首页
社区
课程
招聘
[原创]shoooo第二轮第二题
发表于: 2007-8-30 12:58 30441

[原创]shoooo第二轮第二题

2007-8-30 12:58
30441
我是2000, 驱动起不来
这道题的规则定义的很不明确
请裁判跟贴指明一下哪些算哪些不算, 不算请告诉我原因

第一种方法

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	SendMessage(hWnd, WM_CLOSE, 0, 0);
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (24)
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
2
第二种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	PostMessage(hWnd, WM_CLOSE, 0, 0);
}
上传的附件:
2007-8-30 13:00
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
3
第三种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}
上传的附件:
2007-8-30 13:01
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
4
第四种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	PostMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}
上传的附件:
2007-8-30 13:02
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
5
第五种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	SendMessageTimeout(hWnd, WM_CLOSE, 0, 0, 0, 1000, NULL);
}
上传的附件:
2007-8-30 13:05
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
6
第六种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");
	SendMessageTimeout(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0, 0, 1000, NULL);
}
上传的附件:
2007-8-30 13:06
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
7
第七种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	DWORD	Tid;
	DWORD	Pid;
	DWORD	OpenThread;
	HANDLE	hThread;

	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);

	OpenThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");

	__asm
	{
		push Tid
		push 0
		push THREAD_TERMINATE
		call OpenThread
		mov hThread, eax
	}
	TerminateThread(hThread, 0);
}
上传的附件:
2007-8-30 13:22
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
8
第八种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	hWnd = FindWindow("#32770", "CrackMeApp");

	SetActiveWindow(hWnd);
	SetForegroundWindow(hWnd);

	keybd_event(VK_MENU,0,0,0); 
	keybd_event(VK_F4,0,0,0); 
	keybd_event(VK_MENU,0,KEYEVENTF_KEYUP,0); 
	keybd_event(VK_F4,0,KEYEVENTF_KEYUP,0); 
}
上传的附件:
2007-8-30 13:37
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
9
第九种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	RECT	rc;

	hWnd = FindWindow("#32770", "CrackMeApp");
	GetWindowRect(hWnd, &rc);

	SetCursorPos(rc.right-10, rc.top+10);
	SetActiveWindow(hWnd);
	SetForegroundWindow(hWnd);
	Sleep(500);
	mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
	Sleep(10);
	mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
	Sleep(10);
}
上传的附件:
2007-8-30 13:53
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
10
第十种

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
  HWND  hWnd;
  hWnd = FindWindow("#32770", "CrackMeApp");

  SetActiveWindow(hWnd);
  SetForegroundWindow(hWnd);

  Sleep(200);

  keybd_event(VK_ESCAPE,0,0,0); 
  keybd_event(VK_ESCAPE,0,KEYEVENTF_KEYUP,0); 
}
上传的附件:
2007-8-30 13:55
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
11
第十一种方法
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
HWND hWnd;
DWORD Tid;
DWORD Pid;
DWORD OpenThread;
DWORD EP;
HANDLE hThread;
CONTEXT context;

hWnd = FindWindow("#32770", "CrackMeApp");
Tid = GetWindowThreadProcessId(hWnd, &Pid);

OpenThread = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenThread");

__asm
{
mov eax, dword ptr [ExitProcess]
mov EP, eax
push Tid
push 0
push THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT
call OpenThread
mov hThread, eax
}
SuspendThread(hThread);

context.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &context);
context.Eip = EP;
context.ContextFlags = CONTEXT_CONTROL;
SetThreadContext(hThread, &context);
ResumeThread(hThread);

SetActiveWindow(hWnd);
SetForegroundWindow(hWnd);
}
上传的附件:
2007-8-30 14:17
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
12
裁判检查完上面的我再继续
2007-8-30 14:49
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
13
第十二种方法

#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd = NULL;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hProcess = NULL;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);

	hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, Pid);
	if (hProcess)
	{
		CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)&ExitProcess, NULL, 0, NULL);
	}
}
上传的附件:
2007-8-31 10:19
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
14
第十三种

//cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


void start()
{
	HWND	hWnd;
	DWORD	a;
	DWORD	b;

	hWnd = FindWindow("#32770", "CrackMeApp");
	a = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "hook");
	b = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "unhook");

	__asm call a
	Sleep(100);
	SetForegroundWindow(hWnd);
	Sleep(100);
	__asm call b
}


//dll
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

HHOOK	h = NULL;
HMODULE b = NULL;

void fk()
{
	HWND	hWnd = NULL;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);

	if (Pid == GetCurrentProcessId())
		ExitProcess(0);

	return ;
}

LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	fk();
	return NULL; 
}

extern "C" void __declspec(dllexport) hook()
{
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}

extern "C" void _declspec(dllexport) unhook()
{
	UnhookWindowsHookEx(h);
	h = NULL;
}

BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	if (DLL_PROCESS_ATTACH == ud)
		b = hModule;

	return TRUE;
}
上传的附件:
2007-8-31 11:34
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
15
第十四种

//cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


void start()
{
	HWND	hWnd;
	DWORD	a;
	DWORD	b;

	hWnd = FindWindow("#32770", "CrackMeApp");
	a = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "hook");
	b = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "unhook");

	__asm call a
	Sleep(100);
	SetForegroundWindow(hWnd);
	Sleep(100);
	__asm call b
}


//dll
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

HHOOK	h = NULL;
HMODULE b = NULL;

void fk()
{
	HWND	hWnd = NULL;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);

	if (Pid == GetCurrentProcessId())
		PostQuitMessage(0);

	return ;
}

LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	fk();
	return NULL; 
}

extern "C" void __declspec(dllexport) hook()
{
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}

extern "C" void _declspec(dllexport) unhook()
{
	UnhookWindowsHookEx(h);
	h = NULL;
}

BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	if (DLL_PROCESS_ATTACH == ud)
		b = hModule;

	return TRUE;
}
上传的附件:
2007-8-31 11:36
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
16
第十五种

//cpp
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


void start()
{
	HWND	hWnd;
	DWORD	a;
	DWORD	b;

	hWnd = FindWindow("#32770", "CrackMeApp");
	a = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "hook");
	b = (DWORD)GetProcAddress(LoadLibrary("dll.dll"), "unhook");

	__asm call a
	Sleep(100);
	SetForegroundWindow(hWnd);
	Sleep(100);
	__asm call b
}


//dll
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:dllmain")
#pragma comment (linker, "/filealign:0x200")

HHOOK	h = NULL;
HMODULE b = NULL;

void fk()
{
	HWND	hWnd = NULL;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);

	if (Pid == GetCurrentProcessId())
		EndDialog(hWnd, 0);

	return ;
}

LRESULT CALLBACK GetMsgProc(int code, WPARAM wParam, LPARAM lParam)
{
	fk();
	return NULL; 
}

extern "C" void __declspec(dllexport) hook()
{
	h = SetWindowsHookEx(WH_GETMESSAGE, GetMsgProc, b, 0);
}

extern "C" void _declspec(dllexport) unhook()
{
	UnhookWindowsHookEx(h);
	h = NULL;
}

BOOL __stdcall dllmain(HMODULE hModule, DWORD ud, LPVOID a)
{
	if (DLL_PROCESS_ATTACH == ud)
		b = hModule;

	return TRUE;
}
上传的附件:
2007-8-31 11:37
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
17
第十六种

sys
//shoooo22.c
#include <ntddk.h>
#pragma warning(disable:4047)

NTKERNELAPI                                                    
NTSTATUS                                                      
ObOpenObjectByPointer(                                       
    IN PVOID Object,                                          
    IN ULONG HandleAttributes,                                 
    IN PACCESS_STATE PassedAccessState OPTIONAL,               
    IN ACCESS_MASK DesiredAccess OPTIONAL,                    
    IN POBJECT_TYPE ObjectType OPTIONAL,                       
    IN KPROCESSOR_MODE AccessMode,                           
    OUT PHANDLE Handle                                          
    );       

NTKERNELAPI
NTSTATUS 
PsLookupProcessByProcessId(
     IN ULONG ulProcId, 
     OUT PEPROCESS * pEProcess
     );

NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
	NTSTATUS	status;
	PEPROCESS	EProcess = NULL;
	HANDLE		handle = NULL;
	UNICODE_STRING y;
	PULONG		PsProcessType;

	status = PsLookupProcessByProcessId(PID, &EProcess);
	if (NT_SUCCESS(status))
	{
		handle = 0;
		RtlInitUnicodeString(&y, L"PsProcessType");
		PsProcessType = MmGetSystemRoutineAddress(&y);
		if (PsProcessType)
		{
			status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
			if (NT_SUCCESS(status))
			{
				*pHandle = handle;
			}
		}
		ObfDereferenceObject(EProcess);
	}
	return status;

}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PDEVICE_OBJECT	pDeviceObject;
	UNICODE_STRING	strSymbolicName;

	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo22");
	IoDeleteSymbolicLink(&strSymbolicName);
	pDeviceObject = pDriverObject->DeviceObject;
	IoDeleteDevice(pDeviceObject);

	return ;
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS			status;
	PVOID				DeviceExtension;
	PIO_STACK_LOCATION	pIrpSp;
	PVOID				SystemBufferIn;
	PVOID				SystemBufferOut;
	ULONG				InBufferLength;
	ULONG				OutBufferLength;
	ULONG				IoControlCode;

	DeviceExtension = pDeviceObject->DeviceExtension;
	pIrpSp          = IoGetCurrentIrpStackLocation(pIrp);
	SystemBufferIn  = pIrp->AssociatedIrp.SystemBuffer;
	SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
	InBufferLength  = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
	OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
	IoControlCode   = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

	switch (IoControlCode)
	{
	case 0x100: 
		if (InBufferLength != 4 || OutBufferLength != 4)
		{
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
			status = STATUS_SUCCESS;
		}
		else
		{
			status = MyOpenProcess(*(PULONG)SystemBufferIn, SystemBufferOut);
			if (NT_SUCCESS(status))
			{
				pIrp->IoStatus.Information = 4;
				pIrp->IoStatus.Status = STATUS_SUCCESS;
			}
			else
			{
				pIrp->IoStatus.Information = 0;
				pIrp->IoStatus.Status = status;
			}
			status = STATUS_SUCCESS;
		}

		break ;

	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		pIrp->IoStatus.Information = 0;
		break ;
 	}

	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS		status;
	UNICODE_STRING	strDeviceName;
	UNICODE_STRING	strSymbolicName;
	PDEVICE_OBJECT	pDeviceObject;

	RtlInitUnicodeString(&strDeviceName, L"\\Device\\shoooo22");

	status = IoCreateDevice(pDriverObject, 0, &strDeviceName,
			         		0x220000, 0, 0, &pDeviceObject);

	if (!NT_SUCCESS(status))
	{
		return status;
	}
	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo22");
	status = IoCreateSymbolicLink(&strSymbolicName, &strDeviceName);

	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDeviceObject);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}


EXE
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile = NULL;
	HANDLE	hProcess = NULL;
	DWORD	temp = 0;

	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (hWnd == NULL)
		return ;

	hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x100, &Pid, 4, &hProcess, 4, &temp, NULL);

	TerminateProcess(hProcess, 0);

	CloseHandle(hFile);
	
}
上传的附件:
2007-8-31 14:05
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
18
第十七种

sys
//shoooo23.c
#include <ntddk.h>
#pragma warning(disable:4047)

typedef struct _KAPC_STATE {
    LIST_ENTRY  ApcListHead[2];
    PEPROCESS   Process;
    BOOLEAN     KernelApcInProgress;
    BOOLEAN     KernelApcPending;
    BOOLEAN     UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);


//404198 4031BC
NTSTATUS MyWriteProcessMemory(ULONG PID)
{
	NTSTATUS	status;
	PEPROCESS	EProcess = NULL;
	KAPC_STATE apc_state;
	ULONG			i;
	ULONG		Address = 0x404198;

	status = PsLookupProcessByProcessId(PID, &EProcess);
	if (NT_SUCCESS(status))
	{
		RtlZeroMemory(&apc_state,sizeof(apc_state));
		KeStackAttachProcess(EProcess, &apc_state);
		__try
		{
			*(PULONG)Address = 0x4031BC;
		}
		__except(1)
		{

		}
		KeUnstackDetachProcess(&apc_state);
		ObDereferenceObject(EProcess);
	}
	return status;

}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PDEVICE_OBJECT	pDeviceObject;
	UNICODE_STRING	strSymbolicName;

	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo23");
	IoDeleteSymbolicLink(&strSymbolicName);
	pDeviceObject = pDriverObject->DeviceObject;
	IoDeleteDevice(pDeviceObject);

	return ;
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS			status;
	PVOID				DeviceExtension;
	PIO_STACK_LOCATION	pIrpSp;
	char*				SystemBufferIn;
	PVOID				SystemBufferOut;
	ULONG				InBufferLength;
	ULONG				OutBufferLength;
	ULONG				IoControlCode;

	DeviceExtension = pDeviceObject->DeviceExtension;
	pIrpSp          = IoGetCurrentIrpStackLocation(pIrp);
	SystemBufferIn  = pIrp->AssociatedIrp.SystemBuffer;
	SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
	InBufferLength  = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
	OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
	IoControlCode   = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

	switch (IoControlCode)
	{
	case 0x104: 
		if (InBufferLength != 4)
		{
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
			status = STATUS_SUCCESS;
		}
		else
		{
			status = MyWriteProcessMemory(*(PULONG)SystemBufferIn);
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = status;
			status = STATUS_SUCCESS;
		}

		break ;

	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		pIrp->IoStatus.Information = 0;
		break ;
 	}

	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS		status;
	UNICODE_STRING	strDeviceName;
	UNICODE_STRING	strSymbolicName;
	PDEVICE_OBJECT	pDeviceObject;
	ULONG cr4reg;

	RtlInitUnicodeString(&strDeviceName, L"\\Device\\shoooo23");

	status = IoCreateDevice(pDriverObject, 0, &strDeviceName,
			         		0x220000, 0, 0, &pDeviceObject);

	if (!NT_SUCCESS(status))
	{
		return status;
	}
	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo23");
	status = IoCreateSymbolicLink(&strSymbolicName, &strDeviceName);

	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDeviceObject);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;

	
	return STATUS_SUCCESS;
}


exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile = NULL;
	DWORD	temp = 0;


	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (hWnd == NULL)
		return ;

	hFile = CreateFile("\\\\.\\shoooo23", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x104, &Pid, 4, NULL, 0, &temp, NULL);

	SetForegroundWindow(hWnd);
	CloseHandle(hFile);
}
上传的附件:
2007-8-31 16:19
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
19
第十八种

驱动同17楼的

exe
#define _WIN32_WINNT 0x500
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile = NULL;
	HANDLE	hProcess = NULL;
	HANDLE	hJob;
	DWORD	temp = 0;

	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (hWnd == NULL)
		return ;

	hFile = CreateFile("\\\\.\\shoooo22", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x100, &Pid, 4, &hProcess, 4, &temp, NULL);

	hJob = CreateJobObject(NULL, NULL);
	AssignProcessToJobObject(hJob, hProcess);
	TerminateJobObject(hJob, 0);

	CloseHandle(hFile);
	
}
上传的附件:
2007-8-31 17:01
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
20
第十九种

sys
//shoooo24.c
#include <ntddk.h>
#pragma warning(disable:4047)

typedef struct _KAPC_STATE {
    LIST_ENTRY  ApcListHead[2];
    PEPROCESS   Process;
    BOOLEAN     KernelApcInProgress;
    BOOLEAN     KernelApcPending;
    BOOLEAN     UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);


NTSTATUS FuckPID(ULONG Base)
{
	*(PULONG)(Base+0x3074) = 0;
	return STATUS_SUCCESS;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PDEVICE_OBJECT	pDeviceObject;
	UNICODE_STRING	strSymbolicName;

	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo24");
	IoDeleteSymbolicLink(&strSymbolicName);
	pDeviceObject = pDriverObject->DeviceObject;
	IoDeleteDevice(pDeviceObject);

	return ;
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS			status;
	PVOID				DeviceExtension;
	PIO_STACK_LOCATION	pIrpSp;
	char*				SystemBufferIn;
	PVOID				SystemBufferOut;
	ULONG				InBufferLength;
	ULONG				OutBufferLength;
	ULONG				IoControlCode;

	DeviceExtension = pDeviceObject->DeviceExtension;
	pIrpSp          = IoGetCurrentIrpStackLocation(pIrp);
	SystemBufferIn  = pIrp->AssociatedIrp.SystemBuffer;
	SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
	InBufferLength  = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
	OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
	IoControlCode   = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

	switch (IoControlCode)
	{
	case 0x108: 
		if (InBufferLength != 4)
		{
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
			status = STATUS_SUCCESS;
		}
		else
		{
			status = FuckPID(*(PULONG)SystemBufferIn);
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = status;
			status = STATUS_SUCCESS;
		}

		break ;

	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		pIrp->IoStatus.Information = 0;
		break ;
 	}

	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS		status;
	UNICODE_STRING	strDeviceName;
	UNICODE_STRING	strSymbolicName;
	PDEVICE_OBJECT	pDeviceObject;
	ULONG cr4reg;

	RtlInitUnicodeString(&strDeviceName, L"\\Device\\shoooo24");

	status = IoCreateDevice(pDriverObject, 0, &strDeviceName,
			         		0x220000, 0, 0, &pDeviceObject);

	if (!NT_SUCCESS(status))
	{
		return status;
	}
	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo24");
	status = IoCreateSymbolicLink(&strSymbolicName, &strDeviceName);

	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDeviceObject);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;

	
	return STATUS_SUCCESS;
}


exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


DWORD GetSysBase()
{
	DWORD		ZwQuerySystemInformation;
	DWORD		status;
	ULONG		PoolSize;
	char*		Pool;
	char*		ModuleStart;
	ULONG		i;
	char*		Name;

	ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");

	PoolSize = 0x1000;
	Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
	do
	{
		__asm
		{
			push 0
			push PoolSize
			push Pool
			push 0x0B
			call ZwQuerySystemInformation
			mov status, eax
		}
		if (status == 0xC0000004)
		{
			VirtualFree(Pool, 0, MEM_RELEASE);
			PoolSize = PoolSize * 2;
			Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
			continue ;
		}
		break ;
	}while(1);

	ModuleStart = Pool+4; 
	for (i=0; i<*(LPDWORD)Pool; i++)
	{
		Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
		if (Name != NULL)
			Name = Name + 1;
		else
			Name = ModuleStart+0x1C+i*0x11C;
		if (Name != NULL)
		{
			if (stricmp(Name, "CrackMe.sys") == 0)
			{
				return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
			}
		}
	}
	return 0;
}

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile;
	DWORD	base;
	DWORD	temp;
	HANDLE	hProcess;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return ;

	base = GetSysBase();
	if (base == 0)
		return ;
	
	hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE , 0 , FALSE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x108, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);

	hProcess = OpenProcess(PROCESS_TERMINATE, 0, Pid);
	TerminateProcess(hProcess, 0);
}
上传的附件:
2007-9-1 20:48
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
21
第二十种

驱动和第十九种shoooo24.sys一样

exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


DWORD GetSysBase()
{
	DWORD		ZwQuerySystemInformation;
	DWORD		status;
	ULONG		PoolSize;
	char*		Pool;
	char*		ModuleStart;
	ULONG		i;
	char*		Name;

	ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");

	PoolSize = 0x1000;
	Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
	do
	{
		__asm
		{
			push 0
			push PoolSize
			push Pool
			push 0x0B
			call ZwQuerySystemInformation
			mov status, eax
		}
		if (status == 0xC0000004)
		{
			VirtualFree(Pool, 0, MEM_RELEASE);
			PoolSize = PoolSize * 2;
			Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
			continue ;
		}
		break ;
	}while(1);

	ModuleStart = Pool+4; 
	for (i=0; i<*(LPDWORD)Pool; i++)
	{
		Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
		if (Name != NULL)
			Name = Name + 1;
		else
			Name = ModuleStart+0x1C+i*0x11C;
		if (Name != NULL)
		{
			if (stricmp(Name, "CrackMe.sys") == 0)
			{
				return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
			}
		}
	}
	return 0;
}

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile;
	DWORD	base;
	DWORD	temp;
	HANDLE	hProcess;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return ;

	base = GetSysBase();
	if (base == 0)
		return ;
	
	hFile = CreateFile("\\\\.\\shoooo24", GENERIC_READ | GENERIC_WRITE , 0 , FALSE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x108, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);

	DebugActiveProcess(Pid);
	ExitProcess(0);
}
上传的附件:
2007-9-1 20:53
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
22
第二十一种

sys
//shoooo25.c
#include <ntddk.h>
#pragma warning(disable:4047)

typedef struct _KAPC_STATE {
    LIST_ENTRY  ApcListHead[2];
    PEPROCESS   Process;
    BOOLEAN     KernelApcInProgress;
    BOOLEAN     KernelApcPending;
    BOOLEAN     UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId, PEPROCESS * pEProcess);
NTKERNELAPI void KeStackAttachProcess(PVOID Process, PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(PKAPC_STATE ApcState);


NTSTATUS UnhookSSDT(ULONG Base)
{
	ULONG		Address;
	
	Address = Base + 0x1810;
	__asm call Address
	return STATUS_SUCCESS;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PDEVICE_OBJECT	pDeviceObject;
	UNICODE_STRING	strSymbolicName;

	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo25");
	IoDeleteSymbolicLink(&strSymbolicName);
	pDeviceObject = pDriverObject->DeviceObject;
	IoDeleteDevice(pDeviceObject);

	return ;
}

NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchClose(PDEVICE_OBJECT pDeviceObject,PIRP pIrp)
{
	NTSTATUS	status;

	status = STATUS_SUCCESS;
	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp,IO_NO_INCREMENT);

	return status;
}

NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
	NTSTATUS			status;
	PVOID				DeviceExtension;
	PIO_STACK_LOCATION	pIrpSp;
	char*				SystemBufferIn;
	PVOID				SystemBufferOut;
	ULONG				InBufferLength;
	ULONG				OutBufferLength;
	ULONG				IoControlCode;

	DeviceExtension = pDeviceObject->DeviceExtension;
	pIrpSp          = IoGetCurrentIrpStackLocation(pIrp);
	SystemBufferIn  = pIrp->AssociatedIrp.SystemBuffer;
	SystemBufferOut = pIrp->AssociatedIrp.SystemBuffer;
	InBufferLength  = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
	OutBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
	IoControlCode   = pIrpSp->Parameters.DeviceIoControl.IoControlCode;

	switch (IoControlCode)
	{
	case 0x10C: 
		if (InBufferLength != 4)
		{
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
			status = STATUS_SUCCESS;
		}
		else
		{
			status = UnhookSSDT(*(PULONG)SystemBufferIn);
			pIrp->IoStatus.Information = 0;
			pIrp->IoStatus.Status = status;
			status = STATUS_SUCCESS;
		}

		break ;

	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		pIrp->IoStatus.Information = 0;
		break ;
 	}

	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS		status;
	UNICODE_STRING	strDeviceName;
	UNICODE_STRING	strSymbolicName;
	PDEVICE_OBJECT	pDeviceObject;
	ULONG cr4reg;

	RtlInitUnicodeString(&strDeviceName, L"\\Device\\shoooo25");

	status = IoCreateDevice(pDriverObject, 0, &strDeviceName,
			         		0x220000, 0, 0, &pDeviceObject);

	if (!NT_SUCCESS(status))
	{
		return status;
	}
	RtlInitUnicodeString(&strSymbolicName, L"\\??\\shoooo25");
	status = IoCreateSymbolicLink(&strSymbolicName, &strDeviceName);

	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDeviceObject);
		return status;
	}

	pDriverObject->MajorFunction[IRP_MJ_CREATE]         = DispatchCreate;
	pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = DispatchClose;
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
	pDriverObject->DriverUnload = DriverUnload;

	
	return STATUS_SUCCESS;
}


exe
#include <windows.h>
#pragma comment (linker, "/subsystem:windows")
#pragma comment (linker, "/entry:start")
#pragma comment (linker, "/filealign:0x200")


DWORD GetSysBase()
{
	DWORD		ZwQuerySystemInformation;
	DWORD		status;
	ULONG		PoolSize;
	char*		Pool;
	char*		ModuleStart;
	ULONG		i;
	char*		Name;

	ZwQuerySystemInformation = (DWORD)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");

	PoolSize = 0x1000;
	Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
	do
	{
		__asm
		{
			push 0
			push PoolSize
			push Pool
			push 0x0B
			call ZwQuerySystemInformation
			mov status, eax
		}
		if (status == 0xC0000004)
		{
			VirtualFree(Pool, 0, MEM_RELEASE);
			PoolSize = PoolSize * 2;
			Pool = (char *)VirtualAlloc(NULL, PoolSize, MEM_COMMIT, PAGE_READWRITE);
			continue ;
		}
		break ;
	}while(1);

	ModuleStart = Pool+4; 
	for (i=0; i<*(LPDWORD)Pool; i++)
	{
		Name = strrchr(ModuleStart+0x1C+i*0x11C, '\\');
		if (Name != NULL)
			Name = Name + 1;
		else
			Name = ModuleStart+0x1C+i*0x11C;
		if (Name != NULL)
		{
			if (stricmp(Name, "CrackMe.sys") == 0)
			{
				return *(LPDWORD)(ModuleStart + i*0x11C + 0x08);
			}
		}
	}
	return 0;
}

void start()
{
	HWND	hWnd;
	DWORD	Tid = 0;
	DWORD	Pid = 0;
	HANDLE	hFile;
	DWORD	base;
	DWORD	temp;
	HANDLE	hProcess;
	
	hWnd = FindWindow("#32770", "CrackMeApp");
	Tid = GetWindowThreadProcessId(hWnd, &Pid);
	if (Pid == 0)
		return ;

	base = GetSysBase();
	if (base == 0)
		return ;
	
	hFile = CreateFile("\\\\.\\shoooo25", GENERIC_READ | GENERIC_WRITE , 0 , FALSE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		return ;

	DeviceIoControl(hFile, 0x10C, &base, 4, NULL, 0, &temp, NULL);
	CloseHandle(hFile);
	hProcess = OpenProcess(PROCESS_TERMINATE, 0, Pid);
	TerminateProcess(hProcess, 0);
}
上传的附件:
2007-9-1 21:05
0
雪    币: 242
活跃值: (473)
能力值: ( LV11,RANK:188 )
在线值:
发帖
回帖
粉丝
23
膜拜LZ
顶礼膜拜发帖时间。
2010-5-29 01:58
0
雪    币: 132
活跃值: (30)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
24
KeAttachProcess
2010-10-27 14:10
0
雪    币: 1262
活跃值: (760)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
25
只能膜拜,无法学习。
2010-10-27 15:45
0
游客
登录 | 注册 方可回帖
返回
//