Exetools


SystemeD 05-20-2005 15:47

Loader or inline-patching for Safecast.
 
Hi all,
I've read some threads and tuts about loaders and inline patching and I tried to apply them on a target protected by Safecast (Safedisc) 2.20.020, but it seems this target is a bit different from the other ones.
What I need is to patch a dll extracted by the packer, written to the temp dir and loaded with LoadLibrary.
My problems are:
1 - (At the moment) I think I can't use a loader because when I try to start the app with CreateProcess, the registration form appears but afterwards the real app doesn't start. It seems the protector acts like a debugger of itself, so it doesn't work if this process already has a parent process which started it. Does another way to do that exist?
2 - If I try to inline patch it, I have no rights to write to the loaded dll space and moreover I don't know where the dll will be loaded, so I don't have the right address to patch. Must I use VirtualProtect?
3 - Do other packers work this same way?
Thanks

sHice 05-20-2005 19:46

To check whether the app acts like a debugger of itself, set a bpx on DebugActiveProcess and see if it breaks. But I think your assumption is very probable, because newer versions of Safedisc do this.
Quote:

Originally Posted by SystemeD
2 - If I try to inline patch it, I have no rights to write to the loaded dll space and moreover I don't know where the dll will be loaded, so I don't have the right address to patch. Must I use VirtualProtect?

If you debug the app you'll get LOAD_DLL_DEBUG_INFO if a dll is loaded, or you can use the ToolHelp API to check if the dll is loaded -> you have the ImageBase -> you can patch (if the memory is protected, use VirtualProtectEx to make it writeable). After you have patched the dll, call DebugActiveProcessStop so that Safedisc can start to debug the app. But all this only works if the dll is loaded before Safedisc starts to debug the app! If the dll is loaded after the call to DebugActiveProcess, you have to look for another solution.
Quote:

Originally Posted by SystemeD
3 - Do other packers work this same way?

Armadillo with debugblocker, for example.

