Hi,
try this method for hiding Olly (it should work on Armadildo also)..I found it elsewhere: credits goes to DaGoN

----------------------------------------

1. install Olly in a subfolder (e.g. c:\dildo\0llyDbg). Note that there's a 0 -zero- in the place of the 'O' of Olly

2. Open Ollydbg with winhex or another hex editor and find for this sequence
20332E31004F6C6C79446267 then substitute the O of Olly with a zero '0' (e.g. 0llyDbg)

3.find again for 6E7570004F6C6C79 and substitute the O of olly with a zero.

4. find again for 6F6C6C796462672E657865005F416464736F7274656464617461 and still do as before.

5. Rename the file Ollydbg.ini as 0llydbg.ini (there's always a zero instead of the 'O')

6. change the following parameters in the 0llydbg.ini to point to the current folders
"Symbolic data path", "UDD path", "Plugin path"

7. To allow plugins to be loaded now you have to open each one with WinHex and to find the string "OLLYDBG.EXE" then replace the 'O' with a zero.

In this way most of the unpackers as also Armadildo will not still identifies Olly as Olly but as a generic debugger, so the only protection remaining are those not specific for Olly...


NB. I tested these byte sequences on version 1.09d and 1.10, but the concepts is the same for any other version of Olly (after having pasted them into WinHex you'll see which is the textual corresponding meaning)

cya

Thanks for sharing.

Thanks. I think this can be added into my plugin.

your plug, which one?

I am rewrite the Delphi Plugin and OllyDbg Plugin SDK for Delphi. I am busy now and need more time to finish the plugin.

It would be good if you made the plugin to randomize the names.

-nt20

Thanks for your idea, nikolatesla20 !
I will make it. But now, I am busy with a .NET project and a IDA Delphi 6, 7 RTL Signature. I will release this signature on this week.
TQN

Does anyone had success with this trick? Because it seems not to work for me, after doing exactly what is explained above..

for me it's working, I tested accurately before posting on the last 1.10 version of Olly..what doesn't work?

I do not say that it's not working at all - but for me it's not..

It does not work with ASprotect latest...- I haven't tried it with Armadillo, maybe this has something to do with my OS ( winxp sp2 beta)...

winxp sp2 beta is reported to break alot of software. And WHY are you running sp2 beta anyway. Just because some beta version of software has been release, doesn't mean everyone should install it, and if one does, one should EXPECT problem. That's why they call it "beta."

Regards,

@JMI - bacause I am a Beta-tester...
And there is a much smarter way to hide the debugger, which works for me but it seems that you can use the trick posted by Shub-nigurrath, so It's not needed to tell you..

Thanks Shub-nigurrath. Nice trick. I tested it on jv16 PowerTools v1.4.1 and it works.

But what about number 7:Do you mean changing the string in the plugins itself? I did not and all plugins worked too.

EDIT: I know already why it worked without changing the plugins. If you have both 0llydbg and the original Ollydbg.exe in the same dir, it works . When I removed the ollydbg.exe I got a lot of errors when starting 0llydbg.exe. When I put it back, anything works well and the program is still hidden.

Hi,

2 tDJ
the change of string inside the olly plugins is simply because they are searching for ollydbg.exe which shouldn't be anymore there..remove because some tricks seek for a file called Ollydbg.exe and if present in the folder, it vanishes the trick..renaming the plugins string as I said allow 0llydbg to still loads all the plugins correctly.

2 proletsearch
It's strange that's not working 4 U? Consider that the trick only hide Olly as being Olly and not as being a debugger, if you understnd what I mean..after the trick you have to apply also normal generic debugger tricks...
Anyway you are mentioning also a lot of other tricks you know..I'm collecting for a thing I'm writing all the possible specific Olly tricks available around..plz can you post them here or PM them to me, just for completeness...it might be interesting..

cya

Search and replace for all 12 plugins at once was easily done by PowerGREP.

too bad powergrep can't search for unicode text (without having to write it out in hex with 0x00's)

Search and replace for all 12 plugins at once was easily done by PowerGREP.

for those who use 0lly and would like to easily implements this tricks.. you could also make a generic byteshunter patch with Codefusion and make it *.* .. so it could be possible to browse the target and will work with any plugin or extra files this great debugger use... this is just a little tip.

Regards

you can easily do everything using a bat file using this nice unix style utility

gsar - General Search And Replace utility
http://gnuwin32.sourceforge.net/packages/gsar.htm

it's an excellent utility and its sources are easily modificable..