IsDebuggerPresent
Pompeyfan
January 5th, 2004, 12:47
I have tried using this plugin, but if it doesn't work for a particular program, are there any other methods you can use to bypass the program's protection?
focht
January 5th, 2004, 15:50
Greetings,
maybe you misunderstood the meaning of the plugin?
The plugin only allows you to fake the result of the IsDebuggerPresent() API call.
<pre>
kernel32!IsDebuggerPresent:
77E72740 64:A1 18000000    MOV EAX,DWORD PTR FS:[18]
77E72746 8B40 30           MOV EAX,DWORD PTR DS:[EAX+30]
77E72749 0FB640 02         MOVZX EAX,BYTE PTR DS:[EAX+2]
77E7274D C3                RETN
</pre>
Matt Pietrek documented fields of TIB in his May 1996 article in MSJ.
There is a TIB for each thread running in a Win32 system, and in all Intel-based Win32 implementations the FS register points to the TIB.
obtain win32 TIB address of active thread: FS:[18]
obtain win32 PEB (program environment block) address: [TIB+30]
obtain debugged flag: [PEB+2]
Pseudocode:
<pre>
BOOL WINAPI IsDebuggerPresent(void)
{
return NtCurrentTeb()->Peb->BeingDebugged;
}
</pre>
There are literally dozens of methods to detect user/kernel mode debuggers.
These are beyond the context of the plugin.
Describe what your target is packed/encrypted with and someone *might* help you.
Some more information than "doesn't work" would improve the quality of help, of course.
Regards,
A. Focht
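The three loads in the listing above, replayed against a constructed 32-bit memory image so the TIB -> PEB -> BeingDebugged chain can be traced on any host. This is an added example, not code from the thread or from the OllyDbg plugin; the guest addresses TEB_ADDR and PEB_ADDR are assumptions chosen for the example, and hide_debugger() models only the effect the plugin has on this one check (clearing the flag byte at PEB+2).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64 KiB guest memory; all addresses below are guest addresses. */
#define MEM_SIZE 0x10000u
static uint8_t mem[MEM_SIZE];

/* Assumed guest addresses for the example (not real Windows values). */
#define TEB_ADDR 0x1000u   /* FS base: the Thread Information Block */
#define PEB_ADDR 0x2000u   /* Process Environment Block */

static uint32_t ld32(uint32_t addr) { uint32_t v; memcpy(&v, &mem[addr], 4); return v; }
static void st32(uint32_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }

/* Lay out the fields the listing reads: TIB self-pointer at FS:[18],
 * PEB pointer at TIB+30, BeingDebugged byte at PEB+2. */
void setup_guest(int being_debugged)
{
    memset(mem, 0, sizeof mem);
    st32(TEB_ADDR + 0x18, TEB_ADDR);
    st32(TEB_ADDR + 0x30, PEB_ADDR);
    mem[PEB_ADDR + 2] = (uint8_t)being_debugged;
}

/* MOV EAX,FS:[18] / MOV EAX,[EAX+30] / MOVZX EAX,BYTE [EAX+2] / RETN */
uint32_t emulate_is_debugger_present(uint32_t fs_base)
{
    uint32_t eax = ld32(fs_base + 0x18);   /* TIB address of the active thread */
    eax = ld32(eax + 0x30);                /* PEB address */
    eax = mem[eax + 2];                    /* PEB->BeingDebugged, zero-extended */
    return eax;
}

/* What "hide" amounts to for this check: the debugger clears the flag
 * in the debuggee's PEB, so the same three loads now return 0. */
void hide_debugger(uint32_t fs_base)
{
    uint32_t teb = ld32(fs_base + 0x18);
    uint32_t peb = ld32(teb + 0x30);
    mem[peb + 2] = 0;
}

int main(void)
{
    setup_guest(1);
    printf("before hide: %u\n", emulate_is_debugger_present(TEB_ADDR));
    hide_debugger(TEB_ADDR);
    printf("after hide:  %u\n", emulate_is_debugger_present(TEB_ADDR));
    return 0;
}
```

The point of the walk-through is that the plugin touches only this one byte; any other check the protector makes (the ones focht lists next) is untouched by it.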
TBD
January 5th, 2004, 23:57
focht: I want to thank you for supporting the forum with your detailed explanations.
Maybe, someday, we will gather all the posts and make a FAQ. Anyone interested?

Pompeyfan
January 6th, 2004, 04:57
1tox latest version 2.63 is what I was working on. It won't let me run it in Olly, even if I try to hide it with the Olly "IsDebuggerPresent" plugin. Checking with PEiD, it shows that the protection is Armadillo 1.xx-2.xx & Silicon Realms Toolworks.
I'm not interested in keeping the program. I just started working on it because I found other 1tox Olly tuts for earlier versions, and once I started working on this one I couldn't let it go, as I saw it as a means to increase my knowledge. Once I've cracked it I'll delete it from my system.
focht
January 6th, 2004, 06:30
Greetings,
of course it works as expected.
If you "hide" in IsDebuggerPresent plugin, it will correctly fake the return value thus bypassing this check.
As you already stated: this is not the only anti-debugging trick used.
The protector itself creates a second instance of the process (suspended), with the first instance as "debugger" or "controller" you might call it and the second instance as debuggee.
bpx DebugActiveProcess() and you will see what I mean...
WaitForDebugEvent() and ContinueDebugEvent() synchronize the "communication" between both processes.
There exist some tutorials on how to cope with such protection; google them.
I know there are some (good) spanish ones.
Free online translators might be sufficient to extract the useful information.
Regards,
A. Focht
Pompeyfan
January 6th, 2004, 13:11
Actually, I had noticed this. I did set a breakpoint on it, and noticed other instances of IsDebuggerPresent. Can you give me a link to a good tut, even if Spanish, and I'll get it translated?
focht
January 6th, 2004, 14:23
If the email address on your homepage *****wmb@optusnet.***.** is valid, I will send the links to you.
As you might know, posting such stuff/links is not permitted here.
Regards
Pompeyfan
January 6th, 2004, 14:40
Yes, that email is valid, please do send, I would really appreciate that.
Pompeyfan
January 7th, 2004, 13:07
Hey, that translator site works well. I have downloaded a lot and translated it; will read through this arvo. Thanks a lot :-)
mcnorth
January 20th, 2004, 18:58
"Maybe, someday, we will gather all the posts and make a FAQ. Anyone interested?"
Yup, I'd be interested in that
