Software detecting Olly Now
Anonymous
September 5th, 2003, 21:58
Someone asked me to look at the CodeCoffer packer software to
see how good the protection is on apps. This is the first
protector I have come across that actually detects Olly and
kills its process. The check for Olly is at 55C24E; it checks more
than Olly, but back to the question: hiding Olly now, has anyone
come across this yet?
Anonymous
September 6th, 2003, 01:42
just change the window title/class.
Anonymous
September 6th, 2003, 08:32
No, Olly needs OLLYDBG to run correctly .. that's how it's finding
it. I've changed every reference to OllyDbg and the name itself,
but Olly changes it back.
Anonymous
September 6th, 2003, 10:03
It's a 5 minute job to change it, so you're obviously not changing every occurrence - are you changing both the ASCII and Unicode versions of the name?
Anonymous
September 6th, 2003, 14:44
Yeah, I know, wide and ANSI formats: 41 ANSI and 8 Unicode changed,
still it is able to detect it, and no, it's not the IsDebuggerPresent.
Anonymous
September 6th, 2003, 15:37
Have you also cleared the debug flag in the process environment/information block? New protectors prefer this to IsDebuggerPresent as it means there's no API call to break on.
If you don't know what I'm talking about, then just single step through some code which DOES call IsDebuggerPresent, and single step through that API code and see what it does.

Ricardo Narvaja
September 6th, 2003, 16:56
Well, the IsDebuggerPresent plugin puts 0 in 7ffdf002; this is the flag read by the API, and by the programs too. And for the title of the window, try the program windowhacker: with this you interchange the handle with this program, and the title of ollydbg (filemon, regmon or the program you want) will be windowhacker.
Ricardo
Anonymous
September 6th, 2003, 17:08
Ricardo, dl this protector and you will see .. I wrote a plugin for
ImpRec to get the imports back since they are all emulated ..
it just stumps me that it's finding Olly after changing every possible
way to detect it .. quick note on it: 10003d77 is the OEP for
the perplex.dll; it decrypts when started to decrypt the rest of
the program. Program OEP on this machine (w2k) is 4A8BA4 for the
latest download.
Anonymous
September 6th, 2003, 17:13
btw, it does a process walk when it looks for
TRW200, Olly, softice, procdump32, etc.
Anonymous
September 7th, 2003, 01:09
> No Olly needs OLLYDBG to run correctly
Not if you patch Olly itself, just change the 0 to a zero or something ...

Anonymous
September 9th, 2003, 21:58
tElock detects Olly too now, with an EnumWindows.
Anonymous
September 10th, 2003, 14:32
what does IsDebuggerPresent do? How does it detect the presence of a debugger?
JB
Anonymous
September 10th, 2003, 22:22
It's an API call, see MSDN.
Anonymous
September 11th, 2003, 11:32
kernel32.dll:IsDebuggerPresent
<pre>77E7191E >/$ 64:A1 18000000 mov eax,dword ptr fs:[18] ; IsDebuggerPresent
77E71924 |. 8B40 30 mov eax,dword ptr ds:[eax+30]
77E71927 |. 0FB640 02 movzx eax,byte ptr ds:[eax+2]
77E7192B \. C3 retn</pre>
Anonymous
September 13th, 2003, 03:24
Guys, I know what IsDebuggerPresent is.
What I was asking is what the code of IsDebuggerPresent does to detect a debugger (does it read the debug flag in the process environment/information block, or something else?) ..
JB
Anonymous
September 13th, 2003, 05:04
IsDebuggerPresent (from Win2K kernel32.dll):
<pre>77E8171D >/$ 64:A1 18000000 MOV EAX, DWORD PTR FS:[18]
77E81723 |. 8B40 30 MOV EAX, DWORD PTR [EAX+30]
77E81726 |. 0FB640 02 MOVZX EAX, BYTE PTR [EAX+2]
77E8172A \. C3 RETN</pre>
Anonymous
September 13th, 2003, 06:01
ehehe, I did not understand that that was the answer. Thank you.
BTW, what is FS:[18]?
JB
Anonymous
September 13th, 2003, 10:10
The PIB (Process Information Block), and yes, it can be changed so that IsDebuggerPresent always returns false regardless
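The listings above and the "clear the debug flag" advice fit together in a few lines, so here is an added model of that pointer walk in C. It is not code from the thread or from OllyDbg or any plugin: it builds a constructed 32-bit address-space image (a flat byte array, not real process memory) with the PEB at 0x7FFDF000 so that the flag lands at the 7ffdf002 address Ricardo mentions, places the TEB at an assumed 0x7FFDE000, and then walks fs:[18] -> [eax+30] -> byte [eax+2] exactly as the four instructions do. A second function writes 0 to that byte, which is all the IsDebuggerPresent plugin has to do for both the API and any inline copy of the same walk to report "not debugged".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken straight from the IsDebuggerPresent listing posted above
 * (32-bit Windows 2000 kernel32.dll):
 *   mov eax, fs:[18]         fs:[0x18] is the TEB self-pointer
 *   mov eax, [eax+30]        TEB+0x30 holds the PEB pointer
 *   movzx eax, byte [eax+2]  PEB+0x02 is the BeingDebugged byte
 */
#define TEB_SELF_OFF       0x18u
#define TEB_PEB_OFF        0x30u
#define PEB_BEING_DEBUGGED 0x02u

/* Constructed address-space model (not real process memory): a flat byte
 * array covering two pages. PEB_VA = 0x7FFDF000 matches the "7ffdf002"
 * flag address in Ricardo's post; TEB_VA is an assumed address beside it. */
#define SPACE_BASE 0x7FFDE000u
#define SPACE_SIZE 0x2000u
#define TEB_VA     0x7FFDE000u
#define PEB_VA     0x7FFDF000u

typedef struct { uint8_t mem[SPACE_SIZE]; } space_t;

/* Little-endian 32-bit load/store at a virtual address inside the model. */
static uint32_t rd32(const space_t *s, uint32_t va) {
    const uint8_t *p = &s->mem[va - SPACE_BASE];
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(space_t *s, uint32_t va, uint32_t v) {
    uint8_t *p = &s->mem[va - SPACE_BASE];
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Lay out a process image: TEB self-pointer, TEB->PEB link, and the flag
 * the loader sets when the process is started or attached under a debugger. */
void space_init(space_t *s, int debugged) {
    memset(s, 0, sizeof *s);
    wr32(s, TEB_VA + TEB_SELF_OFF, TEB_VA);
    wr32(s, TEB_VA + TEB_PEB_OFF, PEB_VA);
    s->mem[PEB_VA + PEB_BEING_DEBUGGED - SPACE_BASE] = debugged ? 1u : 0u;
}

/* Address of PEB.BeingDebugged, found by the same pointer walk the API uses.
 * fs_base is the fs segment base, which on 32-bit Windows is the TEB address. */
uint32_t being_debugged_va(const space_t *s, uint32_t fs_base) {
    uint32_t teb = rd32(s, fs_base + TEB_SELF_OFF); /* mov eax, fs:[18]   */
    uint32_t peb = rd32(s, teb + TEB_PEB_OFF);      /* mov eax, [eax+30]  */
    return peb + PEB_BEING_DEBUGGED;                /* ... byte [eax+2]   */
}

/* The four-instruction API, instruction for instruction: movzx + retn. */
int is_debugger_present(const space_t *s, uint32_t fs_base) {
    return s->mem[being_debugged_va(s, fs_base) - SPACE_BASE];
}

/* What the plugin in the thread does: store 0 at 7FFDF002, so the API and
 * any inline copy of the walk both read "not debugged". */
void clear_being_debugged(space_t *s, uint32_t fs_base) {
    s->mem[being_debugged_va(s, fs_base) - SPACE_BASE] = 0;
}

int main(void) {
    space_t s;
    space_init(&s, 1);
    printf("flag at %08X, IsDebuggerPresent = %d\n",
           being_debugged_va(&s, TEB_VA), is_debugger_present(&s, TEB_VA));
    clear_being_debugged(&s, TEB_VA);
    printf("after the plugin clears it: IsDebuggerPresent = %d\n",
           is_debugger_present(&s, TEB_VA));
    return 0;
}
```

Zeroing that byte only answers the PEB flag check; as the earlier posts note, CodeCoffer also walks the process list and tElock enumerates windows, so a protector that is still finding Olly after this patch is reading something other than PEB.BeingDebugged.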
Anonymous
October 6th, 2003, 00:13
Something I stumbled upon while debugging a prog. Wouldn't let me debug any further...
<pre>
0012EFC0 |00191358 UNICODE "yes"
0012EFC4 |00000008
0012EFC8 |00BA4988 ASCII "Disable Script Debugger"
0012EFCC |00BA4928
0012EFD0 |00BA0124 ASCII "yes"
0012EFD4 |00180017
0012EFD8 |00BA4988 ASCII "Disable Script Debugger"
</pre>