melted MeltICE
(SoftIce 3.xx detection and another lesson for shareware programmers)
by Frog's Print
(22 August 1997, slightly edited by Fravia)
With an important addition by Kox! (27 August 1997)
Courtesy of fravia's page
of reverse engineering
Well, Frog's Print finding are indeed
interesting. I'm pretty sure that we are going to assist, in the next
future, to an explosion of many little anti-softice (and anti-wdasm) tricks.
I may open an extra section of my site to this if necessary... btw, to-day ReZiDeNt signalled an "anti-BRW" trick inside Ultraedit...
Note that since the programmers keep programming in "high" languages,
all this can (at most) defeat the stupid lamers... the good-guy=1 and beggar
off=0 flags are always the same... poor programmers... how long should we
repeat it to you? YOU HAVE TO PROGRAM PROTECTIONS IN ASSEMBLER ON YOUR OWN,
you do not have to:
1) Use Visual Basic made protections;
2) Use ready-made third party protections (if the people selling them
would put their money where their mouths are you would see many more
working demos of their protections on the net, btw);
3) Use Visual C++ made protections;
Write your own small protections routines in assembler using some forgotten
dos call and some empty bits inside the file header for Ginger Rogers' sake,
and you'll fend off more than 80% of all attacks on your software!
Well here you go: Meltice melted away under the touch of Frog's Print...
MeltICE
(SoftIce 3.xx detection)
by Frog's Print
I found today at http://www.window95.com a file named MeltICE. This is an updated
version of "ICEcream" whose only purpose was to detect if a version of SoftIce was
loaded and "to make shareware developers a little bit easier about the safety of
their software" as it's author (David Eriksson) wrote.
The file contains a source code that (lazy) protectionists can add to their programs.
MelICE was written specially for the new versions of SoftIce: v3.0 and 3.01 (Win 95/NT).
How it works:
The program will open the VxD driver named SICE (Windows 95) or NTICE (for Windows NT)
with CreateFile. It will then check the file's Handle (in EAX) in order to see if
SoftIce Win95 or WinNT is loaded or not.
Below are the source code of MeltICE and a disassembly listing that I did with W32dasm
of an .exe file compiled with this code:
MeltICE - SoftICE '95 version 3 detection - Made by David Eriksson
#include <stdio.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// See if SoftICE version 3.x for Windows 95 is loaded
BOOL IsSoftIce95Loaded()
{
HANDLE hFile;
hFile = CreateFile( "\\\\.\\SICE",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if( hFile != INVALID_HANDLE_VALUE )
{
CloseHandle(hFile);
return TRUE;
}
return FALSE;
}
// See if SoftICE version 3.x for Windows NT is loaded
BOOL IsSoftIceNTLoaded()
{
HANDLE hFile;
hFile = CreateFile( "\\\\.\\NTICE",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if( hFile != INVALID_HANDLE_VALUE )
{
CloseHandle(hFile);
return TRUE;
}
return FALSE;
}
// Example code for calling these functions
int main(void)
{
if( IsSoftIce95Loaded() )
printf("SoftICE for Windows 95 is active!\n");
else if( IsSoftIceNTLoaded() )
printf("SoftICE for Windows NT is active!\n");
else
printf("Can't find SoftICE with this method!\n");
return 0;
}
And now, the Dead Listing of an .exe file using that code:
* Referenced by a CALL at Address :004011DE
:00401080 E87BFFFFFF call 00401000 ; first, check for S-Ice Win95
:00401085 85C0 test eax, eax ; check if loaded...
:00401087 7410 je 00401099 ; No, jump to check_NT, if yes:
:00401089 6894604000 push 00406094 ;->"SoftICE for Windows 95 is active!"
:0040108E E83D000000 call 004010D0
:00401093 83C404 add esp, 4
:00401096 33C0 xor eax, eax
:00401098 C3 ret ; S-Ice Win95 detected. Bye_bye.
:Check_NT
:00401099 E8A2FFFFFF call 00401040 ; Now, check for S-Ice WinNT
:0040109E 85C0 test eax, eax ; check if loaded...
:004010A0 7410 je 004010B2 ; jump if NOT loaded to can't_find, else
:004010A2 6870604000 push 00406070 ;->"SoftICE for Windows NT is active!"
:004010A7 E824000000 call 004010D0
:004010AC 83C404 add esp, 4
:004010AF 33C0 xor eax, eax
:004010B1 C3 ret ; S-Ice WinNT detected. Bye_bye.
:can't_find
:004010B2 6848604000 push 00406048 ;->"Can't find SoftICE with this method!"
:004010B7 E814000000 call 004010D0
:004010BC 83C404 add esp, 4
:004010BF 33C0 xor eax, eax
:004010C1 C3 ret ; S-Ice not found.
********************************End of detection********************************
The detection/CreateFileA routine for S-Ice Win95:
:00401000 6A00 push 00000000 ; CreateFileA parameters
:00401002 6880000000 push 00000080 ; ...
:00401007 6A03 push 00000003 ; ...
:00401009 6A00 push 00000000 ; ...
:0040100B 6A03 push 00000003 ; ...
:0040100D 68000000C0 push C0000000 ; ...
* Possible StringData Ref from Data Obj ->"\\.\SICE" ; VxD driver for S-Ice Win95
:00401012 6830604000 push 00406030
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:00401017 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
:0040101D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
:00401020 740D je 0040102F ; Yes, jump otherwise...
:00401022 50 push eax ; SoftIce Win95 IS loaded!
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:00401023 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
:00401029 B801000000 mov eax, 00000001 ; Eax:=1
:0040102E C3 ret !
; Back to the caller
* Referenced by a (C)onditional Jump at Address :00401020
:0040102F 33C0 xor eax, eax ; Eax:=0 (not loaded)
:00401031 C3 ret !
; Back to the caller
...
The detection/CreateFileA routine for S-Ice WinNT:
...
* Referenced by a CALL at Address :00401099
:00401040 6A00 push 00000000 ; CreateFileA parameters
:00401042 6880000000 push 00000080 ; ...
:00401047 6A03 push 00000003 ; ...
:00401049 6A00 push 00000000 ; ...
:0040104B 6A03 push 00000003 ; ...
:0040104D 68000000C0 push C0000000 ; ...
* Possible StringData Ref from Data Obj ->"\\.\NTICE"; VxD driver for S-Ice WinNT
:00401052 683C604000 push 0040603C
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:00401057 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
:0040105D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
:00401060 740D je 0040106F ; Yes, jump otherwise...
:00401062 50 push eax ; SoftIse WinNT IS loaded!
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:00401063 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
:00401069 B801000000 mov eax, 00000001 ; Eax:=1
:0040106E C3 ret !
; Back to the caller
* Referenced by a (C)onditional Jump at Address :00401060
:0040106F 33C0 xor eax, eax ; Eax:=0 (not loaded)
:00401071 C3 ret !
; Back to the caller
OK, we see that this new simple and 'ready-to-use' protection will probably please
a huge amount of unexperimented shareware programmers. Since it is available at
Windows95.com, I assume we may have to face it very soon.
But is S-T-U-P-I-D because we now will be able to check if any program is detecting
Soft-Ice even before it will have the time to do so: just with a BPX CreateFile(A).
Anyway, this will make shareware crackers a little bit easier about the safety of
the software they want to reverse engineer too.
(c) Frog's print 1997. All rights reserved
Here is the important addition by Kox (27 August 1997):
Defeating MeltedICE for good in 10 Seconds.
They sure can't be serious for publishing such MeltedICE.
You can never rely on a constant string comparison to detect SoftICE.
Here is how to defeat it in 10 seconds:
(I guess everybody knows this, but just in case someone didn't think of it..)
Just replace the string "SICE" with "KICE" (or whatever you want) in the files
"Winice.exe" and "nmtrans.dll"
(Please do not use "KICE" ,just use a unique string... cause those MeltedICE
people may update it by checking for "KICE" too :)
And gone is the check for VxD name "SICE".
You can check the VxD names with many tools.. (Infospy for example)
This goes for win95 version and i guess would work for NT too..
(although for NT you have to recalculate the checksums as in +HCU Project 2)
This way of detecting SoftICE is the same one used
in the "nmtrans.dll" Function "DevIO_ConnectToSoftICE" so i guess they
reversed engineer that function.. (You see the pun,they do reverse engineer
too,
i guess no one can just live without Reverse Engineering :-) well,except for
zombies ..
Later
Kox
You are deep inside fravia's page of reverse engineering,
choose your way out:
project 2
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering illegal?