Thanks to the nation and the government

I can finally use WordPress; for that, my thanks to the nation and the government...


Stuxnet

Some say the Stuxnet worm targets Iran's nuclear programme, but the table below (from Wikipedia, http://en.wikipedia.org/wiki/Stuxnet) shows that China has by far the most infected computers...

Country         Infected computers
China           6,000,000 (figure reported October 1)
Iran            30,000
Indonesia       13,336
India           6,552
United States   2,913
Australia       2,436
Britain         1,038
Malaysia        1,013
Pakistan        993
Germany         5 (September)

This reminds me of the malfunction of Beijing subway Line 10 on September 30th. The Line 10 control system is a Siemens system (I can see the big Siemens logo on the yellow device between the rails). Here is an article about Stuxnet by Livian Ge of Symantec: http://www.symantec.com/connect/zh-hans/blogs/stuxnet-1

From what has been published, Stuxnet is not a "normal" virus from the point of view of ordinary PC users: it does no damage to a normal PC. Its Windows-side components are written in C/C++ (including a wrapper DLL that replaces one of the libraries of the Siemens Step 7 engineering software), and on the target it injects MC7 code, the machine code that runs on the PLC itself. Its purpose is to take control of, and collect information from, the industrial programs running in the PLCs of Siemens equipment, which is widely used in everyday infrastructure such as subways and power plants. It is big and complicated (about half a megabyte), and it can update itself peer to peer between infected machines, and through its command-and-control servers when a connection exists, so it does not depend on Internet access: USB drives carry it into isolated networks and it spreads from there.

So who has the knowledge and the resources to build such a "tool", and what is its purpose?


ndisasm is more useful than objdump sometimes

First, Let’s check out the manual page for ndisasm,

NDISASM(1)

NAME
ndisasm - the Netwide Disassembler, an 80x86 binary file disassembler

SYNOPSIS
ndisasm [ -o origin ] [ -s sync-point [...]] [ -a | -i ] [ -b bits ] [ -u ] [ -e hdrlen ] [ -k offset,length [...]] infile
ndisasm -h
ndisasm -r

DESCRIPTION
The ndisasm command generates a disassembly listing of the binary file infile and directs it to stdout.

OPTIONS
-h     Causes ndisasm to exit immediately, after giving a summary of its invocation options.

-r     Causes ndisasm to exit immediately, after displaying its version number.

-o origin
       Specifies the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right.

-s sync-point
       Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.

-e hdrlen
       Specifies a number of bytes to discard from the beginning of the file before starting disassembly. This does not count towards the calculation of the disassembly offset: the first disassembled instruction will be shown starting at the given load address.

-k offset,length
       Specifies that length bytes, starting from disassembly offset offset, should be skipped over without generating any output. The skipped bytes still count towards the calculation of the disassembly offset.

-a or -i
       Enables automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining the target addresses of the relative jumps and calls it disassembles.

-b bits
       Specifies 16-, 32- or 64-bit mode. The default is 16-bit mode.

-u     Specifies 32-bit mode, more compactly than using `-b 32'.

-p vendor
       Prefers instructions as defined by vendor in case of a conflict. Known vendor names include intel, amd, cyrix, and idt. The default is intel.

RESTRICTIONS
ndisasm only disassembles binary files: it has no understanding of the header information present in object or executable files. If you want to disassemble an object file, you should probably be using objdump(1).

Auto-sync mode won't necessarily cure all your synchronisation problems: a sync marker can only be placed automatically if a jump or call instruction is found to refer to it before ndisasm actually disassembles that part of the code. Also, if spurious jumps or calls result from disassembling non-machine-code data, sync markers may get placed in strange places. Feel free to turn auto-sync off and go back to doing it manually if necessary.

While I was dumping the contents of memory mappings (/proc/pid/maps) of a process, I found that some of the dumped code could not be analysed with "objdump", because the dump is raw machine code with no ELF header; "ndisasm" disassembles it anyway. (objdump can be told to treat a raw file as code with `objdump -D -b binary -m i386:x86-64 file`, but ndisasm needs no such coaxing, and its -o/-s/-k options are made for exactly this kind of headerless input.)

Let's check out the memory maps of "cat" on my x86_64 PC:

# cat /proc/self/maps
00400000-0040d000 r-xp 00000000 07:00 652826                             /bin/cat
0060d000-0060e000 r--p 0000d000 07:00 652826                             /bin/cat
0060e000-0060f000 rw-p 0000e000 07:00 652826                             /bin/cat
01ba7000-01bc8000 rw-p 00000000 00:00 0                                  [heap]
7f151370b000-7f1513885000 r-xp 00000000 07:00 666978                     /lib/libc-2.11.1.so
7f1513885000-7f1513a84000 ---p 0017a000 07:00 666978                     /lib/libc-2.11.1.so
7f1513a84000-7f1513a88000 r--p 00179000 07:00 666978                     /lib/libc-2.11.1.so
7f1513a88000-7f1513a89000 rw-p 0017d000 07:00 666978                     /lib/libc-2.11.1.so
7f1513a89000-7f1513a8e000 rw-p 00000000 00:00 0
7f1513a8e000-7f1513aae000 r-xp 00000000 07:00 661089                     /lib/ld-2.11.1.so
7f1513b33000-7f1513b72000 r--p 00000000 07:00 1052479                    /usr/lib/locale/en_US.utf8/LC_CTYPE
7f1513b72000-7f1513c90000 r--p 00000000 07:00 1052374                    /usr/lib/locale/en_US.utf8/LC_COLLATE
7f1513c90000-7f1513c93000 rw-p 00000000 00:00 0
7f1513c9b000-7f1513c9c000 r--p 00000000 07:00 1052380                    /usr/lib/locale/en_US.utf8/LC_NUMERIC
7f1513c9c000-7f1513c9d000 r--p 00000000 07:00 1065267                    /usr/lib/locale/en_US.utf8/LC_TIME
7f1513c9d000-7f1513c9e000 r--p 00000000 07:00 1065268                    /usr/lib/locale/en_US.utf8/LC_MONETARY
7f1513c9e000-7f1513c9f000 r--p 00000000 07:00 1065269                    /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
7f1513c9f000-7f1513ca0000 r--p 00000000 07:00 1052589                    /usr/lib/locale/en_US.utf8/LC_PAPER
7f1513ca0000-7f1513ca1000 r--p 00000000 07:00 1052262                    /usr/lib/locale/en_US.utf8/LC_NAME
7f1513ca1000-7f1513ca2000 r--p 00000000 07:00 1065270                    /usr/lib/locale/en_US.utf8/LC_ADDRESS
7f1513ca2000-7f1513ca3000 r--p 00000000 07:00 1065271                    /usr/lib/locale/en_US.utf8/LC_TELEPHONE
7f1513ca3000-7f1513ca4000 r--p 00000000 07:00 1052585                    /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
7f1513ca4000-7f1513cab000 r--s 00000000 07:00 1046975                    /usr/lib/gconv/gconv-modules.cache
7f1513cab000-7f1513cac000 r--p 00000000 07:00 1065272                    /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7f1513cac000-7f1513cae000 rw-p 00000000 00:00 0
7f1513cae000-7f1513caf000 r--p 00020000 07:00 661089                     /lib/ld-2.11.1.so
7f1513caf000-7f1513cb0000 rw-p 00021000 07:00 661089                     /lib/ld-2.11.1.so
7f1513cb0000-7f1513cb1000 rw-p 00000000 00:00 0
7fffd88a3000-7fffd88b8000 rw-p 00000000 00:00 0                          [stack]
7fffd89ff000-7fffd8a00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Here is the code I used to dump the contents of one memory mapping (for [vdso], [vsyscall], etc.):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define MEM_MAP "/proc/self/maps"
#define OUTPUT_FILE "output.dump"
#define MAP_LINE_MAX 4096   /* not LINE_MAX: <limits.h> already owns that name */

int main(int argc, char *argv[])
{
    FILE *dev_maps, *out_file;
    char line_buf[MAP_LINE_MAX], map_name[MAP_LINE_MAX];
    char addr_string[64] = {0};
    unsigned long offset, inode;     /* offset is hex in maps, inode is decimal */
    char perms[5] = {0};             /* "r-xp" plus terminator */
    char dev[8] = {0};
    char *lib_buf;
    unsigned long start_addr, end_addr;

    if (argc != 2)
    {
        fprintf(stderr, "usage: %s <mapping name, e.g. [vdso] or /lib/libc-2.11.1.so>\n", argv[0]);
        return 1;
    }

    if ((out_file = fopen(OUTPUT_FILE, "w")) == NULL)
    {
        fprintf(stderr, "open output file error: %s\n", strerror(errno));
        return 1;
    }

    if ((dev_maps = fopen(MEM_MAP, "r")) == NULL)
    {
        fprintf(stderr, "read mem map file err: %s\n", strerror(errno));
        return 1;
    }

    while (fgets(line_buf, MAP_LINE_MAX, dev_maps) != NULL)
    {
        /* address-range perms offset dev inode [pathname]; the pathname is
         * absent for anonymous mappings, so accept five fields as well */
        map_name[0] = '\0';
        if (sscanf(line_buf, "%63s %4s %lx %7s %lu %4095s",
                   addr_string, perms, &offset, dev, &inode, map_name) < 5)
            continue;

        printf("%s, %s, %lx, %s, %lu, %s\n",
               addr_string, perms, offset, dev, inode, map_name);

        if (strcmp(map_name, argv[1]) != 0)
            continue;

        /* memcpy() faults on anything the process itself cannot read,
         * e.g. the ---p guard mapping of libc */
        if (perms[0] != 'r')
        {
            fprintf(stderr, "skipping non-readable mapping %s %s\n", addr_string, perms);
            continue;
        }

        start_addr = strtoul(strtok(addr_string, "-"), NULL, 16);
        end_addr = strtoul(strtok(NULL, "-"), NULL, 16);
        if ((lib_buf = malloc(end_addr - start_addr)) == NULL)
        {
            fprintf(stderr, "out of memory\n");
            break;
        }
        memcpy(lib_buf, (const void *)start_addr, end_addr - start_addr);
        fwrite(lib_buf, end_addr - start_addr, 1, out_file);
        free(lib_buf);
    }
    fclose(dev_maps);
    fclose(out_file);
    return 0;
}

I used memcpy in the code; one can also read the /proc/self/mem device to get the memory contents. memcpy only works for mappings the process itself is allowed to read: the ---p guard mapping of libc faults, and newer kernels can map [vsyscall] execute-only (vsyscall=xonly), in which case a user-space read of it faults too, whereas /proc/self/mem goes through the kernel's ptrace-style access path.

Now I compile it,

#gcc -m64 -o memcontent memcontent.c

#./memcontent '[vsyscall]'

#file output.dump

output.dump: data

Then we can run ndisasm over output.dump, the raw bytes of the [vsyscall] mapping. Adding -o 0xffffffffff600000 (the mapping's start address) makes the addresses in the listing match the ones the kernel uses:

#ndisasm -b 64 -p amd output.dump > test.s

Now we can also disassemble "vsyscall_64.o", which is produced when building the 64-bit kernel:

#objdump -d vsyscall_64.o > test1.s

After this we can compare test.s with test1.s. To me they are almost the same, which means ndisasm does a good job, and that the "[vsyscall]" mapping is a mapping of the code in "vsyscall_64.o".

You can also try dumping other parts such as "[vdso]", or "ld-*.so" and "libc-*.so", and check their contents. Have fun!
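As an added example (my code, not the post's), here is a version of the dumper that parses maps lines properly (hexadecimal offsets, optional pathname column), checks the permission bits before anything touches the mapping, and reads the bytes through /proc/self/mem as mentioned above instead of memcpy. It assumes Linux and a 64-bit build, dumps [vdso] by default, and the maps lines it is exercised on are constructed copies of the listing above.

```c
/* Added example (mine, not the post's code): dump one mapping of the current
 * process after parsing /proc/self/maps properly, reading the bytes through
 * /proc/self/mem instead of memcpy().  Assumes Linux and a 64-bit build. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct map_region {
    unsigned long start, end;   /* virtual address range [start, end) */
    unsigned long offset;       /* file offset: hexadecimal in maps */
    unsigned long inode;        /* decimal: 0 for anonymous and special maps */
    char perms[5];              /* "r-xp", "---p", ... */
    char dev[16];               /* "07:00" */
    char path[256];             /* "/bin/cat", "[vsyscall]", or "" if absent */
};

/* Parse one line of /proc/<pid>/maps; 0 on success, -1 on a malformed line.
 * The pathname column is optional, so it is taken from whatever follows the
 * inode instead of a fixed "%s" that would fail on anonymous mappings. */
int parse_maps_line(const char *line, struct map_region *r)
{
    int consumed = 0;
    const char *p;
    size_t n;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n",
               &r->start, &r->end, r->perms, &r->offset, r->dev, &r->inode,
               &consumed) != 6 || r->end < r->start)
        return -1;
    p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    n = strcspn(p, "\n");
    if (n >= sizeof r->path)
        n = sizeof r->path - 1;
    memcpy(r->path, p, n);
    r->path[n] = '\0';
    return 0;
}

/* memcpy() from a mapping is only safe when the process itself may read it;
 * a ---p guard mapping or an execute-only [vsyscall] page would SIGSEGV. */
int region_is_readable(const struct map_region *r)
{
    return r->perms[0] == 'r';
}

/* First mapping of the calling process whose pathname equals name,
 * e.g. "[vdso]" or "/lib/libc-2.11.1.so".  Returns 0 when found. */
int find_region(const char *name, struct map_region *out)
{
    char line[512];
    int found = -1;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return -1;
    while (fgets(line, sizeof line, maps) != NULL) {
        struct map_region r;
        if (parse_maps_line(line, &r) == 0 && strcmp(r.path, name) == 0) {
            *out = r;
            found = 0;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* Copy a region to outpath by seeking /proc/self/mem to its start address and
 * reading.  A page the kernel refuses to hand over comes back as a short read
 * or an error, not as a fault in our own process.  Returns bytes written. */
long dump_region(const struct map_region *r, const char *outpath)
{
    size_t len = r->end - r->start;
    unsigned char *buf = malloc(len);
    int fd = open("/proc/self/mem", O_RDONLY);
    FILE *out = fopen(outpath, "wb");
    long total = -1;
    if (buf != NULL && fd >= 0 && out != NULL &&
        lseek(fd, (off_t)r->start, SEEK_SET) != (off_t)-1) {
        ssize_t n = read(fd, buf, len);
        if (n > 0 && fwrite(buf, 1, (size_t)n, out) == (size_t)n)
            total = (long)n;
    }
    if (out != NULL) fclose(out);
    if (fd >= 0) close(fd);
    free(buf);
    return total;
}

int main(int argc, char *argv[])
{
    const char *name = argc > 1 ? argv[1] : "[vdso]";
    struct map_region r;
    if (find_region(name, &r) != 0) {
        fprintf(stderr, "no mapping named %s\n", name);
        return 1;
    }
    printf("%s: %lx-%lx %s readable=%d\n", r.path, r.start, r.end, r.perms,
           region_is_readable(&r));
    printf("wrote %ld bytes to output.dump\n", dump_region(&r, "output.dump"));
    return 0;
}
```

Run it as `./maps_dump '[vdso]'` (quoted, so the shell does not treat the brackets as a glob) and feed output.dump to `ndisasm -b 64 -o <start address>`. The "%lx" for the offset column matters: a "%d" there stops at the first hex letter of an offset like 0017a000 and the whole line is silently skipped.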


Interesting…

Just switched from MSN Spaces to WordPress. Interesting…


What does Inception remind me of?

Assassin's Creed 2


PS3 JailBreak, saved for the record

The first PS3 modchip has arrived and PSX-SCENE is the FIRST site to CONFIRM it is 100% REAL!!!

PSX-SCENE is the first and ONLY website to CONFIRM that this product is working 100%. Not by speculation but by being the only website to actually have testers with actual product in hand! We will have a video courtesy of OzModchips soon so stay tuned!!!

I have been in contact directly with the manufacturer and can confirm some things you have all been asking about…

1. FAT32 is currently supported. They are working on NTFS.

2. They recommend staying on current firmware and not updating until they have deemed it safe. The dongle is fully updatable.

3. Online play does work but they cannot guarantee that it will work with all future titles.

4. Final retail units are ready to ship.

5. Official reseller list will be on their site in the next 48 hours. You can pre-order from any of the official resellers. There are websites out there now claiming to be selling but they are not legitimate. Don’t get ripped off. Wait until the official list is posted.


Someone even posted some code. I have no idea what it does; it feels like USB communication.

TALK   MOV  *R11+,R4
       MOVB *R4+,R2
       SRL  R2,8
TALK0  LI   R1,>0003
       MOV  R1,@TALK2+2
TALK1  DEC  @TALK2+2
TALK2  MOVB @>0000(R4),R3
       MOVB R3,R1
       ANDI R3,>0F00
       ORI  R3,>4000
       MOVB R3,@>9400
       ABS  @TALK2+2
       JEQ  TALK3
       SRL  R1,4
       ORI  R1,>4000
       MOVB R1,@>9400
       JMP  TALK1
TALK3  A    @TALK0+2,R4
       MOVB @HEX50,@>9400
       DEC  R2
       JNE  TALK0
       RT
HEX50  BYTE >50

Quoting a reply from an A9VG thread:

This mod is basically a RETAIL TO DEBUG convertor, using a JIGCARD from SONY services.
If you look at VHS, it has some DEBUG things.
This JIG CARD (aka USB DONGLE) is used for devs and technicians from Sony to launch BOOT INI from DEV_USB0.
Combining some buttons you can change the SYSCON status, which launches this dongle as the primary boot.

BOOTSTRAP is read and the files from the dongle are launched, and the RAM is making a false REBOOT.
The whole thing is a SYSCON FIRMWARE EMULATOR.
TRM "thinks" we have a debug unit and KERNEL DEBUG is loaded.

This way a DEBUG VSHMAIN (temporarily) allows unsigned code to load.
Now you can launch PKGs from USB (it has an explorer to do that).

To launch BDEMU you need a disc to activate MEDIATYPE BD.
When you launch the LOADER (from USB), the BDDRIVE CHANNEL is closed (they can't share the same channel).
To eliminate the LAYER, it needs a CELLFTP to extract decrypted files (no layer) and to convert those to DEBUG MODE.
Executable files can be created with the SDK, and generated by the same loader that extracts the LAYER, using PS3GEN to create signed ISOs (patched).
Same way a 360 works (using a core debug).

The LOADER is executed via APP.
ELIMINATING the initial USB BOOT is all SONY has to do to kill this mod, because SYSCON is the boss.

• This mod is basically a "retail" to "debug" converter, using a "JIG card" obtained from Sony's service department.
• If you look at VSH (the original says VHS, probably a typo; it means the PS3 XMB interface), it has some debug features.
• This JIG card (i.e. the USB dongle) is used by developers and Sony technicians to run BOOT.INI from DEV_USB0 (a USB device).
• With a certain button combination you can change the state of SYSCON (the system controller, which handles PS3 boot, standby and other housekeeping) so that the dongle becomes the primary boot device.
• The BOOTSTRAP (boot code) and related files are read from the dongle into memory, and a fake reboot is staged.
• The whole thing is a SYSCON firmware emulator.
• It makes the system believe it is a debug unit, and the debug kernel gets loaded.
• A debug version of VSHMAIN (the PS3 XMB main program) then (temporarily) allows unsigned code to be loaded.
• You can then run PKG files from USB (there is a browser for that).
• To run BDEMU (the BD emulator) you need a disc to activate the BD media type.
• When you run the loader (from USB), the BD drive channel is closed (they cannot share the same channel).
• To eliminate the LAYER (disc layering?), a CELLFTP (presumably some kind of FTP server) is needed to extract the decrypted files (without layers) and convert them to debug mode (so they work).
• Executable files can be created with the SDK, generated by the same loader that extracts the LAYER, and PS3GEN (presumably a tool for generating PS3 discs) is used to create signed (patched) ISOs.
• Same as the 360 hack (using a debug kernel).
• The loader is run via an APP (application layer?).
• Sony only needs to do one thing: eliminate USB boot, because SYSCON is the boss (it manages PS3 boot, standby and the other housekeeping).

SYSCON
The System Control microcontroller, which handles everything from controlling power to all devices (including the LCD, UMD drive, memory stick, WLAN, even the main CPU), keeping the date/time, sleep mode control, all external switches including all buttons and the analog nub as well as the headphone remote buttons/switches, LED control, main power and battery control, and even access to the PSP's Service Mode (SYSCON is the chip responsible for detecting the 0xFFFFFFFF serial of the battery to enable service mode).

VSH (Visual Shell)
The main interface of the PSP, a user interface shell which provides access to the kernel. Uses Sony's XMB (Cross Media Bar) for its GUI.

cough, isn't the syscon on PS3 a mask ROM, or is it EEPROM? If it's mask ROM, as I said, game over: it needs a hardware revision to stop this. If it's EEPROM it can be reprogrammed, if they enabled the functionality to update the syscon via an update.

The open question is whether SYSCON lives in mask ROM or in EEPROM.
If SYSCON is in mask ROM, Sony would need a hardware revision to stop all this.
If SYSCON is in EEPROM, Sony could disable USB boot through a system update.


Fork explained

From Wikipedia,

In computing, when a process forks, it creates a copy of itself. More generally, a fork in a multithreading environment means that a thread of execution is duplicated, creating a child thread from the parent thread.

Under Unix and Unix-like operating systems, the parent and the child processes can tell each other apart by examining the return value of the fork() system call. In the child process, the return value of fork() is 0, whereas the return value in the parent process is the PID of the newly-created child process.

The fork operation creates a separate address space for the child. The child process has an exact copy of all the memory segments of the parent process, though if copy-on-write semantics are implemented actual physical memory may not be assigned (i.e., both processes may share the same physical memory segments for a while). Both the parent and child processes possess the same code segments, but execute independently of each other.

Put simply: the child process makes a copy of the parent and then strikes out on its own.

So how is this actually implemented? The experts will say: it is just a syscall, sys_fork, implemented underneath by do_fork. But have you ever wondered: that is already inside the kernel, the "bottom half" if you like, so how does user space get into the kernel in the first place?


Let's look at a simple program:

#include <stdio.h>   /* printf, stderr, fprintf */
#include <unistd.h>  /* _exit, fork */
#include <stdlib.h>  /* exit */
#include <errno.h>   /* errno */
 
int main(void)
{
   pid_t  pid;
 
   /* Output from both the child and the parent process
    * will be written to the standard output,
    * as they both run at the same time.
    */
   pid = fork();
   if (pid == 0)
   {
      /* Child process:
       * When fork() returns 0, we are in
       * the child process.
       * Here we count up to ten, one each second.
       */
      int j;
      for (j = 0; j < 10; j++)
      {
         printf("child: %d\n", j);
         sleep(1);
      }
      _exit(0);  /* Note that we do not use exit() */
   }
   else if (pid > 0)
   { 
      /* Parent process:
       * When fork() returns a positive number, we are in the parent process
       * (the fork return value is the PID of the newly-created child process).
       * Again we count up to ten.
       */
      int i;
      for (i = 0; i < 10; i++)
      {
         printf("parent: %d\n", i);
         sleep(1);
      }
      exit(0);
   }
   else
   {   
      /* Error:
       * When fork() returns a negative number, an error happened
       * (for example, number of processes reached the limit).
       */
      fprintf(stderr, "can't fork, error %d\n", errno);
      exit(EXIT_FAILURE);
   }
}

Here we can see that fork is declared in unistd.h; let's have a look inside:

/* Clone the calling process, creating an exact copy.
   Return -1 for errors, 0 to the new process,
   and the process ID of the new process to the old process.  */
extern __pid_t fork (void) __THROW;

#if defined __USE_BSD || defined __USE_XOPEN_EXTENDED
/* Clone the calling process, but without copying the whole address space.
   The calling process is suspended until the new process exits or is
   replaced by a call to `execve'.  Return -1 for errors, 0 to the new process,
   and the process ID of the new process to the old process.  */
extern __pid_t vfork (void) __THROW;
#endif

The trail seems to go cold here, so we have to go looking in the C library. (Since I am on Ubuntu 10, the C library here is glibc. It may be the most infuriating C library there is, but having chewed through the hard bones, why fear the soft ones?)

# nm /usr/lib/libc.a | grep fork
nm: udiv_qrnnd.o: no symbols
nm: old_atexit.o: no symbols
         U __unregister_atfork
nm: mp_clz_tab.o: no symbols
         U __fork
         U __linkin_atfork
000004cc b atfork_mem
000004e8 b atfork_recursive_cntr
00002080 t free_atfork
00004dc0 t malloc_atfork

fork.o:
00000000 W __fork
00000004 C __fork_generation_pointer
00000004 C __fork_handlers
         U __fork_lock
00000000 T __libc_fork
00000000 W fork

vfork.o:
00000000 T __vfork
00000000 W vfork

nm: getopt_init.o: no symbols
nm: init-posix.o: no symbols
         U __fork
         U __vfork
         U __fork
nm: lseek64.o: no symbols
nm: oldgetrlimit64.o: no symbols
         U __fork
nm: internal_accept4.o: no symbols

register-atfork.o:
         U __fork_handlers
00000000 B __fork_lock
00000000 T __linkin_atfork
00000030 T __register_atfork
00000020 b fork_handler_pool

unregister-atfork.o:
         U __fork_handlers
         U __fork_lock
00000000 T __unregister_atfork
         U __fork_generation_pointer
         U __register_atfork
         U __fork
         U __fork
nm: getutmpx.o: no symbols

So the implementation of fork does live in the C library, in nptl/sysdeps/unix/sysv/linux/pt-fork.c (NPTL == Native POSIX Thread Library):

#include <unistd.h>

pid_t
__fork (void)
{
  return __libc_fork ();
}
strong_alias (__fork, fork)

But this is not fork either. Note the macro strong_alias(__fork, fork); it expands to

__typeof(__fork) fork __attribute__((alias("__fork")));

and there is also a weak alias,

void fork() __attribute__((weak, alias("__fork")));

After a quick google, it seems the strong alias exists to keep C library symbols from being overridden by symbols from other libraries: if fork() gets overridden, __fork() is still available. I have not worked out the difference between weak and strong aliases, though.

OK, back to the main thread. Let's look at the implementation of __libc_fork(), in ./nptl/sysdeps/unix/sysv/linux/fork.c:

pid_t
__libc_fork (void)
{
  pid_t pid;

  /* We need to prevent the getpid() code to update the PID field so
     that, if a signal arrives in the child very early and the signal
     handler uses getpid(), the value returned is correct.  */
  pid_t parentpid = THREAD_GETMEM (THREAD_SELF, pid);
  THREAD_SETMEM (THREAD_SELF, pid, -parentpid);

#ifdef ARCH_FORK
  pid = ARCH_FORK ();
#else
# error "ARCH_FORK must be defined so that the CLONE_SETTID flag is used"
  pid = INLINE_SYSCALL (fork, 0);
#endif

  if (pid == 0)
    {
      struct pthread *self = THREAD_SELF;

      if (__fork_generation_pointer != NULL)
        *__fork_generation_pointer += 4;

      /* Adjust the PID field for the new process.  */
      THREAD_SETMEM (self, pid, THREAD_GETMEM (self, tid));
    }
  else
    {
      /* Restore the PID value.  */
      THREAD_SETMEM (THREAD_SELF, pid, parentpid);
    }

  return pid;
}
weak_alias (__libc_fork, __fork)
libc_hidden_def (__fork)
weak_alias (__libc_fork, fork)

Following the i386 ARCH_FORK into ./nptl/sysdeps/unix/sysv/linux/i386/fork.c:

#include <sched.h>
#include <signal.h>
#include <sysdep.h>
#include <tls.h>

#define ARCH_FORK() \
  INLINE_SYSCALL (clone, 5, \
                  CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD, 0, \
                  NULL, NULL, &THREAD_SELF->tid)

#include "../fork.c"

INLINE_SYSCALL here is implemented in sysdeps/unix/sysv/linux/i386/sysdep.h:

#define INLINE_SYSCALL(name, nr, args...) \
  ({ \
    unsigned int resultvar = INTERNAL_SYSCALL (name, , nr, args); \
    if (__builtin_expect (INTERNAL_SYSCALL_ERROR_P (resultvar, ), 0)) \
      { \
        __set_errno (INTERNAL_SYSCALL_ERRNO (resultvar, )); \
        resultvar = 0xffffffff; \
      } \
    (int) resultvar; })

which in turn is INTERNAL_SYSCALL:

#ifdef I386_USE_SYSENTER
# ifdef SHARED
#  define INTERNAL_SYSCALL(name, err, nr, args...) \
  ({ \
    register unsigned int resultvar; \
    EXTRAVAR_##nr \
    asm volatile ( \
    LOADARGS_##nr \
    "movl %1, %%eax\n\t" \
    "call *%%gs:%P2\n\t" \
    RESTOREARGS_##nr \
    : "=a" (resultvar) \
    : "i" (__NR_##name), "i" (offsetof (tcbhead_t, sysinfo)) \
      ASMFMT_##nr(args) : "memory", "cc"); \
    (int) resultvar; })
# else
#  define INTERNAL_SYSCALL(name, err, nr, args...) \
  ({ \
    register unsigned int resultvar; \
    EXTRAVAR_##nr \
    asm volatile ( \
    LOADARGS_##nr \
    "movl %1, %%eax\n\t" \
    "call *_dl_sysinfo\n\t" \
    RESTOREARGS_##nr \
    : "=a" (resultvar) \
    : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc"); \
    (int) resultvar; })
# endif
#else
#  define INTERNAL_SYSCALL(name, err, nr, args...) \
  ({ \
    register unsigned int resultvar; \
    EXTRAVAR_##nr \
    asm volatile ( \
    LOADARGS_##nr \
    "movl %1, %%eax\n\t" \
    "int $0x80\n\t" \
    RESTOREARGS_##nr \
    : "=a" (resultvar) \
    : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc"); \
    (int) resultvar; })
#endif

Now it is more or less clear: when I386_USE_SYSENTER is not defined, the classic Intel system call sequence int $0x80 is used, and the system call number in eax is __NR_clone.

But what does I386_USE_SYSENTER mean? And what are call *%%gs:%P2 and call *_dl_sysinfo? It is getting late; next time.

(For the record: the sysinfo slot in the thread control block that %gs:%P2 addresses, and _dl_sysinfo in the static case, both hold the address of __kernel_vsyscall, the entry point the kernel exports in the [vdso] page; it uses sysenter on CPUs that support it and falls back to int $0x80 otherwise.)
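To make the clone-based path above concrete, here is an added example (mine, not from the post or from glibc) that creates a child the way the i386 ARCH_FORK does: a raw clone syscall with CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD and the address of a tid slot, bypassing __libc_fork entirely. The parent then reads back from the child what the kernel put in that slot and what a raw getpid returns. It assumes a 64-bit Linux; the #if covers the x86_64 argument order of sys_clone and the CLONE_BACKWARDS order used by i386, arm and aarch64.

```c
/* Added example (mine, not from the post or from glibc): create a child the
 * way glibc's i386 ARCH_FORK does, with a raw clone syscall and
 * CLONE_CHILD_SETTID, bypassing __libc_fork and its PID/TID bookkeeping.
 * Assumes Linux, a 64-bit build, x86_64 or a CLONE_BACKWARDS architecture. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The slot the kernel fills with the child's TID before the child first runs
 * user code (glibc passes &THREAD_SELF->tid here).  Only the child's copy is
 * written: after clone the two address spaces are separate. */
static pid_t child_tid;

/* fork() without the C library.  A stack pointer of 0 means "same stack as
 * the parent", as fork does.  sys_clone's argument order is per-architecture:
 *   x86_64:                             (flags, stack, parent_tid, child_tid, tls)
 *   i386/arm/aarch64 (CLONE_BACKWARDS): (flags, stack, parent_tid, tls, child_tid) */
static pid_t raw_fork(void)
{
    unsigned long flags = CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD;
#if defined(__x86_64__)
    return (pid_t)syscall(SYS_clone, flags, 0UL, (pid_t *)NULL, &child_tid, 0UL);
#else
    return (pid_t)syscall(SYS_clone, flags, 0UL, (pid_t *)NULL, 0UL, &child_tid);
#endif
}

struct fork_report {
    pid_t parent_pid;        /* getpid() in the parent */
    pid_t clone_ret;         /* clone's return value in the parent: child's pid */
    pid_t waited;            /* pid reaped by waitpid() */
    pid_t child_raw_getpid;  /* syscall(SYS_getpid) executed in the child */
    pid_t child_libc_getpid; /* getpid() from libc executed in the child */
    pid_t child_tid_slot;    /* child_tid as the child sees it */
};

/* Runs the experiment and fills *rep.  Returns 0 on success, -1 on failure. */
int run_raw_fork(struct fork_report *rep)
{
    int pipefd[2], status;
    pid_t vals[3], pid;
    ssize_t n;

    memset(rep, 0, sizeof *rep);
    rep->parent_pid = getpid();
    if (pipe(pipefd) < 0)
        return -1;

    pid = raw_fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child.  None of __libc_fork's fix-ups ran (no atfork handlers, TLS
         * still holds the parent's tid, malloc locks untouched), so use only
         * raw syscalls and async-signal-safe functions here. */
        vals[0] = (pid_t)syscall(SYS_getpid);
        vals[1] = getpid();
        vals[2] = child_tid;
        if (write(pipefd[1], vals, sizeof vals) != (ssize_t)sizeof vals)
            _exit(1);
        _exit(0);
    }

    /* Parent. */
    rep->clone_ret = pid;
    close(pipefd[1]);
    n = read(pipefd[0], vals, sizeof vals);
    close(pipefd[0]);
    rep->waited = waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof vals || rep->waited != pid || !WIFEXITED(status))
        return -1;
    rep->child_raw_getpid = vals[0];
    rep->child_libc_getpid = vals[1];
    rep->child_tid_slot = vals[2];
    return 0;
}

int main(void)
{
    struct fork_report rep;
    if (run_raw_fork(&rep) != 0) {
        perror("run_raw_fork");
        return 1;
    }
    printf("parent pid %d, clone returned %d, waitpid reaped %d\n",
           (int)rep.parent_pid, (int)rep.clone_ret, (int)rep.waited);
    printf("child: raw getpid %d, libc getpid %d, CLONE_CHILD_SETTID slot %d\n",
           (int)rep.child_raw_getpid, (int)rep.child_libc_getpid,
           (int)rep.child_tid_slot);
    return 0;
}
```

The value the kernel writes into child_tid is the new process's TID, which for a single-threaded child equals its PID, and it is exactly what __libc_fork above copies into the pid field with THREAD_SETMEM (self, pid, THREAD_GETMEM (self, tid)). That fix-up is also why the raw path is unsafe for general code: on glibc of the 2.11 era getpid() was served from that cached field, so a child created this way would report the parent's PID from libc while the raw syscall reports its own; newer glibc (2.25 onward) no longer caches the PID, so on a current system both values agree.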


milestone warranty


北方的狼 (Wolf from the North), Qi Qin

I am a wolf from the north
Walking across the boundless wilderness
The bitter north wind blows past
The endless yellow sand sweeps by

I am a wolf from the north
Walking across the boundless wilderness
The bitter north wind blows past
The endless yellow sand sweeps by

I can only clench my cold teeth
And answer with two long howls
For nothing else
But the beautiful grassland of legend

I am a wolf from the north
Walking across the boundless wilderness
The bitter north wind blows past
The endless yellow sand sweeps by

I am a wolf from the north
Walking across the boundless wilderness
The bitter north wind blows past
The endless yellow sand sweeps by

I can only clench my cold teeth
And answer with two long howls
For nothing else
But the beautiful grassland of legend

 xiaokucha


Lie to Me

Lie to Me is a good American TV series. When I have time I should study psychology properly...
