New Protector

of all protectors out there right now, I think its one of the toughest..very well done anti-debug routines.

-Lunar

The method of its returning to oep is really astonishing!
At 4d5e78 it wipes some code.
Then through hundreds of ret by a table in stack.
Many tricks are good to learn, including anti-debugging.

Well, let me rephrase. It's not one of the toughest, it just has the best anti-debug routines.

TO actually capture and unpack the program is quite easy. Especially finding the OEP is insanely simple.

The only thing that makes it "hard" to debug is it creates a new process. It won't do this, tho, if the temp file it creates contains the correct crypto(GetTickCount() && CheckSumOfFileData). Upon launch, protector attempts to read the temp file, it its nonexistent, it writes it, and calls createprocess to start over. If it finds it, it compares 4 byte DWORD read in from file to calculated DWORD. If they match within certain amount, it runs normal to OEP without calling CreateProcess. We can force it by feeding GetTickCount return with a constant value, and then the output is only constant (since second part is file checksum). Then you fake ReadFile to with this constant value, and bytesread to 4, and you are good. Program will run under debugger then.


-Lunar