
Help patch SoftICE (nt version) please :)


drak0
April 19th, 2001, 15:58
Hi,

I am using the version of ntICE from DS2.0.1 and nothing works to hide it from evil packing programs (or anything else that wants to find it).

Well, from what I gather, it's pretty easy to hide SiwvidStart in siwvid.sys and NTICE in nmtrans.dll... all you have to do is change the values in a hex editor right??

Well, I was looking at a program called Detect.exe (part of nticeset) and it tells the various ways it can detect NTICE... well, how on earth do I patch:
1. Back Door Interface
2. Int3 on UnhandledExceptionFilter
3. Int1

are there other ones i'm missing? is there any literature on this? i was unable to find any...

Any help would be appreciated....

Thanks,
Drak0

SplAj
April 20th, 2001, 05:26
Hi

use EliCZ macro set for 405 !!!! and type in the 'hide' commands (PNTICE / PUHF / UINT 0 1 / PBCHK bla bla)
rather than patching the files - VERY dangerous after version 4.01. cos 4.05 gave all sorts of shit , that pntice.ini is a nice conundrum

Play a safe game of hide and seek }>

NB:-
I posted the macros in the newbie MB a few weeks ago BUT you must have them if you DL Pntice and Nticeset ???

+SplAj

drak0
April 20th, 2001, 10:10
Quote:
SplAj (04-20-2001 03:26):
Hi

use EliCZ macro set for 405 !!!! and type in the 'hide' commands (PNTICE / PUHF / UINT 0 1 / PBCHK bla bla)
rather than patching the files - VERY dangerous after version 4.01. cos 4.05 gave all sorts of shit , that pntice.ini is a nice conundrum

Play a safe game of hide and seek }>

NB:-
I posted the macros in the newbie MB a few weeks ago BUT you must have them if you DL Pntice and Nticeset ???

+SplAj


Hi Splaj,

See, I would have no problem using Hide.exe (pntice), but it doesn't hide SI from everything... from what i can tell... just meltice. That Detect.exe (nticeset) still detects BackDoor, etc... And i'm using the SI from DS2.0.1 so NTall doesn't work either...

Any suggestions? Should Hide.exe hide from all documented SI checks?

Thanks,
drak0

drak0
April 20th, 2001, 13:56
welp, i get what pntice does now. I've never used macros b4... oops

all of the macros seem to work... except "PUHF (Patch UnhandledExceptionFilter)"

Detect.exe still detects that for some reason... it says "NTice DETECTED via... INT3 on UnhandledExceptionFilter"

Any thoughts?

Thanks,
drak0

tony b.
April 21st, 2001, 20:52
Try this one for DS2.0.1 SoftICE (build 63):

macro puef="uint 3; eb (codeaddr+a)+@(codeaddr+6)+28abb eb"

(assuming you have EliCZ UINT macro installed)

Regards,

tony

+SplAj
April 22nd, 2001, 03:59
Thanks tony b.

............fully cloaked again

+SplAj

drak0
April 22nd, 2001, 22:46
Awesome! thanks

Quote:
tony b. (04-21-2001 10:52):
Try this one for DS2.0.1 SoftICE (build 63):

macro puef="uint 3; eb (codeaddr+a)+@(codeaddr+6)+28abb eb"

(assuming you have EliCZ UINT macro installed)

Regards,

tony