************************************
* FrogsICE v1.08.9 for win95/98/ME *
*   by +Frog's Print & +Spath      *
************************************

1) How to use it
2) Options
3) Misc features & command line options
4) System back-up / restoration
5) Tips/infos/Warnings
6) FAQ
7) BUGS REPORT

================
1) How to use it
================

Copy the driver for your OS (win95/98 or ME) to the same folder
as FPLoader.exe and FrogsICE.dat. Launch FPLoader.exe and an icon
will appear in the system tray.
Right or Left click on it to get the options dialog box.
Check/uncheck options, enable FrogsICE and then run
the software you suspect to have anti-SoftICE code.

__________________________________________________________________________

==========
2) Options
==========

-BASIC OPTIONS GROUP:
--------------------

 -BLUE_SCREEN_OF_DEATH:
  Display a BSOD each time FrogsICE detects anti-SoftICE code.
  The infos shown give you as much information as possible about
  the detection (type, register values, address of the detection
  inside the program...).
  Those infos are the same as those logged to file.
  The BlueScreenOfDeath is not available for drX hooks.
  When the BSOD occurs you will be prompted to:
  - Press (Y)es to fool the app : FrogsICE will do its best to hide
                                  SoftICE from the detection.
  - Press (N)o to let it run    : FrogsICE will let your soft detect
                                  SoftICE.
  - Press ESCAPE to disable BSOD: Will temporarily disable FrogsICE BSOD.
                                  This is useful if your app tries 1000
                                  times (or more!) to detect SoftICE and
                                  you are stuck in front of a blue screen.
                                  FPLoader will detect that you have
                                  disabled the BSOD.

  When the BSOD is disabled, FrogsICE will ALWAYS try to fool the app,
  just as if you had pressed the (Y)es key.
  FrogsICE BSOD will give you a code reference about the detection.
  For more infos about this detection see 'Code.txt'.

 -HIDE SOFTICE DRIVERS:
  Hide SoftICE drivers (SICE, SIWDEBUG and SIWVID) so that they cannot
  be detected in the DDB List.
  This option is grayed (and useless!) if SoftICE is not loaded.

 -LOG TO FILE:
  Save to file each detection hooked by FrogsICE. The log file name is
  randomly created to prevent any app from detecting/erasing it (although
  it is protected from deletion). It will **always** be created in the root
  of your Window$ drive (ex: c:\Fihjzpan.wga).
  The log will not be overwritten if it already exists, but the text
  will be appended.
  Disable it if you simply want to run an app with anti-SoftICE code and
  don't care about (or already know) details of the detection.
  When quitting FrogsICE, if a logfile exists it will ask you if you want
  to keep it or delete it.

 -PROTECT SOFTICE FILES:
  Locks up all files in SoftICE directory (and subdirectories) to prevent
  any nasty application from deleting them.
  This option locks up FrogsICE logfile as well.

 -AUTO-SCAN ON STARTUP/EXIT:
  FrogsICE will perform some scanning tests when you load it and when you
  exit it. It will check the memory for occurrences of some 'unwanted' data
  ('WINICE' string etc..., debugger flags) and clean up the memory if
  it finds any, and will check your IDT to see if any suspicious
  modifications were made. FrogsICE will inform you about what it has found.
  You should always leave this option enabled, as the memory scanning process
  is very important. Although it is useless to try to detect SoftICE by
  searching 'WINICE.BR' in memory in win98, the string 'WINICE.EXE' for
  instance is most of the time present and could be easily detected.
  Sometimes, you may receive a warning due to Winice.exe or due to other
  apps you may use to hide SoftICE during the IDT scan.
  FrogsICE will return the list of modified interrupts. If you have any
  BPINT's set, it is safer to quit FrogsICE and disable these BPINT's,
  then re-run FrogsICE.

 -HIDE FPLOADER:
  FPLoader.exe will hide its process and task names from apps trying
  to detect it. You MUST RESTART FrogsICE to effect this change.

 -BEEP:
  FrogsICE will beep when it has found anti-debugger code.


-QUICK OPTIONS GROUP:
--------------------

 -DEFAULT SETTINGS / BULLETPROOF / USER DEFINED
  Menu to restore FrogsICE default settings, set them to maximum security
  (all options enabled except 'BSOD') or to quickly check
  the current options.

 -PROTECTIONS COMBOBOX:
  You can select, edit, add or remove protections/programs with anti-SoftICE
  code. They will be saved to FrogsICE.dat which already includes several
  samples.


-ADVANCED OPTIONS GROUP:
-----------------------

 -POPUP SOFTICE:
  This option forces SoftICE to break when FrogsICE hooks anti-debugger code.
  When enabling this menu, you will need to set SoftICE break on int01
  command:
  => 'I1HERE ON'.
  The break will occur BEFORE FrogsICE gives control back to the app and
  some useful infos will be displayed in SoftICE command window:
  . address cs:eip of the detection
  . address of the SEH proc for int03 hooks
  . address of string data for MeltICE tricks...
  This option is helpful with packed/encrypted programs (Vbox, Asprotect...).
  At the break time, you can use your favorite dumper (IceDump...) to save
  the detection code to analyze it later ;-)
  Then, press F5 to let your app run.
  Note that if your application uses a lot of anti-debugger tricks, you can
  disable this feature simply by typing 'I1HERE OFF' at SoftICE prompt.
  SoftICE versions prior to v4.00 may not popup when a program tries
  to access Debug Registers ('Hook DRx' menu enabled).
  This menu option is grayed if SoftICE is not loaded.

 -HOOK DRX:
  This is a powerful feature which is not active by default.
  It will detect any access (read/write) to Debug Registers (dr0-dr7).
  Use it with care as it may crash your computer. If SoftICE is loaded,
  it is safer to disable or clear BPM breakpoints.
  This option is only available on i486+ CPUs, otherwise it will be grayed.
  FrogsICE WILL NOT display a BlueScreenOfDeath when detecting a drX access.
  From version 0.99, DRx accesses are automatically logged to file (you no
  longer need to deactivate this menu to create the logfile).
  Note also that your app may not exit its process normally in some rare
  circumstances. If this happens, kill it (CTRL-ALT-DEL) after a while.

 -IDT MONITOR/PROTECTOR:
  If this option is enabled, FrogsICE will prevent any application from
  modifying interrupt vectors inside the IDT.

 -INT03 HOOK:
  Force FrogsICE to hook int03h **before** SoftICE hooks it.
  This applies to PMode only. By default, FrogsICE doesn't hook any
  call to int03.
  Before using this function ensure that you have disabled breakpoints on
  execution (BPX) and set I3HERE to OFF, otherwise SoftICE may crash
  (instead use BPM xxxxxxxx X, for instance "BPM MessageBoxA X") or
  FrogsICE could hook the 0cch opcode used by SoftICE to set BPX and
  would not give control back to SoftICE (FrogsICE will consider
  the 0cch opcode as an anti-debugger code!).
  Set SoftICE "FAULTS" command to "OFF" as well.
  FrogsICE will inform you in its logfile if it has found any SEH
  procedure which could be used by your app:
   ."SEH proc address at cs:xxxxxxxx" where xxxxxxxx is the address of
     the SEH requested
   ."SEH proc address at cs:????????" if no SEH was found (this does NOT
     mean that there is no SEH!).
  If a SEH is found it will be **automatically** executed (Armadillo,
  AZPR, VBoxed apps...).
  Note that it doesn't matter if SoftICE is loaded or not, as it will
  always work ;-)


-ADJUST LOCALTIME TO RTC:
------------------------
  This option will adjust Windows local time to match the CMOS Real
  Time clock.
  As long as you are using SoftICE, Windows cannot update the local
  time. This means that if you start a debugging session at 9.10PM
  for 10mn, Windows will still display 9.10PM after that time.
  An app could check the difference between the RTC and the local
  time and believe SoftICE is loaded.
  This option fixes this problem (for both the time and the date).
  Avoid adjusting Windows's clock while this option is activated.
  Also note that it only works when the VxD is enabled.


-MISC OPTIONS GROUP:
-------------------

 -RUN APP...:
  Lets you run any program file (exe, com, pif and bat).
  
 -RUN LOADER32:
  Runs Loader32.
  FrogsICE will patch nmtrans.dll in memory so that Loader32 will run
  even if the 'Hide SoftICE Drivers' option is checked. When quitting,
  FrogsICE will kill Loader32's process as well because it couldn't
  work without FrogsICE as it was patched.

 -SCAN NOW...
  Lets you perform the scanning test (as described in the Basic Options
  Group) at any time.


-EXIT:
-----
Guess!

    
-ABOUT:
------
Everything you always wanted to know about FrogsICE...


-LOGFILE GROUP:
--------------
 -VIEW LOG:
  This menu is enabled if FrogsICE has detected anti SoftICE code and
  grayed otherwise. It will launch Notepad to display the logfile.

 -DELETE LOG:
  This menu is enabled if FrogsICE has created a logfile and grayed
  otherwise. It will erase FrogsICE logfile.
  

-ACTIVATION GROUP:
-----------------
 -ENABLE / DISABLE:
  Loads/unloads FrogsICE. Note that at startup, FrogsICE is deactivated
  by default but you can force it to get loaded (see below, cmdline options).

______________________________________________________________________________


========================================
3) Misc features & command line options:
========================================

-COMMAND LINE OPTIONS:

FrogsICE's loader accepts 3 different command line args:
 fploader.exe E : enable FrogsICE at start-up (turned off
                  by default).
 fploader.exe C : create a back-up copy of your IDT.
 fploader.exe R : restore IDT from backed-up copy.

For more infos about C & R options, see: "4) System back-up/restoration"


-SETTINGS:

Upon exit, FrogsICE saves its settings (menu options + protections combobox
items) inside a dat file (FrogsICE.dat).


-DOT COMMANDS:

When FrogsICE is loaded, you can get some infos from within SoftICE screen by
using the "." (dot) command.
From SoftICE type ".frogsice" and you'll get the following menu:

      ========================== FrogsICE v1.00 ready =====================
      [1]=Detections hooked
      [2]=Current settings
      [3]=Anti-debugging tricks help
      [4]=Enable/Disable FrogsICE :-(
      ============ Select menu option [1]-[4] or [ECS] to quit ============

  -[1]=Detections hooked:
   This menu is useful when you are tracing an app. At any time, it can
   tell you if FrogsICE has detected some anti-SoftICE code while you were
   debugging your soft, and will even give you the kind of detection (code #xx)
   + its location inside the program (only for the last hook found).

  -[2]=Current settings:
   Informs you about the current settings just in case you forgot to disable
   some 'dangerous' features (DRx hook, int3..) or forgot to enable others.


  -[3]=Anti-debugging tricks help
   Displays infos about some anti-SoftICE/debugger codes that you may need
   while tracing a software:

   ================== FROG'S PRINT ANTI-SOFTICE TRICKS HELP ================
   [a]=int03h(#01-02)  [b]=int2fh(#03-04) [c]=int41h(#05-06)  [d]=int68h(#07)
   [e]=Get_DDB(#09)    [f]=dr0-7(#0A)     [g]=MeltICE(#0B-0E) [h]=VWIN32(#0C)
   [i]=RegOpenKey(#0D) [j]=IDT(#0F)

   Note that values displayed in brackets (#01-#02...) are the code references
   returned by FrogsICE (see code.txt) as usual :-)


  -[4]=Enable/Disable FrogsICE :-(
   From this menu, you can disable FrogsICE: it will stop monitoring and
   hooking your system (all hooks will be disabled, except of course those
   hiding FrogsICE from detection and SoftICE drivers names), which could
   be useful in case of a crash during a debugging session. You can activate
   it again at any time (and it will restore your previous settings) from
   SoftICE, but if you forget to do so, FPLoader will warn you about that.
   As the scanning option is performed by the loader, it will remain unchanged.
   Note also that the 'log to file' feature will be disabled as well, of course.
   If you need to set breakpoints on execution (BPX), then use this feature
   to temporarily restore int 03 back to SoftICE.

-OTHERS:

 From v0.99, FrogsICE includes a lot of new features which are 'transparent'
 for the user. You do not have to worry or know about them (that's not secret
 but I don't want to spend 10 hours writing them down!) but they have been
 added to reinforce detection routines, better hide SoftICE and FrogsICE...

_______________________________________________________________________________

===============================
4) SYSTEM BACK-UP / RESTORATION
===============================

FrogsICE includes the option to save and restore your IDT in case
of a crash. If a crash occurs and FrogsICE doesn't get unloaded,
your computer will freeze (no way it can survive :-( ) due to too many
modifications done to your system.
The first time you run FrogsICE, it will look for the back-up file
(idt.bak) and will suggest that you create one if it doesn't exist.
At any time you can (C)reate a new one with the 'C' command
line parameter (fploader.exe C).
If you get into trouble, you can -as quickly as possible- (R)estore
your system by running the loader with the 'R' command line
parameter (fploader.exe R).
When creating the back-up file ensure that you do not have any BPINT
set within SoftICE (or any other debugger), and that no running softs
have changed your IDT (TRW2000, Icedump...).
Also, if you created a system back-up when SoftICE was running, only
use it to restore your system when SoftICE is running.
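
Added example (not part of FrogsICE, whose source and idt.bak format are
not published): a C program that compares a saved IDT image with the
current one and lists the modified interrupts, the kind of check the IDT
scan and the back-up above rely on. It assumes both images are raw dumps
of 256 8-byte IA-32 gate descriptors; all function names and sample
values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VECTORS 256  /* entries in the IDT image (assumed layout) */
#define GATE_SZ 8    /* bytes per IA-32 gate descriptor */
typedef struct { uint32_t offset; uint16_t selector; uint8_t attr; } gate;
/* Decode one gate: offset 15..0, selector, reserved, type/attr, offset 31..16. */
gate decode_gate(const uint8_t *d) {
    gate g = { d[0] | (d[1] << 8) | ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24),
               (uint16_t)(d[2] | (d[3] << 8)), d[5] };
    return g;
}

/* Inverse of decode_gate; only used to build the constructed sample. */
void encode_gate(uint8_t *d, uint32_t off, uint16_t sel, uint8_t attr) {
    d[0] = off & 0xff;         d[1] = (off >> 8) & 0xff;
    d[2] = sel & 0xff;         d[3] = sel >> 8;
    d[4] = 0;                  d[5] = attr;
    d[6] = (off >> 16) & 0xff; d[7] = off >> 24;
}

/* Store in out[] each vector whose handler, selector or attributes differ. */
int idt_diff(const uint8_t *base, const uint8_t *cur, uint8_t *out) {
    int n = 0;
    for (int v = 0; v < VECTORS; v++) {
        gate a = decode_gate(base + v * GATE_SZ), b = decode_gate(cur + v * GATE_SZ);
        if (a.offset != b.offset || a.selector != b.selector || a.attr != b.attr)
            out[n++] = (uint8_t)v;
    }
    return n;  /* number of modified vectors */
}

/* Constructed sample: baseline image, then INT 01h and INT 03h re-pointed. */
int sample_diff(uint8_t *out) {
    static uint8_t base[VECTORS * GATE_SZ], cur[VECTORS * GATE_SZ];
    for (int v = 0; v < VECTORS; v++)
        encode_gate(base + v * GATE_SZ, 0xC0001000u + v * 0x10, 0x0028, 0x8E);
    memcpy(cur, base, sizeof base);
    encode_gate(cur + 1 * GATE_SZ, 0xC1234560u, 0x0028, 0x8E);
    encode_gate(cur + 3 * GATE_SZ, 0xC1234780u, 0x0028, 0xEE);
    return idt_diff(base, cur, out);
}

int main(void) {
    uint8_t changed[VECTORS];
    for (int i = 0, n = sample_diff(changed); i < n; i++)
        printf("INT %02Xh modified\n", changed[i]);
    return 0;
}
```

A change of the attribute byte alone (for instance a different DPL) is
reported too, since it alters who may raise the interrupt.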

_______________________________________________________________________________

======================
5) TIPS/INFOS/WARNINGS:
======================

- For best results, do not copy FrogsICE's files to a root drive
  (c:\fploader.exe, d:\fploader.exe), or to your path (c:\, c:\windows...)
  and do not copy a file with anti-SoftICE code inside FrogsICE folder
  (the file may look for -and detect- it with a simple FindFirst/FindNext
  call).

- This version of FrogsICE is for win32 app ONLY. If you need to check
  anti-debuggers tricks from a DOS (exe or com) file use FrogsICE v0.43
  available at frogsprint.cjb.net.

- DO NOT enable or disable BPINT's while FrogsICE is running !!! BPINT's
  modify IDT interrupt vectors and could crash your computer. Instead,
  enable or disable them BEFORE or AFTER using FrogsICE.

- When FrogsICE hooks anti-SoftICE code, it will add the '>' sign on the
  left side of any register used for the detection. (Ex: >eax=00000004h )

- It is sometimes better to disable FrogsICE's BSOD as it may cause some
  problems but don't forget that this is the best way to stop your system
  and to give you enough time to think twice before acting!

- If you are using other tools to hide/patch/embellish SoftICE (Icedump,
  TRW...), FrogsICE should not interfere with them, but the scanning process
  may give you some warnings (simply ignore them and everything should work
  fine -hopefully ;-). 
  However, you should consider launching such tools BEFORE or AFTER running
  FrogsICE but NEVER when FrogsICE is already running.

- From version 0.99, ASM source code is no longer included with FrogsICE.
  Lately, many commercial companies have produced software trying to
  fool/crash FrogsICE, so I have no reason to distribute the source to make
  protectionists' life easier.
  If you're one of them and want to know how FrogsICE works, just do like I
  do with your softs: disasm and debug it :-(
  
________________________________________________________________________________


6) FAQ
======

 a) - "Each time I try to run FrogsICE, it crashes Windows!!"
   
 => you're wrong, FrogsICE doesn't crash window$, but window$ crashes FrogsICE :-p


 b) - "Will you ever release FrogsICE for Win2000 ??"

 => Sorry, don't know what "Win2000" is...


______________________________________________________________________________________________ 

7) BUGS REPORT
==============

Please submit any bugs or problems to: bugs@frogsice.cjb.net

DO NOT FORGET to give as many details as possible (all error codes returned
by FPLoader, your OS, FrogsICE version...)

______________________________________________________________________________________________ 
+Frog's Print October 2000

http://frogsprint.cjb.net
