LaZaRuS [hf] proudly presents his 14. Cracking Tutorial (30.05.1999)

How to detect MeltIce

I.   Tools you need for my tutorial
II.  The Crack
III. BTW


I. Tools you need for my tutorial

W32Dasm (get it at CrackZ page; you find a link at http://come.to/hellforge).
It's better to have SICE and a C++ compiler, but you won't need them, only if you want to check whether I am telling you the truth.


II. The Crack

Greetings. This time I once more have no special target; instead I want to have a look at an anti-SoftIce routine called MeltIce. This is a small routine which finds SICE when the SICE VXD is installed. Let's have a look at the source (C++).
    #include <windows.h>

    //////////////////////////////////////////////////////////////////////
    //
    // See if SoftICE for Windows 95 is loaded
    //
    BOOL IsSoftIce95Loaded()                    // Function IsSoftIce95Loaded (returns TRUE/FALSE)
    {
        HANDLE hFile;                           // define a handle for a file

        // "\\.\SICE" without escape stuff
        hFile = CreateFile( "\\\\.\\SICE",
                            GENERIC_READ | GENERIC_WRITE,        // Looks
                            FILE_SHARE_READ | FILE_SHARE_WRITE,  // for
                            NULL,                                // the VXD
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL,
                            NULL);
        if( hFile != INVALID_HANDLE_VALUE )     // If it is there
        {
            CloseHandle(hFile);                 // then close the file
            return TRUE;                        // and return TRUE
        }
        return FALSE;                           // else return FALSE
    }

    //////////////////////////////////////////////////////////////////////
    //
    // See if SoftICE version 3.x for Windows NT is loaded
    //
    BOOL IsSoftIceNTLoaded()                    // Absolutely the same for the WINICE VXD
    {
        HANDLE hFile;

        // "\\.\NTICE" without escape stuff
        hFile = CreateFile( "\\\\.\\NTICE",
                            GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL,
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL,
                            NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

I implemented them in a test proggie (Borland C++ Builder 4) in this way. This snippet is called when the main window is created (Form1->OnCreate):

    if( IsSoftIce95Loaded() )           // If it detects SICE for WIN95
        Application->Terminate();       // Bye, bye
    else if( IsSoftIceNTLoaded() )      // If it detects NTICE
        Application->Terminate();       // Bye, bye
    ...

Now I compiled it (static linker, linked packages) and had a look at the asm code in W32Dasm. The correct passage was easy to detect, because the strings "\\\\.\\SICE" and "\\\\.\\NTICE" are hardcoded. You find the correct passage with the help of the string reference.
You will see this:

    :004014D4 6A00                    push 00000000
    :004014D6 6880000000              push 00000080
    :004014DB 6A03                    push 00000003
    :004014DD 6A00                    push 00000000
    :004014DF 6A03                    push 00000003
    :004014E1 68000000C0              push C0000000

    * Possible StringData Ref from Data Obj ->"\\.\SICE"
                                      |
    :004014E6 6828734400              push 00447328

    * Reference To: KERNEL32.CreateFileA, Ord:0000h
                                      |
    :004014EB E806440400              Call 004458F6                      // Create the file
    :004014F0 8945FC                  mov dword ptr [ebp-04], eax
    :004014F3 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF   // is the file there
    :004014F7 7410                    je 00401509                        // if not, then jump
    :004014F9 FF75FC                  push [ebp-04]

    * Reference To: KERNEL32.CloseHandle, Ord:0000h                      // Close the file
                                      |
    :004014FC E8E3430400              Call 004458E4
    :00401501 B801000000              mov eax, 00000001                  // return eax=1
    :00401506 59                      pop ecx
    :00401507 5D                      pop ebp
    :00401508 C3                      ret                                // Return from procedure

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004014F7(C)                                                        // File doesn't exist
    |
    :00401509 33C0                    xor eax, eax                       // return eax=0
    :0040150B 59                      pop ecx
    :0040150C 5D                      pop ebp

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004014A2(C)
    |
    :0040150D C3                      ret                                // Return from procedure

For NTICE it is completely the same, and you will find the reference only a few lines farther down.

That was rather easy, so let's make the conditions harder. This time the strings are not hardcoded anymore. (One moment, I must write a proggie, but I'll be back in some minutes ;-) OK, I am back.
I changed those lines for SICE:

    // 92 = '\', 46 = '.', 83 73 67 69 = "SICE"; built at run time instead of stored as a literal
    String SICE=String(char(92))+String(char(92))+String(char(92))+String(char(92))+
                String(char(46))+String(char(92))+String(char(92))+String(char(83))+
                String(char(73))+String(char(67))+String(char(69));    // That's \\\\.\\SICE
    hFile = CreateFile( SICE.c_str(),       // give my string to create the file

The same for NTICE:

    // 78 84 73 67 69 = "NTICE"
    String ntice=String(char(92))+String(char(92))+String(char(92))+String(char(92))+
                 String(char(46))+String(char(92))+String(char(92))+String(char(78))+
                 String(char(84))+String(char(73))+String(char(67))+String(char(69));
    hFile = CreateFile( ntice.c_str(),

Let's have a look at the code in W32Dasm. There is no string left we could refer to. But remember, our first approach gave us many parts of code that could be useful for us and should be unchanged. One thing we can find rather easily is the CreateFileA. This is our starting point. Let's search for CreateFileA until we find something comparable to the code we found in our first approach. In my case it was the first CreateFileA I found in W32Dasm.
I saw this:

    :004017B0 6A00                    push 00000000
    :004017B2 6880000000              push 00000080
    :004017B7 6A03                    push 00000003
    :004017B9 6A00                    push 00000000
    :004017BB 6A03                    push 00000003
    :004017BD 68000000C0              push C0000000
    :004017C2 8D45FC                  lea eax, dword ptr [ebp-04]
    :004017C5 E88E000000              call 00401858
    :004017CA 50                      push eax

    * Reference To: KERNEL32.CreateFileA, Ord:0000h                      // Create File
                                      |
    :004017CB E8CE5B0400              Call 0044739E
    :004017D0 894584                  mov dword ptr [ebp-7C], eax
    :004017D3 837D84FF                cmp dword ptr [ebp-7C], FFFFFFFF   // Does it exist
    :004017D7 742B                    je 00401804                        // If not, then jump
    :004017D9 FF7584                  push [ebp-7C]

    * Reference To: KERNEL32.CloseHandle, Ord:0000h                      // else close file
                                      |
    :004017DC E8AB5B0400              Call 0044738C
    :004017E1 B801000000              mov eax, 00000001                  // and return eax=1
    :004017E6 50                      push eax
    :004017E7 FF4DA4                  dec [ebp-5C]
    :004017EA 8D45FC                  lea eax, dword ptr [ebp-04]
    :004017ED BA02000000              mov edx, 00000002
    :004017F2 E8F1580400              call 004470E8
    :004017F7 58                      pop eax
    :004017F8 8B5588                  mov edx, dword ptr [ebp-78]
    :004017FB 64891500000000          mov dword ptr fs:[00000000], edx
    :00401802 EB1E                    jmp 00401822                       // jump to "Back"

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004017D7(C)
    |
    :00401804 33C0                    xor eax, eax                       // return eax=0
    :00401806 50                      push eax
    :00401807 FF4DA4                  dec [ebp-5C]
    :0040180A 8D45FC                  lea eax, dword ptr [ebp-04]
    :0040180D BA02000000              mov edx, 00000002
    :00401812 E8D1580400              call 004470E8
    :00401817 58                      pop eax
    :00401818 8B5588                  mov edx, dword ptr [ebp-78]
    :0040181B 64891500000000          mov dword ptr fs:[00000000], edx

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00401802(U)                                                        // "Back"
    |
    :00401822 8BE5                    mov esp, ebp
    :00401824 5D                      pop ebp
    :00401825 C3                      ret                                // return to main

As always, the equivalent for NTICE is located some lines farther down (search for CreateFileA again; it should be the next one).

What can we learn? Good question! We can learn how to detect MeltIce and get rid of it.
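Before deciding where to intervene, it helps to have this fingerprint in a reusable form. As an added example (my code, not part of the tutorial), the Python script below applies the lesson of both builds to a raw code image: it keys on the fixed CreateFileA argument pushes and the INVALID_HANDLE_VALUE test rather than on the string, so it still finds the second build, and separately reports whether the device names are literal. The sample bytes are constructed from the two listings; the 64-byte search window, the NOP padding and the resulting offsets are my own choices.

```python
import re

# Added example, not the tutorial's code: a static triage scan for the MeltIce shape.
# The six argument pushes that precede KERNEL32.CreateFileA in both listings:
# push 0 (hTemplateFile), push 0x80 (FILE_ATTRIBUTE_NORMAL), push 3 (OPEN_EXISTING),
# push 0 (lpSecurityAttributes), push 3 (FILE_SHARE_READ|FILE_SHARE_WRITE),
# push 0xC0000000 (GENERIC_READ|GENERIC_WRITE). Any CreateFile call with exactly
# these flags matches, so a hit is a candidate to inspect, not proof of MeltIce.
PUSH_PATTERN = bytes.fromhex("6A00 6880000000 6A03 6A00 6A03 68000000C0")

# Device names MeltIce opens: literal in the first build, assembled from
# char codes in the second, so they may be missing from the image entirely.
DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\NTICE")

# cmp dword ptr [ebp+disp8], FFFFFFFF ; je rel8 == the INVALID_HANDLE_VALUE test
HANDLE_CHECK = re.compile(rb"\x83\x7D.\xFF\x74.", re.DOTALL)

def scan_meltice(image: bytes) -> list:
    """One dict per site whose pushes, call and handle test match the listings."""
    hits = []
    pos = image.find(PUSH_PATTERN)
    while pos >= 0:
        after = pos + len(PUSH_PATTERN)
        check = HANDLE_CHECK.search(image, after, after + 64)
        if check:
            # The last E8 (call rel32) before the cmp is the CreateFileA call; the
            # lpFileName push (or the c_str() call of the second build) precedes it.
            call = image.rfind(b"\xE8", after, check.start())
            hits.append({"args_offset": pos, "createfile_call": call,
                         "handle_check": check.start()})
        pos = image.find(PUSH_PATTERN, after)
    return hits

def find_device_names(image: bytes) -> dict:
    """Offsets of NUL-terminated device names; empty lists when they are not literal."""
    return {n.decode(): [m.start() for m in re.finditer(re.escape(n + b"\x00"), image)]
            for n in DEVICE_NAMES}

# Constructed sample: the opcode bytes of the two listings above (hard-coded
# build, then the String(char(..)) build) plus the literal the first one
# references, padded with NOPs. Not a real PE file.
HARDCODED = bytes.fromhex(
    "6A00 6880000000 6A03 6A00 6A03 68000000C0 6828734400 E806440400 "
    "8945FC 837DFCFF 7410 FF75FC E8E3430400 B801000000 59 5D C3")
OBFUSCATED = bytes.fromhex(
    "6A00 6880000000 6A03 6A00 6A03 68000000C0 8D45FC E88E000000 50 "
    "E8CE5B0400 894584 837D84FF 742B FF7584 E8AB5B0400 B801000000")
SAMPLE = (b"\x90" * 16 + HARDCODED + b"\x90" * 16 + OBFUSCATED
          + b"\x90" * 8 + b"\\\\.\\SICE\x00")
```

Run scan_meltice(SAMPLE) and find_device_names(SAMPLE) on the sample: both CreateFileA sites are reported, but only the first build shows a literal "\\.\SICE", which is exactly why the second build has to be found through the call and not through the string.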
To get rid of it, either change the jump (as I prefer) or the line where eax gets 1 (change that to mov eax, 00000000). Then a small anti-SICE routine would be wasted. I don't know if MeltIce is often used; in fact I never experienced it, and I believe I am the only guy (in my CrackMes) that uses it. So you have at least some starting points for my CrackMes. That's all folks. I hope you came until here ;-)


III. BTW

Hope my tutorial was helpful for you and see you again in my next tutorial.

Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and all [hf] members


All Tutorials by LaZaRuS [hf]

     #| date   | name                 |version|W32Dasm|Soft-Ice|kind of crack
    --|--------|----------------------|-------|-------|--------|----------------------------------------------------------
    01|20.01.99|Jaylock               |1,0,0,1|  (X)  |  (X)   |serial#
    02|31.01.99|Goldwave              |4.02   |  (X)  |  (X)   |serial#, nag-screens
    03|28.03.99|AxMan                 |3.00   |  (X)  |  (X)   |serial#, remove date-limit, nag-screen, key generator
    04|29.03.99|C++Builder Strings    |       |  (X)  |  (X)   |how to find strings in C++ Builder that are not hardcoded
    05|29.03.99|Better Protection     |       |       |        |how to protect shareware better against crackers
    06|04.04.99|Start Clean           |1.2    |  (X)  |  (X)   |nag-screen/serial/keygen
    07|06.04.99|MP3 TO EXE            |1.02   |  (X)  |  (X)   |nag-screen/serial
    08|06.04.99|HexDecCharEditor      |1.02   |  (X)  |        |make it registered
    09|20.04.99|PowerZip              |4.51   |  (X)  |        |serial/time-check/...
    10|24.04.99|eKH CrackMe           |1.0    |  (X)  |        |serial
    11|25.04.99|F-Secure              |4.02   |  (X)  |        |time limit/nag
    12|29.04.99|Latido's JS Reverse Me|3.0    |       |        |serial
    13|24.05.99|Italian Soccer Manager|1.10   | (IDA) |        |patch to remove the time limit
    14|30.05.99|MeltIce               |       |  (X)  |  (X)   |how to defeat this Anti-SICE trick

LaZaRuS [hf]

Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.

If you want to mail me: lazarus666@gnwmail.com