NO MORE annoying anti SOFT-ICE tricks
(how to improve SOFT-ICE)
by The Owl (Winice wizard eccelso)

HCU


Courtesy of Fravia's page of reverse engineering
              NO MORE annoying anti SOFT-ICE tricks or
              how to improve SOFT-ICE!


   intro

      today's best EXE protectors contain code to prevent debugging with 
   SOFT-ICE, which is the best debugger among the ones i came across so 
   far. following protectors are known to me to defeat SOFT-ICE:

      EEXE (Encrypt Exe found in FZC.EXE)
      HACKSTOP (found in WWPACK.EXE)
      PROTECT! (found in various files)
      GUARDIAN ANGEL (found in some versions of HWINFO.EXE)
      EXELITE (a Polish exe compressor)
      the one written by PREDATOR 666 (found in DCA.EXE v1.4)
      the one used by Martin Mal¡k (found in HWINFO.EXE v3.05 and up)
      DS-CRP by Dark Stalker (hi!)
      SECURE v0.19 by the authors of WWPACK
      ALEC v1.5 (the very best protector :-) by Random
      and a few others i don't remember right now...


   the problems

      SOFT-ICE can be detected/halted/crashed in many ways, here's a short
   list of them (some of them only makes single stepping harder but not
   impossible). i also included a short note on the effects for each version
   of SOFT-ICE:
                 :-( this trick works, 
                 :-) it causes no problems


      1. by the use of the INT3 interface provided by SOFT-ICE one can 
         check for the presence of SOFT-ICE and then have it execute various
         commands, e.g. HBOOT (see HackStop). the loader part of SOFT-ICE
         also leaves some traces in the low DOS memory, so one can find out
         the entrance values of the INT3 interface even if they were changed
         (see HMVS - a heuristic macro virus scanner - by J. Valky and
         L. Vrtik that uses SECURE v0.19). the Windows versions can also be
         detected by the following code (thanks to Dark Stalker and ACP :-):

           mov ebp,"BCHK"
           mov ax,4
           int 3
           cmp ax,4
           jne winice_installed

         it seems that BoundsChecker talks to SOFT-ICE via an interface very
         similar to the one between LDR.EXE and SOFT-ICE (although it's
         completely undocumented, as far as i know...)


         DOS: :-(
         W31: :-( (but the SECURE method is :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      2. by checking for various devices SOFT-ICE installs ("CVDEBUG",
         "NU-MEGA", "SOFTICE1") and searching the part of the code SOFT-ICE
         leaves in the low DOS memory for some patterns (e.g. "CVDEBUG",
         "NU-MEGA", "SEGMAP", "S-ICE" (the latter coming from the filename),
         and any instruction sequence that's left there) one can detect the
         presence of SOFT-ICE. the Window$ versions provide a VXD entry point
         that can be get by:

           mov ax,01684h
           mov bx,0202h ; VXD ID for Winice, check out Ralf Brown's INTLIST
           xor di,di
           mov es,di
           int 2fh
           mov ax,es
           add di,ax
           cmp di,0
           jne winice_is_installed

         the Window$ versions can also be detected by calling the "debugger
         install check" function of the Window$ debug kernel (int 42/ax=0041),
         for more details see Ralf Brown's INTLIST.

         see HWINFO.EXE and DS-CRP.COM for an extensive application of these
         checks...


         DOS: :-(
         W31: :-) but the VXD entry point check is :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      3. by the use of the undocumented ICEBP/INT01 instruction (opcode 0xF1):
         SOFT-ICE gives a short beep before the execution of this instruction
         (it will be reflected back to the V86 mode handler, thus at least
         the intended handler will get it) which can be VERY annoying (and
         make the execution VERY slow), see EEXE for an application of this.

         DOS: :-(
         W31: :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      4. by using the TRAP flag, one can use the single stepping feature to
         call a protection routine (e.g. a decryptor). the problem is, that
         during single stepping SOFT-ICE clears the TRAP flag for the V86 task
         and will neither execute nor step into the INT01 handler of the
         V86 task. many schemes use this trick.

         DOS: :-(
         W31: :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      5. by the use of the debug (DRx) and control (CRx) registers:
         accessing these registers in V86 mode leads to a General Protection
         Fault (INT0D), which SOFT-ICE doesn't handle correctly (it's normally
         used for emulating instructions that access the interrupt flag, the
         debug registers, the control registers, etc.). the protected mode
         handler emulates instructions that access these registers by
         executing them, however it doesn't make note about this for itself,
         i.e. whenever a debug fault is triggered SOFT-ICE will think that
         it must pop up and won't reflect back this exception to the V86 mode
         handler (that's waiting for it in vain). for a working example see
         GUARDIAN ANGEL. furthermore, accessing DR4/5 and CR1 will halt
         SOFT-ICE with a General Protection Violation error message, which is
         of course quite disturbing if it's used many times in the program...

         and best of all by accessing CR4 SOFT-ICE simply crashes since
         there's no emulation code for this kind of instructions (there's a
         jump table that tells SOFT-ICE which routine to use to handle these
         instructions and the table ends with CR3...). this method was first
         used by Random in his ALEC.EXE v1.4 :-)

         another sad fact is that the emulation in SOFT-ICE is not complete:
         it ALWAYS uses eax no matter what the original instruction was...

         e.g. mov dr0,ebx will load dr0 from eax!
              mov ecx,dr0 will load eax from dr0!

         i guess it's needless to say how easy it is to detect this behavior...

         a sidenote for protection writers: other memory managers that run
         DOS in V86 mode may or may not handle these instructions correctly,
         so the use of this trick is highly discouraged.

         DOS: :-(
         W31: :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      6. by the use of INT08, which is the timer interrupt in real mode DOS,
         and the Double Fault Exception in protected mode. the protected mode
         handler checks whether it was entered from V86 mode or not, and in
         the first case it reflects back this interrupt to the V86 mode
         handler. however, one can't single step into it.

         DOS: :-(
         W31: :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      7. by the use of the INT07 interrupt (this is the Coprocessor Not 
         Available Exception):
         instead of reflecting back this interrupt to the V86 mode handler,
         SOFT-ICE tries to skip the offending coprocessor instruction (it
         checks for some opcodes). it seems the Nu-Mega folks never thought
         it would be called directly... for a real life application get some
         programs written (and protected) by Predator 666.

         DOS: :-(
         W31: :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      8. by the use of the Invalid Opcode Exception (INT06):
         SOFT-ICE tries to emulate some instructions (e.g. LOADALL), and then
         reflects back this exception to the V86 mode handler. however,
         certain opcodes aren't recognized and will give you an error message
         (i.e. execution will be interrupted, if the protection scheme uses
         this trick).

         DOS: :-(
         W31: :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      9. by using direct INTxx calls that are triggered by hardware
         interrupts (e.g. INT08-INT0F, INT70-INT77, if the vectors in the PIC
         are not reprogrammed), one will not be able to single step into the
         interrupt handler. in fact, SOFT-ICE will even execute the next
         instruction and just then stop (if the next instruction is also an
         INTxx call of this type then it will be stepped over as well, and so
         on). so far, i know of no protection scheme that uses this trick,
         but i guess i've just given out a good idea :-).

         DOS: :-(
         W31: :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      A. by reloading IDTR one can change the base and size of the interrupt
         table in real mode as well. however, SOFT-ICE will not emulate this
         instruction (it causes a General Protection Fault in V86 mode) thus
         a protection using LIDT won't run. the only problem is that memory
         managers don't like it very much, so probably we won't see it in a
         real life protection scheme, but one never knows :-).

         DOS: :-(
         W31: :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


      B. sometimes one has to call an interrupt directly (GENINT xx), e.g. to
         dump a memory range to disk by using one's memory resident dumper
         (you know what i mean :-) and it's very annoying that SOFT-ICE
         doesn't stop after the interrupt call but executes the program
         being debugged (thus one has to set a breakpoint for a moment at the
         current CS:IP which will result in an unwanted 0xCC byte in the dump,
         if all debug registers are already used).

         DOS: :-(
         W31: :-(
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)

      C. in plain DOS INT3 and INT1 are handled by the same routine (which is
         a simple IRET). however, SOFT-ICE changes the INT3 handler of the
         V86 task to another IRET which can be detected by comparing its
         offset to the one of the INT1 handler. see HWINFO.EXE for
         an application

         DOS: :-(
         W31: :-)
         W95: not tested yet (probably same as W31)
         WNT: not tested yet (probably same as W31)


   the solutions

      in the following part you'll be presented with some ideas about the
   solution for the problems described above (the file offsets refer to the
   DOS version v2.80, but the ideas should work for other versions, as well.
   the easiest way to apply the patches is using Hacker's View which can
   be found in HIEW531.ZIP).

      one general problem is that SOFT-ICE (at least the DOS version) doesn't
   reprogram the hardware interrupt vectors, and this makes life (and the
   interrupt handlers) a bit more complex. the IDT that SOFT-ICE uses has
   entries that point to the following type of code:

   push xx
   jmp handler_xx

   where xx goes from 0x00 to 0xFF. in v2.80 this code begins at offset
   0x4534. the Win31 version has a very similar code beginning at offset
   0x14167 in v1.52:

   push d,[offset_xx]
   jmp handler_xx


      if you want to understand the patches that follow right below, you
   should study the interrupt handlers (and you should also have a good
   understanding of protected mode). however, some problems cannot be solved
   without understanding the internal flags of SOFT-ICE, and this requires a
   complete disassembly of it, which is a quite hard task i can tell.

      anyway, sooner or later it will be done, and then we'll have the
   ultimate debugging/cracking tool in our hands 'cos we'll be able to put in
   some missing functions, e.g. emulation of FlatRealMode, tracing INT1, PIC
   reprogramming, prefetch queue emulation, dumping a memory range to disk,
   etc. until then, enjoy the poor man's patches...

      1. some exe protections mentioned earlier are based upon the INT3
         interface of SOFT-ICE (see Ralf Brown's Interrupt List for details).
         this interface is activated when the protected mode INT3 handler of
         SOFT-ICE encounters the magic values in SI and DI. that is, when you
         try to trace through an INT3 call, SOFT-ICE will regain control,
         check for the magic values, and in case they are not found, it will
         reflect back this interrupt to the V86 mode INT3 handler (which it
         was supposed to do anyway). if it finds the magic values, then
         it'll execute the command given in AX (and DS:DX). all of these
         checks happen invisibly to the hacker, so there seems to be no
         solution to defeat this kind of protection (well, there's a slow way
         if you step through every instruction and before the "guilty" INT3
         call you change one or two registers).

         however, there's a simple solution: change the magic values SOFT-ICE
         is looking for and this will defeat those protectors based upon the
         INT3 interface. however, it's easier said than done because both
         SOFT-ICE (and WIN-ICE) itself and (W)LDR.EXE use this interface for
         some kind of intra/inter process communication. so every reference
         to the magic values will have to be changed!

         to keep the story short here's what i've come up with:
         browsing a few minutes in Hacker's View (another important tool ;-)
         i found the places where those changes had to be done. in order to
         avoid changes where those magic values occur by chance, i wrote an
         MSUB script to change whole instructions (they represent enough
         context). the amount of necessary changes would have forced me to
         use some search&replace utility, anyway. MSUB.EXE can be found in
         MSUB13.ZIP (use an ftp search engine to find it).

         the scripts

         SICE-VAL.MS: you should specify the old and new magic values in it
                      (note that numbers are decimal!)

         SICE2NEW.MS: it will replace the old magic values with the new ones.
                      there are almost 2^32 possible values, only that value
                      is forbidden for SI that equals to the version of
                      SOFT-ICE (for v2.80 it is \128\2, i.e. 0x0280). before
                      SOFT-ICE installs itself, it checks for its presence by
                      using an undocumented function of its INT3 interface by
                      setting AH to 0 or 1. on return SI will be loaded with
                      the version number or left unmodified if it's not
                      installed yet, that's why the version number must differ
                      from the preloaded value of SI.

         example usage

                  MSUB.EXE SICE2NEW.MS S-ICE.EXE LDR.EXE 

         if you're fed up with the shareware delay built into MSUB.EXE,
         here's how you can get rid of it (thanks to a friend of mine ;-)

         patch MSUB.EXE v1.3 (113,152 bytes long) as follows:

         offset    old new
         00002307: ??  EB
         00002308: ??  03
         0000C0DF: 77  EB


         the protection that SECURE uses is quite clever 'cos it checks the
         first 16 kBytes for the instruction sequence of

         mov si,SI_MAGIC
         mov di,DI_MAGIC

         they're encoded as 0BEh,x,y,0BFh,u,v where x,y,u and v are the magic
         values. when it finds 0BEh and 0BFh separated by two bytes from each
         other then it calls INT3 with the supposed magic values (the INT3
         handler is a simple IRET, so no problem should arise if SOFT-ICE is
         not installed). and guess what happens when SECURE finds the traces
         of the loader part of SOFT-ICE in that low memory area...

         the only solution that would defeat this kind of protection is to
         change the instructions that load SI and DI before the INT3 calls
         (unfortunately you can't avoid those calls since SOFT-ICE has to
         check for its presence and do other things). for obvious reasons
         (i guess one of the previous versions of this file gave the SECURE
         authors the idea...) i won't give you tips on how to do it, i hope
         you're smart enough to do it yourselves.

         the only limit is that you have 6 bytes of space to load both SI and
         DI (i checked that whenever SOFT-ICE uses the INT3 interface it loads
         SI and DI by two consecutive instructions, i.e. you can use the MSUB
         scripts to search for and replace them). another method could be to
         change the HBOOT command to something else (by MSUB of course),
         however other dangerous commands could be still issued...


         the BoundsChecker interface can be modified in the same way we did
         it with the rest of the INT3 interface: simply modify the value that
         is expected in ebp (but BoundsChecker must be changed as well!).
         look for the string "KHCB" to find the appropriate place.
         the following file offsets are valid for WINICE for Win 3.1 v1.52:

         offset    old new
         000130C7: 'K' ?
         000130C8: 'H' ?
         000130C9: 'C' ?
         000130CA: 'B' ?

         for WINICE for Win95 v3.0:

         offset    old new
         00016FDD: 'K' ?
         00016FDE: 'H' ?
         00016FDF: 'C' ?
         00016FE0: 'B' ?

         and for WINICE for Win95 v3.01:

         offset    old new
         000243F0: 'K' ?
         000243F1: 'H' ?
         000243F2: 'C' ?
         000243F3: 'B' ?


      2. the device names can be changed to anything you want, look at the
         beginning of S-ICE.EXE. the real problem is when the protection
         checks for instruction sequences. my only advice is that step through
         the protection and see which part of the code is checked for, then
         try to modify it in S-ICE.EXE (or disassemble, modify and then
         recompile the whole executable, but that's not gonna happen for
         a long time, i guess... :-).

         to defeat the int41 check, you have to change both the return value
         of the real and protected mode handlers in WINICE and the value that
         is checked for in KRNL386.EXE, VMM32.VXD, EMM386.EXE, IFSHLP.SYS and 
         NET.EXE. all these changes are necessary otherwise some WINICE
         commands (HWND, TASK) won't work 'cos apparently they rely on some
         Window$ functions which are available only in the debug kernel (and
         during startup these programs/drivers do this int41 check which will
         fail if you don't change the values they're expecting, as well).

         there're five places in WINICE that have to be patched (one is a cmp,
         the other four are mov's) and one in each one of the rest. sorry,
         that i don't provide you with detailed offsets, but there're too many
         versions/combinations of both WINICE and Win31/Win95... note, that
         after these changes other programs that want to use debug kernel
         functions will fail :-)

         and now let's talk about the VXD entry point check. the ID is stored
         at file offset 0x7821E in WINICE for Win95 v3.01 (to find it in
         other versions as well just look for "SICE   ", and the ID will be
         a few bytes before this text).

         so to change the ID just overwrite it there. however, it's not
         enough since some companion programs also test for WINICE by trying
         to get the VXD entry point, i.e. they have to be modified as well.
         they're DLOG.EXE and WLDR.EXE, and search for int2F (opcode: 0xCD
         0x2F) to get to the right place... :-)

         anyway, for the versions that come with WINICE for Win95 v3.0,
         the file offsets of the ID are 0x625/6 and 0x68B9/A respectively.


      3. what we have to do is simply skip the unnecessary parts in the
         handler (the beeps) and simulate the instruction as it would have
         been a direct INT 01 call (opcode: 0xCD 0x01). this way one will not
         only get rid of the beeps but be able to trace into the handler as
         well (and we'll have some space to put some extra code in when we'll
         need it :-).

         offset    old new
         00001DD5: 50  EB
         00001DD6: 51  60


      4. [this part is being worked on]
 

      5. there are two possible solutions: we either disable the DRx emulation
         feature of SOFT-ICE (this is quite easy to do) or correct it (this is
         really hard to do). SOFT-ICE emulates each instruction by executing
         a function whose offset is looked up in a table. each function ends
         in the same way: IP of the V86 task is incremented by the appropriate
         amount of bytes. so to disable emulation we'll change the pointers
         in that table to the common end of the functions, this way these
         instructions will essentially be handled as NOPs. i don't know
         whether it's worth to do it or not, since this modification can be
         detected by simply loading one of the debug registers and then
         checking whether it's really been modified or not. a more elegant
         solution would be to reserve a few bytes in the data segment of
         SOFT-ICE for storing the values of these registers and emulate the
         instructions (or at least their loading). anyone out there willing
         to do that?

         anyway, here's how to do the patch: the table itself is at file
         offset 0x1F1DD and it has 12 words in it pointing to the
         emulation code of the following instructions:

             mov eax,dr0 and mov dr0,eax
             mov eax,dr1 and mov dr1,eax
             mov eax,dr2 and mov dr2,eax
             mov eax,dr3 and mov dr3,eax
             mov eax,dr4 and mov dr4,eax
             mov eax,dr5 and mov dr5,eax
             mov eax,dr6 and mov dr6,eax
             mov eax,dr7 and mov dr7,eax
             mov eax,cr0 and mov cr0,eax
             mov eax,cr1 and mov cr1,eax
             mov eax,cr2 and mov cr2,eax
             mov eax,cr3 and mov cr3,eax

         note that there's no offset for emulating CR4...

         the offset of the common exit point (i.e. the new value you may want
         to set these pointers to) is 0x175A (this is NOT a file offset...).

         these patches still don't cure the problem with CR4. if you decided
         to get rid of the emulation entirely (including CR4) then you can
         do it much easier:

         offset    old new
         00002E7E: 03  0A
         00002E7F: 00  01


      6. i'll give you a general solution in section 8 since INT08 is just a
         a subset of the hardware interrupts which are discussed there.


      7. this problem can be solved quite easily: we replace the original
         protected mode handler with the one that serves all not_IRQ_related
         interrupts (and whose only task is to reflect them back to the
         V86 mode handler).

         offset    old new
         0000455A: B6  14
         0000455B: DF  D6


      8. what we have to do is to skip the call that prints the error message
         and simply reflect this interrupt back to the V86 mode handler.
         note that your buggy programs won't cause SOFT-ICE to pop up after
         this patch :-) (however, you'll be able to break in and see what
         went wrong).

         offset    old new
         00002447: A9  C3


      9. now we'll make use of the extra space we made in the original INT01
         handler. we have to check whether the interrupt was triggered by a
         hardware IRQ or not. this can be done by the following routine:

         push eax          ; save the registers that will be modified
         pushf             ; the order of PUSHs is important!
         mov al,0Bh        ; we'll read in the in-service registers
         out 20h,al        ; master PIC
         out 0A0h,al       ; slave PIC
                           ; there might be needed a short delay here
                           ; however, on my machine it isn't :-)
         in al,20h         ; read INTs being serviced by master PIC
         mov ah,al         ; save for later test
         in al,0A0h        ; read INTs being serviced by slave PIC
         test ax,0FFFFh    ; was it a hardware int?
         jnz original      ; 
         popf              ; restore flags
         pop eax           ; the general handler doesn't expect it
         jmp offset 1B70h  ; this has to be the general handler (this offset
                           ; is valid in v2.80)
         original:
         mov ax,8          ; the first two instructions of the original handler
         popf              ; were push eax, mov ax,8, thus we won't pop eax
         jmp offset 1A77h  ; this has to be the original handler's offset
                           ; plus 5 bytes (the length of push eax, mov ax,8)

         and at the beginning of the original handler (offset 0x1A72) we put:
         jmp offset 1DD7h  ; and since it's only 3 bytes long,
                           ; we get 2 spare bytes :-)

         the binary patches follow:

         offset    old new
         00001A72: 66  E9
         00001A73: 50  62
         00001A74: B8  03

         00001DD5: 50  EB
         00001DD6: 51  60
         00001DD7: B9  66
         00001DD8: 03  50
         00001DD9: 00  9C
         00001DDA: B0  B0
         00001DDB: 03  0B
         00001DDC: E6  E6
         00001DDD: 61  20
         00001DDE: 51  E6
         00001DDF: 33  A0
         00001DE0: C9  E4
         00001DE1: E2  20
         00001DE2: FE  8A
         00001DE3: E2  E0
         00001DE4: FE  E4
         00001DE5: E2  A0
         00001DE6: FE  A9
         00001DE7: E2  FF
         00001DE8: FE  FF
         00001DE9: E2  B8
         00001DEA: FE  08
         00001DEB: E2  00
         00001DEC: FE  75
         00001DED: E2  06
         00001DEE: FE  9D
         00001DEF: E2  66
         00001DF0: FE  58
         00001DF1: E2  E9
         00001DF2: FE  7C
         00001DF3: E2  FD
         00001DF4: FE  9D
         00001DF5: E2  E9
         00001DF6: FE  7F
         00001DF7: E2  FC


      A. to solve this problem we should do a complete disassembly of SOFT-ICE
         since we have to keep track of the base and size of the V86 mode
         interrupt table, and this requires too many changes to be worth to do
         it with simple byte patches.


      B. a somewhat lame (but it's more than nothing) solution is the
         following: we chain in a P RET command after GENINT by patching
         the jump at the end of the GENINT handler to the beginning of P RET.
         after executing GENINT we'll land at the IRET of our handler and
         a further P or T will take us back to the original instruction we
         were at. i said it was somewhat lame... but it works :-)

         offset    old new
         000118BF: BC  00
         000118C0: E0  C7


      C. before executing anything call up SOFT-ICE and change the offset of
         the V86 mode INT3 handler to the one of the INT1 handler.


      D. !!! SURPRISE !!!

         while you're in WINICE for Win95 v3.0 or 3.01 type in the following
         command: "ver ice" and see what you get... however, note that due
         to a bug (or feature?) you can use only once this command during
         a session, you have to restart WINICE to be able to get the
         message again.

         and while we're at undocumented features, try out "ver ?" as well.
         in the next release, i'll try to write a detailed description
         of the new commands (not that if it were that hard to find out...)


   unsolved mysteries :-)

      1. even the Nu-Mega docs tell about a problem when SOFT-ICE for DOS is
         loaded from the command line: if HIMEM.SYS is installed the machine
         simply reboots. i tracked down the problem and found out that the
         processor resets itself because of a triple fault. it happens so:

         after preparing the IDT and GDT (and loading IDTR and GDTR), paging
         will be enabled in CR0, and then DS and ES will be loaded a
         descriptor offset of 8. however, both this descriptor and the IDT
         seem to be invalid, and this leads to a triple fault. unfortunately,
         i couldn't find out what goes wrong during the setup of IDT and GDT,
         perhaps someone else out there will do the dirty job :-)... and maybe
         Nu-Mega will award you with a free, legal version :-)).


      2. on a Cyrix 486DLC-40 system (both with and without a coproc) SOFT-ICE
         gets a Page Fault and halts if the processor is running at 40 MHz,
         but works fine at 33 MHz. the Page Fault seems to happen while the
         code window is being put out (i.e. during the execution of the wc
         command). this is nonsense! so far, no solution... and yes, it's
         another dirty job...


   P.S. for everyone

         perhaps there's someone out there who didn't know it so far...
         WINICE can be used without Window$ (and you'll be able to debug
         programs that use some DOS extender, if it can make use of DPMI, but
         that's the case with the most popular ones, e.g. DOS4GW or PMODE/W)!
         the trick is that you have to make a 'crippled' version of Window$,
         i.e. make Window$ start without its GUI. a complete description of
         this can be found at the following URL:

                http://www.fys.ruu.nl/~faber/Windows_No_GUI

         after creating this GUI-less Window$ all you have to do is to start
         WINICE (beware, your normal Window$ shouldn't be on your PATH!) and
         voila, you'll be in a DOS session (i hope that you could find it out
         yourself that you had to start COMMAND.COM as your KRNL386.EXE...)
         with WINICE being able to pop up whenever you need it (of course, for
         native Window$ programs you'll need a full Window$).

         and if we're at Window$ here's another trick: if you don't want to
         see the logo being shown every time you start Window$, either start
         WIN.COM with a command line paramater of ':' i.e.

                WIN.COM :

         or (as the above method doesn't work with our GUIless version since
         WINICE doesn't seem to pass any parameters or you are too lazy to
         type in every time 2 more characters :-) look for the string 'LOGO'
         in WIN.COM and change it to something else (it's enough to change
         only one bit). note, that the WIN.COM of Window$ for Workgroups
         doesn't like this patch...


   P.S. for protection writers

         i know that some of the above modifications can be defeated (i could
         do it myself) however i won't make your life easier... i hope you
         understand why :-)

The Owl 1997

SICE-VAL.MS
cut from here ------
# OLD_SI: 'FG'
# OLD_DI: 'JM'

# OLD_SI
!:p=\71\70
# OLD_DI
!:q=\77\74

# NEW_SI
!:x=\71\68
# NEW_DI
!:y=\77\74
-------------- until here

SICE2NEW.MS
cut from here ------

!binary
!include sice-val.ms

# mov si,OLD_SI -> mov si,NEW_SI
\190:p
\190:x
# mov di,OLD_DI -> mov di,NEW_DI
\191:q
\191:y

# cmp si,OLD_SI -> cmp si,NEW_SI
\129\254:p
\129\254:x
# cmp di,OLD_DI -> cmp di,NEW_DI
\129\255:q
\129\255:y

# cmp w,[bp+4],OLD_SI -> cmp w,[bp+4],NEW_SI
\129\126\4:p
\129\126\4:x
# cmp w,[bp+0],OLD_DI -> cmp w,[bp+0],NEW_DI
\129\126\0:q
\129\126\0:y

# mov w,[bp+4],OLD_SI -> mov w,[bp+4],NEW_SI
\199\70\4:p
\199\70\4:x
# mov w,[bp+0],OLD_DI -> mov w,[bp+0],NEW_DI
\199\70\0:q
\199\70\0:y


# not sure about these ones...

# cmp w,[4],OLD_SI -> cmp w,[4],NEW_SI
\129\62\4\0:p
\129\62\4\0:x

# mov ax,OLD_SI -> mov ax,NEW_SI
\184:p
\184:x
------------ until here	

You are deep inside Fravia's page of reverse engineering, choose your way out:

project 2
homepage links red anonymity +ORC students' essays
tools antismut cocktails search_forms mail_Fravia
Is reverse engineering illegal?