#1
Problem with old SDProtector
Hello everybody.
After about 3 years since the SDProtector 1.16 release, I have trouble with unpacking it. I have had a headache after debugging it for 3 days!!! Some of its debugger detection methods are unknown to me. Let me explain more.

By using the HideOD, PhantOm, or OllyAdvanced plugin, the anti-debug methods of the father process could be bypassed.

Settings of HideOD:
- CheckRemoteDebuggerPresent
- HideNtDebugBit
- ZwQueryInformationProcess (method 2)

Advanced Olly:
- GetTickCount
- Anti-RDTSC

I found a Chinese tutorial by LOVEBOOM which explains the SDProtector 1.12 code. I've translated and attached it. Using it (and the NCR+ tut on SD) I found that CreateFileA is responsible for the creation of the child process. If the temp files are found, it means that the father is running and the current process is the child. So the check routine returns 8 in EAX and a JE is executed, as LOVEBOOM said in his tutorial.

Code:
0049C335 E8 7A380000      CALL Copy_of_.0049FBB4        ; call CreateFileA
0049C33A 8BF0             MOV ESI,EAX                   ; we are here after returning from CreateFileA
0049C33C 83FE FF          CMP ESI,-1
0049C33F 0F84 72010000    JE Copy_of_.0049C4B7
0049C345 8D4C24 1C        LEA ECX,DWORD PTR SS:[ESP+1C]
0049C349 6A 00            PUSH 0
0049C34B 51               PUSH ECX
0049C34C 8D5424 18        LEA EDX,DWORD PTR SS:[ESP+18]
...
...
0049C4E4 B8 01000000      MOV EAX,1                     ; if EAX becomes 1, the child process will be created outside our debugger
0049C4E9 5F               POP EDI
0049C4EA 5E               POP ESI
0049C4EB 5D               POP EBP
0049C4EC 5B               POP EBX
0049C4ED 81C4 48010000    ADD ESP,148
0049C4F3 C3               RETN
0049C4F4 5F               POP EDI
0049C4F5 5E               POP ESI
0049C4F6 5D               POP EBP
0049C4F7 B8 08000000      MOV EAX,8                     ; in this case, SD thinks that the child process is running
0049C4FC 5B               POP EBX
0049C4FD 81C4 48010000    ADD ESP,148
0049C503 C3               RETN                          ; returns to the code below
========
00490315 83E8 08          SUB EAX,8
00490318 60               PUSHAD
00490319 9C               PUSHFD
0049031A 58               POP EAX
0049031B 8BC8             MOV ECX,EAX
0049031D 66:81E1 0001     AND CX,100
00490322 0F85 9F000000    JNZ Copy_of_.004903C7
00490328 /74 01           JE SHORT Copy_of_.0049032B

I checked almost all settings of PhantOm or OllyAdvanced, but the debugger was detected! I should say that my modified OllyDbg is hidden well against SDProtector, ExeCryptor, Themida and so on. I even used SndDbg, but got nothing, even for SD v1.12. Any suggestion? I don't want to attach to the process and dump. I can hook imports to find APIs (by Akira's tracer), but I want to bypass the debugger check completely. (I had a problem uploading the second file, so if you want to test it, get it from here: http://rapidshare.com/files/81854831/SD1.16.rar.html)
__________________
In memory of UnREal RCE...
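The two checks visible in the listing above, modelled on a POSIX host as an added example (this is not SDProtector's code and not from anyone in the thread). The marker file stands in for the temp files that CreateFileA opens; its path, the use of fopen in place of CreateFileA, and the assumption that "marker found" is the CMP ESI,-1 branch that ends in MOV EAX,8 are all assumptions taken from the post's description. The second function reads EFLAGS exactly the way the code after RETN does (PUSHFD; POP EAX; AND CX,100), i.e. it tests the trap flag, bit 8, which a single-step trace leaves set at that point.

```c
/* Added example, not SDProtector's code: a POSIX model of the role check
 * (temp marker -> father/child) and of the PUSHFD/POP EAX/AND CX,100 trap-flag
 * test from the listing. Marker path and "found => 8" semantics are assumed. */
#include <stdio.h>
#include <stdint.h>

#define SD_ROLE_FATHER 1   /* MOV EAX,1: no marker yet, father spawns the child */
#define SD_ROLE_CHILD  8   /* MOV EAX,8: marker found, SD treats us as the child */

/* Stand-in for CreateFileA(...) followed by CMP ESI,-1: a failed open is
 * INVALID_HANDLE_VALUE (-1) in the original, a NULL FILE* here. */
static int marker_exists(const char *marker_path)
{
    FILE *f = fopen(marker_path, "rb");
    if (!f)
        return 0;
    fclose(f);
    return 1;
}

/* Returns 8 if the marker already exists (current process is the child),
 * otherwise writes the marker and returns 1 (current process is the father,
 * which would go on to create the child). This is why forcing EAX=8 in the
 * father takes the child path, and why restarting (Ctrl+F2, F9) after the
 * temp files were written also takes it: the marker persists across runs. */
int sd_role_check(const char *marker_path)
{
    if (marker_exists(marker_path))
        return SD_ROLE_CHILD;
    FILE *f = fopen(marker_path, "wb");   /* assumed: father creates it */
    if (f) {
        fputs("sd-marker\n", f);
        fclose(f);
    }
    return SD_ROLE_FATHER;
}

/* SUB EAX,8: ZF is set only when the role code was 8. */
int sd_is_child_role(int role)
{
    return (role - SD_ROLE_CHILD) == 0;
}

/* PUSHFD; POP EAX; AND CX,100 -> snapshot EFLAGS and keep bit 8 (TF).
 * Nonzero only while the CPU is single-stepping this instruction. */
uint32_t trap_flag_set(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned long flags;
    __asm__ __volatile__("pushf\n\tpop %0" : "=r"(flags));
    return (uint32_t)(flags & 0x100);   /* AND CX,100 */
#else
    return 0;   /* non-x86 host: no EFLAGS to read, report "not traced" */
#endif
}

int main(void)
{
    const char *marker = "sd_marker_example.tmp";   /* assumed path */
    int first  = sd_role_check(marker);   /* no marker yet -> 1 (father) */
    int second = sd_role_check(marker);   /* marker present -> 8 (child)  */
    printf("first run: %d, second run: %d (child=%d)\n",
           first, second, sd_is_child_role(second));
    printf("trap flag: %s\n", trap_flag_set() ? "SET (single-stepping)" : "clear");
    remove(marker);
    return 0;
}
```

Run it twice without deleting the marker and the second run reports the child role, which is what the post observes after Ctrl+F2: the files from the first run are still on disk. Step over trap_flag_set with F7/F8 in a debugger and the JNZ target is taken, because PUSHFD captures TF while the trace is active; a hardware breakpoint placed after the POP does not set TF, which matches the poster's point that the single-step breakpoint alone is not what trips it.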
#2
This is the SDProtector 1.16 stripper, authored by loveboom.
Try it.
#3
Quote:
1- There is nothing for v1.12
2- loveboom's stripper does not always work
3- I want to improve my knowledge
__________________
In memory of UnREal RCE...
#4
Hi my dear friend Newbie_Cracker:
About this protector, hiding your Olly is easy, hehehe... How? These are the tools:

If you use Olly without a patched version (normal), all you have to do is use just Olly Advanced 1.26 beta 12 with these options:
Anti-Debug: enable all except "kill anti-Attach"
GetTickCount: counter+1
Debug bits: enable all
Then use HideToolz V2.1 and all will work. Don't use any of HideOD or PhantOm; disable them all.
___________
But if you use the OllyIce patched version by Hacnho, you don't want to use HideToolz.
__________________________________________
Note: BP and HBP will not work; it will catch them. But I have a way to pass it; wait for the next post or PM your best friend AhmadMansoor.
By the way, did you find the way to modify Olly 2.0 to enable the Plugins menu? I am working on it...
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#5
Dear AhmadMansoor, my patched OllyDbg is hidden against the SD blacklist, like ACPU, ACPUASM... etc. So HideToolz is not needed. The StrongOD plugin works like HideToolz. But I had used them with no success.
SndDbg and hacnho's OllyIce failed too. The father process has no problem, but if I want to bypass child creation (by moving 8 to EAX at the end of the routine), the debugger will be detected. On some targets, this procedure will work:
1- BP on CreateFileA, Alt+F9, Ctrl+F9, move 8 into EAX, F9... and the debugger is detected! Now Ctrl+F2 and restart the target.
2- This time I just press F9 and the target will run inside OllyDbg (this worked on just one target, but did not work for others; I think because of minimum protection). Why won't the child be created? Because the temp files were created before and SD thinks the father has run this child process.
So it's not because of the single-step breakpoint (I used HW BP for tracing too), but maybe because of a timing check. The attached target is SD1.12, but too restive!
Maybe unpacking and reversing loveboom's unpacker is the last way!
PS: Olly 2.0 has no export needed for plugins, so they can't be run!
__________________
In memory of UnREal RCE...
#6
I am not an unpacker, but when it comes to anti-debug stuff I can recommend hanolly.
Read more here: http://www.tuts4you.com/forum/index.php?showtopic=14168
The source of the plugin is included (look for drizz's post) so you can adjust it to suit your needs. Take care not to have any other Olly release running alongside hanolly, as it will cause a BSOD.
BR, ChupaChu!
#7
Tools:
- Modified Olly (names, classes, exports, ....)
- HideOD: all options checked, and ZwQueryInformationProcess (method 2)
After bypassing <CreateProcessA>, fill the <ResumeThread> API with NOP (very important), then continue unpacking....
Last edited by Magic_h2001; 01-09-2008 at 16:10.
#8
My mainboard has died!
I don't have a good PC to test this, but if I remember correctly, after CreateProcessA, ExitProcess will be executed, and there is no suspended process to use ResumeThread on. Am I correct?
__________________
In memory of UnREal RCE...
#9
Yes, as Newbie_Cracker says, after CreateProcessA, ExitProcess will be executed.
I have modified all of Olly (names, classes, exports, ....) and used all kinds of fixers... but no good result......... Thanks in advance.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX