It is one of the additions. Yeah, people can bypass it, but instead of a MessageBox I can directly end the program or not execute anything which could trigger in Olly.
What I mean is, "Is_Debugger_Present" and such is visible in OllyDbg BEFORE OllyDbg even runs the exe... so they can just bypass it from there, in stepping mode. No? I'm not an ASM expert but it doesn't look very safe to me.
It's widely known by the RE community that inlining functions adds another level of defense (obscurity). Especially inlining IsDebuggerPresent is a rather old trick. Furthermore, it's still as easy to bypass as all the other lines of defense. Trial-and-error and tracing back to the instruction that caused it is an appropriate way for this. The hop from the TEB to the PEB and the specific flag is also quite easy to detect.
Don't get me wrong, I appreciate your contribution, but I just want to make the readers aware that this is not THE solution they were waiting for regarding anti-cracking or so.
This is bypassed just by deleting the debugged flag, which is standard for any debugger hiding plugin for OllyDbg. So it does not add anything to the protection.
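Added example, not part of any post in this thread: a small Python scan showing why the TEB-to-PEB hop and the read of the flag at PEB offset 2 stand out in a code section even when IsDebuggerPresent is inlined. The function name, the 16-byte window and the sample bytes are assumptions made for this illustration, and only the common eax/rax encodings are covered.

```python
# Added example: heuristic byte scan for an inlined PEB.BeingDebugged read.
# Only eax/rax encodings are matched; other registers need a real disassembler.
PEB_LOADS = {
    "x86 PEB via fs:[30h]": bytes.fromhex("64A130000000"),
    "x86 TEB via fs:[18h], PEB at [eax+30h]": bytes.fromhex("64A1180000008B4030"),
    "x64 PEB via gs:[60h]": bytes.fromhex("65488B042560000000"),
}
FLAG_READS = {  # reg is eax on x86, rax on x64 (same encoding)
    "movzx eax, byte [reg+2]": bytes.fromhex("0FB64002"),
    "mov al, [reg+2]": bytes.fromhex("8A4002"),
    "cmp byte [reg+2], imm8": bytes.fromhex("807802"),
}
WINDOW = 16  # assumption: the flag read follows the PEB load within 16 bytes


def find_inlined_checks(code: bytes, base: int = 0):
    """Return (address, load_name, read_name) for each PEB load followed by a +2 read."""
    hits = []
    for load_name, load in PEB_LOADS.items():
        pos = code.find(load)
        while pos != -1:
            tail_start = pos + len(load)
            tail = code[tail_start:tail_start + WINDOW]
            for read_name, read in FLAG_READS.items():
                if read in tail:
                    hits.append((base + pos, load_name, read_name))
                    break
            pos = code.find(load, pos + 1)
    return sorted(hits)


# Constructed sample: a 32-bit IsDebuggerPresent-style body inlined between
# unrelated instructions, plus a PEB load that never touches offset 2.
SAMPLE = (
    bytes.fromhex("5589E5")                # push ebp; mov ebp, esp
    + bytes.fromhex("64A1180000008B4030")  # mov eax, fs:[18h]; mov eax, [eax+30h]
    + bytes.fromhex("0FB64002")            # movzx eax, byte [eax+2]
    + bytes.fromhex("85C07505")            # test eax, eax; jnz +5
    + bytes.fromhex("64A130000000")        # mov eax, fs:[30h]
    + bytes.fromhex("8B400C")              # mov eax, [eax+0Ch] (PEB.Ldr, not the flag)
    + bytes.fromhex("5DC3")                # pop ebp; ret
)

if __name__ == "__main__":
    for addr, load_name, read_name in find_inlined_checks(SAMPLE, base=0x401000):
        print(f"{addr:#x}: {load_name}; {read_name}")
```

The second PEB load in the sample reads offset 0Ch rather than offset 2, so it is not reported; the scan keys on the pair of instructions, not on the PEB access alone.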