BitArts Titanium 3 softice detection.....


cjack
January 4th, 2002, 14:00
Hi All!!
Is there someone who can tell me how to bypass softice detection of new software releases from BitArts?? (like Titanium v3....)
I'm trying to bypass detection with a few classic methods but nothing to do!!! frogsice nothing..... sigh!!!
Thanks

cjack
January 4th, 2002, 16:37
hem....errata corrige!!!! The new version of Titanium is 6 and not 3...

+SplAj
January 5th, 2002, 05:59
LOL Bi-Tarts released a new 'protection' scam, call it Titty 3 or SoftLarx 6 , whichever takes yer fancy. It don't matter.

Use Icedump for Win98/ME or WinNT4/2K/XP with SI patched to avoid the lame tricks. CreateFileA \\.\SICE is rather dated and the VXD trix don't work in WinNT4/2K/XP

Also if you unencrypt say, Fusion v3 or Crunch v3 then prepare to play a 'patch' game cos they check the PE Header for IAT and OEiP pointers a LOT. That is the so-called 'Mutation' code LOL. Just set a BPR on the PE header offset+100 and see the 'decoded' sections that you have to patch

Fusion v3 is on your favorite exe site to play with and compare

Don't bother with Crunch v3 as it makes 52k notepad into whopper 110k crap duh ?


Spl/\j

cjack
January 5th, 2002, 09:28
Thanks for the suggestions splaj (it is an honor to talk to you!)
I have installed Icedump (I use DriverStudio 2.6) however Titanium v6 still intercepts softice and therefore it stops the loading (better...stays in the background TaskList).

cjack
January 5th, 2002, 22:23
Thnx SplaJ....with W98 and Icedump the BitArts tricks to detect softice are fucked!!!! Under W2000 it does not work :-(

SplaJ....only another thing.... I'm trying to locate the "jump" instruction to the decrypted code...but I cannot locate it!!! Do you know how Titanium passes control to the decrypted program???

+SplAj
January 6th, 2002, 02:29
The QUICK way is to bpx GetStartUpInfoA and GetVersion after the 10 secs wait to press 'Continue' . These two api are *usual* 1st API to get called by real exe's. Trace back to 55 EB EC........
If you try /Tracex in Icedump then I think you wait 2 hours with still no result ???

The titty/softlarx creates a new 'thread' insxxx.tmp and any BPX TerminateThread will get you from the insxxx.tmp to the exe eventually....

Also the 'time' control is in Netdet.ini (Windows dir) see [Routing.extent{CRITICAL ENTRY}]
NetDat%0000010101........
and also in the registry, eg Titaniumv3 =='titaniumv3EvalautionNoMeBitArts' also full of binary 0/1. If you DELETE BOTH TOGETHER, then the evaluation restarts.

For Win2K/XP DS2.6 I have created a new .ini for this version using EliCZ patcher, OR I can tell you how to manually hex NTICE.SYS etc to hide SI from detection......

Spl/\j

cjack
January 6th, 2002, 05:36
Thanks for the suggestions, they will be precious!!!
Hiding softice under Windows2000 interests me A LOT because I hate Win98 and I work every time on 2000...... Now I go to play with BI-TT-ARZ bugs......see you soon!!