|
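The HideDebugger plugin only works with OllyDbg version 1.08 or later, and only when the OS is WinNT, 2000, or XP...
Some code from the ODBG_Plugininit function of the HideDebugger plugin (in the listing below, the version check is the compare against 108 and the OS check is the call to IsWinNT):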
; IsWinNT - platform check called from _ODBG_Plugininit.
; Takes no stack arguments. Fills the global VersionInformation structure
; through GetVersionExA and returns in eax:
;   1  if VersionInformation.dwPlatformId == VER_PLATFORM_WIN32_NT
;   0  otherwise, including when GetVersionExA itself fails
; NOTE(review): only dwPlatformId is tested in the lines shown; no major/minor
; version field is compared here.
text:100013F4 IsWinNT proc near ; CODE XREF: _ODBG_Plugininit+Fp
.text:100013F4 C7 05 F0 31 00 10+ mov VersionInformation.dwOSVersionInfoSize, 94h ; size field is set before the call; 94h = 148 bytes (size of OSVERSIONINFOA)
.text:100013FE 68 F0 31 00 10 push offset VersionInformation ; lpVersionInformation
.text:10001403 FF 15 40 10 00 10 call ds:GetVersionExA ; Get extended information about the
.text:10001403 ; version of the operating system
.text:10001409 0B C0 or eax, eax ; set ZF from the API result (zero = call failed)
.text:1000140B 74 0C jz short locret_10001419 ; on failure return with eax still 0
.text:1000140D 33 C0 xor eax, eax ; clear eax so that setz below yields a clean 0/1
.text:1000140F 83 3D 00 32 00 10+ cmp VersionInformation.dwPlatformId, VER_PLATFORM_WIN32_NT ; cmp does not modify eax
.text:10001416 0F 94 C0 setz al ; al = 1 when the platform id matched, else 0
.text:10001419
.text:10001419 locret_10001419: ; CODE XREF: IsWinNT+17j
.text:10001419 C3 retn
.text:10001419 IsWinNT endp
....
; _ODBG_Plugininit - plugin initialisation routine (excerpt: the body between
; 10001462 and 100016E9 is elided on this page).
; Visible behaviour: returns eax = -1 when the version argument is below 108
; (unsigned compare) or when IsWinNT returns 0.
; The argument offsets below are relative to esp after the four register
; pushes (16 bytes), with the return address at [esp+10h]; [esp+14h] is
; therefore the first stack argument and [esp+18h] the second.
.text:1000144C _ODBG_Plugininit proc near
.text:1000144C
.text:1000144C ollyDbgVer = dword ptr 14h ; first stack argument; compared against 108 below
.text:1000144C hwndOlly = dword ptr 18h ; second stack argument; not referenced in the lines shown
.text:1000144C
.text:1000144C 55 push ebp ; save ebp, ebx, esi, edi; restored in reverse order at loc_100016EC
.text:1000144D 53 push ebx
.text:1000144E 56 push esi
.text:1000144F 57 push edi
.text:10001450 83 7C 24 14 6C cmp [esp+ollyDbgVer], 108 ; 108 decimal (immediate byte 6Ch); this is the "ver >= 1.08" check
.text:10001455 0F 82 8E 02 00 00 jb loc_100016E9 ; unsigned below 108 -> failure path
.text:1000145B E8 94 FF FF FF call IsWinNT ; eax = 1 only if the platform id is VER_PLATFORM_WIN32_NT
.text:10001460 0B C0 or eax, eax ; set ZF from the IsWinNT result
.text:10001462 0F 84 81 02 00 00 jz loc_100016E9 ; IsWinNT returned 0 -> failure path
.......
9 loc_100016E9: ; CODE XREF: _ODBG_Plugininit+9j
.text:100016E9 ; _ODBG_Plugininit+16j ...
.text:100016E9 33 C0 xor eax, eax
.text:100016EB 48 dec eax ; eax = 0 - 1 = 0FFFFFFFFh (-1); presumably the failure status returned to OllyDbg
.text:100016EC
.text:100016EC loc_100016EC: ; CODE XREF: _ODBG_Plugininit+29Bj
.text:100016EC 5F pop edi ; common epilogue; also reached from the elided code at +29B with eax set there
.text:100016ED 5E pop esi
.text:100016EE 5B pop ebx
.text:100016EF 5D pop ebp
.text:100016F0 C3 retn ; plain retn (C3): the callee does not pop its stack arguments
.text:100016F0 _ODBG_Plugininit endp
|