Author: BiSHoP
Target: Defeating anti-SoftICE
Public Release: March 18th, 2001
Author Contact: bishop@biteme.com
Dedication: Lockless
Difficulty Level (1-10): 2
Tools Required: SoftICE 3.2x

Words highlighted in yellow are API functions you should try to get more info on.
Words highlighted in sky blue are disassembled codes from example programs.
Words highlighted in red are important terms you should try to get more info on.

Introduction

Welcome to my eighth tutorial.
This time I will show you how to defeat a few easy anti-SoftICE tricks that some beginners have trouble with.

Tutorial

I have included in the tutorial archive a few example programs I made with SoftICE detection in them.
We will use them as examples because they are very small :)

Now let's start first with BoundsChecker.

BoundsChecker:
BoundsChecker is the signature that SoftICE carries when it is loaded in memory.

To detect BoundsChecker under Windows, the program puts 'BCHK' in register EBP, moves 4 into AX,
then calls interrupt 3h. If the BoundsChecker signature is not found, AL stays 4; if it is detected,
AL becomes 0.
Here's a disassembled listing of the BoundsChecker protection included:

:00401000 BD4B484342   mov ebp, 4243484B   ; 'BCHK'
:00401005 66B80400     mov ax, 0004
:00401009 CC           int 03
:0040100A 3C04         cmp al, 04
:0040100C 7515         jne 00401023

To reverse the protection, just replace 75h 15h with 90h 90h (the NOP opcode) and
it runs fine (type A in SoftICE to assemble the change in place).

The next SoftICE protection might be a little complicated for beginners.

Int 3 hooker (no, this isn't the prostitute you want):
It uses an INT 3 hook, which will raise an exception and crash the computer, but
by setting up an exception filter first, the program continues normally at a given offset.
This is done by calling SetUnhandledExceptionFilter, whose parameter is the
address the program will go to if the interrupt raises an exception. If you do not have a debugger loaded,
it will continue normally after the INT 3. Here's the listing of the disassembled program:

:00401000 6820104000   push 00401020
* KERNEL32.SetUnhandledExceptionFilter
:00401005 E83C000000   call 00401046
:0040100A CC           int 03
:0040100B 6A00         push 00000000


To defeat this, create a breakpoint on SetUnhandledExceptionFilter in SoftICE and run
the program; SoftICE should pop up inside the API code. Press F11 once and you will be
on the line with the INT 3h. Be careful not to step over this instruction in SoftICE; if you do, you'll
most likely get the Blue Screen of Death and will have to restart Windows. To pass the
check, either change CCh to 90h (NOP) or type "R EIP=40100B" in
SoftICE. R displays or changes a register; in our case we are changing EIP, which holds
the address of the next instruction to execute. So we skip the interrupt and the program runs normally.

Now for a more stable way to detect SoftICE, using interrupt 68h.
Interrupt 68h:
This interrupt returns F386h in AX if WinICE (SoftICE) is detected.
Here's the example program disassembled:

:00401000 B443         mov ah, 43
:00401002 CD68         int 68
:00401004 663D86F3     cmp ax, F386
:00401008 7415         je 0040101F

(Information from FrogsICE's documentation - +Frog's Print & +Spath)
You cannot set a breakpoint on interrupt 68h with "BPINT 68", but you can
hook it like this: "BPX exec_int if ax==68". When it breaks, type "D EBP+48"
in SoftICE and you should see in the Data Window something similar to:
xxxx:XXXXXXXX 04 10 40 00 ...
x is the section (or segment, in old DOS terms) and X is the offset address. 04 10 40 00 is
stored in Little-Endian; read as a dword it is 00401004 (the Big-Endian form SoftICE takes), so we clear the
breakpoints with "BC *" and set a breakpoint on 401004. Now press F5 and we land right on the compare
between AX and the immediate value F386h. We step over it and, since SoftICE is loaded, we
see that the zero flag is set and it will jump to 40101F, which is the "Bad" message.
We can flip the flag by typing "R FL Z" (Z as in Zero Flag) and the jump will not be taken.
Or we can change 74h 15h to 90h 90h so it never jumps; to make that permanent,
we have to patch the file with a hex editor.

And now last but not least, the ICE melter...
MeltICE:
This method, in my opinion, is the easiest of all the SoftICE protections to detect and remove.
It has been widely translated into different programming languages such as Delphi, Win32ASM and
C++, and believe it or not, I was able to change the parameters to adapt it to VB.
Here's the disassembled code for MeltICE:

:00401021 6A00         push 00000000       ; hTemplateFile
:00401023 6880000000   push 00000080       ; dwFlagsAndAttributes
:00401028 6A03         push 00000003       ; dwCreationDisposition
:0040102A 6A00         push 00000000       ; lpSecurityAttributes
:0040102C 6A03         push 00000003       ; dwShareMode
:0040102E 68000000C0   push C0000000       ; dwDesiredAccess
:00401033 683E304000   push 0040303E       ; lpFileName -> '\\.\SICE'
* KERNEL32.CreateFileA
:00401038 E84F000000   call 0040108C
:0040103D 83F8FF       cmp eax, FFFFFFFF
:00401040 7515         jne 00401057

It uses CreateFileA to attempt to open the SoftICE driver. If the driver
exists, CreateFileA returns a handle in register EAX. If it is not found, EAX contains FFFFFFFFh
(INVALID_HANDLE_VALUE, or -1 in decimal). SoftICE for Windows NT uses a different driver name, "NTICE", but CreateFileA
can be used in the same way to detect NTICE. To defeat MeltICE, we can just patch the
jump with NOPs and it will run normally. However, some programs use different jump methods,
so the way you patch it depends on the program; just remember to make the program think
EAX = FFFFFFFFh and it will run fine.

Here's some explanation of the words highlighted in red.
Important terms:


Big-Endian is a way of writing a hexadecimal value, most significant byte first; the Windows calculator shows values in Big-Endian.
But when you store the hex value in memory, it is stored in Little-Endian format, which is the
byte-reversed form of Big-Endian. For example, take the hex value 12345678h from Windows Calculator and use
the asm MOV instruction to store it into a memory location, "MOV [00401000], 012345678h". After the
MOV, look at 401000 and the value stored there will show as 78 56 34 12. That is
Little-Endian.
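As an added illustration (not part of the original tutorial), here is a small Python helper that applies the byte-order rule above to the values seen earlier: the 'BCHK' immediate in the BoundsChecker listing, the 04 10 40 00 bytes from the "D EBP+48" data window, the 12345678h calculator example, and the short-jump targets (74 15 / 75 15) in the listings. The data-window bytes are constructed from the tutorial's own example.

```python
import struct


def dword_from_memory(data: bytes) -> int:
    """Read the first 4 bytes of `data` as a little-endian dword (how x86 stores it)."""
    return struct.unpack_from("<I", data, 0)[0]


def dword_to_memory(value: int) -> bytes:
    """Return the bytes as they appear in memory for a 32-bit value."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def fmt(data: bytes) -> str:
    """Format bytes the way a debugger data window shows them: '78 56 34 12'."""
    return " ".join(f"{b:02X}" for b in data)


def tag_as_text(imm: int) -> str:
    """Big-endian reading of a 32-bit immediate gives its 4-character tag, e.g. 'BCHK'."""
    return imm.to_bytes(4, "big").decode("ascii")


def short_jump_target(instr_addr: int, opcode_bytes: bytes) -> int:
    """Target of a 2-byte short conditional jump (74 xx / 75 xx).

    The displacement is a signed 8-bit value relative to the next instruction.
    """
    disp = struct.unpack("<b", opcode_bytes[1:2])[0]
    return (instr_addr + 2 + disp) & 0xFFFFFFFF


# 1. BoundsChecker check: MOV EBP, 'BCHK' assembles to BD 4B 48 43 42.
#    The immediate after the BD opcode is stored little-endian in the file.
mov_ebp_bytes = bytes.fromhex("BD4B484342")
bchk_imm = dword_from_memory(mov_ebp_bytes[1:])   # 0x4243484B

# 2. Constructed data-window bytes, as in the tutorial's "D EBP+48" example:
#    the pointer bytes 04 10 40 00 read back as the address 00401004.
data_window = bytes.fromhex("04104000")
vector = dword_from_memory(data_window)           # 0x00401004

# 3. The calculator value 12345678h lands in memory as 78 56 34 12.
stored = dword_to_memory(0x12345678)

if __name__ == "__main__":
    print(f"MOV EBP imm = {bchk_imm:08X} -> tag {tag_as_text(bchk_imm)!r}")
    print(f"D EBP+48    = {fmt(data_window)} -> address {vector:08X}")
    print(f"12345678h   -> memory {fmt(stored)}")
    print(f"jne at 0040100C -> {short_jump_target(0x40100C, bytes.fromhex('7515')):08X}")
```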

Final Thoughts

This concludes my eighth tutorial; I hope you at least learned a little from it.
Look for my next tutorial soon...

Greetings to...

Pr1mus, Sheep, PhaNt0M, Dvs17, Potsmoke, Thrawn, r00t, abductor, seifer, ManKind, Rheingold,
Lord Anshar, Yado, X-Lock, BuG, Boba Fett, Acid_Cool_178, arachno, Trevil, tantox and all else who I
have forgotten to include here.

Special thanks to lucifer48, defiler, alpine, ACiD BuRN, TSCube, roy, abductor, seifer and
LaZaRuS for their great tutorials, their tutorials are the ones I learned most of my skills from.

Group Greetz to Hellforge, FHCF, TNO, WCC, EVC, Eclipse, Immortal Descendants.

Find me on IRC channel #Lockless.
E-mail: bishop@biteme.com

BiSHoP of Lockless Crew :: we fly high ::


The end.