

              NO MORE annoying anti SOFT-ICE tricks!


      Today's best EXE protectors contain code to prevent debugging with
   SOFT-ICE, which is the best debugger among the ones I have come across
   so far. The following protectors are known to me to defeat SOFT-ICE:

      EEXE (Encrypt Exe found in FZC.EXE)
      HACKSTOP (found in WWPACK.EXE)
      PROTECT! (found in various files)
      and perhaps a few others...

      All of the above protectors are based upon the INT3 interface of
   SOFT-ICE (see Ralf Brown's Interrupt List for details). This interface
   is activated when the protected mode INT3 handler of SOFT-ICE encounters
   the magic values in SI and DI. That is, when you try to trace through
   an INT3 call, SOFT-ICE will regain control, check for the magic values,
   and in case they are not found, it will go on to the original INT3 handler
   (which it was supposed to do anyway). If it finds the magic values, then
   it'll execute the command given in AX (and DS:DX). All of these checks
   happen invisibly to the hacker, so there seems to be no solution to defeat
   this kind of protection (well, there's a slow way if you step through
   every instruction and before the "guilty" INT3 call you change one or two
   registers).

      But our precious time doesn't allow us to do it every time we
   encounter a "yet unhackable" (Hi, Ralph Roth ;-) protector!

      Well, I've found a simple solution: changing the magic values
   SOFT-ICE is looking for will defeat those protectors based upon the
   INT3 interface. However, it's easier said than done because both SOFT-ICE
   itself and LDR.EXE use this interface for some kind of intra/inter process
   communication. So every reference to the magic values must be changed!

   It took me a few minutes in Hacker's View (another important tool ;-) to
   find the places where those changes had to be made. In order to avoid
   changes where those magic values occur by chance, I wrote some MSUB
   scripts to change whole instructions (the number of necessary changes
   would have forced me to use some search-and-replace utility, anyway).
   You can find MSUB.EXE in MSUB13.ZIP (an Archie search will certainly
   help you to find an ftp site carrying this great utility).


   The Scripts

   You should specify the old and new magic values in SICE-VAL.MS (note that
   numbers are decimal!)

   SICE2NEW.MS will replace the old magic values with the new ones (there
               are 2^32 possible values, although not all of them can be
               changed back). I strongly advise you to patch the original
               files and not already patched ones; see below for the
               explanation.
   SICE2OLD.MS will change the values back. Some instructions specified
               in the search patterns also occur in other parts of the files
               to be patched, where they should not be changed. If you happen
               to choose their operands as your new magic values, the changes
               cannot be reverted! So you had better keep the original files
               and not use this script!

               /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
                         example usage

               msub.exe sice2new.ms s-ice.exe ldr.exe

               This will change the original values
               to the new ones.
               /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
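
   The reversibility problem described for SICE2OLD.MS, shown as an added
   example in Python (not the MSUB scripts and not code from this file).
   The instruction forms searched for (MOV/CMP of SI and DI with a 16-bit
   immediate), the magic values and the sample bytes are all constructed
   assumptions for illustration.

```python
import struct

SI, DI = 6, 7  # x86 register numbers used in 16-bit instruction encodings

def mov_imm(reg, val):
    # MOV r16, imm16: opcode B8+reg followed by the little-endian immediate
    return bytes([0xB8 + reg]) + struct.pack("<H", val)

def cmp_imm(reg, val):
    # CMP r16, imm16: opcode 81, ModRM F8+reg, little-endian immediate
    return bytes([0x81, 0xF8 + reg]) + struct.pack("<H", val)

def patterns(magic):
    # Whole-instruction byte patterns for a (SI value, DI value) pair
    si_val, di_val = magic
    return [enc(reg, val) for reg, val in ((SI, si_val), (DI, di_val))
            for enc in (mov_imm, cmp_imm)]

def patch(image, old, new):
    """Swap instructions carrying `old` for ones carrying `new`.

    Returns (patched_image, collisions); collisions counts instructions that
    already carried a new value before patching and so cannot be told apart
    from patched ones afterwards."""
    collisions = sum(image.count(p) for p in patterns(new))
    for src, dst in zip(patterns(old), patterns(new)):
        image = image.replace(src, dst)
    return image, collisions

def reversible(image, old, new):
    # Patch, patch back, and compare with the untouched original
    patched, _ = patch(image, old, new)
    restored, _ = patch(patched, new, old)
    return restored == image

# Constructed sample, not bytes from any real file
OLD, NEW_BAD, NEW_OK = (0x1111, 0x2222), (0x3333, 0x4444), (0x5555, 0x6666)
SAMPLE = (mov_imm(SI, 0x1111) + mov_imm(DI, 0x2222) + b"\xCC"   # magic load + INT3
          + cmp_imm(SI, 0x1111) + cmp_imm(DI, 0x2222) + b"\x90"  # handler check
          + mov_imm(SI, 0x3333))                                  # unrelated code

if __name__ == "__main__":
    for new in (NEW_BAD, NEW_OK):
        _, hits = patch(SAMPLE, OLD, new)
        print([hex(v) for v in new], "collisions:", hits,
              "reversible:", reversible(SAMPLE, OLD, new))
```

   A nonzero collision count is exactly the case in which patching back
   cannot restore the file. A byte-level search is also blind to instruction
   boundaries, so keeping the original files remains the safe option.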

