******************
* FrogsICE v0.43 *
******************


1) What is that?
================

FrogsICE is a VxD (Virtual device driver for Windows, just like a good old
TSR for DOS).
It intercepts programs (exe or COM, DOS/Win16 or Win32) trying to detect
if SoftICE is loaded. It is particularly useful for packed, encrypted programs.

FrogsICE runs ONLY on Win95/98 OS.

It intercepts and prevents detection right before it is executed.
Moreover, it reports the type of detection used, shows the register values
(eax, ebx, ecx, edx, edi, esi, ebp), the interrupt used, the address (segment:offset)
where this detection is located inside the calling program, and writes all this
information to a log file.
It can let you return false values to the program to make it believe SoftICE
is not loaded.

FrogsICE also detects programs trying to redirect interrupts 01h and 03h.
It intercepts calls to interrupts 01h, 03h, 21h, 2Fh, 41h and 68h in V86 and PMode
(except int68h, in V86 mode only), VMM_Fault 01h, as well as some VxD services, drX access,
MeltICE, and SoftICE registry key access; it also prevents deletion of SoftICE files and
hides SoftICE drivers by patching them in memory...

______________________________________________________________________________________________


2) How to use it
================

To run FrogsICE, simply put the 2 files "FPloader.exe" and "FrogsICE.VXD" in the same
directory.
Launch FPloader.exe and an icon will appear in the system tray.
Right click on it to get the menu options.
Then, run the software you suspect to have anti-SoftICE code.
To unload the VxD, just click on the 'Disable' menu or 'Exit'.

______________________________________________________________________________________________


3) Menu options
===============


   -ENABLE / DISABLE : 
      Loads/unloads FrogsICE
   
   -PROTECT SOFTICE FILES:
      Locks up all files in the SoftICE directory (and subdirectories)
      to prevent any nasty application from deleting them.

   -LOG TO FILE:
      Save to file each detection hooked by FrogsICE. The log file is named
      FrogsICE.log and will **always** be created in the root of your Window$
      drive (ex: c:\FrogsICE.log).
      The log will not be overwritten if it already exists, but the text will
      be appended.
      Disable it if you simply want to run an app with anti-SoftICE code and don't
      care about (or already know) details of the detection.
      
   -HIDE SOFTICE DRIVERS:
      Hide SoftICE drivers (SICE, SIWDEBUG and SIWVID) so that they cannot be detected
      in the DDB List. You must disable this feature if you want to run SoftICE Symbol
      Loader because it will report that SoftICE is NOT loaded.

   -BLUE_SCREEN_OF_DEATH:
      Display a BSOD each time FrogsICE detects anti-SoftICE code. The screen gives you
      as much information as possible about the detection (type, register values, address
      of the detection inside the program...). This information is the same as that logged
      to file.
      The BlueScreenOfDeath is not available for drX hooks (see below).
      When the BSOD occurs you will be prompted to:
      - Press (Y)es to fool the app : FrogsICE will do its best to hide SoftICE from
                                      the detection.
      - Press (N)o to let it run    : FrogsICE will let your soft detect SoftICE.
      - Press ESCAPE to disable BSOD: Will temporarily disable FrogsICE BSOD. This is useful
                                      if your app tries 1000 times (or more!) to detect SoftICE
                                      and you are stuck in front of a blue screen.
                                      Note that FPLoader will not detect that you have disabled
                                      the BSOD, so you'll need to either disable and then enable
                                      FrogsICE again or click on any other option from
                                      the menu to restore the correct menu state.

      When the BSOD is disabled, FrogsICE will ALWAYS try to fool the app, just as if you
      had pressed the (Y)es key.

      FrogsICE BSOD will give you a code reference about the detection. For more information
      about this detection see 'Code.txt'.

   -HOOK DRX:
      This is a powerful feature which is not active by default. It will detect any access
      (read/write) to the Debug Registers (dr0-dr7).
      Use it with care as it may crash your computer. If SoftICE is loaded, it is safer
      to disable or clear any breakpoints.
      This option is only available for 486i+ CPU; otherwise it will be grayed.
      FrogsICE will only hook 40 consecutive accesses to drX, to keep your system from hanging
      in case your app plays too much with VWIN32, for instance. If there are more than
      40 hooks, FrogsICE will add a "BUFFER FULL" message to the logfile.
      FrogsICE WILL NOT display a BSOD when detecting a drX access, because while hooking
      VMM_FAULT it is not possible to use non-asynchronous services. For the same reason,
      FrogsICE cannot write to its logfile when a hook occurs. Instead, hooks are stored
      inside a buffer and will be written to the log ONLY WHEN YOU DISABLE the 'Hook drX' option.
      Note also that your app may not exit normally in some rare circumstances.
      If this happens, kill it (CTRL-ALT-DEL) after a while.

   -HOOK INT03H:
      Hook/Unhook int03h calls. This feature is optional because, if SoftICE is not
      loaded, any software calling this interrupt to detect SoftICE may consider FrogsICE
      to be a debugger. You may try to bypass this problem with the option below if
      your app is a 32bit one.

   -FORCE INT03h EXCEPTION FILTER:
      By default, this option is disabled.
      This could be a dangerous one if you don't know what you are doing. It is only
      available for 32bit apps (don't ever attempt to use it with a 16bit app!).
      It will only work if SoftICE is **NOT** loaded.
      Some protections (like VBox, Armadillo) set up an exception filter and then
      call int03h. FrogsICE will then be detected as a debugger (as it hooks int03) and
      your app will either crash (Armadillo) or refuse to run (VBox) :-(
      Enable this option and FrogsICE will hook the int03h and patch the program in memory
      to force it to execute the exception filter function (it will create a divide error).
      Then your app will work well and you can check whether there are any other anti-SoftICE
      tricks ;-)
      For more information about this method, check the file 'int3Except.exe' (+ ASM source)
      enclosed with FrogsICE in the 'samples' directory.
      
   -RUN...:
      Lets you run any program file (exe, com, pif and bat).

   -VIEW LOG:
      This menu is enabled if FrogsICE has detected anti-SoftICE code and grayed otherwise.
      It will launch Notepad to display the logfile. 
      
   -DELETE LOG:
      This menu is enabled if FrogsICE has created a logfile and grayed otherwise.
      It will erase FrogsICE.log.

4) TIPS
=======

- When FrogsICE hooks anti-SoftICE code, it will add the '>' sign on the left side of
  any register used for the detection. (Ex: >eax=00000004h )

- Although FrogsICE v0.41+ fools encryptors like CodeCrypt 0.13 (which calls int68h
  thousands of times and will crash your app), if you have to face any app using similar
  methods simply disable "Log to File" to fool it (and disable the BSOD ;-).

- It is sometimes better to disable FrogsICE's BSOD as it may cause some problems (SafeDisc...).


5) FAQ
======

   a) - "I received a 'Cannot load FrogsICE.vxd' message?"

      => This seems to apply to Win95 OSR2 users only. Ensure that FrogsICE.vxd is in the same
         directory as FPLoader.exe. Otherwise, try to copy the VxD into your windows\system dir.
      

   b) - "FrogsICE doesn't seem to work well with SafeDisc protections..."
   
      => To run a SafeDisc app, disable 'BlueScreenOfDeath'.
         Your app will run without any problem.


   c) - "Each time I try to run FrogsICE, it crashes Windows!!"
   
      => you're wrong, FrogsICE doesn't crash window$, but window$ crashes FrogsICE :-p
   

   d) - "can I modify the code, and everything else?"
   
      => Yes, do whatever you want with it, but only blame yourself in case of problems...
      

   e) - "Can I load FrogsICE.vxd with another loader (vxdload from Vireo)?"
   
      => If you really want to see what a BSOD is, then do it :-(
      

______________________________________________________________________________________________


6) Greetings
============

Last but not least, thanks to :

   1) => +Spath for his work/suggestions/testing on the drX stuff, which helped me improve
         FrogsICE.

   2) => Elraizer and disavowed for their miscellaneous suggestions.
   
  
   3) => ( put your +name or -name here ;-P )

______________________________________________________________________________________________ 

+Frog's Print November 1999

www.thepentagon.com/frog_s_print