#1
SD Protector Pro
Does anyone have some hints on this protection?
It seems to be uncracked at the moment. PEiD says C++, and the sections seem not to be altered, at least in an executable protected with a demo version. Filemon and Regmon detection is strong, as a reboot is needed before using programs protected with it, even if they are not running (I don't understand where it checks that they have been run before).
#2
Similar to Armadillo with CopyMem2
It is a CopyMem2 protection; the difference is that the program starts in the son, and this one creates the father, and this second process starts debugging the son, in a similar way to Armadillo with CopyMem2.
I cannot write a tut, but as I see it, it is very similar, only with the difference of starting execution in the son.
Ricardo Narvaja
#3
And how can the trick of knowing which programs you ran in the past, and which are not running at the moment you start the program, be done?
For example: I start Regmon and then shut it down. I start the SD-protected program and it says "Debugger detected, for some debuggers like filemon and regmon you need a reboot to use the program again". I mean... how can it know I started Regmon, when the program was not running at the time I started it? There was an essay or something on the accessroot forum, but since it was destroyed I cannot find tutorials about this on the net.
#4
Regmon and Filemon
I haven't tried with Regmon or Filemon, but have you tried with a renamed Regmon, with another file name and another window name? Similarly for Filemon, try renaming the file and renaming the class and title of the main window; I think it is possible to avoid detection (this is only a suggestion, I haven't tried it).
Ricardo Narvaja
#5
SD Protector Pro is a nice packer.
It uses some nice tricks to avoid dumping and also to avoid the usage of ImpRec. Hint: look at page access rights. Rebuilding the imports is quite easy; you just have to write a little plugin for ImpRec that is able to parse the "obfuscation", or rather the garbage, and locate the code that calculates the good API address. Then there are some threads (2) that detect tools running. With SoftICE you can easily disable them. Hint: bpint is your friend. I won't give too much info for now, but it's a lot easier with SoftICE than it is with Olly. Cheers.