.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib
.data
; Message-box titles. Both hold identical text; two symbols exist so the
; "found" and "not found" paths can be retitled independently.
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
; Not referenced by the code in this file (the "found" path shows the
; registry value itself).
DbgFoundText db "Debugger found!",0h
; AeDebug key under HKLM: its "Debugger" value is the post-mortem (JIT)
; debugger command line Windows launches when a process crashes. Reading
; it tells you what is configured, not that a debugger is attached.
szOllyKey db "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug",0h
; Value name queried under szOllyKey.
szIsOllyKey db "Debugger",0h
; 7-byte string literal ("REG_SZ" + NUL). It is NOT a DWORD and must not
; be used as RegQueryValueEx's lpType out-parameter, which writes a 4-byte
; type code through the pointer it is given.
szREGSZ db "REG_SZ",0
.data?
; Receive buffer for the registry value. 256h is hex: 598 bytes, not 256.
szBuff db 256h dup(?)
; In: size of szBuff passed to RegQueryValueEx; out: bytes actually stored.
lpcbData dd ?
; Disposition slot (RegCreateKeyEx style); not referenced by this file's code.
lpdwDisp dd ?
; Key handle filled in by RegOpenKeyEx.
hKey dd ?
.code
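.data?
dwType      dd ?                        ; REG_* type code returned by RegQueryValueEx
.code
start:
;-----------------------------------------------------------------------
; MASM32 antiOllyDBG example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
;
; Reads the "Debugger" value under HKLM\...\AeDebug (szOllyKey). That
; value is the post-mortem (JIT) debugger command line Windows launches
; when a process crashes; it shows what is configured on the machine,
; not that a debugger is attached to this process. The configured
; program path (with surrounding quotes stripped) is shown in a message
; box. For other examples, see the Registry-OllyDbg.zip archive.
;
; Defender note: this is an ordinary registry read of a well-known key;
; registry auditing or API tracing on the AeDebug path makes it visible.
;
; This is the process entry point, not a PROC, and it ends in
; ExitProcess, so no register has to be preserved.
; Register roles:
;   EBX = RegQueryValueEx status kept across RegCloseKey
;   ESI = first character of the text to display
;   ECX = scan cursor, EDX = one past the last byte returned
;-----------------------------------------------------------------------
        ; Leave one byte spare so a terminator can always be written,
        ; even when the value fills the buffer.
        MOV     lpcbData, SIZEOF szBuff - 1
        ; KEY_READ only (least privilege). The original also asked for
        ; KEY_WRITE, which fails on HKLM for non-administrators and made
        ; every such run report "not found". If the open fails, do not
        ; query: hKey would be whatever was there before.
        INVOKE  RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szOllyKey, 0, KEY_READ, addr hKey
        TEST    EAX, EAX
        JNZ     @DebuggerNotFound
        ; lpType must point at a DWORD; the original passed the 7-byte
        ; string szREGSZ, which the API then overwrote with the type code.
        INVOKE  RegQueryValueEx, hKey, addr szIsOllyKey, 0, addr dwType, addr szBuff, addr lpcbData
        MOV     EBX, EAX                ; keep status across RegCloseKey
        INVOKE  RegCloseKey, hKey       ; the original never closed the handle
        TEST    EBX, EBX
        JNZ     @DebuggerNotFound       ; ERROR_SUCCESS == 0; ERROR_MORE_DATA etc. -> not found
        ; Only string-typed values are meaningful to display.
        CMP     dwType, REG_SZ
        JE      @HaveString
        CMP     dwType, REG_EXPAND_SZ
        JNE     @DebuggerNotFound
@HaveString:
        ; ESI = first character to show; skip an opening quote if there is
        ; one (the original unconditionally assumed it and started at +1).
        MOV     ESI, offset szBuff
        CMP     BYTE PTR [ESI], '"'
        JNE     @NoOpenQuote
        INC     ESI
@NoOpenQuote:
        ; Scan for the closing quote, bounded by the bytes actually
        ; returned (lpcbData) and by the NUL terminator. The original
        ; loop had neither bound and ran off the buffer whenever the
        ; value contained no quote.
        MOV     ECX, ESI
        MOV     EDX, offset szBuff
        ADD     EDX, lpcbData           ; one past the last byte written
@SeekQuote:
        CMP     ECX, EDX
        JAE     @CutHere                ; data exhausted (unsigned: these are addresses)
        MOV     AL, BYTE PTR [ECX]
        TEST    AL, AL
        JZ      @CutHere                ; terminator reached, nothing to strip
        CMP     AL, '"'
        JE      @CutHere
        INC     ECX
        JMP     @SeekQuote
@CutHere:
        ; ECX <= szBuff + SIZEOF szBuff - 1 here, so the write is in bounds;
        ; when we stopped on the NUL this just rewrites the NUL.
        MOV     BYTE PTR [ECX], 0
        INVOKE  MessageBox, 0, ESI, addr DbgFoundTitle, MB_ICONWARNING
        JMP     @exit
@DebuggerNotFound:
        INVOKE  MessageBox, 0, addr DbgNotFoundText, addr DbgNotFoundTitle, MB_ICONINFORMATION
@exit:
        INVOKE  ExitProcess, 0
end start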
|