
Thread: SoftICE: CreateFile(\\.\NTICE) doesn't work with latest ver?

  1. #1
    onebitshort
    Guest

    Question SoftICE: CreateFile(\\.\NTICE) doesn't work with latest ver?

    SoftICE v4.3.2 ... I just tried the good old simple CreateFileA method (\\.\NTICE and a few others) which worked fine on older builds, but it's no longer working. Anyone know why? I didn't have any luck with Google apart from one guy who asked the same question but didn't get any response except for "it should work". I know there are other ways to detect SI but I'd like to know why this no longer works (or what the new device name is).

    And by the way, yes, I do have \system32\drivers\ntice.sys, and the "ntice" service is running, which makes it even stranger that I can't call CreateFile on it. (And yes, I am logged in as Admin.)
    Last edited by onebitshort; November 28th, 2006 at 00:59.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker
    Yeah, Softice provides its own MeltIce protection. Pretty cool huh?

    If you look at the SymbolicLink name of NTICE using WinObj (or Four-F's extended version, WinObjEx) under the GLOBAL?? heading, you'll see the name is now \Device\NTicexxxx, where the xxxx is a 4 character combination which is based on the serial number.

    You can check out the routines in Softice. Like many other drivers, NTICE creates a Symbolic Link name during DriverEntry with IoCreateSymbolicLink, and deletes it during DriverUnload (not normally called) with IoDeleteSymbolicLink. The INIT (DriverEntry) section is mostly paged out after Softice starts but you can still check out what's happening by looking at the DriverUnload function. If interested..

    The DriverUnload function just happens to be immediately after the IRP_MJ_SHUTDOWN routine.
    You can find the IRP_MJ_SHUTDOWN routine by typing
    DRIVER NTICE
    and disassembling the address shown for IRP_MJ_SHUTDOWN. A few screens down look for the IoDeleteSymbolicLink function, you should see your serial number displayed as one of the earlier parameters.

    Code:
    .text:000115C0 DriverUnload    proc near               ; CODE XREF: start+6F7p
    .text:000115C0                                         ; start:loc_1C57B5p
    .text:000115C0
    .text:000115C0 SymbolicLinkName= dword ptr -8
    ...
    .text:00011736
    .text:00011736 loc_11736:                   ; CODE XREF: DriverUnload+170
    .text:00011736                 push    offset SerialNumber
    .text:0001173B                 push    offset aDosdevicesNtic ; "\\DosDevices\\NTice"
    .text:00011740                 mov     esi, offset SymbolicNameBuffer
    .text:00011745                 push    esi
    .text:00011746                 call    InitializeSymbolicNameBuffer
    .text:0001174B                 push    esi             ; SourceString
    .text:0001174C                 lea     eax, [ebp+SymbolicLinkName]
    .text:0001174F                 push    eax             ; DestinationString
    .text:00011750                 call    ds:RtlInitUnicodeString_0
    .text:00011756                 lea     eax, [ebp+SymbolicLinkName]
    .text:00011759                 push    eax             ; SymbolicLinkName
    .text:0001175A                 call    ds:IoDeleteSymbolicLink
    .text:00011760                 push    DeviceObject    ; DeviceObject
    .text:00011766                 call    ds:IoDeleteDevice
    ...
    .text:00011779                 leave
    .text:0001177A                 retn    4
    .text:0001177A DriverUnload    endp
    The comparable IoCreateSymbolicLink is in DriverEntry:

    Code:
    INIT:001C4A29                 push    ebp
    INIT:001C4A2A                 mov     DeviceObject, eax
    INIT:001C4A2F                 push    offset aDosdevicesNt_0 ; "\\DosDevices\\NTice"
    INIT:001C4A34                 mov     ebx, offset SymbolicNameBuffer
    INIT:001C4A39                 push    ebx
    INIT:001C4A3A                 mov     dword ptr [esi+38h], offset IRP_MJ_CREATE_CLOSE
    INIT:001C4A41                 mov     dword ptr [esi+40h], offset IRP_MJ_CREATE_CLOSE
    INIT:001C4A48                 mov     dword ptr [esi+78h], offset IRP_MJ_SHUTDOWN
    INIT:001C4A4F                 mov     dword ptr [esi+70h], offset IRP_MJ_DEVICE_CONTROL
    INIT:001C4A56                 mov     dword ptr [esi+74h], offset IRP_MJ_INTERNAL_DEVICE_CONTROL
    INIT:001C4A5D                 call    InitializeSymbolicNameBuffer
    INIT:001C4A62                 push    ebx             ; SourceString
    INIT:001C4A63                 lea     eax, [esp+5A4h+SymbolicLinkName]
    INIT:001C4A67                 push    eax             ; DestinationString
    INIT:001C4A68                 call    ds:RtlInitUnicodeString_0
    INIT:001C4A6E                 lea     eax, [esp+5A0h+DeviceName]
    INIT:001C4A72                 push    eax             ; DeviceName
    INIT:001C4A73                 lea     eax, [esp+5A4h+SymbolicLinkName]
    INIT:001C4A77                 push    eax             ; SymbolicLinkName
    INIT:001C4A78                 call    ds:IoCreateSymbolicLink
    You can see what it does is to take the basic Symbolic Link string "\\DosDevices\\NTice" and concatenate it with some algorithm based on the serial number.

    In terms of the MeltIce detection, the following obviously won't work any longer:

    Code:
    #include <windows.h>

    // Classic MeltICE-style check: open SoftICE's NT driver by its old fixed
    // symbolic link name.  Returns TRUE if the open succeeds (SoftICE present).
    BOOL IsSoftIceLoadedOldWay(void)
    {
        HANDLE hFile = CreateFileA( "\\\\.\\NTICE",
                        GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

        if(hFile!=INVALID_HANDLE_VALUE)
        {
             // Softice Detected
             CloseHandle(hFile);
             return TRUE;
        }
        return FALSE;
    }
    One apparent solution then is to parse the names of all Symbolic Link objects and check for one which begins with "NTICE".

    Kayaker
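Kayaker's closing suggestion (walk the symbolic link objects and look for a name beginning with NTICE), written out as an added example. This is my code, not anything from the thread, from SoftICE or from WinObj. It opens \GLOBAL?? (the directory WinObj labels GLOBAL??) with the native NtOpenDirectoryObject / NtQueryDirectoryObject calls, resolved from ntdll at run time so no ntdll import library is needed, and prints every entry whose name starts with NTICE, which covers both the old fixed NTICE link and the 4.3.2 NTICExxxx form. The prefix matcher is kept separate and portable so it can be exercised without Windows; the directory walk compiles only under _WIN32. The 64 KB batch buffer, the case-insensitive match and the choice of \GLOBAL?? rather than \?? are my assumptions, not anything the post specifies.

```c
#include <stdio.h>
#include <string.h>

/* Portable part.  Kernel object names arrive as UTF-16 code units with an
 * explicit length (UNICODE_STRING), not NUL-terminated.  Returns 1 if the name
 * starts with "NTICE" (ASCII case-insensitive): "NTICE" and "NTICExxxx" both match. */
int name_has_ntice_prefix(const unsigned short *name, size_t nchars)
{
    static const char prefix[] = "NTICE";
    const size_t plen = sizeof prefix - 1;
    size_t i;
    if (name == NULL || nchars < plen)
        return 0;
    for (i = 0; i < plen; i++) {
        unsigned short c = name[i];
        if (c >= 'a' && c <= 'z')
            c = (unsigned short)(c - 'a' + 'A');
        if (c != (unsigned short)prefix[i])
            return 0;
    }
    return 1;
}

/* Helper for trying the matcher on plain C strings (widened byte by byte). */
int ascii_name_has_ntice_prefix(const char *s)
{
    unsigned short wide[64];
    size_t n = strlen(s), i;
    if (n > sizeof wide / sizeof wide[0])
        return 0;
    for (i = 0; i < n; i++)
        wide[i] = (unsigned short)(unsigned char)s[i];
    return name_has_ntice_prefix(wide, n);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#define DIRECTORY_QUERY 0x0001

/* Entry layout returned by NtQueryDirectoryObject (not declared in winternl.h). */
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION;
typedef NTSTATUS (NTAPI *NtOpenDirectoryObject_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtQueryDirectoryObject_t)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG);

/* Walk \GLOBAL?? and print every entry whose name starts with NTICE.  Returns the count, or -1. */
int count_ntice_links(void)
{
    static BYTE buf[64 * 1024];                 /* batch buffer; size is my choice */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtOpenDirectoryObject_t pOpen = (NtOpenDirectoryObject_t)GetProcAddress(ntdll, "NtOpenDirectoryObject");
    NtQueryDirectoryObject_t pQuery = (NtQueryDirectoryObject_t)GetProcAddress(ntdll, "NtQueryDirectoryObject");
    WCHAR dirPath[] = L"\\GLOBAL??";
    UNICODE_STRING dirName;
    OBJECT_ATTRIBUTES oa;
    HANDLE hDir;
    ULONG ctx = 0, retLen = 0;
    int found = 0;
    if (!pOpen || !pQuery)
        return -1;
    dirName.Buffer = dirPath;
    dirName.Length = (USHORT)(sizeof dirPath - sizeof(WCHAR));
    dirName.MaximumLength = (USHORT)sizeof dirPath;
    InitializeObjectAttributes(&oa, &dirName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (pOpen(&hDir, DIRECTORY_QUERY, &oa) < 0)
        return -1;
    /* Each call fills buf with entries ending in one whose Name.Buffer is NULL; ctx keeps the
     * cursor.  STATUS_MORE_ENTRIES (positive) = call again, 0 = last batch, negative = done/error. */
    for (;;) {
        NTSTATUS st = pQuery(hDir, buf, sizeof buf, FALSE, FALSE, &ctx, &retLen);
        OBJECT_DIRECTORY_INFORMATION *e;
        if (st < 0)
            break;
        for (e = (OBJECT_DIRECTORY_INFORMATION *)buf; e->Name.Buffer != NULL; e++) {
            if (name_has_ntice_prefix((const unsigned short *)e->Name.Buffer,
                                      e->Name.Length / sizeof(WCHAR))) {
                printf("%.*S (%.*S)\n", (int)(e->Name.Length / sizeof(WCHAR)), e->Name.Buffer,
                       (int)(e->TypeName.Length / sizeof(WCHAR)), e->TypeName.Buffer);
                found++;
            }
        }
        if (st == 0)
            break;
    }
    CloseHandle(hDir);
    return found;
}

int main(void)
{
    int n = count_ntice_links();
    printf("%d NTICE* object(s) under \\GLOBAL??\n", n);
    return 0;
}
#endif
```

As Kayaker notes further down the thread, IceExt hooks NtQueryDirectoryObject precisely to hide this entry, so an empty result from this walk is not proof that SoftICE is absent; it only says the link is not visible through that call.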

  3. #3
    onebitshort
    Guest
    Awesome reply, thanks!

    Strange - I was looking through WinObjEx\Global\ yesterday, SoftICE was definitely running, but I couldn't see any NTIce-anything. Likewise I couldn't see any in Services, or Drivers, even though it was definitely running. The only thing I could get CreateFile to work on was SIWVIDSTART, which is a bit useless.

    But today I can see them all? lol

    So I can now see NtIce in Services, I can see NtIceXXXX as a Symbolic Link in WinObj\Global?, and I can see \SystemRoot\System32\Drivers\NTice.SYS when I call EnumDeviceDrivers

    Do FrogsICE or MeltICE or any of those protections change the name of either the ntice.sys file or the NTIce service?

  4. #4
    Kayaker
    IceExt does a couple of runtime modifications of the NTICE service name via SSDT hooking to protect against using NtCreateFile, NtQuerySystemInformation and NtQueryDirectoryObject to detect the service. This isn't absolute protection against other methods of detecting the service however such as direct registry access or using PsSetLoadImageNotifyRoutine (a la Daemon Tools/SPTD) or even DKOM access ("Direct Kernel Object Manipulation" as the buzzword is coined).

    A more reliable method would be to change the service name yourself manually, though this doesn't mean Softice couldn't be detected in other ways. You can do this by editing the registry and a few Softice files. I have a VMWare image where the NTICE service has been renamed to NOICE (the file is now noice.sys). Change all pertinent entries in the registry and search for unicode string refs to "NTICE" in the files ntice.sys, siwvid.sys and bootcfg.sys (I think those are all that is required) and change the name there as well, updating the PE checksum afterwards. The unicode string refs are the ones which refer to CurrentControlSet\Services\NTICE. You could do the same with the other Softice services SIWVID and SIWSYM as well.

  5. #5
    onebitshort
    Guest
    Ooh ... I just tried a brute-force approach - CreateFile "NTICE0000" to "NTICE9999". It successfully found mine, plus it only takes a couple of milliseconds to test all 10000 combinations.

    The only two things I'm not sure about ...
    1 - is the number in decimal or hex? (not that testing 0000 to FFFF would be much slower)
    2 - is it always going to be four digits like 0000 if it's < 1000 ?

  6. #6
    Kayaker
    Well, I checked on 2 installations, XP and 2K, they were both 4 characters but in one case it included a letter. To truly answer your question though, forgive me saying, but that's what reversing is all about. I gave the clue that that particular answer would be found in the algo within what I called InitializeSymbolicNameBuffer.

    If you check it out you'll see it contains no ring0 specific code and is a small enough string manipulation routine that could be easily "ripped". An ideal subject for what IDA can help with (save as asm file). I don't really know the answer to your question but it seems that the code could easily be duplicated in a test app and you could step through it to determine exactly what it does. If you do, please let us know, it would be interesting.

    Cheers,
    Kayaker

  7. #7
    Trick was used on StarForce ages ago...
    softice records the serial in the registry under 'Serial'
    take the last 4 chars, append those to \\.\ntice
    voila...

  8. #8
    onebitshort
    Guest
    Kayaker,
    Well, I checked on 2 installations, XP and 2K, they were both 4 characters but in one case it included a letter.
    Was the letter in the hex A-F range ?

    Trick was used on StarForce ages ago...
    softice records the serial in the registry under 'Serial'
    take the last 4 chars, append those to \\.\ntice
    voila...
    Hmmm not quite ... but the 4byte serial does exist in the main serial, sort of ...
    Assume that my HKEY_LOCAL_MACHINE\SOFTWARE\NuMega\DriverStudio\ Serial = 1234ABCD5678
    The 4-byte serial that my ntice driver is running as is 6DB4, which you can see in reverse, separated by one byte per char, which I highlighted in bold

    Is that the same with yours?
    Last edited by onebitshort; November 29th, 2006 at 02:31.

  9. #9
    onebitshort
    Guest
    It looks like our usermode friend nmtrans.dll also uses that code.
    Code:
    1001FBF5  |.  51                        push ecx                                                    ; /pBufSize
    1001FBF6  |.  68 343E2510               push nmtrans.10253E34                                       ; |Buffer = nmtrans.10253E34
    1001FBFB  |.  50                        push eax                                                    ; |pValueType
    1001FBFC  |.  50                        push eax                                                    ; |Reserved
    1001FBFD  |.  68 E4860710               push nmtrans.100786E4                                       ; |ValueName = "Serial"
    1001FC02  |.  52                        push edx                                                    ; |hKey
    1001FC03  |.  FF15 00C00610             call near dword ptr ds:[<&ADVAPI32.RegQueryValueExA>]       ; \RegQueryValueExA
    1001FC09  |.  85C0                      test eax, eax
    1001FC0B  |.  75 0A                     jnz short nmtrans.1001FC17
    1001FC0D  |.  C705 303E2510 01000000    mov dword ptr ds:[10253E30], 1
    1001FC17  |>  8B4424 04                 mov eax, dword ptr ss:[esp+4]
    1001FC1B  |.  50                        push eax                                                    ; /hKey
    1001FC1C  |.  FF15 04C00610             call near dword ptr ds:[<&ADVAPI32.RegCloseKey>]            ; \RegCloseKey
    1001FC22  |>  68 343E2510               push nmtrans.10253E34
    1001FC27  |.  8D4C24 10                 lea ecx, dword ptr ss:[esp+10]
    1001FC2B  |.  68 D8860710               push nmtrans.100786D8                                       ;  ASCII "\\.\NTICE"
    1001FC30  |.  51                        push ecx
    1001FC31  |.  E8 3A000000               call nmtrans.1001FC70
     
    ...
    ...
    
    1001FC70  /$  81EC 04020000             sub esp, 204
    1001FC76  |.  8A15 FC010810             mov dl, byte ptr ds:[100801FC]
    1001FC7C  |.  53                        push ebx
    1001FC7D  |.  55                        push ebp
    1001FC7E  |.  56                        push esi
    1001FC7F  |.  57                        push edi
    1001FC80  |.  B9 3F000000               mov ecx, 3F
    1001FC85  |.  33C0                      xor eax, eax
    1001FC87  |.  8D7C24 15                 lea edi, dword ptr ss:[esp+15]
    1001FC8B  |.  885424 14                 mov byte ptr ss:[esp+14], dl
    1001FC8F  |.  889424 14010000           mov byte ptr ss:[esp+114], dl
    1001FC96  |.  F3:AB                     rep stos dword ptr es:[edi]
    1001FC98  |.  66:AB                     stos word ptr es:[edi]
    1001FC9A  |.  AA                        stos byte ptr es:[edi]
    1001FC9B  |.  B9 3F000000               mov ecx, 3F
    1001FCA0  |.  33C0                      xor eax, eax
    1001FCA2  |.  8DBC24 15010000           lea edi, dword ptr ss:[esp+115]
    1001FCA9  |.  8BAC24 18020000           mov ebp, dword ptr ss:[esp+218]
    1001FCB0  |.  F3:AB                     rep stos dword ptr es:[edi]
    1001FCB2  |.  66:AB                     stos word ptr es:[edi]
    1001FCB4  |.  AA                        stos byte ptr es:[edi]
    1001FCB5  |.  B9 40000000               mov ecx, 40
    1001FCBA  |.  33C0                      xor eax, eax
    1001FCBC  |.  8BFD                      mov edi, ebp
    1001FCBE  |.  8B9424 1C020000           mov edx, dword ptr ss:[esp+21C]
    1001FCC5  |.  F3:AB                     rep stos dword ptr es:[edi]
    1001FCC7  |.  B9 40000000               mov ecx, 40
    1001FCCC  |.  8D7C24 14                 lea edi, dword ptr ss:[esp+14]
    1001FCD0  |.  F3:AB                     rep stos dword ptr es:[edi]
    1001FCD2  |.  8BFA                      mov edi, edx
    1001FCD4  |.  83C9 FF                   or ecx, FFFFFFFF
    1001FCD7  |.  F2:AE                     repne scas byte ptr es:[edi]
    1001FCD9  |.  F7D1                      not ecx
    1001FCDB  |.  49                        dec ecx
    1001FCDC  |.  51                        push ecx
    1001FCDD  |.  52                        push edx
    1001FCDE  |.  55                        push ebp
    1001FCDF  |.  E8 9C2E0200               call nmtrans.10042B80
    1001FCE4  |.  8BBC24 2C020000           mov edi, dword ptr ss:[esp+22C]
    1001FCEB  |.  83C9 FF                   or ecx, FFFFFFFF
    1001FCEE  |.  33C0                      xor eax, eax
    1001FCF0  |.  8D9424 20010000           lea edx, dword ptr ss:[esp+120]
    1001FCF7  |.  F2:AE                     repne scas byte ptr es:[edi]
    1001FCF9  |.  F7D1                      not ecx
    1001FCFB  |.  2BF9                      sub edi, ecx
    1001FCFD  |.  8BC1                      mov eax, ecx
    1001FCFF  |.  8BF7                      mov esi, edi
    1001FD01  |.  8BFA                      mov edi, edx
    1001FD03  |.  C1E9 02                   shr ecx, 2
    1001FD06  |.  F3:A5                     rep movs dword ptr es:[edi], dword ptr ds:[esi]
    1001FD08  |.  8BC8                      mov ecx, eax
    1001FD0A  |.  83E1 03                   and ecx, 3
    1001FD0D  |.  F3:A4                     rep movs byte ptr es:[edi], byte ptr ds:[esi]
    1001FD0F  |.  8D8C24 20010000           lea ecx, dword ptr ss:[esp+120]
    1001FD16  |.  51                        push ecx
    1001FD17  |.  E8 64650400               call nmtrans.10066280
    1001FD1C  |.  8BD8                      mov ebx, eax
    1001FD1E  |.  83C9 FF                   or ecx, FFFFFFFF
    1001FD21  |.  8BFB                      mov edi, ebx
    1001FD23  |.  33C0                      xor eax, eax
    1001FD25  |.  83C4 10                   add esp, 10
    1001FD28  |.  BE 02000000               mov esi, 2
    1001FD2D  |.  F2:AE                     repne scas byte ptr es:[edi]
    1001FD2F  |.  F7D1                      not ecx
    1001FD31  |.  49                        dec ecx
    1001FD32  |.  8D7C24 14                 lea edi, dword ptr ss:[esp+14]
    1001FD36  |.  894C24 10                 mov dword ptr ss:[esp+10], ecx
    1001FD3A  |>  3B7424 10                 /cmp esi, dword ptr ss:[esp+10]
    1001FD3E  |.  7D 22                     |jge short nmtrans.1001FD62
    1001FD40  |.  0FBE141E                  |movsx edx, byte ptr ds:[esi+ebx]
    1001FD44  |.  52                        |push edx
    1001FD45  |.  E8 44500200               |call nmtrans.10044D8E
    1001FD4A  |.  83C4 04                   |add esp, 4
    1001FD4D  |.  85C0                      |test eax, eax
    1001FD4F  |.  74 09                     |je short nmtrans.1001FD5A
    1001FD51  |.  8A041E                    |mov al, byte ptr ds:[esi+ebx]
    1001FD54  |.  8807                      |mov byte ptr ds:[edi], al
    1001FD56  |.  47                        |inc edi
    1001FD57  |.  C607 00                   |mov byte ptr ds:[edi], 0
    1001FD5A  |>  83C6 02                   |add esi, 2
    1001FD5D  |.  83FE 08                   |cmp esi, 8
    1001FD60  |.^ 7E D8                     \jle short nmtrans.1001FD3A
    1001FD62  |>  8D7C24 14                 lea edi, dword ptr ss:[esp+14]
    1001FD66  |.  83C9 FF                   or ecx, FFFFFFFF
    1001FD69  |.  33C0                      xor eax, eax
    1001FD6B  |.  F2:AE                     repne scas byte ptr es:[edi]
    1001FD6D  |.  F7D1                      not ecx
    1001FD6F  |.  2BF9                      sub edi, ecx
    1001FD71  |.  8BF7                      mov esi, edi
    1001FD73  |.  8BD1                      mov edx, ecx
    1001FD75  |.  8BFD                      mov edi, ebp
    1001FD77  |.  83C9 FF                   or ecx, FFFFFFFF
    1001FD7A  |.  F2:AE                     repne scas byte ptr es:[edi]
    1001FD7C  |.  8BCA                      mov ecx, edx
    1001FD7E  |.  4F                        dec edi
    1001FD7F  |.  C1E9 02                   shr ecx, 2
    1001FD82  |.  F3:A5                     rep movs dword ptr es:[edi], dword ptr ds:[esi]
    1001FD84  |.  8BCA                      mov ecx, edx
    1001FD86  |.  83E1 03                   and ecx, 3
    1001FD89  |.  F3:A4                     rep movs byte ptr es:[edi], byte ptr ds:[esi]
    1001FD8B  |.  5F                        pop edi
    1001FD8C  |.  5E                        pop esi
    1001FD8D  |.  5D                        pop ebp
    1001FD8E  |.  5B                        pop ebx
    1001FD8F  |.  81C4 04020000             add esp, 204
    1001FD95  \.  C3                        retn
    Geez ... that's a lot of work just to churn out 4 bytes
    I might rip it later for further testing but for now I'll just try and invoke it normally and watch what it does with my valid serial
    Last edited by onebitshort; November 29th, 2006 at 02:39.

  10. #10
    onebitshort
    Guest
    ok ...

    Get a copy of nmtrans.dll from your SoftICE dir
    Then LoadLibrary it ... then call NmSymIsSoftICELoaded(); (no params)
    It'll return 0 if not loaded, or 1 if SoftICE is loaded. And that's all there is to it. Set a breakpoint just before the call and you can step through to see what it does with the serial.

    NmSymIsSoftICELoaded immediately calls nmtrans.DevIO_ConnectToSoftICE, which is simply this - first the Win9x SICE check then the NTICE check with the four extra digits:
    Code:
    1001FB90 nm>/$  81EC 08010000 sub esp, 108
    1001FB96    |.  56            push esi
    1001FB97    |.  8B35 48C00610 mov esi, dword ptr ds:[<&KERNEL32.Create>;  kernel32.CreateFileA
    1001FB9D    |.  6A 00         push 0                                   ; /hTemplateFile = NULL
    1001FB9F    |.  68 80000000   push 80                                  ; |Attributes = NORMAL
    1001FBA4    |.  6A 03         push 3                                   ; |Mode = OPEN_EXISTING
    1001FBA6    |.  6A 00         push 0                                   ; |pSecurity = NULL
    1001FBA8    |.  6A 03         push 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    1001FBAA    |.  68 00000080   push 80000000                            ; |Access = GENERIC_READ
    1001FBAF    |.  68 04870710   push nmtrans.10078704                    ; |FileName = "\\.\SICE"
    1001FBB4    |.  FFD6          call near esi                            ; \CreateFileA
    1001FBB6    |.  83F8 FF       cmp eax, -1
    1001FBB9    |.  0F85 A7000000 jnz nmtrans.1001FC66
    1001FBBF    |.  A1 303E2510   mov eax, dword ptr ds:[10253E30]
    1001FBC4    |.  C74424 08 000>mov dword ptr ss:[esp+8], 100
    1001FBCC    |.  85C0          test eax, eax
    1001FBCE    |.  75 52         jnz short nmtrans.1001FC22
    1001FBD0    |.  8D4424 04     lea eax, dword ptr ss:[esp+4]
    1001FBD4    |.  50            push eax                                 ; /pHandle
    1001FBD5    |.  6A 01         push 1                                   ; |Access = KEY_QUERY_VALUE
    1001FBD7    |.  6A 00         push 0                                   ; |Reserved = 0
    1001FBD9    |.  68 EC860710   push nmtrans.100786EC                    ; |Subkey = "Software\NuMega\SoftIce"
    1001FBDE    |.  68 02000080   push 80000002                            ; |hKey = HKEY_LOCAL_MACHINE
    1001FBE3    |.  FF15 08C00610 call near dword ptr ds:[<&ADVAPI32.RegOp>; \RegOpenKeyExA
    1001FBE9    |.  85C0          test eax, eax
    1001FBEB    |.  75 35         jnz short nmtrans.1001FC22
    1001FBED    |.  8B5424 04     mov edx, dword ptr ss:[esp+4]
    1001FBF1    |.  8D4C24 08     lea ecx, dword ptr ss:[esp+8]
    1001FBF5    |.  51            push ecx                                 ; /pBufSize
    1001FBF6    |.  68 343E2510   push nmtrans.10253E34                    ; |Buffer = nmtrans.10253E34
    1001FBFB    |.  50            push eax                                 ; |pValueType
    1001FBFC    |.  50            push eax                                 ; |Reserved
    1001FBFD    |.  68 E4860710   push nmtrans.100786E4                    ; |ValueName = "Serial"
    1001FC02    |.  52            push edx                                 ; |hKey
    1001FC03    |.  FF15 00C00610 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExA
    1001FC09    |.  85C0          test eax, eax
    1001FC0B    |.  75 0A         jnz short nmtrans.1001FC17
    1001FC0D    |.  C705 303E2510>mov dword ptr ds:[10253E30], 1
    1001FC17    |>  8B4424 04     mov eax, dword ptr ss:[esp+4]
    1001FC1B    |.  50            push eax                                 ; /hKey
    1001FC1C    |.  FF15 04C00610 call near dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey
    1001FC22    |>  68 343E2510   push nmtrans.10253E34                   ; Serial
    1001FC27    |.  8D4C24 10     lea ecx, dword ptr ss:[esp+10]
    1001FC2B    |.  68 D8860710   push nmtrans.100786D8                    ;  ASCII "\\.\NTICE"
    1001FC30    |.  51            push ecx
    1001FC31    |.  E8 3A000000   call nmtrans.1001FC70
    1001FC36    |.  83C4 0C       add esp, 0C
    1001FC39    |.  8D5424 0C     lea edx, dword ptr ss:[esp+C]
    1001FC3D    |.  6A 00         push 0
    1001FC3F    |.  68 80000000   push 80
    1001FC44    |.  6A 03         push 3
    1001FC46    |.  6A 00         push 0
    1001FC48    |.  6A 03         push 3
    1001FC4A    |.  68 00000080   push 80000000
    1001FC4F    |.  52            push edx
    1001FC50    |.  FFD6          call near esi
    1001FC52    |.  8BF0          mov esi, eax
    1001FC54    |.  83FE FF       cmp esi, -1
    1001FC57    |.  75 0B         jnz short nmtrans.1001FC64
    1001FC59    |.  68 010058A6   push A6580001                            ; /Error = A6580001 (-1504182271.)
    1001FC5E    |.  FF15 C8C00610 call near dword ptr ds:[<&KERNEL32.SetLa>; \SetLastError
    1001FC64    |>  8BC6          mov eax, esi
    1001FC66    |>  5E            pop esi
    1001FC67    |.  81C4 08010000 add esp, 108
    1001FC6D    \.  C3            retn
    Last edited by onebitshort; November 29th, 2006 at 03:31.
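Putting posts #8, #9 and #10 together: an added C example, mine rather than code from the thread, from nmtrans.dll or from SoftICE, that rebuilds the device name the way the helper at 1001FC70 does, as I read the listing. That reading is: copy "\\.\NTICE" into the output (10042B80), reverse a copy of the serial (the call at 1001FD17 is taken to be strrev), then take reversed[2], [4], [6] and [8] (the loop at 1001FD3A: esi starts at 2, steps by 2, runs while esi < strlen and esi <= 8), keep each character that passes the one-argument classification routine at 1001FD45 (taken to be isalnum), and strcat the result. Both identifications are assumptions from the surrounding code, not symbols on the page. For the serial 1234ABCD5678 from post #8 this gives \\.\NTICE6DB4, matching what onebitshort observed, and under this reading the suffix is copied characters rather than a number in any base, and it is shorter than four characters only when the serial is short or has a non-alphanumeric at one of those positions. Under _WIN32 the block also reads the Serial value the listing reads (HKLM\Software\NuMega\SoftIce; post #8 mentions a DriverStudio key, which may differ by install) and probes \\.\SICE and then the built name with CreateFileA, as DevIO_ConnectToSoftICE does.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* C string "\\.\NTICE": the fixed prefix pushed at 1001FC2B. */
#define NTICE_PREFIX "\\\\.\\NTICE"

/* Rebuild the per-install device name from the registry "Serial" string,
 * following the helper at 1001FC70 (my reading of the listing):
 *   1. copy "\\.\NTICE" into out              (10042B80)
 *   2. reverse a copy of the serial           (10066280, assumed strrev)
 *   3. for i = 2, 4, 6, 8 while i < len:      (loop at 1001FD3A)
 *        if reversed[i] passes 10044D8E       (assumed isalnum)
 *          append it to a 4-char suffix
 *   4. strcat the suffix onto out
 * Returns the number of suffix characters (0..4), or -1 on a bad buffer. */
int build_ntice_name(const char *serial, char *out, size_t outsz)
{
    char rev[0x100];                 /* the listing reads Serial with a 0x100 buffer */
    char suffix[5] = {0};
    size_t len = strlen(serial);
    size_t i, n = 0;

    if (len >= sizeof rev || outsz < sizeof(NTICE_PREFIX) + 4)
        return -1;
    for (i = 0; i < len; i++)
        rev[i] = serial[len - 1 - i];
    rev[len] = '\0';

    for (i = 2; i < len && i <= 8; i += 2)
        if (isalnum((unsigned char)rev[i]))
            suffix[n++] = rev[i];

    snprintf(out, outsz, "%s%s", NTICE_PREFIX, suffix);
    return (int)n;
}

/* Convenience wrapper returning a static buffer, for quick checks. */
const char *ntice_name_for(const char *serial)
{
    static char buf[32];
    if (build_ntice_name(serial, buf, sizeof buf) < 0)
        buf[0] = '\0';
    return buf;
}

#ifdef _WIN32
#include <windows.h>

/* Mirrors DevIO_ConnectToSoftICE (1001FB90): try the Win9x name "\\.\SICE",
 * then the NT name built from HKLM\Software\NuMega\SoftIce\Serial.
 * Returns 1 if either open succeeds (SoftICE loaded), else 0. */
int softice_loaded(void)
{
    char serial[0x100] = {0};
    char ntname[32] = "";
    const char *names[2] = { "\\\\.\\SICE", ntname };
    HKEY hKey;
    DWORD cb = sizeof serial - 1;    /* leave room for a terminating NUL */
    int i;

    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\NuMega\\SoftIce", 0,
                      KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS) {
        RegQueryValueExA(hKey, "Serial", NULL, NULL, (LPBYTE)serial, &cb);
        RegCloseKey(hKey);
    }
    build_ntice_name(serial, ntname, sizeof ntname);

    for (i = 0; i < 2; i++) {
        HANDLE h = CreateFileA(names[i], GENERIC_READ,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            CloseHandle(h);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    printf("%s -> %s\n", "1234ABCD5678", ntice_name_for("1234ABCD5678"));
    printf("SoftICE %s\n", softice_loaded() ? "detected" : "not detected");
    return 0;
}
#endif
```

If the registry read fails the serial stays empty and the probe falls back to plain \\.\NTICE, which is what the zeroed buffer at 10253E34 would give nmtrans.dll as well.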

  11. #11
    onebitshort
    Guest
    Kayaker, I just noticed this paragraph http://www.woodmann.com/crackz/Tutorials/Protect.htm
    In SoftICE v4.3.2 this detection method no longer works as internally the SymbolicLink name of NTICE has a 4 digit number appended (this is based upon the serial number used to install SoftICE), a discussion of this is available here courtesy of SoftICE guru Kayaker.
    But the link is invalid (it just points to showthread.php but doesn't specify the thread) - have you got a working link for that? Many thanks.

  12. #12
    Try the link without the "( )" as

    http://www.woodmann.com/crackz/Tutorials/Protect.htm

    and it should work. Did for me, just now.

    Regards,
    JMI

  13. #13
    onebitshort
    Guest
    No, not that link, the one mentioned in the quote ("a discussion of this is available here"), but that link is just to showthread.php without a thread ID.

  14. #14
    onebitshort
    Guest
    Only 60 references for NmSymisSoftICELoaded at Google and only 23 for DevIO_ConnectToSoftICE, but one of the more interesting ones is from a book 'Crackproof Your Software' (append .pdf to find the ebook) which mentions it:
    Detecting SoftICE by Calling the NmSymIsSoftICELoaded DLL
    Function from the nmtrans.dll Library


    The SoftICE DLL library nmtrans.dll contains the NmSymIsSoftICELoaded function, which we can use to see whether SoftICE is active in memory. This trick can be used in all Windows versions, and it is not used very often.

    To use this trick, first load the nmtrans.dll library into memory by API-calling LoadLibraryA. Next, find its address by API-calling GetProcAddress, and then call it. If the return value is other than 0 then SoftICE is active in memory.

    The nmtrans.dll library uses an API call to CreateFileA for SoftICE detection, as shown in the section above titled "Detecting SoftICE by Opening Its Drivers and Calling the CreateFileA API Function (SICE, NTICE)." It is important to test breakpoints at API calls to the LoadLibraryA, GetProcAddress, CreateFileA, and possibly even to NmSymIsSoftICELoaded.

    Because paths for Windows 9x and Windows NT are firmly set, this isn't an ideal tool, because SoftICE could be installed anywhere. In the "Using the Windows Registry to Find the Directory Where SoftICE Is Installed" section later in this chapter, I will show you how to use the Windows registers to determine where SoftICE has been installed.

  15. #15
    The SEARCH Button can be your friend.

    http://www.woodmann.com/forum/showthread.php?t=7237&highlight=SoftICE+v4.3.2

    Maybe that's it. Nope, that's just about mapping the keyboard. Guess we'll have to see if Kayaker remembers in the morning.

    Regards,
    JMI
