NTUSTxTDOH - Pwn基礎

Transcript

1. PWN BASIC 6&1*Z06756羝峫瞗瓴⫛䯯㕡绮テ∽⨫ $[CCCFFTGUU

2. #$176/' ➤ ⾺聖豪 (aaaddress1) ➤ 義守⼤學資訊⼯程⼆年級 ➤ Reverse Engineering Skills

   ➤ Windows / Mac OS /Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態⼿花詐欺術 ➤ Wooyun WhiteHat: x86⼿花詐欺 ➤ 逢甲2015⾏動計算研討會: AIDS ➤ 成功⼤學2015⾏動APP競賽

3. #$176/' ➤ Hack BOT ➤ CrackShield / MapleHack ➤ Tower

   Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通防爆PING
 ➤ CSharp,VB,C/CPlus,
 x86,Python,Smali,Swift

4. 聅㤐⃡⋬⻰瞰⼍䥥磢桴苌 㓲㧪⑊⋬⻰磢⛐⇆㙩嶓 猺竅砒⃬禈JT猻

5. 㔡⇆㓲㽛⹻ㄗ≧⃡ⅼ痙䚊䥥 9KPFQYU⃫$WHHGT1XGTHNQY䚊㾶

6. ⛭磢⛐⇆假⛥∮㔴⋬⫛䯯 ⛐⇆㇗六厷䰿Ń6CUK䥥.KPWZ2YP

7. ⛇⯷苌 聅⫣嶓⛐叞㧤㧪熿䭍

8. 㓲⼒䡗⛥∮ 䒀㍪Z+&#肪㧪&GDWIIGT䥥≠䠉Ⅷ苌 伂⬒嶓砒㧤䥝假⛥∮苌 ℬ砒⦿⺗哋ヒ䚊⃮ⓛ≧⛐⇆⨉咪㧙㡓㓲

9. 肪峹㉸≁⋲⭌⻌⚤▁嶓粕䥥欭䧏不⃪欭⢯獑 #   %  痞∶⛋⇆RWUJ哨TGV⻇∽⢯獑

10. 汷␩ #   RWUJ RWUJ RWUJ ECNN #

11. 汷␩ #   RWUJ RWUJ RWUJ RWUJTGVPACFFT LWOR #

12. 汷␩ #   RWUJ RWUJ RWUJ RWUJTGVPACFFT RWUJ #

    TGV

13. 汷␩ #  %  RWUJ RWUJ RWUJ RWUJ %

    RWUJ # TGV

14. RWUJ RWUJ RWUJ RWUJ % RWUJ # TGV 痞㩽≁缙412%JCKP槡缙聅⋬缨㋖:&

15. PWN, What?

16. PWN = MAGIC!

17. PWN = MAGIC!

18. PWN = P & Own

19. PWN = P & Own 22GPGVTCVKQP⑆璲

20. PWN = P & Own 1YP㞢㧪

21. PWN 
 pOWN 
 PWN 2 OWN

22. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ

23. None

24. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ

25. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ 厷獑

26. PWN = 未經擁有者同意下 獲取或者拿下特定/部分權限

27. PWN = 未經擁有者同意下 獲取或者拿下特定/部分權限 Ⰸ㱣✈珯猺⡣

28. PWN = Input to Script

29. PWN, When?

30. Today you’re on the NET

31. 䘣఺翕ᒊ殷ᶎ USER GET BROWSER RESPONSE

32. OUTPUT RESULT BROWSER Html,JS,VBScript(IE)…etc RESPONSE

33. OUTPUT RESULT BROWSER Html,JS,VBScript(IE)…etc RESPONSE BOF, Heap Overflow, SEH …blabla

34. None
35. None

36. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 Socket/HTTP

37. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP

38. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP BOF, Heap Overflow, SEH …blabla

39. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP BOF, Heap Overflow, SEH …blabla

    /+6/㐀㪴QT嵓RQTV㨍憌㠐硺↷↛+0276
40. None

41. 螐纷Ԇ秚 IOT 5QEMGV*662繷喞

42. 螐纷Ԇ秚 IOT RESPONSE&薹ຉ 5QEMGV*662繷喞

43. 螐纷Ԇ秚 IOT RESPONSE&薹ຉ 5QEMGV*662繷喞 BOF

44. None
45. None
46. None
47. None

48. PWN in CTF?

49. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼

50. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼  䄍嵇肞㔬┊䠉㈒熿珮䇰㿿䥥叞╼

51. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼  䄍嵇肞㔬┊䠉㈒熿珮䇰㿿䥥叞╼ 㕟叞┊䠉

52. CTF PWN Type?

53. 埈搴氂ፓԆ秚 㷢搴ᘏ 0%珮55*

54. 埈搴氂ፓԆ秚 㷢搴ᘏ 0%珮55* 4'52105'
 *GNNQ9QTNF9JCVņU[QWTPCOG!

55. 埈搴氂ፓԆ秚 㷢搴ᘏ 5'0& 65A*EMGT

56. 埈搴氂ፓԆ秚 㷢搴ᘏ 5'0& 65A*EMGT 4'52105'
 1M65A*EMGT0KEGVQOGGV[QW

57. Find a exploit?

58. None

59. 㽳㧪㿿苌㡕≁⋲FGT

60. None

61. 㧪䇰㿿苌⛐$WHHGT1XGTHNQY

62. ∧㽳抇㾶┊䠉

63. None

64. 㧪䇰㿿苌⛐┊䠉猳

65. Use the exploit?

66. Use the exploit? -> Control RIP (BOF,Heap,SEH,Sigreturn…)

67. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

68. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

    9KPFQYU1PN[

69. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

    .KPWZ1PN[

70. 㧪㠜㞫⼒㧪椓䲇猺椓䲇⅀㤐勤熿猻

71. 聆䠉椓䲇獌 &'2Ń羝㡺☡㺖⃮⛐⫘嬭珮⫘嬭☡㺖⃮⛐⻌ #.54Ń腠祚甙㴂倥⨑⨡ 猺⃡緈勭峡勤熿⼒㤐聅⑊⋬猻

72. 9KPFQYU⃫㠜㞫㔬㺖獌 $WHHGT1XGTHNQY $1(  5VTWEVWTGF'ZEGRVKQP*CPFNKPI 5'*  *GCR5RTC[

73. 9KPFQYU⃫椓䲇獌 &'2Ń羝㡺⃮⛐⫘嬭珮⫘嬭⃮⛐⻌ #.54Ń腠祚甙㴂倥⨑⨡ 5CHG5'*Ń㶃䄍*CPFNGT⛩㾶㌈ 5'*12Ń洸帪5'*孉完缛垬㎦㾢 5GEWTKV[%QQMKGŃTGV┮㶃䄍5VCEM㤐✇箊㙪

74. 㨍㣆嚽⢏獌  $WHHGT1XGTHNQYTGVQP9KPFQYU  5GEWTKV[%QQMKG!  $WHHGT1XGTHNQY5'*QP9KPFQYU

75. :%#..+0)%108'06+10
  4'674014+'06'&241)4#//+0)

76. None
77. None
78. None
79. None
80. None

81. [EBP+0 ] = Pointer to old EBP [EBP+4 ] =

    Return Address [EBP+8 ] = First Parameter [EBP+C ] = Second Parameter [EBP+10 ] = Third Parameter …etc [EBP+8 + 4*index] = Parameter[index]

82. VOID FUNC() { INT A = 0; INT B =

    1; INT C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP SUB ESP, LEN

83. VOID FUNC() { NFUNC(ARG1,ARG2,ARG3…) } push ebp mov ebp,esp .

    . push arg3 push arg2 push arg1 call nFunc
84. None
85. None
86. None
87. None

88. 9*;!

89. Stack ESP + 0 ESP + 4 ESP + 8

    ESP + C ESP + 10 ESP + 14

90. Stack ESP + 0 Old EBP ESP + 4 ESP

    + 8 ESP + C ESP + 10 ESP + 14 _______EIP

91. Stack EBP + 0 =ESP Old EBP EBP + 4

    EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP

92. Stack EBP - 8 =ESP Buffer EBP - 4 Buffer

    EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP

93. Stack EBP - 8 =ESP 1 EBP - 4 Buffer

    EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP

94. Stack EBP - 8 =ESP return Address EBP - 4

    1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP

95. Stack EBP - 8 =ESP return Address EBP - 4

    1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

96. Stack EBP - 8 =ESP EBP EBP - 4 return

    Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP

97. Stack EBP + 0 =ESP EBP EBP + 4 return

    Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

98. Stack EBP + 0 =ESP EBP EBP + 4 return

    Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP

99. _______EIP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

100. _______EIP Stack EBP - 8 =ESP return Address EBP -

     4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C

101. Stack EBP - 4 =ESP 1 EBP + 0 Buffer

     EBP + 4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

102. Stack EBP + 0 = ESP Buffer EBP + 4

     Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP

103. EBP+n EBP+8 EBP+4 EBP+0 EBP-X EBP-Y ⚤磕⊾⸹☡ ☡⫀幫磕⊾⸹☡

104. EBP+4+4*k EBP+8 EBP+4 EBP+0 EBP-X EBP-Y Ń⊾⸹綹䥥'$2 ⇆ 䎛ⓧ甌 Ń耋⦿⨑⨡

     䡗⽅ⓞ磕TGV惔耋⦿⟋ Ń不⃡⋬⚤磕⊾⸹熿 Ń不M⋬⚤磕⊾⸹熿 Ń☡⫀$WHHGT Ń☡⫀$WHHGT

105. $CUKE$WHHGT1XGTHNQY

106. [EBP-8] [EBP-0x10]

107. None
108. None
109. None
110. None
111. None

112. How to let data == “admin”?

113. [EBP-8] [EBP-0x10]

114. Buffer overflow Stack

115. Buffer overflow Stack ESP Old EBP _______EIP

116. Buffer overflow Stack EBP =ESP Old EBP _______EIP

117. Buffer overflow Stack EBP - 10 Buffer EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

118. Buffer overflow Stack EBP - 10 Buffer EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “name”

119. Buffer overflow Stack EBP - 10 Buffer EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “data”

120. Buffer overflow Stack EBP - 10 Buffer EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP

121. Buffer overflow Stack EBP - 10 Buffer EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

122. Buffer overflow Stack EBP - 10 aaaa EBP - C

     Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”

123. Buffer overflow Stack EBP - 10 aaaa EBP - C

     BBBB EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaaBBBB”

124. Buffer overflow Stack EBP - 10 REVO EBP - C

     WOLF EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “OVERFLOW” Little Endian

125. if we input more words…? Magic!

126. Buffer overflow Stack EBP - 10 REVO EBP - C

     WOLF EBP - 8 revo EBP - 4 wolf EBP =ESP Old EBP _______EIP If you input “OVERFLOWoverflow”

127. Buffer overflow Stack EBP - 10 AAAA EBP - C

     AAAA EBP - 8 imda EBP - 4 \x00\x00\x00n EBP =ESP Old EBP _______EIP SO, We can input “AAAAAAAAadmin”
128. None

129. 姅獑 ≁嶋$WHHGT1XGTHNQY ⛋叞䚊┑聅㴄畆獑

130. None

131. Ⅼ⻇⃫⧁䎛㧪⇜㏰⻌⑆ 猺㽳㧪椱┗⸸崿桘ㆇ猻 㓲⋲⛐⇆⌻┑垬'+24+2 ㏰❔圸㓲⋲⛐⇆䚊㚳5JGNNEQFG ⌻⇜∶㏔⌻䥥Ⅼ 猺砒橃䷁亡㧤.KXG&GOQ猻

132. Danger function #include <iostream> printf, fprintf, snprintf, vprintf, …etc

133. DEMO

134. 5GEWTKV[%QQMKG

135. None
136. None

137. 痞㩽⃮ㅙ桬䥝勦桬界Ⅷ聅⋬

138. None

139. 紉幐⥉㧤哋▶⺄✫⃡⋬幫磕 㠟%QQMKG苌ℇ⃵䎛ׅ不⃡⋬׆ 幫磕

140. 幫磕 瓴⫀5GEWTKV[%QQMKG @'$2

141. 幫磕 瓴⫀5GEWTKV[%QQMKG @'$2 ⨉ⓞ磕缙TGV┮␩㕫 幫磕@'$2 ℀假獌 UGEWTKV[AEJGEMAEQQMKGⓞ磕㶃㫆 痞㩽 幫磕@'$2 ⃮䎛瓴⫀5GEWTKV[%QQMKG粕ㇰ⼒哋禕

142. ㏰❔圸⃡緈≧嶋$WHHGT㧤⨉='$20? 勭㓲⋲㏔㚈┗TGV耋⦿熿⊾⸹⨉='$2 ? 痞㩽㏔墪䠒$WHHGT1XGTHNQY㠚幫粕ㇰ禵粕 ◃㊦㧤㕫幫磕哨'$2假垬職⚜

143. ))

144. ㉿㹅⇆砒泎⺃⼒))Ⅷ $WHHGT1XGTHNQY⃮叞䚊Ⅷ

145. ㉿㹅⇆砒泎⺃⼒))Ⅷ $WHHGT1XGTHNQY⃮叞䚊Ⅷ

146. 泎⺃⅀⃮㤐䧢㾚䥥筀 㢝㤐⼒㏔

147. $WHHGT1XGTHNQY砒⫘嬭┑厐⹻㧤 ))

148. ⃮職痞㩽粕ㇰ䮝㧪⠰欭苌 ⛐⇆完$WHHGT1XGHNQY苌 ⨉ⓞ磕耋⦿┮䥥$WHHGT肪㤐㓲⋲⛐㚈䥥

149. ⌨痞㓲⋲$WHHGT1XGTHNQY砒叞⨉耋⦿┮苌 腩桬嵓⽅⛐完$WHHGT1XGTHNQYⓞ磕
 ⼒⃮㧤罋䥝┑ⓞ磕㨌䥥UGEWTKV[AEQQMKGAEJGEM

150. 桬䥝勦⃮㤐㉩砵稐䠉 ⃡⋬▀叞6T[⢯獑

151. 5'* 5VTWEVWTGF'ZEGRVKQP*CPFNKPI

152. 9JCVņU5'*!

153. None
154. None

155. ⡵⃮苌≁䨀䥥⇆䎛⹤㧤⦿⎔獑 㓲⻰磢⋺䨀䥥瓗瓗完膾痙Ω

156. *QYKVYQTM!

157. None

158. /GOQT[9TKVKPI(CKN #EEGUU8KQNCVKQP

159. 碉圸⼒㧤㠟礙⫘嬭嵓䥝䠀⠰欭䥥㗨⇅ 竅砒惔哔⻮㒪䥥ECVEJ⑈猺Ⅼ⻇⃫㤐*CPFNGT猻

160. None

161. 崜⑫5'*䡑ㄙ夶䛧*CPFNGT

162. ⊾⸹䡗┮㦌⸹⥉䖡㐬
 聅㴄VT[倱㩀⼒⛐⇆砥砕㦌⸹⥉

163. %CVEJ寂橃㩒屠㧤完⛇⯷ ◦㓱⃡⋬㢑䥥ⓞ磕 ∽䎛*CPFNGT

164. ⸹甩⃮⸹⨉䥥峹㒗臶ㇶ䥝GTTQT苌 㹅磢6JTGCF⼒㧤㕟ⓛ*CPFNGTㅌ㊺夶䛧⠰欭

165. 㔡⇆聅嬭⼒⃮㧤⫘嬭苌 ℇ⃵惔⑆%CVEJ完◦㓱䥥ⓞ磕 ⅀⼒㤐OCKPA5'*ⓞ磕⑈揉

166. 缙腩桬VT[Ⅷ苌 甩䁩聅禈VT[崜⑫䥥*CPFNGT

167. 㬚㞻⃮⛭紉幐⥉苌 *CPFNGT⻇∽㢚ㇰ惀甩䁩崜⑫ 揞㧪矦䡑苌⃮職⃡⹻㧤㧪聅嬭獌 OQXHU=?ZZZ

168. 㔴桬+OOWPKV[&GDWIIGT懪⑆㓲⋲⻌䥥粕ㇰ苌 懪⑆砒⃮缙⫘嬭苌㢘熿㢘⨉⑆⛄熿 ≁㧤䥝䛟㺰⋬傻粕完╖㇛⓾瘟甙ℬ砒苌 㧤␩ⓧ搮⃡⋬5'**CPFNGT假⹤

169. 㔡⇆6JTGCF⨉⫘嬭粕ㇰ䮝磢⋺痞㩽聰┑⇜∶⠰欭苌 ∧桬䥝勦⚩㽳⌻VT[ℬ欿䥥ECVEJ苌⨉《䉑䥥磢⋺ ⼒㤐嶠䠉┑俜糺ⓧ搮假≁䥥5'**CPFNGT

170. 㢘熿㢘⨉㓲⋲哋ヒ⻌䥥OCKP ⑆⛄苌 聅磢⋺≁㧤䧬┑/58%46⨉⌻%465VCTV7R砒 ㅌ㓲⋲㢑⭿Ⅷ⃡⋬*CPFNGT
 猺哔㢝䠉聁⃮㣯䮛苌䫆聼䥥↛禎者惀㓲嶋⃬⃡:&猻

171. 㢑⭿*CPFNGT㧤䠒⃫㉡⃬㠟苌 恫⃫橃䥥*CPFNGT㤐恫㢑䥥*CPFNGT苌 綹䥥*CPFNGT㧤完㉡⃬㟁

172. 崜⑫*CPFNGT䥥梽晖⨉聅⃡嬭 OQXHU=?GUR 㓲⋲⌻⫘嬭聅嬭㗨⇅䧬䧬

173. ⛐⇆䧬┑㓲⋲OCKP寂橃⻌䥥VT[崜⑫䥥*CPFNGT苌 完㟛┑Ⅷ不⃡∮苌痞㩽⫘嬭䥝䠀⠰欭 6JTGCF⼒㧤⌽㹃ℬ嬭䡗⃬䖡㾢苌ℇ⃵惔⑆ %QPUQNG#$

174. ∧痞㩽%QPUQNG#$㽳抇㾶ㅌ㓲⋲缷㽛⠰欭 掄熝⼒㧤㕟⃬⃡⋬*CPFNGT獌%QPUQNG#AGZEGRVAJCPFNGT⌻⫘嬭

175. ⧁㹅痞㩽㺰⋬*CPFNGT揞䐂㾶缷㽛⠰欭磢苌 ⼒㧤⫘嬭┑俜糺⨉╖㇛6JTGCF磢ㅌ≁崜⑫䥥*CPFNGT獌 PVFNN&'& 猺竅砒⼒㧤㈩ⓛ《䉑䥥㚱䰛屷苬竅砒禕楅2TQEGUU猻

176. 哔㢝俜糺㋯熝㕟⃬⃡⋬*CPFNGT䥥獑 㬚㞻5'*%JCKP䥥孉苌≁⛐⇆䧬┑Z(( 征徍␓⸹*CPFNGT 勭䡗┮聅⃡⓸䥥5'*CPFNGT⫘嬭砒䐂㾶缷㽛⠰欭苌 ⼒㧤碫ⓛ聅⃡⓸䥥#FFTGUU猺≬痞Z((%猻 㚱甩ⓛ⹤䥥⊾⸹⌝猺Z((猻 ↷㗨⛲⃬⃡⓸䥥群熿

177. 椠㓲巼聅熝⯻ㅚ⣼獑

178. ⃮䫆聼≁㧪㽳㧪㿉㏰┑苌*CPFNGT崜⑫㢚ㇰ䎛獌

179. 聅㏰❔圸*CPFNGT䥥⊾⸹孉㤐㠟⨉5VCEM⑈䥥 ㏰❔圸㓲⋲$WHHGT1XGTHNQY䥝䠀磢 *CPFNGT㤐⛐⇆缛垬㙪䥥

180. 0GZV $WHHGT *CPFNGT +PRWV5VCTV

181. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI 㓲⋲䧏㳺㇛㲬䥥㠜㞫2C[NQCF

182. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI 㓲⋲䧏㳺㇛㲬䥥㠜㞫2C[NQCF O[0GZV 4+2

183. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ⛇⯷⃡⇗㉩⟎䔙䥥Ⅼ㎦㤐 䡗俜糺㕫㚈┗禆截䳜假*CPFNGT磢苌 '52㧤㡕⋬Ⰸ瓄䳜

184. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ㏰㋾㤐苌 痞㩽㓲⋲㏔惔耋⦿UJGNNEQFG苌 ⫛㨍⃫㉩⧑槄

185. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ㏰㋾㤐苌 痞㩽㓲⋲㏔惔耋⦿哋峣䥥UJGNNEQFG苌 ⫛㨍⃫㉩⧑槄

186. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ∧痞㩽聅禈*CPFNGT㽳抇㾶缷㽛⠰欭苌 俜糺㉸㕟㫆⃬⃡⋬*CPFNGT㤐嶑 㔡⇆榷竅'52㧤橃䧏瓴樿苌

     ∧㤐='52 ?⧛⹻㧤㗨⛲0GZV

187. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 0GZV䵛桴㤐⠐⃡㓲⋲⛐⇆┊䠉 耋⦿⚀瘟5VCEM䥥㗨㳺苌缙痙痙┊䠉

188. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV

189. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR

190. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

     NQPILWOR

191. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

     NQPILWOR 5JGNNEQFG

192. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

     NQPILWOR 5JGNNEQFG ⃮職聅䴏⌻㾶⻮㢝Ⅽ禈惔慮 NQPILWOR  缙㼣㉸峩乸㉩侟䅷Ŏ 㓲聅⋬↛磕⹙㺵懤矦⃡熿 揞䠉⛇䴏㢚㾶

193. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

     NQPILWOR 5JGNNEQFG ⛋缙⨉2CFFKPI⑈宽⃫⃡⫧PQR Z  掄熝㚈┗禆截䳜┑2CFFKPI⃫⇜∶⃡⋬PQR苌 ⼒⛐⇆⃡惐秠┑5JGNNEQFG⃫ 勭⃮䠉侟䅷䥥峩乸5JGNNEQFG惀NQPILWOR䥥瓄䳜
194. None

195. 㧪6T[⼒㉩瞗瓴⢯獑

196. None
197. None

198. DEMO

199. UECPH俜⓸䥥箞㹫$7)

200. UECPH俜⓸䥥箞㹫$7)

201. UECPH俜⓸䥥箞㹫(GCVWTG

202. None
203. None
204. None

205. UECPH俜⓸聰┑ 䵛䥞 Z  㓷勦 碍嬭>P ZC 珮>T>P ZC ZF

206. 㔡⇆┮橃㓲⋲㔮叞㚳⑆*CPFNGT✌ 㧪PWNN苌砒橃♜⛐⇆硺六⬿Ⰸ撰⸸ 万≧㕫5VCEM⬿箊ㇶ䥝5'*欿⩬昐罠

207. 䰾⛥∮⇆砒揞㤐$Q(䥥Ⰸ䰿苌 ↫Ⰺ⫛䯯磐⹙┑㹅倱㩀⡇玐

208. UECPH俜⓸䥥箞㹫$7)

209. UECPH俜⓸䥥箞㹫(GCVWTG

210. None
211. None
212. None

213. UECPH俜⓸聰┑ 䵛䥞 Z  㓷勦 碍嬭>P ZC 珮>T>P ZC ZF

214. 㔡⇆┮橃㓲⋲㔮叞㚳⑆*CPFNGT✌ 㧪PWNN苌砒橃♜⛐⇆硺六⬿Ⰸ撰⸸ 万≧㕫5VCEM⬿箊ㇶ䥝5'*欿⩬昐罠

215. 3# CCCFFTGUU"IOCKNEQO