On Thu, Jan 23, 2003 at 10:12:32AM +0100, Rein Klazes wrote:
Hi,
The latest version of newsbin 4.1B5 refuses to run, displaying "debugger or monitoring tool detected".
The detection code is very simple, immediately at the program entry point 0x516000 it does (intel syntax):
| Disassembly of 0x00516000
| 0x51600D: 64A023000000 mov al,fs:[0x23]
| 0x516013: EB03 jmp 0x516018
| ;***************************************************
| 0x516018: 84C0 test al,al
| 0x51601A: EB03 jmp 0x51601f
| ;***************************************************
| 0x51601F: 7567 jnz 0x516088
This jump is taken and leads immediately to the messagebox displaying the message above.
Any ideas and/or explanation?
Well, we store the thread pid there, see thread.h:
DWORD pid; /* !2- 20 Process id (win95: debug context) */
Try to move the pid somewhere else and mark this field as unused.
Ciao, Marcus
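
Added example (not part of the original thread and not Wine's code): a small C model of why the check above fires. The byte at fs:[0x23] is the most significant byte of the little-endian DWORD at offset 0x20, so any pid with a non-zero top byte trips the test, while leaving that DWORD unused makes it pass. The TEB is modelled as a plain byte buffer; `OFF_PID_MOVED` and the sample pids are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEB_SIZE      0x100  /* constructed buffer standing in for the TEB */
#define OFF_PID       0x20   /* offset from the thread.h comment quoted above */
#define OFF_PROBE     0x23   /* byte read by: mov al,fs:[0x23] */
#define OFF_PID_MOVED 0x80   /* hypothetical new home for the pid (assumption) */

/* Store a 32-bit value little-endian, as x86 does. */
static void put_le32(uint8_t *teb, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        teb[off + i] = (uint8_t)(v >> (8 * i));
}

/* Layout from the reply: the pid occupies the DWORD at 0x20..0x23. */
void teb_init_pid_at_20(uint8_t *teb, uint32_t pid)
{
    memset(teb, 0, TEB_SIZE);
    put_le32(teb, OFF_PID, pid);
}

/* Suggested change: pid stored elsewhere, DWORD at 0x20 left unused (zero). */
void teb_init_pid_moved(uint8_t *teb, uint32_t pid)
{
    memset(teb, 0, TEB_SIZE);
    put_le32(teb, OFF_PID_MOVED, pid);
}

/* The entry-point check: mov al,fs:[0x23]; test al,al; jnz <message box>. */
int detection_fires(const uint8_t *teb)
{
    return teb[OFF_PROBE] != 0;
}

int main(void)
{
    uint8_t teb[TEB_SIZE];
    uint32_t pids[] = { 0x00000123u, 0x08000010u };  /* constructed samples */
    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        teb_init_pid_at_20(teb, pids[i]);
        int at20 = detection_fires(teb);
        teb_init_pid_moved(teb, pids[i]);
        printf("pid=0x%08x  pid@0x20: %d  pid moved: %d\n",
               (unsigned)pids[i], at20, detection_fires(teb));
    }
    return 0;
}
```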