
       . . t h e  w h i z  k i d  p r o u d l y  p r e s e n t s . .



Hi and welcome to another cracking tutorial from me :)
In this tutorial I will teach you newbies (like me) how to
easily defeat an easy yet common anti-SoftICE trick.
This trick is well known as MeltICE.

Tools:
------

SoftICE
W32dasm
Hacker's View


How does MeltICE work?
----------------------

The big thing behind MeltICE is a simple API call (CreateFileA),
which attempts to create a file over the VxD named SICE.
If it can create a file there, then SoftICE isn't loaded;
if it can't, well, you know what happens :).

Patching MeltICE
----------------

There are a few methods of patching MeltICE. I have prepared a little
crackme, which will be discussed in this tutorial.
Open up the crackme. You'll get a message saying that SoftICE is loaded,
bla bla bla....  Click Cancel and exit the app.
Open SoftICE (SI from NOW on!) using Ctrl+D, and set a breakpoint
on CreateFileA (bpx createfilea). Reopen the crackme, and Boom!
SI pops. Now we are inside the call to CreateFileA.
Press F11 3 times, and now you are at this code reference:

* Reference To: kernel32.CreateFileA, Ord:0000h
                                  |
:00442F49 E84E30FCFF              Call 00405F9C
:00442F4E 83F8FF                  cmp eax, FFFFFFFF
:00442F51 7408                    je 00442F5B
:00442F53 50                      push eax

* Reference To: kernel32.CloseHandle, Ord:0000h

Hmm, do you see that conditional jump (je) over there?
Let's take a look at where it leads...

Open up W32dasm, click the "Goto Code Location" button, and
enter 00442F51.
Now you should be on the line of the jump.
Click the jump-to button, and you are here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00442F51(C)
|
:00442F5B 8BC3                    mov eax, ebx
:00442F5D 5B                      pop ebx
:00442F5E 5D                      pop ebp
:00442F5F C3                      ret

This code is right after the CreateFileA call location!
This means that if we change this jump, our app will simply
skip the MeltICE part!

The file offset is 42351. Change the je (74) to jmp (EB) using
your favourite hex editor. I use HIEW!

Reopen the crackme, and there's no more MeltICE!

Now for the second method:
We know that MeltICE attempts to write to the VxD called "SICE",
so let's try to change the reference to SICE in the crackme.
Open up HIEW, press F7 to search, and type SICE.
After the search is done, just change the SICE string to
whatever you want! (I simply erased it.)
It can't get any simpler than THAT!

Another method to patch it is to look for the string data reference of
the message given in the dialog box ('I'm sorry ...'); the code there is:

:00442FBB 741A                    je 00442FD7
:00442FBD 6A00                    push 00000000
:00442FBF 668B0DDC2F4400          mov cx, word ptr [00442FDC]
:00442FC6 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"I'm sorry, you cannot use this "
                                        ->"lameass shareware unless the debugger "
                                        ->"is OFF!"
                                  |
:00442FC8 B8E82F4400              mov eax, 00442FE8

That jump also leads to the dialog box, and if you change that je to jmp,
you have also cracked MeltICE.
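As an added example (not WhizKiD's code), here is the arithmetic and the byte check behind methods one and three in Python: the listing's je at 00442F51 is taken when CreateFileA returned FFFFFFFF, so forcing it to an unconditional jmp always skips the nag. The image base (400000h) and the code section's RVA (1000h) and raw offset (400h) are assumptions chosen to reproduce the tutorial's 42351h, and the sample buffer is constructed, not the crackme itself.

```python
IMAGE_BASE = 0x400000    # assumed image base of the crackme
SECTION_VA = 0x1000      # assumed RVA of the code section
SECTION_RAW = 0x400      # assumed raw file offset of the code section

JE_SHORT, JMP_SHORT = 0x74, 0xEB   # opcodes for 'je rel8' and 'jmp rel8'


def va_to_file_offset(va: int) -> int:
    """Map a virtual address from the W32dasm listing to a file offset."""
    return va - IMAGE_BASE - SECTION_VA + SECTION_RAW


def patch_je_to_jmp(data: bytes, va: int, expected_target: int) -> bytes:
    """Turn the short je at `va` into a short jmp, but only if the bytes
    there really are a 'je rel8' landing on `expected_target`."""
    off = va_to_file_offset(va)
    opcode, rel8 = data[off], data[off + 1]
    if opcode != JE_SHORT:
        raise ValueError(f"byte at {off:X}h is {opcode:02X}h, not a je")
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8   # rel8 is signed
    if va + 2 + disp != expected_target:           # counted from next insn
        raise ValueError("jump target does not match the listing")
    return data[:off] + bytes([JMP_SHORT]) + data[off + 1:]


def build_sample() -> bytes:
    """Constructed stand-in for the crackme: zero padding with the two
    listings' bytes placed at their computed file offsets."""
    buf = bytearray(0x42500)
    listing = {
        0x442F49: "E84E30FCFF",      # call 00405F9C (CreateFileA thunk)
        0x442F4E: "83F8FF",          # cmp eax, FFFFFFFF
        0x442F51: "7408",            # je 00442F5B   (method one)
        0x442F53: "50",              # push eax
        0x442FBB: "741A",            # je 00442FD7   (third method)
        0x442FBD: "6A00",            # push 00000000
    }
    for va, hexcode in listing.items():
        off = va_to_file_offset(va)
        buf[off:off + len(hexcode) // 2] = bytes.fromhex(hexcode)
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    assert va_to_file_offset(0x442F51) == 0x42351   # matches the tutorial
    patched = patch_je_to_jmp(image, 0x442F51, 0x442F5B)
    patched = patch_je_to_jmp(patched, 0x442FBB, 0x442FD7)
    print(f"{patched[0x42351]:02X} {patched[0x42352]:02X}")   # EB 08
```

The target check is what a hex editor does not do for you: patching the wrong offset would silently corrupt the cmp in front of the jump instead of the jump itself.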


In conclusion:
Cracking can come in all sorts of ways, even when it comes to hex editing.
I'm sure that there are a few more ways to crack this SI detection.
If you find some others, drop me a line :)

Good night!


halokshoorim@hotmail.com
greets go to you!

-WhizKiD


This file is a courtesy of the Immortal Descendants 2000 (C)

