Few days ago, one of my friends gave me the download address of
DiskInternals Unereaser 2.3 as an unpacking target.
Shit... OllyDbg never stops at OEP and alot of exceptions occurs. Its packer checks CRC, and... amazingly it detects
Modified OllyDbg and closes it easily.
PeID says the exe file is packed by UPX. But it's obvious that it says wrong !
Sometimes ago, I found that SDProtector checks the ClassID of OllyDbg main window. I mean CPU ClassID. Here is the parts of ClassIDs which SDProtector searchs for them :
ACPU
ACPUASM
ACPUDUMP
ACPUSTACK
ACPUINFO
ACPUREG
TCPU
TCPUASM
TCPUDUMP
TCPUSTACK
TCPUINFO
TCPUREG
So after patching OllyDbg to hide its caption and change its exe name, I've patched it to change ...CPU... to ...CCC... . This trick defeated SDProtector (I know the effective debugger detection of SD is based on ZwQueryInformationProcess ), but this time...
I couldn't find the ClassIDs list of this
unknown packer. Its Crack-Tools detection engine is active in runtime (like SD) and immediately detects OllyDbg when it's started.
I think it detects other ClassIDs of OllyDbg, but which of them?
Is there any suggestion?
Here is the download link :
hxxp://www.diskinternals.com/download/Uneraser_Setup.zip
Best Regards.