Exetools  

  #18  
Old 09-04-2003, 01:01
Lunar_Dust
Well, let me rephrase. It's not one of the toughest, it just has the best anti-debug routines.

To actually capture and unpack the program is quite easy. Especially finding the OEP is insanely simple.

The only thing that makes it "hard" to debug is that it creates a new process. It won't do this, though, if the temp file it creates contains the correct crypto (GetTickCount() && CheckSumOfFileData). Upon launch, the protector attempts to read the temp file; if it's nonexistent, it writes it and calls CreateProcess to start over. If it finds it, it compares the 4-byte DWORD read in from the file to the calculated DWORD. If they match within a certain amount, it runs normally to the OEP without calling CreateProcess. We can force it by feeding the GetTickCount return with a constant value, and then the output is constant too (since the second part is the file checksum). Then you fake ReadFile with this constant value, set the bytes read to 4, and you are good. The program will run under a debugger then.


-Lunar
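Added illustration, not code from the post or from any protector: a C model of the temp-file relaunch check Lunar_Dust describes, showing why the comparison needs a tolerance (the relaunched child reads the file some milliseconds after the parent wrote it) and why the same check also fails when the file image is modified. How the tick count and checksum are combined, the tolerance value, and rewriting the file on mismatch are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed tolerance: the child process relaunched via CreateProcess reads the temp
 * file a little after the parent wrote it, so the two tick values are never equal;
 * the post only says the DWORDs have to "match within a certain amount". */
#define TICK_TOLERANCE 2000u

/* Stands in for "CheckSumOfFileData": a simple rolling checksum over the file image. */
uint32_t checksum_of_data(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31u + data[i];
    return sum;
}

/* The 4-byte value stored in the temp file. The post only says it derives from
 * GetTickCount() and the checksum; adding them is an assumption that keeps the
 * tolerance comparison meaningful (the difference then equals the elapsed ticks
 * when the checksum is unchanged, and becomes large when the image differs). */
uint32_t expected_dword(uint32_t tick, uint32_t checksum) {
    return tick + checksum;
}

/* Compare the DWORD read from the temp file with the freshly computed one. */
int dword_matches(uint32_t stored, uint32_t tick_now, uint32_t checksum) {
    uint32_t want = expected_dword(tick_now, checksum);
    uint32_t diff = stored > want ? stored - want : want - stored;
    return diff <= TICK_TOLERANCE;
}

/* Simulated temp file: absent on first launch, holds one DWORD afterwards. */
typedef struct { int exists; uint32_t value; } temp_file_t;

/* One launch of the protected binary; tick_now plays the role of GetTickCount().
 * Returns 1 when the check passes and execution continues to the OEP, 0 when the
 * protector (re)writes the temp file and would relaunch itself via CreateProcess
 * (rewriting on a stale or mismatched file is an assumption of this model). */
int launch(temp_file_t *tf, uint32_t tick_now, const uint8_t *image, size_t len) {
    uint32_t cs = checksum_of_data(image, len);
    if (tf->exists && dword_matches(tf->value, tick_now, cs))
        return 1;                                 /* consistent file: run to OEP */
    tf->value = expected_dword(tick_now, cs);     /* write the file ... */
    tf->exists = 1;
    return 0;                                     /* ... and start over in a new process */
}
```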