
morpheus anti-sice tricks


ignatz
January 9th, 2002, 08:48
hi

I read a previous thread about Morpheus. I got a working dump using DeX, but that's not all I'm interested in.

First of all, I'd like to understand the anti-sice tricks used by PeX better.

I figured out the int03-SEH trick (code02) as described by +Frog's Print & +Spath.

After this test there is at least one more, which I cannot elude.
It works similarly to the int03 SEH one.

The difference is that the exception is generated by an invalid
mov al, [ebx]
generating an exception.

The exception handler will return to ExitProcess ;(

If I bypass the faulty instruction I end up with a message box:
+--[PeX ...]----------------------------------+
| unable to load library |
+----------------------------------------------+
(which seems fake to me.)

And afterwards I'm pushed into ExitProcess again. *darn*

Any help greatly appreciated.
farewell
-Ignatz

SilberFuchs
January 9th, 2002, 10:52
hi

I have found one SoftICE check, the one you described, and nothing more, and the program starts without any problem...

Just tracing a few lines from the entry point:

"
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
"

I patched it so: -SI=0000 ......

Ciao
SilberFuchs
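
The check the two posts above describe (load SI=4647h and DI=4A4Dh, then raise an exception with int 3 or an invalid mov al, [ebx] that SoftICE would swallow) leaves a recognizable byte signature in an unpacked dump. The following scanner is an added example, not code from this thread or from PeX/Morpheus: it finds the two register loads close together followed by one of the faulting instructions mentioned in the thread, so an analyst can locate the stub and its handler in a dump. The x86 encodings, the gap heuristic and the sample bytes are my assumptions, and the sample blob is constructed for the demo.

```python
"""Static signature scanner for the SoftICE 'magic value' stub (added example).

Assumptions: 32-bit x86 code, the register loads use plain immediates
(mov si, imm16 or mov esi, imm32) and the faulting instruction follows
within a few bytes. The SAMPLE bytes are constructed, not taken from Morpheus.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SOFTICE_SI = 0x4647  # 'FG', from the quoted Frog's Print text
SOFTICE_DI = 0x4A4D  # 'JM'

# Faulting instructions mentioned in the thread, in the order we look for them.
FAULT_TRIGGERS = {
    b"\xCC": "int 3",
    b"\x8A\x03": "mov al, [ebx]",
    b"\xF6\xF0": "div al",
}


@dataclass
class Finding:
    offset: int          # offset of the first register load
    trigger: str         # which faulting instruction follows the loads
    trigger_offset: int  # offset of that instruction


def _load_encodings(opcode32: int, value: int) -> List[bytes]:
    """Byte patterns loading `value` into si/esi (0xBE) or di/edi (0xBF)."""
    imm16 = struct.pack("<H", value)
    return [
        b"\x66" + bytes([opcode32]) + imm16,      # 66 BE 47 46  mov si, 4647h
        bytes([opcode32]) + imm16 + b"\x00\x00",  # BE 47 46 00 00  mov esi, 4647h
    ]


def _find_all(blob: bytes, patterns: List[bytes]) -> List[Tuple[int, int]]:
    """Every (offset, length) at which one of `patterns` occurs in `blob`."""
    hits = []
    for pat in patterns:
        start = 0
        while (i := blob.find(pat, start)) != -1:
            hits.append((i, len(pat)))
            start = i + 1
    return sorted(hits)


def scan_softice_check(blob: bytes, max_gap: int = 8) -> List[Finding]:
    """Report places where SI and DI get the magic values and a fault follows."""
    loads = sorted(
        [(off, ln, "si") for off, ln in _find_all(blob, _load_encodings(0xBE, SOFTICE_SI))]
        + [(off, ln, "di") for off, ln in _find_all(blob, _load_encodings(0xBF, SOFTICE_DI))]
    )
    findings = []
    for (off_a, len_a, reg_a), (off_b, len_b, reg_b) in zip(loads, loads[1:]):
        # Both registers must be loaded, and close together (heuristic gap).
        if reg_a == reg_b or off_b - (off_a + len_a) > max_gap:
            continue
        after = off_b + len_b
        region = blob[after:after + max_gap + 2]
        for pat, name in FAULT_TRIGGERS.items():
            k = region.find(pat)
            if k != -1:
                findings.append(Finding(off_a, name, after + k))
                break
    return findings


# Constructed sample: two stub variants plus a decoy that only loads SI.
SAMPLE = (
    b"\x55\x8B\xEC\x90" * 4        # filler (push ebp / mov ebp,esp / nop)
    + b"\x66\xBE\x47\x46"          # mov si, 4647h   (offset 16)
    + b"\x66\xBF\x4D\x4A"          # mov di, 4A4Dh
    + b"\xCC"                      # int 3           (offset 24)
    + b"\xFF\xE2"                  # jmp edx
    + b"\x90" * 8
    + b"\xBE\x47\x46\x00\x00"      # mov esi, 4647h  (offset 35)
    + b"\xBF\x4D\x4A\x00\x00"      # mov edi, 4A4Dh
    + b"\x8A\x03"                  # mov al, [ebx]   (offset 45)
    + b"\x90" * 4
    + b"\x66\xBE\x47\x46\x90\x90"  # decoy: SI only, no DI, no fault
)

if __name__ == "__main__":
    for f in scan_softice_check(SAMPLE):
        print(f"stub at 0x{f.offset:04X}: loads then {f.trigger} at 0x{f.trigger_offset:04X}")
```

Run it on a raw code section of an unpacked dump (read the bytes with `open(path, "rb").read()` and subtract the section's file offset from the reported values to get RVAs). Finding the stub this way also tells you where the SEH handler that jumps to ExitProcess is registered, which is the part of the check worth reading in the debugger.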

ignatz
January 9th, 2002, 14:02
hi

I changed the
int 03
jmp edx

to

div al   ; al = 0, this will generate an exception
nop
---
I also tried the SI = 0 trick but Morpheus won't run.

My version is 1.3.3.
Strange thing:
Morpheus also recognizes TRW2000 and refuses to run although the SoftICE detection fails.

Thanks a lot.
farewell
-Ignatz

XICO2KX
January 9th, 2002, 16:43
I don't know if this helps, but on the link below you'll find some info about 12 different anti-SoftIce tricks...
* http://217.128.240.230/cs/003.htm (CrackStore)

Snatch
January 9th, 2002, 17:13
Ya, I just unpacked the PeX and then I had Morpheus and Kazaa running with SoftICE loaded without a problem. It is simply the packer that checks for SoftICE, which is pretty cool of it if you ask me.

Snatch

ignatz
January 9th, 2002, 17:34
Actually,
it's very nice that Morpheus relies on the 100% secure PeX encryption.

farewell
-Ignatz

SilberFuchs
January 9th, 2002, 20:35
hi

I downloaded version 1.3.3 and the patch works fine.

patch:

mov si,0000
mov di,0000

Ciao
SilberFuchs

ignatz
January 10th, 2002, 12:57
Still doesn't work for me ;(

But thanks for your big help and support!

Maybe I'll figure it out some day.

farewell
-Ignatz