
	S I G M A K E
	-------------

Sigmake takes pattern files as the input and creates a signature file.
It can take several pattern files at once.
Usage:

	sigmake [-sw] pattern-file(s) sig-file

where
	switches (-sw) may be kept in indirect file '@file'
	(one switch per line)

input pattern files are file1+file2+file3...
wildcard input file names are allowed too.
the default extension of the input files is .PAT
the default extension of the output file is .SIG
The name of the output file should be no more than 8 symbols for compatibility.

collision resolving
-------------------
Sigmake looks for and takes as the input file <outfile>.exc (<outfile> is name of
output signature file). This file contains a list of excluded function names
and other directives for sigmake. EXC file is a text file. Sigmake will
automatically create an EXC file if it doesn't exist. It an EXC file exists, sigmake
will append information to it.

If sigmake creates an EXC file, then you must edit it and re-run sigmake.

NOTE: although sigmake uses all information from pat files, it doesn't
write everything into sig file. Some information during this process
is lost and therefore the process is not reversible.

Decription of switches
----------------------

	-x...  name of file with excluded function names
	       default is <outfile>.exc

	-c     Check presence of ctype directive. If this switch is specified,
	       the input pattern files  must be prepared with -c switch of
	       parselib.

	-d...  debugging output file (default: <outfile>.err)
	       This file contains dump of output signature file.

	-n...  signature file title for IDA.
	       If not specified, "Unnamed sample library" is taken by default.
	       This title will appear in the window of signatures in IDA.


	-D...  name is data name, not code name
	       Not recommended to use, because the same effect may be achieved
	       by the directive in EXC file.

	-a...  application types the signature may be applied to.
	       Combination of bits. When in doubt, set a bit.
	       (list of bits can be displayed by -ha switch)
			0001 console
			0002 graphics
			0004 program (EXE)
			0008 library (DLL)
			0010 driver  (VxD)
			0020 Single-threaded
			0040 Multi-threaded
			0080 16bit
			0100 32bit
               GUI version of IDA does not use this information
	       TXT version: The signature file will appear in the abridged list of
	       signatures if bit is set.

	-o...  os types the signature may be applied to.
	       Combination of bits. When in doubt, set a bit.
	       (list of bits can be displayed by -ho switch)
	       		0001 MS DOS
			0002 MS Windows
			0004 OS/2
			0008 Netware
               GUI version of IDA does not use this information
	       TXT version: The signature file will appear in the abridged list of
	       signatures if bit is set.

	-f...  file format types the signature may be applied to.
	       Combination of bits. When in doubt, set a bit.
	       (list of bits can be displayed by -hf switch)
	       		00000001 MS DOS EXE File
			00000002 MS DOS COM File
			00000004 Binary File
			00000008 MS DOS Driver
			00000010 New Executable (NE)
			00000020 Intel Hex Object File
			00000040 MOS Technology Hex Object File
			00000080 Linear Executable (LX)
			00000100 Linear Executable (LE)
			00000200 Netware Loadable Module (NLM)
			00000400 Common Object File Format (COFF)
			00000800 Portable Executable (PE)
			00001000 Used-defined format
			00002000 Object Module Format (OMF)
			00004000 S-record format
			00008000 ZIP archive
               GUI version of IDA does not use this information
	       TXT version: The signature file will appear in the abridged list of
	       signatures if bit is set.

	-p...  processor id
	       (list of ids can be displayed by -hp switch or taken
                from idp.hpp in IDA SDK)
               GUI version of IDA does not use processor ids
	       TXT version: the signature file will appear in the abridged list of
	       signatures if the id is set correctly.
	       Default is 0 (IBM PC).

	-s     make startup signature.
	       This switch must be specified for startup signatures.
	       Sigmake produces slightly different signature file if this
	       switch is specified. For example, references to functions can't
	       be used in startup signatures because a startup signature is
	       applied at the start of disassembling and no function names
	       are present yet.

	-t...  minimal length of normal function. if function is smaller
	       then a fixup reference is generated. default: 16(decimal)

	-h#    help (#:a-apptype,o-ostype,f-formats,p-processor)


Format of EXC file
------------------

EXC file is a text file.
Lines starting with a semicolon are comment lines.
Sigmake stops reading EXC file when it encounters a line starting with

;------

and will append information from that file position. Since this line
is generated each time sigmake creates an EXC file, don't forget to
remove them. Otherwise sigmake will ignore your modifications in the
EXC file.
Sigmake automatically creates EXC file if it is not present.
It starts EXC file with the following lines:

;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules

EXC file contains names of functions to be excluded from the signature file.
Sigmake writes names in groups. Each group represents one or more collisions.
Each module is represented with one line, for example:

_remove                                           	00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................
_unlink                                           	00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................

At the start of the line there are function names. The rest of the line contains
information about the module (checksums, pattern and other) needed to
distinguish one module from another with the same name).
Your task is to insert '+' or '-' sign at the start of the lines to resolve
collisions.
+ means that you are sure about your selection,
- means that the name will appear as a comment in IDA.

For example, if we decide to exclude _remove from the signature and leave
_unlink, then we insert a '+' sign:

_remove                                           	00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................
+_unlink                                           	00 0000 558BEC1EB441C55604CD211F720433C0EB0450E8....5DC3................


This way we order to exclude the _remove() function and keep the _unlink() function in the
signature.


Two directives may appear in the EXC file:

 DATA=name

note that the first character is a space character - this is common to all
directives in the EXC file. This directive means
that the specified name is a data name, not code name and IDA will not
convert bytes at this name to an instruction.

 LIBNAME=library name

has the same meaning as -n switch: specifies the name of the signature file which appears
in the window of signatures.

