I was able to get my ripper running just right last night (thanks to the people on this board!)

My question is how much safer or less detectable is a ripper that runs once gets the key and exits vs one that just loops for your entire EQ session?

Seems to me that if SOE puts code in to catch key rippers it would not matter if your piece of code runs for 1 second vs looping and never exits.

My hope is the that the run and exit code is better :)

my 2cp on that - plz correct me if i am wrong.

SoE can only match aginst a footprint of your program and it needs to be in memory to compare (unless they do a HD scan, but i doubt they would go that far, cause of several reasons ... i would not like if EQ is running over my HD and i am sure many people would not like it too, even they don´t use any utils...)
From that point of view SoE has to catch your program while it is running. That means scan tasklist, find dubious process (what is a dubious process if you dont name your sniffer get_me_that_damn_EQ_crypt_key.exe :P ) and do a footprint match against the memory space of this process.
How long is your program in memory ?... some miliseconds... not that much time.

An other problem is if they find a way to detect that you read the memory of their process, but virusscan and other software do that too (but not every time you zone)...

read my reply in the other sense heading thread on my views..