StackStrings, error when using with binary/shellcode files

[joseph-hannon]

Error
I get the error below when trying to use StackStrings on a shellcode blob, however it does work (excellently!) when I use it on normal PE files.

Error:

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "C:/Program Files/IDA 7.1/plugins/stackstrings_plugin.py", line 60, in run
    flare.stackstrings.main()
  File "C:/Program Files/IDA 7.1/plugins\flare\stackstrings.py", line 250, in main
    vw = jayutils.loadWorkspace(filePath)
  File "C:/Program Files/IDA 7.1/plugins\flare\jayutils.py", line 247, in loadWorkspace
    vw.loadFromFile(filename)
  File "C:\python27-x64\lib\site-packages\vivisect\__init__.py", line 2140, in loadFromFile
    fname = mod.parseFile(self, filename)
  File "C:\python27-x64\lib\site-packages\vivisect\parsers\blob.py", line 44, in parseFile
    raise Exception('Blob loader *requires* arch option (-O viv.parsers.blob.arch="<archname>")')
Exception: Blob loader *requires* arch option (-O viv.parsers.blob.arch="<archname>")

Cause
I believe the error is because in blob.py parseFile() tries to work out the architecture based on magic bytes which obviously aren't there, since the architecture is needed for emulation it throws an exception.

Solution
In jaysutils.py when loading a Vivisect workspace if the IDA loader is a Binary one then either ask the user the architecture or base it on info from the IDA API, code in https://reverseengineering.stackexchange.com/a/11398 gives you that. Then explicitly tell Vivisect the architecture.

[williballenthin]

may be able to steal logic from here: https://github.com/williballenthin/viv-utils/blob/master/viv_utils/idaloader.py#L221-L232