|
Unpacking SdProtector Pro
Did someone try to unpack this little protector:
http://www.sdprotector.com/std_setup.exe It doesn't seem hard.From what i saw it uses CreateProcess on itself and then exits? Could some look over it? Thanks bLaCk-eye |
@ bLaCk-eye
Our friend Teerayoot did try to unpack but not much success. Here is the discussion on SD ;) http://forum.accessroot.com/~access/forums/index.php?showtopic=515 Regards, |
Quote:
A packer uses CreateProcess on itself to avoid any debugger. It's simple. Armadillo uses it. There is a rule, a process that is debugged for a program can not be debugged by another, so it uses createprocess to debug itself (well, it uses another method but it uses createprocess to make the first program a child process). Uses BPX createprocess or uses in olly the FILEATTACH handle to see that are 2 different handles for the same filename. Normally, the packers uses CreateProcess (Create SUSPEND). Then follow with writeprocessmemory to send code from the parent to his children ;-) If you want to "detach" a parent process form his child, in the debugger and on any free line of code use this: PUSH handle CALL kernel32.DebugActiveProcessStop. handle= is the handle that you get in Olly in File-Attach (use the handle of the child , of course) [EDIT:JMI Don't post a "Reply" to your own post. Use the "Edit" button and add it to your previous post.]Regards |
| All times are GMT +8. The time now is 09:03. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX