Adobe 5 READER (godammit, READER!!) is S-ICE hostile


aimless
June 18th, 2001, 09:37
Install Acrobat Reader 4
Open a .pdf file
Assume ICE is in background
No Problem

Install Acrobat Reader 5
Open a .pdf file
Assume ICE is in background
DOES NOT OPEN.

CTRL+ALT+DEL does NOT show the process. Is this paranoid? Or am I just going crazy.

Me? I have Win98/SE (yeah!)

Leads anyone?

rickz
June 18th, 2001, 18:59
Same for me on a Win2k installation.

madmax
June 18th, 2001, 21:21
It's not so much Adobe, but rather the InterTrust plug-in with filename DOCBOX.API. It checks for SICE using the IDT method and CreateFileA/SICE, so you need to either use FrogSICE, IceDump's /protect feature, or better yet modify your winice.exe and other files, as was done in the old days =) I recommend this, as more and more programs are using anti-debug stuff, and FrogSICE/IceDump are nice but not perfect! Anyways, to get around the IDT check, I patched DOCBOX.API at offset 0x34A65 to change jz ==> JMP
I assume you can handle that! Have fun

madmax!

Russ
June 18th, 2001, 21:45
This is a paste from Acrobat's readme (C:\Program Files\Adobe\Acrobat 5.0\Reader\ReadMe.html).

"Debugging with Acrobat Reader 5.0
If you need to use a debugger while Acrobat Reader 5.0 is running, to enable debugging remove the InterTrust directory and DocBox.api plug-in contained within it from the Acrobat 5.0/Reader/Plug_ins directory. [416341]"
That's too easy.

017F:37034A59 668B5144 MOV DX,[ECX+44] ;IDT read at interrupt 11?
017F:37034A5D 6681F20005 XOR DX,0500 ;8500 XOR 0500 = 8000
017F:37034A62 F6C61F TEST DH,1F ;10000000 (80) AND 00011111(1F) = 00000000 ZF = 1
017F:37034A65 7505 JNZ 37034A6C
017F:37034A67 B801000000 MOV EAX,00000001
017F:37034A6C 3BC7 CMP EAX,EDI

Just change your IDT+44 to something besides 0085 (mine is 008E with sice unloaded). There are two more cheesy meltice tricks that I'll let you find (or use FrogsICE).

Or just do what madmax said. I see he beat me to the post.
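Added example (not from the thread or from Adobe/InterTrust): a C model of the four instructions Russ quoted, showing what the XOR/TEST actually asks of the IDT entry. It assumes the word Russ calls 0085/008E is the 16-bit value DX holds, 0x8500/0x8E00, whose high byte is the gate descriptor's attribute byte (bit 7 = present, bits 6-5 = DPL, bit 4 = S, bits 3-0 = gate type).

```c
#include <stdint.h>
#include <stdio.h>

/* x86 gate descriptor type field values (bits 3-0 of the attribute byte, S bit clear). */
#define GATE_TYPE_TASK   0x5
#define GATE_TYPE_INTR32 0xE

/* Mirror of the quoted DOCBOX.API sequence:
 *   MOV DX,[ECX+44] ; XOR DX,0500 ; TEST DH,1F ; JNZ skip ; MOV EAX,1
 * Returns 1 when execution falls through to MOV EAX,1 (ZF set), 0 otherwise. */
int docbox_idt_check(uint16_t dx)
{
    dx ^= 0x0500;
    uint8_t dh = (uint8_t)(dx >> 8);
    return (dh & 0x1F) == 0;
}

/* Decoded fields of the attribute byte (high byte of the word read at entry offset +4). */
typedef struct { int present; int dpl; int s; int type; } gate_attr;

gate_attr decode_gate_attr(uint16_t word)
{
    uint8_t a = (uint8_t)(word >> 8);
    gate_attr g = { (a >> 7) & 1, (a >> 5) & 3, (a >> 4) & 1, a & 0x0F };
    return g;
}

/* Plain-language form of the same test: low 5 bits of the attribute byte equal 0x05,
 * i.e. S=0 and type=5, a task gate. (dh ^ 5) & 0x1F == 0 is exactly dh & 0x1F == 5. */
int is_task_gate(uint16_t word)
{
    gate_attr g = decode_gate_attr(word);
    return g.s == 0 && g.type == GATE_TYPE_TASK;
}

/* Exhaustively confirm the obfuscated check and the readable one agree for every DX value. */
int checks_agree(void)
{
    for (uint32_t v = 0; v <= 0xFFFF; v++)
        if (docbox_idt_check((uint16_t)v) != is_task_gate((uint16_t)v)) return 0;
    return 1;
}

int main(void)
{
    uint16_t samples[] = { 0x8500, 0x8E00 }; /* constructed: the two values Russ reports */
    for (int i = 0; i < 2; i++) {
        gate_attr g = decode_gate_attr(samples[i]);
        printf("word %04X: P=%d DPL=%d S=%d type=%X -> flagged=%d\n", samples[i],
               g.present, g.dpl, g.s, g.type, docbox_idt_check(samples[i]));
    }
    return checks_agree() ? 0 : 1;
}
```

So the plug-in flags the debugger when that IDT slot holds a task gate (0x85) instead of the usual 32-bit interrupt gate (0x8E), which is why Russ's advice of changing the byte away from 85 defeats this particular test.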