Sunday, October 19, 2008

ESI Ollydbg Check by Wiccaan

Well, Ksbunker brought this one to my attention over on GameDeception, so I researched it a bit, and yes: OllyDbg by default leaves ESI set to -1 (FFFFFFFF) when it breaks at the entry point of a freshly loaded program. With that you can implement a simple check to detect Olly, for example:

Code:
#pragma comment( linker, "/ENTRY:main" )   // no CRT startup: main() itself is the entry point
#include <windows.h>

char *szString = "Olly Found!";

int main()
{
    _asm
    {
        cmp esi, -1             // OllyDbg leaves ESI = 0xFFFFFFFF at the entry-point break
        je OllyFound
        jmp NotFound
    OllyFound:
        push 0                  // uType
        push szString           // lpCaption
        push szString           // lpText
        push 0                  // hWnd
        call dword ptr [MessageBoxA]
    NotFound:
        // Just return after..
    }
    return 0;
}
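
As an added example (my own code, not Wiccaan's and not part of the original post), here is the defender-side counterpart of the check above: a small Python scanner that parses a 32-bit PE, maps AddressOfEntryPoint to a file offset, and looks for `cmp esi, -1` immediately followed by `je`/`jne` within the first bytes that execute. The minimal PE it builds is constructed inline so the script runs offline; on real samples you would read the file from disk and call `check_pe` on the bytes.

```python
import struct

# Instruction encodings we look for (x86 opcode map):
#   83 FE FF                     cmp esi, -1          (imm8 form, what the post's snippet assembles to)
#   81 FE FF FF FF FF            cmp esi, 0FFFFFFFFh  (imm32 form)
#   74 rel8 / 75 rel8            je / jne short
#   0F 84 rel32 / 0F 85 rel32    je / jne near
CMP_ESI_MINUS1 = (b"\x83\xFE\xFF", b"\x81\xFE\xFF\xFF\xFF\xFF")
JCC_SHORT = (b"\x74", b"\x75")
JCC_NEAR = (b"\x0F\x84", b"\x0F\x85")


def scan_for_esi_check(code: bytes) -> list:
    """Return (offset, jump_form) for every 'cmp esi,-1' directly followed by je/jne."""
    hits = []
    for i in range(len(code)):
        for pat in CMP_ESI_MINUS1:
            if code.startswith(pat, i):
                nxt = code[i + len(pat):i + len(pat) + 2]
                if nxt[:1] in JCC_SHORT:
                    hits.append((i, "short"))
                elif nxt in JCC_NEAR:
                    hits.append((i, "near"))
    return hits


def entry_point_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a raw file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:           # PE32 magic
        raise ValueError("only PE32 images are handled; the ESI trick is a 32-bit one")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections = opt + opt_size
    for n in range(nsections):
        hdr = sections + 40 * n
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return rawptr + (entry_rva - vaddr)
    raise ValueError("entry point RVA is not inside any section")


def check_pe(pe: bytes, window: int = 64) -> list:
    """File offsets of ESI checks found within `window` bytes of the entry point."""
    ep = entry_point_file_offset(pe)
    return [ep + off for off, _ in scan_for_esi_check(pe[ep:ep + window])]


def build_sample_pe(entry_code: bytes) -> bytes:
    """Constructed minimal PE32 for the demo (parseable, not loadable): one .text
    section, raw data at file offset 0x200, mapped at RVA 0x1000, entry at RVA 0x1000."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(entry_code), 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + entry_code.ljust(0x200, b"\0")


# Constructed entry-point bytes: the post's idiom (cmp esi,-1 ; je ; jmp ; push 0 ; ret)
# and an ordinary prologue (push ebp ; mov ebp,esp ; xor eax,eax ; pop ebp ; ret).
SUSPECT_ENTRY = bytes.fromhex("83FEFF" "7402" "EB05" "6A00" "C3")
BENIGN_ENTRY = bytes.fromhex("55" "8BEC" "33C0" "5D" "C3")

if __name__ == "__main__":
    for name, code in (("suspect", SUSPECT_ENTRY), ("benign", BENIGN_ENTRY)):
        print(name, [hex(o) for o in check_pe(build_sample_pe(code))])
```

The scan is deliberately limited to a window after the entry point because that is where ESI still carries the value Olly left there; a `cmp esi, -1` deep inside normal code is just a loop or error-value test and would be noise.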


Other than patching the check out (which is easy), you can also set up a plugin to bypass this from within Olly itself. I just coded a plugin to do exactly that, partly as a learning exercise in how Olly plugins are written. I highly doubt this is the best possible way of doing it, but here ya go:

Code:
#include <windows.h>
#include "plugin.h"        // OllyDbg 1.10 plugin SDK: extc, _export, t_reg, PLUGIN_VERSION, Addtolist

HINSTANCE m_hInstance;
HINSTANCE m_hDllInstance;
HWND m_hWnd;
BOOL bInitializePause;     // TRUE once the first pause (the entry-point break) has been handled

//
// Main Entry Point
//
BOOL WINAPI DllEntryPoint( HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved )
{
    if( dwReason == DLL_PROCESS_ATTACH )
        m_hInstance = hInstance;
    return 1;
}

//
// Plugin Name / Data
//
extc int _export cdecl ODBG_Plugindata(char shortname[32])
{
    strcpy(shortname,"EsiCheck");
    return PLUGIN_VERSION;
}

//
// Initialization
//
extc int _export cdecl ODBG_Plugininit(int ollydbgversion,HWND hw,ulong *features)
{
    if( ollydbgversion < PLUGIN_VERSION )
        return -1;

    m_hWnd = hw;

    Addtolist( 0,0,"EsiCheck Plugin v1.0" );
    Addtolist( 0,1,"Coded by: Wiccaan" );
    return 0;
}

//
// Menu Setup
//
extc int _export cdecl ODBG_Pluginmenu(int origin,char data[4096],void *item)
{
    switch( origin )
    {
    case PM_MAIN:
        strcpy( data, "0 &About" );
        return 1;
    default:
        break;
    }
    return 0;
}

//
// Main Plugin Callback
//
extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item)
{
    if( origin == PM_MAIN )
    {
        switch( action )
        {
        case 0:
            MessageBox( m_hWnd, "Ollydbg EsiCheck v1.0\nCoded by: Wiccaan", "EsiCheck", MB_OK|MB_ICONINFORMATION );
            break;
        default:
            break;
        }
    }
}

//
// Close Plugin
//
extc int _export cdecl ODBG_Pluginclose(void)
{
    return 0;
}

//
// Plugin Reset: clear the initial-pause flag so a reloaded program is handled again
//
extc void _export cdecl ODBG_Pluginreset(void)
{
    bInitializePause = false;
}

//
// Olly Paused: on the first pause (the entry-point break) reset ESI
//
extc int _export cdecl ODBG_Paused(int reason,t_reg *reg)
{
    if( !bInitializePause )
    {
        reg->r[ 6 ] = 0;           // r[6] is ESI (REG_ESI in plugin.h)
        bInitializePause = true;
    }
    return 0;
}


What this does: whenever Olly pauses, the plugin checks whether the 'bInitializePause' flag has been set yet. If not, this is the first pause, which normally is the break at the entry point (OEP) that Olly does by default. It then resets the ESI register to 0 and sets the flag to true, meaning the reset has been done once and is not needed again for this session.

When the program is reloaded in Olly, ODBG_Pluginreset is called, which clears the flag so the reset happens again on the next entry-point break.

Enjoy. :)
