polymorf / findcrypt-yara

IDA pro plugin to find crypto constants (and more)
BSD 3-Clause "New" or "Revised" License

TypeError: 'yara.StringMatch' object is not subscriptable #44

Open 4hem opened 1 year ago

4hem commented 1 year ago

```
Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 224, in run
    self.search()
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 180, in search
    values = self.yarasearch(memory, offsets, rules)
  File "D:/tools/IDA_Pro_7.7/plugins/findcrypt3.py", line 197, in yarasearch
    self.toVirtualAddress(string[0], offsets),
TypeError: 'yara.StringMatch' object is not subscriptable
```

serv0id commented 1 year ago

https://github.com/polymorf/findcrypt-yara/pull/45

muha2xmad commented 1 year ago

The same problem here with yara-python 4.3.1

muha2xmad commented 1 year ago

I solved this problem by installing yara-python 4.2

1198287349 commented 8 months ago

The yarasearch function needs to be modified as follows:

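```python
# Method of the plugin class in findcrypt3.py; relies on that module's
# idaapi and idc imports.
def yarasearch(self, memory, offsets, rules):
    print(">>> start yara search")
    values = list()
    matches = rules.match(data=memory)
    for match in matches:
        # match.strings holds StringMatch objects, one per rule string
        for stringR in match.strings:
            # each StringMatch lists its individual hits in .instances
            for string in stringR.instances:
                # reset per hit so an _API suffix does not carry over
                name = match.rule
                if name.endswith("_API"):
                    try:
                        name = name + "_" + idc.GetString(self.toVirtualAddress(string.offset, offsets))
                    except Exception:
                        pass
                value = [
                    self.toVirtualAddress(string.offset, offsets),
                    match.namespace,
                    name + "_" + hex(self.toVirtualAddress(string.offset, offsets)).lstrip("0x").rstrip("L").upper(),
                    stringR.identifier,
                    repr(string.matched_data)
                ]
                # The posted snippet is cut off inside this call; the rest of
                # the function follows the plugin's original yarasearch
                # (assumption, not text from the comment).
                idaapi.set_name(value[0], name
                                + "_"
                                + hex(self.toVirtualAddress(string.offset, offsets)).lstrip("0x").rstrip("L").upper(),
                                0)
                values.append(value)
    print("<<< end yara search")
    return values
```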
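Added example, not part of the thread or the plugin's code: a version-tolerant way to read `match.strings`, accepting both the `(offset, identifier, data)` tuples that the traceback's `string[0]` expects and the `StringMatch` objects with `.instances` used in the fix above. The helper names, rule name and sample objects are constructed stand-ins so the block runs without yara-python or IDA.

```python
from types import SimpleNamespace


def iter_string_hits(match):
    """Yield (offset, identifier, data) for every string hit in one match.

    Tuple entries are the older result shape; objects with .identifier and
    .instances (each carrying .offset and .matched_data) are the newer one.
    """
    for s in match.strings:
        if isinstance(s, tuple):            # older shape: one tuple per hit
            offset, identifier, data = s
            yield offset, identifier, data
        else:                               # newer shape: one object per string
            for inst in s.instances:
                yield inst.offset, s.identifier, inst.matched_data


def collect_hits(matches):
    """Flatten matches into (rule, namespace, offset, identifier, data) rows."""
    return [
        (m.rule, m.namespace, off, ident, data)
        for m in matches
        for off, ident, data in iter_string_hits(m)
    ]


# Constructed stand-ins for the two result shapes (not real yara objects).
OLD_STYLE = [SimpleNamespace(
    rule="Sample_Constants", namespace="default",
    strings=[(0x10, "$c0", b"\x01\x02"), (0x40, "$c0", b"\x01\x02")],
)]
NEW_STYLE = [SimpleNamespace(
    rule="Sample_Constants", namespace="default",
    strings=[SimpleNamespace(
        identifier="$c0",
        instances=[SimpleNamespace(offset=0x10, matched_data=b"\x01\x02"),
                   SimpleNamespace(offset=0x40, matched_data=b"\x01\x02")],
    )],
)]

if __name__ == "__main__":
    for row in collect_hits(NEW_STYLE):
        print(row)
```

With a helper like this, the plugin's loop body can stay the same across yara-python versions instead of pinning to 4.2.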