.386
      .model flat, stdcall
      option casemap :none   ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

    .data
       DbgNotFoundTitle db "Debugger status:",0h
       DbgFoundTitle db "Debugger status:",0h
       DbgNotFoundText db "Debugger not found!",0h
       DbgFoundText db "Debugger found!",0h
       OriginalFileName db "%s%s.exe",0h
    .data?
       filename db 512 dup(?)
    .code

start:

; MASM32 BadStringFormat example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This example takes advantage of OllyDBG not handleing strings properly.
; Code is based on Piotr Bania`s description.
; How does it work? If we name the file %s%s or any other name that has
; %s%s in it`s name OllyDBG will crash.
; How to use this?
; We just check if the file has been renamed.

PUSH 512
PUSH offset filename ;%s%s.exe
PUSH 0
CALL GetModuleFileName

MOV ECX,offset filename
ADD ECX,EAX

  @SeekFileName:
DEC ECX
CMP BYTE PTR[ECX],'\'
JNE @SeekFileName

MOV BYTE PTR[ECX],0
INC ECX

PUSH ECX
PUSH offset OriginalFileName ;%s%s.exe
CALL lstrcmp

TEST EAX,EAX
JNE @DebuggerDetected

PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox

JMP @exit
  @DebuggerDetected:

PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox

  @exit:

PUSH 0
CALL ExitProcess

end start

rule Detect_OllyDBG_BadFormatTrick: AntiDebug {
    meta: 
        description = "Detect bad format not handled by Ollydbg"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "%s%s.exe" fullword ascii
    condition:   
       $1
}