search

skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License
2.81k stars 371 forks source link

Memory address is not in process memory space #103

Closed forensenellanebbia closed 2 years ago

forensenellanebbia commented 2 years ago

Hi, I've got an LSASS memory dump (~140 MB) that I'm unable to parse with pypykatz. Unfortunately I can't share the file, but I can try to provide additional details if needed.

I installed the latest version available through cloning the repo and I'm running it on Ubuntu 20.04.3 LTS w/ Python 3.8.10. This is the message I get:

pypykatz lsa minidump /mnt/hgfs/DMP/error/lsass.dmp 
INFO:pypykatz:===== BASIC INFO. SUBMIT THIS IF THERE IS AN ISSUE =====
INFO:pypykatz:pypyKatz version: 0.5.8
INFO:pypykatz:CPU arch: X64
INFO:pypykatz:OS: Windows Server 2012
INFO:pypykatz:BuildNumber: 9200
INFO:pypykatz:MajorVersion: 6 
INFO:pypykatz:MSV timestamp: 1641006912
INFO:pypykatz:===== BASIC INFO END =====
ERROR:root:Error while parsing file /mnt/hgfs/DMP/error/lsass.dmp
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 261, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 21, in __init__
    self.acquire_crypto_material()
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 29, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 57, in get_IV
    self.reader.move(ptr_iv)
  File "/usr/local/lib/python3.8/dist-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "/usr/local/lib/python3.8/dist-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7fe7f9c8165 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/cmdhelper.py", line 241, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 350, in start
    self.lsa_decryptor = self.get_lsa()
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 267, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 261, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 21, in __init__
    self.acquire_crypto_material()
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 29, in acquire_crypto_material
    self.iv = self.get_IV(sigpos)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 57, in get_IV
    self.reader.move(ptr_iv)
  File "/usr/local/lib/python3.8/dist-packages/minidump/minidumpreader.py", line 136, in move
    self._select_segment(address)
  File "/usr/local/lib/python3.8/dist-packages/minidump/minidumpreader.py", line 104, in _select_segment
    raise Exception('Memory address 0x%08x is not in process memory space' % requested_position)
Exception: Memory address 0x7fe7f9c8165 is not in process memory space

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/lsadecryptor/cmdhelper.py", line 241, in run
    mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 150, in parse_minidump_file
    raise e
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 146, in parse_minidump_file
    mimi.start(packages)
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 350, in start
    self.lsa_decryptor = self.get_lsa()
  File "/usr/local/lib/python3.8/dist-packages/pypykatz-0.5.8-py3.8.egg/pypykatz/pypykatz.py", line 267, in get_lsa
    raise Exception('All detection methods failed.')
Exception: All detection methods failed.

If I run minidump against the file, I get this output:

minidump --all /mnt/hgfs/DMP/error/lsass.dmp 

# minidump 0.0.21 
# Author: Tamas Jos @skelsec (skelsecprojects@gmail.com)

ThreadList
ThreadId | SuspendCount | PriorityClass | Priority | Teb          
------------------------------------------------------------------
0x344    | 0            | 32            | 0        | 0x7f6cd40c000
0x34c    | 0            | 32            | 0        | 0x7f6cd40a000
0x354    | 0            | 32            | 0        | 0x7f6cd405000
0x7fc    | 0            | 32            | 0        | 0x7f6cd2da000
0x55c    | 0            | 32            | 0        | 0x7f6cd2d6000
0x139c   | 0            | 32            | 0        | 0x7f6cd2d8000
0xa844   | 0            | 32            | 0        | 0x7f6cd2d0000
0x3904   | 0            | 32            | 0        | 0x7f6cd403000
0x3380   | 0            | 32            | 0        | 0x7f6cd2cc000
0x99d0   | 0            | 32            | 0        | 0x7f6cd40e000
0x78bc   | 0            | 32            | 0        | 0x7f6cd2de000
0x9e6c   | 0            | 32            | 0        | 0x7f6cd407000
0xb0d8   | 0            | 32            | 0        | 0x7f6cd2dc000
0x88d4   | 0            | 32            | 0        | 0x7f6cd2d2000

== ModuleList ==
Module name                              | BaseAddress   | Size     | Endaddress    | Timestamp 
------------------------------------------------------------------------------------------------
C:\Windows\System32\lsass.exe            | 0x7f6cdcd0000 | 0xd000   | 0x7f6cdcdd000 | 0x60ac6b91
C:\Windows\System32\ntdll.dll            | 0x7fe4f3d0000 | 0x184000 | 0x7fe4f554000 | 0x6160ff55
C:\Windows\System32\kernel32.dll         | 0x7fe4efa0000 | 0x126000 | 0x7fe4f0c6000 | 0x61ca8c4a
C:\Windows\System32\KERNELBASE.dll       | 0x7fe4c2c0000 | 0xc8000  | 0x7fe4c388000 | 0x61933f10
C:\Windows\System32\rpcrt4.dll           | 0x7fe4cc80000 | 0xf9000  | 0x7fe4cd79000 | 0x61ca8536
C:\Windows\System32\sspisrv.dll          | 0x7fe4be80000 | 0xb000   | 0x7fe4be8b000 | 0x60ac7312
C:\Windows\System32\lsasrv.dll           | 0x7fe4bd20000 | 0x121000 | 0x7fe4be41000 | 0x61cfc740
C:\Windows\System32\msvcrt.dll           | 0x7fe4c880000 | 0xa5000  | 0x7fe4c925000 | 0x5010ac20
C:\Windows\System32\sspicli.dll          | 0x7fe4be50000 | 0x23000  | 0x7fe4be73000 | 0x60ac6b97
C:\Windows\System32\sechost.dll          | 0x7fe4ef50000 | 0x42000  | 0x7fe4ef92000 | 0x61c3ee65
C:\Windows\System32\msasn1.dll           | 0x7fe4c1c0000 | 0x16000  | 0x7fe4c1d6000 | 0x50108afc
C:\Windows\System32\samsrv.dll           | 0x7fe4bc50000 | 0xb1000  | 0x7fe4bd01000 | 0x61cd24c1
C:\Windows\System32\bcrypt.dll           | 0x7fe4c140000 | 0x21000  | 0x7fe4c161000 | 0x60ac6b9b
C:\Windows\System32\ncrypt.dll           | 0x7fe4bbb0000 | 0x1f000  | 0x7fe4bbcf000 | 0x61cfc785
C:\Windows\System32\ntasn1.dll           | 0x7fe4bb70000 | 0x35000  | 0x7fe4bba5000 | 0x50108a88
C:\Windows\System32\msprivs.dll          | 0x7fe4bb60000 | 0x2000   | 0x7fe4bb62000 | 0x5010acc1
C:\Windows\System32\netjoin.dll          | 0x7fe4bb20000 | 0x39000  | 0x7fe4bb59000 | 0x50108985
C:\Windows\System32\bcryptprimitives.dll | 0x7fe4be90000 | 0x5c000  | 0x7fe4beec000 | 0x57a9dd74
C:\Windows\System32\negoexts.dll         | 0x7fe4baf0000 | 0x24000  | 0x7fe4bb14000 | 0x50108948
C:\Windows\System32\CRYPTBASE.dll        | 0x7fe4bef0000 | 0xa000   | 0x7fe4befa000 | 0x5010ab50
C:\Windows\System32\cryptdll.dll         | 0x7fe4bad0000 | 0x14000  | 0x7fe4bae4000 | 0x5ca6165d
C:\Windows\System32\kerberos.dll         | 0x7fe4ba00000 | 0xcc000  | 0x7fe4bacc000 | 0x61e8d550
C:\Windows\System32\cryptsp.dll          | 0x7fe4b9e0000 | 0x1a000  | 0x7fe4b9fa000 | 0x50108ad9
C:\Windows\System32\ws2_32.dll           | 0x7fe4d630000 | 0x58000  | 0x7fe4d688000 | 0x572e9048
C:\Windows\System32\nsi.dll              | 0x7fe4cc70000 | 0x9000   | 0x7fe4cc79000 | 0x5010ac24
C:\Windows\System32\mswsock.dll          | 0x7fe4b980000 | 0x5c000  | 0x7fe4b9dc000 | 0x572e9031
C:\Windows\System32\msv1_0.dll           | 0x7fe4b930000 | 0x4f000  | 0x7fe4b97f000 | 0x61e22960
C:\Windows\System32\netlogon.dll         | 0x7fe4b870000 | 0xbe000  | 0x7fe4b92e000 | 0x61e2295e
C:\Windows\System32\dnsapi.dll           | 0x7fe4b7d0000 | 0x98000  | 0x7fe4b868000 | 0x604db914
C:\Windows\System32\logoncli.dll         | 0x7fe4b790000 | 0x34000  | 0x7fe4b7c4000 | 0x5eda5879
C:\Windows\System32\powrprof.dll         | 0x7fe4c060000 | 0x43000  | 0x7fe4c0a3000 | 0x501089e8
C:\Windows\System32\userenv.dll          | 0x7fe4c610000 | 0x1f000  | 0x7fe4c62f000 | 0x5f729b73
C:\Windows\System32\advapi32.dll         | 0x7fe4c770000 | 0xd5000  | 0x7fe4c845000 | 0x61cfce81
C:\Windows\System32\profapi.dll          | 0x7fe4c170000 | 0x15000  | 0x7fe4c185000 | 0x50108ab9
C:\Windows\System32\schannel.dll         | 0x7fe4b730000 | 0x5b000  | 0x7fe4b78b000 | 0x61cfc744
C:\Windows\System32\crypt32.dll          | 0x7fe4c3c0000 | 0x20c000 | 0x7fe4c5cc000 | 0x6164f563
C:\Windows\System32\wdigest.dll          | 0x7fe4b6f0000 | 0x35000  | 0x7fe4b725000 | 0x61cfc783
C:\Windows\System32\rsaenh.dll           | 0x7fe4b6a0000 | 0x48000  | 0x7fe4b6e8000 | 0x608a12a5
C:\Windows\System32\TSpkg.dll            | 0x7fe4b680000 | 0x1c000  | 0x7fe4b69c000 | 0x61cfc745
C:\Windows\System32\pku2u.dll            | 0x7fe4b630000 | 0x43000  | 0x7fe4b673000 | 0x60064e33
C:\Windows\System32\efslsaext.dll        | 0x7fe4b610000 | 0x12000  | 0x7fe4b622000 | 0x61aac2e7
C:\Windows\System32\dpapisrv.dll         | 0x7fe4b5e0000 | 0x2e000  | 0x7fe4b60e000 | 0x61cfc6ed
C:\Windows\System32\scecli.dll           | 0x7fe4b5a0000 | 0x3c000  | 0x7fe4b5dc000 | 0x5e607322
C:\Windows\System32\rassfm.dll           | 0x7fe4b590000 | 0xb000   | 0x7fe4b59b000 | 0x5010a600
C:\Windows\System32\winsta.dll           | 0x7fe4bff0000 | 0x4d000  | 0x7fe4c03d000 | 0x53b9fb69
C:\Windows\System32\wkscli.dll           | 0x7fe4c1a0000 | 0x16000  | 0x7fe4c1b6000 | 0x61cfc764
C:\Windows\System32\netutils.dll         | 0x7fe4c190000 | 0xe000   | 0x7fe4c19e000 | 0x50108a19
C:\Windows\System32\wevtapi.dll          | 0x7fe48b30000 | 0x6c000  | 0x7fe48b9c000 | 0x50108995
C:\Windows\System32\pcwum.dll            | 0x7fe4b450000 | 0xe000   | 0x7fe4b45e000 | 0x5010ac3a
C:\Windows\System32\secur32.dll          | 0x7fe46c00000 | 0xb000   | 0x7fe46c0b000 | 0x50108ad5
C:\Windows\System32\authz.dll            | 0x7fe4b4d0000 | 0x47000  | 0x7fe4b517000 | 0x501089d5
C:\Windows\System32\IPHLPAPI.DLL         | 0x7fe48350000 | 0x2a000  | 0x7fe4837a000 | 0x505a9be8
C:\Windows\System32\winnsi.dll           | 0x7fe483c0000 | 0xa000   | 0x7fe483ca000 | 0x50108ad1
C:\Windows\System32\Wldap32.dll          | 0x7fe4d320000 | 0x5e000  | 0x7fe4d37e000 | 0x593ae6b2
C:\Windows\System32\rasadhlp.dll         | 0x7fe46b50000 | 0x8000   | 0x7fe46b58000 | 0x50108a13
C:\Windows\System32\FWPUCLNT.DLL         | 0x7fe482a0000 | 0x63000  | 0x7fe48303000 | 0x617769a2
C:\Windows\System32\winbrand.dll         | 0x7fe499a0000 | 0xc000   | 0x7fe499ac000 | 0x5010893d
C:\Windows\System32\gpapi.dll            | 0x7fe4b420000 | 0x1f000  | 0x7fe4b43f000 | 0x5f729bd0
C:\Windows\System32\dsparse.dll          | 0x7fe46b80000 | 0xb000   | 0x7fe46b8b000 | 0x501089ff
C:\Windows\System32\ntdsapi.dll          | 0x7fe48850000 | 0x24000  | 0x7fe48874000 | 0x501089b3
C:\Windows\System32\keyiso.dll           | 0x7fe44360000 | 0x13000  | 0x7fe44373000 | 0x5ee822d8
C:\Windows\System32\NCRYPTPROV.DLL       | 0x7fe44320000 | 0x39000  | 0x7fe44359000 | 0x61b16f19
C:\Windows\System32\combase.dll          | 0x7fe4d050000 | 0x157000 | 0x7fe4d1a7000 | 0x6160f4dd
C:\Windows\System32\dpapi.dll            | 0x7fe4af60000 | 0x8000   | 0x7fe4af68000 | 0x50108aef
C:\Windows\System32\ncryptsslp.dll       | 0x7fe453e0000 | 0x1a000  | 0x7fe453fa000 | 0x566087a1
C:\Windows\System32\dssenh.dll           | 0x7fe44040000 | 0x31000  | 0x7fe44071000 | 0x6088bd9c
C:\Windows\System32\mpr.dll              | 0x7fe4af70000 | 0x17000  | 0x7fe4af87000 | 0x50108aeb
C:\Windows\System32\cryptnet.dll         | 0x7fe34f50000 | 0x27000  | 0x7fe34f77000 | 0x5171ed63
C:\Windows\System32\ClusAuthMgr.DLL      | 0x7fe28330000 | 0x10000  | 0x7fe28340000 | 0x5010a424
C:\Windows\System32\certpoleng.dll       | 0x7fe21b00000 | 0x23000  | 0x7fe21b23000 | 0x5010a4fc
C:\Windows\System32\winbio.dll           | 0x7fe479f0000 | 0x1c000  | 0x7fe47a0c000 | 0x50108952
C:\Windows\System32\winhttp.dll          | 0x7fe48d90000 | 0xb2000  | 0x7fe48e42000 | 0x5c2b881c
C:\Windows\System32\webio.dll            | 0x7fe31b10000 | 0x92000  | 0x7fe31ba2000 | 0x56dee16b
C:\Windows\System32\samlib.dll           | 0x7fe48280000 | 0x1e000  | 0x7fe4829e000 | 0x60d690f2

== MinidumpMemory64List ==
VA Start      | RVA       | Size    
------------------------------------
0x7ffe0000    | 0xb82c    | 0x1000  
0x438f830000  | 0xc82c    | 0x10000 
0x438f840000  | 0x1c82c   | 0x1000  
0x438f850000  | 0x1d82c   | 0x9000  
0x438f8c5000  | 0x2682c   | 0x1b000 
0x438f8e0000  | 0x4182c   | 0x4000  
0x438f8f0000  | 0x4582c   | 0x1000  
0x438f900000  | 0x4682c   | 0x2000  
0x438f910000  | 0x4882c   | 0x1000  
0x438f920000  | 0x4982c   | 0x10000 
0x438f930000  | 0x5982c   | 0x2000  
0x438f940000  | 0x5b82c   | 0xf000  
0x438f950000  | 0x6a82c   | 0x1000  
0x438f960000  | 0x6b82c   | 0x1000  
0x438f970000  | 0x6c82c   | 0x1000  
0x438f980000  | 0x6d82c   | 0xff000 
0x438fa80000  | 0x16c82c  | 0x75000 
0x438fb74000  | 0x1e182c  | 0xc000  
0x438fb80000  | 0x1ed82c  | 0x10000 
0x438fcb0000  | 0x1fd82c  | 0x7f000 
0x438fd30000  | 0x27c82c  | 0x55000 
0x438fd86000  | 0x2d182c  | 0x29000 
0x438fdb0000  | 0x2fa82c  | 0x11000 
0x438fdd0000  | 0x30b82c  | 0xa000  
0x438fde0000  | 0x31582c  | 0x1000  
0x438fdf0000  | 0x31682c  | 0x1000  
0x438fe00000  | 0x31782c  | 0x1000  
0x438fe10000  | 0x31882c  | 0x7f000 
0x438fe90000  | 0x39782c  | 0x1000  
0x438fea0000  | 0x39882c  | 0x1000  
0x438feb0000  | 0x39982c  | 0x1000  
0x438fec0000  | 0x39a82c  | 0x1000  
0x438fed0000  | 0x39b82c  | 0x1000  
0x438fee0000  | 0x39c82c  | 0x7f000 
0x438ffd4000  | 0x41b82c  | 0xc000  
0x438ffe0000  | 0x42782c  | 0x1000  
0x438fff0000  | 0x42882c  | 0x1000  
0x4390000000  | 0x42982c  | 0x7f000 
0x4390080000  | 0x4a882c  | 0xbc000 
0x43901b0000  | 0x56482c  | 0x12000 
0x43901f0000  | 0x57682c  | 0x7f000 
0x43902c0000  | 0x5f582c  | 0x7f000 
0x4390380000  | 0x67482c  | 0x15000 
0x4390396000  | 0x68982c  | 0x17000 
0x43903b2000  | 0x6a082c  | 0xa000  
0x43903bd000  | 0x6aa82c  | 0x6000  
0x43903c6000  | 0x6b082c  | 0x13000 
0x43903da000  | 0x6c382c  | 0xd000  
0x43903ec000  | 0x6d082c  | 0x2000  
0x43903f4000  | 0x6d282c  | 0x3000  
0x43903fa000  | 0x6d582c  | 0x5000  
0x4390466000  | 0x6da82c  | 0x1a000 
0x43904b0000  | 0x6f482c  | 0x7f000 
0x4390590000  | 0x77382c  | 0x7f000 
0x4390650000  | 0x7f282c  | 0x1f000 
0x4390670000  | 0x81182c  | 0x4000  
0x439067b000  | 0x81582c  | 0x48000 
0x43906c6000  | 0x85d82c  | 0x9000  
0x4390710000  | 0x86682c  | 0x7f000 
0x43907e0000  | 0x8e582c  | 0x2d000 
0x4390814000  | 0x91282c  | 0x4000  
0x439081b000  | 0x91682c  | 0x11000 
0x439082d000  | 0x92782c  | 0x8000  
0x4390837000  | 0x92f82c  | 0x4000  
0x439083c000  | 0x93382c  | 0x8000  
0x4390845000  | 0x93b82c  | 0x6000  
0x439084d000  | 0x94182c  | 0x12000 
0x43908b0000  | 0x95382c  | 0x25000 
0x43908df000  | 0x97882c  | 0xe000  
0x43908f1000  | 0x98682c  | 0x3e000 
0x43909a2000  | 0x9c482c  | 0xe000  
0x4390a00000  | 0x9d282c  | 0x7f000 
0x4390ae5000  | 0xa5182c  | 0x1b000 
0x4390b10000  | 0xa6c82c  | 0x6d000 
0x4390b81000  | 0xad982c  | 0xe000  
0x4390bc0000  | 0xae782c  | 0x7f000 
0x4390c40000  | 0xb6682c  | 0x55000 
0x4390c98000  | 0xbbb82c  | 0x2000  
0x4390c9c000  | 0xbbd82c  | 0x23000 
0x4390d25000  | 0xbe082c  | 0x1b000 
0x4390d90000  | 0xbfb82c  | 0x7f000 
0x4390e76000  | 0xc7a82c  | 0x1a000 
0x4390ee0000  | 0xc9482c  | 0x29000 
0x4390f0c000  | 0xcbd82c  | 0x38000 
0x4390f46000  | 0xcf582c  | 0x19000 
0x4390f70000  | 0xd0e82c  | 0x2e000 
0x4390f9f000  | 0xd3c82c  | 0x30000 
0x4390fd3000  | 0xd6c82c  | 0x3000  
0x4390fd9000  | 0xd6f82c  | 0x16000 
0x4391000000  | 0xd8582c  | 0x7f000 
0x4391080000  | 0xe0482c  | 0x19000 
0x439121f000  | 0xe1d82c  | 0x11000 
0x4391240000  | 0xe2e82c  | 0x3e000 
0x439127f000  | 0xe6c82c  | 0xe000  
0x4391290000  | 0xe7a82c  | 0x3000  
0x4391294000  | 0xe7d82c  | 0x18000 
0x43912af000  | 0xe9582c  | 0x10000 
0x43912c0000  | 0xea582c  | 0x19000 
0x4391450000  | 0xebe82c  | 0x7f000 
0x43914d0000  | 0xf3d82c  | 0x400000
0x43918d0000  | 0x133d82c | 0x2d5000
0x4391c22000  | 0x161282c | 0xe000  
0x4391c60000  | 0x162082c | 0x4000  
0x4391ce0000  | 0x162482c | 0x1b000 
0x4391e10000  | 0x163f82c | 0x22000 
0x4391f40000  | 0x166182c | 0x19000 
0x4392070000  | 0x167a82c | 0x1000  
0x4392170000  | 0x167b82c | 0x12000 
0x43922a0000  | 0x168d82c | 0x19000 
0x4392435000  | 0x16a682c | 0x1b000 
0x4392450000  | 0x16c182c | 0x1b000 
0x43925c0000  | 0x16dc82c | 0xf000  
0x4392650000  | 0x16eb82c | 0x83000 
0x4392750000  | 0x176e82c | 0x19000 
0x4392880000  | 0x178782c | 0xff000 
0x4392980000  | 0x188682c | 0x14000 
0x4392ab0000  | 0x189a82c | 0xff000 
0x4392bb0000  | 0x199982c | 0x47000 
0x4392ce0000  | 0x19e082c | 0x3d000 
0x4392d20000  | 0x1a1d82c | 0x2a000 
0x4392d4d000  | 0x1a4782c | 0x2000  
0x4392d5f000  | 0x1a4982c | 0x5000  
0x4392d68000  | 0x1a4e82c | 0x6000  
0x4392d6f000  | 0x1a5482c | 0x29000 
0x4392d99000  | 0x1a7d82c | 0xb000  
0x4392da9000  | 0x1a8882c | 0x12000 
0x4392dbe000  | 0x1a9a82c | 0xd000  
0x4392dcc000  | 0x1aa782c | 0x13000 
0x4392e54000  | 0x1aba82c | 0xc000  
0x4392e60000  | 0x1ac682c | 0x14000 
0x4392ff5000  | 0x1ada82c | 0x1b000 
0x4393010000  | 0x1af582c | 0x17000 
0x4393140000  | 0x1b0c82c | 0x1ff000
0x4393340000  | 0x1d0b82c | 0x67000 
0x43933ab000  | 0x1d7282c | 0xd000  
0x43933bd000  | 0x1d7f82c | 0x4000  
0x43933c8000  | 0x1d8382c | 0x3000  
0x43933cd000  | 0x1d8682c | 0x9000  
0x43933d7000  | 0x1d8f82c | 0x9000  
0x43933e5000  | 0x1d9882c | 0x16000 
0x43933fc000  | 0x1dae82c | 0x18000 
0x4393417000  | 0x1dc682c | 0x6000  
0x439342c000  | 0x1dcc82c | 0x7000  
0x439343b000  | 0x1dd382c | 0x4000  
0x4393440000  | 0x1dd782c | 0x17000 
0x4393570000  | 0x1dee82c | 0x36000 
0x43935a8000  | 0x1e2482c | 0x4000  
0x43935b2000  | 0x1e2882c | 0x5000  
0x43935bc000  | 0x1e2d82c | 0x3b000 
0x43935fa000  | 0x1e6882c | 0x1000  
0x43935fe000  | 0x1e6982c | 0x1f000 
0x439362c000  | 0x1e8882c | 0x11000 
0x4393642000  | 0x1e9982c | 0x2000  
0x439364b000  | 0x1e9b82c | 0x11000 
0x4393662000  | 0x1eac82c | 0xd000  
0x4393670000  | 0x1eb982c | 0x1f000 
0x4393820000  | 0x1ed882c | 0x17000 
0x43939b5000  | 0x1eef82c | 0x1b000 
0x43939d0000  | 0x1f0a82c | 0x1b000 
0x4393b00000  | 0x1f2582c | 0x14000 
0x4393cb0000  | 0x1f3982c | 0x10000 
0x4393de0000  | 0x1f4982c | 0x14000 
0x4393f90000  | 0x1f5d82c | 0x17000 
0x43940c0000  | 0x1f7482c | 0x3000  
0x43940c6000  | 0x1f7782c | 0xb000  
0x43940d5000  | 0x1f8282c | 0x8d000 
0x4394165000  | 0x200f82c | 0xd000  
0x4394187000  | 0x201c82c | 0x2e000 
0x43941ba000  | 0x204a82c | 0x5000  
0x43941c0000  | 0x204f82c | 0x19000 
0x4394370000  | 0x206882c | 0x12000 
0x43944a0000  | 0x207a82c | 0x1b000 
0x4394650000  | 0x209582c | 0xc8000 
0x439471c000  | 0x215d82c | 0x13000 
0x439474b000  | 0x217082c | 0x4000  
0x4394750000  | 0x217482c | 0x1e000 
0x4394771000  | 0x219282c | 0x81000 
0x43947f4000  | 0x221382c | 0xf000  
0x4394809000  | 0x222282c | 0x12000 
0x4394821000  | 0x223482c | 0x2e000 
0x43948d0000  | 0x226282c | 0xd4000 
0x43949c7000  | 0x233682c | 0x8000  
0x43949d0000  | 0x233e82c | 0x1ff000
0x4394bd0000  | 0x253d82c | 0x3ff000
0x4394fd0000  | 0x293c82c | 0x1b000 
0x4395100000  | 0x295782c | 0xee000 
0x43951f7000  | 0x2a4582c | 0x6000  
0x43951fe000  | 0x2a4b82c | 0x1000  
0x4395200000  | 0x2a4c82c | 0xa8000 
0x43952ad000  | 0x2af482c | 0x41000 
0x43952f4000  | 0x2b3582c | 0x1000  
0x43952fb000  | 0x2b3682c | 0x4000  
0x4395380000  | 0x2b3a82c | 0x2d000 
0x43953b0000  | 0x2b6782c | 0x9e000 
0x4395451000  | 0x2c0582c | 0x2e000 
0x4395480000  | 0x2c3382c | 0xff000 
0x4395580000  | 0x2d3282c | 0x48000 
0x43955ce000  | 0x2d7a82c | 0x3000  
0x43955d5000  | 0x2d7d82c | 0x2000  
0x43955da000  | 0x2d7f82c | 0x2c000 
0x4395609000  | 0x2dab82c | 0x5000  
0x4395611000  | 0x2db082c | 0x69000 
0x439567e000  | 0x2e1982c | 0x1000  
0x4395680000  | 0x2e1a82c | 0x7ff000
0x4395e80000  | 0x361982c | 0x202000
0x4396280000  | 0x381b82c | 0x16000 
0x4396298000  | 0x383182c | 0xe000  
0x43962aa000  | 0x383f82c | 0x8000  
0x43962c8000  | 0x384782c | 0x29000 
0x43962f2000  | 0x387082c | 0x30000 
0x4396332000  | 0x38a082c | 0x29000 
0x4396364000  | 0x38c982c | 0x16000 
0x439637d000  | 0x38df82c | 0x2000  
0x4396380000  | 0x38e182c | 0x2c000 
0x43963b1000  | 0x390d82c | 0x4000  
0x43963c1000  | 0x391182c | 0x18000 
0x43963e3000  | 0x392982c | 0x3000  
0x43963ea000  | 0x392c82c | 0x31000 
0x4396432000  | 0x395d82c | 0x25000 
0x439645b000  | 0x398282c | 0x4000  
0x4396464000  | 0x398682c | 0x1b000 
0x4396480000  | 0x39a182c | 0x1a000 
0x439649e000  | 0x39bb82c | 0x4000  
0x43964a7000  | 0x39bf82c | 0x2e000 
0x43964dc000  | 0x39ed82c | 0x65000 
0x439654b000  | 0x3a5282c | 0x23000 
0x4396579000  | 0x3a7582c | 0x6000  
0x4396580000  | 0x3a7b82c | 0x1b000 
0x43965a1000  | 0x3a9682c | 0x43000 
0x43965e7000  | 0x3ad982c | 0x57000 
0x4396659000  | 0x3b3082c | 0x26000 
0x4396680000  | 0x3b5682c | 0x17000 
0x439669b000  | 0x3b6d82c | 0x27000 
0x43966c8000  | 0x3b9482c | 0x76000 
0x4396743000  | 0x3c0a82c | 0x3c000 
0x4396780000  | 0x3c4682c | 0x24000 
0x43967b3000  | 0x3c6a82c | 0x3b000 
0x43967ef000  | 0x3ca582c | 0x23000 
0x4396815000  | 0x3cc882c | 0x5000  
0x439681d000  | 0x3ccd82c | 0x24000 
0x4396843000  | 0x3cf182c | 0x18000 
0x439685e000  | 0x3d0982c | 0x6000  
0x439687e000  | 0x3d0f82c | 0x1000  
0x4396880000  | 0x3d1082c | 0x2000  
0x43969b0000  | 0x3d1282c | 0x2a000 
0x43969dd000  | 0x3d3c82c | 0x1b000 
0x4396a00000  | 0x3d5782c | 0x1000  
0x4396a20000  | 0x3d5882c | 0x3b000 
0x4396a5e000  | 0x3d9382c | 0x51000 
0x4396ab0000  | 0x3de482c | 0x1000  
0x4396ab4000  | 0x3de582c | 0x2e000 
0x4396ae3000  | 0x3e1382c | 0x5000  
0x4396aeb000  | 0x3e1882c | 0x2e000 
0x4396b1a000  | 0x3e4682c | 0x2a000 
0x4396b46000  | 0x3e7082c | 0x69000 
0x4396bb0000  | 0x3ed982c | 0xff000 
0x4396cb0000  | 0x3fd882c | 0x2000  
0x4396cb4000  | 0x3fda82c | 0xfb000 
0x4396db0000  | 0x40d582c | 0x1000  
0x4396db4000  | 0x40d682c | 0x5000  
0x4396dba000  | 0x40db82c | 0xb000  
0x4396dc6000  | 0x40e682c | 0x1000  
0x4396dc9000  | 0x40e782c | 0x8000  
0x4396dd2000  | 0x40ef82c | 0x2a000 
0x4396e1a000  | 0x411982c | 0x13000 
0x4396e2e000  | 0x412c82c | 0x4000  
0x4396e38000  | 0x413082c | 0x1f000 
0x4396e5e000  | 0x414f82c | 0xc000  
0x4396e6d000  | 0x415b82c | 0x13000 
0x4396e88000  | 0x416e82c | 0x27000 
0x4396eb0000  | 0x419582c | 0x954000
0x4397805000  | 0x4ae982c | 0x12e000
0x4397934000  | 0x4c1782c | 0x10b000
0x4397a40000  | 0x4d2282c | 0xa8000 
0x4397ae9000  | 0x4dca82c | 0xfb000 
0x4397be5000  | 0x4ec582c | 0x6d000 
0x4397c53000  | 0x4f3282c | 0xb0000 
0x4397d04000  | 0x4fe282c | 0x89000 
0x4397d8e000  | 0x506b82c | 0xc7000 
0x4397e56000  | 0x513282c | 0x29000 
0x4397e80000  | 0x515b82c | 0x7b000 
0x4397f01000  | 0x51d682c | 0x16000 
0x4397f20000  | 0x51ec82c | 0x4000  
0x4397f3e000  | 0x51f082c | 0x9000  
0x4397f4e000  | 0x51f982c | 0xd000  
0x4397f79000  | 0x520682c | 0x6000  
0x4397f80000  | 0x520c82c | 0x1000  
0x4397f88000  | 0x520d82c | 0x11000 
0x4397f9e000  | 0x521e82c | 0x2f000 
0x4397ffc000  | 0x524d82c | 0x19000 
0x4398053000  | 0x526682c | 0x14000 
0x43980be000  | 0x527a82c | 0x1000  
0x4398180000  | 0x527b82c | 0x1f000 
0x43981a1000  | 0x529a82c | 0x7000  
0x43981b6000  | 0x52a182c | 0x2c000 
0x43981e8000  | 0x52cd82c | 0x29000 
0x4398217000  | 0x52f682c | 0x7d000 
0x43982ab000  | 0x537382c | 0x6c000 
0x4398326000  | 0x53df82c | 0x12000 
0x439833c000  | 0x53f182c | 0x6000  
0x4398343000  | 0x53f782c | 0x3c000 
0x4398380000  | 0x543382c | 0x21000 
0x43983bb000  | 0x545482c | 0x2000  
0x43983cb000  | 0x545682c | 0x1e000 
0x4398410000  | 0x547482c | 0x9000  
0x4398430000  | 0x547d82c | 0x28000 
0x4398459000  | 0x54a582c | 0x1f000 
0x43984bb000  | 0x54c482c | 0x3000  
0x43984dc000  | 0x54c782c | 0x32000 
0x4398580000  | 0x54f982c | 0x19000 
0x439859a000  | 0x551282c | 0x107000
0x43986a2000  | 0x561982c | 0x14000 
0x43986b7000  | 0x562d82c | 0x1e2000
0x439889a000  | 0x580f82c | 0x1e9000
0x4398a84000  | 0x59f882c | 0x2fe000
0x4398d83000  | 0x5cf682c | 0x7cc000
0x4399550000  | 0x64c282c | 0x11000 
0x4399562000  | 0x64d382c | 0x4000  
0x4399588000  | 0x64d782c | 0x1f000 
0x43995b7000  | 0x64f682c | 0x1e000 
0x43995dc000  | 0x651482c | 0xd000  
0x43995f0000  | 0x652182c | 0x31000 
0x4399627000  | 0x655282c | 0xb000  
0x4399634000  | 0x655d82c | 0x37000 
0x439966c000  | 0x659482c | 0xa000  
0x43996f2000  | 0x659e82c | 0x1000  
0x4399750000  | 0x659f82c | 0x61000 
0x43997b2000  | 0x660082c | 0x7000  
0x4399800000  | 0x660782c | 0xa5000 
0x43998d6000  | 0x66ac82c | 0x1000  
0x4399950000  | 0x66ad82c | 0x10000 
0x4399977000  | 0x66bd82c | 0x2000  
0x4399993000  | 0x66bf82c | 0x11000 
0x4399a00000  | 0x66d082c | 0x11000 
0x4399b50000  | 0x66e182c | 0x1000  
0x4399b60000  | 0x66e282c | 0x18000 
0x4399b7e000  | 0x66fa82c | 0x23000 
0x4399bb0000  | 0x671d82c | 0x8c000 
0x4399c63000  | 0x67a982c | 0x16000 
0x4399cad000  | 0x67bf82c | 0x1000  
0x4399d50000  | 0x67c082c | 0x5f000 
0x4399db5000  | 0x681f82c | 0x1000  
0x4399db7000  | 0x682082c | 0x42000 
0x4399e96000  | 0x686282c | 0x11000 
0x4399ea8000  | 0x687382c | 0x1000  
0x4399f50000  | 0x687482c | 0x12000 
0x4399f7b000  | 0x688682c | 0x2000  
0x4399f80000  | 0x688882c | 0x24000 
0x4399ff3000  | 0x68ac82c | 0x20000 
0x439a150000  | 0x68cc82c | 0x41000 
0x439a1a6000  | 0x690d82c | 0x3000  
0x439a209000  | 0x691082c | 0x2a000 
0x439a238000  | 0x693a82c | 0x3000  
0x439a350000  | 0x693d82c | 0x11000 
0x439a378000  | 0x694e82c | 0x7f000 
0x439a3fc000  | 0x69cd82c | 0x57000 
0x439a4ce000  | 0x6a2482c | 0x11000 
0x439a540000  | 0x6a3582c | 0xf000  
0x439a550000  | 0x6a4482c | 0xa1000 
0x439a750000  | 0x6ae582c | 0x47000 
0x439a7ae000  | 0x6b2c82c | 0x25000 
0x439a838000  | 0x6b5182c | 0x5000  
0x439a864000  | 0x6b5682c | 0x31000 
0x439a8b3000  | 0x6b8782c | 0x2a000 
0x439a950000  | 0x6bb182c | 0x15000 
0x439a9b6000  | 0x6bc682c | 0x1000  
0x439ab50000  | 0x6bc782c | 0x9d000 
0x439ac7c000  | 0x6c6482c | 0x1000  
0x439ad50000  | 0x6c6582c | 0x4c000 
0x439ada2000  | 0x6cb182c | 0x1000  
0x439adb6000  | 0x6cb282c | 0x5f000 
0x439ae22000  | 0x6d1182c | 0x3000  
0x439ae29000  | 0x6d1482c | 0x2000  
0x439ae86000  | 0x6d1682c | 0xd000  
0x439aead000  | 0x6d2382c | 0x59000 
0x439b150000  | 0x6d7c82c | 0x1000  
0x439b162000  | 0x6d7d82c | 0x7000  
0x439b16b000  | 0x6d8482c | 0x5000  
0x439b19f000  | 0x6d8982c | 0x18000 
0x439b1d6000  | 0x6da182c | 0x29000 
0x439b203000  | 0x6dca82c | 0x2000  
0x439b23b000  | 0x6dcc82c | 0x21000 
0x439b350000  | 0x6ded82c | 0x1000  
0x439b368000  | 0x6dee82c | 0x29000 
0x439b397000  | 0x6e1782c | 0x29000 
0x439b3e1000  | 0x6e4082c | 0x5000  
0x439b410000  | 0x6e4582c | 0x21000 
0x439b438000  | 0x6e6682c | 0x9000  
0x439b444000  | 0x6e6f82c | 0x29000 
0x439b47b000  | 0x6e9882c | 0x15000 
0x439b49b000  | 0x6ead82c | 0x1000  
0x439b550000  | 0x6eae82c | 0xff000 
0x439b750000  | 0x6fad82c | 0x75000 
0x439b7ca000  | 0x702282c | 0x14000 
0x439b805000  | 0x703682c | 0x2e000 
0x439b846000  | 0x706482c | 0x73000 
0x439b950000  | 0x70d782c | 0x43000 
0x439b996000  | 0x711a82c | 0x3000  
0x439b9a6000  | 0x711d82c | 0x9000  
0x439ba08000  | 0x712682c | 0x1000  
0x439bb50000  | 0x712782c | 0x1000  
0x439bb53000  | 0x712882c | 0xe000  
0x439bb98000  | 0x713682c | 0x19000 
0x439bbb6000  | 0x714f82c | 0x1000  
0x439bd50000  | 0x715082c | 0x10000 
0x439bd7f000  | 0x716082c | 0x11000 
0x439be3c000  | 0x717182c | 0x1000  
0x439bf50000  | 0x717282c | 0x1000  
0x439bf60000  | 0x717382c | 0x1000  
0x439bf70000  | 0x717482c | 0x2000  
0x439bf79000  | 0x717682c | 0x2a000 
0x439bfd6000  | 0x71a082c | 0x9000  
0x439bfee000  | 0x71a982c | 0x21000 
0x439c065000  | 0x71ca82c | 0x3000  
0x439c080000  | 0x71cd82c | 0x25000 
0x439c0d3000  | 0x71f282c | 0x1000  
0x439c150000  | 0x71f382c | 0x1000  
0x439c180000  | 0x71f482c | 0x11000 
0x439c1f0000  | 0x720582c | 0x21000 
0x439c218000  | 0x722682c | 0x1000  
0x439c350000  | 0x722782c | 0x85b000
0x439d320000  | 0x7a8282c | 0x1000  
0x439d341000  | 0x7a8382c | 0x1000  
0x7f6cd2cc000 | 0x7a8482c | 0x2000  
0x7f6cd2d0000 | 0x7a8682c | 0x2000  
0x7f6cd2d2000 | 0x7a8882c | 0x2000  
0x7f6cd2d6000 | 0x7a8a82c | 0x2000  
0x7f6cd2d8000 | 0x7a8c82c | 0x2000  
0x7f6cd2da000 | 0x7a8e82c | 0x2000  
0x7f6cd2dc000 | 0x7a9082c | 0x2000  
0x7f6cd2de000 | 0x7a9282c | 0x2000  
0x7f6cd2e0000 | 0x7a9482c | 0x5000  
0x7f6cd3e0000 | 0x7a9982c | 0x23000 
0x7f6cd403000 | 0x7abc82c | 0x2000  
0x7f6cd405000 | 0x7abe82c | 0x2000  
0x7f6cd407000 | 0x7ac082c | 0x2000  
0x7f6cd409000 | 0x7ac282c | 0x1000  
0x7f6cd40a000 | 0x7ac382c | 0x2000  
0x7f6cd40c000 | 0x7ac582c | 0x2000  
0x7f6cd40e000 | 0x7ac782c | 0x2000  
0x7f6cdcd0000 | 0x7ac982c | 0x1000  
0x7f6cdcd1000 | 0x7aca82c | 0x6000  
0x7f6cdcd7000 | 0x7ad082c | 0x1000  
0x7f6cdcd8000 | 0x7ad182c | 0x5000  
0x7fe21b00000 | 0x7ad682c | 0x1000  
0x7fe21b01000 | 0x7ad782c | 0x1b000 
0x7fe21b1c000 | 0x7af282c | 0x1000  
0x7fe21b1d000 | 0x7af382c | 0x6000  
0x7fe28330000 | 0x7af982c | 0x1000  
0x7fe28331000 | 0x7afa82c | 0xa000  
0x7fe2833b000 | 0x7b0482c | 0x1000  
0x7fe2833c000 | 0x7b0582c | 0x4000  
0x7fe31b10000 | 0x7b0982c | 0x1000  
0x7fe31b11000 | 0x7b0a82c | 0x68000 
0x7fe31b79000 | 0x7b7282c | 0xf000  
0x7fe31b88000 | 0x7b8182c | 0x1a000 
0x7fe34f50000 | 0x7b9b82c | 0x1000  
0x7fe34f51000 | 0x7b9c82c | 0x1e000 
0x7fe34f6f000 | 0x7bba82c | 0x1000  
0x7fe34f70000 | 0x7bbb82c | 0x7000  
0x7fe44040000 | 0x7bc282c | 0x1000  
0x7fe44041000 | 0x7bc382c | 0x27000 
0x7fe44068000 | 0x7bea82c | 0x2000  
0x7fe4406a000 | 0x7bec82c | 0x1000  
0x7fe4406b000 | 0x7bed82c | 0x2000  
0x7fe4406d000 | 0x7bef82c | 0x1000  
0x7fe4406e000 | 0x7bf082c | 0x1000  
0x7fe4406f000 | 0x7bf182c | 0x2000  
0x7fe44320000 | 0x7bf382c | 0x1000  
0x7fe44321000 | 0x7bf482c | 0x31000 
0x7fe44352000 | 0x7c2582c | 0x1000  
0x7fe44353000 | 0x7c2682c | 0x6000  
0x7fe44360000 | 0x7c2c82c | 0x1000  
0x7fe44361000 | 0x7c2d82c | 0xd000  
0x7fe4436e000 | 0x7c3a82c | 0x1000  
0x7fe4436f000 | 0x7c3b82c | 0x4000  
0x7fe453e0000 | 0x7c3f82c | 0x1000  
0x7fe453e1000 | 0x7c4082c | 0x14000 
0x7fe453f5000 | 0x7c5482c | 0x1000  
0x7fe453f6000 | 0x7c5582c | 0x4000  
0x7fe46b50000 | 0x7c5982c | 0x1000  
0x7fe46b51000 | 0x7c5a82c | 0x2000  
0x7fe46b53000 | 0x7c5c82c | 0x1000  
0x7fe46b54000 | 0x7c5d82c | 0x4000  
0x7fe46b80000 | 0x7c6182c | 0x1000  
0x7fe46b81000 | 0x7c6282c | 0x5000  
0x7fe46b86000 | 0x7c6782c | 0x1000  
0x7fe46b87000 | 0x7c6882c | 0x4000  
0x7fe46c00000 | 0x7c6c82c | 0x1000  
0x7fe46c01000 | 0x7c6d82c | 0x5000  
0x7fe46c06000 | 0x7c7282c | 0x1000  
0x7fe46c07000 | 0x7c7382c | 0x4000  
0x7fe479f0000 | 0x7c7782c | 0x1000  
0x7fe479f1000 | 0x7c7882c | 0x15000 
0x7fe47a06000 | 0x7c8d82c | 0x1000  
0x7fe47a07000 | 0x7c8e82c | 0x5000  
0x7fe48280000 | 0x7c9382c | 0x1000  
0x7fe48281000 | 0x7c9482c | 0x17000 
0x7fe48298000 | 0x7cab82c | 0x1000  
0x7fe48299000 | 0x7cac82c | 0x5000  
0x7fe482a0000 | 0x7cb182c | 0x1000  
0x7fe482a1000 | 0x7cb282c | 0x59000 
0x7fe482fa000 | 0x7d0b82c | 0x1000  
0x7fe482fb000 | 0x7d0c82c | 0x8000  
0x7fe48350000 | 0x7d1482c | 0x1000  
0x7fe48351000 | 0x7d1582c | 0x21000 
0x7fe48372000 | 0x7d3682c | 0x1000  
0x7fe48373000 | 0x7d3782c | 0x7000  
0x7fe483c0000 | 0x7d3e82c | 0x1000  
0x7fe483c1000 | 0x7d3f82c | 0x4000  
0x7fe483c5000 | 0x7d4382c | 0x1000  
0x7fe483c6000 | 0x7d4482c | 0x4000  
0x7fe48850000 | 0x7d4882c | 0x1000  
0x7fe48851000 | 0x7d4982c | 0x1d000 
0x7fe4886e000 | 0x7d6682c | 0x1000  
0x7fe4886f000 | 0x7d6782c | 0x5000  
0x7fe48b30000 | 0x7d6c82c | 0x1000  
0x7fe48b31000 | 0x7d6d82c | 0x5e000 
0x7fe48b8f000 | 0x7dcb82c | 0x1000  
0x7fe48b90000 | 0x7dcc82c | 0x2000  
0x7fe48b92000 | 0x7dce82c | 0xa000  
0x7fe48d90000 | 0x7dd882c | 0x1000  
0x7fe48d91000 | 0x7dd982c | 0x98000 
0x7fe48e29000 | 0x7e7182c | 0x2000  
0x7fe48e2b000 | 0x7e7382c | 0x1000  
0x7fe48e2c000 | 0x7e7482c | 0x16000 
0x7fe499a0000 | 0x7e8a82c | 0x1000  
0x7fe499a1000 | 0x7e8b82c | 0x6000  
0x7fe499a7000 | 0x7e9182c | 0x1000  
0x7fe499a8000 | 0x7e9282c | 0x4000  
0x7fe4af60000 | 0x7e9682c | 0x1000  
0x7fe4af61000 | 0x7e9782c | 0x2000  
0x7fe4af63000 | 0x7e9982c | 0x1000  
0x7fe4af64000 | 0x7e9a82c | 0x4000  
0x7fe4af70000 | 0x7e9e82c | 0x1000  
0x7fe4af71000 | 0x7e9f82c | 0x10000 
0x7fe4af81000 | 0x7eaf82c | 0x1000  
0x7fe4af82000 | 0x7eb082c | 0x5000  
0x7fe4b420000 | 0x7eb582c | 0x1000  
0x7fe4b421000 | 0x7eb682c | 0x16000 
0x7fe4b437000 | 0x7ecc82c | 0x1000  
0x7fe4b438000 | 0x7ecd82c | 0x1000  
0x7fe4b439000 | 0x7ece82c | 0x3000  
0x7fe4b43c000 | 0x7ed182c | 0x1000  
0x7fe4b43d000 | 0x7ed282c | 0x2000  
0x7fe4b450000 | 0x7ed482c | 0x1000  
0x7fe4b451000 | 0x7ed582c | 0x6000  
0x7fe4b457000 | 0x7edb82c | 0x1000  
0x7fe4b458000 | 0x7edc82c | 0x6000  
0x7fe4b4d0000 | 0x7ee282c | 0x1000  
0x7fe4b4d1000 | 0x7ee382c | 0x3d000 
0x7fe4b50e000 | 0x7f2082c | 0x2000  
0x7fe4b510000 | 0x7f2282c | 0x7000  
0x7fe4b590000 | 0x7f2982c | 0x1000  
0x7fe4b591000 | 0x7f2a82c | 0x5000  
0x7fe4b596000 | 0x7f2f82c | 0x1000  
0x7fe4b597000 | 0x7f3082c | 0x4000  
0x7fe4b5a0000 | 0x7f3482c | 0x1000  
0x7fe4b5a1000 | 0x7f3582c | 0x31000 
0x7fe4b5d2000 | 0x7f6682c | 0x1000  
0x7fe4b5d3000 | 0x7f6782c | 0x2000  
0x7fe4b5d5000 | 0x7f6982c | 0x7000  
0x7fe4b5e0000 | 0x7f7082c | 0x1000  
0x7fe4b5e1000 | 0x7f7182c | 0x25000 
0x7fe4b606000 | 0x7f9682c | 0x1000  
0x7fe4b607000 | 0x7f9782c | 0x7000  
0x7fe4b610000 | 0x7f9e82c | 0x1000  
0x7fe4b611000 | 0x7f9f82c | 0xc000  
0x7fe4b61d000 | 0x7fab82c | 0x1000  
0x7fe4b61e000 | 0x7fac82c | 0x4000  
0x7fe4b630000 | 0x7fb082c | 0x1000  
0x7fe4b631000 | 0x7fb182c | 0x34000 
0x7fe4b665000 | 0x7fe582c | 0x2000  
0x7fe4b667000 | 0x7fe782c | 0x1000  
0x7fe4b668000 | 0x7fe882c | 0x1000  
0x7fe4b669000 | 0x7fe982c | 0x2000  
0x7fe4b66b000 | 0x7feb82c | 0x1000  
0x7fe4b66c000 | 0x7fec82c | 0x7000  
0x7fe4b680000 | 0x7ff382c | 0x1000  
0x7fe4b681000 | 0x7ff482c | 0x14000 
0x7fe4b695000 | 0x800882c | 0x1000  
0x7fe4b696000 | 0x800982c | 0x6000  
0x7fe4b6a0000 | 0x800f82c | 0x1000  
0x7fe4b6a1000 | 0x801082c | 0x3c000 
0x7fe4b6dd000 | 0x804c82c | 0x1000  
0x7fe4b6de000 | 0x804d82c | 0x1000  
0x7fe4b6df000 | 0x804e82c | 0x1000  
0x7fe4b6e0000 | 0x804f82c | 0x1000  
0x7fe4b6e1000 | 0x805082c | 0x3000  
0x7fe4b6e4000 | 0x805382c | 0x1000  
0x7fe4b6e5000 | 0x805482c | 0x1000  
0x7fe4b6e6000 | 0x805582c | 0x2000  
0x7fe4b6f0000 | 0x805782c | 0x1000  
0x7fe4b6f1000 | 0x805882c | 0x2d000 
0x7fe4b71e000 | 0x808582c | 0x2000  
0x7fe4b720000 | 0x808782c | 0x5000  
0x7fe4b730000 | 0x808c82c | 0x1000  
0x7fe4b731000 | 0x808d82c | 0x50000 
0x7fe4b781000 | 0x80dd82c | 0x2000  
0x7fe4b783000 | 0x80df82c | 0x8000  
0x7fe4b790000 | 0x80e782c | 0x1000  
0x7fe4b791000 | 0x80e882c | 0x2b000 
0x7fe4b7bc000 | 0x811382c | 0x1000  
0x7fe4b7bd000 | 0x811482c | 0x1000  
0x7fe4b7be000 | 0x811582c | 0x6000  
0x7fe4b7d0000 | 0x811b82c | 0x1000  
0x7fe4b7d1000 | 0x811c82c | 0x7e000 
0x7fe4b84f000 | 0x819a82c | 0x3000  
0x7fe4b852000 | 0x819d82c | 0x3000  
0x7fe4b855000 | 0x81a082c | 0x13000 
0x7fe4b870000 | 0x81b382c | 0x1000  
0x7fe4b871000 | 0x81b482c | 0xad000 
0x7fe4b91e000 | 0x826182c | 0x4000  
0x7fe4b922000 | 0x826582c | 0xc000  
0x7fe4b930000 | 0x827182c | 0x1000  
0x7fe4b931000 | 0x827282c | 0x41000 
0x7fe4b972000 | 0x82b382c | 0x5000  
0x7fe4b977000 | 0x82b882c | 0x8000  
0x7fe4b980000 | 0x82c082c | 0x1000  
0x7fe4b981000 | 0x82c182c | 0x4f000 
0x7fe4b9d0000 | 0x831082c | 0x1000  
0x7fe4b9d1000 | 0x831182c | 0x2000  
0x7fe4b9d3000 | 0x831382c | 0x9000  
0x7fe4b9e0000 | 0x831c82c | 0x1000  
0x7fe4b9e1000 | 0x831d82c | 0x14000 
0x7fe4b9f5000 | 0x833182c | 0x1000  
0x7fe4b9f6000 | 0x833282c | 0x4000  
0x7fe4ba00000 | 0x833682c | 0x1000  
0x7fe4ba01000 | 0x833782c | 0xb1000 
0x7fe4bab2000 | 0x83e882c | 0x7000  
0x7fe4bab9000 | 0x83ef82c | 0x1000  
0x7fe4baba000 | 0x83f082c | 0x3000  
0x7fe4babd000 | 0x83f382c | 0xf000  
0x7fe4bad0000 | 0x840282c | 0x1000  
0x7fe4bad1000 | 0x840382c | 0xc000  
0x7fe4badd000 | 0x840f82c | 0x2000  
0x7fe4badf000 | 0x841182c | 0x1000  
0x7fe4bae0000 | 0x841282c | 0x4000  
0x7fe4baf0000 | 0x841682c | 0x1000  
0x7fe4baf1000 | 0x841782c | 0x19000 
0x7fe4bb0a000 | 0x843082c | 0x1000  
0x7fe4bb0b000 | 0x843182c | 0x3000  
0x7fe4bb0e000 | 0x843482c | 0x1000  
0x7fe4bb0f000 | 0x843582c | 0x5000  
0x7fe4bb20000 | 0x843a82c | 0x1000  
0x7fe4bb21000 | 0x843b82c | 0x32000 
0x7fe4bb53000 | 0x846d82c | 0x1000  
0x7fe4bb54000 | 0x846e82c | 0x5000  
0x7fe4bb60000 | 0x847382c | 0x2000  
0x7fe4bb70000 | 0x847582c | 0x1000  
0x7fe4bb71000 | 0x847682c | 0x2e000 
0x7fe4bb9f000 | 0x84a482c | 0x1000  
0x7fe4bba0000 | 0x84a582c | 0x5000  
0x7fe4bbb0000 | 0x84aa82c | 0x1000  
0x7fe4bbb1000 | 0x84ab82c | 0x16000 
0x7fe4bbc7000 | 0x84c182c | 0x1000  
0x7fe4bbc8000 | 0x84c282c | 0x7000  
0x7fe4bc50000 | 0x84c982c | 0x1000  
0x7fe4bc51000 | 0x84ca82c | 0x95000 
0x7fe4bce6000 | 0x855f82c | 0x4000  
0x7fe4bcea000 | 0x856382c | 0x1000  
0x7fe4bceb000 | 0x856482c | 0x1000  
0x7fe4bcec000 | 0x856582c | 0x1000  
0x7fe4bced000 | 0x856682c | 0x14000 
0x7fe4bd20000 | 0x857a82c | 0x1000  
0x7fe4bd21000 | 0x857b82c | 0x100000
0x7fe4be21000 | 0x867b82c | 0x9000  
0x7fe4be2a000 | 0x868482c | 0x17000 
0x7fe4be50000 | 0x869b82c | 0x1000  
0x7fe4be51000 | 0x869c82c | 0x1b000 
0x7fe4be6c000 | 0x86b782c | 0x1000  
0x7fe4be6d000 | 0x86b882c | 0x1000  
0x7fe4be6e000 | 0x86b982c | 0x5000  
0x7fe4be80000 | 0x86be82c | 0x1000  
0x7fe4be81000 | 0x86bf82c | 0x5000  
0x7fe4be86000 | 0x86c482c | 0x1000  
0x7fe4be87000 | 0x86c582c | 0x4000  
0x7fe4be90000 | 0x86c982c | 0x1000  
0x7fe4be91000 | 0x86ca82c | 0x53000 
0x7fe4bee4000 | 0x871d82c | 0x1000  
0x7fe4bee5000 | 0x871e82c | 0x4000  
0x7fe4bee9000 | 0x872282c | 0x1000  
0x7fe4beea000 | 0x872382c | 0x2000  
0x7fe4bef0000 | 0x872582c | 0x1000  
0x7fe4bef1000 | 0x872682c | 0x4000  
0x7fe4bef5000 | 0x872a82c | 0x1000  
0x7fe4bef6000 | 0x872b82c | 0x4000  
0x7fe4bff0000 | 0x872f82c | 0x1000  
0x7fe4bff1000 | 0x873082c | 0x41000 
0x7fe4c032000 | 0x877182c | 0x1000  
0x7fe4c033000 | 0x877282c | 0x3000  
0x7fe4c036000 | 0x877582c | 0x7000  
0x7fe4c060000 | 0x877c82c | 0x1000  
0x7fe4c061000 | 0x877d82c | 0x16000 
0x7fe4c077000 | 0x879382c | 0x1000  
0x7fe4c078000 | 0x879482c | 0x2b000 
0x7fe4c140000 | 0x87bf82c | 0x1000  
0x7fe4c141000 | 0x87c082c | 0x1b000 
0x7fe4c15c000 | 0x87db82c | 0x1000  
0x7fe4c15d000 | 0x87dc82c | 0x4000  
0x7fe4c170000 | 0x87e082c | 0x1000  
0x7fe4c171000 | 0x87e182c | 0xe000  
0x7fe4c17f000 | 0x87ef82c | 0x1000  
0x7fe4c180000 | 0x87f082c | 0x5000  
0x7fe4c190000 | 0x87f582c | 0x1000  
0x7fe4c191000 | 0x87f682c | 0x8000  
0x7fe4c199000 | 0x87fe82c | 0x1000  
0x7fe4c19a000 | 0x87ff82c | 0x4000  
0x7fe4c1a0000 | 0x880382c | 0x1000  
0x7fe4c1a1000 | 0x880482c | 0x10000 
0x7fe4c1b1000 | 0x881482c | 0x1000  
0x7fe4c1b2000 | 0x881582c | 0x4000  
0x7fe4c1c0000 | 0x881982c | 0x1000  
0x7fe4c1c1000 | 0x881a82c | 0xf000  
0x7fe4c1d0000 | 0x882982c | 0x1000  
0x7fe4c1d1000 | 0x882a82c | 0x5000  
0x7fe4c2c0000 | 0x882f82c | 0x1000  
0x7fe4c2c1000 | 0x883082c | 0xb2000 
0x7fe4c373000 | 0x88e282c | 0x4000  
0x7fe4c377000 | 0x88e682c | 0x11000 
0x7fe4c3c0000 | 0x88f782c | 0x1000  
0x7fe4c3c1000 | 0x88f882c | 0xef000 
0x7fe4c4b0000 | 0x89e782c | 0x7000  
0x7fe4c4b7000 | 0x89ee82c | 0x115000
0x7fe4c610000 | 0x8b0382c | 0x1000  
0x7fe4c611000 | 0x8b0482c | 0x16000 
0x7fe4c627000 | 0x8b1a82c | 0x1000  
0x7fe4c628000 | 0x8b1b82c | 0x7000  
0x7fe4c770000 | 0x8b2282c | 0x1000  
0x7fe4c771000 | 0x8b2382c | 0x8f000 
0x7fe4c800000 | 0x8bb282c | 0x1000  
0x7fe4c801000 | 0x8bb382c | 0x2000  
0x7fe4c803000 | 0x8bb582c | 0x2000  
0x7fe4c805000 | 0x8bb782c | 0x40000 
0x7fe4c880000 | 0x8bf782c | 0x1000  
0x7fe4c881000 | 0x8bf882c | 0x8d000 
0x7fe4c90e000 | 0x8c8582c | 0x2000  
0x7fe4c910000 | 0x8c8782c | 0x3000  
0x7fe4c913000 | 0x8c8a82c | 0xa000  
0x7fe4c91d000 | 0x8c9482c | 0x2000  
0x7fe4c91f000 | 0x8c9682c | 0x6000  
0x7fe4cc70000 | 0x8c9c82c | 0x1000  
0x7fe4cc71000 | 0x8c9d82c | 0x3000  
0x7fe4cc74000 | 0x8ca082c | 0x1000  
0x7fe4cc75000 | 0x8ca182c | 0x4000  
0x7fe4cc80000 | 0x8ca582c | 0x1000  
0x7fe4cc81000 | 0x8ca682c | 0xe2000 
0x7fe4cd63000 | 0x8d8882c | 0x2000  
0x7fe4cd65000 | 0x8d8a82c | 0x14000 
0x7fe4d050000 | 0x8d9e82c | 0x1000  
0x7fe4d051000 | 0x8d9f82c | 0x12b000
0x7fe4d17c000 | 0x8eca82c | 0x1000  
0x7fe4d17d000 | 0x8ecb82c | 0x1000  
0x7fe4d17e000 | 0x8ecc82c | 0x5000  
0x7fe4d183000 | 0x8ed182c | 0x24000 
0x7fe4d320000 | 0x8ef582c | 0x1000  
0x7fe4d321000 | 0x8ef682c | 0x54000 
0x7fe4d375000 | 0x8f4a82c | 0x1000  
0x7fe4d376000 | 0x8f4b82c | 0x1000  
0x7fe4d377000 | 0x8f4c82c | 0x7000  
0x7fe4d630000 | 0x8f5382c | 0x1000  
0x7fe4d631000 | 0x8f5482c | 0x3e000 
0x7fe4d66f000 | 0x8f9282c | 0x1000  
0x7fe4d670000 | 0x8f9382c | 0x18000 
0x7fe4ef50000 | 0x8fab82c | 0x1000  
0x7fe4ef51000 | 0x8fac82c | 0x36000 
0x7fe4ef87000 | 0x8fe282c | 0x3000  
0x7fe4ef8a000 | 0x8fe582c | 0x8000  
0x7fe4efa0000 | 0x8fed82c | 0x1000  
0x7fe4efa1000 | 0x8fee82c | 0x103000
0x7fe4f0a4000 | 0x90f182c | 0x3000  
0x7fe4f0a7000 | 0x90f482c | 0x1f000 
0x7fe4f3d0000 | 0x911382c | 0x1000  
0x7fe4f3d1000 | 0x911482c | 0xf6000 
0x7fe4f4c7000 | 0x920a82c | 0x2000  
0x7fe4f4c9000 | 0x920c82c | 0x2000  
0x7fe4f4cb000 | 0x920e82c | 0x1000  
0x7fe4f4cc000 | 0x920f82c | 0x7000  
0x7fe4f4d3000 | 0x921682c | 0x9000  
0x7fe4f4dc000 | 0x921f82c | 0x1000  
0x7fe4f4dd000 | 0x922082c | 0x77000 

== System Info ==
ProcessorArchitecture PROCESSOR_ARCHITECTURE.AMD64
OperatingSystem -guess- Windows Server 2012
ProcessorLevel 6
ProcessorRevision 0x2d07
NumberOfProcessors 24
ProductType PRODUCT_TYPE.VER_NT_SERVER
MajorVersion 6
MinorVersion 2
BuildNumber 9200
PlatformId PLATFORM_ID.VER_PLATFORM_WIN32_NT
CSDVersion: 
SuiteMask SUITE_MASK.VER_SUITE_SINGLEUSERTS|VER_SUITE_TERMINAL
VendorId 
VersionInformation None
FeatureInformation None
AMDExtendedCpuFeatures None
ProcessorFeatures 0x80774c 0x0

== MinidumpMiscInfo ==
ProcessId 828
ProcessCreateTime 1646223131
ProcessUserTime 36189
ProcessKernelTime 8071
ProcessorMaxMhz None
ProcessorCurrentMhz None
ProcessorMhzLimit None
ProcessorMaxIdleState None
ProcessorCurrentIdleState None

== MinidumpHeader ==
Signature: PMDM
Version: 42899
ImplementationVersion: 25328
NumberOfStreams: 9
StreamDirectoryRva: 32
CheckSum: 0
Reserved: 1646724889
TimeDateStamp: 6
Flags: MINIDUMP_TYPE.MiniDumpNormal

Is there anything else that I could check? Thanks

forensenellanebbia commented 2 years ago

I managed to create three test minidumps that I just uploaded to your storage share:

Based on what I've found, it seems pypykatz is unable to parse lsass minidumps from Windows Server 2012 (default setup with no additional settings configured) when the patches kb5003696 and kb5003697 are installed.

skelsec commented 2 years ago

Thank you for the dump files!
I checked them and it looks to me that the problem is not with the parsing code rather missing templates therefore mimikatz also can't parse them.
I managed to get the correct AES and DES structure offsets using the latest ML/AI/blockchain/web3.0 methods (read: guessed them) but currently looking for the correct IV (which is weird because it half-works?!). Also the correct MSV structure type/offset is still not found.

skelsec commented 2 years ago

Okay, I managed to construct a working template! Now I'm trying to integrate it somehow to the existing codebase

skelsec commented 2 years ago

fix is now merged to master, please let me know if it works on your end!

forensenellanebbia commented 2 years ago

I tried it against the original dump and it works even better than expected!! Awesome, thanks a lot!