How to hide OllyDBG from being detected?


codezilla
July 30th, 2005, 11:57
Hi there,
I am trying to debug an application that does not allow itself to run if I load it in OllyDbg. It breaks with a message box saying "Debugger detected, try without debugger." Needless to say, I tried the IsDebugPresent plugin in Olly, but it didn't help.

How to start with this kind of application?

Thanks for your time

Codezilla

pnluck
July 30th, 2005, 12:12
Maybe this proggie uses CheckRemoteDebuggerPresent or some other trick to detect OllyDbg; try downloading the hide debugger plugin for this trick.

codezilla
July 31st, 2005, 13:12
Please read my question carefully. I already used the IsDebugPresent and Hide plugins for Olly, but they do not hide the debugger from this application. I would appreciate a little more detail than some guesses about what may actually be happening. SoftIce is not freely available, so please base your solution on OllyDbg or some open source debugger.

Thanks

Codezilla

joe
July 31st, 2005, 13:25
Try using another plugin. I have seen 4 plugins to hide Olly:
IsDebug&ExtraHide
HideDebugger123f
IsDebuggerPresent
SV_IsDebug14
Maybe one of them can hide Olly from this detection.
Otherwise it may be a problem and you must detect which protection is used in this application.

JimmyClif
July 31st, 2005, 17:54
What is this BS of having 4 plugins doing the same thing? Isn't there open source anymore, and aren't people trying to extend it in the best way possible?

This stuff makes me sick.

On another hand... Codezilla: Did you try to debug and see how to evade the ollydbg detection?

evlncrn8
July 31st, 2005, 19:24
or read your signature, or use the SEARCH button....

TQN
July 31st, 2005, 20:19
Try the Olly Invisible plugin, found in the ExeTools forum. It can bypass the CheckRemoteDebuggerPresent and NtQueryProcessInformation 7 checks.
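
As an added illustration (not from the thread, and not code from any of the plugins named in it), here are the user-mode checks mentioned above, queried against the current process with ctypes. It assumes Windows; information class 7 of NtQueryInformationProcess is ProcessDebugPort, and the constant name and both helper functions are mine. Run under a debugger, all three report detection unless a plugin masks them, which shows why a PEB-only patch is not enough when the kernel-backed checks fire.

```python
import ctypes
import sys

# Information class 7 of NtQueryInformationProcess is ProcessDebugPort; this is
# the "NtQueryProcessInformation 7" check referred to in the thread.
PROCESS_DEBUG_PORT = 7

# Checks that the kernel answers; clearing a byte in the PEB cannot mask them.
KERNEL_BACKED_CHECKS = ("remote_debugger_present", "debug_port_set")


def query_debug_checks():
    """Run the three checks against our own process.

    Returns a dict of three bools, or None when not on Windows (the APIs only
    exist there)."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.windll.kernel32
    ntdll = ctypes.windll.ntdll
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CheckRemoteDebuggerPresent.argtypes = [
        ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    ntdll.NtQueryInformationProcess.argtypes = [
        ctypes.c_void_p, ctypes.c_uint, ctypes.c_void_p, ctypes.c_uint, ctypes.c_void_p]
    h = kernel32.GetCurrentProcess()

    # 1. IsDebuggerPresent only reads PEB.BeingDebugged. A plugin that clears
    #    that byte in the debuggee hides exactly this check and nothing else.
    peb_flag = bool(kernel32.IsDebuggerPresent())

    # 2. CheckRemoteDebuggerPresent asks the kernel (it wraps the debug-port
    #    query below), so the PEB patch does not affect it.
    remote = ctypes.c_int(0)
    kernel32.CheckRemoteDebuggerPresent(h, ctypes.byref(remote))

    # 3. The raw query: the kernel reports a non-zero debug port while a
    #    debugger is attached. Masking it means intercepting this call itself.
    port = ctypes.c_void_p(0)
    ntdll.NtQueryInformationProcess(h, PROCESS_DEBUG_PORT, ctypes.byref(port),
                                    ctypes.sizeof(port), None)
    return {"peb_being_debugged": peb_flag,
            "remote_debugger_present": bool(remote.value),
            "debug_port_set": bool(port.value)}


def surviving_peb_patch(results):
    """Names of the checks that still fire after a PEB.BeingDebugged-only patch.
    A non-empty list means the detection routine has to be located in the
    debugger and stepped past rather than hidden by that kind of plugin."""
    return sorted(name for name in KERNEL_BACKED_CHECKS if results.get(name))
```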

codezilla
July 31st, 2005, 21:43
Quote:
[Originally Posted by JimmyClif]What is this BS of having 4 plugins doing the same thing? Isn't there Opensource anymore and aren't people trying to extend it in the best way possible?

This stuff makes me sick.

On another hand... Codezilla: Did you try to debug and see how to evade the ollydbg detection?

My friend, I have no idea what you have suggested. [hrmpf] is like a UFO to me. Can you please describe in more detail what exactly it is and how I can use it in OllyDbg?

Thanks

codezilla
July 31st, 2005, 21:45
Quote:
[Originally Posted by TQN]Try with Olly Invisible Plugin, found in ExeTools forum. It can bypass the CheckRemoteDebuggerPresent and NtQueryProcessInformation 7.

That plugin is really invisible. I could not see it anywhere on the ExeTools forum. I would appreciate it if you could provide the real location of that plugin.

Thanks

TQN
July 31st, 2005, 23:50
http://www.exetools.com/forum/showthread.php?t=7482

JimmyClif
August 1st, 2005, 15:51
[hrmpf] is from the movie Blazing Saddles. One should understand it as a coughing sound.

codezilla
August 1st, 2005, 17:06
Quote:
[Originally Posted by JimmyClif][hrmpf] is from the movie Blazing Saddles. One should understand it as a coughing sound.

Can you please make your answer clearer in terms of my question? How does it help me in this situation?

Thanks

JMI
August 1st, 2005, 18:39
codezilla: He's suggesting you "debug" the damn program and discover exactly "how" it is "detecting" Olly and use what you discover to help you solve your own problem.

But it is obvious you don't want to do any actual "work," you just want "someone" to give you a solution to your problem!!!!!

And JimmyClif: "hrmpf" was part of the English vocabulary long before "Blazing Saddles" hit the Silver Screen.

Regards,

codezilla
August 2nd, 2005, 12:30
Buddy, you are wrong here. I don't want others to solve my puzzle. I already own the original software, and my question still remains. How do you start debugging if the application does not even allow you to go ahead in a debugger? I don't think I am asking here for the whole problem to be solved. What tool or debugger is used to start with in this case (as you suggested to debug)?

Hope I made it clear what I am looking for.

JMI
August 2nd, 2005, 16:08
codezilla:

Number 1: I'm not your "buddy," I'm a Moderator here.

Number 2: You obviously do NOT have any idea what you are actually doing, otherwise you would understand that there has to be some routine inside your target program which searches for the presence of a "debugger" (or at least the presence of Olly) and after it makes that detection, it refuses to keep running.

Number 3: If you understood Number 2, and if you knew how to actually USE a debugger (whether Sice or Olly) or had actually done some research on the issue of "debugger detection" and/or "anti-debugger routines" THEN you might understand that your debugger can be used to actually FIND where your target is searching for the debugger and (gasp) bypass that effort!

Number 4: Instead of looking for THAT information YOURSELF, YOU want someone to "tell you what tool or debugger" to use to solve "your" problem, when the answer is that you need to learn how a program detects "your" debugger and then actually "use your debugger" to "catch the target attempting to do that and stop it from refusing to keep running."

Number 5: So, again, the answer to YOUR question is YOU need to spend some quality time learning "how debuggers are detected" and then "how to intercept the start of your target program" so YOU can attempt to actually WATCH it run through the routine which "detects" your debugger and "branches" to the point where it "refuses" to continue running.

Number 6: Somewhere "inside" your target, the program does a "test" for a "debugger" and if one is "detected" it "branches" to the "no go" routine or "debugger detected" message. YOUR job is to find that location and figure out "how" to "make" it take the "path" it would have followed IF "no debugger had been detected."

Number 7: There is already information on this Forum which discusses these issues and much information on the Net addressing these concepts.

Number 8: OUR RULES oblige YOU to SEARCH for such information YOURSELF, BEFORE you "ask your question HERE."

Number 9: You, obviously, have NOT done that.

Number 10: YOU need to do that BEFORE you ask any more questions and "THEN" come back and tell US what YOU have learned and what further help you might still need.

Hope I made it clear what you "SHOULD" be looking for!!!

For example, "debugger detection + olly" in Google produced 744 entries; "anti-debugger + olly" produced 114 entries. There is already discussion of "debugger detection" in other Threads here. That's WHY we have a SEARCH button.

Regards,

MaDMAn_H3rCuL3s
August 2nd, 2005, 17:29
Yeah, this crack-pot again...?
I closed his post on my forum 'cause all he wants is the answer and nothing else. SafeD*** ain't that hard to bypass the debugger checks, dude...
Obviously you think that some cool tool/plugin is gonna work for the next decade...
Try it on your own.
Tell me your progress in a month or so when you are totally stuck; I just might tell you how to do it.

codezilla
August 2nd, 2005, 22:08
Thank you for this detailed information, my friend (hope I didn't offend you by saying that). I admit that I am not a very experienced reverser, but it's a matter of time. Sorry for any confusion. As you have taken enough time to reply in brief, I will try to follow it by heart.

Thanks again

Codezilla

codezilla
August 2nd, 2005, 22:18
MaDMAn_H3rCuL3s, I would rather follow what JMI said. My previous reply was to thank JMI only and not people like you. I have already informed you not to reply to my question, so don't waste others' time.