Help With Writing Olly Plugin.

[Fungus]

Hi All, I was wondering if someone could have a look at my src and tell help figure out what I have done wrong or am missing with my plugin code.

:EDIT:

the dialog boxes don't appear correctly, and the patch just crashes olly when he tries to load a file.

here is the src. It is in masm and winasm studio.

It is a plugin to patch GetSystemTime, to hide olly from various techniques that read it and do some other things, like int3 or checking how long some code takes to execute.

thx

Edited April 12, 2007 by Fungus

[Angel-55]

Not much only a little problem

i fixed you had inc eax just after xor eax,eax

is caused the problem i removed it and the dialog appeares

normally now i hope it's working too bro' please check it can you ?!

Dialog appeares well now i'am only

checking why ollydbg crashes so try the

attached file and check dialog i'll see the other problem......

Source.rar

Edited April 12, 2007 by Angel-55

[Fungus]

Angel-55: thanks alot! Will check immediate

It's my first serious x86 code, so I really appreciate your help very much.

[zako]

Its nice that you share your source code Fungus

[Fungus]

Its nice that you share your source code Fungus

zako; glad to , aren't we supposed to be helping each other here?

Ok, here is my newest src (deleted the previous)

ok, I got it working, but it only patches GetSystemTime in Olly's Process, not in the Debugged Process. Any clues?

src.rar

thx

[Angel-55]

Fungus can you explain more please

i don't understand what you mean 100%

so a bit more explaination is better and any

target to try it with the plugin ?? "CrackMe or similar"

thanx' in advanced and congratulations

for your working Plugin "nice work bro' keep it" !!

Cheers

[MOID]

Because GetSystemTime is pretty constant in all apps, you can get the address of it with GetProcAddress. If you want you can even get the patch addresses from Olly's context. Then, to patch the code in the debuggee you can use Writememory.

[Fungus]

Angel 55: oh like xADT, it has a plugin for GetSystemTime and int, it sets SEH, invokes GetSystemTime, executes an int3, then invokes GetSystemTime again, and subtracts the results from each other,

if seconds > 0, then I am being debugged.

MOID: do you have an example to use writememory for this? thx

[Guest shot]

I cant download the src i get an error

The error returned was:

Sorry, some required files are missing, if you intended to view a topic, it's possible that it's been moved or deleted. Please go back and try again.

any clue on why this is?

[Fungus]

Because Teddy changed host yesterday or so, and there is bound to be some errors

I can ul somewhere if you wanna look.

I have expanded it to handle GetLocalTime aswell, but I'm still trying to figure out how to set the segment properly, so I write to the debugged process. I checked the src code of Is Debugger Present 1.4, but the way he is setting the segment base isn't making any sense to me

I don't understand the assume directive of MASM yet.

It looks like this....

get_byte_location proc
	push ebx
	invoke Getcputhreadid
	.if (eax)
		invoke Findthread,eax				 ;retreive thread info
		assume eax:ptr t_thread
		push [eax].reg.base[4*4]			  ;base of FS
		pop ebx
		add ebx,30h
		invoke Readmemory,addr dw_buffer,ebx,4,MM_RESTORE
		mov eax,dw_buffer
		add eax,2h
	.endif
	pop ebx
	ret

if someone could explain how it works exactly, that would be really cool. The docs on in the SDK don't say much about Findthread, let alone how to set the segment base.

Edited April 14, 2007 by Fungus

[Guest shot]

yes please ul it somewhere else , Thanks

[Angel-55]

Fungus do you get any errors while

using this method ?? if so then could you

please wriet what WinASM says to you and thanx' again .......

the IsDebuggerPresent source isn't with me

i fsome one could upload it it would be nice and

thanx' in advanced and to attach cause there is a problem !!

[zako]

i fsome one could upload it it would be nice and

Its available on the authors home page

http://membres.lycos.fr/svtc/

[Angel-55]

Sorry Zako i don't know the author

or his page so thanx' bro' for giving a link

really appreciated thanx' again.........

IsDebuggerPresent_Source.rar

[Teddy Rogers]

Attachments should be working again. Sorry about this folks...

Ted.

[Angel-55]

Ted. i have one question why doesn't this link work ??

Link: www.tut4you.com

and thanx' for fixing the attachment problem

it works now perfectly good job !!

[Teddy Rogers]

Its a spelling mistake, it should be:

http://www.tuts4you.com/

Ted.

[Angel-55]

No Ted. it's a writting mistake it still

doesn't work check it your self here i get this message !!

"This directory no longer exists, please go to: http://www.tuts4you.com/"

I go to that ink and same message like a loop "Endless One"

do you mind checkign it please and thanx'

Edited April 14, 2007 by Angel-55

[Teddy Rogers]

Maybe a DNS between you and the host still needs to be updated. It looks to me from the link you are trying to go to:

http://www.tuts4you.com/%22

Which, is a directory that does not exist.

If you want to continue this it may be better to start a new topic in Site Bug Reports forum...

Ted.

[Fungus]

Angel: I haven't tried it yet, I don't understand how the segment base works (guess I spoke too soon in another thread eh?) I keep researching until I figure it out...