Exetools  

Old 05-02-2005, 20:44
JuneMouse
Using Thread Local Storage (TLS) in Olly

[EDIT JMI]: These posts were originally part of the "Olly Invisible Plugin" thread in the Software Release forum. In that thread, nikola posted the following comment in one of the posts:

"@Others: Lemme see you leetors hide Olly from this one
http://www.maniactools.com/soft/mp3tag.exe
I tried for 30 minutes to hide this and gave up. I'm not even sure what this packer is. PEiD says Neolite but this is definitely not Neolite. Markus suggested elsewhere that this is Execryptor and I agree. I can't even start Olly after the program is started because it shuts it down like RegMon. I changed Olly's path, caption, most things I could. Tried this plugin but nothing. Someone made it on this one?"

JuneMouse made this very interesting reply about that software, discussing how to access the Thread Local Storage (TLS) in Olly. nikola then suggested that that information be split off into a separate thread, and here it is for all to consider. Those further interested in system hooking and API hooking, review the "codeproject" reference listed by bgrimm and the API reference mentioned at the bottom of bgrimm's reference. All very interesting information. ]


Hehe, I was reading through (the Olly Invisible Plugin thread) and I saw the post by nikola, and mp3tag.exe has no need to hide Olly from anything. It uses TLS callbacks, so TLS gets the first chance to execute before reaching the EP.

Code:
Log data
Address    Message
           OllyDbg v1.10
           Bookmarks sample plugin v1.06 (plugin demo)
             Copyright (C) 2001, 2002 Oleh Yuschuk
           Command line plugin v1.10
             Written by Oleh Yuschuk

           File '***********\mp3tag.exe'
           New process with ID 00000220 created
00840938   Main thread with ID 00000370 created
00400000   Module *****************\mp3tag.exe
77E10000   Module C:\WINNT\system32\user32.dll
77F40000   Module C:\WINNT\system32\GDI32.dll
77F80000   Module C:\WINNT\system32\ntdll.dll
7C570000   Module C:\WINNT\system32\kernel32.dll
77F813B1   System startup breakpoint
77F9FE4A   Debug string: LDR: Real INIT LIST
77F9FE4A   Debug string:      C:\WINNT\system32\kernel32.dll init routine 7c577a40
77F9FE4A   Debug string:      C:\WINNT\system32\user32.dll init routine 77e1df34
77F9FE4A   Debug string: LDR: kernel32.dll loaded.
77F9FE4A   Debug string:  - Calling init routine at 7c577a40
77F9FE4A   Debug string: LDR: user32.dll loaded.
77F9FE4A   Debug string:  - Calling init routine at 77e1df34
77F9FE4A   Debug string: LDR: Tls Callbacks Found. Imagebase 400000 Tls 6f90e0 CallBacks 6f910c
77F9FE4A   Debug string: LDR: Calling Tls Callback Imagebase 400000 Function 842d46
So here it decrypts and runs a check, and one can dump almost all memory. Well, for me that's enough because I don't want a running exe.
Here is a strings before and after for this maniac.

If you know how to break back from ZwContinue (simple: Follow in Dump the CONTEXT struct, add B8, press Ctrl+G in the CPU window and type the address that you see in the dump, and when you are there press F2 and F9 (hope you can decipher this)).

Have fun. The point being you need to know the ways and means will follow.
Just having plugins won't work, as you may notice I have no plugins installed except for the default command line that comes along.
Yeah, fresh download and alien computer and no tools (not even a hex editor),
and about an hour's time passed (anyway, had to pass time waiting for someone, sitting in a cafe).
Attached Files
File Type: zip nuke.zip (57.7 KB, 50 views)
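Added example, not code from the thread or from OllyDbg: the loader line "LDR: Tls Callbacks Found. Imagebase ... Tls ... CallBacks ..." in the log above comes from the PE's TLS data directory, and this Python reads that directory the way the loader does, returning (image base, TLS directory VA, callback array VA, list of callback VAs) so you can see what will run before the EP without starting the file. The sample image is constructed here; it is not mp3tag.exe and only reuses the addresses printed in the log.

```python
import struct

def _rva_to_off(data, pe, rva):
    # Walk the section table (it follows the optional header) to map an RVA to a file offset.
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, pe + 0x18 + opt_size + i * 40 + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def tls_callbacks(data):
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 0x18
    magic, = struct.unpack_from("<H", data, opt)
    assert magic in (0x10B, 0x20B), "unknown optional header magic %#x" % magic
    pe32 = magic == 0x10B                        # PE32 and PE32+ differ in pointer size and field offsets
    psize, ptr = (4, "<I") if pe32 else (8, "<Q")
    base, = struct.unpack_from(ptr, data, opt + (0x1C if pe32 else 0x18))
    ndirs, = struct.unpack_from("<I", data, opt + (0x5C if pe32 else 0x6C))
    tls_rva = struct.unpack_from("<I", data, opt + (0x60 if pe32 else 0x70) + 9 * 8)[0] if ndirs > 9 else 0
    if tls_rva == 0:                             # no IMAGE_DIRECTORY_ENTRY_TLS: nothing runs before the EP
        return base, 0, 0, []
    # AddressOfCallBacks is the 4th pointer-sized field of IMAGE_TLS_DIRECTORY and holds a VA, not an RVA.
    cb_va, = struct.unpack_from(ptr, data, _rva_to_off(data, pe, tls_rva) + 3 * psize)
    cbs, off = [], (_rva_to_off(data, pe, cb_va - base) if cb_va else None)
    while off is not None:                       # NULL-terminated array of callback VAs
        fn, = struct.unpack_from(ptr, data, off)
        if fn == 0:
            break
        cbs.append(fn)
        off += psize
    return base, base + tls_rva, cb_va, cbs

def build_sample_pe32():
    # Constructed PE32 (not mp3tag.exe) reusing the log's addresses: base 400000, TLS 6f90e0, callbacks 6f910c -> 842d46.
    base, sec_va, sec_raw = 0x400000, 0x2F9000, 0x400
    sec = bytearray(0x200)
    struct.pack_into("<IIIIII", sec, 0xE0, 0, 0, 0, 0x6F910C, 0, 0)    # IMAGE_TLS_DIRECTORY32
    struct.pack_into("<II", sec, 0x10C, 0x842D46, 0)                  # callback array, NULL-terminated
    # Optional header: magic, ImageBase @0x1C, NumberOfRvaAndSizes @0x5C, DataDirectory[9] (TLS) @0x60+72.
    opt = struct.pack("<H", 0x10B) + bytes(0x1A) + struct.pack("<I", base) + bytes(0x3C) + struct.pack("<I", 16)
    opt += bytes(9 * 8) + struct.pack("<II", sec_va + 0xE0, 24) + bytes(6 * 8)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".data\0\0\0" + struct.pack("<IIIIIIHHI", len(sec), sec_va, len(sec), sec_raw, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(dos + coff + opt + sect)
    return bytes(img + bytes(sec_raw - len(img)) + sec)
```

For a real file call tls_callbacks(open(path, "rb").read()); each returned VA is where Olly's "LDR: Calling Tls Callback" line will land, so a breakpoint there stops before the EP.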