From c36bde0f2d9cf4261f1bf09b2f79bd067051d090 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Wed, 6 Apr 2022 15:38:04 -0600
Subject: [PATCH] ida: insn: ignore numbers when SIB present
---
 capa/features/extractors/ida/helpers.py | 5 +++++
 capa/features/extractors/ida/insn.py | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/capa/features/extractors/ida/helpers.py b/capa/features/extractors/ida/helpers.py
index a43283aa..2e2ab87c 100644
--- a/capa/features/extractors/ida/helpers.py
+++ b/capa/features/extractors/ida/helpers.py
@@ -382,3 +382,8 @@ def get_function_blocks(f):
 def is_basic_block_return(bb):
 """check if basic block is return block"""
 return bb.type == idaapi.fcb_ret
+
+
+def has_sib(oper) -> bool:
+ # via: https://reverseengineering.stackexchange.com/a/14300
+ return oper.specflag1 == 1
diff --git a/capa/features/extractors/ida/insn.py b/capa/features/extractors/ida/insn.py
index 31870ddf..70d0a6dd 100644
--- a/capa/features/extractors/ida/insn.py
+++ b/capa/features/extractors/ida/insn.py
@@ -218,7 +218,12 @@ def extract_insn_offset_features(f, bb, insn):
 yield Offset(op_off), insn.ea
 yield OperandOffset(i, op_off), insn.ea
- if insn.itype == idaapi.NN_lea and i == 1 and op.type == idaapi.o_displ:
+ if (
+ insn.itype == idaapi.NN_lea
+ and i == 1
+ and op.type == idaapi.o_phrase
+ and not capa.features.extractors.ida.helpers.has_sib(op)
+ ):
 # for pattern like:
 #
 # lea eax, [ebx + 1]
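Review bot: `has_sib` tests `oper.specflag1 == 1` with only a link as explanation, and `specflag1` is an operand field whose meaning is assigned by the processor module; the cited answer concerns IDA's x86 module, so on any other architecture this helper returns a silently meaningless answer rather than failing. The new function is also the only one in this hunk without a docstring, unlike its neighbour `is_basic_block_return`. I would replace the bare link comment with a docstring such as `"""return True if the x86/x64 operand encodes a SIB byte (specflag1 is processor-module specific; see https://reverseengineering.stackexchange.com/a/14300)"""`, and since `idaapi` is already in scope in this file, annotate the parameter as `oper: idaapi.op_t` so the expected argument is explicit.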
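Review bot: Besides adding the SIB check, the rewritten condition changes `op.type == idaapi.o_displ` to `op.type == idaapi.o_phrase`, which neither the subject line nor the retained comment explains, and the kept example `# lea eax, [ebx + 1]` is a base-plus-displacement operand; if IDA classifies that form as `o_displ` rather than `o_phrase`, the branch no longer matches its own example. Please confirm which operand type `[ebx + 1]` actually receives, and either restore `o_displ` or update the example comment and the commit message so the operand-type change is deliberate and documented. The `not ...has_sib(op)` clause also deserves a one-line why next to the existing comment, for instance `# skip operands with a SIB byte: the constant is part of index/scale address arithmetic, not a plain number` if that is the reasoning behind the commit. `extract_insn_offset_features` begins and ends outside this hunk, so what the branch yields is not visible here.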