Merge pull request #2535 from mandiant/fix/ida-find_byte_sequence

handle IDA 8.3/8.4 vs. 9.0 API change

Author: mr-tz

CHANGELOG.md

@@ -12,6 +12,8 @@
 
 ### Bug Fixes
 
+- handle IDA 8.3/8.4 vs. 9.0 API change @mr-tz
+
 ### capa Explorer Web
 
 ### capa Explorer IDA Pro plugin

capa/features/extractors/ida/helpers.py

@@ -41,7 +41,15 @@ def find_byte_sequence(start: int, end: int, seq: bytes) -> Iterator[int]:
             return
 
         while True:
-            ea, _ = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
+            ea = ida_bytes.bin_search(start, end, patterns, ida_bytes.BIN_SEARCH_FORWARD)
+            if isinstance(ea, int):
+                # "ea_t" in IDA 8.4, 8.3
+                pass
+            elif isinstance(ea, tuple):
+                # "drc_t" in IDA 9
+                ea = ea[0]
+            else:
+                raise NotImplementedError(f"bin_search returned unhandled type: {type(ea)}")
             if ea == idaapi.BADADDR:
                 break
             start = ea + 1