From 51d852d1b33e73ea13b7bc133986be9c653fa431 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin <willi.ballenthin@gmail.com>
Date: Mon, 9 Dec 2024 10:02:14 +0000
Subject: [PATCH] inspect-binexport: better handle MSRs exported by Ghidra

closes #2530
---
 scripts/inspect-binexport2.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/scripts/inspect-binexport2.py b/scripts/inspect-binexport2.py
index 11e1677e..1e49c98a 100644
--- a/scripts/inspect-binexport2.py
+++ b/scripts/inspect-binexport2.py
@@ -119,8 +119,22 @@ def _render_expression_tree(
 
     elif expression.type == BinExport2.Expression.IMMEDIATE_INT:
         o.write(f"0x{expression.immediate:X}")
-        assert len(children_tree_indexes) == 0
-        return
+        assert len(children_tree_indexes) <= 1
+
+        if len(children_tree_indexes) == 0:
+            return
+        elif len(children_tree_indexes) == 1:
+            # the ghidra exporter can produce some weird expressions,
+            # particularly for MSRs, like for:
+            #
+            #     sreg(3, 0, c.0, c.4, 4)
+            #
+            # see: https://github.com/mandiant/capa/issues/2530
+            child_index = children_tree_indexes[0]
+            _render_expression_tree(be2, operand, expression_tree, child_index, o)
+            return
+        else:
+            raise NotImplementedError(len(children_tree_indexes))
 
     elif expression.type == BinExport2.Expression.SIZE_PREFIX:
         # like: b4