Unpacking SdProtector Pro

[bLaCk-eye]

Did someone try to unpack this little protector:
http://www.sdprotector.com/std_setup.exe
It doesn't seem hard.From what i saw it uses CreateProcess on itself and then exits?
Could some look over it?
Thanks
bLaCk-eye

@ bLaCk-eye

Our friend Teerayoot did try to unpack but not much success. Here is the discussion on SD

http://forum.accessroot.com/~access/forums/index.php?showtopic=515

Regards,

[taos]

Quote:

Originally Posted by bLaCk-eye

Did someone try to unpack this little protector:
http://www.sdprotector.com/std_setup.exe
It doesn't seem hard.From what i saw it uses CreateProcess on itself and then exits?
Could some look over it?
Thanks
bLaCk-eye

A packer uses CreateProcess on itself to avoid any debugger.
It's simple. Armadillo uses it. There is a rule, a process that is debugged for a program can not be debugged by another, so it uses createprocess to debug itself (well, it uses another method but it uses createprocess to make the first program a child process).
Uses BPX createprocess or uses in olly the FILEATTACH handle to see that are 2 different handles for the same filename.
Normally, the packers uses CreateProcess (Create SUSPEND).
Then follow with writeprocessmemory to send code from the parent to his children ;-)

If you want to "detach" a parent process form his child, in the debugger and on any free line of code use this:

PUSH handle
CALL kernel32.DebugActiveProcessStop.

handle= is the handle that you get in Olly in File-Attach (use the handle of the child , of course)

[EDIT:JMI Don't post a "Reply" to your own post. Use the "Edit" button and add it to your previous post.]Regards