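Original link: http://bbs.pediy.com/showthread.php?s=&threadid=5876
Yesterday I finally unpacked a Notepad protected with Asprotect 1.23RC4, and I'm thrilled! This is the first time I've unpacked something on my own.
I had unpacked this packer before, but back then I only knew to trace N times, dump, and then run AsprDbgr to fix the IAT.... I had no idea why any of that was done. Now I know not only the HOW but also the WHY!
Below is the unpacking process; consider it my first unpacking write-up.
It took me 8 hours to unpack this (internet cafe time is expensive....), with N detours along the way. I won't write up the detours, only how I found the approach that works.
Target: Notepad protected with Asprotect 1.23RC4.
The operating system is Win98.
I already knew a few things about this packer: Asprotect uses SEH more than 20 times, moves some of the code at the program entry point elsewhere (StolenCode), and the IAT does not point to the real APIs but to the packer's API-hooking code.
My plan was to find the entry point, dump, then fix the IAT, and deal with the StolenCode when I got there.
First, load Notepady.exe in OD (OllyDbg).
Under Options -> Debugging options, clear the 6 checkboxes under "Ignore (pass to program) following exceptions".
This makes OD break when these exceptions occur, so you can trace to where the packer triggers SEH.
The reasoning is that a bug-free program never triggers SEH; assume Notepad is such a program.
SEH will then generally only be triggered inside the packer's code, so reaching the last SEH means we are close to the program's entry point.
(Many unpacking write-ups only intercept memory exceptions rather than all exceptions. I never figured out why; can anyone give me a hint?)
Then press F9 to run the program. It breaks because the packer raises exceptions to trigger SEH; press Shift+F9 to pass the exception and continue.
At the 14th SEH, pressing Shift+F9 once more brings up a dialog saying a debugger was detected (I now know that IsDebug's Hide has no effect under Win98), so the detection has to be bypassed by hand.
Press F8 a few times to single-step and you arrive at this code: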
010C3EFE 74 09 je short 010C3F09
010C3F00 E8 4BD7FFFF call 010C1650
010C3F05 8BD8 mov ebx,eax
010C3F07 EB 07 jmp short 010C3F10
010C3F09 E8 B6D6FFFF call 010C15C4
010C3F0E 8BD8 mov ebx,eax
010C3F10 84DB test bl,bl
010C3F12 75 09 jnz short 010C3F1D
010C3F14 E8 3BD7FFFF call 010C1654 //probably the detection function
010C3F19 84C0 test al,al //if it returns 0, call 010C2678 is skipped
010C3F1B 74 10 je short 010C3F2D
010C3F1D A1 A47E0C01 mov eax,dword ptr ds:[10C7EA4]
010C3F22 50 push eax //at this point eax->"Debugger detected...."
010C3F23 68 6C3F0C01 push 10C3F6C ; ASCII "Protection Error"
010C3F28 E8 4BE7FFFF call 010C2678 //judging by the strings above, this should be the CALL that shows the dialog and terminates the program
010C3F2D E8 7EE6FFFF call 010C25B0
010C3F32 33C0 xor eax,eax
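Analysis suggests call 010C1654 is probably the detection function; when it returns 0, the "Protection Error" dialog is skipped.
To verify that guess: rerun, change eax to 0 at test al,al, then keep hitting Shift+F9; Notepad runs correctly.
That bypasses the detection. From now on, every run of Notepady.exe has to break here and modify eax; I won't repeat this below.
Load the program again and press Shift+F9; after 29 presses Notepad opens (so the 28th is the last SEH).
Then press F12 to pause the program. The code executing now is the program's own; a little tracing shows it is inside the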
while(GetMessage(....))
{
TranslateMessage();
DispatchMessage();
}
loop. The code is:
0040213F 50 push eax
00402140 FF15 98644000 call dword ptr ds:[406498] //TranslateMessage
00402146 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00402149 50 push eax
0040214A FF15 9C644000 call dword ptr ds:[40649C] //DispatchMessage
00402150 56 push esi
00402151 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00402154 56 push esi
00402155 56 push esi
00402156 50 push eax
00402157 FF15 A0644000 call dword ptr ds:[4064A0] //GetMessage
0040215D 85C0 test eax,eax
0040215F ^ 75 A5 jnz short NOTEPADY.00402106
OD identified TranslateMessage, DispatchMessage and GetMessage, which means the packer did not encrypt these 3 functions.
It also shows that the program's code section is around 402000 (my guess is that it is the VC-generated .text section, starting at 401000).
Also, the IAT should be near 406400.
Reload the program and trace with F7 at the last SEH.
If EIP jumps from 010***** to 0040****, the packer has handed control to the program's code.
010C39EC 3100 xor dword ptr ds:[eax],eax //the last exception; press Shift+F8 to single-step
010C39EE 64:8F05 00000000 pop dword ptr fs:[0]
010C39F5 58 pop eax
010C39F6 833D B07E0C01 00 cmp dword ptr ds:[10C7EB0],0
010C39FD 74 14 je short 010C3A13
010C39FF 6A 0C push 0C
010C3A01 B9 B07E0C01 mov ecx,10C7EB0
010C3A06 8D45 F8 lea eax,dword ptr ss:[ebp-8]
010C3A09 BA 04000000 mov edx,4
010C3A0E E8 2DD1FFFF call 010C0B40 //step over with F8 here: stepping over this CALL did not show the Notepad window, so the program entry point is still further on
010C3A13 FF75 FC push dword ptr ss:[ebp-4] //from here on, single-step with F7
010C3A16 FF75 F8 push dword ptr ss:[ebp-8]
010C3A19 8B45 F4 mov eax,dword ptr ss:[ebp-C]
010C3A1C 8338 00 cmp dword ptr ds:[eax],0
010C3A1F 74 02 je short 010C3A23
010C3A21 FF30 push dword ptr ds:[eax]
010C3A23 FF75 F0 push dword ptr ss:[ebp-10]
010C3A26 FF75 EC push dword ptr ss:[ebp-14]
010C3A29 C3 retn
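Holding F7 down for a while, it looks like we are in a complicated loop, with several CALLs calling each other in a cycle.
Since we already know the program's code is around 402000,
we can use Debug -> Trace into to let OD trace automatically.
The steps are:
Click Debug -> Set condition, check "EIP is in range", enter 00400000,00403000 (so OD breaks when EIP falls inside that range), and click OK.
Click Debug -> Open or clear run trace, then click Debug -> Trace into. (How did I know to do this? I found out after N attempts...)
After a few seconds OD breaks: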
004010C5 0000 add byte ptr ds:[eax],al
004010C7 000D 0A000000 add byte ptr ds:[A],cl
004010CD 0000 add byte ptr ds:[eax],al
004010CF 0000 add byte ptr ds:[eax],al
004010D1 0000 add byte ptr ds:[eax],al
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] //OD breaks here; the code above is clearly meaningless
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
004010DF 75 1B jnz short NOTEPADY.004010FC
004010E1 56 push esi
004010E2 FF15 F4644000 call dword ptr ds:[4064F4]
004010E8 8BF0 mov esi,eax
004010EA 8A00 mov al,byte ptr ds:[eax]
004010EC 84C0 test al,al
004010EE 74 04 je short NOTEPADY.004010F4
004010F0 3C 22 cmp al,22
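Click View -> Run trace to see everything OD just recorded; scrolling to the bottom shows that the packer jumps to the code above (004010D3) from the retn at 010D3A88.
Click Debug -> Close run trace.
We have now found the program entry point, OEP=004010D3.
However, the correct entry point should be at 0x401000 (the default VC-generated entry point),
and it should begin with push ebp;mov ebp,esp.
So part of the code before OEP=004010D3 must have been moved elsewhere by the packer and executed there.
The run trace shows this relocated code (if you followed the steps above, the run trace is already closed; no matter, trace once more...).
So the correct OEP should be 010D3A75 (the yellow line in the screenshot), because many rep stos follow it. Tracing a VC6 program shows that VC always adds a rep stos at the start of every function to initialize the stack area, so my guess is that 010D3A75 is the original OEP.
At this point it should be enough to move the code at 010D3A75 to 0401000, but that is not what I did.
Since Notepad is written in VC, there should be VC-generated entry code that calls WinMain.
My idea was not to patch the entry code but to write my own code that calls WinMain, like this: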
WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_SHOWNORMAL);
In assembly that is:
push 0A
call GetCommandLineA
push eax
push 0
push 0
call GetModuleHandle
push eax
call WinMain
So all that is needed is to find WinMain further down (though in the end I found this was actually a detour).
Trace with F8 starting from the OEP at 004010D3:
004010D3 FF15 E4634000 call dword ptr ds:[4063E4]
004010D9 8BF0 mov esi,eax
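The address used by the CALL at 0x4010D3 should be in the IAT (recall the GetMessage address seen earlier),
but OD did not identify it; it may be an API the packer encrypted. I won't trace into it now and will look at it when fixing the IAT.
However, this call returned eax=81D6DB44,(ASCII ""E:\Crack\NOTEPADy.EXE"")
From that I guess this API may be CommandLineA; I'll check when fixing the IAT.
A few F8 steps later we enter a loop; the register window suggests this loop is processing the command-line arguments.
After the loop we arrive here: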
00401146 50 push eax
00401147 56 push esi
00401148 6A 00 push 0
0040114A 6A 00 push 0
0040114C FF15 9C634000 call dword ptr ds:[40639C] //judging by 40639C, this should be an API
00401152 50 push eax
00401153 E8 760F0000 call NOTEPADY.004020CE //possibly WinMain
00401158 50 push eax
00401159 8BF0 mov esi,eax
0040115B FF15 A0634000 call dword ptr ds:[4063A0] //KERNEL32.ExitProcess
00401161 8BC6 mov eax,esi
00401163 5E pop esi
00401164 8BE5 mov esp,ebp
00401166 5D pop ebp
00401167 C3 retn
Stepping over the call dword ptr ds:[4063A0], the Notepad window popped up! This may well be WinMain!
Trace back to this point and note the arguments to call NOTEPADY.004020CE: the last one is 40000, the current module!
And the call dword ptr ds:[4063A0] below points to KERNEL32.ExitProcess,
which means the program ends once call NOTEPADY.004020CE is done!
There is now every reason to guess that this is WinMain (in the end the guess turned out to be wrong....).
Now, with EIP=00401153, open LordPE and do a full dump of notepady.exe, saving it as dumped.exe.
(Strangely, OllyDump reports "no process available to dump". Does anyone know why? Does OllyDump not work under Win98?)
The dump is done. Next comes fixing the IAT, and writing a bit of code of my own to jmp to
Fix the IAT first; fixing the IAT feels like a fairly independent step.
Close OD, copy notepady.exe and name the copy notepady_bak.exe.
Run notepady_bak.exe (note: run it directly by double-clicking in the file browser, not by loading it in OD).
Then load notepady.exe in OD again and trace into the program's code.
(This is because notepady.exe cannot be copied while OD is debugging it.)
Open RecImport and select notepady_bak.exe.
(If you select the process being debugged, its data cannot be read.)
The GetMessage address found earlier is ds:[4064A0].
Switch to OD and look at the memory at 4064A0:
Scrolling up, there is data all the way to 406000; above that we are no longer in this module.
So the IAT cannot start before 406000.
In RecImport, enter 006000 as the IAT start address RAV (for now).
(RecImport seems to have misspelled this; it should be RVA, right?)
Scrolling down, the data ends at 406E00, so enter E00 (=406E00-406000) as the IAT size.
Click Get Imports. The resulting IAT data (from the saved tree file):
0 00006000 ? 0000 ECEDF09B //this is the very start
0 00006004 ? 0000 DCCFDDBC
0 00006008 ? 0000 6FFA3DDF //keep scrolling down
.....
0 000062D4 ? 0000 F8F71C33
0 000062D8 ? 0000 CAD26836
0 000062DC ? 0000 A0569B26
0 000062E0 ? 0000 CDDA23E0 //everything from here up is clearly invalid
1 000062E4 advapi32.dll 00F7 RegQueryValueExA
1 000062E8 advapi32.dll 00D8 RegCloseKey
1 000062EC advapi32.dll 0103 RegSetValueExA
.....
1 00006518 comdlg32.dll 0070 GetSaveFileNameA
1 0000651C comdlg32.dll 0069 CommDlgExtendedError
1 00006520 comdlg32.dll 006C GetFileTitleA
0 00006524 ? 0000 5188AEDE //what follows is meaningless too
0 00006528 ? 0000 D10692B9
0 0000652C ? 0000 21413DDA
.....
Looking at this data, everything before the pointer at 000062E0 (this is an RVA) is clearly meaningless (not valid memory addresses).
So the IAT start address should be 000062E4.
The data from 00006524 onward is meaningless too, so 00006524 is the IAT end address.
That gives size=00006524-000062E4=240
Click Clear Imports, enter RAV=000062E4 and size=240, and click Get Imports.
Many functions are still unidentified.
Also, there is an invalid pointer between two DLLs:
1 000062F0 advapi32.dll 00EE RegOpenKeyA
1 000062F4 advapi32.dll 00DB RegCreateKeyA
0 000062F8 ? 0000 A32F18E7 //clearly not a valid memory address
1 000062FC gdi32.dll 011A GetObjectA
1 00006300 gdi32.dll 00FA GetDeviceCaps
ÎҲ²â¿ÉÄÜÿÁ½¸öDLLµÄIAT±íÖ®¼äÓÐ4¸ö×ֽڵĿÕ϶°É
ÕÒµ½µÚÒ»¸öÎÞ·¨Ê¶±ðµÄÖ¸Õë:
1 0000634C gdi32.dll 012F GetTextCharset
1 00006350 gdi32.dll 00B0 DeleteObject
1 00006354 gdi32.dll 0129 GetStockObject
0 00006358 ? 0000 C6AFBA7C //gap
0 0000635C ? 0000 010D0334 //first unidentified pointer
0 00006360 ? 0000 010D04F0
0 00006364 ? 0000 010D6F3C
Here is something I can't explain:
In OD, Alt+G to the code at 010D0334 shows complete nonsense:
010D0334 3003 xor byte ptr ds:[ebx],al
010D0336 0D 01240000 or eax,2401
010D033B 0010 add byte ptr ds:[eax],dl
010D033D 0000 add byte ptr ds:[eax],al
010D033F 0017 add byte ptr ds:[edi],dl
Yet viewing 0040635C (0000635C + image base 00400000) in OD shows the value 010D6F3C, not 010D0334!
(At this point the notepady loaded in OD is also running; Notepad is already open.)
I can't work out why. Could RecImport be wrong?
I'll set it aside for now; since the address 010D0334 is wrong anyway, I'll go with what OD shows.
In OD, Alt+G to 010D6F3C:
010D6F3C 68 3B0CFABF push KERNEL32._lwrite
010D6F41 68 DD4F158E push 8E154FDD
010D6F46 C3 retn //a disguised CALL to 8E154FDD
In OD, Alt+G to 8E154FDD:
8E154FDD - E9 250BE431 jmp KERNEL32.BFF95B07
Pressing Enter on the line above follows it to BFF95B07:
BFF95B07 9C pushfd //push flags
BFF95B08 FC cld
BFF95B09 50 push eax
BFF95B0A 53 push ebx
BFF95B0B 52 push edx //3 pushes
BFF95B0C 64:8B15 20000000 mov edx,dword ptr fs:[20] //check for a debugger
BFF95B13 0BD2 or edx,edx
BFF95B15 74 09 je short KERNEL32.BFF95B20
BFF95B17 8B42 04 mov eax,dword ptr ds:[edx+4]
BFF95B1A 0BC0 or eax,eax
BFF95B1C 74 07 je short KERNEL32.BFF95B25
BFF95B1E EB 42 jmp short KERNEL32.BFF95B62
BFF95B20 5A pop edx
BFF95B21 5B pop ebx
BFF95B22 58 pop eax //3 pops
BFF95B23 9D popfd //pop flags
BFF95B24 C3 retn
As the code above shows, the stack ends up unchanged, so
push XXXXXXXX
push 8E154FDD
retn
ends up executing XXXXXXXX.
8E154FDD is in system space; Asprotect may have built that code in some code gap in KERNEL32 to check for a debugger.
(Oddly, why didn't Asprotect detect OD when it checked for a debugger?)
Right, we now know that ds:[40635C] is KERNEL32._lwrite.
In RecImport, double-click RVA:0000635C ptr:010D0334, choose kernel32.dll as the DLL and _lwrite as the function.
The first function is fixed; on to the next:
0 00006360 ? 0000 010D04F0
Look at 010D04F0:
010D04F0 68 591EFABF push KERNEL32.DeleteFileA
010D04F5 - E9 F34A088D jmp 8E154FED
Go to 8E154FED:
8E154FED - E9 150BE431 jmp KERNEL32.BFF95B07
KERNEL32.BFF95B07 again, already analysed above, so 00006360 is KERNEL32.DeleteFileA. Fix it.
Then the next one.... Hang in there! Victory will be ours!
0 00006364 ? 0000 010D6F3C
010D6F3C 68 3B0CFABF push KERNEL32._lwrite
010D6F41 68 DD4F158E push 8E154FDD
010D6F46 C3 retn
8E154FDD - E9 250BE431 jmp KERNEL32.BFF95B07
Exactly the same approach: fix 00006364=KERNEL32._lwrite, then the next one.....
(Almost every function RecImport cannot identify jumps through BFF95B07.)
After a long stretch of fixing.................... all the functions protected by BFF95B07 were finally fixed.
(I fixed them all by hand; does anyone know a simpler way???)
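The stub-following done by hand above, scripted as an added example (not part of the original post): it walks the push/jmp/retn stubs whose bytes appear in the listings and reports which API each IAT slot ends up at. The function names, the small memory map and the label table are assumptions built from the addresses and OllyDbg labels shown in this write-up.

```python
import struct

# Stub bytes copied from the disassembly listings in the write-up, keyed by address.
MEMORY = {
    0x010D6F3C: bytes.fromhex("68 3B0CFABF 68 DD4F158E C3"),  # push api; push stub; retn
    0x010D04F0: bytes.fromhex("68 591EFABF E9 F34A088D"),     # push api; jmp stub
    0x8E154FDD: bytes.fromhex("E9 250BE431"),
    0x8E154FED: bytes.fromhex("E9 150BE431"),
    0x8E154E68: bytes.fromhex("68 9677F7BF E9 950CE431"),
}
# The write-up shows the routine at BFF95B07 leaves the stack as it found it and
# ends in retn, so it is modelled here as a plain return.
STACK_NEUTRAL = {0xBFF95B07}
# Names OllyDbg printed next to the pushed addresses in the listings.
LABELS = {0xBFFA0C3B: "KERNEL32._lwrite", 0xBFFA1E59: "KERNEL32.DeleteFileA",
          0xBFF77796: "KERNEL32.GetModuleHandleA"}
# IAT slots (RVA -> pointer) as the write-up resolves them.
IAT_SLOTS = {0x635C: 0x010D6F3C, 0x6360: 0x010D04F0, 0x6364: 0x010D6F3C}


def fetch(addr, size):
    """Return `size` bytes at `addr` from MEMORY, or None if unmapped."""
    for base, blob in MEMORY.items():
        off = addr - base
        if 0 <= off and off + size <= len(blob):
            return blob[off:off + size]
    return None


def resolve_thunk(entry, max_steps=32):
    """Follow push/jmp/retn until control leaves the known stubs."""
    pc, stack = entry, []
    for _ in range(max_steps):
        if pc in STACK_NEUTRAL or fetch(pc, 1) == b"\xC3":  # retn
            if not stack:
                raise ValueError(f"return with empty stack at {pc:08X}")
            pc = stack.pop()
            continue
        op = fetch(pc, 1)
        if op is None:
            return pc  # outside every stub: the real API entry
        operand = fetch(pc + 1, 4)
        if operand is None or op not in (b"\x68", b"\xE9"):
            raise ValueError(f"unsupported instruction at {pc:08X}")
        if op == b"\x68":  # push imm32
            stack.append(struct.unpack("<I", operand)[0])
            pc += 5
        else:  # jmp rel32, relative to the next instruction
            pc = (pc + 5 + struct.unpack("<i", operand)[0]) & 0xFFFFFFFF
    raise ValueError("step limit reached")


def resolve_iat(slots):
    """Map each IAT RVA to the label of the API its stub finally reaches."""
    return {rva: LABELS.get(t, f"{t:08X}")
            for rva, t in ((r, resolve_thunk(p)) for r, p in slots.items())}


if __name__ == "__main__":
    for rva, name in resolve_iat(IAT_SLOTS).items():
        print(f"{rva:08X} -> {name}")
```

Wrappers with conditional logic, such as the one at 010C1C64 discussed next, are outside what this walker models and still need manual analysis.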
There are two exceptions, though:
0 0000639C ? 0000 010C1C64
Look at 010C1C64:
010C1C64 55 push ebp
010C1C65 8BEC mov ebp,esp
010C1C67 8B45 08 mov eax,dword ptr ss:[ebp+8] //first argument
010C1C6A 85C0 test eax,eax
010C1C6C 75 13 jnz short 010C1C81 //if non-zero, push the argument and call 010B51B8
010C1C6E 813D A47A0C01 00004>cmp dword ptr ds:[10C7AA4],400000 //if 0, check whether ds:[10C7AA4] is 400000
010C1C78 75 07 jnz short 010C1C81 //if so, return 400000; otherwise call 010B51B8
010C1C7A A1 A47A0C01 mov eax,dword ptr ds:[10C7AA4]
010C1C7F EB 06 jmp short 010C1C87
010C1C81 50 push eax
010C1C82 E8 3135FFFF call 010B51B8
010C1C87 5D pop ebp
010C1C88 C2 0400 retn 4 //so there is only one argument
Look at 010B51B8:
010B51B8 - FF25 08820C01 jmp dword ptr ds:[10C8208]
Look at ds:[10C8208]=8E154E68
Look at 8E154E68:
8E154E68 68 9677F7BF push KERNEL32.GetModuleHandleA
8E154E6D - E9 950CE431 jmp KERNEL32.BFF95B07 //this one again
Clearly, 0000639C is KERNEL32.GetModuleHandleA.
If the argument is NULL (meaning the current module), it checks ds:[10C7AA4] and returns 40000.
If it is not NULL, it dutifully calls GetModuleHandleA.
Right, fix it.
The other function is:
0 000063E4 ? 0000 010C1CD8
Wait! Remember that OEP left after part of the code was stolen?
004010D3 FF15 E4634000 call dword ptr ds:[4063E4]
While debugging earlier we already saw that what this returns is the command line.
Look at 010C1CD8:
010C1CD8 6A 00 push 0
010C1CDA E8 D934FFFF call 010B51B8
010C1CDF FF35 147E0C01 push dword ptr ds:[10C7E14]
010C1CE5 58 pop eax
010C1CE6 8B05 247E0C01 mov eax,dword ptr ds:[10C7E24]
010C1CEC C3 retn
The final return value=ds:[10C7E24], along with a call 010B51B8; the following confirms this:
Look at 010B51B8:
010B51B8 - FF25 08820C01 jmp dword ptr ds:[10C8208]
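Look at ds:[010C8208]=8E154E68, (Thunk to KERNEL32.GetModuleHandleA)
Does the packer really need to call GetModuleHandleA(NULL)?
Looking over the functions already fixed, GetCommandLineA is not among them,
so for now 010C1CD8 can only be taken to be the command line.
(Entering a command line when loading in OD also confirms this.)
In RecImport, fix 010C1CD8=kernel32.GetCommandLineA
Finally, the gaps between DLLs are still invalid; right-click them and choose Cut thunk(s), after which everything is valid.
Open LordPE; in the rebuild section of the options select "status window", "dump fix", "realign file" and "validate PE file", then rebuild dumped.exe.
(I don't know whether this is right, but those are all default options. "Rebuild import table" is also selected by default; since I rebuilt it by hand, I figured it could be unchecked.)
Then click Fix Dump in RecImport, and the IAT is fixed. Finally....
Now to build the entry point by hand.
First use LordPE to change the entry point to 1000. Looking at 0x401000 shows no meaningful code there, so the patched entry goes there.
Now look again at the code around 00401153 call NOTEPADY.004020CE: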
0040113B B8 0A000000 mov eax,0A
00401140 74 04 je short NOTEPADY.00401146
00401142 0FB745 EC movzx eax,word ptr ss:[ebp-14]
00401146 50 push eax //eax=0A
00401147 56 push esi
00401148 6A 00 push 0
0040114A 6A 00 push 0
0040114C FF15 9C634000 call dword ptr ds:[40639C]
00401152 50 push eax
00401153 E8 760F0000 call NOTEPADY.004020CE
The first argument is 0A, the second is esi, the third is 0, and the fourth is GetModuleHandle(0).
To find out whether esi is GetCommandLineA, open the packed program in OD with a.txt entered as the argument.
Running to the line 00401147 push esi shows esi->"a.txt"!
So esi cannot be replaced with GetCommandLineA!
Look at the preceding code again:
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] //the OEP after the code was stolen; =GetCommandLineA
004010D9 8BF0 mov esi,eax //esi=char*ptr;
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22 //is the first character a " (ASCII code 22)?
004010DF 75 1B jnz short NOTEPADY.004010FC
004010E1 56 push esi
004010E2 FF15 F4644000 call dword ptr ds:[4064F4] //CharNext: get the next character
004010E8 8BF0 mov esi,eax
004010EA 8A00 mov al,byte ptr ds:[eax]
004010EC 84C0 test al,al //is the next character \0?
004010EE 74 04 je short NOTEPADY.004010F4
004010F0 3C 22 cmp al,22 //is the next character a "?
004010F2 ^ 75 ED jnz short NOTEPADY.004010E1 //if not, jump and test the one after
004010F4 803E 22 cmp byte ptr ds:[esi],22
004010F7 75 15 jnz short NOTEPADY.0040110E //until a " is found
004010F9 46 inc esi //add 1 to point at the character after the "
004010FA EB 12 jmp short NOTEPADY.0040110E
004010FC 3C 20 cmp al,20
004010FE 7E 0E jle short NOTEPADY.0040110E
00401100 56 push esi
00401101 FF15 F4644000 call dword ptr ds:[4064F4]
00401107 8038 20 cmp byte ptr ds:[eax],20
0040110A 8BF0 mov esi,eax
0040110C ^ 7F F2 jg short NOTEPADY.00401100
0040110E 803E 00 cmp byte ptr ds:[esi],0 //is it \0? if so, jump to the next part of the program
00401111 74 13 je short NOTEPADY.00401126
00401113 803E 20 cmp byte ptr ds:[esi],20 //test for a space
00401116 77 0E ja short NOTEPADY.00401126
00401118 56 push esi
00401119 FF15 F4644000 call dword ptr ds:[4064F4]
0040111F 8038 00 cmp byte ptr ds:[eax],0
00401122 8BF0 mov esi,eax
00401124 ^ 75 ED jnz short NOTEPADY.00401113
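After this code eax points to the command-line argument.
For example, if the result of GetCommandLineA is "E:\Crack\Notepady.exe" a.txt
then at this point esi->a.txt, so this code also has to be added at the entry point.
All the jumps in it are short (relative) jumps, so the bytes can simply be copied over unchanged.
In HIEW, go to 400 (the file offset of 401000) and enter this code: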
push 0A
call d,[4063E4] //calls GetCommandLineA
Then in OD, hold Shift to select the code from 004010D9 to 00401124, right-click and choose Follow in Dump -> Selection.
The dump pane now shows the bytes of that code:
8B F0 8A 00 3C 22 75 1B 56 FF 15 F4 64 40 00 8B F0 8A 00 84 C0 74 04 3C 22 75 ED 80 3E 22 75 15
46 EB 12 3C 20 7E 0E 56 FF 15 F4 64 40 00 80 38 20 8B F0 7F F2 80 3E 00 74 13 80 3E 20 77 0E 56
FF 15 F4 64 40 00 80 38 00 8B F0 75 ED
These bytes now have to go into the IAT-fixed program, but it turns out the hex editor in LordPE cannot paste!
In the end I typed them in by hand (call it typing practice; that's what we do every day in our computer lab class anyway....).
Does anyone know a better way? (Though I suspect anyone patient enough to read this far is close to a breakdown...)
Note that push 0A;call d,[4063E4]; already take up 8 bytes, so the input has to start at 401008.
Now open HIEW, scroll to 401055 and add:
push esi
push 0
push 0
call d,[0040639C] //KERNEL32.GetModuleHandleA
push eax
jmp 553
This pushes the arguments and then jumps to WinMain (553=00401153-401000+400; HIEW needs the file offset).
It is finally patched. Run the modified dumped_.exe.......
Notepad does not appear!!! Damn!!!
Load dumped_.exe in OD again, open a second OD with the packed notepady.exe, and run them side by side to see where they differ.
The very first CALL inside WinMain differs:
004020CE /$ 55 push ebp
004020CF |. 8BEC mov ebp,esp
004020D1 |. 83EC 1C sub esp,1C
004020D4 |. 56 push esi
004020D5 |. FF75 14 push dword ptr ss:[ebp+14] ; /Arg4
004020D8 |. FF75 10 push dword ptr ss:[ebp+10] ; |Arg3 = 81D60F0E
004020DB |. FF75 0C push dword ptr ss:[ebp+C] ; |Arg2
004020DE |. FF75 08 push dword ptr ss:[ebp+8] ; |Arg1
004020E1 |. E8 BB0B0000 call DUMPED_.00402CA1 ; \DUMPED_.00402CA1
004020E6 |. 85C0 test eax,eax //eax=0 here in dumped_.exe, 1 in notepady.exe
Stepping into 00402CA1, Notepad loads a lot of resources and then calls CreateWindowExA; up to here the two programs behave the same.
Further down there is another CreateWindowExA:
00402DC3 |. 50 push eax ; |Style
00402DC4 |. 68 00104000 push DUMPED_.<ModuleEntryPoint> ; |WindowName = "j
ÿäc@"
00402DC9 |. 68 54104000 push DUMPED_.00401054 ; |Class = "íVj"
00402DCE |. 68 00020000 push 200 ; |ExtStyle = WS_EX_CLIENTEDGE
00402DD3 |. FF15 3C644000 call dword ptr ds:[<&user32.Creat>; \CreateWindowExA
In the packed notepady.exe, at this point push DUMPED_.00401054->"Edit"!!!!
So the packer keeps "Edit\0" at 00401054, and the entry-point patch just now overwrote 00401054.
With no correct Class, this CreateWindowExA call failed!
The WindowName is wrong too; in the packed program WindowName points to ->"\0"
Open dumped_.exe in HIEW again, go to 401070 (F5 470) and switch to hex editing.
At 401070 enter 00 00 (this is WindowName="\0")
At 401080 enter 45 64 69 74 00 (this is class="Edit\0")
F5 to 21C4 (21C4=00402DC4-401000+400) and change the code to
push 401070
push 401080
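F9 to save.
Run dumped_.exe: Notepad pops up correctly!!! The unpacking succeeded!!!!
The whole unpacking process is tedious, but the approach is clear: hide OD, find the OEP, fix the IAT, find a suitable place to DUMP, fix the entry point, and finally check for errors.
This version of Asprotect is very old, though, and there are already unpackers and N write-ups for it, so this one has little value; take it as a memento of my first real unpacking success!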