jrdot/IDA2PAT_Reloaded
"IDA2PAT Reloaded" 
An IDA Pro 5.xx plug-in to generate a pattern file.
By Sirmabus  V: 1.0B

You've probably seen one or more of the different variants of this plug-in:
"ida2sig", "ida2pat", etc.
We want to create a pattern (".pat") file to assemble a FLIRT
signature file (".sig"), using the FLAIR utility "sigmake.exe".
This will allow one to apply these sigs to help port updates, etc.

I had preferred TQN's "ida2sig" version since it was the fastest (see below) I could
find. But it had the same problems as the previous version, and I wanted to
make a build I could update with the latest FLAIR lib, etc.


[Install]
Copy the plug-in to your IDA Pro 5.xx "plugins" directory. 
Edit your "plugins.cfg" with a hotkey to run it, etc.
(See the IDA docs for more help on this.)

Example:
"IDA2PAT IDA2PAT-Reloaded.plw F11 0"

[How to run it]
1. Invoke it using your selected IDA hot-key or from "Edit->Plugins".
2. Select the destination ".pat" file.
3. After it is done, convert your pattern file into a signature file using
   "sigmake.exe".

[Design & Outstanding issues]
There are zero options; the assumption is that you want to save only, and all,
function names that are not autogenerated.
That is, for the most part, all functions that are not named like "sub_69B470"
or "unknown_libname_228".

There are unfortunately ambiguities and errors when using function name flags like
"pFunc->flags & FUNC_LIB", "is_public_name()", "dummy_name_ea()", etc., to
determine what is a library, public, etc., function.

Biggest hurdle, consider this: you do your RE work, you rename some
functions with a name that makes sense to you, or you rename one
specifically so you can come back to it later using a custom sig, etc.
Maybe all is well the first time because IDA will see it as a user function
and thus traditional IDA2PAT will create a pattern for it.
But the next time, after an update, etc., you apply the sig. It is no longer a
"user function"; IDA marks it as a library function, or worse, as autogenerated.
I don't like this. We want to be able to apply a sig, work on the DB, rename some
functions with better-fitting names as my understanding grows, etc., then
create new patterns and not have name collisions, etc.

AFAIK there is no solid way to determine what is "autogenerated",
"user-generated" or otherwise using the stock IDA SDK functions.

What "IDA2PAT Reloaded" does is rely solely on function name patterns instead.
It simply rejects functions whose names start with "sub_..", "unknown_libname_..",
or with one of the characters '$', '@', '?', or '_'.

This will be a problem if you intentionally use something like
"sub_MyFunction", or "unknown_libname_MyFunction", etc., as your naming
convention. This design assumes IDA is set up to display autogenerated function
names as "sub_xxxxxx", etc., as in the defaults.

Speed:
TQN's version was definitely faster than the others: he replaced the file streaming
"qfprintf()" with a very large buffer, then saved the buffer at the end.
The real issue was a single "qflush()" call after each pattern created in
Quine's original code. FYI, a file "flush" causes the OS to flush its write
cache, causing a file performance hit.

As a baseline, just iterating through around 100k functions (with zero
processing) takes ~12 seconds on my machine on average.
Thus, any processing on top of that is just additive.
IDA2PAT-Reloaded only adds ~3 seconds to the baseline on a modern machine.
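The two design points above, the name-pattern filter and the single-buffer write, as an added C++ example that is not the plug-in's own code; the function names and the PatternBuffer class are assumptions, and the buffer stands in for IDA's file I/O so it runs outside IDA:

```cpp
// Added example (not IDA2PAT Reloaded's own source): the name-based filter
// described above, plus a buffered pattern writer in the spirit of TQN's design.
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// True if the name looks user-assigned under the README's rules: reject IDA's
// autogenerated prefixes and names starting with '$', '@', '?' or '_'.
// Note the documented caveat: "sub_MyFunction" is rejected too.
bool isUserNamedFunction(const std::string& name) {
    if (name.empty()) return false;
    static const char* const rejectPrefixes[] = { "sub_", "unknown_libname_" };
    for (const char* p : rejectPrefixes)
        if (name.compare(0, std::strlen(p), p) == 0) return false;
    switch (name[0]) {
        case '$': case '@': case '?': case '_': return false;
        default: return true;
    }
}

// Apply the filter to the function names the plug-in would walk in the IDB.
std::vector<std::string> selectFunctions(const std::vector<std::string>& names) {
    std::vector<std::string> out;
    for (const auto& n : names)
        if (isUserNamedFunction(n)) out.push_back(n);
    return out;
}

// Accumulate pattern lines in one large buffer and write once at the end,
// instead of flushing the file after every pattern (the slow path noted above).
class PatternBuffer {
public:
    explicit PatternBuffer(size_t reserveBytes = 1u << 20) { buf_.reserve(reserveBytes); }
    void addPattern(const std::string& line) { buf_ += line; buf_ += '\n'; ++count_; }
    size_t count() const { return count_; }
    const std::string& contents() const { return buf_; }
    bool saveTo(const char* path) const {  // single write; "---" ends a .pat file
        FILE* f = std::fopen(path, "wb");
        if (!f) return false;
        std::fwrite(buf_.data(), 1, buf_.size(), f);
        std::fputs("---\n", f);
        return std::fclose(f) == 0;
    }
private:
    std::string buf_;
    size_t count_ = 0;
};

// Convenience wrapper: buffer every line and return the text that would be saved.
std::string bufferPatterns(const std::vector<std::string>& lines) {
    PatternBuffer pb;
    for (const auto& l : lines) pb.addPattern(l);
    return pb.contents();
}
```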


[Credits & Appreciation]
Quine & Darko - For the original design. http://surf.to/quine_ida
J.C. Roberts - Yet another version.
TQN - For the large pattern buffer design.


-Sirmabus


Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability, or fitness for any particular use. It may contain bugs, so use
of this software is at your own risk. The author takes no responsibility for
any damage that might be caused through its use et al.
