 /* Script written by VolX
 version : v1.02
 Test Environment : OllyDbg 1.1
 ODBGScript 1.47 under WINXP
 Thanks : Oleh Yuschuk - author of OllyDbg
 SHaG - author of OllyScript
 Epsylon3 - author of ODbgScript
 */
 //support Asprotect 1.32, 1.33, 1.35, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
 
 // Script variables. ODbgScript numbers are hexadecimal; tmp1..tmp9 are general scratch.
 // NOTE(review): the code after "alloc 2000" and in lab14/lab17 uses a variable named
 // "writep2", which is never declared here ("writept2" below is declared but never used).
 // Confirm the interpreter accepts an undeclared name; otherwise this is a latent failure.
 var tmp1
 var tmp2
 var tmp3
 var tmp4
 var tmp5
 var tmp6
 var tmp7
 var tmp8
 var tmp9
 var imgbase                //base of the debuggee image (GMI MODULEBASE)
 var 1stsecbase             //VA of the first section (from the PE section table)
 var 1stsecsize             //VirtualSize of the first section
 var dllimgbase             //base of the memory block holding the protector code
 var count
 var transit1
 
 //for IAT fixing
 var patch1
 var patch2
 var patch3
 var ori1                   //ori1..ori4: original bytes saved before patching, restored in lab12/lab13
 var ori2
 var ori3
 var ori4
 var iatstartaddr
 var iatendaddr
 var iatsize
 var EBXaddr
 var E8dataloc              //mem1+100: list of "call xxxxxxxx" sites
 var type3dataloc           //mem1+1000: (caller, API, flag) triples
 var thunkdataloc           //dllimgbase+100: thunk records collected in lab9/lab10
 var thunkpt
 var thunkstop
 var mem1                   //scratch block allocated in the debuggee (alloc 2000)
 var type3count
 var E8count
 var writept1
 var writept2
 var APIpoint1A
 var APIpoint1B
 var APIpoint2
 var APIpoint3
 var calladdr
 var FF15flag
 var stkdataloc             //mem1+1500: saved stack + registers (savestk / restorestk)
 var oristk
 
 //for stolencode after API
 var SCafterAPIcount
 var APIerror
 var sttypedec
 var cmpsrcpara
 var cmpdestpara
 var movsrcpara
 var movdestpara
 var jmptype
 var cmptype
 var value
 var destaddr
 var cmdcmp
 var cmdjxx
 var exitsec
 var caller
 
 
 // ---- Phase 0: locate the target image, its first section and the protector module ----
 dbh                     //hide the debugger (ODbgScript dbh)
 BPHWCALL                //clear hardware breakpoint
 GMI eip, MODULEBASE     //get imagebase
 mov imgbase, $RESULT
 log imgbase
 mov tmp1, imgbase
 add tmp1, 3C              //40003C: e_lfanew is at image+3C
 mov tmp1, [tmp1]
 add tmp1, imgbase         //tmp1=signature VA
 add tmp1, f8              //1st section header: "PE\0\0"(4) + FILE_HEADER(14) + OPTIONAL_HEADER(E0) = F8 for PE32
 log tmp1
 add tmp1, 8
 mov 1stsecsize, [tmp1]    //section header +8 = VirtualSize
 log 1stsecsize
 add tmp1, 4
 mov 1stsecbase, [tmp1]    //section header +C = VirtualAddress (RVA)
 add 1stsecbase, imgbase   //convert to VA
 log 1stsecbase
 // Break on the first GetSystemTime call, return to its caller and step once: eip is then
 // inside the module that owns the protector code, which GMEMI reports as dllimgbase.
 gpa "GetSystemTime", "kernel32.dll"
 bp $RESULT
 esto
 bc $RESULT
 rtr
 sti
 GMEMI eip, MEMORYOWNER
 mov dllimgbase, $RESULT
 cmp dllimgbase, 0
 je error
 log dllimgbase
 find dllimgbase, #3135310D0A#    //ASCII "151" + CRLF: version marker; absent => unsupported version
 mov tmp1, $RESULT
 cmp tmp1, 0
 je wrongver
 mov tmp1, dllimgbase
 add tmp1, 010e00          //search only from dllimgbase+10E00 onward
 find tmp1, #8B4B048BD68B45FC#  //search "mov ecx,[ebx+4]" "mov edx,esi" "mov eax,[ebp-4]"
 mov tmp4, $RESULT
 cmp tmp4, 0
 je error31
 bp tmp4
 eob lab3                  //breakpoints and exceptions both continue at lab3
 eoe lab3
 esto
 
 // lab3: keep running until eip is exactly at tmp4 (other stops are ignored).
 lab3:
 cmp eip, tmp4
 je lab4
 esto
 
 // lab4: locate the protector-side addresses used by the thunk-collection pass (lab5..lab12).
 lab4:
 bc tmp4
 find eip, #807C2408007509#    //search "cmp byte[esp+8]" "jnz xxxxxxx"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je wrongver
 add tmp1, 7
 find tmp1, #807C2408007509#   //second occurrence of "cmp byte[esp+8]" "jnz xxxxxxx"
 mov thunkstop, $RESULT
 sub thunkstop, 6              //thunkstop = 6 bytes before the second match (end of the thunk loop)
 log thunkstop
 bp thunkstop
 find dllimgbase, #45894500#   //search "inc ebp", "mov [ebp],eax"
 mov writept1, $RESULT
 cmp writept1, 0
 je error
 add writept1, 1               //writept1 = the "mov [ebp],eax" (skip the one-byte inc ebp)
 log writept1
 mov tmp2, writept1
 sub tmp2, 28
 mov APIpoint3, tmp2           //APIpoint3 = writept1-28 (fixed offset inside the same routine)
 log APIpoint3
 find dllimgbase, #40890383C704#   //"inc eax" "mov [ebx],eax" "add edi,4"
 mov tmp1, $RESULT             //NOTE(review): $RESULT is not checked for 0 here; a miss yields thunkpt = 1
 add tmp1, 1
 mov thunkpt, tmp1             //thunkpt = the "mov [ebx],eax"; hit once per import group (lab7)
 log thunkpt
 bp thunkpt
 find dllimgbase, #33C08A433?3BF0#   //search "xor eax,eax", "mov al,[ebx+3?]", "cmp esi,eax"
 mov patch1, $RESULT
 cmp patch1, 0
 je error
 add patch1, 7                 //patch1 = byte right after "cmp esi,eax" (2+3+2 = 7 bytes of pattern)
 log patch1
 mov tmp1, dllimgbase
 add tmp1, 100
 mov thunkdataloc, tmp1        //thunk records are written from dllimgbase+100 upward
 log thunkdataloc
 
 // lab5: set up the thunk-collection pass. Layout relative to thunkdataloc:
 //   tmp9 = thunkdataloc-20 : lowest first-thunk address seen (read back as iatstartaddr)
 //   tmp8 = thunkdataloc-10 : record for the highest first-thunk group (addr, dll name, ebx, [ebx+4])
 //   tmp6 = write cursor for (first thunk addr, dll name ptr) pairs from thunkdataloc upward
 lab5:
 mov tmp6, thunkdataloc        //use tmp6 as counter
 mov tmp7, 0                   //use tmp7 as a flag: 1 once the detour from lab7 is installed
 mov tmp8, thunkdataloc
 sub tmp8, 10                  //location for last thunk
 mov tmp9, tmp8
 sub tmp9, 10                  //location for first thunk
 
 // lab6: wait until eip is at thunkpt (another import group) or at thunkstop (pass finished).
 lab6:
 cmp eip, thunkpt
 je lab7
 cmp eip, thunkstop
 je lab12
 eob lab6
 eoe lab6
 esto
 
 // lab7: on the first hit only, swap the software bp for a hardware bp and install a detour:
 // a small stub is written at dllimgbase and patch1 is redirected into it. ori1/ori2 keep
 // the 8 bytes overwritten at patch1 so lab12 can restore them.
 lab7:
 cmp tmp7, 1              //check flag
 je lab9
 bc thunkpt               //replace breakpoint type
 BPHWS thunkpt, "x"
 mov ori1, [patch1]
 mov ori2, [patch1+4]
 mov tmp1, dllimgbase
 mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
 add tmp1, 10             //the rel32 "jnz" placeholder (0F85 00000000) is assembled here
 mov tmp2, patch1
 add tmp2, 60
 eval "jnz {tmp2}"
 asm tmp1, $RESULT
 add tmp1, 6              //the "jmp" placeholder (E9 00000000) follows
 mov tmp2, patch1
 add tmp2, 5
 eval "jmp {tmp2}"
 asm tmp1, $RESULT
 eval "jmp {dllimgbase}"
 asm patch1, $RESULT      //detour: patch1 -> stub at dllimgbase
 find patch1, #3B432?74656AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
 mov patch2, $RESULT
 cmp patch2, 0
 je lab8                  //patch2 is optional: skipped when the pattern is absent
 add patch2, 3
 log patch2
 mov ori3, [patch2]
 mov [patch2], #EB#       //je -> jmp (ori3 keeps the original opcode byte)
 
 // lab8: same for patch3, which must be present.
 lab8:
 find patch1, #3B432?741b6AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
 mov patch3, $RESULT
 cmp patch3, 0
 je error
 add patch3, 3
 log patch3
 mov ori4, [patch3]
 mov [patch3], #EB#       //je -> jmp (ori4 keeps the original opcode byte)
 mov tmp7, 1                //set flag
 
 // lab9: ebx points at the protector's per-DLL import record: [ebx] is the RVA of the
 // group's first thunk, ebx+A the DLL name (see lab10). Record the first-thunk VA.
 lab9:
 mov tmp1, ebx
 mov tmp2, [tmp1]
 add tmp2, imgbase
 log tmp2
 mov tmp4, tmp2             //first thunk address
 mov [tmp6], tmp2           //store first thunk address
 mov tmp3, [tmp2-4]
 cmp tmp3, 0
 je lab10
 mov tmp3, tmp2
 sub tmp3, 4
 mov [tmp3], 0             //zero the dword just before the first thunk (separator between groups)
 
 // lab10: store the DLL name pointer, then keep the record at tmp8 describing the group
 // with the highest first-thunk address.
 lab10:
 add tmp6, 4
 add tmp1, 0A
 mov tmp5, tmp1           //dll name
 log tmp5
 mov [tmp6], tmp5         //store dll name
 add tmp6, 4
 //compare first thunk
 mov tmp2, [tmp8]
 cmp tmp2, tmp4
 ja lab10_1               //stored record is already higher: keep it
 mov tmp3, tmp8
 mov [tmp3], tmp4         //first thunk address
 add tmp3, 4
 mov [tmp3], tmp5         //dll name
 add tmp3, 4
 mov [tmp3], ebx
 add tmp3, 4
 mov tmp1, ebx
 add tmp1, 4
 mov tmp2, [tmp1]
 log tmp2
 mov [tmp3], tmp2         //[ebx+4]; read back as [dllimgbase+FC] by the iatendaddr check after lab13
 
 //find 1st thunk: keep the lowest first-thunk address in [tmp9]
 lab10_1:
 mov tmp1, [tmp9]
 cmp tmp1, 0
 je lab10_2
 cmp tmp1, tmp4
 jb lab11
 
 lab10_2:
 mov [tmp9], tmp4
 
 // lab11: resume until the next import group.
 lab11:
 eob lab6
 eoe lab6
 esto
 
 // lab12: thunk pass finished - remove the detour and restore the patched bytes.
 lab12:
 bc thunkstop
 bphwc thunkpt
 fill dllimgbase, 20, 00        //wipe the stub written in lab7
 mov [patch1], ori1
 mov tmp1, patch1
 add tmp1, 4
 mov [tmp1], ori2
 cmp patch2, 0
 je lab13
 mov [patch2], ori3
 
 lab13:
 mov [patch3], ori4
 
 //checking iatendaddr: run a helper stub inside the debuggee (eip saved in tmp8 and restored
 //afterwards). The dword placeholders in the byte string are overwritten at the offsets below.
 cob
 coe
 mov tmp8, eip
 mov tmp1, dllimgbase
 mov [tmp1], #609C33C0B9000000008B3DF4009000F2AEFF0540009000E302EBF48B0D4000900083E902C1E102A1F000900003C1A344009000C700000000009D619090#
 add tmp1, 5
 mov tmp2, dllimgbase
 add tmp2, FC       //dllimgbase+FC: [ebx+4] of the highest thunk group (stored in lab10)
 mov tmp3, [tmp2]
 sub tmp3, 6
 mov [tmp1], tmp3   //stub+05
 add tmp1, 6
 sub tmp2, 8         //dllimgbase+F4: dll name pointer of that group
 mov [tmp1], tmp2   //stub+0B
 add tmp1, 8
 mov tmp2, dllimgbase
 add tmp2, 40        //dllimgbase+40: scratch cell used by the stub
 mov [tmp1], tmp2   //stub+13
 add tmp1, 0A
 mov [tmp1], tmp2   //stub+1D
 add tmp1, 0B
 mov tmp3, tmp2
 add tmp3, 0B0       //dllimgbase+F0: first thunk of the highest group
 mov [tmp1], tmp3   //stub+28
 add tmp1, 7
 add tmp2, 4         //dllimgbase+44: the stub leaves its result here
 mov [tmp1], tmp2   //stub+2F
 add tmp1, 0C        //end point (stub+3B)
 mov eip, dllimgbase
 bp tmp1
 esto
 bc tmp1
 mov tmp3, [tmp2]   //result from dllimgbase+44
 log tmp3
 mov iatendaddr, tmp3
 log iatendaddr
 mov tmp1, dllimgbase
 add tmp1, 0E0
 mov iatstartaddr, [tmp1]   //thunkdataloc-20: lowest first-thunk address (see lab10_1)
 log iatstartaddr
 fill dllimgbase, 300, 00   //wipe the stub and the thunk records
 mov eip, tmp8
 
 // Allocate scratch memory in the debuggee: E8dataloc (mem1+100) collects addresses of
 // "call xxxxxxxx" sites, type3dataloc (mem1+1000) collects (caller, API, flag) triples,
 // and stkdataloc (mem1+1500, set before savestk) holds the saved stack.
 alloc 2000
 mov mem1, $RESULT
 log mem1
 mov tmp1, mem1
 add tmp1, 100
 mov E8dataloc, tmp1
 log E8dataloc
 mov tmp1, mem1
 add tmp1, 1000
 mov type3dataloc, tmp1
 log type3dataloc
 find dllimgbase, #8B432C2BC583E805#   //"mov eax,[ebx+2C]" "sub eax,ebp" "sub eax,5"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 add tmp1, 8
 mov writep2, tmp1      //NOTE(review): "writep2" is not declared with var (writept2 is) - confirm
 log writep2
 bphws writep2, "x"
 mov tmp1, dllimgbase
 add tmp1, 1000
 find tmp1, #C6463401#    //search "mov byte[esi+34], 1"
 mov tmp2, $RESULT
 cmp tmp2, 0
 je error
 find tmp2, #68????????68????????68#   //three consecutive "push imm32"
 mov transit1, $RESULT
 cmp transit1, 0
 je error
 log transit1
 bp transit1
 BPHWS APIpoint3, "x"
 mov tmp6, type3dataloc   //write cursor for the type-3 records (lab16)
 mov tmp7, 0
 eoe lab14
 eob lab14
 esto
 
 // lab14: dispatch on which breakpoint stopped the debuggee.
 lab14:
 cmp eip, APIpoint3
 je lab15
 cmp eip, writep2
 je lab17
 cmp eip, transit1
 je lab19
 esto
 
 // lab15: first time at APIpoint3, capture ebx (the protector's import state block) and
 // the byte at [ebx+4A] as FF15flag.
 lab15:
 cmp EBXaddr, 0
 jne lab16
 mov EBXaddr, ebx
 log EBXaddr
 mov tmp1, [EBXaddr+4A]
 and tmp1, 0FF
 mov FF15flag, tmp1
 log FF15flag
 
 // lab16: record one "type 3" API as three dwords at tmp6: caller address (ebp), API
 // address (eax) and the flag byte at [esp+18]. Then run to writept1 with the handlers
 // cleared, and re-arm them.
 lab16:
 mov tmp1, eax               //store API address
 log tmp1
 add type3count, 1
 mov tmp2, ebp               //ebp==Address of call API
 log tmp2
 mov [tmp6], tmp2            //save caller address
 add tmp6, 4
 mov [tmp6], tmp1            //save API address
 add tmp6, 4
 mov tmp2, [esp+18]
 and tmp2, FF
 log tmp2
 mov [tmp6], tmp2           //save FF flag
 add tmp6, 4
 cob
 coe
 bp writept1
 esto
 bc writept1
 eob lab14
 eoe lab14
 esto
 
 // lab17: at writep2 (hit once): ebp is taken as the address of a "call rel32" (see lab18);
 // step twice, and capture EBXaddr/FF15flag if lab15 has not done so yet.
 lab17:
 bphwc writep2
 mov tmp2, ebp
 log tmp2
 sti
 sti
 cmp EBXaddr, 0
 jne lab18
 mov EBXaddr, ebx
 log EBXaddr
 mov tmp1, [EBXaddr+4A]
 and tmp1, 0FF
 mov FF15flag, tmp1
 log FF15flag
 
 // lab18: calladdr = tmp2 + rel32 at [tmp2+1] + 5, i.e. the target of an E8 call at tmp2.
 lab18:
 mov tmp3, tmp2
 mov tmp4, [tmp3+1]
 add tmp3, tmp4
 add tmp3, 5
 mov calladdr, tmp3
 log calladdr
 eob lab14
 eoe lab14
 esto
 
 // lab19: reaching transit1 ends the collection phase. If any type-3 APIs were recorded,
 // run a helper stub (written at dllimgbase, eip saved in tmp6) over the IAT range
 // iatstartaddr..iatendaddr using the records at type3dataloc. The placeholders in the
 // byte strings are patched at the offsets noted on each line.
 lab19:
 log type3count
 bphwc APIpoint3
 bc transit1
 cmp type3count, 0
 je lab20
 
 //fix type 3 API
 cob
 coe
 mov tmp6, eip           //save eip
 mov tmp1, dllimgbase
 mov [tmp1], #609C8B3D500090008B0783F80074418B5F04BE00004000391E740D83C60481FE000040007728EBEF#
 add tmp1, 28
 mov [tmp1], #BA0100000066B9FF153B570874056681C1001066890883C00289308305500090000CEBB69090EBFE9D619090#
 mov tmp1, dllimgbase
 mov tmp2, tmp1
 add tmp1, 4
 add tmp2, 60           //dllimgbase+60: pointer cell, initialised to type3dataloc below
 mov [tmp1], tmp2       //dllimgbase+04
 add tmp1, 0F           //dllimgbase+13
 mov [tmp1], iatstartaddr
 add tmp1, 0D           //dllimgbase+20
 mov [tmp1], iatendaddr
 add tmp1, 9            //dllimgbase+29
 mov [tmp1], FF15flag
 add tmp1, 1C           //dllimgbase+45
 mov [tmp1], tmp2
 mov [tmp2], type3dataloc
 add tmp1, 0D           //dllimgbase+52
 mov tmp5, tmp1          //end point
 mov eip, dllimgbase
 bp tmp5
 esto
 bc tmp5
 mov eip, tmp6          //restore eip
 fill dllimgbase, 70, 00   //clear patch code
 
 //get all call xxxxxxxx: if lab18 found the common call target, run a helper stub that
 //walks the first section (1stsecbase .. 1stsecbase+1stsecsize) looking for E8 bytes whose
 //call target equals calladdr (cmp at stub+15) and appends each such address at E8dataloc
 //through the pointer cell at dllimgbase+60. eip is saved in tmp6 and restored in lab22.
 lab20:
 cmp calladdr, 0
 je lab79
 mov tmp1, dllimgbase
 mov tmp2, tmp1
 add tmp2, 60
 mov [tmp1], #609CBE10004000803EE8751E8B460103C683C0053D00009000750F8B3D600090008937830560009000044681FE0000500072D49D619090#
 add tmp1, 3      //dllimgbase+3
 mov [tmp1], 1stsecbase
 add tmp1, 12     //dllimgbase+15
 mov [tmp1], calladdr
 add tmp1, 8      //dllimgbase+1D
 mov [tmp1], tmp2
 add tmp1, 8      //dllimgbase+25
 mov [tmp1], tmp2
 add tmp1, 8      //dllimgbase+2D
 mov tmp3, 1stsecbase
 add tmp3, 1stsecsize
 mov [tmp1], tmp3     //end of the scanned range
 mov [tmp2], E8dataloc
 add tmp1, 8      //dllimgbase+35
 mov tmp4, tmp1   //end point
 mov tmp6, eip    //save eip
 mov eip, dllimgbase
 bp tmp4
 eob lab21
 eoe lab21
 run
 
 // lab21: keep running until the stub reaches its end point.
 lab21:
 cmp eip, tmp4
 je lab22
 run
 
 // lab22: E8count = number of dwords appended = ([dllimgbase+60] - E8dataloc) / 4.
 lab22:
 bc tmp4
 mov eip, tmp6
 mov tmp1, dllimgbase
 add tmp1, 60
 mov tmp2, [tmp1]
 mov tmp3, E8dataloc
 sub tmp2, tmp3
 shr tmp2, 2
 mov E8count, tmp2
 log E8count
 fill dllimgbase, 70, 00
 cmp E8count, 0
 je lab79
 
 //start to save stack data: copy 0x100 bytes starting at esp toward LOWER addresses into
 //stkdataloc, followed by the eight general registers. lab77/restorestk put everything back
 //after the patch stub has executed code in the debuggee. (Reading below esp is presumably
 //deliberate: the stubs' pushad/pushfd and the executed calls overwrite that region.)
 mov stkdataloc, mem1
 add stkdataloc, 1500
 mov oristk, esp
 mov tmp1, esp
 mov tmp3, stkdataloc
 mov tmp4, 100              //bytes remaining
 
 savestk:
 cmp tmp4, 0
 je lab23
 mov tmp2, [tmp1]
 mov [tmp3], tmp2
 sub tmp1, 4                //walk downward from esp
 sub tmp4, 4
 add tmp3, 4
 jmp savestk
 
 // lab23: append eax, ecx, edx, ebx, esp, ebp, esi, edi (same order as lab78 restores them).
 lab23:
 log tmp3
 mov [tmp3], eax
 add tmp3, 4
 mov [tmp3], ecx
 add tmp3, 4
 mov [tmp3], edx
 add tmp3, 4
 mov [tmp3], ebx
 add tmp3, 4
 mov [tmp3], esp
 add tmp3, 4
 mov [tmp3], ebp
 add tmp3, 4
 mov [tmp3], esi
 add tmp3, 4
 mov [tmp3], edi
 
 // lab27: locate the protector routines that resolve an API (APIpoint1A / APIpoint1B) and
 // the instruction after which the resolved address is combined (APIpoint2). Each point has
 // two byte-pattern variants (lab27/lab28 and lab29/lab30) for different protector builds.
 lab27:
 find dllimgbase, #3130320D0A#          //search ASCII "102" + CRLF
 mov tmp6, $RESULT
 cmp tmp6, 0
 je error
 find tmp6, #8B80E00000000145FC#        //"mov eax,[eax+E0]" "add [ebp-4],eax"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je lab28
 add tmp1, 9                            //point just past the 9-byte pattern
 mov APIpoint1A, tmp1
 log APIpoint1A
 find APIpoint1A, #8B80E00000000145FC#  //second occurrence
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 add tmp1, 9
 mov APIpoint1B, tmp1
 log APIpoint1B
 jmp lab29
 
 // lab28: variant B of the two API points.
 lab28:
 find tmp6, #8A404A3A45EF0F85????????#  //"mov al,[eax+4A]" "cmp al,[ebp-11]" "jnz rel32"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 add tmp1, 0C                           //past the 12-byte pattern
 mov APIpoint1A, tmp1
 log APIpoint1A
 find APIpoint1A, #8A404B3A45EF75??#    //"mov al,[eax+4B]" "cmp al,[ebp-11]" "jnz rel8"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 add tmp1, 8                            //past the 8-byte pattern
 mov APIpoint1B, tmp1
 log APIpoint1B
 
 lab29:
 find APIpoint1B, #0255??#    //SEARCH "add dl, byte[ebp-??]"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je lab30
 add tmp1, 3
 mov APIpoint2, tmp1
 log APIpoint2
 jmp lab31
 
 lab30:
 find APIpoint1B, #02D3#    //SEARCH "add dl, bl"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 add tmp1, 2
 mov APIpoint2, tmp1
 log APIpoint2
 
 // lab31: tmp5 = the four bytes of the "cmp dword [ebp-??],-1" found here; they are copied
 // verbatim into the patch stub at dllimgbase+33 (see "write patch code").
 lab31:
 find APIpoint1B, #837DD?FF74??#
 mov tmp1, $RESULT
 cmp tmp1, 0
 je error
 mov tmp5, [tmp1]
 log tmp5              //stack binary
 
 //write patch code: the stub is written at dllimgbase in five chunks (+0, +2A, +53, +84, +B0)
 //and its dword placeholders are then filled in:
 //  +9, +1D, +74  <- dllimgbase+D0 (save slot)      +E, +2B, +87 <- dllimgbase+C0 (pointer cell)
 //  [C0] = E8dataloc (cursor over the recorded call sites)   [C4] = dllimgbase+200 (stolen-code cursor)
 //  +33 <- cmp bytes from lab31     +50, +94 <- "mov al, FF15flag"     +A5/+B2 <- IAT start/end
 //Entry is +0; lab32 uses +28 as the success exit and +BB as the error exit; lab34/lab35
 //re-enter at +2A and +86.
 mov tmp1, dllimgbase
 mov [tmp1], #64FF35000000008F05D0009000A1E00090008B1883FB007402FFE3FF35D0009000648F05000000009090#
 add tmp1, 2A          //2A
 mov [tmp1], #BFE00090008B078B18837DD4FF740F8B47048B1F8B1B891883C0048947048B5DFCE854000000C6C001#
 add tmp1, 29          //53
 mov [tmp1], #66B9FF153A45EF74056681C100108B078B1883C004890766890B83C3028933FF35D0009000648F0500000000E97CFFFFFF#
 add tmp1, 31          //84
 mov [tmp1], #9090BFE00090008B5C24E8E810000000C6C00166B9FF153AC274C2EBBB909090BE00009000391E740D83C604#
 add tmp1, 2C          //B0
 mov [tmp1], #81FE000090007703EBEFC39090#
 mov tmp1, dllimgbase
 mov tmp2, tmp1
 mov tmp4, tmp1
 add tmp2, 0C0        //dllimgbase+C0
 add tmp4, 0D0        //dllimgbase+D0
 add tmp1, 9          //dllimgbase+09
 mov [tmp1], tmp4
 add tmp1, 5          //dllimgbase+0E
 mov [tmp1], tmp2
 add tmp1, 0F         //dllimgbase+1D
 mov [tmp1], tmp4
 add tmp1, 0E         //dllimgbase+2B
 mov [tmp1], tmp2
 mov [tmp2], E8dataloc
 add tmp2, 4          //C4
 mov tmp3, dllimgbase
 add tmp3, 200        //dllimgbase+200 -- location of stolen code after API
 mov [tmp2], tmp3
 add tmp1, 8          //dllimgbase+33
 mov [tmp1], tmp5     //stack binary
 add tmp1, 1D         //dllimgbase+50
 eval "mov al, {FF15flag}"
 asm tmp1, $RESULT
 add tmp1, 24         //dllimgbase+74
 mov [tmp1], tmp4
 add tmp1, 13         //dllimgbase+87
 sub tmp2, 4          //C0
 mov [tmp1], tmp2
 add tmp1, 0D         //dllimgbase+94
 eval "mov al, {FF15flag}"
 asm tmp1, $RESULT
 add tmp1, 11         //dllimgbase+A5
 mov [tmp1], iatstartaddr
 add tmp1, 0d         //dllimgbase+B2
 mov [tmp1], iatendaddr
 
 // lab32: execute the patch stub. Hardware bps on the three API points divert execution
 // back into the stub (lab34/lab35); a bp at dllimgbase+28 marks success and one at +BB
 // the error exit. eip is saved in tmp7 and restored in lab37.
 lab32:
 bphws APIpoint1A, "x"
 bphws APIpoint1B, "x"
 bphws APIpoint2, "x"
 mov tmp5, dllimgbase
 add tmp5, 28                //end point
 bp tmp5
 mov tmp6, dllimgbase
 add tmp6, BB                //error point
 bp tmp6
 mov tmp7, eip               //save eip
 mov eip, dllimgbase
 eob lab33
 eoe lab33
 esto
 
 // lab33: dispatch on the stop address.
 lab33:
 cmp eip, tmp5
 je lab37
 cmp eip, tmp6
 je lab36
 cmp eip, APIpoint1A
 je lab34
 cmp eip, APIpoint1B
 je lab34
 cmp eip, APIpoint2
 je lab35
 run
 
 // lab34: API point 1A/1B reached - continue inside the stub at dllimgbase+2A.
 lab34:
 mov tmp1, dllimgbase
 add tmp1, 2A
 mov eip, tmp1
 run
 
 // lab35: API point 2 reached - continue inside the stub at dllimgbase+86.
 lab35:
 mov tmp1, dllimgbase
 add tmp1, 86
 mov eip, tmp1
 run
 
 // lab36: the stub hit its error exit - remove all breakpoints and stop.
 lab36:
 bc tmp5
 bc tmp6
 bphwc APIpoint1A
 bphwc APIpoint1B
 bphwc APIpoint2
 msg "Unexpected termination of the process"
 pause
 jmp end
 
 // lab37: success. [dllimgbase+C4] is the stolen-code cursor; if it moved past +200, dump
 // the collected dwords to SCafAPI.bin and report their count.
 lab37:
 bc tmp5
 bc tmp6
 bphwc APIpoint1A
 bphwc APIpoint1B
 bphwc APIpoint2
 mov eip, tmp7
 mov tmp1, dllimgbase
 mov tmp3, tmp1
 add tmp1, C4
 mov tmp2, [tmp1]
 add tmp3, 200
 cmp tmp3, tmp2
 je lab77                 //cursor never moved: no stolen code after API
 sub tmp2, tmp3
 dm tmp3, tmp2, "SCafAPI.bin"
 shr tmp2, 2
 mov SCafterAPIcount, tmp2
 log SCafterAPIcount
 msg "There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
 pause
 jmp lab77
 
 
 // The labels below are empty placeholders for stolen-code command types; nothing in this
 // script jumps to them and no code follows them.
 //command=="call xxxxxxxx"
 type4a:
 
 
 //command=="jmp xxxxxxxx"
 type4b:
 
 
 //command=="cmp dest, src" "jxx xxxxxxxx"
 type4c:
 
 
 //command=="cmp dest, src"
 type4d:
 
 
 //command=="add reg1, value"
 type4f:
 
 
 //command=="mov reg1, reg2"
 type50:
 
 
 //command=="mov [value], reg "
 type51:
 
 
 //command=="mov [reg1+value], reg2"
 type52:
 
 //restore stack data: mirror of savestk/lab23 - put esp back, copy the 0x100 saved bytes
 //downward from esp, then reload the eight registers in the order they were saved.
 lab77:
 mov esp, oristk             //restore stack pointer
 mov tmp1, esp
 mov tmp3, stkdataloc
 mov tmp4, 100
 
 restorestk:
 cmp tmp4, 0
 je lab78
 mov tmp2, [tmp3]
 mov [tmp1], tmp2
 sub tmp1, 4
 sub tmp4, 4
 add tmp3, 4
 jmp restorestk
 
 lab78:
 mov eax, [tmp3]
 add tmp3, 4
 mov ecx, [tmp3]
 add tmp3, 4
 mov edx, [tmp3]
 add tmp3, 4
 mov ebx, [tmp3]
 add tmp3, 4
 mov esp, [tmp3]
 add tmp3, 4
 mov ebp, [tmp3]
 add tmp3, 4
 mov esi, [tmp3]
 add tmp3, 4
 mov edi, [tmp3]                //restore stack data completed
 fill dllimgbase, 500, 00       //wipe the patch stub and its data cells
 
 // lab79: report. iatsize = iatendaddr - iatstartaddr + 4. The number of APIs handled
 // (type3count + E8count) is compared with [EBXaddr+18] - presumably the protector's own
 // import count; not verified here.
 lab79:
 mov tmp1, iatendaddr
 sub tmp1, iatstartaddr
 add tmp1, 4
 mov iatsize, tmp1
 log iatstartaddr
 log iatsize
 mov tmp1, type3count
 add tmp1, E8count
 mov tmp2, [EBXaddr+18]
 cmp tmp1, tmp2
 je lab80
 msg "Warning, there are some API not resolved!"
 pause
 jmp lab81
 
 lab80:
 msg "Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
 pause
 
 // lab81: after the "153" marker, find a "pop reg / ret" within the preceding 0x40 bytes and
 // break on its ret (match+1); then, after the "103" marker, break on "lea eax,[eax] / ret".
 lab81:
 mov tmp1, dllimgbase
 add tmp1, 1000
 find tmp1, #3135330D0A#     //search ASCII"153"
 mov tmp2, $RESULT           //NOTE(review): $RESULT is not checked for 0 before "sub tmp2, 40"
 sub tmp2, 40
 find tmp2, #5?C3#           //"pop reg" "ret"
 mov tmp3, $RESULT
 cmp tmp3, 0
 je error
 add tmp3, 1                 //the ret
 bp tmp3
 eob lab82
 eoe lab82
 esto
 
 lab82:
 cmp eip, tmp3
 je lab83
 esto
 
 lab83:
 bc tmp3
 mov tmp1, dllimgbase
 add tmp1, 1000
 find tmp1, #3130330D0A#     //search ASCII"103"
 mov tmp2, $RESULT
 cmp tmp2, 0
 je wrongver
 find tmp2, #8D00C3#        //search "lea eax,[eax]" "ret"
 mov tmp1, $RESULT
 cmp tmp1, 0
 je wrongver
 bphws tmp1, "x"
 eob lab84
 eoe lab84
 esto
 
 lab84:
 cmp eip, tmp1
 je lab85
 esto
 
 // lab85: pick the stolen-code start from the stack: [esp+C] when [esp+8] is zero, else
 // [esp+10]; a zero value means there is no stolen code (lab85_2). What these slots hold
 // in the protector is not documented here.
 lab85:
 bphwc tmp1
 cob
 coe
 mov tmp1, [esp+8]
 cmp tmp1, 0
 jne lab85_1
 mov tmp1, [esp+C]
 cmp tmp1, 0
 je lab85_2
 jmp lab86                  //tmp1 = [esp+C]
 
 lab85_1:
 mov tmp1, [esp+10]
 cmp tmp1, 0
 jne lab86                  //tmp1 = [esp+10]
 
 // lab85_2: no stolen code - a memory breakpoint on the first section stops at the OEP.
 lab85_2:
 bprm 1stsecbase, 1stsecsize
 esto
 bpmc
 msg "OEP found, no stolen code at the OEP!"
 pause
 jmp end
 
 // lab86: run to the stolen-code start (tmp1), then locate the comment table that follows:
 // eight zero bytes after eip, then the first non-zero byte within the next 0x10 bytes.
 lab86:
 bp tmp1
 esto
 bc tmp1
 msg "Stolen code start, press OK button to add comments"
 mov tmp5, eip              //base address for the comment offsets (loop18)
 find eip, #0000000000000000#
 mov tmp2, $RESULT          //NOTE(review): $RESULT is not checked for 0 here
 mov tmp1, tmp2
 add tmp1, 8
 mov tmp4, 10               //bytes left to scan
 
 loop16:
 cmp tmp4, 0
 je notfound
 mov tmp2, [tmp1]
 and tmp2, ff               //look at one byte
 cmp tmp2, 0
 jne lab87
 add tmp1, 1
 sub tmp4, 1
 jmp loop16
 
 // lab87: the byte 3 past the first non-zero byte must be zero. tmp6 = tmp1-B is the upper
 // bound of the table; then walk backwards in 8-byte steps until two zero dwords (count)
 // have been passed, which marks the table start.
 lab87:
 add tmp1, 3
 mov tmp2, [tmp1]
 and tmp2, ff
 cmp tmp2, 0
 jne error
 sub tmp1, b
 mov tmp6, tmp1
 sub tmp1, 4
 mov tmp4, 200              //bytes left to scan backwards
 mov count, 0
 
 loop17:
 cmp tmp4, 0
 je notfound
 mov tmp2, [tmp1]
 cmp tmp2, 00000000
 je lab88
 sub tmp1, 8
 sub tmp4, 8
 jmp loop17
 
 lab88:
 cmp count, 1
 je lab89
 add count, 1               //first zero dword: keep going
 sub tmp1, 8
 sub tmp4, 8
 jmp loop17
 
 lab89:
 mov tmp4, tmp1
 add tmp4, 4
 
 // loop18: each 8-byte entry is (RVA, offset): write the VA (RVA + imgbase) as a comment at
 // tmp5 + offset, until tmp6 is reached.
 loop18:
 cmp tmp4, tmp6
 jae lab90
 mov tmp1, [tmp4]
 add tmp1, imgbase
 eval "{tmp1}"              //$RESULT = tmp1 as text
 add tmp4, 4
 mov tmp2, [tmp4]
 add tmp2, tmp5             //tmp2== address to put comment
 cmt tmp2, $RESULT
 add tmp4, 4
 jmp loop18
 
 lab90:
 msg "Comments are added"
 pause
 jmp end
 
 // Terminal paths: each shows a message box, pauses, and falls through or jumps to end.
 error:
 msg "Error!"
 pause
 jmp end
 
 wrongver:
 msg "Unsupported Aspr version or it is not packed with Aspr?"
 pause
 jmp end
 
 error31:
 msg "Error 31!"
 pause
 jmp end
 
 notfound:
 msg "Not found"
 pause
 
 // end: ret terminates the script.
 end:
 ret