Well, let me rephrase. It's not one of the toughest, it just has the best anti-debug routines.

TO actually capture and unpack the program is quite easy. Especially finding the OEP is insanely simple.

The only thing that makes it "hard" to debug is it creates a new process. It won't do this, tho, if the temp file it creates contains the correct crypto(GetTickCount() && CheckSumOfFileData). Upon launch, protector attempts to read the temp file, it its nonexistent, it writes it, and calls createprocess to start over. If it finds it, it compares 4 byte DWORD read in from file to calculated DWORD. If they match within certain amount, it runs normal to OEP without calling CreateProcess. We can force it by feeding GetTickCount return with a constant value, and then the output is only constant (since second part is file checksum). Then you fake ReadFile to with this constant value, and bytesread to 4, and you are good. Program will run under debugger then.


-Lunar