 Welcome to BiW Reversing
 Friday, September 10 2010 @ 10:24 PM CEST
ExeShield 3.7 - manually unpacking | 2 comments
ExeShield 3.7 - manually unpacking
Authored by: Devoney on Tuesday, October 09 2007 @ 09:50 AM CEST
There is also a way to modify OllyDbg so it does not use OLLYDBG as the class to make its window with. Of course you first need to understand how the security of the app works. But when playing with cracking it, continuously changing the option "Break on new module" and setting a breakpoint on FindWindowA costs a lot of time. Once understood, you can get around this by doing the following:

Open OllyDbg in OllyDbg. Set a breakpoint on RegisterClassA with "Set a breakpoint on every reference". Run OllyDbg. OllyDbg breaks; one parameter is pushed before calling the function RegisterClassA. In my case this is ECX. ECX is the pointer to a DWORD.

    00431E34  |.  52            PUSH EDX        ; /pWndClass = 0012F884
    00431E35  |.  E8 14E30600   CALL            ; RegisterClassA

Looking at the memory registers at the right, I see that EAX is a pointer to ASCII "OLLYDBG". EAX holds the hex value "4A7B4C". Right click this value and select "follow in dump". In the left box below we can now change the bytes so we get another text, as long as it's not longer (shorter could be??). Now back up the file, and OllyDbg does not use OLLYDBG as class anymore, so ExeShield cannot find OllyDbg by its class anymore. I don't know if the plugin to hide OllyDbg does the same. Great tutorial!
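The byte-level edit the comment above describes, written out as an added example (not code from the original post or from OllyDbg): a same-length overwrite of the NUL-terminated "OLLYDBG" class-name string in a constructed byte buffer standing in for the debugger's executable. It extends the post's rule slightly by also accepting a shorter name, NUL-padded to the original length, since a C string is read only up to its first NUL; `patch_file` and the `.bak` naming are assumptions, not anything the post specifies.

```python
"""Same-length rename of a window-class string in a binary image.

Illustrates why a protector's FindWindowA("OLLYDBG") check is a weak
debugger-detection signal: the string it looks for is a plain C string in
the debugger's executable and can be renamed without moving any other byte.
"""
import shutil
from pathlib import Path

OLD_CLASS = b"OLLYDBG"


def rename_window_class(image: bytes, new_name: bytes, old_name: bytes = OLD_CLASS) -> bytes:
    """Return a copy of `image` with `old_name` replaced by `new_name`.

    `new_name` may be shorter than `old_name` (it is NUL-padded) but never
    longer: the string is referenced by absolute address (the pointer seen in
    EAX before RegisterClassA in the post), so no offset in the file may shift.
    """
    if len(new_name) > len(old_name):
        raise ValueError("replacement must not be longer than the original")
    if b"\x00" in new_name:
        raise ValueError("replacement must not contain NUL bytes")
    # Include the terminator so we match the string's end, not a prefix of a
    # longer string, and demand exactly one hit so nothing else is touched.
    needle = old_name + b"\x00"
    hits = image.count(needle)
    if hits != 1:
        raise ValueError(f"expected exactly one occurrence of {old_name!r}, found {hits}")
    padded = new_name.ljust(len(old_name), b"\x00") + b"\x00"
    return image.replace(needle, padded)


def patch_file(path: Path, new_name: bytes) -> Path:
    """Back up `path` to `<path>.bak` (as the post advises), patch it in place,
    and return the backup path. Hypothetical helper, not OllyDbg's own."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_bytes(rename_window_class(path.read_bytes(), new_name))
    return backup


# Constructed sample image: filler bytes around the class-name string and a
# neighbouring string, standing in for a slice of the debugger's data section.
SAMPLE_IMAGE = b"\x90\x90" + b"OLLYDBG\x00" + b"MainWin\x00" + b"\xcc\xcc"

if __name__ == "__main__":
    print(rename_window_class(SAMPLE_IMAGE, b"MYDBGXX"))
```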

 Copyright © 2010 BiW Reversing