

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
              XXXX        proudly presents his 14.Cracking Tutorial (30.05.1999)
               XX                        How to detect MeltIce

I.   Tools you need for my tutorial
II.  The Crack
III. BTW

I.   Tools you need for my tutorial
     W32Dasm (get it at CrackZ page (you find a link at http://come.to/hellforge))
     It's better to also have SICE and a C++ compiler, but you only need them if you want to
     check that I am telling you the truth.

II.  The Crack:
     Greetings. This time I once more have no special target; instead I want to have a look at
     an anti-SoftIce routine called MeltIce. This is a small routine that finds SICE when the
     SICE VXD is installed, simply by trying to open the VXD's device. Let's have a look at the
     source (C++).

     #include <windows.h>                  // CreateFile, CloseHandle, HANDLE, BOOL

     BOOL IsSoftIce95Loaded()              // Function IsSoftIce95Loaded (returns true/false)
     {
         HANDLE hFile;                     // define a Handle for a file

         // "\\.\SICE" without escape stuff
         hFile = CreateFile( "\\\\.\\SICE",
                             GENERIC_READ | GENERIC_WRITE,        // Looks
                             FILE_SHARE_READ | FILE_SHARE_WRITE,  // for
                             NULL,                                // the VXD
                             OPEN_EXISTING,
                             FILE_ATTRIBUTE_NORMAL,
                             NULL);

         if( hFile != INVALID_HANDLE_VALUE )  // If it is there
         {
             CloseHandle(hFile);              // then Close file
             return TRUE;                     // and return TRUE
         }

         return FALSE;                        // else return FALSE
     }

     //////////////////////////////////////////////////////////////////////
     //
     // See if SoftICE version 3.x for Windows NT is loaded
     //
     BOOL IsSoftIceNTLoaded()              // Absolutely the same for the WINICE VXD
     {
         HANDLE hFile;

         // "\\.\NTICE" without escape stuff
         hFile = CreateFile( "\\\\.\\NTICE",
                             GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL,
                             OPEN_EXISTING,
                             FILE_ATTRIBUTE_NORMAL,
                             NULL);

         if( hFile != INVALID_HANDLE_VALUE )  // If it is there
         {
             CloseHandle(hFile);              // then Close file
             return TRUE;                     // and return TRUE
         }

         return FALSE;                        // else return FALSE
     }

     I implemented them in a test proggie (Borland C++ Builder 4) in this way:
     This snippet is called when the main window is created (Form1->OnCreate):

     if( IsSoftIce95Loaded() )       // If it detects SICE for WIN95
       Application->Terminate();     // Bye, bye
     else if( IsSoftIceNTLoaded() )  // If it detects NTICE
       Application->Terminate();     // Bye, bye
     ...

     Now I compiled it (static linker, linked packages) and had a look at the asm code in
     W32Dasm. The correct passage was easy to find, because the strings "\\\\.\\SICE" and
     "\\\\.\\NTICE" are hardcoded. You find the correct passage with the help of the string
     data reference in W32Dasm.
     You will see this:

     :004014D4 6A00                    push 00000000
     :004014D6 6880000000              push 00000080
     :004014DB 6A03                    push 00000003
     :004014DD 6A00                    push 00000000
     :004014DF 6A03                    push 00000003
     :004014E1 68000000C0              push C0000000

     * Possible StringData Ref from Data Obj ->"\\.\SICE"
                                       |
     :004014E6 6828734400              push 00447328

     * Reference To: KERNEL32.CreateFileA, Ord:0000h
                                  |
     :004014EB E806440400              Call 004458F6                    // Create the file
     :004014F0 8945FC                  mov dword ptr [ebp-04], eax
     :004014F3 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF // is the file there
     :004014F7 7410                    je 00401509                      // if not, then jump
     :004014F9 FF75FC                  push [ebp-04]

     * Reference To: KERNEL32.CloseHandle, Ord:0000h                    // Close the file
                                       |
     :004014FC E8E3430400              Call 004458E4
     :00401501 B801000000              mov eax, 00000001                // return eax=1
     :00401506 59                      pop ecx
     :00401507 5D                      pop ebp
     :00401508 C3                      ret                              // Return from procedure

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004014F7(C)                                                      // File doesn't exist
     |
     :00401509 33C0                    xor eax, eax                     // return eax=0
     :0040150B 59                      pop ecx
     :0040150C 5D                      pop ebp

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004014A2(C)
     |
     :0040150D C3                      ret                              // Return from procedure

     For NTICE it is completely the same, and you will find the reference only a few lines
     farther down.


     That was rather easy, so let's make the conditions harder. This time the strings are not
     hardcoded anymore. (One moment, I must write a proggie, but I'll be back in a few
     minutes ;-)

     OK, I am back.
     I changed those lines for SICE:

     // Build the device name "\\.\SICE" (two backslashes, dot, one backslash, SICE) one
     // character at a time, so no readable string ends up in the binary. Note that the
     // C source literal "\\\\.\\SICE" doubles every backslash; the string we build here
     // must be the unescaped form, otherwise CreateFile gets a different path.
     String SICE=String(char(92))+String(char(92))+String(char(46))+String(char(92))+
                 String(char(83))+String(char(73))+String(char(67))+String(char(69));
     hFile = CreateFile( SICE.c_str(),  // give my string to create the file

     The same for NTICE:
     String ntice=String(char(92))+String(char(92))+String(char(46))+String(char(92))+
                  String(char(78))+String(char(84))+String(char(73))+String(char(67))+
                  String(char(69));                                  // That's \\.\NTICE
     hFile = CreateFile(ntice.c_str(),


     Let's have a look at the code in W32Dasm. There is no string left that we could refer to.
     But remember, our first approach gave us many parts of the code that could be useful for
     us and should be unchanged. One thing that is still easy to find is the call to
     CreateFileA. This is our starting point. Let's search for CreateFileA until we find
     something comparable to the code we found in our first approach (the same six pushes
     before the call). In my case it was the first CreateFileA I found in W32Dasm. I saw this:

     :004017B0 6A00                    push 00000000
     :004017B2 6880000000              push 00000080
     :004017B7 6A03                    push 00000003
     :004017B9 6A00                    push 00000000
     :004017BB 6A03                    push 00000003
     :004017BD 68000000C0              push C0000000
     :004017C2 8D45FC                  lea eax, dword ptr [ebp-04]
     :004017C5 E88E000000              call 00401858
     :004017CA 50                      push eax

     * Reference To: KERNEL32.CreateFileA, Ord:0000h                     // Create File
                                       |
     :004017CB E8CE5B0400              Call 0044739E
     :004017D0 894584                  mov dword ptr [ebp-7C], eax
     :004017D3 837D84FF                cmp dword ptr [ebp-7C], FFFFFFFF  // Does it exist
     :004017D7 742B                    je 00401804                       // If not, then jump
     :004017D9 FF7584                  push [ebp-7C]

     * Reference To: KERNEL32.CloseHandle, Ord:0000h                     // else close file
                                       |
     :004017DC E8AB5B0400              Call 0044738C
     :004017E1 B801000000              mov eax, 00000001                 // and return eax=1
     :004017E6 50                      push eax
     :004017E7 FF4DA4                  dec [ebp-5C]
     :004017EA 8D45FC                  lea eax, dword ptr [ebp-04]
     :004017ED BA02000000              mov edx, 00000002
     :004017F2 E8F1580400              call 004470E8
     :004017F7 58                      pop eax
     :004017F8 8B5588                  mov edx, dword ptr [ebp-78]
     :004017FB 64891500000000          mov dword ptr fs:[00000000], edx
     :00401802 EB1E                    jmp 00401822                      // jump to "Back"

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004017D7(C)
     |
     :00401804 33C0                    xor eax, eax                      // return eax=0
     :00401806 50                      push eax
     :00401807 FF4DA4                  dec [ebp-5C]
     :0040180A 8D45FC                  lea eax, dword ptr [ebp-04]
     :0040180D BA02000000              mov edx, 00000002
     :00401812 E8D1580400              call 004470E8
     :00401817 58                      pop eax
     :00401818 8B5588                  mov edx, dword ptr [ebp-78]
     :0040181B 64891500000000          mov dword ptr fs:[00000000], edx

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00401802(U)                                                       // "Back"
     |
     :00401822 8BE5                    mov esp, ebp
     :00401824 5D                      pop ebp
     :00401825 C3                      ret                               // return to main


     As always, the equivalent for NTICE is located some lines farther down (search for
     CreateFileA again, it should be the next one).
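     The search from the second approach, where no string is left, can also be done mechanically
     over the raw code bytes. The following Python script is an added example and not part of the
     original tutorial: it decodes the run of push-immediates in front of a CreateFileA call, flags
     argument blocks that match MeltIce's six arguments, and tells the hardcoded and runtime-built
     variants apart. The byte samples are constructed from the two listings above, and the
     heuristic is an assumption: any other CreateFile call with exactly these flags is flagged
     too, so each hit still needs a look at the disassembly.

```python
import struct
# Constructed samples modelled on the two W32Dasm listings above (opcode bytes only):
# HARDCODED pushes a pointer to "\\.\SICE" as an immediate, RUNTIME pushes it from eax.
HARDCODED = bytes.fromhex(
    "6A00" "6880000000" "6A03" "6A00" "6A03" "68000000C0"  # six CreateFile arguments
    "6828734400" "E806440400")                             # push 00447328; call CreateFileA
RUNTIME = bytes.fromhex(
    "6A00" "6880000000" "6A03" "6A00" "6A03" "68000000C0"
    "8D45FC" "E88E000000" "50" "E8CE5B0400")               # lea eax,..; call; push eax; call

# Arguments are pushed in reverse order, so the first push is the last parameter.
MELTICE_ARGS = [0x00000000,  # hTemplateFile = NULL
                0x00000080,  # dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
                0x00000003,  # dwCreationDisposition = OPEN_EXISTING
                0x00000000,  # lpSecurityAttributes = NULL
                0x00000003,  # dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
                0xC0000000]  # dwDesiredAccess = GENERIC_READ | GENERIC_WRITE

def decode_pushes(code, pos):
    """Decode a run of push-immediates (6A imm8, 68 imm32) at pos; imm8 is sign-extended."""
    values = []
    while pos < len(code):
        op = code[pos]
        if op == 0x6A and pos + 1 < len(code):
            values.append(struct.unpack_from("<b", code, pos + 1)[0] & 0xFFFFFFFF)
            pos += 2
        elif op == 0x68 and pos + 4 < len(code):
            values.append(struct.unpack_from("<I", code, pos + 1)[0])
            pos += 5
        else:
            break
    return values, pos

def find_meltice_candidates(code):
    """Return (offset, variant) for every argument block matching the MeltIce CreateFile call."""
    hits, pos = [], 0
    while pos < len(code):
        values, end = decode_pushes(code, pos)
        if values[:6] == MELTICE_ARGS:
            if len(values) == 7:                     # seventh push: immediate string pointer
                hits.append((pos, "hardcoded string"))
            elif code[end:end + 1] == b"\x8D":       # lea eax,...: name built at run time
                hits.append((pos, "runtime-built string"))
            else:
                hits.append((pos, "unknown filename source"))
            pos = end
        else:
            pos += 1
    return hits
```

     Run it over the code section of a W32Dasm'd executable and every hit is a CreateFileA
     argument block worth inspecting, whether or not the "\\.\SICE" string survived.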

     What can we learn? Good question! We can learn how to detect MeltIce and get rid of it.
     Either you can change the jump (as I prefer) or the line where eax gets 1 (change that to
     mov eax, 00000000). Then a small anti-SICE routine would be wasted. I don't know if MeltIce
     is often used; in fact I never experienced it, and I believe I am the only guy (in my
     CrackMes) that uses it. So you have at least some starting points for my CrackMes.

     That's all folks. I hope you made it this far ;-)

III. BTW
     Hope my tutorial was helpful for you and see you again in my next tutorial. 
     
     Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and 
     all [hf] members


All Tutorials by LaZaRuS [hf]

 #|  date  |   name           |version|W32Dasm|Soft-Ice|kind of crack            |
--|--------|------------------|-------|-------|--------|-------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |   (X)  |serial#                  |
02|31.01.99|Goldwave          |4.02   |  (X)  |   (X)  |serial#,nag-screens      |
03|28.03.99|AxMan             |3.00   |  (X)  |   (X)  |serial#,remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
04|29.03.99|C++Builder Strings|       |  (X)  |   (X)  |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
05|29.03.99|Better Protection |       |       |        |How to protect shareware |
  |        |                  |       |       |        |better against crackers  |
06|04.04.99|Start Clean       |1.2    |  (X)  |   (X)  |nag-screen/serial/keygen |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |   (X)  |nag-screen/serial        |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered       |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...    |
10|24.04.99|eKH CrackMe       |1.0    |  (X)  |        |serial                   |
11|25.04.99|F-Secure          |4.02   |  (X)  |        |time limit/nag           |
12|29.04.99|Latido's JS       |3.0    |       |        |serial                   |
  |        |Reverse Me        |       |       |        |                         |
13|24.05.99|Italian Soccer    |1.10   | (IDA) |        |patch to remove the time |
  |        |Manager           |       |       |        |limit                    |
14|30.05.99|MeltIce           |       |  (X)  |   (X)  |how to defeat this Anti  |
  |        |                  |       |       |        |SICE trick               |

LaZaRuS [hf]
Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com