Save 37% off PRO during our Black Friday Sale! »

NTUSTxTDOH - Pwn基礎

229b1596ce57cd0935a2bacd410d87a0?s=47 adr
December 27, 2015

NTUSTxTDOH - Pwn基礎

BOF基礎教學 & windows上SEH BOF利用 By.aaaddress1

Live Demo的檔案與相關資料:
https://github.com/aaaddress1/NTUSTXTDOH_EasyBofBasic

229b1596ce57cd0935a2bacd410d87a0?s=128

adr

December 27, 2015
Tweet

Transcript

  1. PWN BASIC 6&1*Z06756羝峫瞗瓴⫛䯯㕡绮テ∽⨫ $[CCCFFTGUU

  2. #$176/' ➤ ⾺聖豪 (aaaddress1) ➤ 義守⼤學資訊⼯程⼆年級 ➤ Reverse Engineering Skills

    ➤ Windows / Mac OS /Android ➤ TDoHacker Core Member ➤ HITCON 2015 CMT: ➤ AIDS ➤ x86靜態⼿花詐欺術 ➤ Wooyun WhiteHat: x86⼿花詐欺 ➤ 逢甲2015⾏動計算研討會: AIDS ➤ 成功⼤學2015⾏動APP競賽
  3. #$176/' ➤ Hack BOT ➤ CrackShield / MapleHack ➤ Tower

    Of Savior ➤ FaceBook: Adr’s FB ➤ Isu Hack ➤ 競時通防爆PING
 ➤ CSharp,VB,C/CPlus,
 x86,Python,Smali,Swift
  4. 聅㤐⃡⋬⻰瞰⼍䥥磢桴苌 㓲㧪⑊⋬⻰磢⛐⇆㙩嶓 猺竅砒⃬禈JT猻

  5. 㔡⇆㓲㽛⹻ㄗ≧⃡ⅼ痙䚊䥥 9KPFQYU⃫$WHHGT1XGTHNQY䚊㾶

  6. ⛭磢⛐⇆假⛥∮㔴⋬⫛䯯 ⛐⇆㇗六厷䰿Ń6CUK䥥.KPWZ2YP

  7. ⛇⯷苌 聅⫣嶓⛐叞㧤㧪熿䭍

  8. 㓲⼒䡗⛥∮ 䒀㍪Z+&#肪㧪&GDWIIGT䥥≠䠉Ⅷ苌 伂⬒嶓砒㧤䥝假⛥∮苌 ℬ砒⦿⺗哋ヒ䚊⃮ⓛ≧⛐⇆⨉咪㧙㡓㓲

  9. 肪峹㉸≁⋲⭌⻌⚤▁嶓粕䥥欭䧏不⃪欭⢯獑 #   %  痞∶⛋⇆RWUJ哨TGV⻇∽⢯獑

  10. 汷␩ #   RWUJ RWUJ RWUJ ECNN #

  11. 汷␩ #   RWUJ RWUJ RWUJ RWUJTGVPACFFT LWOR #

  12. 汷␩ #   RWUJ RWUJ RWUJ RWUJTGVPACFFT RWUJ #

    TGV
  13. 汷␩ #  %  RWUJ RWUJ RWUJ RWUJ %

    RWUJ # TGV
  14. RWUJ RWUJ RWUJ RWUJ % RWUJ # TGV 痞㩽≁缙412%JCKP槡缙聅⋬缨㋖:&

  15. PWN, What?

  16. PWN = MAGIC!

  17. PWN = MAGIC!

  18. PWN = P & Own

  19. PWN = P & Own 22GPGVTCVKQP⑆璲

  20. PWN = P & Own 1YP㞢㧪

  21. PWN 
 pOWN 
 PWN 2 OWN

  22. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ

  23. None
  24. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ

  25. 哔㢝290⢏崿 ㋯熝勜幐ℎ㡨⣼Ŏ 厷獑

  26. PWN = 未經擁有者同意下 獲取或者拿下特定/部分權限

  27. PWN = 未經擁有者同意下 獲取或者拿下特定/部分權限 Ⰸ㱣✈珯猺⡣

  28. PWN = Input to Script

  29. PWN, When?

  30. Today you’re on the NET

  31. 䘣఺翕ᒊ殷ᶎ USER GET BROWSER RESPONSE

  32. OUTPUT RESULT BROWSER Html,JS,VBScript(IE)…etc RESPONSE

  33. OUTPUT RESULT BROWSER Html,JS,VBScript(IE)…etc RESPONSE BOF, Heap Overflow, SEH …blabla

  34. None
  35. None
  36. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 Socket/HTTP

  37. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP

  38. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP BOF, Heap Overflow, SEH …blabla

  39. 螐纷Ԇ秚 㮆Ո襎脲 礓犚๐率 RESPONSE&薹ຉ Socket/HTTP BOF, Heap Overflow, SEH …blabla

    /+6/㐀㪴QT嵓RQTV㨍憌㠐硺↷↛+0276
  40. None
  41. 螐纷Ԇ秚 IOT 5QEMGV*662繷喞

  42. 螐纷Ԇ秚 IOT RESPONSE&薹ຉ 5QEMGV*662繷喞

  43. 螐纷Ԇ秚 IOT RESPONSE&薹ຉ 5QEMGV*662繷喞 BOF

  44. None
  45. None
  46. None
  47. None
  48. PWN in CTF?

  49. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼

  50. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼  䄍嵇肞㔬┊䠉㈒熿珮䇰㿿䥥叞╼

  51. PWN in CTF?  䄍嵇肞㔬㕟㈒熿珮䇰㿿䥥叞╼  䄍嵇肞㔬┊䠉㈒熿珮䇰㿿䥥叞╼ 㕟叞┊䠉

  52. CTF PWN Type?

  53. 埈搴氂ፓԆ秚 㷢搴ᘏ 0%珮55*

  54. 埈搴氂ፓԆ秚 㷢搴ᘏ 0%珮55* 4'52105'
 *GNNQ9QTNF9JCVņU[QWTPCOG!

  55. 埈搴氂ፓԆ秚 㷢搴ᘏ 5'0& 65A*EMGT

  56. 埈搴氂ፓԆ秚 㷢搴ᘏ 5'0& 65A*EMGT 4'52105'
 1M65A*EMGT0KEGVQOGGV[QW

  57. Find a exploit?

  58. None
  59. 㽳㧪㿿苌㡕≁⋲FGT

  60. None
  61. 㧪䇰㿿苌⛐$WHHGT1XGTHNQY

  62. ∧㽳抇㾶┊䠉

  63. None
  64. 㧪䇰㿿苌⛐┊䠉猳

  65. Use the exploit?

  66. Use the exploit? -> Control RIP (BOF,Heap,SEH,Sigreturn…)

  67. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

  68. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

    9KPFQYU1PN[
  69. Use the exploit? -> RIP (BOF,Heap, SEH, Sigreturn…) -> Shellcode

    .KPWZ1PN[
  70. 㧪㠜㞫⼒㧪椓䲇猺椓䲇⅀㤐勤熿猻

  71. 聆䠉椓䲇獌 &'2Ń羝㡺☡㺖⃮⛐⫘嬭珮⫘嬭☡㺖⃮⛐⻌ #.54Ń腠祚甙㴂倥⨑⨡ 猺⃡緈勭峡勤熿⼒㤐聅⑊⋬猻

  72. 9KPFQYU⃫㠜㞫㔬㺖獌 $WHHGT1XGTHNQY $1(  5VTWEVWTGF'ZEGRVKQP*CPFNKPI 5'*  *GCR5RTC[

  73. 9KPFQYU⃫椓䲇獌 &'2Ń羝㡺⃮⛐⫘嬭珮⫘嬭⃮⛐⻌ #.54Ń腠祚甙㴂倥⨑⨡ 5CHG5'*Ń㶃䄍*CPFNGT⛩㾶㌈ 5'*12Ń洸帪5'*孉完缛垬㎦㾢 5GEWTKV[%QQMKGŃTGV┮㶃䄍5VCEM㤐✇箊㙪

  74. 㨍㣆嚽⢏獌  $WHHGT1XGTHNQYTGVQP9KPFQYU  5GEWTKV[%QQMKG!  $WHHGT1XGTHNQY5'*QP9KPFQYU

  75. :%#..+0)%108'06+10
  4'674014+'06'&241)4#//+0)

  76. None
  77. None
  78. None
  79. None
  80. None
  81. [EBP+0 ] = Pointer to old EBP [EBP+4 ] =

    Return Address [EBP+8 ] = First Parameter [EBP+C ] = Second Parameter [EBP+10 ] = Third Parameter …etc [EBP+8 + 4*index] = Parameter[index]
  82. VOID FUNC() { INT A = 0; INT B =

    1; INT C = 2; } [EBP - 4] =0 [EBP - 8] =1 [EBP - C] =2 push EBP mov EBP,ESP SUB ESP, LEN
  83. VOID FUNC() { NFUNC(ARG1,ARG2,ARG3…) } push ebp mov ebp,esp .

    . push arg3 push arg2 push arg1 call nFunc
  84. None
  85. None
  86. None
  87. None
  88. 9*;!

  89. Stack ESP + 0 ESP + 4 ESP + 8

    ESP + C ESP + 10 ESP + 14
  90. Stack ESP + 0 Old EBP ESP + 4 ESP

    + 8 ESP + C ESP + 10 ESP + 14 _______EIP
  91. Stack EBP + 0 =ESP Old EBP EBP + 4

    EBP + 8 EBP + C EBP + 10 EBP + 14 _______EIP
  92. Stack EBP - 8 =ESP Buffer EBP - 4 Buffer

    EBP + 0 Old EBP EBP + 4 EBP + 8 EBP + C _______EIP
  93. Stack EBP - 8 =ESP 1 EBP - 4 Buffer

    EBP + 0 Buffer EBP + 4 Old EBP EBP + 8 EBP + C _______EIP
  94. Stack EBP - 8 =ESP return Address EBP - 4

    1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C _______EIP
  95. Stack EBP - 8 =ESP return Address EBP - 4

    1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  96. Stack EBP - 8 =ESP EBP EBP - 4 return

    Address EBP + 0 1 EBP + 4 Buffer EBP + 8 Buffer EBP + C Old EBP _______EIP
  97. Stack EBP + 0 =ESP EBP EBP + 4 return

    Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  98. Stack EBP + 0 =ESP EBP EBP + 4 return

    Address EBP + 8 1 EBP + C Buffer EBP + 10 Buffer EBP + 14 Old EBP _______EIP
  99. _______EIP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  100. _______EIP Stack EBP - 8 =ESP return Address EBP -

    4 1 EBP + 0 Buffer EBP + 4 Buffer EBP + 8 Old EBP EBP + C
  101. Stack EBP - 4 =ESP 1 EBP + 0 Buffer

    EBP + 4 Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP
  102. Stack EBP + 0 = ESP Buffer EBP + 4

    Buffer EBP + 8 Old EBP EBP + C EBP + 10 _______EIP
  103. EBP+n EBP+8 EBP+4 EBP+0 EBP-X EBP-Y ⚤磕⊾⸹☡ ☡⫀幫磕⊾⸹☡

  104. EBP+4+4*k EBP+8 EBP+4 EBP+0 EBP-X EBP-Y Ń⊾⸹綹䥥'$2 ⇆ 䎛ⓧ甌 Ń耋⦿⨑⨡

    䡗⽅ⓞ磕TGV惔耋⦿⟋ Ń不⃡⋬⚤磕⊾⸹熿 Ń不M⋬⚤磕⊾⸹熿 Ń☡⫀$WHHGT Ń☡⫀$WHHGT
  105. $CUKE$WHHGT1XGTHNQY

  106. [EBP-8] [EBP-0x10]

  107. None
  108. None
  109. None
  110. None
  111. None
  112. How to let data == “admin”?

  113. [EBP-8] [EBP-0x10]

  114. Buffer overflow Stack

  115. Buffer overflow Stack ESP Old EBP _______EIP

  116. Buffer overflow Stack EBP =ESP Old EBP _______EIP

  117. Buffer overflow Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP
  118. Buffer overflow Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “name”
  119. Buffer overflow Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP Variable “data”
  120. Buffer overflow Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP
  121. Buffer overflow Stack EBP - 10 Buffer EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”
  122. Buffer overflow Stack EBP - 10 aaaa EBP - C

    Buffer EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaa”
  123. Buffer overflow Stack EBP - 10 aaaa EBP - C

    BBBB EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “aaaaBBBB”
  124. Buffer overflow Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 0x6C6C6548 = lleH EBP - 4 0x0000216F =\x00\x00!o EBP =ESP Old EBP _______EIP If you input “OVERFLOW” Little Endian
  125. if we input more words…? Magic!

  126. Buffer overflow Stack EBP - 10 REVO EBP - C

    WOLF EBP - 8 revo EBP - 4 wolf EBP =ESP Old EBP _______EIP If you input “OVERFLOWoverflow”
  127. Buffer overflow Stack EBP - 10 AAAA EBP - C

    AAAA EBP - 8 imda EBP - 4 \x00\x00\x00n EBP =ESP Old EBP _______EIP SO, We can input “AAAAAAAAadmin”
  128. None
  129. 姅獑 ≁嶋$WHHGT1XGTHNQY ⛋叞䚊┑聅㴄畆獑

  130. None
  131. Ⅼ⻇⃫⧁䎛㧪⇜㏰⻌⑆ 猺㽳㧪椱┗⸸崿桘ㆇ猻 㓲⋲⛐⇆⌻┑垬'+24+2 ㏰❔圸㓲⋲⛐⇆䚊㚳5JGNNEQFG ⌻⇜∶㏔⌻䥥Ⅼ 猺砒橃䷁亡㧤.KXG&GOQ猻

  132. Danger function #include <iostream> printf, fprintf, snprintf, vprintf, …etc

  133. DEMO

  134. 5GEWTKV[%QQMKG

  135. None
  136. None
  137. 痞㩽⃮ㅙ桬䥝勦桬界Ⅷ聅⋬

  138. None
  139. 紉幐⥉㧤哋▶⺄✫⃡⋬幫磕 㠟%QQMKG苌ℇ⃵䎛ׅ不⃡⋬׆ 幫磕

  140. 幫磕 瓴⫀5GEWTKV[%QQMKG @'$2

  141. 幫磕 瓴⫀5GEWTKV[%QQMKG @'$2 ⨉ⓞ磕缙TGV┮␩㕫 幫磕@'$2 ℀假獌 UGEWTKV[AEJGEMAEQQMKGⓞ磕㶃㫆 痞㩽 幫磕@'$2 ⃮䎛瓴⫀5GEWTKV[%QQMKG粕ㇰ⼒哋禕

  142. ㏰❔圸⃡緈≧嶋$WHHGT㧤⨉='$20? 勭㓲⋲㏔㚈┗TGV耋⦿熿⊾⸹⨉='$2 ? 痞㩽㏔墪䠒$WHHGT1XGTHNQY㠚幫粕ㇰ禵粕 ◃㊦㧤㕫幫磕哨'$2假垬職⚜

  143. ))

  144. ㉿㹅⇆砒泎⺃⼒))Ⅷ $WHHGT1XGTHNQY⃮叞䚊Ⅷ

  145. ㉿㹅⇆砒泎⺃⼒))Ⅷ $WHHGT1XGTHNQY⃮叞䚊Ⅷ

  146. 泎⺃⅀⃮㤐䧢㾚䥥筀 㢝㤐⼒㏔

  147. $WHHGT1XGTHNQY砒⫘嬭┑厐⹻㧤 ))

  148. ⃮職痞㩽粕ㇰ䮝㧪⠰欭苌 ⛐⇆完$WHHGT1XGHNQY苌 ⨉ⓞ磕耋⦿┮䥥$WHHGT肪㤐㓲⋲⛐㚈䥥

  149. ⌨痞㓲⋲$WHHGT1XGTHNQY砒叞⨉耋⦿┮苌 腩桬嵓⽅⛐完$WHHGT1XGTHNQYⓞ磕
 ⼒⃮㧤罋䥝┑ⓞ磕㨌䥥UGEWTKV[AEQQMKGAEJGEM

  150. 桬䥝勦⃮㤐㉩砵稐䠉 ⃡⋬▀叞6T[⢯獑

  151. 5'* 5VTWEVWTGF'ZEGRVKQP*CPFNKPI

  152. 9JCVņU5'*!

  153. None
  154. None
  155. ⡵⃮苌≁䨀䥥⇆䎛⹤㧤⦿⎔獑 㓲⻰磢⋺䨀䥥瓗瓗完膾痙Ω

  156. *QYKVYQTM!

  157. None
  158. /GOQT[9TKVKPI(CKN #EEGUU8KQNCVKQP

  159. 碉圸⼒㧤㠟礙⫘嬭嵓䥝䠀⠰欭䥥㗨⇅ 竅砒惔哔⻮㒪䥥ECVEJ⑈猺Ⅼ⻇⃫㤐*CPFNGT猻

  160. None
  161. 崜⑫5'*䡑ㄙ夶䛧*CPFNGT

  162. ⊾⸹䡗┮㦌⸹⥉䖡㐬
 聅㴄VT[倱㩀⼒⛐⇆砥砕㦌⸹⥉

  163. %CVEJ寂橃㩒屠㧤完⛇⯷ ◦㓱⃡⋬㢑䥥ⓞ磕 ∽䎛*CPFNGT

  164. ⸹甩⃮⸹⨉䥥峹㒗臶ㇶ䥝GTTQT苌 㹅磢6JTGCF⼒㧤㕟ⓛ*CPFNGTㅌ㊺夶䛧⠰欭

  165. 㔡⇆聅嬭⼒⃮㧤⫘嬭苌 ℇ⃵惔⑆%CVEJ完◦㓱䥥ⓞ磕 ⅀⼒㤐OCKPA5'*ⓞ磕⑈揉

  166. 缙腩桬VT[Ⅷ苌 甩䁩聅禈VT[崜⑫䥥*CPFNGT

  167. 㬚㞻⃮⛭紉幐⥉苌 *CPFNGT⻇∽㢚ㇰ惀甩䁩崜⑫ 揞㧪矦䡑苌⃮職⃡⹻㧤㧪聅嬭獌 OQXHU=?ZZZ

  168. 㔴桬+OOWPKV[&GDWIIGT懪⑆㓲⋲⻌䥥粕ㇰ苌 懪⑆砒⃮缙⫘嬭苌㢘熿㢘⨉⑆⛄熿 ≁㧤䥝䛟㺰⋬傻粕完╖㇛⓾瘟甙ℬ砒苌 㧤␩ⓧ搮⃡⋬5'**CPFNGT假⹤

  169. 㔡⇆6JTGCF⨉⫘嬭粕ㇰ䮝磢⋺痞㩽聰┑⇜∶⠰欭苌 ∧桬䥝勦⚩㽳⌻VT[ℬ欿䥥ECVEJ苌⨉《䉑䥥磢⋺ ⼒㤐嶠䠉┑俜糺ⓧ搮假≁䥥5'**CPFNGT

  170. 㢘熿㢘⨉㓲⋲哋ヒ⻌䥥OCKP ⑆⛄苌 聅磢⋺≁㧤䧬┑/58%46⨉⌻%465VCTV7R砒 ㅌ㓲⋲㢑⭿Ⅷ⃡⋬*CPFNGT
 猺哔㢝䠉聁⃮㣯䮛苌䫆聼䥥↛禎者惀㓲嶋⃬⃡:&猻

  171. 㢑⭿*CPFNGT㧤䠒⃫㉡⃬㠟苌 恫⃫橃䥥*CPFNGT㤐恫㢑䥥*CPFNGT苌 綹䥥*CPFNGT㧤完㉡⃬㟁

  172. 崜⑫*CPFNGT䥥梽晖⨉聅⃡嬭 OQXHU=?GUR 㓲⋲⌻⫘嬭聅嬭㗨⇅䧬䧬

  173. ⛐⇆䧬┑㓲⋲OCKP寂橃⻌䥥VT[崜⑫䥥*CPFNGT苌 完㟛┑Ⅷ不⃡∮苌痞㩽⫘嬭䥝䠀⠰欭 6JTGCF⼒㧤⌽㹃ℬ嬭䡗⃬䖡㾢苌ℇ⃵惔⑆ %QPUQNG#$

  174. ∧痞㩽%QPUQNG#$㽳抇㾶ㅌ㓲⋲缷㽛⠰欭 掄熝⼒㧤㕟⃬⃡⋬*CPFNGT獌%QPUQNG#AGZEGRVAJCPFNGT⌻⫘嬭

  175. ⧁㹅痞㩽㺰⋬*CPFNGT揞䐂㾶缷㽛⠰欭磢苌 ⼒㧤⫘嬭┑俜糺⨉╖㇛6JTGCF磢ㅌ≁崜⑫䥥*CPFNGT獌 PVFNN&'& 猺竅砒⼒㧤㈩ⓛ《䉑䥥㚱䰛屷苬竅砒禕楅2TQEGUU猻

  176. 哔㢝俜糺㋯熝㕟⃬⃡⋬*CPFNGT䥥獑 㬚㞻5'*%JCKP䥥孉苌≁⛐⇆䧬┑Z(( 征徍␓⸹*CPFNGT 勭䡗┮聅⃡⓸䥥5'*CPFNGT⫘嬭砒䐂㾶缷㽛⠰欭苌 ⼒㧤碫ⓛ聅⃡⓸䥥#FFTGUU猺≬痞Z((%猻 㚱甩ⓛ⹤䥥⊾⸹⌝猺Z((猻 ↷㗨⛲⃬⃡⓸䥥群熿

  177. 椠㓲巼聅熝⯻ㅚ⣼獑

  178. ⃮䫆聼≁㧪㽳㧪㿉㏰┑苌*CPFNGT崜⑫㢚ㇰ䎛獌

  179. 聅㏰❔圸*CPFNGT䥥⊾⸹孉㤐㠟⨉5VCEM⑈䥥 ㏰❔圸㓲⋲$WHHGT1XGTHNQY䥝䠀磢 *CPFNGT㤐⛐⇆缛垬㙪䥥

  180. 0GZV $WHHGT *CPFNGT +PRWV5VCTV

  181. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI 㓲⋲䧏㳺㇛㲬䥥㠜㞫2C[NQCF

  182. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI 㓲⋲䧏㳺㇛㲬䥥㠜㞫2C[NQCF O[0GZV 4+2

  183. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ⛇⯷⃡⇗㉩⟎䔙䥥Ⅼ㎦㤐 䡗俜糺㕫㚈┗禆截䳜假*CPFNGT磢苌 '52㧤㡕⋬Ⰸ瓄䳜

  184. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ㏰㋾㤐苌 痞㩽㓲⋲㏔惔耋⦿UJGNNEQFG苌 ⫛㨍⃫㉩⧑槄

  185. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ㏰㋾㤐苌 痞㩽㓲⋲㏔惔耋⦿哋峣䥥UJGNNEQFG苌 ⫛㨍⃫㉩⧑槄

  186. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 ∧痞㩽聅禈*CPFNGT㽳抇㾶缷㽛⠰欭苌 俜糺㉸㕟㫆⃬⃡⋬*CPFNGT㤐嶑 㔡⇆榷竅'52㧤橃䧏瓴樿苌

    ∧㤐='52 ?⧛⹻㧤㗨⛲0GZV
  187. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 0GZV䵛桴㤐⠐⃡㓲⋲⛐⇆┊䠉 耋⦿⚀瘟5VCEM䥥㗨㳺苌缙痙痙┊䠉

  188. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV

  189. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR

  190. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

    NQPILWOR
  191. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

    NQPILWOR 5JGNNEQFG
  192. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

    NQPILWOR 5JGNNEQFG ⃮職聅䴏⌻㾶⻮㢝Ⅽ禈惔慮 NQPILWOR  缙㼣㉸峩乸㉩侟䅷Ŏ 㓲聅⋬↛磕⹙㺵懤矦⃡熿 揞䠉⛇䴏㢚㾶
  193. 0GZV $WHHGT *CPFNGT +PRWV5VCTV 2CFFKPI O[0GZV 4+2 RQRRQRTGV UJQTVLWOR UGE,WOR

    NQPILWOR 5JGNNEQFG ⛋缙⨉2CFFKPI⑈宽⃫⃡⫧PQR Z  掄熝㚈┗禆截䳜┑2CFFKPI⃫⇜∶⃡⋬PQR苌 ⼒⛐⇆⃡惐秠┑5JGNNEQFG⃫ 勭⃮䠉侟䅷䥥峩乸5JGNNEQFG惀NQPILWOR䥥瓄䳜
  194. None
  195. 㧪6T[⼒㉩瞗瓴⢯獑

  196. None
  197. None
  198. DEMO

  199. UECPH俜⓸䥥箞㹫$7)

  200. UECPH俜⓸䥥箞㹫$7)

  201. UECPH俜⓸䥥箞㹫(GCVWTG

  202. None
  203. None
  204. None
  205. UECPH俜⓸聰┑ 䵛䥞 Z  㓷勦 碍嬭>P ZC 珮>T>P ZC ZF

  206. 㔡⇆┮橃㓲⋲㔮叞㚳⑆*CPFNGT✌ 㧪PWNN苌砒橃♜⛐⇆硺六⬿Ⰸ撰⸸ 万≧㕫5VCEM⬿箊ㇶ䥝5'*欿⩬昐罠

  207. 䰾⛥∮⇆砒揞㤐$Q(䥥Ⰸ䰿苌 ↫Ⰺ⫛䯯磐⹙┑㹅倱㩀⡇玐

  208. UECPH俜⓸䥥箞㹫$7)

  209. UECPH俜⓸䥥箞㹫(GCVWTG

  210. None
  211. None
  212. None
  213. UECPH俜⓸聰┑ 䵛䥞 Z  㓷勦 碍嬭>P ZC 珮>T>P ZC ZF

  214. 㔡⇆┮橃㓲⋲㔮叞㚳⑆*CPFNGT✌ 㧪PWNN苌砒橃♜⛐⇆硺六⬿Ⰸ撰⸸ 万≧㕫5VCEM⬿箊ㇶ䥝5'*欿⩬昐罠

  215. 3# CCCFFTGUU"IOCKNEQO