☆ Win7之间的SMB认证(NTLMv2 Response) https://scz.617.cn/network/201104211146.txt net use \\10.20.3.75\ipc$ 123456 /u:WIN7CN\test 参SMB_63_0.cap的9、10号报文: -------------------------------------------------------------------------- Transmission Control Protocol Source port: 445 Destination port: 1286 NetBIOS Session Service Message Type: Session message Length: 251 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Epoch: 1 NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016) Command: SessionSetup (1) Credits granted: 31 Flags: 0x00000001 ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... ...1 = Response: This is a RESPONSE Chain Offset: 0x00000000 Command Sequence Number: 2 Process Id: 0000feff Tree Id: 0x00000000 Session Id: 0x0000040000000019 Signature: 00000000000000000000000000000000 SessionSetup Response (0x01) Length: 8 .... .... .... ...1 = Dynamic Part: True Session Flags: 0x0000 .... .... .... ..0. = Null: False .... .... .... ...0 = Guest: False Security Blob: a181b03081ada0030a0101a10c060a2b0601040182370202... Offset: 0x00000048 Length: 179 GSS-API Generic Security Service Application Program Interface Simple Protected Negotiation negTokenTarg negResult: accept-incomplete (1) supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider) responseToken: 4e544c4d53535000020000000c000c003800000015828ae2... NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002) Target Name: WIN7CN Length: 12 Maxlen: 12 Offset: 56 Flags: 0xe28a8215 1... .... .... .... .... .... .... .... = Negotiate 56: Set .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set ..1. .... .... .... .... .... .... .... = Negotiate 128: Set ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set .... ..1. .... .... .... .... .... .... = Negotiate Version: Set .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set .... .... .... .0.. .... .... .... .... = Target Type Share: Not set .... .... .... ..1. .... .... .... .... = Target Type Server: Set .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set .... .... .... .... .... .... .... .1.. = Request Target: Set .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set NTLM Server Challenge: da7066e9e9e25242 Reserved: 0000000000000000 Address List Length: 80 Maxlen: 80 Offset: 68 Domain NetBIOS Name: WIN7CN Target item type: NetBIOS domain name (0x0002) Target item Length: 12 Target item Content: WIN7CN Server NetBIOS Name: WIN7CN Target item type: NetBIOS host name (0x0001) Target item Length: 12 Target item Content: WIN7CN Domain DNS Name: WIN7CN Target item type: DNS domain name (0x0004) Target item Length: 12 Target item Content: WIN7CN Server DNS Name: WIN7CN Target item type: DNS host name (0x0003) Target item Length: 12 Target item Content: WIN7CN Unknown type:0x0007 Target item type: Client Time (0x0007) Target item Length: 8 Target item Content: List Terminator Target item type: End of list (0x0000) Target item Length: 0 Version 6.1 (Build 7600); NTLM Current Revision 15 Major Version: 6 Minor Version: 1 Major Version: 7600 NTLM Current Revision: 15 0030 00 00 00 fb fe 53 4d 42 40 00 .....SMB@. 0040 01 00 16 00 00 c0 01 00 1f 00 01 00 00 00 00 00 ................ 0050 00 00 02 00 00 00 00 00 00 00 ff fe 00 00 00 00 ................ 0060 00 00 19 00 00 00 00 04 00 00 00 00 00 00 00 00 ................ 0070 00 00 00 00 00 00 00 00 00 00 09 00 00 00 48 00 ..............H. 0080 b3 00 a1 81 b0 30 81 ad a0 03 0a 01 01 a1 0c 06 .....0.......... 0090 0a 2b 06 01 04 01 82 37 02 02 0a a2 81 97 04 81 .+.....7........ 00a0 94 4e 54 4c 4d 53 53 50 00 02 00 00 00 0c 00 0c .NTLMSSP........ 00b0 00 38 00 00 00 15 82 8a e2 da 70 66 e9 e9 e2 52 .8........pf...R 00c0 42 00 00 00 00 00 00 00 00 50 00 50 00 44 00 00 B........P.P.D.. 00d0 00 06 01 b0 1d 00 00 00 0f 57 00 49 00 4e 00 37 .........W.I.N.7 00e0 00 43 00 4e 00 02 00 0c 00 57 00 49 00 4e 00 37 .C.N.....W.I.N.7 00f0 00 43 00 4e 00 01 00 0c 00 57 00 49 00 4e 00 37 .C.N.....W.I.N.7 0100 00 43 00 4e 00 04 00 0c 00 57 00 49 00 4e 00 37 .C.N.....W.I.N.7 0110 00 43 00 4e 00 03 00 0c 00 57 00 49 00 4e 00 37 .C.N.....W.I.N.7 0120 00 43 00 4e 00 07 00 08 00 9c 67 49 61 2f ff cb .C.N......gIa/.. 0130 01 00 00 00 00 ..... -------------------------------------------------------------------------- Transmission Control Protocol Source port: 1286 Destination port: 445 NetBIOS Session Service Message Type: Session message Length: 539 SMB2 (Server Message Block Protocol version 2) SMB2 Header Server Component: SMB2 Header Length: 64 Epoch: 1 NT Status: STATUS_SUCCESS (0x00000000) Command: SessionSetup (1) Credits requested: 1 Flags: 0x00000000 ...0 .... .... .... .... .... .... .... = DFS operation: This is a normal operation .... .... .... .... .... .... .... 0... = Signing: This pdu is NOT signed .... .... .... .... .... .... .... .0.. = Chained: This pdu is NOT a chained command .... .... .... .... .... .... .... ..0. = Async command: This is a SYNC command .... .... .... .... .... .... .... ...0 = Response: This is a REQUEST Chain Offset: 0x00000000 Command Sequence Number: 3 Process Id: 0000feff Tree Id: 0x00000000 Session Id: 0x0000040000000019 Signature: 00000000000000000000000000000000 SessionSetup Request (0x01) Length: 24 .... .... .... ...1 = Dynamic Part: True VC Num: 0 Security mode: 0x01 .... ..0. = Signing required: False .... ...1 = Signing enabled: True Capabilities: 0x00000001 .... .... .... .... .... .... .... ...1 = DFS: This host supports DFS Channel: 0 Previous Session Id: 0x0000000000000000 Security Blob: a18201bf308201bba0030a0101a282019e0482019a4e544c... Offset: 0x00000058 Length: 451 GSS-API Generic Security Service Application Program Interface Simple Protected Negotiation negTokenTarg negResult: accept-incomplete (1) responseToken: 4e544c4d5353500003000000180018007c000000f600f600... NTLM Secure Service Provider NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_AUTH (0x00000003) Lan Manager Response: 000000000000000000000000000000000000000000000000 Length: 24 Maxlen: 24 Offset: 124 NTLM Client Challenge: 0000000000000000 NTLM Response: 48c42883d2eeb392e92f00ef7de521f10101000000000000... Length: 246 Maxlen: 246 Offset: 148 NTLMv2 Response: 48c42883d2eeb392e92f00ef7de521f10101000000000000... HMAC: 48c42883d2eeb392e92f00ef7de521f1 Header: 0x00000101 Reserved: 0x00000000 Time: Apr 20, 2011 15:48:47.093750000 中国标准时间 Client challenge: eb605b18c38c170c Unknown: 0x00000000 Attribute: NetBIOS domain name, WIN7CN Attribute type: NetBIOS domain name (2) Value len: 12 Value: WIN7CN Attribute: NetBIOS host name, WIN7CN Attribute type: NetBIOS host name (1) Value len: 12 Value: WIN7CN Attribute: DNS domain name, WIN7CN Attribute type: DNS domain name (4) Value len: 12 Value: WIN7CN Attribute: DNS host name, WIN7CN Attribute type: DNS host name (3) Value len: 12 Value: WIN7CN Attribute: Client Time Attribute type: Client Time (7) Value len: 8 Client Time: Apr 20, 2011 15:48:47.093750000 中国标准时间 Attribute: Unknown Attribute type: Unknown (6) Value len: 4 Value:  Attribute: Encoding restriction Attribute type: Encoding restriction (8) Value len: 48 Encoding restrictions: 30000000000000000000000000300000afd4d76f68474d8e... Attribute: Unknown, Attribute type: Unknown (10) Value len: 16 Value: Attribute: Unknown, cifs/10.20.3.75 Attribute type: Unknown (9) Value len: 30 Value: cifs/10.20.3.75 Attribute: End of list Attribute type: End of list (0) Value len: 0 NTLM Client Challenge: eb605b18c38c170c Domain name: WIN7CN Length: 12 Maxlen: 12 Offset: 88 User name: test Length: 8 Maxlen: 8 Offset: 100 Host name: CHENQING Length: 16 Maxlen: 16 Offset: 108 Session Key: 7fd382fd96a69deb5164f373cd191b8d Length: 16 Maxlen: 16 Offset: 394 Flags: 0xe2888215 1... .... .... .... .... .... .... .... = Negotiate 56: Set .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set ..1. .... .... .... .... .... .... .... = Negotiate 128: Set ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set .... ..1. .... .... .... .... .... .... = Negotiate Version: Set .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set .... .... .... .0.. .... .... .... .... = Target Type Share: Not set .... .... .... ..0. .... .... .... .... = Target Type Server: Not set .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set .... .... .... .... .... .... .... .1.. = Request Target: Set .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set Version 6.1 (Build 7601); NTLM Current Revision 15 Major Version: 6 Minor Version: 1 Major Version: 7601 NTLM Current Revision: 15 MIC: a289abb3b7a9c8bbcd27901a7bfdb2ba mechListMIC: 01000000602a426320095d8500000000 NTLM Secure Service Provider NTLMSSP identifier: \001 NTLM Message Type: Unknown (0x855d0920) Unrecognized NTLMSSP Message 0030 00 00 02 1b fe 53 4d 42 40 00 .....SMB@. 0040 01 00 00 00 00 00 01 00 01 00 00 00 00 00 00 00 ................ 0050 00 00 03 00 00 00 00 00 00 00 ff fe 00 00 00 00 ................ 0060 00 00 19 00 00 00 00 04 00 00 00 00 00 00 00 00 ................ 0070 00 00 00 00 00 00 00 00 00 00 19 00 00 01 01 00 ................ 0080 00 00 00 00 00 00 58 00 c3 01 00 00 00 00 00 00 ......X......... 0090 00 00 a1 82 01 bf 30 82 01 bb a0 03 0a 01 01 a2 ......0......... 00a0 82 01 9e 04 82 01 9a 4e 54 4c 4d 53 53 50 00 03 .......NTLMSSP.. 00b0 00 00 00 18 00 18 00 7c 00 00 00 f6 00 f6 00 94 .......|........ 00c0 00 00 00 0c 00 0c 00 58 00 00 00 08 00 08 00 64 .......X.......d 00d0 00 00 00 10 00 10 00 6c 00 00 00 10 00 10 00 8a .......l........ 00e0 01 00 00 15 82 88 e2 06 01 b1 1d 00 00 00 0f a2 ................ 00f0 89 ab b3 b7 a9 c8 bb cd 27 90 1a 7b fd b2 ba 57 ........'..{...W 0100 00 49 00 4e 00 37 00 43 00 4e 00 74 00 65 00 73 .I.N.7.C.N.t.e.s 0110 00 74 00 43 00 48 00 45 00 4e 00 51 00 49 00 4e .t.C.H.E.N.Q.I.N 0120 00 47 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .G.............. 0130 00 00 00 00 00 00 00 00 00 00 00 48 c4 28 83 d2 ...........H.(.. 0140 ee b3 92 e9 2f 00 ef 7d e5 21 f1 01 01 00 00 00 ..../..}.!...... 0150 00 00 00 9c 67 49 61 2f ff cb 01 eb 60 5b 18 c3 ....gIa/....`[.. 0160 8c 17 0c 00 00 00 00 02 00 0c 00 57 00 49 00 4e ...........W.I.N 0170 00 37 00 43 00 4e 00 01 00 0c 00 57 00 49 00 4e .7.C.N.....W.I.N 0180 00 37 00 43 00 4e 00 04 00 0c 00 57 00 49 00 4e .7.C.N.....W.I.N 0190 00 37 00 43 00 4e 00 03 00 0c 00 57 00 49 00 4e .7.C.N.....W.I.N 01a0 00 37 00 43 00 4e 00 07 00 08 00 9c 67 49 61 2f .7.C.N......gIa/ 01b0 ff cb 01 06 00 04 00 02 00 00 00 08 00 30 00 30 .............0.0 01c0 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 af ............0... 01d0 d4 d7 6f 68 47 4d 8e 8a 32 f6 d7 58 a9 f8 30 53 ..ohGM..2..X..0S 01e0 d0 0a ef 26 02 38 e3 79 14 19 80 19 f3 ba 8d 0a ...&.8.y........ 01f0 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0200 00 00 00 09 00 1e 00 63 00 69 00 66 00 73 00 2f .......c.i.f.s./ 0210 00 31 00 30 00 2e 00 32 00 30 00 2e 00 33 00 2e .1.0...2.0...3.. 0220 00 37 00 35 00 00 00 00 00 00 00 00 00 00 00 00 .7.5............ 0230 00 7f d3 82 fd 96 a6 9d eb 51 64 f3 73 cd 19 1b .........Qd.s... 0240 8d a3 12 04 10 01 00 00 00 60 2a 42 63 20 09 5d .........`*Bc .] 0250 85 00 00 00 00 ..... -------------------------------------------------------------------------- 下面介绍NTLMSSP_AUTH报文里NTLMv2 Response字段的HMAC字段如何产生: -------------------------------------------------------------------------- username 来自NTLMSSP_AUTH (0x00000003)报文,参SMB_63_0.cap的10号报文,取自 User name字段。 password 未在网上明文传输,需要预先知道。 target 来自NTLMSSP_AUTH (0x00000003)报文,参SMB_63_0.cap的10号报文,取自 Domain name字段。 ServerChallenge 来自NTLMSSP_CHALLENGE (0x00000002)报文,参SMB_63_0.cap的9号报文。 blob 来自NTLMSSP_AUTH (0x00000003)报文,参SMB_63_0.cap的10号报文,取自 NTLMv2 Response字段,不包括前16字节(HMAC)。 自己构造blob的话,一定要注意Client Time字段取自NTLMSSP_CHALLENGE返回的 数据。如果该值不正确,服务端会返回"参数错误"。其它数据仍需借鉴 NTLMSSP_CHALLENGE返回的Address List字段。 -------------------------------------------------------------------------- unicode( password ) | V +-----+ | MD4 | +-----+ | | as KEY (NTLM Hash) V +----------+ unicode( uppercase( username ) + target ) -> | HMAC_MD5 | +----------+ | | as KEY (NTLMv2 Hash ) V +----------+ ServerChallenge + blob -> | HMAC_MD5 | +----------+ | V NTLMv2 Response HMAC -------------------------------------------------------------------------- NTLMv2 Response HMAC + blob -> NTLMv2 Response -------------------------------------------------------------------------- 下面是一段伪代码: -------------------------------------------------------------------------- NTLMHash = smbmd4( '\0'.join( password ) + '\0' ) NTLMv2Hash = smbhmacmd5( NTLMHash, '\0'.join( username.upper() + target ) + '\0' ) HMAC = smbhmacmd5( NTLMv2Hash, ServerChallenge + blob ) NTLMv2Response = HMAC + blob -------------------------------------------------------------------------- 下面是一组验证集: -------------------------------------------------------------------------- username [ 4 bytes ] -> 16 bytes per line 00000000 74 65 73 74 test password [ 6 bytes ] -> 16 bytes per line 00000000 31 32 33 34 35 36 123456 target [ 6 bytes ] -> 16 bytes per line 00000000 57 49 4E 37 43 4E WIN7CN ServerChallenge [ 8 bytes ] -> 16 bytes per line 00000000 DA 70 66 E9 E9 E2 52 42 ........ blob [ 230 bytes ] -> 16 bytes per line 00000000 01 01 00 00 00 00 00 00-9C 67 49 61 2F FF CB 01 ................ 00000010 EB 60 5B 18 C3 8C 17 0C-00 00 00 00 02 00 0C 00 ................ 00000020 57 00 49 00 4E 00 37 00-43 00 4E 00 01 00 0C 00 W.I.N.7.C.N..... 00000030 57 00 49 00 4E 00 37 00-43 00 4E 00 04 00 0C 00 W.I.N.7.C.N..... 00000040 57 00 49 00 4E 00 37 00-43 00 4E 00 03 00 0C 00 W.I.N.7.C.N..... 00000050 57 00 49 00 4E 00 37 00-43 00 4E 00 07 00 08 00 W.I.N.7.C.N..... 00000060 9C 67 49 61 2F FF CB 01-06 00 04 00 02 00 00 00 ................ 00000070 08 00 30 00 30 00 00 00-00 00 00 00 00 00 00 00 ..0.0........... 00000080 00 30 00 00 AF D4 D7 6F-68 47 4D 8E 8A 32 F6 D7 ................ 00000090 58 A9 F8 30 53 D0 0A EF-26 02 38 E3 79 14 19 80 ................ 000000A0 19 F3 BA 8D 0A 00 10 00-00 00 00 00 00 00 00 00 ................ 000000B0 00 00 00 00 00 00 00 00-09 00 1E 00 63 00 69 00 ............c.i. 000000C0 66 00 73 00 2F 00 31 00-30 00 2E 00 32 00 30 00 f.s./.1.0...2.0. 000000D0 2E 00 33 00 2E 00 37 00-35 00 00 00 00 00 00 00 ..3...7.5....... 000000E0 00 00 00 00 00 00 ...... NTLM Hash [ 16 bytes ] -> 16 bytes per line 00000000 32 ED 87 BD B5 FD C5 E9-CB A8 85 47 37 68 18 D4 ................ NTLMv2 Hash [ 16 bytes ] -> 16 bytes per line 00000000 79 5F 85 C5 51 93 EA 43-03 66 7B 31 49 6D CF A0 ................ HMAC [ 16 bytes ] -> 16 bytes per line 00000000 48 C4 28 83 D2 EE B3 92-E9 2F 00 EF 7D E5 21 F1 ................ NTLMv2 Response [ 246 bytes ] -> 16 bytes per line 00000000 48 C4 28 83 D2 EE B3 92-E9 2F 00 EF 7D E5 21 F1 H............... 00000010 01 01 00 00 00 00 00 00-9C 67 49 61 2F FF CB 01 ................ 00000020 EB 60 5B 18 C3 8C 17 0C-00 00 00 00 02 00 0C 00 ................ 00000030 57 00 49 00 4E 00 37 00-43 00 4E 00 01 00 0C 00 W.I.N.7.C.N..... 00000040 57 00 49 00 4E 00 37 00-43 00 4E 00 04 00 0C 00 W.I.N.7.C.N..... 00000050 57 00 49 00 4E 00 37 00-43 00 4E 00 03 00 0C 00 W.I.N.7.C.N..... 00000060 57 00 49 00 4E 00 37 00-43 00 4E 00 07 00 08 00 W.I.N.7.C.N..... 00000070 9C 67 49 61 2F FF CB 01-06 00 04 00 02 00 00 00 ................ 00000080 08 00 30 00 30 00 00 00-00 00 00 00 00 00 00 00 ..0.0........... 00000090 00 30 00 00 AF D4 D7 6F-68 47 4D 8E 8A 32 F6 D7 ................ 000000A0 58 A9 F8 30 53 D0 0A EF-26 02 38 E3 79 14 19 80 ................ 000000B0 19 F3 BA 8D 0A 00 10 00-00 00 00 00 00 00 00 00 ................ 000000C0 00 00 00 00 00 00 00 00-09 00 1E 00 63 00 69 00 ............c.i. 000000D0 66 00 73 00 2F 00 31 00-30 00 2E 00 32 00 30 00 f.s./.1.0...2.0. 000000E0 2E 00 33 00 2E 00 37 00-35 00 00 00 00 00 00 00 ..3...7.5....... 000000F0 00 00 00 00 00 00 ...... --------------------------------------------------------------------------