mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $ bash ./run.sh

Step 1. Install standard C library software
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libc-dev-bin
Suggested packages:
  glibc-doc
The following NEW packages will be installed:
  libc-dev-bin libc6-dev
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 0 B/2,148 kB of archives.
After this operation, 13.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc-dev-bin amd64 2.23-0ubuntu7 [68.6 kB]
Get:2 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc6-dev amd64 2.23-0ubuntu7 [2,080 kB]
Selecting previously unselected package libc-dev-bin.
(Reading database ... 197487 files and directories currently installed.)
Preparing to unpack .../libc-dev-bin_2.23-0ubuntu7_amd64.deb ...
Unpacking libc-dev-bin (2.23-0ubuntu7) ...
Selecting previously unselected package libc6-dev:amd64.
Preparing to unpack .../libc6-dev_2.23-0ubuntu7_amd64.deb ...
Unpacking libc6-dev:amd64 (2.23-0ubuntu7) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libc-dev-bin (2.23-0ubuntu7) ...
Setting up libc6-dev:amd64 (2.23-0ubuntu7) ...

Step 2. Install python pip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python-pip-whl
Recommended packages:
  build-essential python-all-dev python-setuptools python-wheel
The following NEW packages will be installed:
  python-pip python-pip-whl
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,218 kB of archives.
After this operation, 1,814 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip-whl all 8.1.1-2 [1,074 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip all 8.1.1-2 [144 kB]
Fetched 1,218 kB in 0s (5,331 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 197994 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_8.1.1-2_all.deb ...
Unpacking python-pip-whl (8.1.1-2) ...
Selecting previously unselected package python-pip.
Preparing to unpack .../python-pip_8.1.1-2_all.deb ...
Unpacking python-pip (8.1.1-2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up python-pip-whl (8.1.1-2) ...
Setting up python-pip (8.1.1-2) ...

Step 3. Update python pip
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 441kB/s
Installing collected packages: pip
  Found existing installation: pip 8.1.1
    Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1

Step 4. Install setuptools
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting setuptools
  Downloading setuptools-36.6.0-py2.py3-none-any.whl (481kB)
    100% |████████████████████████████████| 481kB 956kB/s
Installing collected packages: setuptools
Successfully installed setuptools-36.6.0

Step 5. Install capstone binaries
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libcapstone3
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 438 kB of archives.
After this operation, 2,815 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone3 amd64 3.0.4-0.2 [438 kB]
Fetched 438 kB in 0s (2,764 kB/s)
Selecting previously unselected package libcapstone3.
(Reading database ... 198119 files and directories currently installed.)
Preparing to unpack .../libcapstone3_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Setting up libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...

Step 6. Install capstone dev source
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libcapstone-dev
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 495 kB of archives.
After this operation, 4,177 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone-dev amd64 3.0.4-0.2 [495 kB]
Fetched 495 kB in 0s (3,018 kB/s)
Selecting previously unselected package libcapstone-dev.
(Reading database ... 198123 files and directories currently installed.)
Preparing to unpack .../libcapstone-dev_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone-dev (3.0.4-0.2) ...
Setting up libcapstone-dev (3.0.4-0.2) ...

Step 7. Install capstone python bindings (this will take a while)
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting capstone
  Downloading capstone-3.0.4.tar.gz (3.2MB)
    100% |████████████████████████████████| 3.2MB 201kB/s
Installing collected packages: capstone
  Running setup.py install for capstone ... done
Successfully installed capstone-3.0.4

Step 8. Make sandsifter
cc -c injector.c -o injector.o -Wall
injector.c:321:93: warning: excess elements in array initializer
 00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, .len
                                                                         ^
injector.c:321:93: note: (near initialization for ‘total_range.start.bytes’)
injector.c:322:91: warning: excess elements in array initializer
 ff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, .len
                                                                         ^
injector.c:322:91: note: (near initialization for ‘total_range.end.bytes’)
cc injector.o -O3 -Wall -l:libcapstone.a -o injector -pthread

Step 9. Run sandsifter
(sifter live display; the left pane lists the most recently tested instructions, the right pane the current valid/length/signum/sicode values and counters)
  (unk)                                0f0f0cc7510000000000000000000000
  (unk)                                0f0f0cc8760000000000000000000000
  (unk)                                0f0f0ccb510000000000000000000000
  (unk)                                0f0f0ccda10000000000000000000000
  (unk)                                0f0f0ccf1b0000000000000000000000
  (unk)                                0f0f0cd1610000000000000000000000
  (unk)                                0f0f0cd3510000000000000000000000
  pswapd mm1, qword ptr [rsp + rdx*8]  0f0f0cd4bb0000000000000000000000
  (unk)                                0f0f0cd6c10000000000000000000000
  (unk)                                0f0f0cd8d10000000000000000000000
  (unk)                                0f0f0cd9fb0000000000000000000000
  pfnacc mm1, qword ptr [rsp + rbx*8]  0f0f0cdc8a0000000000000000000000
  pfmin mm1, qword ptr [rsi + rbx*8]   0f0f0cde940000000000000000000000
  femms                                0f0f0ce00e0000000000000000000000
  (unk)                                0f0f0ce34e0000000000000000000000
  (unk)                                0f0f0ce5310000000000000000000000
  (unk)                                0f0f0ce7c10000000000000000000000
  (unk)                                0f0f0ce9c70000000000000000000000
  (unk)                                0f0f0ceb510000000000000000000000
  (unk)                                0f0f0cede10000000000000000000000
  v: 1
  l: 9
  s: 4
  c: 2
  # 1,047,280  37484/s
  # 89,418
  40f0dbfff000000000000000000000000f4f4f4f4f4f4f4f4f4f4f4f4f4f
  00f0dbffe000000000000000000000000c0c0c0c0c0c0c0c0c0c0c0c0c0c
  40f0dbffd000000000000000000000000242424242424242424242424242
  20f0dbffc000000000000000000000000222222222222222222222222222
  20f0dbffb000000000000000000000000626262626262626262626262626
  10f0dbffa000000000000000000000000919191919191919191919191919
  50f0dbff9000000000000000000000000d5d5d5d5d5d5d5d5d5d5d5d5d5d
  00f0dbff8000000000000000000000000505050505050505050505050505
  00f0dbff7000000000000000000000000505050505050505050505050505
  40f0dbff6000000000000000000000000444444444444444444444444444

#
# ./sifter.py --unk --dis --len --sync --tick -- -P1 -t
# ./injector -P1 -t -t -R -0 -s 4293486582
#
# insn tested: 129563
# artf found: 0
# runtime: 00:00:04.23
# seed: 4293486582
# arch: 64
# date: 2017-10-22 16:10:51
#
# cpu:
# processor : 0
# vendor_id : AuthenticAMD
# cpu family : 15
# model : 43
# model name : AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
# stepping : 1
# microcode : 0x4d
#
#                  v l s c
0f0d00             1 3 5 2 (0f0d0000000000000000000000000000)
0f0d01             1 3 5 2 (0f0d0100000000000000000000000000)
0f0d02             1 3 5 2 (0f0d0200000000000000000000000000)
0f0d03             1 3 5 2 (0f0d0300000000000000000000000000)
0f0d0400           1 4 5 2 (0f0d0400000000000000000000000000)
0f0d0401           1 4 5 2 (0f0d0401000000000000000000000000)
0f0d0402           1 4 5 2 (0f0d0402000000000000000000000000)
0f0d0403           1 4 5 2 (0f0d0403000000000000000000000000)
0f0d0404           1 4 5 2 (0f0d0404000000000000000000000000)
0f0d040500000000   1 8 5 2 (0f0d0405000000000000000000000000)
0f0d040501000000   1 8 5 2 (0f0d0405010000000000000000000000)
0f0d040502000000   1 8 5 2 (0f0d0405020000000000000000000000)
0f0d040503000000   1 8 5 2 (0f0d0405030000000000000000000000)
0f0d040504000000   1 8 5 2 (0f0d0405040000000000000000000000)

Step 10. Summarize
beginning summarization.
note: this process may take up to an hour to complete, please be patient.
loading sifter log:  [========================================] 100.0%
condensing prefixes: [========================================] 100.0%
binning results:     [==                                      ] 6.7%

AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
arch: 64 / processor: 0 / vendor: AuthenticAMD / family: 15 / model: n/a / stepping: 1 / ucode: n/a

(summarizer display; left pane is the prefix tree, right pane describes the selected group)
>   ....    ..............
  > 0f..    ..............
  > 0f0d..  ..........
  > 0f0f...... ........
  > 0f18..
  > 0f1a..
  > 0f1b..
  > 0f1c..
  > 0f1d..
  > 0f1e..
  > 0f1f..
    0f38
    0f78
    0f79
  > 0fae..
  > c4....  ......
  > c5....  ........
  > db..
  > df..

instruction group:
  (all)
instructions found in this group:
  168179
example instruction from this group:
  0f0f0ccc4d
group attribute summary:
  valid:    (1)
  length:   (2-9)
  signum:   (4-5,11)
  signal:   (sigsegv,sigill,sigtrap)
  sicode:   (1-2)
  prefixes: (__,26,2e,36,3e,40-4f,64-66)

j: down, J: DOWN   k: up, K: UP   l: expand L: all   h: collapse H: all   g: start G: end   {: previous }: next   q: quit and print

Bash script Version 0.01 created on 22 october 2017 by Skybuck Flying
To Install, Make, Run, Summarize SandSifter Software and Software Dependencies
Successfully tested on Linux Mint 18.2 Sonya on AMD Dual Core X2 3800+ processor
May the Force be with you ! Always ! =D
Have fun analyzing undocumented instructions !!!!
E-mail results to or contact: xoreaxeaxeax@gmail.com
^^^ !!! Author of SandSifter Software and interested in log files !!! ^^^

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $