[bgrimm]

I guess to rephrase the question, I'm not wondering about how the protection/unpacking works, it's what is ollydbg doing with the extra F9<run program> command and then hitting Shift-F9 Pass exception & run command.

For example I tried the same commands in olly on an app protected by Yoda's Protector (not cryptor). Just executed program until exception, then pressed F9, then passed exception with shift-F9 and it stopped at oep. (I would assume if the protection used multiple exceptions it would stop just outside the seh handler of the packer/cryptor and allow me to trace from there).

Matter of fact pressing any F5/6/7/8/9 key then pressing Shift-F9 causes the debugged program to stop after passing the exception. That is my confusion.

-bg