The below will not work with everything though, as the byte used in the PIB will still signify that a debugger is present, and so protectors such as Armadillo will still throw up errors as they compare the result of IsDebuggerPresent with this byte. Best thing to do really is to make IsDebuggerPresent overwrite this value with a zero and THEN return 0. Still not perfect however, as some protectors don't even call IsDebuggerPresent and just check the PIB directly, as it can easily be accessed by offsetting from the FS register.
There are times you want IsDebuggerPresent to return a non-zero value anyway, so I find it easier to just modify the PIB (which indirectly modifies IsDebuggerPresent, as it depends on this value also) whenever I debug a program that checks this.
Quote:
Originally posted by Peter[Pan]
77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
77E72746 8B4030 mov eax, dword ptr [eax+30]
77E72749 0FB64002 movzx eax, byte ptr [eax+02]
77E7274D C3 ret
change the movzx eax, byte ptr [eax+02]
to
XOR EAX, EAX
then fill the rest with nops
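To make the quoted patch concrete, here is an added example (my own code, not something posted in this thread) that applies Peter[Pan]'s edit to a byte copy of the IsDebuggerPresent stub: it locates the fs:[18h] / [eax+30h] / movzx chain, swaps the 4-byte movzx (0F B6 40 02) for xor eax,eax plus two nops (31 C0 90 90), and leaves the ret untouched. The stub bytes are embedded as a constructed buffer so it runs offline; the function and helper names are mine. The byte it reads at +2 is the one the post calls the PIB flag (BeingDebugged in the PEB), which is why a patched API still leaves that byte set for anyone who reads the block directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed test input: the 32-bit IsDebuggerPresent stub exactly as
   quoted in the thread (typo in the movzx encoding corrected). */
static const uint8_t kStub[] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, /* mov   eax, fs:[18h]        ; TEB self pointer   */
    0x8B, 0x40, 0x30,                   /* mov   eax, [eax+30h]       ; TEB -> PEB         */
    0x0F, 0xB6, 0x40, 0x02,             /* movzx eax, byte [eax+2]    ; PEB.BeingDebugged  */
    0xC3                                /* ret                                              */
};

/* The 9-byte TEB/PEB chain that must precede the movzx for a match. */
static const uint8_t kPrefix[] = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30};
static const uint8_t kMovzx[]  = {0x0F, 0xB6, 0x40, 0x02};          /* movzx eax, byte [eax+2] */
static const uint8_t kPatch[]  = {0x31, 0xC0, 0x90, 0x90};          /* xor eax,eax ; nop ; nop */

/* Return the offset of the movzx inside buf, or -1 if the full chain is absent.
   Requiring the prefix avoids patching an unrelated 0F B6 40 02 elsewhere. */
int find_isdebuggerpresent_movzx(const uint8_t *buf, size_t len)
{
    const size_t need = sizeof kPrefix + sizeof kMovzx;
    for (size_t i = 0; i + need <= len; i++) {
        if (memcmp(buf + i, kPrefix, sizeof kPrefix) == 0 &&
            memcmp(buf + i + sizeof kPrefix, kMovzx, sizeof kMovzx) == 0)
            return (int)(i + sizeof kPrefix);
    }
    return -1;
}

/* Apply the patch in place. Returns the patched offset, or -1 if the stub was
   not found (e.g. already patched, or a different build of kernel32). */
int patch_isdebuggerpresent(uint8_t *buf, size_t len)
{
    int off = find_isdebuggerpresent_movzx(buf, len);
    if (off < 0)
        return -1;
    memcpy(buf + off, kPatch, sizeof kPatch);   /* same length, so ret stays where it is */
    return off;
}

/* Demo helpers working on a private copy of the stub. */
int demo_patch_offset(void)
{
    uint8_t buf[sizeof kStub];
    memcpy(buf, kStub, sizeof buf);
    return patch_isdebuggerpresent(buf, sizeof buf);
}

/* 1 if, after patching, the prefix is intact, the movzx became 31 C0 90 90,
   the ret is still at the end, and a second patch attempt finds nothing. */
int demo_patch_bytes_ok(void)
{
    uint8_t buf[sizeof kStub];
    memcpy(buf, kStub, sizeof buf);
    int off = patch_isdebuggerpresent(buf, sizeof buf);
    if (off != (int)sizeof kPrefix)                                   return 0;
    if (memcmp(buf, kPrefix, sizeof kPrefix) != 0)                    return 0;
    if (memcmp(buf + off, kPatch, sizeof kPatch) != 0)                return 0;
    if (buf[sizeof buf - 1] != 0xC3)                                  return 0;
    if (patch_isdebuggerpresent(buf, sizeof buf) != -1)               return 0;
    return 1;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-7s", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    uint8_t buf[sizeof kStub];
    memcpy(buf, kStub, sizeof buf);
    hexdump("before:", buf, sizeof buf);
    int off = patch_isdebuggerpresent(buf, sizeof buf);
    hexdump("after:", buf, sizeof buf);
    printf("patched movzx at offset %d\n", off);
    return off < 0;
}
```

In a live session you would apply the same four bytes at 77E72749 in the debugger rather than to a file copy; the search-by-chain check is there because a kernel32 from another build will not have the stub at that address.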