View Full Version : Better hiding of Softice


Pepone
January 17th, 2004, 23:11
I like W98, I don't want to use W2k or WinXP. I use SICE 4.01, but I can't hide it from the latest packers, like ASPR 1.23 RC4 or ARM 3.00 and higher. Frogice & Icedump won't help here, so I grabbed some IcePatch from the net. It changed the VXD ID & name of Winice, the Winice module name, the VXD ID & name of Siwvid, the vxd name for Siwdebug and the INT3, INT41, INT68 signature. But it still doesn't fully work with ARM 3.0. I get some message about entering some security key at app startup. I enter an incorrect one of course, and the app quits. Isn't there something more to change/hide, so I can use SICE 4.01 undetected? I searched the forum for some info and found something about a splaj tutor. But searching for spalj tut, splaj detect, winice internals essay didn't help. Any idea where to get that Splaj tut for hiding SICE? Any other tips/tut/help on how to hide it better? Or is it better to get some Driver Studio 2.7 or 3.0 and use it with IceExt for hiding? But I dunno if Driver Studio works under Win98SE.

evn
January 18th, 2004, 03:16
Quote:

Or is better to get some Driver Studio 2.7 or 3.0 and use it with IceExt for hiding


IceExt is a Windows NT plugin for SofticeNT. You won't be able to use it on Windows 98. I'm not sure if it hides itself from these packers anyway.

You *should* be able to dump and remove the softice checks (almost 100% of the time the author relies on the packer for the anti-debug protection) by following previous versions tutorials. You could try using ollydbg to get around this, but it's not the best for what you want.

Pepone
January 19th, 2004, 08:09
Evn, thanx for the reply. I'm unable to find "previous versions tutorials". Any tips?

evn
January 19th, 2004, 10:07
There are a few links in the FAQ and list at the bottom of each page, and the unpacking forum is full of tutorials. Do a search and you'll probably come up with answers, possibly even for the newer versions.

rnd
January 20th, 2004, 17:05
something else, don't be too afraid of changes. don't be so conservative

for myself i always thought that i was going to keep on using DOS forever. for 98 it took me also some time to switch to XP, but i'm glad i did it

nikolatesla20
January 20th, 2004, 17:37
How do you know your SoftIce isn't hidden?

The security key thing you talk about in Armadillo has nothing to do with detecting SoftIce. It's a key you have to enter to decrypt the program so it will run. Some protected programs use this method - i.e., they don't have a "default certificate" in Armadillo speak. If you don't know what that is, you need to download Arma and study it for yourself...

-nt20

Pepone
January 20th, 2004, 20:23
2nikolatesla20: If SICE isn't enabled, ARM runs without problems. If patched SICE is loaded, ARM gives me that sec.key message. So it must detect SICE some way, or maybe it's NOT SICE exactly, but some check which doesn't pass and so it asks for some sec.key.

nikolatesla20
January 21st, 2004, 16:34
Ok, well that makes sense then

Unfortunately I don't use W98 anymore, only 2K / XP, cause it's easier to write drivers, etc, hack drivers, etc. in 2K, so I can't be of much help.

-nt20

evaluator
January 21st, 2004, 17:05
well, if you properly patched SICE, arma also looks at INT01-03 handlers in IDT. trace & catch