http://www.opencjk.org/~scz/
A full verification set and discussion of the Syskey mechanism
See the articles by Flashsky and Nicola Cuomo ([11], [13]).
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
Class A: C5 1F 3D DE ("C51F3DDE")
         (class string of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD)
Class B: 3F 88 75 0D ("3F88750D")
         (class string of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SKEW1)
Class C: EE F2 5F C1 ("EEF25FC1")
         (class string of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG)
Class D: 31 AF 75 4B ("31AF754B")
         (class string of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DATA)
Classes A+B+C+D: C5 1F 3D DE 3F 88 75 0D EE F2 5F C1 31 AF 75 4B
MIX: 08 0A 03 07 02 01 09 0F 00 05 0D 04 0B 06 0C 0E
BootKey / Syskey: EE 88 3F 3D C1 F2 AF DE C5 75 1F 31 75 5F 4B 0D
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
Account_f_value: 02 00 01 00 00 00 C0 4D 55 34 10 BC C2 01
: D8 00 00 00 00 00 00 80 A6 0A FF DE FF FF
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 001
: 00 cc 1D CF FB FF FF FF 00 CC 1D CF FB FF FF FF
: 00 00 00 00 00 00 00 00 EC 03 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 0e 13 6D 8F 01 17 04 DE D8 71 1A 32 43 92 8A A0
: 54 30 21 81 56 76 7B D5 D6 EC 9D Ad Fe 7a 8e 16
: 50 7D 76 53 CC A3 54 CD 33 4D 67 BD C3 F0 C6 52
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(value "F" under HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account)
Account_F_value_a:          0E 13 6D 8F 01 17 04 DE D8 71 1A 32 43 92 8A A0
MagicStringA:               21 40 23 24 25 5E 26 2A 28 29 71 77 65 72 74 79
                            55 49 4F 50 41 7A 78 63 76 62 6E 6D 51 51 51 51
                            51 51 51 51 51 51 51 51 29 28 2A 40 26 25 00
                            ("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%", NUL-terminated)
BootKey/Syskey:             EE 88 3F 3D C1 F2 AF DE C5 75 1F 31 75 5F 4B 0D
MagicStringB:               30 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35
                            36 37 38 39 30 31 32 33 34 35 36 37 38 39 30 31
                            32 33 34 35 36 37 38 39 00
                            ("0123456789012345678901234567890123456789", NUL-terminated)
MD5 / RC4 key:              83 B3 19 2F 34 41 FB 10 2D CB 8C AC 98 FE DD 8E
Account_F_value_b / RC4 in: 54 30 21 81 56 76 7B D5 D6 EC 9D AD FE 7A 8E 16
                            50 7D 76 53 CC A3 54 CD 33 4D 67 BD C3 F0 C6 52
RC4 out:                    CA 7C 56 6F 36 9F 17 64 CC 30 77 3E 00 A5 67 60
                            7E DC AC CD F7 D5 01 72 E8 63 4A 26 58 28 D5 BF
SampSecretSessionKey:       CA 7C 56 6F 36 9F 17 64 CC 30 77 3E 00 A5 67 60
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
SampSecretSessionKey:          CA 7C 56 6F 36 9F 17 64 CC 30 77 3E 00 A5 67 60
RID:                           E8 03 00 00 (1000)
SampMagicConstantStringA:      4C 4D 50 41 53 53 57 4F 52 44 00 ("LMPASSWORD", NUL-terminated)
MD5 / RC4 key:                 30 58 58 7D 01 14 0F FA BE 2C E3 99 8C F3 0D 10
Encrypted LM Hash / RC4 in:    D3 B8 C2 84 97 05 50 83 B0 55 46 A3 C9 F4 5B C6
RC4 out / DES-encrypted message: ED 0E B6 92 76 8E 43 25 B1 52 28 32 18 05 43 32
    E8030000E8030000E8030000E80... (RID E8 03 00 00, little-endian, repeated)
        |
        STR_TO_KEY()
        |
        V
    E800C0000E400C00007400600006A006 (DES keys derived from the RID)
DESkey1 derived from RID:      E8 00 C0 00 0E 40 0C 00
DESkey2 derived from RID:      00 74 00 60 00 06 A0 06
DES out / LM Hash:             42 2B 15 72 AE 4B 9C DE E2 C2 FA D4 5B 16 A0 FF
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
SampSecretSessionKey:          CA 7C 56 6F 36 9F 17 64 CC 30 77 3E 00 A5 67 60
RID:                           E8 03 00 00 (1000)
SampMagicConstantStringB:      4E 54 50 41 53 53 57 4F 52 44 00 ("NTPASSWORD", NUL-terminated)
MD5 / RC4 key:                 96 BE 87 40 08 8B 57 18 35 A0 E9 6E 50 95 C9 E7
Encrypted NTLM Hash / RC4 in:  93 75 EE 45 2C 8D E1 FD D3 50 F6 62 FC 5B 3C 5E
RC4 out / DES-encrypted message: D3 38 99 8E 85 03 DA 20 A6 D5 09 1C 48 2A 81 4A
    E8030000E8030000E8030000E80... (RID E8 03 00 00, little-endian, repeated)
        |
        STR_TO_KEY()
        |
        V
    E800C0000E400C00007400600006A006 (DES keys derived from the RID)
DESkey1 derived from RID:      E8 00 C0 00 0E 40 0C 00
DESkey2 derived from RID:      00 74 00 60 00 06 A0 06
DES out / NTLM Hash:           6E AB 0E A8 EB 87 C8 E9 38 22 D6 D9 E5 59 87 81
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
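Two steps of the verification set above are deterministic and need no secret material from the hive: the scatter of the four class strings into the BootKey (the MIX table) and the STR_TO_KEY derivation of DESkey1/DESkey2 from the RID. The Python below is an added illustration, not the page author's samdump.c; the function and variable names are mine. It reproduces the BootKey/Syskey line from the four class strings and both DES keys for RID 1000. The MD5/RC4/DES stages are not repeated here because they need the hive's secret data and a DES library.

```python
"""Two deterministic steps of the Syskey/SAM key derivation, checked against the
vectors published on this page: the bootkey scatter ("MIX") and the RID-to-DES
key schedule (STR_TO_KEY).  Added illustration, not the page author's samdump.c;
function and variable names are mine."""
import struct

# "MIX" as printed on the page: byte i of the concatenated class strings
# (JD, SKEW1, GBG, DATA) is placed at position MIX[i] of the bootkey.
MIX = [0x08, 0x0A, 0x03, 0x07, 0x02, 0x01, 0x09, 0x0F,
       0x00, 0x05, 0x0D, 0x04, 0x0B, 0x06, 0x0C, 0x0E]


def syskey_from_classes(jd: bytes, skew1: bytes, gbg: bytes, data: bytes) -> bytes:
    """Scatter the four hex-decoded 4-byte class values into the 16-byte bootkey."""
    scrambled = jd + skew1 + gbg + data
    if len(scrambled) != 16:
        raise ValueError("expected four 4-byte class values")
    bootkey = bytearray(16)
    for i, b in enumerate(scrambled):
        bootkey[MIX[i]] = b
    return bytes(bootkey)


def str_to_key(s7: bytes) -> bytes:
    """Spread 7 bytes over 8 DES key bytes, 7 key bits per byte with the low
    bit left free for parity.  The page prints the keys with that bit clear,
    so this does the same; DES ignores the parity bit anyway."""
    if len(s7) != 7:
        raise ValueError("STR_TO_KEY takes exactly 7 bytes")
    k = [
        s7[0] >> 1,
        ((s7[0] & 0x01) << 6) | (s7[1] >> 2),
        ((s7[1] & 0x03) << 5) | (s7[2] >> 3),
        ((s7[2] & 0x07) << 4) | (s7[3] >> 4),
        ((s7[3] & 0x0F) << 3) | (s7[4] >> 5),
        ((s7[4] & 0x1F) << 2) | (s7[5] >> 6),
        ((s7[5] & 0x3F) << 1) | (s7[6] >> 7),
        s7[6] & 0x7F,
    ]
    return bytes((b << 1) & 0xFE for b in k)


def rid_to_des_keys(rid: int):
    """Derive DESkey1 and DESkey2 from a RID as the page's STR_TO_KEY diagram
    shows: the RID is taken little-endian (E8 03 00 00 for 1000) and repeated;
    key 1 uses bytes 0..6 of that stream, key 2 uses bytes 3..9."""
    stream = struct.pack("<I", rid) * 3
    return str_to_key(stream[0:7]), str_to_key(stream[3:10])


if __name__ == "__main__":
    # Class strings from the page's verification set, hex-decoded.
    bk = syskey_from_classes(bytes.fromhex("C51F3DDE"), bytes.fromhex("3F88750D"),
                             bytes.fromhex("EEF25FC1"), bytes.fromhex("31AF754B"))
    k1, k2 = rid_to_des_keys(1000)
    print("BootKey/Syskey:", bk.hex().upper())   # EE883F3DC1F2AFDEC5751F31755F4B0D
    print("DESkey1       :", k1.hex().upper())   # E800C0000E400C00
    print("DESkey2       :", k2.hex().upper())   # 007400600006A006
```

Note that MIX is written here as a scatter (source byte i goes to bootkey[MIX[i]]); tools that store the inverse table apply it as a gather (bootkey[i] = scrambled[P[i]]) and get the same result.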
The purpose of providing this full verification set is to let C programmers quickly get a handle on the Syskey encryption process. I am studying [11] and [13] in the posture of a student, not doing any hacking; the credit belongs to the authors of those two articles. It must be said in criticism of Flashsky that his natural-language description, with no precise C description of the encryption API interfaces, is not clear enough, so that I was forced to use SoftICE to remotely debug GetLmhashDLL in order to confirm the hex-dump form of some of the data (this may be the most accurate way of presenting it). Not to hide it, [11] is one of the few high-level articles to come out of China since 2003, and a big piece of work; my thanks to the author for sharing the document.
The reason I went to all this trouble is a bit odd. While writing a scanner plugin I needed to operate on a remote registry. My usual routine is to first write an application against the Win32 API and then capture and analyze the traffic with Ethereal. Since I had to write an application anyway, I wanted to write one that was somewhat practical. Tombkeeper had told me that NLTest in the Microsoft Support Tools can read SAM data remotely, and he had briefly analyzed it as well: NLTEST does not use remote thread injection or a service as PWDUMP3 does, but operates on the remote registry directly.
> nltest /server:192.168.7.152 /user:test
User: test
RID: 0x3eb
LMOWFPassword: BFAC2F26 7A122258 A1CA9C44 FB0029FB
NTOWFPassword: 2DC1A2C8 2D82EB15 2511678A 9B5522CA
The LM Hash and NTLM Hash above are wrong, because NLTEST cannot deal with the Syskey mechanism; for early NT the correct LM Hash and NTLM Hash can be obtained with NLTest. NLTEST's algorithm is that of PWDUMP.C; in other words, nltest is something like a remote version of PWDUMP.C.
My idea was to write a samdump.c that takes an approach similar to nltest's but can deal with the Syskey mechanism, with output in LC4 (.lc file) format. PWDUMP2 is unusable in a Terminal Services environment, and PWDUMP3 relies on a service to remain usable. samdump.c has little reason to exist; I'm just practicing. Since the LM Hash and NTLM Hash never appear directly in the network communication, samdump.c does not use any encrypted transmission. If the target's Remote Registry service is not started, this can be fixed with SC:
> sc \\192.168.7.152 config remoteregistry start= demand
> sc \\192.168.7.152 start remoteregistry
> samdump -t 192.168.7.152
> sc \\192.168.7.152 stop remoteregistry
> sc \\192.168.7.152 config remoteregistry start= disabled
The original samdump.c could perform the above SC operations itself, but that was dropped when streamlining it; I wasn't interested in packet-analyzing that part of the network communication.
☆ Reference resources
[11] The encryption algorithm for hash storage in the SAM and the computation of Syskey - Flashsky [2003-06-04]
     http://www.xfocus.net/releases/200306/a550.html
[13] Windows 2K/NT/XP's Syskey Encryption - Nicola Cuomo
     http://studenti.unina.it/~ncuomo/syskey/syskey.txt
☆ Hacking "F"
HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4
    F   REG_BINARY
    V   REG_BINARY
By default only SYSTEM has the right to read and write HKEY_LOCAL_MACHINE\SECURITY. Administrator has the two permissions READ_CONTROL and WRITE_DAC, so it can change the registry permission settings and then read.
I wrote a small program that in one go modifies the registry permissions, reads "F" and "V", hex-dumps the data and restores the registry permissions. It turns out that the "F" data has a fixed length of 80 bytes, while the length of the "V" data varies.
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
0x000001F4
ByteArray[80 bytes] ->
00000000 02 00 01 00 00 00 00 00-80 05 EB 31 D6 D5 C3 01 ...........1....
00000010 00 00 00 00 00 00 00 00-80 59 BA 6C CC BF C3 01 .........Y.l....
00000020 FF FF FF FF FF FF FF 7F-60 66 EE 15 B7 D5 C3 01 ........`f......
00000030 F4 01 00 00 01 02 00 00-10 02 00 00 00 00 00 00 ................
00000040 00 00 F1 00 01 00 00 00-00 00 0D 00 0A 00 00 00 ................
0x000001F5
ByteArray [80 BYTES] ->
00000000 02 00 01 00 00 00 00-70 36 52 72 C1 9D C3 01 ........ P6RR ....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9d C3 01 ........ f -....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00-
00000030 F5 01 00 00 02 00 00 00 00 00 00 00 ................
00000040 04 00 00 00 00 00 00 00 00 00 ..............
0x000003E8
ByteArray [80 BYTES] ->
00000000 02 00 01 00 00 00 00 00 00 6C 93 92 64 77 C3 01 ......... L. ..
00000010 00 00 00 00 00-A0 C7 04 0C CB D4 C3 01 ................
00 0.00-00 00 00 00 00 00 00 00 ..............
00000030 E8 03 00 00 01 02 00 00 00 00 00 00 00 ..............
00000040 00 00 09 00 00 00 00 00-00 00 00 00 00 84 44 00 .............. D.
0x000003EA
ByteArray [80 BYTES] ->
00000000 02 00 01 00 00 00 00 00 00 00 00 ................
00000010 00 00 00 00 00 00 00 00-70 E0 89 CB 57 BC C2 01 ........ p ... W ...
00 0.00-00 00 00 00 00 00 00 00 ..............
00000030 EA 03 00 00 00 00 00 00 00 00 ..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00_4 00 .........
0x000003EB
ByteArray [80 bytes] -> 00000000 02 00 01 00 00 00 00 00 00 00 00 00 00 01 .......N ....
000000-30 AA 02 36 CA D4 C3 01 .........6 ...
00000020 00 00 00 00 00-c0 4A 54 9F CA BF C3 01 ......... JT .....
00000030 EB 03 00 00 00 00 00 00 00 00 ..............
00000040 00 00 05 00 00 00 00 00-00 00 00 00 00 84 44 00 .............. D.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
"SamrQueryInformationUser (36) level 21 query response packet decoding":
http://www.opencjk.org/~scz/200312241426.txt
I'm quite sensitive to a series like 0x01C3...; after all, that is computed data. Let's try decoding "F" by hand, taking 0x000001F4 as an example:
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
02 00 01 00 00 00 00 00   meaning unclear; across the 5 dumps above these 8 bytes never change
80 05 EB 31 D6 D5 C3 01   FILETIME, "Last Logon Time"
00 00 00 00 00 00 00 00   FILETIME, unknown time; always 0, seems to be "Last Logoff Time"
80 59 BA 6C CC BF C3 01   FILETIME, "Password Last Set Time"; note that this is not the "PWD Last Set" of
                          Ethereal's decoding, which is wrong here: it actually corresponds to
                          "Kickoff Time" in Ethereal's decoding
FF FF FF FF FF FF FF 7F   FILETIME, unknown time; at first I mistook it for "Password Must Change Time"
60 66 EE 15 B7 D5 C3 01   FILETIME, unknown time; at first I mistook it for "Password Can Change Time"
F4 01 00 00               DWORD, "User RID", 500
01 02 00 00               DWORD, "User Primary Group RID", 513
10 02 00 00               DWORD, "User Flags", i.e. "Account Control" in Ethereal's decoding
00 00 00 00               meaning unknown
00 00                     0, seems to be a USHORT "Bad PWD Count"
F1 00                     USHORT, number of successful logons, 241
01 00 00 00               for Administrator this is 0x00000001; across the 5 dumps it is 0x00000000 for the
                          other accounts; meaning unclear, possibly fill data
00 00                     unknown
0D 00 0A 00 00 00         meaning unknown; across the 5 dumps the other accounts have 00 00 00 84 44 00 here
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
For writing programs, hack a C-style structure out of it:
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
#pragma pack(push, 1)
/*
 * A structure obtained by hacking is unreliable. Note that the name SAM_RID_F_VALUE
 * refers to the "F" value under
 * HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4,
 * not to the "F" value under HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account.
 */
typedef struct _SAM_RID_F_VALUE
{
    BYTE     unknown_000[8];    // 0x000, seems always to be "02 00 01 00 00 00 00 00"
    FILETIME LastLogonTime;     // 0x008
    FILETIME LastLogoffTime;    // 0x010, seems always to be 0
    FILETIME PwdLastSetTime;    // 0x018, corrected decoding; Ethereal's is faulty
    FILETIME unknown_020;       // 0x020
    FILETIME unknown_028;       // 0x028
    DWORD    UserRid;           // 0x030, e.g. 0x000001F4 / 500
    DWORD    UserPrimaryGid;    // 0x034, e.g. 0x00000201 / 513
    DWORD    UserFlags;         // 0x038, "Account Control" in Ethereal's decoding
    DWORD    unknown_03C;       // 0x03C
    WORD     BadPwdCount;       // 0x040, the number of times the user tried to log on
                                //        to the account using an incorrect password
    WORD     NumLogonsOK;       // 0x042, number of successful logons
    BYTE     unknown_044[12];   // 0x044
                                // 0x050
} SAM_RID_F_VALUE, *PSAM_RID_F_VALUE, **PPSAM_RID_F_VALUE;
#pragma pack(pop)
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
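The same layout, rendered in Python as an added example (not the page's code), applied to the 0x000001F4 bytes assembled from the decode above. The field names, the FILETIME-to-datetime conversion and the treatment of 0 and 0x7FFFFFFFFFFFFFFF as "unset" are my choices; the byte offsets are exactly those of SAM_RID_F_VALUE.

```python
"""Parse the 80-byte "F" value of a SAM user key using the layout worked out
on this page.  Added example, not the page author's code; the sample bytes are
assembled from the page's 0x000001F4 decode and the FILETIME conversion is mine
(a FILETIME counts 100 ns ticks since 1601-01-01 UTC)."""
import struct
from datetime import datetime, timedelta, timezone

# unknown_000, five FILETIMEs, four DWORDs, two WORDs, unknown_044: 80 bytes, little-endian
F_LAYOUT = struct.Struct("<8sQQQQQIIIIHH12s")
assert F_LAYOUT.size == 0x50

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # FF FF FF FF FF FF FF 7F, "no such time" sentinel


def filetime_to_datetime(ft: int):
    """Return None for an unset (0) or sentinel FILETIME, else an aware datetime."""
    if ft == 0 or ft == FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_f_value(blob: bytes) -> dict:
    """Unpack one "F" value; raises if the length is not the fixed 80 bytes."""
    if len(blob) != F_LAYOUT.size:
        raise ValueError(f"F value must be {F_LAYOUT.size} bytes, got {len(blob)}")
    (unknown_000, last_logon, last_logoff, pwd_last_set, unknown_020, unknown_028,
     rid, primary_gid, flags, unknown_03c, bad_pwd_count, logons_ok,
     unknown_044) = F_LAYOUT.unpack(blob)
    return {
        "unknown_000": unknown_000.hex(),
        "last_logon": filetime_to_datetime(last_logon),
        "last_logoff": filetime_to_datetime(last_logoff),
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
        "unknown_020": filetime_to_datetime(unknown_020),
        "unknown_028": filetime_to_datetime(unknown_028),
        "rid": rid,
        "primary_gid": primary_gid,
        "flags": flags,
        "unknown_03c": unknown_03c,
        "bad_pwd_count": bad_pwd_count,
        "logons_ok": logons_ok,
        "unknown_044": unknown_044.hex(),
    }


# Constructed from the page's decode of the Administrator (0x000001F4) "F" value.
SAMPLE_F_1F4 = bytes.fromhex(
    "0200010000000000" "8005EB31D6D5C301"
    "0000000000000000" "8059BA6CCCBFC301"
    "FFFFFFFFFFFFFF7F" "6066EE15B7D5C301"
    "F4010000" "01020000" "10020000" "00000000"
    "0000" "F100" "010000000000" "0D000A000000"
)

if __name__ == "__main__":
    for name, value in parse_f_value(SAMPLE_F_1F4).items():
        print(f"{name:14}: {value}")
```

Running it shows RID 500, primary group 513, flags 0x210 and 241 successful logons, with the two FILETIMEs the page could not name (one all-zero, one 0x7FFFFFFFFFFFFFFF) reported as None rather than as nonsense dates.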
Petter Nordahl-Hagen also hacked the "F" structure in his sam.h ([20]); several of his time fields are wrong, and he has no UserPrimaryGid. But there is a lesson for me here: the documents in hand must be gone through properly; leaving them there unread, you might as well not have collected them. When I was preparing to hack the "V" structure, I found sam.h already had it, which saves a lot of detours.
☆ Reference resources
[20] Offline NT Password & Registry Editor - Petter Nordahl-Hagen
     http://home.eunet.no/~pnordahl/ntpasswd/
☆ Hacking "V"
HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4
    F   REG_BINARY
    V   REG_BINARY
This time I didn't do anything stupid: I hacked the "V" structure on the basis of Petter Nordahl-Hagen's ([20]), since reinventing the wheel from scratch isn't cost-effective. The data dumped by the same program is as follows:
-------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------
0x000003EB
ByteArray[548 bytes] ->
00000000 00 00 00 00 D4 00 00 00-02 00 01 00 D4 00 00 00 ................
00000010 08 00 00 00 00 00 00 00-DC 00 00 00 12 00 00 00 ................
00000020 00 00 00 00 F0 00 00 00-16 00 00 00 00 00 00 00 ................
00000030 08 01 00 00 00 00 00 00-00 00 00 00 08 01 00 00 ................
00000040 00 00 00 00 00 00 00 00-08 01 00 00 00 00 00 00 ................
00000050 00 00 00 00 08 01 00 00-00 00 00 00 00 00 00 00 ................
00000060 08 01 00 00 00 00 00 00-00 00 00 00 08 01 00 00 ................
00000070 00 00 00 00 00 00 00 00-08 01 00 00 00 00 00 00 ................
00000080 00 00 00 00 08 01 00 00-15 00 00 00 A8 00 00 00 ................
00000090 20 01 00 00 08 00 00 00-01 00 00 00 28 01 00 00  ...........(...
000000A0 14 00 00 00 00 00 00 00-3C 01 00 00 14 00 00 00 ........<.......
000000B0 00 00 00 00 50 01 00 00-04 00 00 00 00 00 00 00 ....P...........
000000C0 54 01 00 00 04 00 00 00-00 00 00 00 01 00 14 80 T...............
000000D0 B4 00 00 00 C4 00 00 00-14 00 00 00 44 00 00 00 ............D...
000000E0 02 00 30 00 02 00 00 00-02 C0 14 00 44 00 05 01 ..0.........D...
000000F0 01 01 00 00 00 00 00 01-00 00 00 00 02 C0 14 00 ................
00000100 FF 07 0F 00 01 01 00 00-00 00 00 05 07 00 00 00 ................
00000110 02 00 70 00 04 00 00 00-00 00 14 00 5B 03 02 00 ..p.........[...
00000120 01 01 00 00 00 00 00 01-00 00 00 00 00 00 18 00 ................
00000130 FF 07 0F 00 01 02 00 00-00 00 00 05 20 00 00 00 ............ ...
00000140 20 02 00 00 00 00 18 00-FF 07 0F 00 01 02 00 00  ...............
00000150 00 00 00 05 20 00 00 00-24 02 00 00 00 00 24 00 .... ...$.....$.
00000160 44 00 02 00 01 05 00 00-00 00 00 05 15 00 00 00 D...............
00000170 92 E0 3C 77 35 8A 02 1A-43 17 0A 32 EB 03 00 00 ..<w5...C..2....
00000180 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ...
00000190 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ...
000001A0 74 00 65 00 73 00 74 00-74 00 65 00 73 00 74 00 t.e.s.t.t.e.s.t.
000001B0 20 00 75 00 73 00 65 00-72 00 01 00 6F 00 6E 00  .u.s.e.r...o.n.
000001C0 6C 00 79 00 20 00 61 00-20 00 74 00 65 00 73 00 l.y. .a. .t.e.s.
000001D0 74 00 38 F0 FF FF FF FF-FF FF FF FF FF FF FF FF t.8.............
000001E0 FF FF FF FF FF FF FF FF-FF 93 38 F0 01 02 00 00 ..........8.....
000001F0 07 00 00 00 01 00 01 00-XX XX XX XX XX XX XX XX ................
00000200 XX XX XX XX XX XX XX XX-01 00 01 00 XX XX XX XX ................
00000210 XX XX XX XX XX XX XX XX-XX XX XX XX 01 00 01 00 ................
00000220 01 00 01 00                                     ....
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
For hacking "V" I first referred to PWDUMP.C ([5]), written by Jeremy Allison in 1997, combined with [20]. Let's try decoding "V" by hand, taking 0x000003EB as an example:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
00 00 00 00    unknown offset, 0x00000000 / 0; offsets are relative to 0x000000CC, so the final position is 0x000000CC
D4 00 00 00    unknown length, 0x000000D4 / 212
02 00 01 00    unknown, not a simple alignment fill field
D4 00 00 00    UserName offset, 0x000000D4 / 212, relative to 0x000000CC; the final position is 0x000001A0.
               Seen another way: the first 0xCC bytes are a fixed header, and what follows is the data area.
08 00 00 00    UserName length, in bytes of the Unicode string; the end is identified by the length, not by a
               NUL character; 0x00000008 / 8, "test"
00 00 00 00    unknown
DC 00 00 00    User Full Name offset, 0x000000DC / 220; the final position is 0x000001A8
12 00 00 00    User Full Name length, in bytes of the Unicode string, end identified by the length;
               0x00000012 / 18, "test user"
00 00 00 00    unknown
F0 00 00 00    User Comment offset, 0x000000F0 / 240; the final position is 0x000001BC
16 00 00 00    User Comment length, in bytes of the Unicode string, end identified by the length;
               0x00000016 / 22, "only a test"
00 00 00 00    unknown
08 01 00 00    unknown offset, 0x00000108; the final position is 0x000001D4
00 00 00 00    unknown length, 0 bytes
00 00 00 00    unknown
               (the three DWORDs above occur seven times in a row: seven empty fields, each with
               offset 0x00000108 and length 0)
08 01 00 00    unknown offset, 0x00000108; the final position is 0x000001D4
15 00 00 00    unknown length, 0x00000015 / 21; in this example 21 bytes of 0xFF
A8 00 00 00    unknown; why is it not 0 this time?
20 01 00 00    0x00000120 / 288; the final position is 0x000001EC
08 00 00 00    0x00000008 / 8
01 00 00 00    unknown
28 01 00 00    encrypted LM Hash, 0x00000128 / 296; the final position is 0x000001F4
14 00 00 00    0x00000014 / 20
00 00 00 00    unknown
3C 01 00 00    encrypted NTLM Hash, 0x0000013C / 316; the final position is 0x00000208
14 00 00 00    0x00000014 / 20
00 00 00 00    unknown
50 01 00 00    0x00000150 / 336; the final position is 0x0000021C
04 00 00 00    0x00000004 / 4
00 00 00 00    unknown
54 01 00 00    0x00000154 / 340; the final position is 0x00000220
04 00 00 00    0x00000004 / 4
00 00 00 00    unknown
The above is the fixed header, 0xCC bytes in total; what follows is the variable-length data area, which the header locates. Put simply, the header is 17 Offset/Length groups of 12 bytes each.
01 00 14 80    212 bytes of unknown data. I am actually very curious about this data, but unfortunately
B4 00 00 00    can make nothing of it. The block differs from account to account.
C4 00 00 00
14 00 00 00
44 00 00 00
02 00 30 00 02 00 00 00 02 C0 14 00 44 00 05 01
01 01 00 00 00 00 00 01 00 00 00 00 02 C0 14 00
FF 07 0F 00 01 01 00 00 00 00 00 05 07 00 00 00
02 00 70 00 04 00 00 00 00 00 14 00 5B 03 02 00
01 01 00 00 00 00 00 01 00 00 00 00 00 00 18 00
FF 07 0F 00 01 02 00 00 00 00 00 05 20 00 00 00
20 02 00 00 00 00 18 00 FF 07 0F 00 01 02 00 00
00 00 00 05 20 00 00 00 24 02 00 00 00 00 24 00
44 00 02 00 01 05 00 00 00 00 00 05 15 00 00 00
92 E0 3C 77 35 8A 02 1A 43 17 0A 32 EB 03 00 00
01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
74 00 65 00 73 00 74 00                   Unicode string "test", end identified by the length, no NUL
                                          character: UserName
74 00 65 00 73 00 74 00 20 00 75 00       Unicode string "test user": User Full Name
73 00 65 00 72 00
01 00                                     two fill bytes, so that the following data is aligned on a
                                          four-byte boundary
6F 00 6E 00 6C 00 79 00 20 00 61 00       Unicode string "only a test": User Comment
20 00 74 00 65 00 73 00 74 00
38 F0                                     two fill bytes, so that the following data is aligned on a
                                          four-byte boundary
FF FF FF FF FF FF FF FF FF FF FF FF       21 bytes
FF FF FF FF FF FF FF FF FF
93 38 F0                                  three fill bytes, so that the following data is aligned on a
                                          four-byte boundary
01 02 00 00 07 00 00 00                   8 bytes, meaning unknown
01 00 01 00 XX XX XX XX XX XX XX XX       20 bytes, the first 4 unclear, then the encrypted LM Hash
XX XX XX XX XX XX XX XX
01 00 01 00 XX XX XX XX XX XX XX XX       20 bytes, the first 4 unclear, then the encrypted NTLM Hash
XX XX XX XX XX XX XX XX
01 00 01 00                               4 bytes
01 00 01 00                               4 bytes
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note that Ethereal, Jeremy Allison and Petter Nordahl-Hagen parse several more
fields, such as Home, Script and Profile, but in my test environment none of them ever held actual data, so I would rather treat them as unknown_xxx. If one day I see actual data there, it won't be too late to come back and correct it. After all, I didn't believe Kickoff Time had been given a field of its own in "F" either, and it's hard to say the situation in "V" isn't similar.
For writing programs, hack a C-style structure out of it:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
#pragma pack(push, 1)
typedef struct _OFFSET_LENGTH
{
    DWORD Offset;       // 0x000, relative to the end of the header, i.e. to the start of the data area
    DWORD Length;       // 0x004, in bytes
    DWORD unknown_008;  // 0x008, not a simple alignment field
                        // 0x00C
} OFFSET_LENGTH, *POFFSET_LENGTH, **PPOFFSET_LENGTH;

/*
 * A structure obtained by hacking is unreliable. Note that the name SAM_RID_V_VALUE
 * refers to the "V" value under
 * HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4,
 * not to the "V" value under HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account.
 *
 * The header is simple: 17 Offset/Length groups of 12 bytes each.
 */
typedef struct _SAM_RID_V_VALUE
{
    OFFSET_LENGTH unknown_000;        // 0x000
    OFFSET_LENGTH UserName;           // 0x00C
    OFFSET_LENGTH UserFullName;       // 0x018
    OFFSET_LENGTH UserComment;        // 0x024
    OFFSET_LENGTH unknown_030;        // 0x030
    OFFSET_LENGTH unknown_03C;        // 0x03C
    OFFSET_LENGTH unknown_048;        // 0x048
    OFFSET_LENGTH unknown_054;        // 0x054
    OFFSET_LENGTH unknown_060;        // 0x060
    OFFSET_LENGTH unknown_06C;        // 0x06C
    OFFSET_LENGTH unknown_078;        // 0x078
    OFFSET_LENGTH unknown_084;        // 0x084
    OFFSET_LENGTH unknown_090;        // 0x090
    OFFSET_LENGTH EncryptedLMHash;    // 0x09C
    OFFSET_LENGTH EncryptedNTLMHash;  // 0x0A8
    OFFSET_LENGTH unknown_0B4;        // 0x0B4
    OFFSET_LENGTH unknown_0C0;        // 0x0C0
                                      // 0x0CC
} SAM_RID_V_VALUE, *PSAM_RID_V_VALUE, **PPSAM_RID_V_VALUE;
#pragma pack(pop)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
It can be seen that the information obtained from NetUserGetInfo() comes from "F" and "V" respectively. After all this tossing about, what I didn't understand before I still don't understand; others didn't work it out and neither did I, which is not cool. Whatever; here I follow in Jeremy Allison's footsteps and have complete "F" and "V" structures, so it won't be so hard for whoever comes next. SampRetrieveUserPasswords() calls SampGetUnicodeStringAttribute() to obtain the encrypted LM Hash and NTLM Hash; SampGetUnicodeStringAttribute() takes an index, with the values 0x0D and 0x0E respectively. Compare these with the SAM_RID_V_VALUE structure and the meaning of the two indexes becomes clear.
☆ Reference resources
Hey, those of you writing "originals", don't let me catch you; the most important thing is that you guarantee the things you reference can still be found through Google, or else host the referenced resource yourself. I have no other strengths
apart from digging up eighteen generations of someone's ancestry from Google. // grin
[5] http://us1.samba.org/samba/ftp/pwdump/pwdump.c - Jeremy Allison [1997]
[20] Offline NT Password & Registry Editor - Petter Nordahl-Hagen
     http://home.eunet.no/~pnordahl/ntpasswd/
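To show the SAM_RID_V_VALUE layout above in working form, here is an added Python example (not the page's code, and not samdump.c): a parser that walks the 17 Offset/Length groups, treats the offsets as relative to the 0xCC-byte header, and pulls out UserName, User Full Name, User Comment and the two 20-byte hash records at indexes 0x0D and 0x0E, plus a builder that assembles a sample blob with the same field order, lengths and 4-byte alignment as the 0x000003EB dump, so the header it produces (0xD4/8, 0xDC/0x12, 0xF0/0x16, seven empty 0x108 fields, 0x108/0x15, 0x120/8, 0x128/0x14, 0x13C/0x14, 0x150/4, 0x154/4; 548 bytes in total) can be checked against the page. The builder, the bounds check on hive-supplied offsets, and all Python names are mine; the hash bytes are placeholders, since the page shows them as XX. Two notes of my own, not from the page: the parser refuses any entry whose offset plus length runs past the data area, because those numbers come from the hive and a corrupt or hostile value would otherwise index out of range; and the 212-byte block at slot 0 that the page leaves undecoded has the shape of a self-relative SECURITY_DESCRIPTOR (revision 01, control 0x8014, then owner/group/SACL/DACL offsets B4/C4/14/44), which is why it differs between accounts.

```python
"""Parse the variable-length "V" value of a SAM user key using the layout
worked out on this page: a 0xCC-byte header of 17 (Offset, Length, unknown)
DWORD triples, offsets relative to the end of the header, then the data area.
Added example, not the page author's code; the builder that assembles the
sample blob, the bounds checks and the Python names are mine."""
import struct

HEADER_ENTRIES = 17
ENTRY = struct.Struct("<III")              # Offset, Length, unknown
HEADER_SIZE = HEADER_ENTRIES * ENTRY.size  # 0xCC

# Header slots carrying the fields named on the page; 0x0D/0x0E are the indexes
# the page says SampGetUnicodeStringAttribute() uses for the two hashes.
SLOT_USERNAME, SLOT_FULLNAME, SLOT_COMMENT = 1, 2, 3
SLOT_LM_HASH, SLOT_NT_HASH = 0x0D, 0x0E


def parse_v_value(blob: bytes) -> dict:
    """Walk the 17 header entries and pull the named fields out of the data area."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("V value shorter than its 0xCC-byte header")
    data = blob[HEADER_SIZE:]
    slots = []
    for i in range(HEADER_ENTRIES):
        offset, length, unknown = ENTRY.unpack_from(blob, i * ENTRY.size)
        # Offsets and lengths come from the hive; never index with them unchecked.
        if offset + length > len(data):
            raise ValueError(f"slot {i}: offset {offset:#x} + length {length:#x} "
                             f"exceeds the {len(data):#x}-byte data area")
        slots.append((offset, length, unknown, data[offset:offset + length]))

    def utf16(i):
        # Length-delimited UTF-16LE with no NUL terminator, as observed on the page.
        return slots[i][3].decode("utf-16-le")

    return {
        "username": utf16(SLOT_USERNAME),
        "fullname": utf16(SLOT_FULLNAME),
        "comment": utf16(SLOT_COMMENT),
        "lm_hash_record": slots[SLOT_LM_HASH][3],  # 4-byte prefix + 16-byte encrypted hash
        "nt_hash_record": slots[SLOT_NT_HASH][3],
        "slots": [(o, l, u) for o, l, u, _ in slots],
    }


def build_v_value(username, fullname, comment, lm_record, nt_record) -> bytes:
    """Assemble a V blob with the page's header layout (constructed sample, not a
    real hive dump).  Slot 0 is a 212-byte placeholder for the block the page
    leaves undecoded; strings are UTF-16LE; every field is padded to a 4-byte
    boundary (with zeros here; the real hive has junk fill bytes)."""
    data = bytearray()
    slots = [(0, 0, 0)] * HEADER_ENTRIES

    def put(i, payload, unknown=0):
        slots[i] = (len(data), len(payload), unknown)
        data.extend(payload)
        while len(data) % 4:
            data.append(0)

    put(0, b"\x01\x00\x14\x80" + b"\x00" * 208, 0x00010002)
    put(SLOT_USERNAME, username.encode("utf-16-le"))
    put(SLOT_FULLNAME, fullname.encode("utf-16-le"))
    put(SLOT_COMMENT, comment.encode("utf-16-le"))
    for i in range(4, 11):                       # seven empty fields, as on the page
        slots[i] = (len(data), 0, 0)
    put(11, b"\xFF" * 21, 0xA8)                  # the 21 bytes of 0xFF
    put(12, b"\x01\x02\x00\x00\x07\x00\x00\x00", 1)
    put(SLOT_LM_HASH, lm_record)
    put(SLOT_NT_HASH, nt_record)
    put(0x0F, b"\x01\x00\x01\x00")
    put(0x10, b"\x01\x00\x01\x00")
    return b"".join(ENTRY.pack(*s) for s in slots) + bytes(data)


# Constructed sample mirroring the page's 0x000003EB dump; the hash bytes are
# placeholders (the page shows them as XX), not real ciphertext.
SAMPLE_V_3EB = build_v_value("test", "test user", "only a test",
                             b"\x01\x00\x01\x00" + b"\xAA" * 16,
                             b"\x01\x00\x01\x00" + b"\xBB" * 16)

if __name__ == "__main__":
    parsed = parse_v_value(SAMPLE_V_3EB)
    for name in ("username", "fullname", "comment"):
        print(f"{name:9}: {parsed[name]!r}")
    for i, (o, l, u) in enumerate(parsed["slots"]):
        print(f"slot {i:2}: offset {o:#06x} length {l:#04x} unknown {u:#010x}")
```

The slot table printed by the sample matches the header decoded on the page entry for entry, which is a useful cross-check that the seven empty fields, the 21-byte field and the 8-byte field really do sit between the comment and the LM hash record.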