8.3/8.4 vs. 9.0 API change
mandiant · Dec 9, 2024 · 347601a · 347601a
2 parents f11661f + 8a02b07
commit 347601a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,8 @@
 
 ### Bug Fixes
 
+- handle IDA 8.3/8.4 vs. 9.0 API change @mr-tz
+
 ### capa Explorer Web
 
 ### capa Explorer IDA Pro plugin

diff --git a/capa/features/extractors/ida/helpers.py b/capa/features/extractors/ida/helpers.py
@@ -41,7 +41,15 @@ def find_byte_sequence(start: int, end: int, seq: bytes) -> Iterator[int]:
             return
 
         while True:
-            ea, _ = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
+            ea = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
+            if isinstance(ea, int):
+                # "ea_t" in IDA 8.4, 8.3
+                pass
+            elif isinstance(ea, tuple):
+                # "drc_t" in IDA 9
+                ea = ea[0]
+            else:
+                raise NotImplementedError(f"bin_search returned unhandled type: {type(ea)}")
             if ea == idaapi.BADADDR:
                 break
             start = ea + 1