Cisco-Talos / FIRST-plugin-ida

GNU General Public License v2.0

Can't get "apis", it is an empty list. #15

Closed pwd9527 closed 6 years ago

pwd9527 commented 6 years ago

hi,

Sending: {'crc32': 3728824636L, 'functions': '{"4199328": {"comment": "", "opcodes": "U1ZXVYPE+IvYi/uLMotDCDvwcmyLzgNKBIvoA2sMO813XjvwdRuLQgQBQwiLQgQpQwyDewwAdUSLw+g1////6zuLCotyBAPOi/gDeww7z3UFKXMM6yaLCgNKBIkMJCv5iXwkBIsSK9CJUwyL1IvD6ND+//+EwHUEM8DrDLAB6wiLGzv7dYUzwFlaXV9eW8M=", "name": "sub_4013A0", "apis": [], "architecture": "intel32", "prototype": "", "id": null}}',

"apis": [] ??

"id": null ??

thanks

pwd9527 commented 6 years ago

The sub_4013A0 function does have many "API" calls.

demonduck commented 6 years ago

Unfortunately without an example sample hash or an IDB, all I can do is speculate why this is occurring. If you can supply either one of those then I can track down what is happening.

The "id" field is used to keep track of if/when metadata from FIRST is applied to your local function. That way updates can be pulled when you select to update your IDB's metadata.

pwd9527 commented 6 years ago

If you open IDA first and then drag the sample into IDA, this situation is problematic.

The `FIRST.Initialize()` function runs too early: the IAT is empty, so `"apis": []`.
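The record in this issue is a complete FIRST upload payload, so the symptom described here (an empty `"apis"` list collected before IDA had populated the import table) can be checked offline. The script below is an added example written for this page, not code from the FIRST plugin or its author: it decodes the record's base64 opcodes and scans the raw bytes for `E8 rel32` direct calls and `FF 15 disp32` indirect calls (the form IDA resolves to an import once the IAT is populated), then flags a function whose `apis` list is empty while it still contains IAT-style calls. The 16 MiB bound on a plausible `rel32` target and the name `check_payload` are assumptions of this example; the payload itself is copied from the comment above with Python 2's `L` suffix dropped.

```python
"""Consistency check for a FIRST upload record (added example, not plugin code).

Decodes a function record's opcodes and looks for call sites in the raw bytes so
that an empty "apis" list can be judged: plausible when the function only makes
relative intra-module calls, suspicious when it contains IAT-style indirect calls.
The byte-pattern scan is a heuristic, not a disassembler.
"""
import base64
import json
import struct

# Payload copied from the issue above (Python 2 long suffix on crc32 removed).
FUNCTIONS_JSON = (
    '{"4199328": {"comment": "", "opcodes": "U1ZXVYPE+IvYi/uLMotDCDvwcmyLzgNKBIvo'
    'A2sMO813XjvwdRuLQgQBQwiLQgQpQwyDewwAdUSLw+g1////6zuLCotyBAPOi/gDeww7z3UFKXMM6'
    'yaLCgNKBIkMJCv5iXwkBIsSK9CJUwyL1IvD6ND+//+EwHUEM8DrDLAB6wiLGzv7dYUzwFlaXV9eW8'
    'M=", "name": "sub_4013A0", "apis": [], "architecture": "intel32", '
    '"prototype": "", "id": null}}'
)
PAYLOAD = {"crc32": 3728824636, "functions": FUNCTIONS_JSON}

# Assumed bound: a genuine intra-module call rel32 stays within 16 MiB of the
# call site. Larger values are almost always an E8 byte inside another
# instruction's ModRM or immediate (this function has one: 'mov ebp, eax' = 8B E8).
MAX_REL32 = 0x1000000


def decode_opcodes(record):
    """Base64-decode the record's opcode string into raw bytes."""
    return base64.b64decode(record["opcodes"])


def find_calls(code, func_ea, max_rel=MAX_REL32):
    """Return (direct_targets, iat_slots) found by a linear byte scan.

    direct_targets: absolute targets of E8 rel32 calls that pass the max_rel filter.
    iat_slots:      disp32 operands of FF 15 (call [disp32]) and FF 25 (jmp [disp32],
                    used by import thunks), i.e. the import-table slots referenced.
    """
    direct, indirect = [], []
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            if abs(rel) <= max_rel:
                direct.append(func_ea + i + 5 + rel)
                i += 5
                continue
        elif b == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            indirect.append(struct.unpack_from("<I", code, i + 2)[0])
            i += 6
            continue
        i += 1
    return direct, indirect


def check_record(ea_str, record):
    """Summarise one function record and flag the early-collection symptom."""
    code = decode_opcodes(record)
    direct, indirect = find_calls(code, int(ea_str))
    return {
        "name": record["name"],
        "size": len(code),
        "direct_calls": direct,
        "iat_slots": indirect,
        "apis_reported": list(record["apis"]),
        # An empty api list next to IAT-style calls means the import names were
        # not available when the plugin collected metadata.
        "suspect_empty_apis": (not record["apis"]) and bool(indirect),
        # "id" is set once FIRST metadata has been applied to the local function.
        "applied_to_idb": record["id"] is not None,
    }


def check_payload(payload):
    """Run check_record over every function in the payload's JSON string."""
    functions = json.loads(payload["functions"])
    return {ea: check_record(ea, rec) for ea, rec in functions.items()}


if __name__ == "__main__":
    for ea, result in check_payload(PAYLOAD).items():
        print(ea, result)
```

For this particular record the scan finds two relative `E8` calls and no `FF 15` import slots, so the check does not flag it on its own: the function reaches any API through the routines it calls rather than directly through the IAT, which is why an empty `apis` list here needs the thread's explanation (initialisation before the IAT existed) rather than the bytes alone to be judged.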

demonduck commented 6 years ago

This should be fixed in the latest commit to the dev branch (https://github.com/vrtadmin/FIRST-plugin-ida/commit/5e4c7f00333a44e65086297df3f98986f5d7fa17). Once FIRST-server 0.1 is released this version will be pushed to the master branch. The plugin in the dev branch should work with both versions.

Thanks for creating this issue, please reopen if the problem is not fixed.