idb2pat sigmake FATAL: Bad xdigit: error

[KulaGGin]

I get the FATAL: Bad xdigit: error error when trying to use sigmake on a file with long lines, such as this one: https://slexy.org/view/s2UyxIhZQR

Here's the .pat file with quite a few problem lines like that if you want to try it yourself: https://www.dropbox.com/s/ym8mfm0k037gbd4/S05_TestingGrounds-Win64-Shipping.pat?dl=0

It's a pat file generated from a compiled executable with Unreal Engine 4 for Win64 with .pdb supplied. And UE4 uses MSBuild, iirc, if that helps in any way.

I use updated idb2pat from #105 but I get the exact same issue on non-updated idb2pat on IDA 7.2 with all the default settings.

I think the problem is here: 48894C2408B808160100E8D11A2A02482BE0C78424D086000002000000488B84 FF ABF9 60247. Fourth member with numbers - 60247. Usually there are 4 digits in most lines but on the lines with that exact error it's always more than 4 digits for the fourth member. I don't know how to fix that, I think I'll go try a version from #98 with fixes, they might have fixed exactly this?

Removing all the lines with more than 4 digits on the fourth member does let sigmake tool finish generating .sig file.

[williballenthin]

interesting.

coincidentally, i had also discovered that the fields that look like 16bit numbers do in fact accept numbers larger than 16bits. so, this probably does lead to an issue in idb2pat.

thanks for providing a test file - i'll use that to help diagnose the bug and develop a fix.

[KulaGGin]

@williballenthin Awesome, big thanks.

I created another issue which I have with the same project: https://github.com/fireeye/flare-ida/issues/107

So when you'll work on it, you might want to look into that one as well.

They might be related, but doesn't really look like it, they look like different issues.

[ZehMatt]

If anyone stumbles into this, you can resolve the issue by 8 digits, sigmake seems to only accept 0000 or 00000000, so if you have 11960 turn that into 00011960