View Full Version : Armadillo Anti-SICE


HaRdLoCk
May 17th, 2004, 04:29
whenever i tried to debug an armadillo protected app it told me "for security purposes this program will not run while system debuggers are active" - it detected my softice, even if it was not loaded. having installed and enabled iceext does not help either, so it must check somehow for the installation of softice. after playing with the driver, registry and folders i figured out how it does detect softice and how to fix that. since i never found any article on that one, i'd like to share this here ;-)

armadillo checks for service ntice (no matter if running or not). the check is made using OpenSCManagerA and OpenServiceA. the call to OpenServiceA must return 0 and the extended error information MUST return ERROR_SERVICE_DOES_NOT_EXIST, else the annoying message pops up. quite evil imo, because i cannot run any armadillo protected app on a machine with installed softice ;-/

here's the code snippet:

call dword ptr [ebp-14h]      ; OpenServiceA(hSCManager, "NTice", access)
test eax, eax
jz CannotOpenService          ; NULL handle: the service could not be opened
push eax
mov byte ptr [ebp-1], 1       ; flag = 1: service exists, debugger installed
call dword ptr [ebp-10h]      ; second import, called with the handle (not named in the post)
jmp short loc_2B

CannotOpenService:
mov esi, ds:0E460D4h          ; import pointer for GetLastError
call esi                      ; GetLastError
cmp eax, 424h                 ; ERROR_SERVICE_DOES_NOT_EXIST (1060)?
jz GoodBoy                    ; only this error counts as "no softice installed"

you can simply add advapi32.dll to your exports in softice and then bpx OpenServiceA. type d esp and change NTIce to something else in the data window.
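The service probe described in the post above, reproduced as an added example (this is not code from the thread or from Armadillo): the same OpenSCManagerA / OpenServiceA / GetLastError sequence, called through P/Invoke from PowerShell so that the Win32 error the check keys on (0x424, ERROR_SERVICE_DOES_NOT_EXIST) can be observed directly. It needs Windows. The function name Test-ServiceInstalled and the access-right constants are my choices; "NTice" is the service name the post gives and is only the default argument.

```powershell
# Added example, not code from the thread: the OpenSCManagerA/OpenServiceA probe
# described in the post, via P/Invoke, so the exact Win32 error code the check
# relies on can be seen. Windows only.
Add-Type -Namespace Win32 -Name Scm -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr OpenSCManagerA(string machineName, string databaseName, uint desiredAccess);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr OpenServiceA(IntPtr hSCManager, string serviceName, uint desiredAccess);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr hSCObject);
'@

function Test-ServiceInstalled {
    # 'NTice' is the service name the post says Armadillo looks for.
    param([string]$Name = 'NTice')

    $SC_MANAGER_CONNECT           = 0x0001
    $SERVICE_QUERY_STATUS         = 0x0004
    $ERROR_ACCESS_DENIED          = 5
    $ERROR_SERVICE_DOES_NOT_EXIST = 0x424   # 1060, the value compared in the disassembly

    $hScm = [Win32.Scm]::OpenSCManagerA($null, $null, $SC_MANAGER_CONNECT)
    if ($hScm -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenSCManagerA failed with Win32 error $err"
    }
    try {
        $hSvc = [Win32.Scm]::OpenServiceA($hScm, $Name, $SERVICE_QUERY_STATUS)
        if ($hSvc -ne [IntPtr]::Zero) {
            # A handle came back: the service is registered, running or not.
            [void][Win32.Scm]::CloseServiceHandle($hSvc)
            return [pscustomobject]@{ Name = $Name; Verdict = 'Present'; LastError = 0 }
        }
        # Read the error immediately, before any other call can overwrite it
        # (this mirrors the GetLastError call right after the jz in the post).
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_SERVICE_DOES_NOT_EXIST) {
            $verdict = 'Absent'                     # the only conclusive "not installed"
        }
        elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $verdict = 'Unknown (access denied)'    # inconclusive, but Armadillo treats it as "installed"
        }
        else {
            $verdict = "Unknown (error $err)"
        }
        return [pscustomobject]@{ Name = $Name; Verdict = $verdict; LastError = $err }
    }
    finally {
        [void][Win32.Scm]::CloseServiceHandle($hScm)
    }
}

Test-ServiceInstalled                                   # probes 'NTice'
Test-ServiceInstalled -Name 'constructed-nonexistent'   # constructed name: expect LastError 1060
```

The three-way verdict is the point of the example: the disassembly accepts only 0x424 as "clean" and treats every other failure (an access-denied from a restricted SCM connection, for instance) the same as a successfully opened handle, so a probe like this shows which of the two a given machine actually produces.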

evaluator
May 17th, 2004, 15:23
can't you look, what service Name it tries to open??

doug
May 17th, 2004, 18:25
Have a look at:

Rename NTice service. SuperHidden! :P : http://www.woodmann.net/forum/showthread.php?t=4636

about dillodumper (but has details on this particular anti-debug trick):
http://www.woodmann.net/forum/showthread.php?t=4697

basically a search for "softice detection", "hiding softice" brings all the big threads on anti-softice tricks on this board.

JMI
May 17th, 2004, 19:26
Oh My God.

You don't mean that the search button ACTUALLY WORKS??? Who'd a thunk it. What will they come up with next? Searching on the net?? Nah. Way too hard.

Although to be completely fair to HaRdLoCk I believe he was telling us he actually found a solution.

Regards,

nikolatesla20
May 17th, 2004, 22:05
I've found that new Armadillo still has another trick up its sleeve, I haven't found it yet. I have a fully patched and hidden SoftICE, even more so than documented on this board, and it still detects it. However, in VMWare it does not detect it. So it's definitely a hardware based detection scheme. Just haven't found it yet.

It doesn't matter much anyway, since you don't need SoftICE to do Armadillo work. A regular ring 3 debugger will do just fine.

-nt20

evaluator
May 18th, 2004, 01:36
maybe you are about that new trick with RF? i wrote about it in newbies forum.

JMI
May 18th, 2004, 03:41
Loosely translated:

Review this thread:

http://www.woodmann.com/forum/showthread.php?t=5514

see if that's the check.

Regards,

evaluator
May 18th, 2004, 04:43
>>You don't mean that the search button ACTUALLY WORKS???
(

JMI
May 18th, 2004, 05:17
Great quote Eval. Yep. It ACTUALLY DOES.

"Evaluator" in user name, search in forum(s) set to "newbie forum" and "rf*" for key word(s) and there it was. Who'd a thunk it could be so easy.

Regards,

HaRdLoCk
May 18th, 2004, 06:43
ah damn i used that frickin search button but probably with wrong words ;-P

i'd be anyway interested in detailed instructions how to patch softice against that one. i tried to do so, but ended up in a non working version of course

nikolatesla20
May 18th, 2004, 09:09
Quote:
[Originally Posted by evaluator]maybe you are about that new trick with RF? i wrote about it in newbies forum.

Thanx for the info evaluator. I never saw that thread about it in the newbie forum. I knew already about it detecting iceext, but I couldn't find the hardware detection (I searched the web for every type of detection I could think of). I did know it was hardware though since SI in VMWare would let Arma run.

Dangit SoftICE stay away from modding my hardware regs ! lol.

By the way HardLock, did you remember to correct the checksum of the .sys files after you modded them? If you don't do this windows won't load it.

-nt20

evaluator
May 18th, 2004, 09:15
so you are about another detection?

Timbo
May 18th, 2004, 10:14
Quote:
[Originally Posted by evaluator]so you are about another detection?

Well there are many many others
Unload Stens tool
voilà
A funny one : Divx Player

nikolatesla20
May 18th, 2004, 11:02
Quote:
[Originally Posted by Timbo]Well there are many many others
Unload Stens tool
voilà
A funny one : Divx Player

A feature of new cracking tools that should be included - randomized strings on windows, class names, service names, etc.

It doesn't have to be random, it could just include another small program that would allow the user (i.e., reverse engineer) to enter his own strings and then reboot, without using hex editor. A pre-made customizing program.

Alas, this over time becomes much work and for what? Knowledge...

-nt20

Timbo
May 18th, 2004, 11:38
This tool would eat up these files for sure
bootcfg.sys, cpthook.sys, ntice.sys, siwvid.sys
would replace unneeded commands like dial or serial
with more useful ones sumperbpm & dr7 reset
and so on