Yundun Anti-DDOS Firewall (Bingdun Anti-DDOS Firewall) comes from Silicon Valley, United States, home of world-class IT technology, and was designed and developed by Chinese students Mr. Bingle Wang and Mr. Buick Zhang. It uses the world's leading biometric identification technology to intelligently identify various DDOS attacks and hacker intrusions. The firewall uses MicroKernel technology and the ActiveDefense active defense engine, and works at the lowest level of the system, so CPU performance is fully utilized and processing efficiency is very high while only a little memory is consumed. According to the test results, it can defend against 0.25 million SYN attack packets per second on one NIC and 1.6 million SYN attack packets on a faster NIC. For hacker intrusion prevention, the firewall can intelligently identify port scans, Unicode malicious code, SQL injection attacks, Trojan uploads, exploits of vulnerabilities, and more than 2000 other types of hacker intrusion, and stop them automatically. It is one of the most powerful firewall products in the anti-DDOS field so far.
[Protection method]: registration code + 2-hour continuous-protection trial limit
[Encryption protection]: UltraProtect 1.x -> RISCO Software Inc
[Compilation language]: Microsoft Visual C++ 7.0
[Debugging environment]: WinXP-sp2, PEiD, Ollydbg, LordPE, ImportREC
[Objective]: To promote the use of Ollydbg for manual unpacking
[Author's statement]: I am a cracking beginner and do this purely out of interest, with no other purpose. If there are errors, please enlighten me!
---------------------------------
[Unpacking process]:
Packer detection: PEiD identifies the packer as UltraProtect 1.x -> RISCO Software Inc (formerly called ACProtect).
Set Ollydbg to ignore all exceptions. As usual, use the IsDebug 1.4 plug-in to clear the debugger flag that Ollydbg leaves behind.
Load the main program in Ollydbg:
004F3000> 60 pushad ; Ollydbg stops here after loading the main program
004F3001 7C 03 jl short bdf.004F3006 ; press F8 to get here, then note the value of the ESP register
004F3003 7D 01 jge short bdf.004F3006
004F3005 E8 81D00873 call 7358008B
004F300A E5 4D in eax, 4D
004F300C F9 stc
004F300D 50 push eax
004F300E E8 01000000 call bdf.004F3014
004F3013 - 74 83 je short bdf.004F2F98
004F3015 C40458 les eax, fword ptr ds: [eax + ebx * 2]
........
Set a hardware breakpoint from the command line: type hr esp, press Enter, then press F9 to run.
0050A106 /EB 01 jmp short bdf.0050A109 ; the first break stops here, continue with F8
0050A108 |E8 FF254BA1 call A19BC70C
0050A10D 50 push eax
0050A10E 0060 E8 add byte ptr ds: [eax-18], ah
0050A111 0000 add byte ptr ds: [eax], al
0050A113 0000 add byte ptr ds: [eax], al
0050A115 5E pop esi
0050A116 83EE 06 sub esi, 6
0050A119 B9 66000000 mov ecx, 66
0050A11E 29CE sub esi, ecx
0050A120 BA EEFDF861 mov edx, 61F8FDEE
0050A125 C1E9 02 shr ecx, 2
0050A128 83E9 02 sub ecx, 2
0050A12B 83F9 00 cmp ecx, 0
0050A12E 7C 1A jl short bdf.0050A14A
0050A130 8B048E mov eax, dword ptr ds: [esi + ecx * 4]
........
0050A109 - FF25 4BA15000 jmp dword ptr ds: [50A14B] ; the second break stops here, continue with F8
0050A10F 60 pushad
0050A110 E8 00000000 call bdf.0050A115
0050A115 5E pop esi
0050A116 83EE 06 sub esi, 6
0050A119 B9 66000000 mov ecx, 66
0050A11E 29CE sub esi, ecx
0050A120 BA EEFDF861 mov edx, 61F8FDEE
0050A125 C1E9 02 shr ecx, 2
0050A128 83E9 02 sub ecx, 2
0050A12B 83F9 00 cmp ecx, 0
0050A12E 7C 1A jl short bdf.0050A14A
0050A130 8B048E mov eax, dword ptr ds: [esi + ecx * 4]
0050A133 8B5C8E 04 mov ebx, dword ptr ds: [esi + ecx * 4 + 4]
0050A137 03C3 add eax, ebx
0050A139 C1C8 06 ror eax, 6
........
0043DBD8 6A 60 push 60 ; this is the OEP: use LordPE here to correct ImageSize, then do a full dump of the process
0043DBDA 68 A08C4600 push bdf.00468CA0
0043DBDF E8 402D0000 call bdf.00440924
0043DBE4 BF 94000000 mov edi, 94
0043DBE9 8BC7 mov eax, edi
0043DBEB E8 202B0000 call bdf.00440710
0043DBF0 8965 E8 mov dword ptr ss: [ebp-18], esp
0043DBF3 8BF4 mov esi, esp
0043DBF5 893E mov dword ptr ds: [esi], edi
0043DBF7 56 push esi
0043DBF8 FF15 A8424600 call dword ptr ds: [4642A8]; kernel32.GetVersionExA
0043DBFE 8B4E 10 mov ecx, dword ptr ds: [esi + 10]
0043DC01 890D F80D4800 mov dword ptr ds: [480DF8], ecx
0043DC07 8B46 04 mov eax, dword ptr ds: [esi + 4]
0043DC0A A3 040E4800 mov dword ptr ds: [480E04], eax
0043DC0F 8B56 08 mov edx, dword ptr ds: [esi + 8]
0043DC12 8915 080E4800 mov dword ptr ds: [480E08], edx
........
Run ImportREC 1.6 and select this process. Change the OEP to 0003DBD8, then click "IAT AutoSearch" --> "Get Imports" --> "Show Invalid".
Two invalid functions are shown. The first is fixed with "Trace Level1 (Disasm)". The second cannot be fixed that way, so remove it with "Cut thunk(s)". After that all functions are valid. Click "Fix Dump". The program runs normally after unpacking! Compilation language: Microsoft Visual C++ 7.0
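
The two header values this last step depends on can be checked offline. The following Python is an added example, not part of the original post: it converts the OEP to the RVA that ImportREC expects and verifies that SizeOfImage covers every section. The image base 00400000 is inferred from the page's 0043DBD8 to 0003DBD8 conversion; the section names, section sizes and the stale SizeOfImage in the sample header are constructed.

```python
import struct

def parse_pe32(data):
    """Parse the PE32 header fields that an unpacked dump must get right."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                         # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32")
    entry, = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    base, align = struct.unpack_from("<II", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0").decode(), vaddr, vsize))
    return {"entry": entry, "base": base, "align": align,
            "size_of_image": size_of_image, "sections": secs}

def expected_size_of_image(pe):
    """SizeOfImage must cover the last section, rounded up to SectionAlignment."""
    a = pe["align"]
    return max((va + vs + a - 1) // a * a for _, va, vs in pe["sections"])

def section_of(pe, rva):
    """Name of the section containing an RVA, or None."""
    return next((n for n, va, vs in pe["sections"] if va <= rva < va + vs), None)

def build_sample(entry_rva, size_of_image):
    """Constructed PE32 header; section names and sizes are made up for the demo."""
    secs = [(b".text", 0x1000, 0x63000), (b".data", 0x64000, 0x8F000),
            (b".pack", 0xF3000, 0x18000)]
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 28, 0x400000, 0x1000)    # ImageBase, SectionAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sII24x", n, vs, va) for n, va, vs in secs)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

packed = parse_pe32(build_sample(0xF3000, 0x1000))  # entry 004F3000, stale SizeOfImage
oep_rva = 0x0043DBD8 - packed["base"]               # the value entered in ImportREC
```

An entry point that sits in the last section while the real OEP lies in the first code section is also a quick static indicator that a file is packed.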