************************************
* FrogsICE v1.08.7 for win95/98/ME *
*   by +Frog's Print & +Spath      *
************************************

1) How to use it
2) Options
3) Misc features
4) Tips/infos/Warnings
5) FAQ


================
1) How to use it
================

Launch FPloader.exe and an icon will appear in the system tray.
Right- or left-click it to open the options dialog box.
Check or uncheck options, enable FrogsICE, and then run
the software you suspect of containing anti-SoftICE code.
__________________________________________________________________________

==========
2) Options
==========

-BASIC OPTIONS GROUP:
--------------------

   -BLUE_SCREEN_OF_DEATH:
    Displays a BSOD each time FrogsICE detects anti-SoftICE code. The screen
    gives you as much information as possible about the detection (type,
    register values, address of the detection inside the program...).
    This is the same information that is logged to file.
    The BlueScreenOfDeath is not available for drX hooks.
    When the BSOD occurs you will be prompted to:
    - Press (Y)es to fool the app : FrogsICE will do its best to hide SoftICE
                                    from the detection.
    - Press (N)o to let it run    : FrogsICE will let your soft detect SoftICE.
    - Press ESCAPE to disable BSOD: Will temporarily disable FrogsICE BSOD.
                                    This is useful if your app tries 1000 times
                                    (or more!) to detect SoftICE and you are
                                    stuck in front of a blue screen. FPLoader
                                    will detect that you have disabled the BSOD.

    When the BSOD is disabled, FrogsICE will ALWAYS try to fool the app, just
    as if you had pressed the (Y)es key.
    The FrogsICE BSOD will give you a code reference for the detection.
    For more information about this detection see 'Code.txt'.

   -HIDE SOFTICE DRIVERS:
    Hide SoftICE drivers (SICE, SIWDEBUG and SIWVID) so that they cannot be
    detected in the DDB List.
    This option is grayed (and useless!) if SoftICE is not loaded.

   -LOG TO FILE:
    Saves each detection hooked by FrogsICE to file. The log file name is
    randomly created to prevent any app from detecting or erasing it (although
    it is protected from deletion). It will **always** be created in the root
    of your Window$ drive (ex: c:\Fihjzpan.wga).
    The log will not be overwritten if it already exists, but the text will
    be appended.
    Disable it if you simply want to run an app with anti-SoftICE code and don't
    care about (or already know) details of the detection.
    When quitting FrogsICE, if a logfile exists it will ask you if you want to
    keep it or delete it.

   -PROTECT SOFTICE FILES:
    Locks all files in the SoftICE directory (and subdirectories) to prevent
    any nasty application from deleting them.
    This option locks up FrogsICE logfile as well.

   -AUTO-SCAN ON STARTUP/EXIT:
    FrogsICE will perform some scanning tests when you load it and when you exit it.
    It will check the memory for occurrences of some 'unwanted' data ('WINICE' string
    etc..., debugger flags) and clean up the memory if it finds any, and will check
    your IDT to see whether any suspicious modifications have been made.
    FrogsICE will inform you about what it has found.
    You should always leave this option enabled, as the memory scanning process
    is very important. Although it is useless to try to detect SoftICE by searching
    for 'WINICE.BR' in memory in win98, the string 'WINICE.EXE', for instance, is
    present most of the time and could easily be detected.
    Sometimes, during the IDT scan, you may receive a warning due to Winice.exe or
    due to other apps you may use to hide SoftICE.
    FrogsICE will return the list of modified interrupts. If you have any BPINT's
    set, it is safer to quit FrogsICE and disable these BPINT's, then re-run FrogsICE.

   -HIDE FPLOADER:
    FPLoader.exe will hide its process and task names from apps trying to detect it.
    You MUST RESTART FrogsICE for this change to take effect.
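
The IDT check described under AUTO-SCAN ON STARTUP/EXIT amounts to comparing a
saved copy of the interrupt gates with the current ones and listing the vectors
that differ. The C code below is an added example, not FrogsICE code; it works
on a constructed four-gate table rather than a live IDT, and the names gate_t,
decode_gate, idt_diff and BASE are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded 32-bit protected-mode IDT gate (8 bytes in memory). */
typedef struct { uint32_t offset; uint16_t selector; uint8_t attr; } gate_t;

static gate_t decode_gate(const uint8_t *d)
{
    return (gate_t){
        (uint32_t)d[0] | ((uint32_t)d[1] << 8) |           /* offset 0-15  */
        ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24),   /* offset 16-31 */
        (uint16_t)(d[2] | (d[3] << 8)), d[5] };  /* selector, P/DPL/type */
}

/* Store up to max changed vector numbers in out; return the total changed. */
size_t idt_diff(const uint8_t *base, const uint8_t *now, size_t vectors,
                unsigned *out, size_t max)
{
    size_t n = 0;
    for (size_t v = 0; v < vectors; v++) {
        gate_t a = decode_gate(base + 8 * v), b = decode_gate(now + 8 * v);
        if (a.offset == b.offset && a.selector == b.selector && a.attr == b.attr)
            continue;
        if (n < max) out[n] = (unsigned)v;
        n++;
    }
    return n;
}

/* Constructed sample: gates for int 00h-03h, selector 0028h, attr 8Eh. */
static const uint8_t BASE[4 * 8] = {
    0x00,0x10, 0x28,0x00, 0x00,0x8E, 0x00,0xC0,   /* int 00h -> C0001000 */
    0x10,0x10, 0x28,0x00, 0x00,0x8E, 0x00,0xC0,   /* int 01h -> C0001010 */
    0x20,0x10, 0x28,0x00, 0x00,0x8E, 0x00,0xC0,   /* int 02h -> C0001020 */
    0x30,0x10, 0x28,0x00, 0x00,0x8E, 0x00,0xC0,   /* int 03h -> C0001030 */
};

int main(void)
{
    uint8_t now[sizeof BASE];
    unsigned ch[4];
    memcpy(now, BASE, sizeof BASE);
    now[8 * 1 + 6] = 0x23;   /* int 01h: handler address changed */
    now[8 * 3 + 5] = 0xEE;   /* int 03h: same address, DPL raised to 3 */
    size_t n = idt_diff(BASE, now, 4, ch, 4);
    for (size_t i = 0; i < n; i++) printf("int %02Xh modified\n", ch[i]);
    return 0;
}
```

Comparing the attribute byte as well as the handler address is what catches the
int 03h case, where only the privilege level of the gate changed.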

-QUICK OPTIONS GROUP:
--------------------

   -DEFAULT SETTINGS / BULLETPROOF / USER DEFINED
    Menu to restore FrogsICE default settings, set them to maximum security
    (all options enabled except 'BSOD' & 'Hide FPLoader') or to quickly check
    the current options.

   -PROTECTIONS COMBOBOX:
    You can select, edit, add or remove protections/programs with anti-SoftICE
    code. They will be saved to FrogsICE.dat, which already includes several
    samples.


-ADVANCED OPTIONS GROUP:
-----------------------

   -POPUP SOFTICE:
    This option forces SoftICE to break when FrogsICE hooks anti-debugger code.
    When enabling this menu, you will need to set the SoftICE break-on-int01
    command:
    => 'I1HERE ON'.
    The break will occur BEFORE FrogsICE gives control back to the app, and
    some useful information will be displayed in the SoftICE command window:
    . address cs:eip of the detection
    . address of the SEH proc for int03 hooks
    . address of string data for MeltICE tricks...
    This option is helpful with packed/encrypted programs (Vbox, Asprotect...).
    At break time, you can use your favorite dumper (IceDump...) to save
    the detection code and analyze it later ;-)
    Press F5 to let your app run, or press F12 two or three times to go back
    inside your application code where the detection is located.
    Note that if your application uses a lot of anti-debugger tricks, you can
    disable this feature simply by typing 'I1HERE OFF' at the SoftICE prompt.
    SoftICE versions prior to v4.00 may not popup when a program tries to access
    Debug Registers ('Hook DRx' menu enabled).
    This menu option is grayed if SoftICE is not loaded.

   -HOOK DRX:
    This is a powerful feature which is not active by default.
    It will detect any access (read/write) to Debug Registers (dr0-dr7).
    Use it with care as it may crash your computer. If SoftICE is loaded,
    it is safer to disable or clear BPM breakpoints.
    This option is only available on i486 and later CPUs; otherwise it will be
    grayed.
    FrogsICE WILL NOT display a BlueScreenOfDeath when detecting a drX access.
    From version 0.99, DRx accesses are automatically logged to file (you no
    longer need to deactivate this menu to create the logfile).
    Note also that your app may not exit its process normally in some rare
    circumstances. If this happens, kill it (CTRL-ALT-DEL) after a while.

   -IDT MONITOR/PROTECTOR:
    If this option is enabled, FrogsICE will prevent any application from
    modifying interrupt vectors inside the IDT.

   -INT03 HOOK:
    Force FrogsICE to hook int03h **before** SoftICE hooks it.
    This applies to PMode only. By default, FrogsICE doesn't hook any call
    to int03.
    Before using this function, make sure that you have disabled breakpoints on
    execution (BPX) and set I3HERE to OFF. Otherwise SoftICE may crash, or
    FrogsICE could hook the 0cch opcode used by SoftICE to set BPX and would not
    give control back to SoftICE (FrogsICE will consider the 0cch opcode as
    anti-debugger code!). Instead of BPX, use BPM xxxxxxxx X, for instance
    "BPM MessageBoxA X".
    Set SoftICE "FAULTS" command to "OFF" as well.
    FrogsICE will inform you in its logfile if it has found any SEH procedure
    which could be used by your app:
     ."SEH proc address at cs:xxxxxxxx" where xxxxxxxx is the address of
       the SEH requested
     ."SEH proc address at cs:????????" if no SEH was found (this does NOT
       mean that there is no SEH!).
    If a SEH is found it will be **automatically** executed (Armadillo, AZPR,
    VBoxed apps...).
    Note that it doesn't matter if SoftICE is loaded or not, as it will always
    work ;-)

-MISC OPTIONS GROUP:
-------------------

  -RUN APP...:
   Lets you run any program file (exe, com, pif and bat).
  
  -RUN LOADER32:
   Runs Loader32.
   FrogsICE will patch nmtrans.dll in memory so that Loader32 will run
   even if the 'Hide SoftICE Drivers' option is checked. When quitting,
   FrogsICE will kill Loader32's process as well, because once patched it
   cannot work without FrogsICE.

  -SCAN NOW...
   Lets you perform the scanning test (as described in the Basic Options Group)
   at any time.


-EXIT:
-----
Guess!

    
-ABOUT:
------
Everything you always wanted to know about FrogsICE...


-LOGFILE GROUP:
--------------
  -VIEW LOG:
   This menu is enabled if FrogsICE has detected anti-SoftICE code and grayed
   otherwise. It will launch Notepad to display the logfile.

  -DELETE LOG:
   This menu is enabled if FrogsICE has created a logfile and grayed otherwise.
   It will erase FrogsICE logfile.
  

-ACTIVATION GROUP:
-----------------
  -ENABLE / DISABLE:
   Loads/unloads FrogsICE. Note that at startup, FrogsICE is always de-activated.

______________________________________________________________________________


=================
3) Misc features:
=================


-SETTINGS:

Upon exit, FrogsICE saves its settings (menu options + protections combobox
items) inside a dat file (FrogsICE.dat).


-DOT COMMANDS:

When FrogsICE is loaded, you can get some information from within the SoftICE
screen by using the "." (dot) command.
From SoftICE, type ".frogsice" and you'll get the following menu:

      ========================== FrogsICE v1.00 ready =====================
      [1]=Detections hooked
      [2]=Current settings
      [3]=Anti-debugging tricks help
      [4]=Enable/Disable FrogsICE :-(
      ============ Select menu option [1]-[4] or [ECS] to quit ============

  -[1]=Detections hooked:
   This menu is useful when you are tracing an app. At any time, it can
   tell you if FrogsICE has detected some anti-SoftICE code while you were
   debugging your soft, and will even give you the kind of detection (code #xx)
   + its location inside the program (only for the last hook found).

  -[2]=Current settings:
   Informs you about the current settings, just in case you forgot to disable
   some 'dangerous' features (DRx hook, int3..) or forgot to enable others.


  -[3]=Anti-debugging tricks help
   Displays information about some anti-SoftICE/debugger codes that you may
   need while tracing a piece of software:

      ================== FROG'S PRINT ANTI-SOFTICE TRICKS HELP ================
      [a]=int03h(#01-02)  [b]=int2fh(#03-04) [c]=int41h(#05-06)  [d]=int68h(#07)
      [e]=Get_DDB(#09)    [f]=dr0-7(#0A)     [g]=MeltICE(#0B-0E) [h]=VWIN32(#0C)
      [i]=RegOpenKey(#0D) [j]=IDT(#0F)

   Note that values displayed in brackets (#01-#02...) are the code references
   returned by FrogsICE (see code.txt) as usual :-)


  -[4]=Enable/Disable FrogsICE :-(
   From this menu, you can disable FrogsICE: it will stop monitoring and
   hooking your system (all hooks will be disabled, except of course those hiding
   FrogsICE from detection and SoftICE driver names), which could be useful in case
   of a crash during a debugging session. You can activate it again at any time
   (and it will restore your previous settings) from SoftICE, but if you forget
   to do so, FPLoader will warn you about that.
   As the scanning option is performed by the loader, it will remain unchanged.
   Note also that the 'log to file' feature will be disabled as well, of course.
   If you need to set breakpoints on execution (BPX), then use this feature
   to temporarily restore int 03 back to SoftICE.

-OTHERS:

 From v0.99, FrogsICE includes a lot of new features which are 'transparent'
 for the user. You do not have to worry or know about them (that's not secret
 but I don't want to spend 10 hours to write them down!) but they have been
 added to reinforce detection routines, better hide SoftICE and FrogsICE...

_______________________________________________________________________________

=======================
4) TIPS/INFOS/WARNINGS:
=======================

- This version of FrogsICE is for win32 apps ONLY. If you need to check
  anti-debugger tricks from a DOS (exe or com) file, use FrogsICE v0.43,
  available at frogsprint.cjb.net.

- DO NOT enable or disable BPINT's while FrogsICE is running !!! BPINT's modify
  IDT interrupt vectors and could crash your computer. Instead, enable or disable
  them BEFORE or AFTER using FrogsICE.

- When FrogsICE hooks anti-SoftICE code, it will add the '>' sign on the left side
  of any register used for the detection. (Ex: >eax=00000004h )

- It is sometimes better to disable FrogsICE's BSOD as it may cause some problems
  but don't forget that this is the best way to stop your system and to give
  you enough time to think twice before acting!

- If you are using other tools to hide/patch/embellish SoftICE (Icedump, TRW...),
  FrogsICE should not interfere with them, but the scanning process may give you
  some warnings (simply ignore them and everything should work fine -hopefully ;-).
  However, you should consider launching such tools BEFORE or AFTER running
  FrogsICE but NEVER when FrogsICE is already running.

- From version 0.99, ASM source code is no longer included with FrogsICE.
  Lately, many commercial companies have produced software trying to fool/crash
  FrogsICE, so I have no reason to distribute the source to make protectionists'
  lives easier.
  If you're one of them and want to know how FrogsICE works, just do like I do with
  your softs: disasm and debug it :-(
  
________________________________________________________________________________


======
5) FAQ
======

   a) - "Each time I try to run FrogsICE, it crashes Windows!!"
   
      => you're wrong, FrogsICE doesn't crash window$, but window$ crashes FrogsICE :-p

   

   b) - "Will you ever release FrogsICE for Win2000 ??"

      => Sorry, don't know what "Win2000" is...


______________________________________________________________________________________________ 

+Frog's Print August 2000

http://frogsprint.cjb.net

Bug reports: bugs@frogsice.cjb.net