Hello everybody.
About 3 years after the release of SDProtector 1.16, I am having trouble unpacking it.
I have a headache after debugging it for 3 days!!!
Some of its debugger-detection methods are unknown to me. Let me explain further.
By using the HideOD, PhantOm, or OllyAdvanced plugin, the anti-debug methods of the parent process can be bypassed.
Settings of HideOD:
- CheckRemoteDebuggerPresent
- HideNtDebugBit
- ZwQueryInformationProcess (method 2)
OllyAdvanced:
- GetTickCount
- Anti-RDTSC
I found a Chinese tutorial by LOVEBOOM which explains the SDProtector 1.12 code. I've translated and attached it.
Using it (and the NCR+ tutorial on SD), I found that CreateFileA is responsible for the creation of the child process.
If the temp files are found, it means that the parent is running and the current process is the child. So the check routine returns 8 in EAX and a JE is executed, as LOVEBOOM said in his tutorial.
Code:
0049C335  E8 7A380000       CALL Copy_of_.0049FBB4          ; call CreateFileA
0049C33A  8BF0              MOV ESI,EAX                     ; we are here after returning from CreateFileA
0049C33C  83FE FF           CMP ESI,-1                      ; INVALID_HANDLE_VALUE?
0049C33F  0F84 72010000     JE Copy_of_.0049C4B7
0049C345  8D4C24 1C         LEA ECX,DWORD PTR SS:[ESP+1C]
0049C349  6A 00             PUSH 0
0049C34B  51                PUSH ECX
0049C34C  8D5424 18         LEA EDX,DWORD PTR SS:[ESP+18]
...
...
0049C4E4  B8 01000000       MOV EAX,1                       ; if EAX becomes 1, the child process will be created outside our debugger
0049C4E9  5F                POP EDI
0049C4EA  5E                POP ESI
0049C4EB  5D                POP EBP
0049C4EC  5B                POP EBX
0049C4ED  81C4 48010000     ADD ESP,148
0049C4F3  C3                RETN
0049C4F4  5F                POP EDI
0049C4F5  5E                POP ESI
0049C4F6  5D                POP EBP
0049C4F7  B8 08000000       MOV EAX,8                       ; in this case SD thinks the child process is running
0049C4FC  5B                POP EBX
0049C4FD  81C4 48010000     ADD ESP,148
0049C503  C3                RETN                            ; returns to the code below
========
00490315  83E8 08           SUB EAX,8                       ; ZF set when the check routine returned 8
00490318  60                PUSHAD
00490319  9C                PUSHFD
0049031A  58                POP EAX                         ; EAX = EFLAGS
0049031B  8BC8              MOV ECX,EAX
0049031D  66:81E1 0001      AND CX,100                      ; bit 8 of EFLAGS = TF (trap flag, set while single-stepping)
00490322  0F85 9F000000     JNZ Copy_of_.004903C7           ; TF set -> debugger path
00490328 /74 01             JE SHORT Copy_of_.0049032B
But the debugger is detected, and in this version of SD an unknown exception occurs; after Shift+F9, an Application Error message appears that says something about a Single Step Exception!
I checked almost all settings of PhantOm and OllyAdvanced, but the debugger was still detected!
I should say that my modified OllyDbg is hidden well against SDProtector, ExeCryptor, Themida and so on. I even used SndDbg, but got nothing, even for SD v1.12.
Any suggestion?
I don't want to attach to the process and dump it. I can hook imports to find the APIs (with Akira's tracer), but I want to bypass the debugger check completely.
(I had a problem uploading the second file, so if you want to test it, get it from here:
http://rapidshare.com/files/81854831/SD1.16.rar.html)
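Added example, not part of the post above and not SDProtector's own code: the two trap-flag tricks that the listing and the error message point at, rebuilt on Linux x86-64 with GCC so they can be run outside Windows. `trap_flag_set()` mirrors the PUSHFD / POP EAX / AND CX,100 sequence at 0049031B: read EFLAGS and test bit 8 (TF), which a single-stepping debugger leaves set. `single_step_probe()` is the "Single Step Exception" idea: set TF on purpose, execute one instruction, and check whether the resulting trap reaches the program's own handler; a debugger that consumes single-step exceptions starves that handler, which from the protector's side looks exactly like "debugger present". The Linux SIGTRAP/ucontext handling stands in for the Windows SEH a protector would use; that mapping and the function names are my assumptions.

```c
/* Added example (not from the post): trap-flag (TF) anti-debug tricks
 * rebuilt on Linux x86-64 with GCC.
 *
 *  trap_flag_set()     - the PUSHFD / POP EAX / AND CX,100 sequence:
 *                        read (R)FLAGS and test bit 8 (TF).
 *  single_step_probe() - set TF deliberately, execute one instruction so
 *                        the CPU raises #DB, and report whether our own
 *                        SIGTRAP handler received it (1) or not (0).
 *
 * Assumption: Linux x86-64, signals + ucontext in place of Windows SEH. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#define EFLAGS_TF 0x100UL   /* bit 8 of (E|R)FLAGS: single-step trap flag */

#if defined(__x86_64__)

/* Mirrors 0049031B-00490322. The LEAs keep PUSHF out of the red zone. */
int trap_flag_set(void)
{
    unsigned long flags;
    __asm__ __volatile__(
        "lea -128(%%rsp), %%rsp\n\t"
        "pushf\n\t"
        "pop %0\n\t"
        "lea 128(%%rsp), %%rsp\n\t"
        : "=r"(flags) : : "memory");
    return (flags & EFLAGS_TF) ? 1 : 0;
}

static volatile sig_atomic_t trap_seen;

/* Runs when the CPU single-steps. TF is cleared in the *saved* context so
 * execution continues normally after sigreturn instead of stepping again. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)EFLAGS_TF;
    trap_seen = 1;
}

/* Returns 1 if the single-step trap reached our handler (no debugger in the
 * way), 0 if something swallowed it, -1 if the handler could not be set. */
int single_step_probe(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_seen = 0;
    /* Set TF through POPF; the CPU traps after the instruction that follows
     * (the NOP). The handler then clears TF before we return here. */
    __asm__ __volatile__(
        "lea -128(%%rsp), %%rsp\n\t"
        "pushf\n\t"
        "orq $0x100, (%%rsp)\n\t"
        "popf\n\t"
        "nop\n\t"
        "lea 128(%%rsp), %%rsp\n\t"
        : : : "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);
    return trap_seen ? 1 : 0;
}

#else
/* Other architectures: the trick is x86-specific, report "unsupported". */
int trap_flag_set(void)     { return -1; }
int single_step_probe(void) { return -1; }
#endif

int main(void)
{
    printf("TF currently set:           %d\n", trap_flag_set());
    printf("single-step trap delivered: %d\n", single_step_probe());
    printf("TF after probe:             %d\n", trap_flag_set());
    return 0;
}
```

Run it normally and the probe reports 1; run it under `gdb` or `strace` (a ptrace tracer) and the single-step SIGTRAP is reported to the tracer first, which is the situation the protector is exploiting. Note that a debugger which simply passes the exception back to the program (Olly's Shift+F9) defeats this only if the protector's handler still sees a consistent context; clearing TF in the saved context, as done here, is what a real handler must do to avoid stepping forever.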