i'm trying to debug an application an i don't understand somthing about it
here is the code that i done understand:



when i reach with olly to the 00504275 in eax,2 commnad and execute it (step) i get thrown to some place in ntdll.

if i "nops" the command then i get to a message the let me know that a debugger was found.

any idae ?

IN is a privileged instruction, thus, when executed from ring 3, it will cause an exception (which is probably handled in your case by an exception handler in the code)
so it probably works like this

<no debugger>
code -> executes the IN EAX, 2 instruction -> seh is hit -> seh adjusts the eip, sets flags or whatever to say no debugger was found and carries on...

<debugger>

code -> executes the IN EAX, 2 instruction -> seh is NOT hit -> thus, flags are not hit etc, nopping the instruction will definately not cause the seh to be activated -> flags not set = debugger found...

so! you should continue tracing in Ntdll for previously installed Handler

ok .. got it .. thanks..
I hate this target .. its a crackME with many debug tricks and it is an MD5 crypto..

Read up about SEH chains and the CONTEXT structure that exception handlers get passed. Once you've done that, debug your target again and run it up to just before the "in" instruction. Find the current top-level SEH record and make sure the exception handler that it points to is actually part of your target program, and not of some Windows dll. Place a breakpoint on the handler and step over the "in" - an exception gets thrown and given to Olly, press shift-F9 to pass it to the debuggee (i.e. its SEH chain). You will break in the exception handler that you placed a breakpoint in. Now look closely what the handler does. As evlncrn8 said, it will probably modify the eip field in CONTEXT structure and continue normal program execution at a different address.