I can't figure out what dbh does. In the docs it says that it hides the debugger, but I can't figure out what exactly that means. It doesn't make the debugger window go away, it doesn't apear to hide the debugger from the program being debugged.

If it does either of the above, I've gotta assume I'm using it wrong. If so, how do you use it?

-Chris

DBH hides the fact that the program is debugged from the program itself. IsDebuggerPresent returns 0 when called from the debugged program. Just tested this and it works fine.

Sweet, Thanks.

It apears that the program I am working with is a little more subtle in it's debugger detection. dbh does nothing for me. Oh well.

it was only meant for the isdebuggerpresent. of course id be happy to add functionality to it, so if you can email me details on how your target detects olly id be happy to try and add it to dbh. =)

Haha, yeah. I'd love to know how my target detects olly too! I have a feeling it's an int3 detection, but the code is very hard to follow (and I can't seem to find an in depth description of int3 detection).

can it be the usual winclass name / appname detection? rename olly and try again? If the protection is a commercial one named after a small animal then it might work

There are no small animals involved, and renaming didn't do anything. This is a commercial protection, but only a handfull of people have ever seen the program.

Before you get too into this, I gotta say I won't be able to tell you how I defeat this anti-debugger if I do (I'm all about spreading knowledge, but the company I work for isn't). EDIT: I'm really sorry. I know this place is all about spreading information. If there's anything I can do to get some info here I'll do it.

i've tried dbh too, but it does no work! the api isdebuggerpresent returns 1 always, and the nag (vbox) catch me.
i don't know if i'm using right; the script is:
dbh

only?? or
dbh
ret

??

I'm guessing you want:

dbh
run

Anonymous: what program did you test it with? Just DBH should be enough - execute it and IsDebuggerPresent should return 0. If it doesn't please mail me telling what app you tested it on.

TheTwo: well, there are times when you don't spread the info. I'm all for SELECTIVE spreading. All info you are able to give will be appreciated, but of course you are free to not provide any at all. =)

well, there are times when you don't spread the info. I'm all for SELECTIVE spreading.

If that means my suggestion was correct, I'm supprised.... it really was a guess. I've never had dbh block an anti-debugger. If I broke some kind of netiquite, I'd like to know privately. I don't (and can't) have icq, but the email I put in for registration is valid.

TheTwo: I think you are reading hidden meanings where there are none. My comment about selective information spreading had nothing to do with this thread in particular. =)

the apps are a spanish program for printing labels protected with vbox, and another protected with asprotect 1.23

i made a .txt with dbh in a line only, ran debugger till ep, execute the script and f9, and..... nag...

i did it right?

write a test prog that calls IsDebuggerPresent and test with it

I think you are reading hidden meanings where there are none. My comment about selective information spreading had nothing to do with this thread in particular. =)

Ahhhh.. Silly me. I get it now.

i made a test in windows98 and neither dbh nor isdebuggerpresent plugin didnīt work.
in both cases isdebuggerpresent returned 1.

i use ollydbg 1.10b, last version ollyscript, win98, and last version isdebuggerpresent plugin.