Anti anti-debugging tricks..
----------------------------

Only three tricks: two against the 'MeltICE' anti-debugging checks, and one against the INT 68h anti-debugging check.

--int 68--------------------

INT 68h with AX=4300h returns AX=4300h if no debugger is present,
                      returns AX=F386h if a debugger is present.

well, i just traced through an int68,43, to see where the return code came from
eventually, i ended up in winice.exe itself.. take a look

0C29:1215 B886F3    MOV AX,F386
0C29:1218 CF        IRET

:d eip l 10
0C29:00001215 B8 86 F3 CF 2E 83 3E 19-00 FF 0F 84 18 00 B0 0B  ......>.........

i searched these bytes in winice.exe.. found them @offset 1615h in winice.exe v3.23
i patched it, rebooted, heh, windows don't work anymore :) disabled softice..
patched it back to what it was.. and decided to memory patch..
search for these bytes in memory and then patch them:

b8 86 f3 cf 2e -> b8 00 43 cf 2e      (MOV AX,F386 becomes MOV AX,4300; the IRET is left alone)

:s 0 l ffffffff b8 86 f3 cf 2e 83 3e 19
Pattern found at 0030:0000D4A5 (0000D4A5)   <-- yippie, the actual code in winice.exe
:s
Pattern found at 0030:C3209A3A (C3209A3A)   <-- mirror of my search pattern..
:s
Pattern not found

the search pattern and file offset are the same for SoftICE 3.25 :D

--\\.\SICE------------------

the MeltICE way to detect SoftICE..
the easiest way to defeat this is to search for 'SICE ' or 'NTICE' in winice.exe
and for '\\.\SICE' or '\\.\NTICE' in nmtrans.dll, and change them to read something else..
eg. 'RICE' or 'S CE' etc...

winice.exe  v3.23 offset 31724h : 'SICE ',0,0,0,0
winice.exe  v3.25 offset 31b3ch : 'SICE ',0,0,0,0
nmtrans.dll v3.23 offset 23644h : '\\.\SICE',0,0,0,0
nmtrans.dll v3.25 offset 77b24h : '\\.\SICE',0,0,0,0

if you don't modify nmtrans.dll, symbol loader will think softice isn't loaded..
the string has to be the same in nmtrans.dll as in winice.exe....

--\\.\SIWVID----------------

the easiest way of defeating this MeltICE method is finding the reference in memory and altering it..

:s 0 l ffffffff 'SIWVID  ' 00 00
Pattern found at 0030:C00207F0 (C00207F0)

if you found the correct one, your data window should look like this

-----SIWVID(01)+0020-----------------------------------------------------------
0030:C00207F0 53 49 57 56 49 44 20 20-00 00 00 80 C8 8D 02 C0  SIWVID  ........
0030:C0020800 18 93 02 C0 18 93 02 C0-00 00 00 00 00 00 00 00  ................
0030:C0020810 01 08 04 00 D0 07 02 C0-05 00 00 00 00 00 00 00  ................
0030:C0020820 B0 6E 16 C0 50 00 00 00-31 76 73 52 32 76 73 52  .n..P...1vsR2vsR
0030:C0020830 33 76 73 52 28 43 29 20-43 6F 70 79 72 69 67 68  3vsR(C) Copyrigh
0030:C0020840 74 20 4E 75 2D 4D 65 67-61 20 54 65 63 68 6E 6F  t Nu-Mega Techno
-------------------------------------------------------------------------------

just alter the ascii 'SIWVID' to read something else.. i prefer ' IWVID'....

--no more :(----------------

yep, i probably know no more ways to defeat anti debugging, except tracing through the program and locating its detection code..
well, if i find out any more easy ways to defeat anti debugging, i will amend this mini tutorial

R!SC - risc@notme.com
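All three tricks above are the same operation: find one byte sequence in an image (a file on disk or a dump of memory) and overwrite it with a sequence of the same length, so that nothing else moves. The script below is an added example, not R!SC's tool and not anything shipped with SoftICE. It works on constructed sample images (the INT 68h stub bytes quoted in the tutorial, padded with filler, and short fake winice.exe / nmtrans.dll fragments), so it runs offline; the function and constant names are my own. It covers both the INT 68h patch (MOV AX,F386 -> MOV AX,4300) and the consistent renaming of the SICE device string in both files.

```python
"""Byte-pattern search and same-length patch, as used in the tutorial above.

Added example; the sample images below are constructed, not real SoftICE bytes.
"""


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in data (overlaps allowed)."""
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def patch_unique(data: bytes, pattern: bytes, replacement: bytes) -> tuple[bytes, int]:
    """Replace pattern with replacement only if it occurs exactly once.

    Refusing on zero or multiple hits is the programmatic version of the
    tutorial's ':s' loop: the second hit there was the search buffer itself,
    not code, and patching it would achieve nothing.  A same-length
    replacement keeps every later byte (the IRET, other strings) where it is.
    """
    if len(pattern) != len(replacement):
        raise ValueError("replacement must be the same length as the pattern")
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}: {[hex(h) for h in hits]}")
    off = hits[0]
    return data[:off] + replacement + data[off + len(pattern):], off


def mov_ax_immediate(code: bytes, off: int) -> int:
    """Decode 'B8 lo hi' (MOV AX,imm16) at off, returning the immediate."""
    if code[off] != 0xB8:
        raise ValueError("not a MOV AX,imm16 at that offset")
    return int.from_bytes(code[off + 1:off + 3], "little")


# --- INT 68h stub ------------------------------------------------------------
# The 16 bytes the tutorial dumped at the handler (MOV AX,F386 / IRET / CS: CMP ...),
# embedded in a constructed image of filler so the offset is known (0x20).
INT68_STUB = bytes.fromhex("b886f3cf2e833e1900ff0f841800b00b")
SAMPLE_IMAGE = b"\x90" * 0x20 + INT68_STUB + b"\x00" * 0x10

# The tutorial's patch; immediates are little-endian, so F386 is 86 F3 and 4300 is 00 43.
INT68_PATTERN = bytes.fromhex("b886f3cf2e")
INT68_PATCH = bytes.fromhex("b80043cf2e")


def patch_int68(image: bytes) -> tuple[bytes, int]:
    """Apply the MOV AX,F386 -> MOV AX,4300 patch; return (new image, offset)."""
    return patch_unique(image, INT68_PATTERN, INT68_PATCH)


# --- MeltICE device name -----------------------------------------------------
# Layouts from the tutorial: 'SICE ',0,0,0,0 in winice.exe and '\\.\SICE',0,0,0,0
# in nmtrans.dll.  Both must be renamed identically or the symbol loader disagrees.
WINICE_STRING = b"SICE \x00\x00\x00\x00"
NMTRANS_STRING = b"\\\\.\\SICE\x00\x00\x00\x00"

# Constructed stand-ins for the two files (assumption: string appears once each).
WINICE_SAMPLE = b"\x00" * 8 + WINICE_STRING + b"A" * 8
NMTRANS_SAMPLE = b"\x00" * 8 + NMTRANS_STRING + b"A" * 8


def rename_device(winice: bytes, nmtrans: bytes, new_name: bytes) -> tuple[bytes, bytes]:
    """Rename the 4-byte device name consistently in both images."""
    if len(new_name) != 4:
        raise ValueError("device name replacement must be exactly 4 bytes")
    w, _ = patch_unique(winice, WINICE_STRING, new_name + b" \x00\x00\x00\x00")
    n, _ = patch_unique(nmtrans, NMTRANS_STRING, b"\\\\.\\" + new_name + b"\x00\x00\x00\x00")
    return w, n


if __name__ == "__main__":
    patched, off = patch_int68(SAMPLE_IMAGE)
    print(f"INT 68h stub at {off:#x}: AX was {mov_ax_immediate(SAMPLE_IMAGE, off):#06x}, "
          f"now {mov_ax_immediate(patched, off):#06x}")
    w, n = rename_device(WINICE_SAMPLE, NMTRANS_SAMPLE, b"RICE")
    print("winice :", w[8:17], "\nnmtrans:", n[8:20])
```

To use it on a real image you would read the file with open(path, "rb").read(), pass it to patch_int68 or rename_device, and write the result back only if the call did not raise; the tutorial's own experience (a patched winice.exe that would not load) is a reminder that a file-level patch can trip a loader check that a memory patch does not, so keep the original beside the patched copy.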