Sandsifter software finds hidden instructions inside processors.

Hello,

I just watched this video, it's pretty interesting and somewhat amazing, this guy find a way to find hidden instructions inside processors:

https://www.youtube.com/watch?v=KrksBdWcZgQ

The software which finds these hidden instructions is available too:

https://github.com/xoreaxeaxeax/sandsifter

Apperently it's open source python and a little bit of C.

It will probably require some kind of python interpreter/executor and probably admin rights to run.

I am not yet sure how to run this software it will require installing some additional capstone disassembler.

I am curious what would be found on my AMD X2 3800+ from almost 12 years ago... if it will run at all... I think it will run.

I would be curious to also here results of other people !

So if you curious as to what secret instructions exist inside your computer give this a run.

Later today or in the coming days when I have some time for this I will return to
this subject.

For now I may have other things to do or maybe not :P

Bye,
Skybuck =D

wrote:
Hello,

I just watched this video, it's pretty interesting and somewhat amazing, this guy find a way to find hidden instructions inside processors:

https://www.youtube.com/watch?v=KrksBdWcZgQ

The software which finds these hidden instructions is available too:

https://github.com/xoreaxeaxeax/sandsifter

Apperently it's open source python and a little bit of C.

It will probably require some kind of python interpreter/executor and probably admin rights to run.

I am not yet sure how to run this software it will require installing some additional capstone disassembler.

I am curious what would be found on my AMD X2 3800+ from almost 12 years ago... if it will run at all... I think it will run.

I would be curious to also here results of other people !

So if you curious as to what secret instructions exist inside your computer give this a run.

Later today or in the coming days when I have some time for this I will return to
this subject.

For now I may have other things to do or maybe not :P

Bye,
Skybuck =D

There is a PDF on the github page.

It was a slide presentation at a Black Hat 2017 presentation.

https://raw.githubusercontent.com/xo...he_x86_isa.pdf

Perhaps, in time, some of the (nonsense) code sequences will
be included in AV software.

Paul

On Saturday, October 21, 2017 at 9:08:56 PM UTC+2, Paul wrote:
wrote:
Hello,

I just watched this video, it's pretty interesting and somewhat amazing, this guy find a way to find hidden instructions inside processors:

https://www.youtube.com/watch?v=KrksBdWcZgQ

The software which finds these hidden instructions is available too:

https://github.com/xoreaxeaxeax/sandsifter

Apperently it's open source python and a little bit of C.

It will probably require some kind of python interpreter/executor and probably admin rights to run.

I am not yet sure how to run this software it will require installing some additional capstone disassembler.

I am curious what would be found on my AMD X2 3800+ from almost 12 years ago... if it will run at all... I think it will run.

I would be curious to also here results of other people !

So if you curious as to what secret instructions exist inside your computer give this a run.

Later today or in the coming days when I have some time for this I will return to
this subject.

For now I may have other things to do or maybe not :P

Bye,
Skybuck =D

There is a PDF on the github page.

It was a slide presentation at a Black Hat 2017 presentation.

https://raw.githubusercontent.com/xo...he_x86_isa.pdf

Perhaps, in time, some of the (nonsense) code sequences will
be included in AV software.

Paul

Even better Paul, there is another PDF which describes the research that was done:

https://github.com/xoreaxeaxeax/sand...x86_isa_wp.pdf

Basically same story as in video but now in text...

Today I installed python 3.6.3 by downloading this file from some python.org website or something: python-3.6.3-amd64.exe

I already checked... AMD64 instruction set has the no-execution bit for page entry tables... this means for this sandsifter tool I do not have to supply the no nx available flag... I wonder if this tool is capable of detecting hidden instructions on systems that don't have this feature ? and if so how ? There is no further information about that... so I am a bit fuzy about that.

I still have to install capstone dissassembler... and then I wonder what will happen with the C code... will it be compiled somehow ? Not sure what will happen.

So far I also read the document for 90%

Going to continue with this cause I like finding secrets and the mystery..

So far I think the dbe is probably some "debug engine" instruction.

Taking it easy for now

Bye,
Skybuck

Skybuck Flying's Cybernauting adventure into Linux Mint 18.2 and SandSifter..

After examining the SandSifter software on my Windows 7 Dream PC of 2006 I realized this software is probably not going to run on Windows 7. It was written for Linux as far as I can tell.

So I decided to download and burn Linux Mint 18.2 to a DVD and then boot it and proceed from there.

The SandSifter software requires a Python interpreter and a Capstone library. However as usual with this kind of software it has all kinds of dependencies which can lead to problems as is with this software. Fortunately by entering the problem/error messages into google I was able to quickly diagnose the problem and find a solution, which has led to me creating a "batch file" or "script file" if you will which automates the process of installing the necessary software/dependencies. I also wrote a "manual installation" manual as well as the "automatic installation" manual, more on this later. I also wrote a run.sh bash script which does everything automatically except for the user having to answer "yes" here and there.

Bash is the default script processor/command line scripting facility on linux.

It works like a batchfile on windows, except the first line of a script must contain a specific marker to indicate it's a bash script. Apperently on linux any file can be executed... as long as the first line indicates what it is ?

So I managed to get everything working and SandSifter did it's thing. It found hundreds of thousands of undocumented instructions ! Mostly of these belong together to a certain group. This has me worried a bit.

What are these instructions doing ? Why do some appear to exist on Intel, AMD and Transmeta ? My gut feeling says... "watery issue". Could be debugging feature for production machines could also be a "conspiracy" to "backdoor" all consumer processor products, thus further investigation into this matter is definetly warrented.

I was fortunate enough for Linux Mint 18.2 to work well and Fortunate enough for all software to be able to function together. The software outputs all kinds of message to indicate "versions" and such. This output has been captured by me for future/backwards reference in case problems occur with future versions of these software packages. The output was captured to a file called: ExampleOutputOfScriptRunSh.txt

I have uploaded everything/all data that I collected to my webdrive more on that in a moment.

First some further information about this file. The output is kinda annoying it's apperently not Unicode but some kind of obscure character set. This might make it hard to read this file with windows-based text editors. However textpad seems to handle it a little bit and some information can be read from it.

To view all collected and produced text files perfectly it is recommended to use Linux Mint 18.2 for now, specifically it's "text editor" not the Office packet, the Office packet malfunctions and is not capable of opening large files, for example 191 MB was too much for it to chew on.

Even the text editor of Linux Mint 18.2 is poor to say the least. It apperently tries to read all text into memory, instead of reading purely from disk for as far as needed. Unfortunately Textpad is no better in this regards.

I did write my own "file viewer" which is capable of seeking into a file and only reading a screen worth of data to prevent accessive memory usage. The tool is rather crude and is not a full fledged editor, perhaps I will upload it next to some folder I will think about this.

Hopefully there exist some text editor somewhere on the internet which can read a "screen worth of data" from a large file to prevent accessive memory usage.
I will search for one myself, if I can't find one freely available I may upload my tool just in case nobody can find a decent one for Windows. My tool will not work on Linux except if wine is used, though I could probably cross compile/build it. But enough about text editors and (my) tools for now. I did wish I had my tool on Linux Mint though... or an even better version of it since I found the default text editor to be quite junky... quite surprising to see such a "touted" and "much" used platform by open source developers to be so lacking in it's default features. It feels very amaturistic.... almost beyond believe. Though somehow I am not too surprised. Testing is apperently not a favorite time passing for Linux Mint developers. They seem to care more about "good looks of GUI" instead of usefull and superior functionality. I cannot recommend this software platform for any serious worked based of working from DVD... it's completely apperent that it will totally malfunction and hang system, for example during out of memory situation the DVD drive started to read/write lots of times... at least I believe it was an out of memory situation because of the sand sifter summarization script, more on this perhaps later... the system has 4 GB in total and 2 GB were free for memory usage. Very maybe the system might have worked better if it was installed on a harddisk... though this is doubtfull.

Now enough about my unpleasent surprises with Linux Mint and it's appaling/lack-luster software though it did get the job done... not bad for freeby.

On with the "show".

I was very pleasently surprised once the SandDrifter started working... first I had to fiddle around with installing capstone... I am not sure but apperently it requires three installs: one binary, one dev source and python binding install.
So I incorporated this in the final run.sh bash script to make sure it works... perhaps it installs more than necessary or perhaps not... I am not sure about that.

Anyway watching the instruction fly by was very addicting to watch and pretty fascinating... especially when it goes "red" probably meaning that it has found "undocumented/hidden" instructions inside the processor more on this later.

The SandSifter tool ran apperently for 7 hours and some... after I woke up I went to take a looksy and noticed this... it also shows the time vertically when it runs.

The terminal window is a bit small on Linux Mint 18.2 it should be resized to make sure all of the "beautifull textual" GUI of SandSifter is shown/visible.

Also it's not only for "beauty" it is actually "required" otherwise the "summarization" script will fail/crash. Apperently the problem is it tries to display something outside of the terminal window if it's too small and apperently this makes it crash ?! Almost unbelievable but true.

So by resizing the terminal window and making it large it will actually work better and not crash... at least not immediately.

After the summarization tool is ready processing the collected data and confiding/binning it it brings up a textual menu to navigate through the instruction groups.

This is where a problem occured during usage. As I tried to inspect the instruction groups the program crashed. I watched the built-in system monitor of Linux Mint to watch the memory usage rise as the program processes the data.
During this watching I screenshotted some screens by pressing the print screen key on the keyboard this will automatically make screenshots in linux mint to files which is kinda nice/cool, it does require pressing a save button but that's ok.

So I also collected screenshots to illustrate the memory usage of the final analysis stage of this SandSifter software.

Strangely enough when trying to inspect a large undocumented instruction group the analysis tool crashes. It seems like there is still enough memory available, so I am unsure at this point why it actually crashes. Perhaps it tries to allocate a large block all at once and it's too large to allocate at once because of lack of free memory and thus it crashes or perhaps there is another bug in this script.

This is basically how far I got with the analysis part so far. I have not yet tried to run this analysis/summarize script on windows on my main system installation. Perhaps there it will run better or perhaps it will crash there as well, not sure... at least on windows I have an 8 GB pagefile/swap file available for additional virtual memory if so required.

The Linux Mint 18.2 did not have "swap file" available. This might have contributed to the crashing script. An idea could be to somehow enable a temporarely swap file on an existing harddisk for additional virtual memory this might prevent the script from crashing.

Anyway my main reason for writing this message to you is to:

1. First of all share my experience with you as an interesting story to read, and perhaps even fascinating.

2. Second of all for future reference for myself.

3. But third of all and this is actually the real primary reason:

Make it as easy for you as possible to run this software as well.

(However this objective will be forfilled in a seperate message, since this message is already way too long, let's consider this a "story" message, the "tutorial" message will follow shortly)

My hypothesis is that: "The more people collect data, the easier it might be to statistically analyze it".

Perhaps this is bull****, but it's great fun anyway.

Who knows what you people might discover... each processor/chip might be different.

Also I will take this message as an oppertunity to ask questions/hypotheses..

1. The undocumented/hidden instructions ? Where are they coming from ? Are they truely located inside the processor ?

or

2. Are these undocumented/hidden instructions some kind of result of "bios manipulation" ? I have heard of "bios patches" or "processor patches" to fix broken instructions. Could it be possible that my winfast motherboard has an "infected bios" perhaps done by Chinese to spy on my system ?


Who is really to blame for these undocumented/hidden instructions ? AMD/Processor manufacturer ? or Motherboard manufacturer ? Or bios chip manufacturer ?

Perhaps it's not the Chinese... but Award Bios or Phoenix Bios manufacturer/programmers that injected "extension functionality" to processors.

I have heard of such a story before... perhaps now it will come to a revelation/beginning of a conclusion...

Could there finally be some proof that this manipulation is real ? I wonder....

I highly applaud, recommend, charish, stimulate and approve of this Research !

Much much much more should be done into it ! To finally get some interesting answers to all of these questions and shed some light on these undocumented instructions.

For all we know... this could be a house with the doors and windows wide open !

Could be a scandalous situation.

I am worried ? Yes... slightly... and this is not good.

Could it be something ? Definetly ? Could it be nothing ? Yes... Could it be a waste of time to dive deeper into this ? Maybe... Is it worth it ? Definetly yes...

The thought/idea of a system wide open to espionage is not a good thing... it must be investigated. It does feel like Watching The X-Files in progress right in front of your screen ! Great fun... but once you start to think about it... that it could be real... the implications it could have... it does get a bit scary !

Therefore this matter is not for the easily scared. Let this be a warning for those that get scared easily ! =D

With these legendaries words I write goodbye to you for now.

But there is a very good chance I will return.

The question is now:

How to proceed with the enormous ammounts of data collected ? The enormous ammounts of "undocumented instructions".

For starters, starting with one little instruction and encoding/embbeding it into a Delphi console application would already be interesting to see what happens to the registers and flags of the CPU and perhaps even certain memory locations. Perhaps nothing will happens, perhaps something will happen..

This could be a first next step, to analyze all collected undocumented instructions and observe the state of the CPU registers to see if and how they change.

I also suspect there might be further "state" involved somewhere deep inside the processor. This "state" might not be accessible to us mere mortals.

One technique which comes to mind to shed some light on this possible existence of "deeper/hidden state" is with "thermal imaging" of the processor/chip.

Perhaps first produce "thermal imaging" pictures of "normal operation" of the chip. Normal operation being "documented instructions".

Next proceed by executing "undocumented instructions" and then "thermal imaging" the chip/processor to see if different eras of the chip light up.

If so this could indicate hidden/deeper/secret state of the chip.

I will leave it at that for now, my next message in this thread will include tutorial information how to get this software running yourself as easily as possible.

Bye,
Skybuck.

As promised in my previous message I will now write something about the tutorial I have created and the files/data/logs and software I have uploaded to my webdrive.

For starters the root of the files is located at this web location:

http://www.skybuck.org/SandSifter/

It contains two folders

unzipped and zipped.

The zipped folder will be used to occasionally zip everything up for easy download for you. The unzipped folder will be usefull for your viewing pleasure and downloading individual files.

http://www.skybuck.org/SandSifter/unzipped/

It's a little bit cumbersome but not too bad and could be handy sometime.

Let's dive into the unzipped folder (I have not zipped the unzipped folder yet but will do so after writing these messages, since I will include those as well... just in case/for the fun of it and for "story logging" purposes)

Let's start with the most important files.

1. The automatic installation manual:

http://www.skybuck.org/SandSifter/un...SandSifter.txt

2. The manual installation manual:

http://www.skybuck.org/SandSifter/un...SandSifter.txt

(In case you don't trust the automatic installation)

3. The run.sh script I wrote specially for this SandSifter program to get it working on Linux Mint 18.2:

http://www.skybuck.org/SandSifter/un...manuals/run.sh

And in case anything goes wrong in the future when software changes:

The original output of my session so that you can at least figure out which versions of the software packages was used. At least for the die-hards out there you could then try to use those versions to see if that might work in case future versions fail.

http://www.skybuck.org/SandSifter/un...criptRunSh.txt

Now in case my webdrive goes offline or is destroyed I will post the automatic installation plus the run.sh contents in this message so that this message can also be used for you to get you started to run SandSifter softwa

The contents of the automatic installation.txt is as follows:

Step 1. Download Linux Mint ISO (Successfully tested on Linux Mint 18.2 Sonya)

https://www.linuxmint.com/

Step 2. Burn Linux Mint ISO to DVD (Windows 7: Right click on file and choose burn to disc).

Step 3. Boot Linux Mint ISO from DVD (Restart computer, if needed go into bios and change boot order, or press F8 to bring up boot menu or something like that)

Step 4. Start FireFox Web Browser

Step 5. Download SandSifter software and extract to a folder.

https://github.com/xoreaxeaxeax/sandsifter

(Click "clone or download", then click "download zip", then click "open with archive manager", then click "extract" (top left icon), click "other locations", choose a harddisk or other storage
medium which is persistent, click on the storage medium, click create new folder (top right icon), name for folder could be "test", click "extract", click "show the files")

Enter the folder "sandsifter-master" by left clicking on it.

Step 6. Download Skybuck's Flying run.sh script file

Download and save the "run.sh" script file to/inside the "sandsifter-master" folder.

http://www.skybuck.org/SandSifter/unzipped/run.sh

Step 7. Open terminal window and resize it to make it bigger

Right click in the empty space and choose "open in terminal"

A window and a prompt/blinking cursor should now come up looking similar to:

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $

Make the window bigger so that the summarize script at the end doesn't crash !

Drag and Drop the window at the bottom right corner to make it bigger (Hold the left mouse button to drag and make it bigger then let mouse button go)

Step 8. Run Skybuck's Flying Bash Script to install software and run SandSifter

type the following command:

bash ./run.sh

Step 9. Guide the software installation and upgrade process

Sometimes it will ask if you want to continue ? Press the Y key.

Once it's done installing SandSifter will automatically run and finally a summary will be created.

Step 10. Wait for the analysis to complete

Once you see instructions scrolling/flying over the screen go take a sleep and wait many hours until it is completely done.

Once it is done it will show something like: "May the Force be with you ! Always !" then you know the script is done !

Step 11. Do not open the log files !

The log files (in data folder) may be to big for the Linux Mint 18.2 text and office editors to handle ! This will probably crash/hang the system !

Step 12. Go into the data folder and send the files to the e-mail address:




The contents of the run.sh bash script file is as follows:

echo "Step 1. Install standard C library software"
sudo apt-get install libc6-dev

echo "Step 2. Install python pip"
sudo apt install python-pip

echo "Step 3. Update python pip"
sudo pip install --upgrade pip

echo "Step 4. Install setuptools"
sudo pip install setuptools

echo "Step 5. Install capstone binaries"
sudo apt-get install libcapstone3

echo "Step 6. Install capstone dev source"
sudo apt-get install libcapstone-dev

echo "Step 7. Install capstone python bindings (this will take a while)"
sudo pip install capstone

echo "Step 8. Make sandsifter"
make

echo "Step 9. Run sandsifter"
sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

echo "Step 10. Summarize"
../summarize.py data/log

echo ""
echo "Bash script"
echo "Version 0.01 created on 22 october 2017 by Skybuck Flying"
echo "To Install, Make, Run, Summarize SandSifter Software and Software Dependencies"
echo "Successfully tested on Linux Mint 18.2 Sonya on AMD Dual Core X2 3800+ processor"
echo "May the Force be with you ! Always ! =D"
echo "Have fun analyzing undocumented instructions !!!!"
echo "E-mail results to or contact: "
echo "^^^ !!! Author of SandSifter Software and interested in log files !!! ^^^"
echo ""


This should be enough to get you up and running.

In the next messsage in this thread I will also post the original output so in the future you can see how it was done, how it ran and with what software versions of the packages.

Perhaps it could also be examined by experts to see if anything was perhaps done unnecessary/duplicate or in wrong order or perhaps it can be done slightly more efficient or more robust. I did try to automate the "yes" prompts but that did not work and was unreliable so I left the scripts to require user interaction for maximum reliability of the scripts. All in all I think the script is pretty good and little could be improved upon it. Though I am certainly not a Linux expert and can barely get around with it Not too bad/shabby for a Linux noob =D Thanks google, thanks internet for the help getting this too work/done ! =D

Bye and enjoy,
Skybuck ! =D

Hello,

I just investigated how Linux Mint 18.2 stores text files. Apperently it's stored as UTF-8.

Textpad on Windows apperently recgonizes it wrongly as latin-1 or some crap like that.

Delphi XE7 however can open these files just fine. Funny enough if I copy & paste the text from Delphi to Textpad, then apperently Windows or Textpad not sure who does what... converts to text to "best fit"... this is kinda sneaky... never noticed this before.

So now I face a bit of a dilemma... first of all I don't know what webbrowsers can handle. But my best guess is "unicode" and probably UTF-8.

However some people out there might be using esoteric browser software (LOL).

And just for kicks I will make two seperate messages to also get around message size limitations on servers.

So let's start with the assumption and mother of all **** ups that webbrowser can actually handle UTF8 well.... so here ya go: UTF8 output from Linux Mint 18.2 run.sh bash script:

(Copy & pasted from Delphi XE7 to FireFox 56.0.1):
(The textual GUI down below is probably a bit too big for usenet readers to handle... hmm... but it's better than nothing... must important information is the software versions though, thats why I am posting this... the GUI is just a slight little taste/teaser of what you may expect to see ! )

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $ bash ../run.sh
Step 1. Install standard C library software
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libc-dev-bin
Suggested packages:
glibc-doc
The following NEW packages will be installed:
libc-dev-bin libc6-dev
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 0 B/2,148 kB of archives.
After this operation, 13.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc-dev-bin amd64 2.23-0ubuntu7 [68.6 kB]
Get:2 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc6-dev amd64 2.23-0ubuntu7 [2,080 kB]
Selecting previously unselected package libc-dev-bin.
(Reading database ... 197487 files and directories currently installed.)
Preparing to unpack .../libc-dev-bin_2.23-0ubuntu7_amd64.deb ...
Unpacking libc-dev-bin (2.23-0ubuntu7) ...
Selecting previously unselected package libc6-dev:amd64.
Preparing to unpack .../libc6-dev_2.23-0ubuntu7_amd64.deb ...
Unpacking libc6-dev:amd64 (2.23-0ubuntu7) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libc-dev-bin (2.23-0ubuntu7) ...
Setting up libc6-dev:amd64 (2.23-0ubuntu7) ...
Step 2. Install python pip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python-pip-whl
Recommended packages:
build-essential python-all-dev python-setuptools python-wheel
The following NEW packages will be installed:
python-pip python-pip-whl
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,218 kB of archives.
After this operation, 1,814 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip-whl all 8.1.1-2 [1,074 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip all 8.1.1-2 [144 kB]
Fetched 1,218 kB in 0s (5,331 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 197994 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_8.1.1-2_all.deb ...
Unpacking python-pip-whl (8.1.1-2) ...
Selecting previously unselected package python-pip.
Preparing to unpack .../python-pip_8.1.1-2_all.deb ...
Unpacking python-pip (8.1.1-2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up python-pip-whl (8.1.1-2) ...
Setting up python-pip (8.1.1-2) ...
Step 3. Update python pip
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
100% |████████████████⠖ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆ| 1.3MB 441kB/s
Installing collected packages: pip
Found existing installation: pip 8.1.1
Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1
Step 4. Install setuptools
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting setuptools
Downloading setuptools-36.6.0-py2.py3-none-any.whl (481kB)
100% |████████████████⠖ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆ| 481kB 956kB/s
Installing collected packages: setuptools
Successfully installed setuptools-36.6.0
Step 5. Install capstone binaries
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libcapstone3
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 438 kB of archives.
After this operation, 2,815 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone3 amd64 3.0.4-0.2 [438 kB]
Fetched 438 kB in 0s (2,764 kB/s)
Selecting previously unselected package libcapstone3.
(Reading database ... 198119 files and directories currently installed.)
Preparing to unpack .../libcapstone3_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Setting up libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Step 6. Install capstone dev source
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libcapstone-dev
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 495 kB of archives.
After this operation, 4,177 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone-dev amd64 3.0.4-0.2 [495 kB]
Fetched 495 kB in 0s (3,018 kB/s)
Selecting previously unselected package libcapstone-dev.
(Reading database ... 198123 files and directories currently installed.)
Preparing to unpack .../libcapstone-dev_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone-dev (3.0.4-0.2) ...
Setting up libcapstone-dev (3.0.4-0.2) ...
Step 7. Install capstone python bindings (this will take a while)
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting capstone
Downloading capstone-3.0.4.tar.gz (3.2MB)
100% |████████████████⠖ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆâ–ˆ| 3.2MB 201kB/s
Installing collected packages: capstone
Running setup.py install for capstone ... done
Successfully installed capstone-3.0.4
Step 8. Make sandsifter
cc -c injector.c -o injector.o -Wall
injector.c:321:93: warning: excess elements in array initializer
00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x 00,0x00,0x00,0x00,0x00}, .len
^
injector.c:321:93: note: (near initialization for ‘total_range.start.bytes’)
injector.c:322:91: warning: excess elements in array initializer
ff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x ff,0xff,0xff,0xff,0xff}, .len
^
injector.c:322:91: note: (near initialization for ‘total_range.end.bytes’)
cc injector.o -O3 -Wall -l:libcapstone.a -o injector -pthread
Step 9. Run sandsifter

┌
164 t │ (unk) 0f0f0cc7510000000000000000000000 0
│ (unk) 0f0f0cc8760000000000000000000000 0
│ (unk) 0f0f0ccb510000000000000000000000 :
│ (unk) 0f0f0ccda10000000000000000000000 0
s │ (unk) 0f0f0ccf1b0000000000000000000000 2
a │ (unk) 0f0f0cd1610000000000000000000000 :
n │ (unk) 0f0f0cd3510000000000000000000000 2
d │ pswapd mm1, qword ptr [rsp + rdx*8] 0f0f0cd4bb0000000000000000000000 3
│ (unk) 0f0f0cd6c10000000000000000000000 .
v: 1 │ (unk) 0f0f0cd8d10000000000000000000000 8
l: 9 │ (unk) 0f0f0cd9fb0000000000000000000000 1
s: 4 │ pfnacc mm1, qword ptr [rsp + rbx*8] 0f0f0cdc8a0000000000000000000000
c: 2 │ pfmin mm1, qword ptr [rsi + rbx*8] 0f0f0cde940000000000000000000000
│ femms 0f0f0ce00e0000000000000000000000
s │ (unk) 0f0f0ce34e0000000000000000000000
i │ (unk) 0f0f0ce5310000000000000000000000
f │ (unk) 0f0f0ce7c10000000000000000000000
t │ (unk) 0f0f0ce9c70000000000000000000000
e │ (unk) 0f0f0ceb510000000000000000000000
r │ (unk) 0f0f0cede10000000000000000000000
â””
# 1,047,280
37484/s
# 89,418
┌
│40f0dbfff000000000000000000000000f4f4f4f4f4f4f4 f4f4f4f4f4f4f
│00f0dbffe000000000000000000000000c0c0c0c0c0c0c0 c0c0c0c0c0c0c
│40f0dbffd00000000000000000000000024242424242424 2424242424242
│20f0dbffc00000000000000000000000022222222222222 2222222222222
│20f0dbffb00000000000000000000000062626262626262 6262626262626
│10f0dbffa00000000000000000000000091919191919191 9191919191919
│50f0dbff9000000000000000000000000d5d5d5d5d5d5d5 d5d5d5d5d5d5d
│00f0dbff800000000000000000000000050505050505050 5050505050505
│00f0dbff700000000000000000000000050505050505050 5050505050505
│40f0dbff600000000000000000000000044444444444444 4444444444444
â””

#
# ./sifter.py --unk --dis --len --sync --tick -- -P1 -t
# ./injector -P1 -t -t -R -0 -s 4293486582
#
# insn tested: 129563
# artf found: 0
# runtime: 00:00:04.23
# seed: 4293486582
# arch: 64
# date: 2017-10-22 16:10:51
#
# cpu:
# processor : 0
# vendor_id : AuthenticAMD
# cpu family : 15
# model : 43
# model name : AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
# stepping : 1
# microcode : 0x4d
# v l s c
0f0d00 1 3 5 2 (0f0d0000000000000000000000000000)
0f0d01 1 3 5 2 (0f0d0100000000000000000000000000)
0f0d02 1 3 5 2 (0f0d0200000000000000000000000000)
0f0d03 1 3 5 2 (0f0d0300000000000000000000000000)
0f0d0400 1 4 5 2 (0f0d0400000000000000000000000000)
0f0d0401 1 4 5 2 (0f0d0401000000000000000000000000)
0f0d0402 1 4 5 2 (0f0d0402000000000000000000000000)
0f0d0403 1 4 5 2 (0f0d0403000000000000000000000000)
0f0d0404 1 4 5 2 (0f0d0404000000000000000000000000)
0f0d040500000000 1 8 5 2 (0f0d0405000000000000000000000000)
0f0d040501000000 1 8 5 2 (0f0d0405010000000000000000000000)
0f0d040502000000 1 8 5 2 (0f0d0405020000000000000000000000)
0f0d040503000000 1 8 5 2 (0f0d0405030000000000000000000000)
0f0d040504000000 1 8 5 2 (0f0d0405040000000000000000000000)

snip

Step 10. Summarize

beginning summarization.
note: this process may take up to an hour to complete, please be patient.

loading sifter log:
[========================================] 100.0%
condensing prefixes:
[========================================] 100.0%
binning results:
[== ] 6.7%



AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
arch: 64 / processor: 0 / vendor: AuthenticAMD / family: 15 / model: n/a / stepping: 1 / ucode: n/a
┌───────────────┠€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â ”€â”�-┌───────────────┠€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â ”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€ ─────────â”�
│ .... .............. │|│ instruction group: │
│ 0f.. .............. │ │ (all) │
│ 0f0d.. .......... │ │ │
│ 0f0f...... ........ │ │ instructions found in this group: │
│ 0f18.. │ │ 168179 │
│ 0f1a.. │ │ │
│ 0f1b.. │ │ example instruction from this group: │
│ 0f1c.. │ │ 0f0f0ccc4d │
│ 0f1d.. │ │ │
│ 0f1e.. │ │ group attribute summary: │
│ 0f1f.. │ │ valid: (1) │
│ 0f38 │ │ length: (2-9) │
│ 0f78 │ │ signum: (4-5,11) │
│ 0f79 │ │ signal: (sigsegv,sigill,sigtrap) │
│ 0fae.. │ │ sicode: (1-2) │
│ c4.... ...... │ │ prefixes: (__,26,2e,36,3e,40-4f,64-66) │
│ c5.... ........ │ │ │
│ db.. │ │ │
│ df.. │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
└───────────────┠€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â ”€â”˜-└───────────────┠€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â ”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€ ─────────┘
j: down, J: DOWN
k: up, K: UP
l: expand L: all
h: collapse H: all
g: start G: end
{: previous }: next
q: quit and print


Bash script
Version 0.01 created on 22 october 2017 by Skybuck Flying
To Install, Make, Run, Summarize SandSifter Software and Software Dependencies
Successfully tested on Linux Mint 18.2 Sonya on AMD Dual Core X2 3800+ processor
May the Force be with you ! Always ! =D
Have fun analyzing undocumented instructions !!!!
E-mail results to or contact:
^^^ !!! Author of SandSifter Software and interested in log files !!! ^^^

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $

Bye,
Skybuck.

Now as a possible exercise in futile or perhaps not I will post the ****ed up delphi to text copy & paste and some ****ed up replace text algorithm, no idea who is the converter but let's admire it for what it's worth for now:

(Notice how the text gui corners are replaced by +'s in the corners ?! )

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $ bash ../run.sh
Step 1. Install standard C library software
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libc-dev-bin
Suggested packages:
glibc-doc
The following NEW packages will be installed:
libc-dev-bin libc6-dev
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 0 B/2,148 kB of archives.
After this operation, 13.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc-dev-bin amd64 2.23-0ubuntu7 [68.6 kB]
Get:2 cdrom://Linux Mint 18.2 _Sonya_ - Release amd64 20170628 xenial/main amd64 libc6-dev amd64 2.23-0ubuntu7 [2,080 kB]
Selecting previously unselected package libc-dev-bin.
(Reading database ... 197487 files and directories currently installed.)
Preparing to unpack .../libc-dev-bin_2.23-0ubuntu7_amd64.deb ...
Unpacking libc-dev-bin (2.23-0ubuntu7) ...
Selecting previously unselected package libc6-dev:amd64.
Preparing to unpack .../libc6-dev_2.23-0ubuntu7_amd64.deb ...
Unpacking libc6-dev:amd64 (2.23-0ubuntu7) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libc-dev-bin (2.23-0ubuntu7) ...
Setting up libc6-dev:amd64 (2.23-0ubuntu7) ...
Step 2. Install python pip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python-pip-whl
Recommended packages:
build-essential python-all-dev python-setuptools python-wheel
The following NEW packages will be installed:
python-pip python-pip-whl
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,218 kB of archives.
After this operation, 1,814 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip-whl all 8.1.1-2 [1,074 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/universe amd64 python-pip all 8.1.1-2 [144 kB]
Fetched 1,218 kB in 0s (5,331 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 197994 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_8.1.1-2_all.deb ...
Unpacking python-pip-whl (8.1.1-2) ...
Selecting previously unselected package python-pip.
Preparing to unpack .../python-pip_8.1.1-2_all.deb ...
Unpacking python-pip (8.1.1-2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up python-pip-whl (8.1.1-2) ...
Setting up python-pip (8.1.1-2) ...
Step 3. Update python pip
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
100% |¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦Â¦Â¦Â¦Â¦Â¦Â¦Â¦| 1.3MB 441kB/s
Installing collected packages: pip
Found existing installation: pip 8.1.1
Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed pip-9.0.1
Step 4. Install setuptools
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting setuptools
Downloading setuptools-36.6.0-py2.py3-none-any.whl (481kB)
100% |¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦Â¦Â¦Â¦Â¦Â¦Â¦Â¦| 481kB 956kB/s
Installing collected packages: setuptools
Successfully installed setuptools-36.6.0
Step 5. Install capstone binaries
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libcapstone3
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 438 kB of archives.
After this operation, 2,815 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone3 amd64 3.0.4-0.2 [438 kB]
Fetched 438 kB in 0s (2,764 kB/s)
Selecting previously unselected package libcapstone3.
(Reading database ... 198119 files and directories currently installed.)
Preparing to unpack .../libcapstone3_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Setting up libcapstone3 (3.0.4-0.2) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Step 6. Install capstone dev source
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libcapstone-dev
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 495 kB of archives.
After this operation, 4,177 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libcapstone-dev amd64 3.0.4-0.2 [495 kB]
Fetched 495 kB in 0s (3,018 kB/s)
Selecting previously unselected package libcapstone-dev.
(Reading database ... 198123 files and directories currently installed.)
Preparing to unpack .../libcapstone-dev_3.0.4-0.2_amd64.deb ...
Unpacking libcapstone-dev (3.0.4-0.2) ...
Setting up libcapstone-dev (3.0.4-0.2) ...
Step 7. Install capstone python bindings (this will take a while)
The directory '/home/mint/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/mint/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting capstone
Downloading capstone-3.0.4.tar.gz (3.2MB)
100% |¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦Â¦Â¦Â¦Â¦Â¦Â¦Â¦| 3.2MB 201kB/s
Installing collected packages: capstone
Running setup.py install for capstone ... done
Successfully installed capstone-3.0.4
Step 8. Make sandsifter
cc -c injector.c -o injector.o -Wall
injector.c:321:93: warning: excess elements in array initializer
00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x 00,0x00,0x00,0x00,0x00}, .len
^
injector.c:321:93: note: (near initialization for ‘total_range.start.bytes’)
injector.c:322:91: warning: excess elements in array initializer
ff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x ff,0xff,0xff,0xff,0xff}, .len
^
injector.c:322:91: note: (near initialization for ‘total_range.end.bytes’)
cc injector.o -O3 -Wall -l:libcapstone.a -o injector -pthread
Step 9. Run sandsifter

+
164 t ¦ (unk) 0f0f0cc7510000000000000000000000 0
¦ (unk) 0f0f0cc8760000000000000000000000 0
¦ (unk) 0f0f0ccb510000000000000000000000 :
¦ (unk) 0f0f0ccda10000000000000000000000 0
s ¦ (unk) 0f0f0ccf1b0000000000000000000000 2
a ¦ (unk) 0f0f0cd1610000000000000000000000 :
n ¦ (unk) 0f0f0cd3510000000000000000000000 2
d ¦ pswapd mm1, qword ptr [rsp + rdx*8] 0f0f0cd4bb0000000000000000000000 3
¦ (unk) 0f0f0cd6c10000000000000000000000 .
v: 1 ¦ (unk) 0f0f0cd8d10000000000000000000000 8
l: 9 ¦ (unk) 0f0f0cd9fb0000000000000000000000 1
s: 4 ¦ pfnacc mm1, qword ptr [rsp + rbx*8] 0f0f0cdc8a0000000000000000000000
c: 2 ¦ pfmin mm1, qword ptr [rsi + rbx*8] 0f0f0cde940000000000000000000000
¦ femms 0f0f0ce00e0000000000000000000000
s ¦ (unk) 0f0f0ce34e0000000000000000000000
i ¦ (unk) 0f0f0ce5310000000000000000000000
f ¦ (unk) 0f0f0ce7c10000000000000000000000
t ¦ (unk) 0f0f0ce9c70000000000000000000000
e ¦ (unk) 0f0f0ceb510000000000000000000000
r ¦ (unk) 0f0f0cede10000000000000000000000
+
# 1,047,280
37484/s
# 89,418
+
¦40f0dbfff000000000000000000000000f4f4f4f4f4f4f4f 4f4f4f4f4f4f
¦00f0dbffe000000000000000000000000c0c0c0c0c0c0c0c 0c0c0c0c0c0c
¦40f0dbffd000000000000000000000000242424242424242 424242424242
¦20f0dbffc000000000000000000000000222222222222222 222222222222
¦20f0dbffb000000000000000000000000626262626262626 262626262626
¦10f0dbffa000000000000000000000000919191919191919 191919191919
¦50f0dbff9000000000000000000000000d5d5d5d5d5d5d5d 5d5d5d5d5d5d
¦00f0dbff8000000000000000000000000505050505050505 050505050505
¦00f0dbff7000000000000000000000000505050505050505 050505050505
¦40f0dbff6000000000000000000000000444444444444444 444444444444
+

#
# ./sifter.py --unk --dis --len --sync --tick -- -P1 -t
# ./injector -P1 -t -t -R -0 -s 4293486582
#
# insn tested: 129563
# artf found: 0
# runtime: 00:00:04.23
# seed: 4293486582
# arch: 64
# date: 2017-10-22 16:10:51
#
# cpu:
# processor : 0
# vendor_id : AuthenticAMD
# cpu family : 15
# model : 43
# model name : AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
# stepping : 1
# microcode : 0x4d
# v l s c
0f0d00 1 3 5 2 (0f0d0000000000000000000000000000)
0f0d01 1 3 5 2 (0f0d0100000000000000000000000000)
0f0d02 1 3 5 2 (0f0d0200000000000000000000000000)
0f0d03 1 3 5 2 (0f0d0300000000000000000000000000)
0f0d0400 1 4 5 2 (0f0d0400000000000000000000000000)
0f0d0401 1 4 5 2 (0f0d0401000000000000000000000000)
0f0d0402 1 4 5 2 (0f0d0402000000000000000000000000)
0f0d0403 1 4 5 2 (0f0d0403000000000000000000000000)
0f0d0404 1 4 5 2 (0f0d0404000000000000000000000000)
0f0d040500000000 1 8 5 2 (0f0d0405000000000000000000000000)
0f0d040501000000 1 8 5 2 (0f0d0405010000000000000000000000)
0f0d040502000000 1 8 5 2 (0f0d0405020000000000000000000000)
0f0d040503000000 1 8 5 2 (0f0d0405030000000000000000000000)
0f0d040504000000 1 8 5 2 (0f0d0405040000000000000000000000)

snip

Step 10. Summarize

beginning summarization.
note: this process may take up to an hour to complete, please be patient.

loading sifter log:
[========================================] 100.0%
condensing prefixes:
[========================================] 100.0%
binning results:
[== ] 6.7%



AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
arch: 64 / processor: 0 / vendor: AuthenticAMD / family: 15 / model: n/a / stepping: 1 / ucode: n/a
+---------------------------------+-+----------------------------------------------------------+
¦ .... .............. ¦|¦ instruction group: ¦
¦ 0f.. .............. ¦ ¦ (all) ¦
¦ 0f0d.. .......... ¦ ¦ ¦
¦ 0f0f...... ........ ¦ ¦ instructions found in this group: ¦
¦ 0f18.. ¦ ¦ 168179 ¦
¦ 0f1a.. ¦ ¦ ¦
¦ 0f1b.. ¦ ¦ example instruction from this group: ¦
¦ 0f1c.. ¦ ¦ 0f0f0ccc4d ¦
¦ 0f1d.. ¦ ¦ ¦
¦ 0f1e.. ¦ ¦ group attribute summary: ¦
¦ 0f1f.. ¦ ¦ valid: (1) ¦
¦ 0f38 ¦ ¦ length: (2-9) ¦
¦ 0f78 ¦ ¦ signum: (4-5,11) ¦
¦ 0f79 ¦ ¦ signal: (sigsegv,sigill,sigtrap) ¦
¦ 0fae.. ¦ ¦ sicode: (1-2) ¦
¦ c4.... ...... ¦ ¦ prefixes: (__,26,2e,36,3e,40-4f,64-66) ¦
¦ c5.... ........ ¦ ¦ ¦
¦ db.. ¦ ¦ ¦
¦ df.. ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
¦ ¦ ¦ ¦
+---------------------------------+-+----------------------------------------------------------+
j: down, J: DOWN
k: up, K: UP
l: expand L: all
h: collapse H: all
g: start G: end
{: previous }: next
q: quit and print


Bash script
Version 0.01 created on 22 october 2017 by Skybuck Flying
To Install, Make, Run, Summarize SandSifter Software and Software Dependencies
Successfully tested on Linux Mint 18.2 Sonya on AMD Dual Core X2 3800+ processor
May the Force be with you ! Always ! =D
Have fun analyzing undocumented instructions !!!!
E-mail results to or contact:
^^^ !!! Author of SandSifter Software and interested in log files !!! ^^^

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $

All in all... not too shabby conversion.

Have fun examining software versions in case you need it in the future !

Bye,
Skybuck,
From the past ! =D

Just to be somewhat complete I will post this here too:

Hi,

I hope you have the following newsgroup in case you are highly interested in knowing every last detail and every thought I have on this subject matter:

https://groups.google.com/forum/#!fo...e.pc-homebuilt

There I have written some detailed postings.

In the other newsgroups I will constrain myself to the most important matter/summary of my activities, findings and productions for your usage.

The most important information I want to share with you is the following:

1. I was successfull in running SandSifter software with Linux Mint 18.2 booteable DVD, downloaded ISO from the internet and undocumented instructions have been found for AMD X2 3800+ Dual Core processor.

2. All files are available on my webdrive:

www.skybuck.org/SandSifter/

Explore the "unzipped folder" to see what it's all about.

3. I have written two tutorials how you can also run this software on your computer in case you have a DVD drive and DVD disc to burn this software onto.
One manual tutorial and one automatic tutorial. The automatic tutorial is the easiest one which I will post here, the automatic tutorial includes a run.sh script which I will also post here, this is to help you run this software on your machine, at the end of this posting I will discuss any possible risks to doing so in case you are worried.

Automatic tutorial:

Step 1. Download Linux Mint ISO (Successfully tested on Linux Mint 18.2 Sonya)

https://www.linuxmint.com/

Step 2. Burn Linux Mint ISO to DVD (Windows 7: Right click on file and choose burn to disc).

Step 3. Boot Linux Mint ISO from DVD (Restart computer, if needed go into bios and change boot order, or press F8 to bring up boot menu or something like that)

Step 4. Start FireFox Web Browser

Step 5. Download SandSifter software and extract to a folder.

https://github.com/xoreaxeaxeax/sandsifter

(Click "clone or download", then click "download zip", then click "open with archive manager", then click "extract" (top left icon), click "other locations", choose a harddisk or other storage
medium which is persistent, click on the storage medium, click create new folder (top right icon), name for folder could be "test", click "extract", click "show the files")

Enter the folder "sandsifter-master" by left clicking on it.

Step 6. Download Skybuck's Flying run.sh script file

Download and save the "run.sh" script file to/inside the "sandsifter-master" folder.

http://www.skybuck.org/SandSifter/unzipped/run.sh

Step 7. Open terminal window and resize it to make it bigger

Right click in the empty space and choose "open in terminal"

A window and a prompt/blinking cursor should now come up looking similar to:

mint@mint /media/mint/Windows 7 System (New)/test/sandsifter-master $

Make the window bigger so that the summarize script at the end doesn't crash !

Drag and Drop the window at the bottom right corner to make it bigger (Hold the left mouse button to drag and make it bigger then let mouse button go)

Step 8. Run Skybuck's Flying Bash Script to install software and run SandSifter

type the following command:

bash ./run.sh

Step 9. Guide the software installation and upgrade process

Sometimes it will ask if you want to continue ? Press the Y key.

Once it's done installing SandSifter will automatically run and finally a summary will be created.

Step 10. Wait for the analysis to complete

Once you see instructions scrolling/flying over the screen go take a sleep and wait many hours until it is completely done.

Once it is done it will show something like: "May the Force be with you ! Always !" then you know the script is done !

Step 11. Do not open the log files !

The log files (in data folder) may be to big for the Linux Mint 18.2 text and office editors to handle ! This will probably crash/hang the system !

Step 12. Go into the data folder and send the files to the e-mail address:




The run.sh script:

echo "Step 1. Install standard C library software"
sudo apt-get install libc6-dev

echo "Step 2. Install python pip"
sudo apt install python-pip

echo "Step 3. Update python pip"
sudo pip install --upgrade pip

echo "Step 4. Install setuptools"
sudo pip install setuptools

echo "Step 5. Install capstone binaries"
sudo apt-get install libcapstone3

echo "Step 6. Install capstone dev source"
sudo apt-get install libcapstone-dev

echo "Step 7. Install capstone python bindings (this will take a while)"
sudo pip install capstone

echo "Step 8. Make sandsifter"
make

echo "Step 9. Run sandsifter"
sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

echo "Step 10. Summarize"
../summarize.py data/log

echo ""
echo "Bash script"
echo "Version 0.01 created on 22 october 2017 by Skybuck Flying"
echo "To Install, Make, Run, Summarize SandSifter Software and Software Dependencies"
echo "Successfully tested on Linux Mint 18.2 Sonya on AMD Dual Core X2 3800+ processor"
echo "May the Force be with you ! Always ! =D"
echo "Have fun analyzing undocumented instructions !!!!"
echo "E-mail results to or contact: "
echo "^^^ !!! Author of SandSifter Software and interested in log files !!! ^^^"
echo ""

For now I will not discuss the collected data, this will have to be further analyzed, however I will say that the collected data is in this folder:

http://www.skybuck.org/SandSifter/unzipped/data/

The log file contains discovered undocumented instruction byte code sequences for further investigation.

(Lastly I will try and collect the messages I write on this subject matter in the messages folder so you don't have to scavenge the usenet/web for all info a bit tricky but I will try at least )

Bye,
Skybuck.

Now for some further/fun information I have not yet discussed:

Let's start with the most important part/results which this endeavor produced, the data collected:

http://www.skybuck.org/SandSifter/unzipped/data/

This folder contains two log files which are similar/identical. One was captured in real time and then other one at the end I guess.. in case something went wrong.

I have not yet compared them byte by byte but they should be identical.

In that case let's look at the log file.

This log file contains "undocumented instruction byte code sequences".

These byte code sequences can be fed into an AMD X2 3800+ Dual Core processor and it will happily execute them apperently !

What it will do is *unknown*.

This will have to be further investigated.

Furthermore now for the extra fun part, some screenshots were taken which can also be seen as further prove that this is a real exercise I did 1 :

This folder contains screenshots of the "summmary" stage of the SandSifter software... here it shows the "undocumented instructions groups"... however it also shows this "summary script" crashing which was the reason for me to capture these screenshots in the first place:

http://www.skybuck.org/SandSifter/unzipped/problem/

I actually also recorded a video as I ran the software, I haven't watched it yet... not sure if it's any good or fun to watch but it will probably be somewhat interesting.

However the SSD unfortunately was a bit full because of my video of some bitch ! LOL

BUUUUTTTTTTTTTTTTTT... maybe I will upload it... or maybe I will make a new video... so that youtubers might get interested in this too and see how easy it is to:

1. Run this software

2. Help out in "catching" the "predators" in the "act".

Yes.... who knows.... what this is all about... ?!

Why are there these unknown instructions ?!

If this bothers you... consider analyzing your own processor and then mailing the results to the specified e-mail address.

I am not sure if the author of this software wants to be spammed... but perhaps he wants too...

Maybe first contact him if he is still interested in additional logs... for now I would assume yes... since not that many people yet know how to run this stuff...

Hmmm I think I forgot to mention risks involved with this software. I will get back to this shortly in a moment.... hmmm much to write about.

Special posting about "risks" involved with running this software and also "observed" behaviour of these undocumented instructions.

Let me first start with the simple observed behaviour:

The behaviour is pretty easy to describe:

As some of these undocumented instructions were executed the "instructions per second" as indicated by the SandSifter software (at least that is what I think it is; the white bar that fluctuates left/right horizontal as a speed indicator) started to go down... way down.

Usually the "instructions per second" was about 30.000+ per second.

The AMD X2 3800+ dual core processor has 2.0 GHz per core. The SandSifter software seems to run on one core.

Therefore 30.000 instructions per second seems somewhat lowish, on the low side.

The theory behind it is perhaps setting trap flags, running interrupt handlers and perhaps running the disassembler to tell if it's a "documented" or "undocumented" instructions.

Thus 30.000 instructions seems reasonable assuming that this disassembler has to running many additional instructions per instruction to analyze.

At first I was a bit worried that the outputting to the console itself might be the limiting factor. For now it's seems safe to assume that this is actually not the case. However implementing a feature into SandSifter software to "disable all output to console" might easy some of my concern.. and might also be nice if this is ever a concern in the future on faster CPUs.

Anyway with that out of the way... let's get back to my observation:

The speed dropped from 30.000 all the way down to just 1000 instructions per second.

Now the big questions is why ?

Perhaps the drop is not that big ? Then again... maybe it is.. seems like 30 clock ticks per instruction ? Seems like not that much if my reasoning is correct which is somehow doubt a bit... Perhaps the disassembler doesn't require that much instructions per instruction and thus maybe there is a lot of head room being used up here.

Anyway I will share with you my initial thought which might be wrong:

I thought that this might be a sign that this instruction is actually executed by "bios patches".

Therefore I was concerned that my bios might be "infected" or "injected" with some kind of backdoors.

Now that I look at the numbers again... Assuming that other instructions take about 1 or 2 clock ticks... then falling down 30 clock ticks is not that much and might not be enough to warrent the "bios infected" theory/hypothesis.

Thus for now I conclude that the "instruction must be doing something" but not that much.... It's probably not executing an entire backdoor.

But the instruction could be part of an entire set of "backdoor instructions".

So still anything is possible.

For now I will assume these are some kind of "experimental instructions" doing some kind of "work" about 30 times slower than the usual instructions ?!

What instruction profile would fit this bill ??? Hmmm.

Anyway... let's also discuss "risks" of this software.


1. First of for most there is ofcourse the risk of "Linux Mint ISO" download infection. This has happened before with hackers getting access to "web servers".

Evaluating hashes is not enough, hash collisions could be used to fake hash results.

Therefore there is no real way to known if the "software is safe". Only a bit by bit and byte by byte comparision can garantuee that it is safe.

However since you do not posses any original/trust worthy binary this comparision is not possible to do.

Perhaps a "blockchain" of Linux Mint ISOs might offer some help.

Currently all hosting servers are isolated from each other and do not verify each others distribution as far as I know.

Were these isolated hosting services connected via some blockchain software there would be more verification of each others files.

This is not to say that a hacker could not add a contaminated ISO to the blockchain. Once such a contaminated ISO would be added it would stay there forever which is less ideal. Needless to say there would need to be additional provisions to warn people if such an event occured and somehow mark certain blocks in the blockchain as "untrustworthy" or "contaminated" in future blocks to warn users retro actively of the dangerous of such added iso.

Conclusion if only the blockchain was partially downloaded it might be unsafe for users, plus downloading such a blockchain would require way more bandwidth and storage capacity, on the other hand it does offer some interesting "evolution path" of software and previous versions could be found.

If the hosters would be interested in keeping track of older versions is questionable seeing the pretty big sizes of these distributions... perhaps they might only be interested in latest versions which might be a bit risky in the case of contamination. Thus blockchain even for ISOs has some merit.

For now consider using such an ISO an all or nothing situation, either you trust that it is good, or you believe it is bad and then don't use it.

Verifieing hashes I do not believe in that... if that makes you feel any better go ahead and do it

That concludes my analyses of ISO usage risks.

Let's now proceed with other risks

2. The SandSifter software was not thoroughly reviewed by me, for now I have little reason to believe it is infectious software... it does come from BlackHat though a hacker conference. The software does low level things to your computer/hardware/software. However since a Linux ISO/Boot DVD is used there is little reason to be concerned... I do not believe it modifies critical harddisk files or bios images or anything like that. Once the computer is restarted all traces of it are mostly gone, except for any stored files on the harddisk, like perhaps the software you stored yourself like sandsifter and the data/log files, these are important to store on harddisk or other persistent media in case the computer crashes during "Sand sifting"

There is a real possibility of the computer crashing especially on new or older buggy processors, on my computer it did not crash or hang... at least not during sand sifting... there is a real possibility that certain processors have bugs that will make the system hang.

The Sand Sifter software has a resume option to resume from were it was during a crash... I think it stores it's "check point" in the "tick" file... apperently some sort of instruction were it was busy with, it will probably continue from that point onwards, I could be wrong about that though.

3. Other risks include ofcourse the downloads down by "apt install" and "pip" and that kind of thing.

In case of "untrustworthy" software harddisks could be physically disconnected and perhaps SSDs could be used as storage mediums instead or... usb sticks.

Though these storage mediums should probably at least have 1 gigabyte of free space, just to make sure the data logs can be collected/saved to them.

4. Finally is there a real risk to hardware damage ?

This risk is always present in todays "hot" chips.

The software does run an immense ammount of instructions. Very close to at least
1.000.000.000 instructions just to be analyzed plus additional instructions to actually analyze it.

Total number of instructions could exceed 1.000.000.000.000. These are all run as fast as possible for many many many hours on a single core of the processor.

This could heat up the processor. In case of badly ventilated or clogged up systems this could create "heat" and "erosion" issues.

I have not observed what it did to the temperatures of my system since I have been running this system for almost 12 years now and especially the last few years with same hardware, fans and cooling solutions so I know what my system is capable of and that it is fairly stable heatwise and that I don't have to worry for overheat scenerios.

Still running a system for 7 hours straight without supervision of a human at night is slightly risky... especially with unknown/untrusted and untested software.

4. This leads me to the last risk, "hacker/virus" attack against Linux Mint 18.2.

This is a real risk and probably a very big risk. However let's hope Linux Mint 18.2 is safe enough to afford running a system for 7 hours at night.

This is a risk you will have to take if you do not feel comfortable with doing so then it is advisible to disconnect important harddisks to prevent data loss or data theft.

Further more if attacker does take over system there is also risk of "persistent firmware" injection in all kinds of hardware like graphics cards, soundcards, harddisk chips/firmware and ofcourse the bios.

Therefore running this software is not without risk.

For me personally it was worth the risk.

Seeing a processor constantly embedded with "hardware wise undocumented instructions" which might be a gigant back/open door vs "potential software abuse".

Now the question is:

Which is the bigger elephant in the room ? The software ? or the hardware ?

This question remains to be answered.

Goodbye,
I hope to have informed you well,
Skybuck.