last update @ 24.09.03

contact me via email : cdaemon@gmx.net or via irc (efnet) #unpacking

yeah yeah!!!! my first ring0 tracer... it's really lame... but hey! it (ring0-with api) worx!!!! this one is able to detect calls, puts an int3 @ next eip (after returning from our call) and reenables trap flag in eflags... (reenables tracing engine this way) (several bugs in it!!! stack problems...)

same as above one just a little bit better (again!) Heavy worx only for soft-ice (unpatched, and not hided with frogs-ice...) (i haven't tested it with frogs-ice so i can't tell u what happens if u have loaded it)

another trick how to kill debug register breaking (could also be ported to NT by using context_structure instead of idt interrupt redirecting)

please enable I3HERE ON! if u execute this file!!! it shows u a nice example, how u could defeat single stepping! be careful with this program it could crash your system with easy!

same as above, BUT using a VXD instead of exploiting Ring0

using fs:[20h] to detect if the program is being executed under an application debugger! like Ollydbg ;-) (do you remember Hypno ???)

using int1 to detect the presence of soft-ice

A small breakpoint table scanner for softice --- works for ALL os now (thx EliCZ!)

by scanning the loaded drivers (simple but as always EFFECTIVE!)

using PEB (aka FS:[30h]) (detects appdebuggers like Ollydbg!)

ähmm, yeah! just played around with icedump and saw that they prevent the setting of the gd-flag in debug register 7! so the easiest way is to set gd-flag and check afterwards if it's still turned on

how to detect if softice is running in memory or not :) this idea came in my mind while reading the .docs and while playing around with icedump! icedump installs new interrupt handlers for a lot of interrupts so why not compare em ???? this method worx VERY good!

this program detects if it got traced via the lovely \tracex command! and YEAH it's for the updated version of their tracer icedump v6.0.2.4! idea in here is simple! \tracex command sets up a fake idt and this is what we use to detect it! if u wanna test this program, please let icedump trace it till the messagebox!

another way how we can determine if icedump is (or was) active in memory (checking the interrupt 0x68) icedump just patches it to 0xCF (iret) So why not check for 0xCF ???? (worx fine!)

idea is again easy just gaining r0 (via idt! pretty lame i know!) then calling VMMCall GetVxDLocationList and scanning the vxd names (etc) (tested with softice v4.00 and icedump 6.0.2.5)

idea is again easy... we just modify the permissions of the page! (nearly NO one uses this stuff beside of SVKP)... turn \PROTECT on and execute this file... icedump WON'T catch the IDT accesses :)

added a new command to icedump called: \hook for hooking any api in any dll (global and iat hooking)

it's just a small program i developed to hook any api via our beloved export table

just a small piece of code... don't blame me! i know the source might be pretty incompatible better use the above one!

just another idea... nothing special!

a nice way how to stop the process getting loaded from an unpacker for example or any other app (using fs:30h to get pointer to the process database)

Playing around with page_access levels.... very nice idea by silicon_realms (armadillo)

same idea as above but a bit changed (it's just a test and it suceeded!)

A nice lookup table (collected em all... hopefully i didn't miss any!)

Still under development

hook_v86_int_chain installs the handler in the system

the com file then executes the interrupt which is getting caught by my handler.... nothing more!

hook_v86_int_chain installs the handler in the system (allocates memory in the system area... copies the hooking routine to that place and stays active after ExitProcess) the com file then executes the interrupt which is getting caught by my handler.... nothing more! a little bit improved with VxDCall SYSMODAL_Message etc... defeating Sice detection via int68h (ah=43)

a nice vxd, that shows u whenever an int1 or 3 gets executed in your sice console (using vwin32 trace_out) (cs:eip)

just a small source for generating crc

just a small source rc4 in asm (mainly done by tE!)

encryption algo based on rc4 (just modified!)

unpacker for lame encryptor

unpacker for ryptor

unpacker for scc

unpacker for idec

unpacker for noodlecrypt

unpacker for softlocx

unpacker for visual protect

unpacker for pc guard

unpacker for tElock (this version got never released to the public!)

unpacker for different Bit-Arts Products!

unpacker for k-kryptor.k2

unpacker for k-kryptor.k4

unpacker for k-kryptor.k5

unpacker for k-kryptor.k8 (ONLY DUMP REBUILDER!!!)

full decryptor for Armadillo v2.51 (Final Build, Trial Version)

full decryptor for Softdefender V1.1

crackme8 by noodlespa solved

A tutorial on general unpacking (GERMAN!)

finally i release a public version of it :))) people don't cry, it's damn incompatible so be warned... use it only @ tasm generated files!!! otherwise it will fail in 90% :)))