From bb053561ef215034282fef0de11303811a07a6fb Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:03:57 +0200
Subject: [PATCH 1/5] import-to-ida: decode MD5 to hex

---
 scripts/import-to-ida.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index 058c2553..c0f788c6 100644
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -28,6 +28,7 @@ Unless required by applicable law or agreed to in writing, software distributed
  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 """
+import binascii
 import json
 import logging
 
@@ -77,7 +78,7 @@ def main():
     #
     # see: https://github.com/idapython/bin/issues/11
     a = doc["meta"]["sample"]["md5"].lower()
-    b = ida_nalt.retrieve_input_file_md5().lower()
+    b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
     if not a.startswith(b):
         logger.error("sample mismatch")
         return -2

From 169b3d60a81ff0ac8fc7be1ef2d1c67ea3292678 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:04:15 +0200
Subject: [PATCH 2/5] import-to-ida: update to use v5 JSON format

closes #1584
---
 scripts/import-to-ida.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index c0f788c6..fd762f58 100644
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -94,8 +94,11 @@ def main():
 
         name = rule["meta"]["name"]
         ns = rule["meta"].get("namespace", "")
-        for va in rule["matches"].keys():
-            va = int(va)
+        for address, match in rule["matches"]:
+            if address["type"] != "absolute":
+                continue
+
+            va = address["value"]
             rows.append((ns, name, va))
 
     # order by (namespace, name) so that like things show up together

From 19a5ef8a644327f2fe436a73ccea390adaf95c6e Mon Sep 17 00:00:00 2001
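Review bot: The sample guard in the second hunk, `if not a.startswith(b)`, is a prefix test, so it passes vacuously if `ida_nalt.retrieve_input_file_md5()` ever returns an empty value (`binascii.hexlify(b"")` is `b""`, and every string starts with `""`), and function names from a report for an unrelated binary would then be applied to this database. The comment just above still describes the old string-returning API ("found: b'84882C9D…EBB6\x00'"); with hexlify on raw digest bytes such a value would encode to a 64-character string that never matches, so the new line silently assumes a 16-byte digest and the comment no longer explains the check. Suggest `if not b or not a.startswith(b):` (or a plain `a == b` once a full digest is assumed) and refreshing the comment to state which IDA versions the truncation still applies to. The same comparison is carried unchanged through the corresponding hunks of patches 3/5 and 4/5. main() starts and ends outside this hunk.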
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:21:03 +0200
Subject: [PATCH 3/5] import-to-ida: use existing result document json parser

---
 scripts/import-to-ida.py | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index fd762f58..8b9b3471 100644
--- a/scripts/import-to-ida.py
+++ b/scripts/import-to-ida.py
@@ -29,13 +29,16 @@ Unless required by applicable law or agreed to in writing, software distributed
 See the License for the specific language governing permissions and limitations under the License.
 """
 import binascii
-import json
 import logging
 
 import ida_nalt
 import ida_funcs
 import ida_kernwin
 
+import capa.rules
+import capa.features.freeze
+import capa.render.result_document
+
 logger = logging.getLogger("capa")
 
 
@@ -65,40 +68,37 @@ def main():
     if not path:
         return 0
 
-    with open(path, "rb") as f:
-        doc = json.loads(f.read().decode("utf-8"))
-
-    if "meta" not in doc or "rules" not in doc:
-        logger.error("doesn't appear to be a capa report")
-        return -1
+    result_doc = capa.render.result_document.ResultDocument.parse_file(path)
+    meta, capabilities = result_doc.to_capa()
 
     # in IDA 7.4, the MD5 hash may be truncated, for example:
     # wanted: 84882c9d43e23d63b82004fae74ebb61
     # found: b'84882C9D43E23D63B82004FAE74EBB6\x00'
     #
     # see: https://github.com/idapython/bin/issues/11
-    a = doc["meta"]["sample"]["md5"].lower()
+    a = meta["sample"]["md5"].lower()
     b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
     if not a.startswith(b):
         logger.error("sample mismatch")
         return -2
 
     rows = []
-    for rule in doc["rules"].values():
-        if rule["meta"].get("lib"):
+    for name in capabilities.keys():
+        rule = result_doc.rules[name]
+        if rule.meta.lib:
             continue
-        if rule["meta"].get("capa/subscope"):
+        if rule.meta.is_subscope_rule:
             continue
-        if rule["meta"]["scope"] != "function":
+        if rule.meta.scope != capa.rules.Scope.FUNCTION:
             continue
 
-        name = rule["meta"]["name"]
-        ns = rule["meta"].get("namespace", "")
-        for address, match in rule["matches"]:
-            if address["type"] != "absolute":
+        ns = rule.meta.namespace
+
+        for address, _ in rule.matches:
+            if address.type != capa.features.freeze.AddressType.ABSOLUTE:
                 continue
-            va = address["value"]
+            va = address.value
             rows.append((ns, name, va))
 
     # order by (namespace, name) so that like things show up together

From 694143ce6bf31eca8669c05ef51262d29a97aad3 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:24:37 +0200
Subject: [PATCH 4/5] import-to-ida: use Metadata type not json document

---
 scripts/import-to-ida.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/import-to-ida.py b/scripts/import-to-ida.py
index 8b9b3471..42c56445 100644
--- a/scripts/import-to-ida.py
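Review bot: Replacing the `"meta" not in doc or "rules" not in doc` check with `ResultDocument.parse_file(path)` drops the graceful `return -1` path: a file that is not a capa report, or one in an older schema, now raises out of main() (presumably pydantic's ValidationError, a ValueError subclass) instead of logging "doesn't appear to be a capa report". Since `path` comes from a file picker the user can point at anything, the parse should stay wrapped so the script degrades into the existing error return rather than a traceback in IDA. As a style point, `for name in capabilities.keys():` can simply be `for name in capabilities:`. main() starts and ends outside this hunk.
```python
    if not path:
        return 0

    try:
        result_doc = capa.render.result_document.ResultDocument.parse_file(path)
    except ValueError as e:  # pydantic's ValidationError subclasses ValueError — confirm
        logger.error("doesn't appear to be a capa report: %s", e)
        return -1
    meta, capabilities = result_doc.to_capa()
    # … unchanged: sample hash check and row collection …
```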
+++ b/scripts/import-to-ida.py
@@ -28,8 +28,8 @@ Unless required by applicable law or agreed to in writing, software distributed
  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 """
-import binascii
 import logging
+import binascii
 
 import ida_nalt
 import ida_funcs
@@ -76,7 +76,7 @@ def main():
     # found: b'84882C9D43E23D63B82004FAE74EBB6\x00'
     #
     # see: https://github.com/idapython/bin/issues/11
-    a = meta["sample"]["md5"].lower()
+    a = meta.sample.md5.lower()
     b = binascii.hexlify(ida_nalt.retrieve_input_file_md5()).decode("ascii").lower()
     if not a.startswith(b):
         logger.error("sample mismatch")

From bf5b2612c89acfe6ae5923a610cf1bc9c1a3851b Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 5 Jul 2023 18:27:20 +0200
Subject: [PATCH 5/5] changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9334beea..23294012 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@
 - Add logging and print redirect to tqdm for capa main [#749](https://github.com/mandiant/capa/issues/749) [@Aayush-Goel-04](https://github.com/aayush-goel-04)
 - extractor: fix binja installation path detection does not work with Python 3.11
 - tests: refine the IDA test runner script #1513 @williballenthin
+- import-to-ida: fix bug introduced with JSON report changes in v5 #1584 @williballenthin
 
 ### capa explorer IDA Pro plugin
 