About HideDebug

Hi,
I have put the HideDebug dll in the plugin directory. I don't see any menu or anything. Does it work automatically?

Thomas Antony

view the log-windows if it is loaded...

the hidedebugger 1.2.2 plugin has an extended menu which can be accessed by plugins -> hidedebugger ...

hope this helps...

[vrclr27]

Is the plugin directory set in options->appearance->directories
or
did you rename olly ? ->plugin expects exe name for imports

[MaRKuS-DJM]

this plugin doesn't load if you use some modified ollydbg which doesn't use ollydbg.ini

Quote:

Originally Posted by thomasantony

Hi,
I have put the HideDebug dll in the plugin directory. I don't see any menu or anything. Does it work automatically?

Thomas Antony

I can advise this version of a plug-in, she at perfectly me works. Try probably and you will not have problems.

[TQN]

The HideDebugger plugin only work with OllyDbg which has ver >= 1.08 and the OS is WinNT, 2000, or XP...
Some code in ODBG_Plugininit function of HideDebugger plugin:
text:100013F4 IsWinNT proc near ; CODE XREF: _ODBG_Plugininit+Fp
.text:100013F4 C7 05 F0 31 00 10+ mov VersionInformation.dwOSVersionInfoSize, 94h
.text:100013FE 68 F0 31 00 10 push offset VersionInformation ; lpVersionInformation
.text:10001403 FF 15 40 10 00 10 call ds:GetVersionExA ; Get extended information about the
.text:10001403 ; version of the operating system
.text:10001409 0B C0 or eax, eax
.text:1000140B 74 0C jz short locret_10001419
.text:1000140D 33 C0 xor eax, eax
.text:1000140F 83 3D 00 32 00 10+ cmp VersionInformation.dwPlatformId, VER_PLATFORM_WIN32_NT
.text:10001416 0F 94 C0 setz al
.text:10001419
.text:10001419 locret_10001419: ; CODE XREF: IsWinNT+17j
.text:10001419 C3 retn
.text:10001419 IsWinNT endp
....
.text:1000144C _ODBG_Plugininit proc near
.text:1000144C
.text:1000144C ollyDbgVer = dword ptr 14h
.text:1000144C hwndOlly = dword ptr 18h
.text:1000144C
.text:1000144C 55 push ebp
.text:1000144D 53 push ebx
.text:1000144E 56 push esi
.text:1000144F 57 push edi
.text:10001450 83 7C 24 14 6C cmp [esp+ollyDbgVer], 108
.text:10001455 0F 82 8E 02 00 00 jb loc_100016E9
.text:1000145B E8 94 FF FF FF call IsWinNT
.text:10001460 0B C0 or eax, eax
.text:10001462 0F 84 81 02 00 00 jz loc_100016E9
.......
9 loc_100016E9: ; CODE XREF: _ODBG_Plugininit+9j
.text:100016E9 ; _ODBG_Plugininit+16j ...
.text:100016E9 33 C0 xor eax, eax
.text:100016EB 48 dec eax
.text:100016EC
.text:100016EC loc_100016EC: ; CODE XREF: _ODBG_Plugininit+29Bj
.text:100016EC 5F pop edi
.text:100016ED 5E pop esi
.text:100016EE 5B pop ebx
.text:100016EF 5D pop ebp
.text:100016F0 C3 retn
.text:100016F0 _ODBG_Plugininit endp

Hi,
I got Olly 1.10 and also the HideDebug 1.22 I dfound the menu item but I use Win98 SE. So.....

Thomas Antony

Try "IsDebuggerPresent" Plugin ...

Quote:

_veDc Try "IsDebuggerPresent" Plugin ...

no IsDebuggerPresent Plugin also wont work in win9x
because its algo is different
it does not use fs:[30] aka peb is Debuged pointer
so these plugins wont work in win9x series
you have to find some other way
like trying to modify the inc eax to xor eax eax in kernel32.dll
coz the pointer it sbbs also isnt mapped
so you cant do follow in dump and null it out

[ricnar456]

For hide ollydbg to api IsDebuggerPresent you have the plugin OLLYGHOST this is ONLY for win98.

But i tell if you use ollydbg upgrade your SO to NT/XP/2000, in 98 OLLY has serious limitations.

For w98 use softice or trw2000.

Ricardo Narvaja

Hola Ricardo
c��mo es usted
es usted que habla del exe independiente
o un plugin de ese nombre

for all others
Dear Ricardo
how are you
are you talking about the standlaone exe or a plugin by that name ??

and some more the ollyghost by synapsus is kinda advanced it changes the
shared memory region access attributes to write instead of the original readonly so it may not be your blind click and play toy
but it enables you to set bps on hitherto not un kernelspace by default
so it almost transforms 9x into nt functionality
and it is a standalone exe not a plugin to ollydbg
unless ricardo posts information to the contrary

[ricnar456]

is a exe not a plugin,sorry, but work for me before i upgrade to XP.

Better is change to XP (nt or 2000 too)

Ricardo Narvaja