一、引言
国产某PDF文档处理软件,提供二次开发接口组件,对PDF文档的安全性有较大的帮助。该软件的购买/使用流程如下:
0)网站下载
1)使用附带工具,填写购买信息(自动提取硬盘ID)
2)软件开发者返回 序列号(长度:32字节)/注册文件(长度:1024字节)
3)使用附带工具,填写 序列号/加载注册文件
4)注册后,在60天之内,正常使用;60天之后,转变为 [已注册/需激活] 版本,处理的PDF文档打有水印
5)使用附带工具,请求激活,形成一个 1024字节的文本文件,发送出去;开发者把文件处理后,返回一个加密的激活文件
二、软件加壳
ASPack 2.12 -> Alexey Solodovnikov
三、调试(代码爆破) ==> 免注册/免激活
a) 编译安装包附带 VB sample: x.exe
b) 用 OllyDebug 加载 x.exe
c) 断点: RegOpenKeyA
d) 反复跟踪,发现注册验证代码:
; ===============================
; 检查 注册信息:
; EAX = 1,注册失败/已注册但未激活
; EAX = 0,已注册/已激活
; ===============================
1000175F /$ 55 push ebp
10001760 |. 8BEC mov ebp, esp
10001762 |. 81EC 7C0C0000 sub esp, 0C7C
10001768 |. 53 push ebx
10001769 |. 57 push edi
1000176A |. 33DB xor ebx, ebx
1000176C |. B9 01010000 mov ecx, 101
10001771 |. 33C0 xor eax, eax
10001773 |. 8DBD 9DF8FFFF lea edi, dword ptr [ebp-763]
10001779 |. 889D 9CF8FFFF mov byte ptr [ebp-764], bl
1000177F |. 68 06040000 push 406
10001784 |. F3:AB rep stos dword ptr es:[edi]
10001786 |. AA stos byte ptr es:[edi]
10001787 |. 8D85 9CF8FFFF lea eax, dword ptr [ebp-764]
1000178D |. 53 push ebx
1000178E |. 50 push eax
1000178F |. E8 FC400100 call 10015890
10001794 |. 6A 3F push 3F
10001796 |. 33C0 xor eax, eax
10001798 |. 59 pop ecx
10001799 |. 8DBD F5FEFFFF lea edi, dword ptr [ebp-10B]
1000179F |. 889D F4FEFFFF mov byte ptr [ebp-10C], bl
100017A5 |. 68 B8B30310 push 1003B3B8 ; software\???\???
100017AA |. F3:AB rep stos dword ptr es:[edi]
100017AC |. 66:AB stos word ptr es:[edi]
100017AE |. AA stos byte ptr es:[edi]
100017AF |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
100017B5 |. 895D FC mov dword ptr [ebp-4], ebx
100017B8 |. 50 push eax
100017B9 |. E8 E2460100 call 10015EA0
100017BE |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
100017C4 |. 68 B0B30310 push 1003B3B0 ; \pinfo
100017C9 |. 50 push eax
100017CA |. E8 E1460100 call 10015EB0
100017CF |. 83C4 1C add esp, 1C
100017D2 |. 8D45 FC lea eax, dword ptr [ebp-4]
100017D5 |. 50 push eax ; /pHandle
100017D6 |. 68 19000200 push 20019 ; |Access = KEY_READ
100017DB |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C] ; |
100017E1 |. 53 push ebx ; |Reserved
100017E2 |. 50 push eax ; |Subkey
100017E3 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
100017E8 |. FF15 04300310 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
100017EE |. 85C0 test eax, eax
100017F0 |. 0F85 F7000000 jnz 100018ED
100017F6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
100017F9 |. C745 F8 01040>mov dword ptr [ebp-8], 401
10001800 |. 50 push eax ; /pBufSize
10001801 |. 8D85 9CF8FFFF lea eax, dword ptr [ebp-764] ; |
10001807 |. 50 push eax ; |Buffer
10001808 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; |
1000180B |. 50 push eax ; |pValueType
1000180C |. 53 push ebx ; |Reserved
1000180D |. 68 A8B30310 push 1003B3A8 ; |pinfo
10001812 |. FF75 FC push dword ptr [ebp-4] ; |hKey
10001815 |. FF15 18300310 call dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
1000181B |. FF75 FC push dword ptr [ebp-4] ; /hKey
1000181E |. FF15 00300310 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
10001824 |. 8D85 9CF8FFFF lea eax, dword ptr [ebp-764]
1000182A |. 50 push eax ; PINFO:注册表内容
1000182B |. E8 D0490100 call 10016200
10001830 |. 3D 00040000 cmp eax, 400 ; 长度检查
10001835 |. 59 pop ecx
10001836 |. 0F85 B1000000 jnz 100018ED
1000183C |. B9 93000000 mov ecx, 93
10001841 |. 33C0 xor eax, eax
10001843 |. 8DBD A8FCFFFF lea edi, dword ptr [ebp-358]
10001849 |. 899D A4FCFFFF mov dword ptr [ebp-35C], ebx
1000184F |. 56 push esi
10001850 |. 68 50020000 push 250
10001855 |. F3:AB rep stos dword ptr es:[edi]
10001857 |. 8D85 A4FCFFFF lea eax, dword ptr [ebp-35C]
1000185D |. 53 push ebx
1000185E |. 50 push eax
1000185F |. E8 2C400100 call 10015890
10001864 |. 68 18050000 push 518
10001869 |. 8D85 84F3FFFF lea eax, dword ptr [ebp-C7C]
1000186F |. 53 push ebx
10001870 |. 50 push eax
10001871 |. E8 1A400100 call 10015890
10001876 |. 8D85 9CF8FFFF lea eax, dword ptr [ebp-764]
1000187C |. 68 98B30310 push 1003B398 ; ???
10001881 |. 8985 84F3FFFF mov dword ptr [ebp-C7C], eax
10001887 |. 8D85 A4FCFFFF lea eax, dword ptr [ebp-35C]
1000188D |. 8985 8CF3FFFF mov dword ptr [ebp-C74], eax
10001893 |. 8D85 9AF7FFFF lea eax, dword ptr [ebp-866]
10001899 |. 50 push eax
1000189A |. C785 88F3FFFF>mov dword ptr [ebp-C78], 810
100018A4 |. E8 F7450100 call 10015EA0
100018A9 |. 83C4 20 add esp, 20
100018AC |. 8D85 84F3FFFF lea eax, dword ptr [ebp-C7C]
100018B2 |. 50 push eax
100018B3 |. E8 08080200 call 100220C0
100018B8 |. 8BC8 mov ecx, eax
100018BA |. 8B85 B0FCFFFF mov eax, dword ptr [ebp-350]
100018C0 |. 6A 64 push 64
100018C2 |. 99 cdq
100018C3 |. 5E pop esi
100018C4 |. F7FE idiv esi
100018C6 |. 5E pop esi
100018C7 |. 83F8 05 cmp eax, 5
100018CA |. 75 21 jnz short 100018ED
100018CC |. 83BD A4FCFFFF>cmp dword ptr [ebp-35C], 4
100018D3 |. 75 18 jnz short 100018ED
100018D5 |. 83F9 02 cmp ecx, 2
100018D8 |. 74 05 je short 100018DF
100018DA |. 83F9 04 cmp ecx, 4 ; 这里也是爆破点,如果成功注册 ecx = 3; 如果激活,ecx = 4
100018DD |. 75 0E jnz short 100018ED
100018DF |> 33C0 xor eax, eax
100018E1 |. 83BD A8FCFFFF>cmp dword ptr [ebp-358], 3
100018E8 |. 0F95C0 setne al
100018EB |. EB 03 jmp short 100018F0 ; 爆破点: 33 C0 xor eax,eax
100018ED |> 6A 01 push 1 ; 6A 00 push 0
100018EF |. 58 pop eax
100018F0 |> 5F pop edi
100018F1 |. 5B pop ebx
100018F2 |. C9 leave
100018F3 \. C3 retn
上述子过程调用入口为:
1000163F /. 55 push ebp
10001640 |. 8BEC mov ebp, esp
10001642 |. 83EC 10 sub esp, 10
10001645 |. 56 push esi
10001646 |. 57 push edi
10001647 |. 8BF9 mov edi, ecx
10001649 |. E8 A6020000 call 100018F4
1000164E |. A3 8CB30310 mov dword ptr [1003B38C], eax ; (initial cpu selection)
10001653 |. E8 07010000 call 1000175F
10001658 |. A3 90B30310 mov dword ptr [1003B390], eax ; 设标志: EAX = 0/1
1000165D |. E8 92020000 call 100018F4
10001662 |. 33F6 xor esi, esi
10001664 |. A3 94B30310 mov dword ptr [1003B394], eax
10001669 |. 56 push esi
1000166A |. FF15 E4350310 call dword ptr [<&ole32.CoInitialize>>; ole32.CoInitialize
10001670 |. 8D45 F0 lea eax, dword ptr [ebp-10]
10001673 |. 56 push esi
10001674 |. 50 push eax
10001675 |. 68 48190410 push 10041948
1000167A |. C745 F0 01000>mov dword ptr [ebp-10], 1
10001681 |. 8975 F4 mov dword ptr [ebp-C], esi
10001684 |. 8975 F8 mov dword ptr [ebp-8], esi
10001687 |. 8975 FC mov dword ptr [ebp-4], esi
1000168A |. E8 9B350100 call <jmp.&gdiplus.GdiplusStartup>
1000168F |. 8B4F 68 mov ecx, dword ptr [edi+68]
10001692 |. B8 101A0410 mov eax, 10041A10
10001697 |. 51 push ecx
10001698 |. 68 D8B20310 push 1003B2D8
1000169D |. 50 push eax
1000169E |. C705 801A0410>mov dword ptr [10041A80], 1003B280
100016A8 |. A3 F8180410 mov dword ptr [100418F8], eax
100016AD |. C705 101A0410>mov dword ptr [10041A10], 84
100016B7 |. C705 741A0410>mov dword ptr [10041A74], 300
100016C1 |. E8 9E260000 call 10003D64
100016C6 |. B8 E0360310 mov eax, 100336E0
100016CB |. 8BC8 mov ecx, eax
100016CD |. 85C9 test ecx, ecx
100016CF |. 74 10 je short 100016E1
100016D1 |. 6A 10 push 10
100016D3 |. 50 push eax
100016D4 |. 68 38190410 push 10041938
100016D9 |. E8 723E0100 call 10015550
100016DE |. 83C4 0C add esp, 0C
100016E1 |> 8BCF mov ecx, edi
100016E3 |. E8 60E00200 call 1002F748
100016E8 |. 5F pop edi
100016E9 |. 5E pop esi
100016EA |. C9 leave
100016EB \. C3 retn
100016EC . 56 push esi
100016ED . 8BF1 mov esi, ecx
100016EF . 68 101A0410 push 10041A10
100016F4 . E8 C1270000 call 10003EBA
100016F9 . 8BCE mov ecx, esi
100016FB . E8 B2E10200 call 1002F8B2
10001700 . 5E pop esi
10001701 . C3 retn
10001702 >/$ FF35 48190410 push dword ptr [10041948]
10001708 |. E8 23350100 call <jmp.&gdiplus.GdiplusShutdown>
1000170D |. FF15 E8350310 call dword ptr [<&ole32.CoUninitializ>; ole32.CoUninitialize
10001713 |. E8 7FF80200 call 10030F97
10001718 |. 85C0 test eax, eax
1000171A |. 75 08 jnz short 10001724
1000171C |. 3905 241A0410 cmp dword ptr [10041A24], eax
10001722 |. 74 03 je short 10001727
10001724 |> 6A 01 push 1
10001726 |. 58 pop eax
10001727 \> C3 retn
e) 用 W32Dsm 打开 xxx.dll,查找 爆破点代码,找到 文件中的偏移量,用 UE 修改,保存
f) 用 PEditor 修复,即可.
四、 数据爆破(须注册/免激活)
a) 经调试,发现以下代码段,添加水印
.............................................................
数据地址 水印字符串
.............................................................
1003C558 ; "??? trial"
1003B86C ; "www.???.com"
.............................................................
1000FA4C E8 4F640000 call 10015EA0
1000FA51 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
1000FA57 68 58C50310 push 1003C558 ; ???-- 水印标志
1000FA5C 50 push eax
1000FA5D E8 3E640000 call 10015EA0
1000FA62 83C4 10 add esp, 10
1000FA65 8D4D E0 lea ecx, dword ptr [ebp-20]
1000FA68 E8 C8170000 call 10011235
1000FA6D 8D85 18FDFFFF lea eax, dword ptr [ebp-2E8]
1000FA73 53 push ebx
1000FA74 50 push eax
1000FA75 8D4D E0 lea ecx, dword ptr [ebp-20]
1000FA78 FF75 08 push dword ptr [ebp+8]
1000FA7B 895D FC mov dword ptr [ebp-4], ebx
1000FA7E 8975 E4 mov dword ptr [ebp-1C], esi
1000FA81 895D E8 mov dword ptr [ebp-18], ebx
1000FA84 E8 14400000 call 10013A9D
1000FA89 D9EE fldz
1000FA8B 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
1000FA91 68 6CB80310 push 1003B86C ; www.???.com -- 水印标志
1000FA96 DD9D C0FDFFFF fstp qword ptr [ebp-240]
1000FA9C D9EE fldz
1000FA9E 50 push eax
1000FA9F 8975 E8 mov dword ptr [ebp-18], esi
1000FAA2 DD9D B8FDFFFF fstp qword ptr [ebp-248]
1000FAA8 E8 F3630000 call 10015EA0
1000FAAD 8D85 50FEFFFF lea eax, dword ptr [ebp-1B0]
1000FAB3 57 push edi
1000FAB4 50 push eax
1000FAB5 E8 E6630000 call 10015EA0
1000FABA 83C4 10 add esp, 10
1000FABD 8D85 18FDFFFF lea eax, dword ptr [ebp-2E8]
1000FAC3 8D4D E0 lea ecx, dword ptr [ebp-20]
1000FAC6 53 push ebx
1000FAC7 50 push eax
1000FAC8 FF75 08 push dword ptr [ebp+8]
1000FACB E8 CD3F0000 call 10013A9D
1000FAD0 834D FC FF or dword ptr [ebp-4], FFFFFFFF
1000FAD4 8D4D E0 lea ecx, dword ptr [ebp-20]
1000FAD7 E8 B7170000 call 10011293
1000FADC 8B4D F4 mov ecx, dword ptr [ebp-C]
1000FADF 8BC6 mov eax, esi
1000FAE1 5F pop edi
1000FAE2 5E pop esi
1000FAE3 5B pop ebx
1000FAE4 64:890D 0000000>mov dword ptr fs:[0], ecx
1000FAEB C9 leave
1000FAEC C2 0400 retn 4
b) 找到水印字符串在文件中的偏移量,用 UE 打开,用" "代替原来的水印字符串
.............................................................
数据地址 偏移 水印字符串
.............................................................
1003C558 3A158H ; "??? trial"
1003B86C 3946CH ; "www.???.com"
.............................................................
c) 用 PEditor 修复即可.
五、 调试(代码爆破) ==> 须注册/免激活
a) 代码
10027677 |> \33C0 xor eax, eax
10027679 |. 33C9 xor ecx, ecx
1002767B |. 894424 10 mov dword ptr [esp+10], eax
1002767F |. 66:894C24 2C mov word ptr [esp+2C], cx
10027684 |. 884424 14 mov byte ptr [esp+14], al
10027688 |. 884C24 2E mov byte ptr [esp+2E], cl
1002768C |. 8B0A mov ecx, dword ptr [edx]
1002768E |. 66:894424 0C mov word ptr [esp+C], ax
10027693 |. 884424 0E mov byte ptr [esp+E], al
10027697 |. 66:8B42 04 mov ax, word ptr [edx+4]
1002769B |. 894C24 10 mov dword ptr [esp+10], ecx
1002769F |. 66:8B4A 06 mov cx, word ptr [edx+6]
100276A3 |. 8D5424 10 lea edx, dword ptr [esp+10]
100276A7 |. 66:894424 2C mov word ptr [esp+2C], ax
100276AC |. 52 push edx
100276AD |. 66:894C24 10 mov word ptr [esp+10], cx
100276B2 |. E8 5E05FFFF call 10017C15 ; "2008" -> 7D8h
100276B7 |. 8BF0 mov esi, eax ; ESI: Year
100276B9 |. 8D4424 30 lea eax, dword ptr [esp+30]
100276BD |. 50 push eax
100276BE |. E8 5205FFFF call 10017C15
100276C3 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
100276C7 |. 8BF8 mov edi, eax ; EDI: Month
100276C9 |. 51 push ecx
100276CA |. E8 4605FFFF call 10017C15
100276CF |. 83C4 0C add esp, 0C ; EAX: Day
100276D2 |. 8D5424 18 lea edx, dword ptr [esp+18]
100276D6 |. 8BD8 mov ebx, eax
100276D8 |. 52 push edx ; /pLocaltime
100276D9 |. FF15 C8310310 call dword ptr [<&KERNEL32.GetLocalTime>] ; \GetLocalTime
100276DF |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; 当前日期
100276E3 |. 81E1 FFFF0000 and ecx, 0FFFF
100276E9 |. 3BCE cmp ecx, esi ; 年份比较,注册日期 和 当前日期
100276EB |. 7D 0C jge short 100276F9 ; 注册之后,使用天数检查
100276ED |. 5F pop edi
100276EE |. 5E pop esi
100276EF |. 83C8 FF or eax, FFFFFFFF
100276F2 |. 5B pop ebx
100276F3 |. 83C4 1C add esp, 1C
100276F6 |. C2 0800 retn 8
100276F9 |> \8B4424 1A mov eax, dword ptr [esp+1A]
100276FD |. 2BCE sub ecx, esi
100276FF |. 25 FFFF0000 and eax, 0FFFF
10027704 |. 2BC7 sub eax, edi
10027706 |. 8D0440 lea eax, dword ptr [eax+eax*2]
10027709 |. 8D1480 lea edx, dword ptr [eax+eax*4]
1002770C |. 8D04C9 lea eax, dword ptr [ecx+ecx*8]
1002770F |. 8D04C1 lea eax, dword ptr [ecx+eax*8]
10027712 |. 8D0C80 lea ecx, dword ptr [eax+eax*4]
10027715 |. 8D0451 lea eax, dword ptr [ecx+edx*2]
10027718 |. 8B5424 1E mov edx, dword ptr [esp+1E]
1002771C |. 81E2 FFFF0000 and edx, 0FFFF
10027722 |. 03C2 add eax, edx
10027724 |. 2BC3 sub eax, ebx
10027726 |. 83F8 3C cmp eax, 3C ; 60天?如果 注册,没激活,60天之后,转为 测试版
10027729 |. 7E 0C jle short 10027737
1002772B |. 5F pop edi
1002772C |. 5E pop esi
1002772D |. 83C8 FF or eax, FFFFFFFF
10027730 |. 5B pop ebx
10027731 |. 83C4 1C add esp, 1C
10027734 |. C2 0800 retn 8
10027737 |> 33C9 xor ecx, ecx
10027739 |. 5F pop edi
1002773A |. 85C0 test eax, eax
1002773C |. 0F9DC1 setge cl
1002773F |. 49 dec ecx
10027740 |. 5E pop esi
10027741 |. 83E1 FD and ecx, FFFFFFFD
10027744 |. 5B pop ebx
10027745 |. 41 inc ecx
10027746 |. 8BC1 mov eax, ecx
10027748 |. 83C4 1C add esp, 1C
1002774B \. C2 0800 retn 8
b) 将下述代码修改:偏移量 2b622h
10027722 |. 03C2 add eax, edx
10027724 |. 2BC3 sub eax, ebx
10027726 |. 83F8 3C cmp eax, 3C ; 60天?如果 注册,没激活,60天之后,转为 测试版
10027729 |. 7E 0C jle short 10027737
让 cmp eax,3C 比较中,eax 永远小于 3Ch
10027722 6A 08 push 8
10027724 58 pop eax
10027725 90 nop
10027726 |. 83F8 3C cmp eax, 3C ; 60天?
10027729 |. 7E 0C jle short 10027737
c) 用 PEditor 修复即可.
六、明文加密程序
// ============================================================================
// xXXX.cpp
// ----------------------------------------------------------------------------
// ??? 加密过程 - Azithromycin.13 - 2008.05.05
// ============================================================================
#include "stdafx.h"
#include <windows.h>
// ****************************************************************************
// Eight nibble substitution tables used by Sub_A97EF0, one per 4-bit field of
// a 32-bit word (bits 0-3 -> _ACAFB0, 4-7 -> _ACAFC0, ... , 28-31 -> _ACB020).
// Each table holds the values 0x0..0xF exactly once.
BYTE _ACAFB0[] = {
0x0F, 0x0A, 0x0D, 0x02, 0x09, 0x08, 0x00, 0x0E, 0x06, 0x0B, 0x01, 0x0C, 0x07, 0x04, 0x05, 0x03
};
BYTE _ACAFC0[] = {
0x0E, 0x0B, 0x04, 0x0C, 0x06, 0x0D, 0x0F, 0x0A, 0x02, 0x03, 0x08, 0x01, 0x00, 0x07, 0x05, 0x09
};
BYTE _ACAFD0[] = {
0x0A, 0x08, 0x01, 0x0D, 0x05, 0x03, 0x04, 0x02, 0x0E, 0x0F, 0x0C, 0x07, 0x06, 0x00, 0x09, 0x0B
};
BYTE _ACAFE0[] = {
0x07, 0x0A, 0x0D, 0x01, 0x00, 0x06, 0x09, 0x0F, 0x0E, 0x04, 0x08, 0x0C, 0x0B, 0x02, 0x05, 0x03
};
BYTE _ACAFF0[] = {
0x06, 0x01, 0x07, 0x0C, 0x05, 0x0F, 0x0D, 0x08, 0x04, 0x0A, 0x09, 0x0E, 0x00, 0x03, 0x0B, 0x02
};
BYTE _ACB000[] = {
0x04, 0x0C, 0x0A, 0x00, 0x07, 0x0F, 0x01, 0x0D, 0x03, 0x06, 0x08, 0x05, 0x09, 0x0B, 0x02, 0x0E
};
BYTE _ACB010[] = {
0x0D, 0x0B, 0x04, 0x01, 0x03, 0x09, 0x05, 0x0F, 0x00, 0x0A, 0x0E, 0x07, 0x06, 0x08, 0x02, 0x0C
};
BYTE _ACB020[] = {
0x01, 0x0F, 0x0D, 0x00, 0x05, 0x08, 0x0A, 0x04, 0x09, 0x02, 0x03, 0x0E, 0x06, 0x0B, 0x07, 0x0C
};
// 64 round constants. Sub_A98050 reaches them only through _ACB030, whose 32
// entries all lie in 0..7, so only _ACABCC[0..7] is used by the code below.
DWORD _ACABCC[] = {
0xFBCBC739, 0x774FF7ED, 0x4753E635, 0x21D517B8, 0x8ECDDAEE, 0x67D0628D, 0xB34F3D4A, 0x83CAE89A,
0xD98C3818, 0x9F8B3D2F, 0x9CC9B00B, 0x3A431DCA, 0x358B6145, 0x1350E381, 0xE86AE393, 0xB4F4E3EE,
0x29ECF2FA, 0x4934F9F3, 0x3BDC9609, 0x51281272, 0x25D65286, 0x671479AB, 0x2D3E2FA7, 0x98E80FC4,
0xE699431E, 0xB5C821AC, 0x01063BB3, 0x990C8151, 0xFC3557C6, 0x07F5FE58, 0xF5F5D9B6, 0x19D4FBA6,
0x5937C871, 0xD173B93C, 0xE1CA6DED, 0x9A68B7F3, 0x87CA46B3, 0xD2A43A32, 0xB60DC53D, 0x5C60DFD7,
0xB6654878, 0x400A825B, 0x0330F62F, 0x192B346C, 0x9F2207D9, 0x9E0177E3, 0x2F16ACB1, 0x7EC46E27,
0x78CEFE4D, 0x38F2BD47, 0x8EC3CA71, 0xA1EDB12E, 0x35AF9AF9, 0x7D0EA442, 0x20E0D8BC, 0xBFF84D07,
0x1C63C1EA, 0x7969B1E4, 0xDAF43A89, 0x28EEEEC1, 0x834F1FE3, 0x90FC183D, 0x7A1C3D16, 0x9A8559B5
};
// Per-round selector for the 32 rounds of Sub_A98050: round i adds
// _ACABCC[ _ACB030[ i ] ] to its input word.
DWORD _ACB030[] = {
0x00000004, 0x00000003, 0x00000007, 0x00000000, 0x00000002, 0x00000001, 0x00000006, 0x00000005,
0x00000004, 0x00000005, 0x00000003, 0x00000000, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000005, 0x00000001, 0x00000002, 0x00000007, 0x00000000, 0x00000004, 0x00000003, 0x00000006,
0x00000000, 0x00000006, 0x00000003, 0x00000002, 0x00000004, 0x00000007, 0x00000005, 0x00000001
};
// 512 bytes of fixed key material (64 rows of 8). Sub_A97A50 derives the
// whole _12D1E0 schedule from this constant alone, so the schedule is
// identical on every run: nothing per-user or per-install enters it.
BYTE _ACADB0[] = {
0x6E, 0x67, 0xB3, 0x85, 0xC7, 0x3D, 0x7C, 0x27,
0x20, 0x19, 0x76, 0x20, 0xD0, 0x1E, 0x98, 0x8D,
0x09, 0x93, 0x11, 0x60, 0x9F, 0x23, 0x3F, 0x0E,
0x1C, 0xAB, 0xFF, 0x8E, 0x27, 0xC0, 0xF9, 0xBB,
0x89, 0x34, 0xD5, 0xFA, 0xDD, 0x03, 0x3E, 0x4F,
0x98, 0xBC, 0xC8, 0x6C, 0x17, 0x0B, 0x1A, 0x07,
0x7E, 0xE9, 0xD3, 0x67, 0x77, 0x70, 0x31, 0xE6,
0xDC, 0xA9, 0xBF, 0x7B, 0x0E, 0x89, 0x8A, 0xB1,
0xFC, 0x54, 0x01, 0x9A, 0x52, 0x3B, 0x65, 0xFD,
0xA9, 0xAD, 0x62, 0x32, 0xC7, 0xF8, 0x29, 0x29,
0x37, 0x5D, 0x5A, 0xDD, 0xED, 0x43, 0x31, 0x77,
0x87, 0xE6, 0x2E, 0x47, 0xB8, 0x61, 0xD6, 0x21,
0xED, 0xDA, 0xCF, 0x8E, 0x8D, 0x62, 0xD0, 0x67,
0x61, 0x3D, 0x4F, 0xB3, 0x9A, 0xE8, 0xCA, 0x83,
0x18, 0x38, 0x8C, 0xD9, 0x2F, 0x40, 0x8B, 0x9F,
0x0B, 0xB0, 0xC9, 0x9C, 0xCA, 0x1D, 0x43, 0x3A,
0x45, 0x61, 0x8B, 0x32, 0x81, 0xE3, 0x50, 0x13,
0x93, 0xE3, 0x6A, 0xE8, 0xEE, 0xE3, 0xF4, 0xB4,
0xFA, 0xF2, 0xEC, 0x29, 0xF3, 0xF9, 0x34, 0x49,
0x09, 0x96, 0xDC, 0x3B, 0x72, 0x12, 0x28, 0x51,
0x86, 0x52, 0xD6, 0x27, 0xAB, 0x79, 0x14, 0x67,
0xA7, 0x2F, 0x3E, 0x2D, 0xC4, 0x0F, 0xE8, 0x98,
0x1E, 0x43, 0x99, 0xE6, 0xAC, 0x21, 0xC8, 0xB5,
0xB3, 0x3B, 0x06, 0x01, 0x51, 0x81, 0x0C, 0x99,
0xC6, 0x57, 0x35, 0xFC, 0x58, 0xFE, 0xF5, 0x07,
0xB6, 0xD9, 0xF5, 0xF5, 0xA6, 0xFB, 0xD4, 0x19,
0x71, 0xC8, 0x37, 0x59, 0x3C, 0xB9, 0x73, 0xD1,
0xED, 0x6D, 0xCA, 0xE1, 0xF3, 0xB7, 0x68, 0x9A,
0xB3, 0x46, 0xCA, 0x87, 0x32, 0x3A, 0xA4, 0xD2,
0x3D, 0xC5, 0x0D, 0xB6, 0xD7, 0xDF, 0x60, 0x5C,
0x78, 0x48, 0x65, 0xB6, 0x5B, 0x82, 0x0A, 0x40,
0x2F, 0xF6, 0x30, 0x03, 0x6C, 0x34, 0x2B, 0x19,
0xD9, 0x08, 0x22, 0x9F, 0xE3, 0x77, 0x01, 0x9E,
0xB1, 0xB9, 0x16, 0x2F, 0x27, 0x6E, 0xC4, 0x7E,
0x4D, 0xFE, 0xCE, 0x78, 0x47, 0xBD, 0xF2, 0x38,
0x71, 0xCA, 0xC3, 0x8E, 0x2E, 0xB1, 0xED, 0xA1,
0xF9, 0x9A, 0xAF, 0x35, 0x42, 0xA4, 0x0E, 0x7D,
0xBC, 0xD8, 0xE0, 0x20, 0x07, 0x4D, 0xF8, 0xBF,
0xEA, 0xC1, 0x63, 0x1C, 0xE4, 0xB1, 0x69, 0x79,
0x89, 0x3A, 0xF4, 0xDA, 0xC1, 0xEE, 0xEE, 0x28,
0xE3, 0x24, 0x4F, 0x82, 0x3D, 0x18, 0xFC, 0x90,
0x16, 0x40, 0x1C, 0x7A, 0xB9, 0x59, 0x85, 0x9E,
0xAD, 0xD9, 0x20, 0x99, 0x9F, 0xAB, 0xF3, 0xB3,
0xB2, 0x61, 0x87, 0x71, 0xF2, 0xCB, 0x17, 0xCB,
0xB6, 0xF9, 0x7D, 0xAA, 0xEF, 0x62, 0xEC, 0x1A,
0xDF, 0x81, 0xE8, 0x30, 0xDB, 0x8C, 0x9C, 0xA5,
0x8D, 0xBC, 0x15, 0x70, 0xCD, 0x1B, 0xEF, 0xBF,
0x06, 0xB4, 0x0C, 0xF7, 0x5F, 0x5F, 0xE2, 0x6D,
0x6D, 0x7F, 0x97, 0x49, 0x5B, 0xFD, 0x92, 0x87,
0xCB, 0xC8, 0x30, 0x95, 0xC5, 0x00, 0xFD, 0x86,
0x5C, 0xC2, 0xC0, 0xC8, 0xF1, 0xBD, 0x7B, 0x82,
0xEE, 0x8F, 0xC9, 0x0F, 0x02, 0xAF, 0x3E, 0x75,
0x55, 0x2F, 0x39, 0xB6, 0x28, 0x89, 0xFE, 0x67,
0x3E, 0xB5, 0x7A, 0xE6, 0x70, 0xD7, 0x29, 0xFE,
0x55, 0x9D, 0x20, 0xB4, 0xA6, 0x25, 0xE5, 0x05,
0xAF, 0xBE, 0x56, 0xA7, 0xD5, 0x28, 0x26, 0x3F,
0xC6, 0xC7, 0x10, 0x8E, 0x6F, 0xD7, 0x4C, 0x55,
0x62, 0x10, 0xB9, 0x7A, 0x79, 0x6A, 0x1B, 0x21,
0x60, 0xFC, 0x04, 0x49, 0xB1, 0x67, 0x9B, 0xC1,
0x3F, 0xF1, 0x30, 0x97, 0x2E, 0xF7, 0xDA, 0x35,
0x4F, 0x16, 0xF2, 0xBA, 0x02, 0xDC, 0xDD, 0x15,
0xAD, 0xA1, 0xC6, 0xF0, 0x1E, 0x31, 0x8B, 0xDF,
0x13, 0xA1, 0xD5, 0xE2, 0xF3, 0x3E, 0x55, 0xC3,
0xE1, 0x1B, 0x72, 0x2E, 0x1C, 0xDF, 0x46, 0xFE
};
// Work table for the key schedule. Sub_A97A50 writes entries 1..1042 (round
// keys at 1..18, four 256-entry lookup boxes from index 19 on). Only element 0
// carries an initializer, and the code in this file never reads element 0:
// every access starts at index 1 or higher.
DWORD _12D1E0[ 8192 ] = { 0x009E73B4 };
// 512-byte input record packed as 128 DWORDs (on a little-endian target the
// initializer reads as ASCII text with trailing 0x20 padding). _tmain
// overwrites the leading bytes with its own sample string; whatever lies past
// that string keeps the initializer's contents. Sub_Entry transforms the first
// 256 bytes in place and writes the full transformed copy to xdataout.
DWORD xdata[] = {
0x303A4E53, 0x31303233, 0x35343332, 0x39383736, 0x44434241, 0x31304645, 0x35343332, 0x39383736,
0x44434241, 0x4E444645, 0x3830303A, 0x32574B33, 0x4B365A37, 0x303A4154, 0x30323830, 0x35303830,
0x20203530, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020,
0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020, 0x20202020
};
// 512-byte transformed output (128 DWORDs), filled by Sub_Entry.
DWORD xdataout[ 128 ] = { 0 };
// Hex rendering of xdataout produced by Sub_MakeText: two characters per byte
// (1024 characters) plus the terminator; Sub_MakeText zeroes all 2048 bytes first.
char xout[ 2048 ] = { 0 };
// ----------------------------------------------------------------------------
// Nibble substitution followed by a fixed rotation.
// Each 4-bit field of p1 is replaced through its own table (field i, i.e.
// bits 4i..4i+3, goes through box[i] below); the substituted word is then
// rotated left by 11 bits. Assumes DWORD is 32 bits wide. Returns the result.
DWORD Sub_A97EF0( DWORD p1 )
{
    // Table for nibble position 0 (least significant) comes first.
    const BYTE* const box[ 8 ] = {
        _ACAFB0, _ACAFC0, _ACAFD0, _ACAFE0, _ACAFF0, _ACB000, _ACB010, _ACB020
    };
    DWORD subst = 0;
    // Assemble from the most significant nibble down so each step shifts in one field.
    for( int pos = 7; pos >= 0; pos -- ) {
        DWORD nibble = ( p1 >> ( 4 * pos ) ) & 0x0000000F;
        subst = ( subst << 4 ) | box[ pos ][ nibble ];
    }
    // 32-bit rotate left by 11.
    return ( subst << 0x0B ) | ( subst >> 0x15 );
}
// Exchanges the two DWORDs pointed to by 'in' and 'innext'. Always returns 1.
DWORD Sub_A7D1C0( DWORD* in,DWORD* innext )
{
    DWORD held = *in;
    *in = *innext;
    *innext = held;
    return 1;
}
// 32-round mixing of the pair (*in, *innext) using the constant tables.
// Each round: add the round constant _ACABCC[_ACB030[round]] to *in, pass it
// through Sub_A97EF0, XOR the result into *innext, then swap the two words.
// A trailing swap reverses the last in-loop swap. Always returns 1.
DWORD Sub_A98050( DWORD* in,DWORD* innext )
{
    DWORD left = *in;
    for( DWORD round = 0; round < 0x20; round ++ ) {
        DWORD k = _ACABCC[ _ACB030[ round ] ];
        DWORD f = Sub_A97EF0( k + left );
        *innext ^= f;
        Sub_A7D1C0( in,innext );
        left = *in;     // the word just swapped in is the next round's input
    }
    Sub_A7D1C0( in,innext );
    return 1;
}
// Applies Sub_A98050 to one 64-bit block: the two consecutive DWORDs at 'in'.
// Always returns 1.
DWORD Sub_A98030( DWORD* in )
{
    Sub_A98050( &in[ 0 ],&in[ 1 ] );
    return 1;
}
// First-stage pass: Sub_A98030 over 32 two-DWORD blocks, i.e. in[0..63]
// (the first 256 bytes only; the caller's buffer is 512 bytes). Always returns 1.
DWORD Sub_A980B0( DWORD* in )
{
    for( DWORD off = 0; off < 64; off += 2 ) {
        Sub_A98030( &in[ off ] );
    }
    return 1;
}
// Round function over the four 256-entry lookup boxes that Sub_A97A50 places
// in _12D1E0 at indices 19, 275, 531 and 787. The bytes of p (most significant
// first) index the boxes in that order; two of the looked-up values are
// reduced to their low 5 bits before being combined. Returns the 32-bit result.
DWORD Sub_A97B50( DWORD p )
{
    const DWORD* s0 = &_12D1E0[ 19 ];
    const DWORD* s1 = &_12D1E0[ 275 ];
    const DWORD* s2 = &_12D1E0[ 531 ];
    const DWORD* s3 = &_12D1E0[ 787 ];
    BYTE b3 = ( BYTE )( p >> 24 );
    BYTE b2 = ( BYTE )( p >> 16 );
    BYTE b1 = ( BYTE )( p >> 8 );
    BYTE b0 = ( BYTE )p;
    DWORD acc = s0[ b3 ] + ( s1[ b2 ] & 0x0000001F );
    acc ^= s2[ b1 ];
    acc += s3[ b0 ] & 0x0000001F;
    return acc;
}
// 32-round block transform on the pair (*p1, *p2) using round keys
// _12D1E0[1..32] and final whitening with _12D1E0[33..34]. Used by Sub_A97A50
// while bootstrapping the schedule; Sub_A9CF20 performs the same transform on
// a buffer in place. Results are written back with the halves exchanged.
// Always returns 1.
DWORD Sub_A7CEB0( DWORD* p1,DWORD* p2 )
{
    const DWORD* P = &_12D1E0[ 1 ];
    DWORD left = *p1;
    DWORD right = *p2;
    for( DWORD round = 0; round < 0x20; round ++ ) {
        left ^= P[ round ];
        DWORD next = Sub_A97B50( left ) ^ right;
        right = left;
        left = next;
    }
    *p1 = P[ 33 ] ^ right;
    *p2 = P[ 32 ] ^ left;
    return 1;
}
// Builds the key schedule in _12D1E0 from the constant _ACADB0. No per-run
// input takes part, so the result is the same on every call. Indices written:
//   [1..34]     one byte of _ACADB0 per entry (first loop);
//   [19..1042]  1024 entries taken cyclically from the 512 bytes of _ACADB0
//               (second loop) - this range overlaps and overwrites [19..34];
//   [1..18]     XOR'd with the first 72 bytes of _ACADB0 read as big-endian
//               32-bit words, then replaced by nine chained Sub_A7CEB0 calls
//               starting from the pair (0,0), each call using the table as
//               modified so far.
// Returns 1.
DWORD Sub_A97A50()
{
DWORD index = 0;
DWORD index1 = 0;
DWORD index2 = 0;
DWORD index3 = 0;
BYTE* pin = &_ACADB0[ 0 ];
DWORD* pout = &_12D1E0[ 0 ] + 1;
DWORD tmp;
// _12D1E0[1..34] <- _ACADB0[0..33], one byte per DWORD
do {
tmp = ( DWORD )*( pin + index );
*( pout + index ) = tmp;
index ++;
} while( index < 0x22 );
// _12D1E0[19..1042] <- _ACADB0 bytes, wrapping at 512 (each byte used twice)
pout = &_12D1E0[ 0 ] + 19;
for( index = 0; index < 0x04; index ++ ) {
for( index1 = 0; index1 < 0x100; index1 ++ ) {
tmp = ( DWORD )*( pin + index3 );
*( pout + index2 ) = tmp;
index2 ++;
index3 ++;
if( index3 == 512 ) index3 = 0;
}
}
// _12D1E0[1..18] ^= big-endian words of _ACADB0[0..71].
// NOTE(review): each byte is promoted to int before the shift, so '<< 24' of a
// byte >= 0x80 overflows a signed int; this relies on the compiler wrapping the
// value - confirm for the target toolchain.
pin = &_ACADB0[ 0 ];
index = 0;
pout = &_12D1E0[ 0 ] + 1;
for( index1 = 0; index1 < 0x12; index1 ++ ) {
tmp = ( *( pin + index + 0 ) << 24 ) | ( *( pin + index + 1 ) << 16 ) | ( *( pin + index + 2 ) << 0x08 ) | ( *( pin + index + 3 ) );
index += 4;
*( pout + index1 ) ^= tmp;
}
// _12D1E0[1..18] <- nine encryptions of a running (tmp1,tmp2) pair; each call
// reads the round keys written by the previous ones.
DWORD tmp1,tmp2;
tmp1 = 0;
tmp2 = 0;
index1 = 0;
pout = &_12D1E0[ 0 ] + 1;
for( index = 0; index < 0x09; index ++ ) {
Sub_A7CEB0( &tmp1,&tmp2 );
*( pout + index1 ) = tmp1;
*( pout + index1 + 1 ) = tmp2;
index1 += 2;
}
return 1;
}
// In-place 64-bit block transform on pbuf[0..1]: the same 32 rounds and final
// whitening as Sub_A7CEB0 (round keys _12D1E0[1..32], whitening with
// _12D1E0[33..34]), with the halves exchanged on output. Always returns 1.
DWORD Sub_A9CF20( DWORD* pbuf )
{
    const DWORD* P = &_12D1E0[ 1 ];
    DWORD left = pbuf[ 0 ];
    DWORD right = pbuf[ 1 ];
    for( DWORD round = 0; round < 0x20; round ++ ) {
        left ^= P[ round ];
        DWORD next = Sub_A97B50( left ) ^ right;
        right = left;
        left = next;
    }
    pbuf[ 0 ] = P[ 33 ] ^ right;
    pbuf[ 1 ] = P[ 32 ] ^ left;
    return 1;
}
// One pass of Sub_A9CF20 over 64 consecutive two-DWORD blocks (pbuf1[0..127],
// 512 bytes). 'len' is accepted but not consulted: the pass always covers
// 128 DWORDs, so pbuf1 must be at least that large. Always returns 1.
DWORD Sub_A9CF80( DWORD* pbuf1,DWORD len )
{
    ( void )len;
    for( DWORD off = 0; off + 2 <= 128; off += 2 ) {
        Sub_A9CF20( pbuf1 + off );
    }
    return 1;
}
// Runs 0x200 whole-buffer passes of Sub_A9CF80 over a private copy of 'in',
// rotating the copy left by one byte between passes (511 rotations in all,
// because the loop breaks right after the pass at index1 == 0x1FF), then
// writes the 0x200-byte result back over 'in'.
// NOTE(review): the work buffers are sized len+1, but every memcpy below uses
// the fixed sizes 0x1FF/0x200 and Sub_A9CF80 always touches 128 DWORDs. This
// is only memory-safe when len + 1 >= 0x200 and 'in' itself spans 0x200 bytes
// (the one caller in this file passes len == 0x200); smaller values overrun
// both heap buffers. 'len' is otherwise only forwarded to Sub_A9CF80, which
// ignores it. Returns 1.
DWORD Sub_A97C30( DWORD* in,DWORD len )
{
BYTE* pbuf1 = new BYTE[ len + 1 ];
BYTE* pbuf2 = new BYTE[ len + 1 ];
BYTE b;
memset( ( void* )pbuf1,0,len + 1 );
memset( ( void* )pbuf2,0,len + 1 );
memcpy( ( void* )pbuf1,( void* )in,len );
DWORD index1 = 0;
do {
Sub_A9CF80( ( DWORD* )pbuf1,len );
if( index1 == 0x1FF ) break;   // final pass: no rotation afterwards
// rotate left by one byte: pbuf2 = pbuf1[1..0x1FF] followed by pbuf1[0]
memcpy( ( void* )pbuf2,( void* )( pbuf1 + 1 ),0x1FF );
b = *pbuf1;
*( pbuf2 + 0x1FF ) = b;
memcpy( ( void* )pbuf1,( void* )pbuf2,0x200 );
index1 ++;
} while( index1 < 0x200 );
memcpy( ( void* )in,( void* )pbuf1,0x200 );
delete[] pbuf1;
delete[] pbuf2;
return 1;
}
// Second-stage driver: rebuilds the schedule in _12D1E0, copies 'len' bytes
// from 'in' to 'out', and runs Sub_A97C30 on 'out'. 'in' is left unmodified
// by this function; 'out' must hold at least 'len' bytes (Sub_A97C30 itself
// works on 0x200 bytes). Always returns 1.
DWORD Sub_A97E30( DWORD* in,DWORD len,DWORD* out )
{
    Sub_A97A50();            // schedule is rebuilt on every call
    memcpy( out,in,len );    // work on the copy, not the caller's input
    Sub_A97C30( out,len );
    return 1;
}
// Renders 0x200 bytes from 'pin' as upper-case hex text into 'pout'.
// 'pout' must be at least 2048 bytes: it is zeroed in full first, then 1024
// hex characters are appended. Always returns 1.
DWORD Sub_MakeText( BYTE* pin,char* pout )
{
    char hex[ 3 ];   // two digits plus terminator
    memset( ( void* )pout,0,2048 );
    for( const BYTE* p = pin; p < pin + 0x200; p ++ ) {
        BYTE value = *p;
        wsprintf( hex,"%02X",value );
        lstrcat( pout,hex );
    }
    return 1;
}
// Top-level transform: stage one (Sub_A980B0) mutates in[0..63] in place -
// the caller's buffer is changed - and stage two copies 0x200 bytes of the
// mutated 'in' to 'out' and runs the keyed passes there. Both buffers must
// span 0x200 bytes. Always returns 1.
DWORD Sub_Entry( DWORD* in,DWORD* out )
{
    Sub_A980B0( in );
    Sub_A97E30( in,0x200,out );
    return 1;
}
// ****************************************************************************
// Driver: loads a sample record into xdata, runs both transform stages, and
// leaves the hex rendering of the result in xout. Nothing is printed or written
// to disk here; the result is only observable in memory. argc/argv are unused.
int _tmain(int argc, _TCHAR* argv[])
{
// Sample record made of colon-separated tagged fields. It is shorter than the
// 512-byte xdata buffer (roughly 370 bytes), so only the leading bytes of xdata
// are replaced; the tail keeps the initializer's contents.
char str[] = "UD:22PI:4PE:3LO:2VE:576LA:2SY:3OD:2043OL:2043OU:2043LD:-1CP:1PT:1CU:1CL:1UN:015Azithromycin.13EM:019Solomon1988@163.comTL:013(010)88888888FX:013(010)88999999AD:017Xie Tong BuildingPC:006710075AF:0325392FAD6BEE373074DBD3EDFAE6506F2DN:0083KW27Z6KSN:0320123456789ABCDEF0123456789ABCDEFTB:00820080101TA:00820080101PR:015ViewTimerServerDS:0324E349F18F0867F1D9F462B9FED720BBD";
// xdata is addressed byte-wise; lstrlen() is re-evaluated on every iteration.
BYTE* pdata = ( BYTE* )&xdata[ 0 ];
for( int i = 0; i < lstrlen( str ); i ++ ) {
*( pdata + i ) = str[ i ];
}
// Stage one mutates xdata in place; stage two writes 0x200 bytes to xdataout.
Sub_Entry( &xdata[ 0 ],&xdataout[ 0 ] );
// xout receives 1024 hex characters (two per output byte).
Sub_MakeText( ( BYTE* )&xdataout[ 0 ],&xout[ 0 ] );
return 0;
}