ida: insn: ignore numbers when SIB present

2026-02-04 11:07:53 -08:00 · 2022-04-06 15:38:04 -06:00
parent 1a44dd8a2b
commit c36bde0f2d
2 changed files with 11 additions and 1 deletions
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -382,3 +382,8 @@ def get_function_blocks(f):
 def is_basic_block_return(bb):
    """check if basic block is return block"""
    return bb.type == idaapi.fcb_ret
+
+
+def has_sib(oper) -> bool:
+    # via: https://reverseengineering.stackexchange.com/a/14300
+    return oper.specflag1 == 1
--- a/capa/features/extractors/ida/insn.py
+++ b/capa/features/extractors/ida/insn.py
@@ -218,7 +218,12 @@ def extract_insn_offset_features(f, bb, insn):
        yield Offset(op_off), insn.ea
        yield OperandOffset(i, op_off), insn.ea

-        if insn.itype == idaapi.NN_lea and i == 1 and op.type == idaapi.o_displ:
+        if (
+            insn.itype == idaapi.NN_lea
+            and i == 1
+            and op.type == idaapi.o_phrase
+            and not capa.features.extractors.ida.helpers.has_sib(op)
+        ):
            # for pattern like:
            #
            #     lea eax, [ebx + 1]