upb, you want the 9x IsDebuggerPresent raw code in kernel32.dll?
Here it is, if you wanted that.
Code:
BFF946F6 IsDebuggerPresent A1 E49CFCBF MOV EAX,DWORD PTR DS:[BFFC9CE4]
BFF946FB 8B08 MOV ECX,DWORD PTR DS:[EAX]
BFF946FD 8379 54 01 CMP DWORD PTR DS:[ECX+54],1
BFF94701 1BC0 SBB EAX,EAX
BFF94703 40 INC EAX
BFF94704 C3 RETN
Well, on being single-stepped through:
Code:
DS:[BFFC9CE4]=C00309C8
EAX=00401000 (OLLYDBG.<ModuleEntryPoint>)
second instruction
Code:
DS:[C00309C8]=81752074
ECX=81752094
Code:
817520B4 3C 21 75 81 B0 A0 5F C1 80 0B 75 81 80 26 75 81 <!u..._...u..&u.
817520C4 BC 47 74 81 0C D0 5B 83 00 00 00 00 00 00 00 00 .Gt...[.........
flag position on compare
Code:
EAX C00309C8
ECX 81752074
EDX 817520D4
EBX 00680000
ESP 0078FE38
EBP 0078FF78
ESI 81752074
EDI 00000000
EIP BFF946FD KERNEL32.BFF946FD
C 0 ES 016F 32bit 0(97A0)
P 1 CS 0167 32bit 0(FFFFFFFF)
A 0 SS 016F 32bit 0(97A0)
Z 0 DS 016F 32bit 0(97A0)
S 1 FS 3517 16bit 81752270(37)
T 0 GS 0000 NULL
D 0
O 1 LastErr ERROR_INVALID_NAME (0000007B)
EFL 00200A86 (O,NB,NE,A,S,PE,GE,G)
flag position after compare
Code:
EAX C00309C8
ECX 81752074
EDX 817520D4
EBX 00680000
ESP 0078FE38
EBP 0078FF78
ESI 81752074
EDI 00000000
EIP BFF94701 KERNEL32.BFF94701
C 0 ES 016F 32bit 0(97A0)
P 0 CS 0167 32bit 0(FFFFFFFF)
A 0 SS 016F 32bit 0(97A0)
Z 0 DS 016F 32bit 0(97A0)
S 1 FS 3517 16bit 81752270(37)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_INVALID_NAME (0000007B)
EFL 00200282 (NO,NB,NE,A,S,PO,L,LE)
on return
Return to 00401005 (OLLYDBG.00401005)
Code:
registers and flag on return
EAX 00000001
ECX 81752074
EDX 817520D4
EBX 00680000
ESP 0078FE38
EBP 0078FF78
ESI 81752074
EDI 00000000
EIP BFF94704 KERNEL32.BFF94704
C 0 ES 016F 32bit 0(97A0)
P 0 CS 0167 32bit 0(FFFFFFFF)
A 0 SS 016F 32bit 0(97A0)
Z 0 DS 016F 32bit 0(97A0)
S 0 FS 3517 16bit 81752270(37)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_INVALID_NAME (0000007B)
EFL 00200202 (NO,NB,NE,A,NS,PO,GE,G)
Now OllyDbg can't see the address 0xc00309c8.
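
The CMP / SBB / INC tail of the listing above, modelled in C as an added example (not part of the original post). It recomputes the flags and the return value for the dword at ECX+54 (817520C8), read little-endian from the dump line at 817520C4 as 835BD00C; the function and type names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Arithmetic flags in the order OllyDbg lists them: C, P, A, Z, S, O. */
typedef struct { unsigned c, p, a, z, s, o; } flags_t;

/* PF is set when the low byte of the result has an even number of 1 bits. */
static unsigned parity_even(uint8_t b) {
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return !(b & 1);
}

/* CMP dst,src: compute dst - src, discard the result, keep the flags. */
flags_t cmp32(uint32_t dst, uint32_t src) {
    uint32_t r = dst - src;
    flags_t f;
    f.c = dst < src;                        /* unsigned borrow */
    f.p = parity_even((uint8_t)r);
    f.a = (dst & 0xF) < (src & 0xF);        /* borrow out of the low nibble */
    f.z = r == 0;
    f.s = r >> 31;
    f.o = ((dst ^ src) & (dst ^ r)) >> 31;  /* signed overflow */
    return f;
}

/* CMP DWORD PTR [ECX+54],1 / SBB EAX,EAX / INC EAX */
uint32_t is_debugger_present_9x(uint32_t field_54, flags_t *after_cmp) {
    flags_t f = cmp32(field_54, 1);
    if (after_cmp) *after_cmp = f;
    uint32_t eax = 0u - f.c;  /* SBB EAX,EAX = EAX - EAX - CF: 0 or FFFFFFFF */
    return eax + 1;           /* INC EAX: 1 if the field is non-zero, else 0 */
}

int main(void) {
    /* 835BD00C is the value from the post's dump; 0 and 1 are constructed. */
    uint32_t samples[] = { 0x835BD00Cu, 0u, 1u };
    for (int i = 0; i < 3; i++) {
        flags_t f;
        uint32_t eax = is_debugger_present_9x(samples[i], &f);
        printf("[ECX+54]=%08X  C=%u P=%u A=%u Z=%u S=%u O=%u  EAX=%08X\n",
               (unsigned)samples[i], f.c, f.p, f.a, f.z, f.s, f.o, (unsigned)eax);
    }
    return 0;
}
```

Only a zero field produces a borrow on the compare, so any non-zero value at ECX+54 makes the routine return 1, which is what the "on return" register dump shows in EAX.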