Monday, April 9, 2012

[MASM] Anti Ollydbg

This is my second snippet in MASM.
It detects when your application is being debugged in Ollydbg or Immunity Debugger.
There are ways to bypass this check, but it is one way to do it :)
Something is always better than nothing.
So here it is:
.386
.model flat,stdcall
option casemap:none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\user32.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib

.data

; MessageBoxA expects null-terminated strings, so each one ends with ,0
ollyTitle    db "Ollydbg :D",0
ollyMsgboxP  db "Present",0
ollyMsgboxN  db "Not Present",0

.code

start:
    xor eax,eax             ; set eax to 0 (not used by the check below)
    cmp esi,0FFFFFFFFh      ; compare esi at the entry point with 0FFFFFFFFh (-1)
    jnz ollyNotPresent      ; esi != -1: treat as not running under Ollydbg
    jmp ollyPresent         ; esi == -1: treat as running under Ollydbg

ollyNotPresent:
    invoke  MessageBoxA,0,ADDR ollyMsgboxN,ADDR ollyTitle,MB_OK
    invoke  ExitProcess,0

ollyPresent:
    invoke  MessageBoxA,0,ADDR ollyMsgboxP,ADDR ollyTitle,MB_OK
    invoke  ExitProcess,0

END start
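
For analysts who want to spot this check in a sample, here is an added example (not part of the original post) that scans the bytes at a program's entry point for `cmp esi,0FFFFFFFFh` followed directly by `jz`/`jnz`. The function name, the 64-byte window and the sample byte strings are assumptions made for this illustration, and the match is a plain byte pattern, not a full disassembly.

```python
import re

# Both x86 encodings of `cmp esi, 0FFFFFFFFh`:
#   83 FE FF             imm8 form (sign-extended), the short encoding
#   81 FE FF FF FF FF    imm32 form
CMP_ESI_M1 = re.compile(rb"\x83\xfe\xff|\x81\xfe\xff\xff\xff\xff")

# Conditional jumps that act on the comparison: short and near jz/jnz.
JCC = {b"\x74": "jz", b"\x75": "jnz", b"\x0f\x84": "jz", b"\x0f\x85": "jnz"}


def find_esi_checks(code, window=64):
    """Return [(offset, jump)] for each `cmp esi,-1` that is immediately
    followed by jz/jnz within the first `window` bytes of `code`.

    `code` is the raw bytes starting at the entry point. Offsets are not
    instruction-aligned, so a hit is a lead to confirm in a disassembler.
    """
    hits = []
    for m in CMP_ESI_M1.finditer(code[:window]):
        tail = code[m.end():m.end() + 2]
        for opcode, name in JCC.items():
            if tail.startswith(opcode):
                hits.append((m.start(), name))
                break
    return hits


# Constructed sample: hand-assembled bytes for the start: block above
#   33 C0     xor eax,eax
#   83 FE FF  cmp esi,0FFFFFFFFh
#   75 02     jnz short +2
#   EB 14     jmp short +14h   (displacements are made up)
ENTRY_SAMPLE = bytes.fromhex("33c0" "83feff" "7502" "eb14")

# Constructed sample without the check:
#   push ebp / mov ebp,esp / sub esp,10h / xor eax,eax / ret
CLEAN_SAMPLE = bytes.fromhex("55" "8bec" "83ec10" "33c0" "c3")

if __name__ == "__main__":
    for label, blob in (("entry", ENTRY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, find_esi_checks(blob))
```
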

3 comments for "[MASM] Anti Ollydbg"

  1. sir ...

    xor eax,eax ;
    cmp esi,0FFFFFFFFh;

    how this code will not allow debugging..??
    I mean how these 2 lines judging the presence of debugger..??

  2. No, this code does allow debugging, but when you try to debug any program in Ollydbg the esi flag is set to -1, check it.
    You can make this code stop debugging in Olly further once you detect it.

  3. ohk.. I got it..... it means it will check the esi flag and if it is -1 then Olly is present, and then we can add our further code for protecting our application...
    thanks sir.... :) :)
