Quote:
Originally Posted by ZeNiX
For VMProtect and Themida/WinLicense,
here is my method for a loader.
1. Hook the API near OEP or near your patch point.
2. Check the return address from stack.
Then, you know when your target is unpacked.
|
Yeah, it is very useful, especially for patching a child process created by a father process, such as with Armadillo, SDProtect, etc.
I always use the hook method when loaders like dUP2 fail to patch on time.
So if VMProtect does not check for API hooking, this method is the best.