update CHANGELOG

be2: improve number extraction
2025-12-08 13:50:38 -08:00 · 2025-02-19 15:43:07 -07:00 · 2025-02-19 15:38:42 -07:00
2 changed files with 2 additions and 22 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@

 ### Bug Fixes
 - only parse CAPE fields required for analysis @mike-hunhoff #2607
+- improve _number_ feature extraction for BinExport @mike-hunhoff #2609

 ### capa Explorer Web

--- a/capa/features/extractors/binexport2/helpers.py
+++ b/capa/features/extractors/binexport2/helpers.py
@@ -349,30 +349,9 @@ def get_operand_register_expression(be2: BinExport2, operand: BinExport2.Operand


 def get_operand_immediate_expression(be2: BinExport2, operand: BinExport2.Operand) -> Optional[BinExport2.Expression]:
-    if len(operand.expression_index) == 1:
-        # - type: IMMEDIATE_INT
-        #   immediate: 20588728364
-        #   parent_index: 0
-        expression: BinExport2.Expression = be2.expression[operand.expression_index[0]]
+    for expression in get_operand_expressions(be2, operand):
        if expression.type == BinExport2.Expression.IMMEDIATE_INT:
            return expression
-
-    elif len(operand.expression_index) == 2:
-        # from IDA, which provides a size hint for every operand,
-        # we get the following pattern for immediate constants:
-        #
-        # - type: SIZE_PREFIX
-        #   symbol: "b8"
-        # - type: IMMEDIATE_INT
-        #   immediate: 20588728364
-        #   parent_index: 0
-        expression0: BinExport2.Expression = be2.expression[operand.expression_index[0]]
-        expression1: BinExport2.Expression = be2.expression[operand.expression_index[1]]
-
-        if expression0.type == BinExport2.Expression.SIZE_PREFIX:
-            if expression1.type == BinExport2.Expression.IMMEDIATE_INT:
-                return expression1
-
    return None
Author	SHA1	Message	Date
Mike Hunhoff	7a66dfc025	update CHANGELOG	2025-02-19 15:43:07 -07:00
Mike Hunhoff	f5db5fd5cf	be2: improve number extraction	2025-02-19 15:38:42 -07:00