Dear AhmadMansoor, my patched OllyDbg is hidden against the SD blacklist, like ACPU, ACPUASM, etc. So HideToolz is not needed. The StrongOD plugin works like HideToolz. But I had used them with no success.
SndDbg and hacnho OllyIce failed too.
The father process has no problem, but if I wanna bypass child creation (by moving 8 to eax at the end of the routine), the debugger will be detected.
On some targets, this procedure will work:
1- BP on CreateFileA, Alt+F9, CTRL+F9, move 8 into EAX, F9... and the debugger is detected!
Now CTRL+F2 and restart the target.
2- This time I just press F9 and the target will run inside OllyDbg (this worked on just one target, but did not work for others. I think because of minimum protection)
Why won't the child be created?
Because temp files are created before and SD thinks the father has run this child process.
So it's not because of the single step breakpoint (I used HW BP for tracing too), but maybe because of a timing check.
The attached target is SD1.12, but too restive!
Maybe unpacking and reversing the loveboom unpacker is the last way!
PS: Olly 2.0 has no export needed for plugins, so they can't be run!