Posted September 15, 201311 yr Anti-Debug Time Plugin for OllyDbg V.2 General InformationModern computer programs are more complex in writing and more difficult for reversing. Serious programs have various means of protection against debugging. It prevents application reversing. There are a number of various approaches, like Debug Blocker, Nanomites, others.Measuring time to identify that an application is being debugged becomes the widespread practice lately. The OllyDbg has the «HideOD» and «Hide Debugger» anti-debug plugins, which have no possibility to hide actual time. This causes difficulties in application reversing.Let’s consider the system of debugger identification. The debuggers are capable of making breakpoints in code. In this case the operation of the program is suspended. The program can detect such stopping by monitoring the system time. If there is a too long pause between the instructions – most likely the program has been stopped for analysis. http://www.codeproject.com/Articles/614775/Anti-Debug-Time-Plugin-for-OllyDbgAntiDebugTimePlugin.zip Edited September 15, 201311 yr by Amer
September 15, 201311 yr great article! but strange it writes the registry for communication.. it could be easily done with mapped files for example.
September 15, 201311 yr it's good, but for example look code GetTickCount: 75BF8FAC >/$ /EB 02 JMP SHORT KERNELBA.75BF8FB0 75BF8FAE |> |F3: /PREFIX REP: 75BF8FAF |. |90 |NOP 75BF8FB0 |> \8B0D 2403FE7F MOV ECX,DWORD PTR DS:[7FFE0324] 75BF8FB6 |. 8B15 2003FE7F |MOV EDX,DWORD PTR DS:[7FFE0320] 75BF8FBC |. A1 2803FE7F |MOV EAX,DWORD PTR DS:[7FFE0328] 75BF8FC1 |. 3BC8 |CMP ECX,EAX 75BF8FC3 |.^ 75 E9 \JNZ SHORT KERNELBA.75BF8FAE ... we can manually read timer value
July 17, 20178 yr Hello, thanks for your article , and how to create a frame window like cpu window in ollydbg 2.01?
Create an account or sign in to comment