Anti anti-debugging tricks..
----------------------------
Only three tricks: two against the 'meltice' anti-debugging checks,
and one against the int 68h anti-debugging check


--int 68--------------------

INT 68h, AH=43h
returns 4300h in AX if no debugger is present
returns F386h in AX if a debugger is present

well, I just traced through an int 68h/AH=43h call, to see where the return code came from

eventually, I ended up in winice.exe itself.. take a look

0C29:1215  B886F3              MOV     AX,F386
0C29:1218  CF                  IRET

:d eip l 10
0C29:00001215 B8 86 F3 CF 2E 83 3E 19-00 FF 0F 84 18 00 B0 0B  ......>.........

I searched for these bytes in winice.exe.. found them at offset 1615h in winice.exe v3.23

I patched it, rebooted, heh, Windows doesn't work anymore :) disabled SoftICE.. patched
it back to what it was.. and decided to memory patch..

search for these bytes in memory and then patch them 

:- b8 86 f3 cf 2e -> b8 00 43 cf 2e

:s 0 l ffffffff b8 86 f3 cf 2e 83 3e 19
Pattern found at 0030:0000D4A5 (0000D4A5)   <-- yippie, the actual code in winice.exe
:s
Pattern found at 0030:C3209A3A (C3209A3A)   <-- mirror of my search pattern..
:s
Pattern not found

the search pattern and file offset are the same for SoftICE 3.25 :D
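As an added example (not part of the original tutorial), the following Python checks what the b8 86 f3 -> b8 00 43 patch actually changes: it locates the search pattern in a file-image buffer, decodes the MOV AX,imm16 the pattern starts with (F386h, the 'debugger present' value), and rewrites only the little-endian immediate to 4300h, refusing if the pattern is not unique or the MOV is not followed by IRET. The buffer is constructed from the bytes dumped above and padded with filler; it is not read from a real winice.exe, and its offsets are not the real file offsets.

```python
import struct

# Constructed stand-in for the winice.exe code bytes quoted in the tutorial,
# padded with NOPs so the pattern search has something to scan.
# The offset of the hit here (32) is NOT the real file offset (1615h).
WINICE_IMAGE = (
    bytes.fromhex("90" * 32)
    + bytes.fromhex("B886F3CF2E833E1900FF0F841800B00B")
    + bytes.fromhex("90" * 32)
)

PATTERN = bytes.fromhex("b886f3cf2e833e19")   # search pattern from the tutorial
NO_DEBUGGER = 0x4300                          # INT 68h/AH=43h result without a debugger
MOV_AX_IMM16 = 0xB8                           # opcode byte of MOV AX,imm16
IRET = 0xCF                                   # opcode byte of IRET

def find_all(image: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in image (overlaps included)."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits

def decode_mov_ax(code: bytes, off: int) -> int:
    """Decode the 16-bit immediate of a MOV AX,imm16 at off (little-endian)."""
    if code[off] != MOV_AX_IMM16:
        raise ValueError(f"no MOV AX,imm16 at {off:#x}")
    return struct.unpack_from("<H", code, off + 1)[0]

def patch_return_value(image: bytes, pattern: bytes, new_ax: int) -> tuple[bytes, int, int]:
    """Rewrite the imm16 of the MOV AX at the unique pattern hit.

    Returns (patched_image, hit_offset, old_ax). Only the two immediate bytes
    change; the IRET and everything around it are left exactly as they were.
    """
    hits = find_all(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hit, found {len(hits)}: {hits}")
    off = hits[0]
    old_ax = decode_mov_ax(image, off)
    if image[off + 3] != IRET:
        raise ValueError("MOV AX,imm16 is not followed by IRET; refusing to patch")
    patched = bytearray(image)
    struct.pack_into("<H", patched, off + 1, new_ax)
    return bytes(patched), off, old_ax

if __name__ == "__main__":
    patched, off, old = patch_return_value(WINICE_IMAGE, PATTERN, NO_DEBUGGER)
    print(f"{off:#06x}: MOV AX,{old:04X} -> MOV AX,{decode_mov_ax(patched, off):04X}")
```

Against live memory rather than a file image the uniqueness check would trip on the second hit shown above, which is SoftICE's copy of the search pattern itself, so there it must be excluded first.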


--\\.\SICE------------------

the meltice way to detect SoftICE.. the easiest way to defeat this is just by
searching for

'SICE    ' or 'NTICE' in winice.exe 
'\\.\SICE' or '\\.\NTICE' in nmtrans.dll

and changing it to read something else.. e.g. 'RICE' or 'S CE' etc...

winice.exe v3.23 offset 31724h : 'SICE    ',0,0,0,0
winice.exe v3.25 offset 31b3ch : 'SICE    ',0,0,0,0

nmtrans.dll v3.23 offset 23644h : '\\.\SICE',0,0,0,0
nmtrans.dll v3.25 offset 77b24h : '\\.\SICE',0,0,0,0

if you don't modify nmtrans.dll, the symbol loader will think SoftICE isn't loaded..
the string has to be the same in nmtrans.dll as in winice.exe....


--\\.\SIWVID----------------

easiest way of defeating this meltice method, is finding the reference in memory
and altering it..

:s 0 l ffffffff 'SIWVID  ' 00 00
Pattern found at 0030:C00207F0 (C00207F0)

if you found the correct one, your data window should look like this

-----SIWVID(01)+0020-----------------------------------------------------------
0030:C00207F0 53 49 57 56 49 44 20 20-00 00 00 80 C8 8D 02 C0  SIWVID  ........
0030:C0020800 18 93 02 C0 18 93 02 C0-00 00 00 00 00 00 00 00  ................
0030:C0020810 01 08 04 00 D0 07 02 C0-05 00 00 00 00 00 00 00  ................
0030:C0020820 B0 6E 16 C0 50 00 00 00-31 76 73 52 32 76 73 52  .n..P...1vsR2vsR
0030:C0020830 33 76 73 52 28 43 29 20-43 6F 70 79 72 69 67 68  3vsR(C) Copyrigh
0030:C0020840 74 20 4E 75 2D 4D 65 67-61 20 54 65 63 68 6E 6F  t Nu-Mega Techno
-------------------------------------------------------------------------------

just alter the ASCII 'SIWVID' to read something else.. I prefer ' IWVID'....


--no more :(----------------

yep, I probably know no more ways to defeat anti-debugging, except tracing through
the program and locating its detection code..

well, if I find out any more easy ways to defeat anti-debugging, I will amend this
mini tutorial

R!SC - http://csir.cjb.net