SoftICE: CreateFile(\\.\NTICE) doesn't work with latest ver?


onebitshort
November 28th, 2006, 00:00
SoftICE v4.3.2 ... I just tried the good old simple CreateFileA method (\\.\NTICE and a few others) which worked fine on older builds but it's no longer working, anyone know why? I didn't have any luck with Google apart from one guy who asked the same question but didn't get any response except for "it should work". I know there are other ways to detect SI but I'd like to know why this no longer works (or what the new device name is).

And by the way, yes I do have \system32\drivers\ntice.sys, and the "ntice" service is running, which makes it even stranger that I can't call CreateFile on it. (And yes, I am logged in as Admin.)

Kayaker
November 28th, 2006, 02:32
Yeah, Softice provides its own MeltIce protection. Pretty cool huh?

If you look at the SymbolicLink name of NTICE using WinObj (or Four-F's extended version, WinObjEx) under the GLOBAL?? heading, you'll see the name is now \Device\NTicexxxx, where the xxxx is a 4 character combination which is based on the serial number.

You can check out the routines in Softice. Like many other drivers, NTICE creates a Symbolic Link name during DriverEntry with IoCreateSymbolicLink, and deletes it during DriverUnload (not normally called) with IoDeleteSymbolicLink. The INIT (DriverEntry) section is mostly paged out after Softice starts but you can still check out what's happening by looking at the DriverUnload function. If interested..

The DriverUnload function just happens to be immediately after the IRP_MJ_SHUTDOWN routine.
You can find the IRP_MJ_SHUTDOWN routine by typing
DRIVER NTICE
and disassembling the address shown for IRP_MJ_SHUTDOWN. A few screens down look for the IoDeleteSymbolicLink function, you should see your serial number displayed as one of the earlier parameters.

Code:

.text:000115C0 DriverUnload proc near ; CODE XREF: start+6F7p
.text:000115C0 ; start:loc_1C57B5p
.text:000115C0
.text:000115C0 SymbolicLinkName= dword ptr -8
...
.text:00011736
.text:00011736 loc_11736: ; CODE XREF: DriverUnload+170
.text:00011736 push offset SerialNumber
.text:0001173B push offset aDosdevicesNtic ; "\\DosDevices\\NTice"
.text:00011740 mov esi, offset SymbolicNameBuffer
.text:00011745 push esi
.text:00011746 call InitializeSymbolicNameBuffer
.text:0001174B push esi ; SourceString
.text:0001174C lea eax, [ebp+SymbolicLinkName]
.text:0001174F push eax ; DestinationString
.text:00011750 call ds:RtlInitUnicodeString_0
.text:00011756 lea eax, [ebp+SymbolicLinkName]
.text:00011759 push eax ; SymbolicLinkName
.text:0001175A call ds:IoDeleteSymbolicLink
.text:00011760 push DeviceObject ; DeviceObject
.text:00011766 call ds:IoDeleteDevice
...
.text:00011779 leave
.text:0001177A retn 4
.text:0001177A DriverUnload endp


The comparable IoCreateSymbolicLink is in DriverEntry:

Code:

INIT:001C4A29 push ebp
INIT:001C4A2A mov DeviceObject, eax
INIT:001C4A2F push offset aDosdevicesNt_0 ; "\\DosDevices\\NTice"
INIT:001C4A34 mov ebx, offset SymbolicNameBuffer
INIT:001C4A39 push ebx
INIT:001C4A3A mov dword ptr [esi+38h], offset IRP_MJ_CREATE_CLOSE
INIT:001C4A41 mov dword ptr [esi+40h], offset IRP_MJ_CREATE_CLOSE
INIT:001C4A48 mov dword ptr [esi+78h], offset IRP_MJ_SHUTDOWN
INIT:001C4A4F mov dword ptr [esi+70h], offset IRP_MJ_DEVICE_CONTROL
INIT:001C4A56 mov dword ptr [esi+74h], offset IRP_MJ_INTERNAL_DEVICE_CONTROL
INIT:001C4A5D call InitializeSymbolicNameBuffer
INIT:001C4A62 push ebx ; SourceString
INIT:001C4A63 lea eax, [esp+5A4h+SymbolicLinkName]
INIT:001C4A67 push eax ; DestinationString
INIT:001C4A68 call ds:RtlInitUnicodeString_0
INIT:001C4A6E lea eax, [esp+5A0h+DeviceName]
INIT:001C4A72 push eax ; DeviceName
INIT:001C4A73 lea eax, [esp+5A4h+SymbolicLinkName]
INIT:001C4A77 push eax ; SymbolicLinkName
INIT:001C4A78 call ds:IoCreateSymbolicLink


You can see what it does is to take the basic Symbolic Link string "\\DosDevices\\NTice" and concatenate it with some algorithm based on the serial number.

In terms of the MeltIce detection, the following obviously won't work any longer:

Code:

#include <windows.h>

// Classic MeltICE check: the open only succeeds if a device named NTICE exists.
// CreateFileA is used explicitly so the narrow string literal compiles under UNICODE builds too.
BOOL SoftIceDetected(void)
{
    HANDLE hFile = CreateFileA( "\\\\.\\NTICE",
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if(hFile!=INVALID_HANDLE_VALUE)
    {
        // Softice Detected
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


One apparent solution then is to parse the names of all Symbolic Link objects and check for one which begins with "NTICE".

Kayaker
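The symbolic-link scan Kayaker suggests, as an added example that is not part of the thread: it walks the \GLOBAL?? object directory (the same listing WinObj shows) through ntdll's NtOpenDirectoryObject / NtQueryDirectoryObject and reports every entry whose name begins with NTICE, whatever the four-character suffix turns out to be. The prefix test is plain C and sits outside the #ifdef so it can be compiled anywhere; the directory walk itself is Win32-only. The OBJDIR_ENTRY layout and the OBJDIR_QUERY access right are written out here because winternl.h does not declare them.

```c
/* Added example (not from the thread): list NTICE* entries in \GLOBAL??.
 * Build on Windows with: cl ntice_scan.c  (or gcc/mingw). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Case-insensitive test that a counted UTF-16 name (object-manager names are
 * not NUL-terminated) begins with "NTICE". Returns 1 on match, else 0. */
int ntice_prefix_match(const wchar_t *name, size_t nchars)
{
    static const wchar_t prefix[] = L"NTICE";
    size_t i;
    if (nchars < 5) return 0;
    for (i = 0; i < 5; i++) {
        wchar_t c = name[i];
        if (c >= L'a' && c <= L'z') c = (wchar_t)(c - (L'a' - L'A'));
        if (c != prefix[i]) return 0;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

#define OBJDIR_QUERY 0x0001   /* DIRECTORY_QUERY access right */

/* Entry layout returned by NtQueryDirectoryObject (not in winternl.h). */
typedef struct { UNICODE_STRING Name; UNICODE_STRING TypeName; } OBJDIR_ENTRY;

typedef NTSTATUS (NTAPI *NtOpenDirectoryObject_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtQueryDirectoryObject_t)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG);

/* Walk \GLOBAL??; return the number of NTICE* entries (-1 on error) and copy
 * the first matching name, NUL-terminated, into `first`. */
int scan_global_for_ntice(wchar_t *first, size_t firstcch)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtOpenDirectoryObject_t pOpen = (NtOpenDirectoryObject_t)GetProcAddress(ntdll, "NtOpenDirectoryObject");
    NtQueryDirectoryObject_t pQuery = (NtQueryDirectoryObject_t)GetProcAddress(ntdll, "NtQueryDirectoryObject");
    static wchar_t dirname[] = L"\\GLOBAL??";
    UNICODE_STRING us;
    OBJECT_ATTRIBUTES oa;
    HANDLE hDir;
    BYTE buf[8192];
    ULONG ctx = 0, ret = 0;
    BOOLEAN restart = TRUE;
    int found = 0;

    if (!pOpen || !pQuery) return -1;
    us.Buffer = dirname;
    us.Length = (USHORT)(wcslen(dirname) * sizeof(wchar_t));
    us.MaximumLength = (USHORT)(us.Length + sizeof(wchar_t));
    InitializeObjectAttributes(&oa, &us, OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (pOpen(&hDir, OBJDIR_QUERY, &oa) < 0) return -1;

    /* Each call fills buf with as many entries as fit; the batch ends with an
     * entry whose Name.Length is 0. A negative status (STATUS_NO_MORE_ENTRIES
     * once everything has been returned) ends the walk. */
    for (;;) {
        NTSTATUS st = pQuery(hDir, buf, sizeof buf, FALSE, restart, &ctx, &ret);
        OBJDIR_ENTRY *e = (OBJDIR_ENTRY *)buf;
        restart = FALSE;
        if (st < 0) break;
        for (; e->Name.Length != 0; e++) {
            size_t n = e->Name.Length / sizeof(wchar_t);
            if (!ntice_prefix_match(e->Name.Buffer, n)) continue;
            if (found == 0 && first && firstcch > n) {
                memcpy(first, e->Name.Buffer, e->Name.Length);
                first[n] = 0;
            }
            found++;
        }
    }
    CloseHandle(hDir);
    return found;
}
#endif

int main(void)
{
#ifdef _WIN32
    wchar_t name[64];
    int n = scan_global_for_ntice(name, 64);
    if (n > 0) printf("SoftICE symbolic link present: %ls (%d match%s)\n", name, n, n == 1 ? "" : "es");
    else if (n == 0) printf("no NTICE* symbolic link in \\GLOBAL??\n");
    else printf("could not enumerate \\GLOBAL??\n");
#else
    printf("prefix test only: %d\n", ntice_prefix_match(L"NTice6DB4", 9));
#endif
    return 0;
}
```

The scan needs no knowledge of the serial, which is its advantage over the fixed-name CreateFile check; its weakness, as Kayaker notes in the later post, is that anything hooking NtQueryDirectoryObject (IceExt does) can filter the entry out before you see it.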

onebitshort
November 28th, 2006, 22:12
Awesome reply, thanks!

Strange - I was looking through WinObjEx\Global\ yesterday, SoftICE was definitely running, but I couldn't see any NTIce-anythings. Likewise I couldn't see any in Services, or Drivers, even though it was definitely running. The only thing I could get CreateFile to work on was SIWVIDSTART, which is a bit useless.

But today I can see them all? lol

So I can now see NtIce in Services, I can see NtIceXXXX as a Symbolic Link in WinObj\Global?, and I can see \SystemRoot\System32\Drivers\NTice.SYS when I call EnumDeviceDrivers

Do FrogsICE or MeltICE or any of those protections change the name of either the ntice.sys file or the NTIce service?

Kayaker
November 28th, 2006, 23:22
IceExt does a couple of runtime modifications of the NTICE service name via SSDT hooking to protect against using NtCreateFile, NtQuerySystemInformation and NtQueryDirectoryObject to detect the service. This isn't absolute protection against other methods of detecting the service however such as direct registry access or using PsSetLoadImageNotifyRoutine (a la Daemon Tools/SPTD) or even DKOM access ("Direct Kernel Object Manipulation" as the buzzword is coined).

A more reliable method would be to change the service name yourself manually, though this doesn't mean Softice couldn't be detected in other ways. You can do this by editing the registry and a few Softice files. I have a VMWare image where the NTICE service has been renamed to NOICE (the file is now noice.sys). Change all pertinent entries in the registry and search for unicode string refs to "NTICE" in the files ntice.sys, siwvid.sys and bootcfg.sys (I think those are all that is required) and change the name there as well, updating the PE checksum afterwards. The unicode string refs are the ones which refer to CurrentControlSet\Services\NTICE. You could do the same with the other Softice services SIWVID and SIWSYM as well.
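The file-patching half of the rename Kayaker describes, as an added example that is not from the thread: it rewrites every UTF-16LE occurrence of "Services\NTICE" in a driver image to "Services\NOICE" (same length, so no offsets move) and then recomputes the PE header checksum with the documented algorithm. It assumes the string references in ntice.sys, siwvid.sys and bootcfg.sys are stored as UTF-16LE in exactly that spelling and case (the thread says "unicode string refs" but shows none), and it leaves the registry edits and the noice.sys file rename to be done by hand. The sample image built by build_sample_image is constructed for offline testing and is not a real PE file.

```c
/* Added example (not from the thread): patch "Services\NTICE" -> "Services\NOICE"
 * in a PE image and fix its checksum.  Usage: patchname ntice.sys noice.sys */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + "PE\0\0" + 20-byte
 * file header + 0x40. Returns -1 if the buffer does not look like a PE file. */
long find_checksum_offset(const uint8_t *d, size_t len)
{
    uint32_t pe;
    if (len < 0x40 || d[0] != 'M' || d[1] != 'Z') return -1;
    pe = rd32(d + 0x3C);
    if (pe % 4 || (size_t)pe + 24 + 0x44 > len || memcmp(d + pe, "PE\0\0", 4)) return -1;
    return (long)(pe + 24 + 0x40);
}

/* Documented PE checksum: 32-bit words summed with end-around carry, the
 * CheckSum field itself skipped, folded to 16 bits, plus the file length. */
uint32_t pe_checksum(const uint8_t *d, size_t len, size_t cs_off)
{
    uint64_t sum = 0;
    size_t i, j;
    for (i = 0; i < len; i += 4) {
        uint32_t w = 0;
        if (i == cs_off) continue;
        for (j = 0; j < 4 && i + j < len; j++) w |= (uint32_t)d[i + j] << (8 * j);
        sum += w;
        if (sum >> 32) sum = (sum & 0xFFFFFFFFu) + (sum >> 32);
    }
    sum = (sum & 0xFFFF) + (sum >> 16);
    sum += sum >> 16;
    return (uint32_t)((sum & 0xFFFF) + len);
}

/* Replace every UTF-16LE occurrence of ASCII `from` with `to` (equal length).
 * Returns the number of replacements, or -1 if the lengths differ. */
int patch_utf16(uint8_t *d, size_t len, const char *from, const char *to)
{
    size_t n = strlen(from), i, j;
    int count = 0;
    if (strlen(to) != n || n == 0) return -1;
    for (i = 0; i + 2 * n <= len; i++) {
        for (j = 0; j < n; j++)
            if (d[i + 2 * j] != (uint8_t)from[j] || d[i + 2 * j + 1] != 0) break;
        if (j < n) continue;
        for (j = 0; j < n; j++) d[i + 2 * j] = (uint8_t)to[j];
        count++;
        i += 2 * n - 1;
    }
    return count;
}

/* Recompute and store the checksum; returns the new value, 0 on a bad image. */
uint32_t fix_checksum(uint8_t *d, size_t len)
{
    long off = find_checksum_offset(d, len);
    uint32_t cs;
    if (off < 0) return 0;
    cs = pe_checksum(d, len, (size_t)off);
    wr32(d + off, cs);
    return cs;
}

/* Constructed 192-byte stand-in for a driver (not a real PE): MZ header,
 * e_lfanew = 0x40, "PE\0\0", a bogus CheckSum, and one UTF-16LE
 * "Services\NTICE" at 0xA0. Exists only so the functions run offline. */
size_t build_sample_image(uint8_t *buf)
{
    static const char s[] = "Services\\NTICE";
    size_t i;
    memset(buf, 0, 0xC0);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr32(buf + 0x98, 0xDEADBEEF);
    for (i = 0; s[i]; i++) buf[0xA0 + 2 * i] = (uint8_t)s[i];
    return 0xC0;
}

int main(int argc, char **argv)
{
    FILE *f; uint8_t *d; long len; int n;
    if (argc != 3) { fprintf(stderr, "usage: %s in.sys out.sys\n", argv[0]); return 2; }
    if (!(f = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); len = ftell(f); rewind(f);
    d = malloc((size_t)len);
    if (!d || fread(d, 1, (size_t)len, f) != (size_t)len) { fclose(f); return 1; }
    fclose(f);
    n = patch_utf16(d, (size_t)len, "Services\\NTICE", "Services\\NOICE");
    printf("%d string(s) patched, new checksum 0x%08X\n", n, fix_checksum(d, (size_t)len));
    if (!(f = fopen(argv[2], "wb"))) { perror(argv[2]); return 1; }
    fwrite(d, 1, (size_t)len, f); fclose(f); free(d);
    return 0;
}
```

Matching on "Services\NTICE" rather than a bare "NTICE" keeps the patch away from the driver's own "\DosDevices\NTice" and "\Device\NTice" strings, which are the object names and not the service name. Run it on each of the three files Kayaker lists, rename the outputs, and do the HKLM\SYSTEM\CurrentControlSet\Services edits by hand.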

onebitshort
November 29th, 2006, 01:28
Ooh ... I just tried a brute-force approach - CreateFile "NTICE0000" to "NTICE9999". It successfully found mine, plus it only takes a couple of milliseconds to test all 10000 combinations.

The only two things I'm not sure about ...
1 - is the number in decimal or hex? (not that testing 0000 to FFFF would be much slower)
2 - is it always going to be four digits like 0000 if it's < 1000 ?

Kayaker
November 29th, 2006, 01:59
Well, I checked on 2 installations, XP and 2K; they were both 4 characters, but in one case it included a letter. To truly answer your question though, forgive me for saying, but that's what reversing is all about. I gave the clue that that particular answer would be found in the algo within what I called InitializeSymbolicNameBuffer.

If you check it out you'll see it contains no ring0 specific code and is a small enough string manipulation routine that could be easily "ripped". An ideal subject for what IDA can help with (save as asm file). I don't really know the answer to your question but it seems that the code could easily be duplicated in a test app and you could step through it to determine exactly what it does. If you do, please let us know, it would be interesting.

Cheers,
Kayaker

evlncrn8
November 29th, 2006, 02:23
trick is used on starforce ages ago...
softice records the serial in the registry under 'Serial'
take the last 4 chars, append those to \\.\ntice
voila...

onebitshort
November 29th, 2006, 02:24
Kayaker,
Quote:
Well, I checked on 2 installations, XP and 2K, they were both 4 characters but in one case it included a letter.

Was the letter in the hex A-F range ?

Quote:
trick is used on starforce ages ago...
softice records the serial in the registry under 'Serial'
take the last 4 chars, append those to \\.\ntice
voila...

Hmmm not quite ... but the 4-byte serial does exist in the main serial, sort of ...
Assume that my HKEY_LOCAL_MACHINE\SOFTWARE\NuMega\DriverStudio\ Serial = 1234ABCD5678
The 4-byte serial that my ntice driver is running as is 6DB4, which you can see in reverse, separated by one byte per char, which I highlighted in bold

Is that the same with yours?

onebitshort
November 29th, 2006, 02:36
It looks like our usermode friend nmtrans.dll also uses that code.
Code:
1001FBF5 |. 51 push ecx ; /pBufSize
1001FBF6 |. 68 343E2510 push nmtrans.10253E34 ; |Buffer = nmtrans.10253E34
1001FBFB |. 50 push eax ; |pValueType
1001FBFC |. 50 push eax ; |Reserved
1001FBFD |. 68 E4860710 push nmtrans.100786E4 ; |ValueName = "Serial"
1001FC02 |. 52 push edx ; |hKey
1001FC03 |. FF15 00C00610 call near dword ptr ds:[<&ADVAPI32.RegQueryValueExA>] ; \RegQueryValueExA
1001FC09 |. 85C0 test eax, eax
1001FC0B |. 75 0A jnz short nmtrans.1001FC17
1001FC0D |. C705 303E2510 01000000 mov dword ptr ds:[10253E30], 1
1001FC17 |> 8B4424 04 mov eax, dword ptr ss:[esp+4]
1001FC1B |. 50 push eax ; /hKey
1001FC1C |. FF15 04C00610 call near dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
1001FC22 |> 68 343E2510 push nmtrans.10253E34
1001FC27 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1001FC2B |. 68 D8860710 push nmtrans.100786D8 ; ASCII "\\.\NTICE"
1001FC30 |. 51 push ecx
1001FC31 |. E8 3A000000 call nmtrans.1001FC70

...
...

1001FC70 /$ 81EC 04020000 sub esp, 204
1001FC76 |. 8A15 FC010810 mov dl, byte ptr ds:[100801FC]
1001FC7C |. 53 push ebx
1001FC7D |. 55 push ebp
1001FC7E |. 56 push esi
1001FC7F |. 57 push edi
1001FC80 |. B9 3F000000 mov ecx, 3F
1001FC85 |. 33C0 xor eax, eax
1001FC87 |. 8D7C24 15 lea edi, dword ptr ss:[esp+15]
1001FC8B |. 885424 14 mov byte ptr ss:[esp+14], dl
1001FC8F |. 889424 14010000 mov byte ptr ss:[esp+114], dl
1001FC96 |. F3:AB rep stos dword ptr es:[edi]
1001FC98 |. 66:AB stos word ptr es:[edi]
1001FC9A |. AA stos byte ptr es:[edi]
1001FC9B |. B9 3F000000 mov ecx, 3F
1001FCA0 |. 33C0 xor eax, eax
1001FCA2 |. 8DBC24 15010000 lea edi, dword ptr ss:[esp+115]
1001FCA9 |. 8BAC24 18020000 mov ebp, dword ptr ss:[esp+218]
1001FCB0 |. F3:AB rep stos dword ptr es:[edi]
1001FCB2 |. 66:AB stos word ptr es:[edi]
1001FCB4 |. AA stos byte ptr es:[edi]
1001FCB5 |. B9 40000000 mov ecx, 40
1001FCBA |. 33C0 xor eax, eax
1001FCBC |. 8BFD mov edi, ebp
1001FCBE |. 8B9424 1C020000 mov edx, dword ptr ss:[esp+21C]
1001FCC5 |. F3:AB rep stos dword ptr es:[edi]
1001FCC7 |. B9 40000000 mov ecx, 40
1001FCCC |. 8D7C24 14 lea edi, dword ptr ss:[esp+14]
1001FCD0 |. F3:AB rep stos dword ptr es:[edi]
1001FCD2 |. 8BFA mov edi, edx
1001FCD4 |. 83C9 FF or ecx, FFFFFFFF
1001FCD7 |. F2:AE repne scas byte ptr es:[edi]
1001FCD9 |. F7D1 not ecx
1001FCDB |. 49 dec ecx
1001FCDC |. 51 push ecx
1001FCDD |. 52 push edx
1001FCDE |. 55 push ebp
1001FCDF |. E8 9C2E0200 call nmtrans.10042B80
1001FCE4 |. 8BBC24 2C020000 mov edi, dword ptr ss:[esp+22C]
1001FCEB |. 83C9 FF or ecx, FFFFFFFF
1001FCEE |. 33C0 xor eax, eax
1001FCF0 |. 8D9424 20010000 lea edx, dword ptr ss:[esp+120]
1001FCF7 |. F2:AE repne scas byte ptr es:[edi]
1001FCF9 |. F7D1 not ecx
1001FCFB |. 2BF9 sub edi, ecx
1001FCFD |. 8BC1 mov eax, ecx
1001FCFF |. 8BF7 mov esi, edi
1001FD01 |. 8BFA mov edi, edx
1001FD03 |. C1E9 02 shr ecx, 2
1001FD06 |. F3:A5 rep movs dword ptr es:[edi], dword ptr ds:[esi]
1001FD08 |. 8BC8 mov ecx, eax
1001FD0A |. 83E1 03 and ecx, 3
1001FD0D |. F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
1001FD0F |. 8D8C24 20010000 lea ecx, dword ptr ss:[esp+120]
1001FD16 |. 51 push ecx
1001FD17 |. E8 64650400 call nmtrans.10066280
1001FD1C |. 8BD8 mov ebx, eax
1001FD1E |. 83C9 FF or ecx, FFFFFFFF
1001FD21 |. 8BFB mov edi, ebx
1001FD23 |. 33C0 xor eax, eax
1001FD25 |. 83C4 10 add esp, 10
1001FD28 |. BE 02000000 mov esi, 2
1001FD2D |. F2:AE repne scas byte ptr es:[edi]
1001FD2F |. F7D1 not ecx
1001FD31 |. 49 dec ecx
1001FD32 |. 8D7C24 14 lea edi, dword ptr ss:[esp+14]
1001FD36 |. 894C24 10 mov dword ptr ss:[esp+10], ecx
1001FD3A |> 3B7424 10 /cmp esi, dword ptr ss:[esp+10]
1001FD3E |. 7D 22 |jge short nmtrans.1001FD62
1001FD40 |. 0FBE141E |movsx edx, byte ptr ds:[esi+ebx]
1001FD44 |. 52 |push edx
1001FD45 |. E8 44500200 |call nmtrans.10044D8E
1001FD4A |. 83C4 04 |add esp, 4
1001FD4D |. 85C0 |test eax, eax
1001FD4F |. 74 09 |je short nmtrans.1001FD5A
1001FD51 |. 8A041E |mov al, byte ptr ds:[esi+ebx]
1001FD54 |. 8807 |mov byte ptr ds:[edi], al
1001FD56 |. 47 |inc edi
1001FD57 |. C607 00 |mov byte ptr ds:[edi], 0
1001FD5A |> 83C6 02 |add esi, 2
1001FD5D |. 83FE 08 |cmp esi, 8
1001FD60 |.^ 7E D8 \jle short nmtrans.1001FD3A
1001FD62 |> 8D7C24 14 lea edi, dword ptr ss:[esp+14]
1001FD66 |. 83C9 FF or ecx, FFFFFFFF
1001FD69 |. 33C0 xor eax, eax
1001FD6B |. F2:AE repne scas byte ptr es:[edi]
1001FD6D |. F7D1 not ecx
1001FD6F |. 2BF9 sub edi, ecx
1001FD71 |. 8BF7 mov esi, edi
1001FD73 |. 8BD1 mov edx, ecx
1001FD75 |. 8BFD mov edi, ebp
1001FD77 |. 83C9 FF or ecx, FFFFFFFF
1001FD7A |. F2:AE repne scas byte ptr es:[edi]
1001FD7C |. 8BCA mov ecx, edx
1001FD7E |. 4F dec edi
1001FD7F |. C1E9 02 shr ecx, 2
1001FD82 |. F3:A5 rep movs dword ptr es:[edi], dword ptr ds:[esi]
1001FD84 |. 8BCA mov ecx, edx
1001FD86 |. 83E1 03 and ecx, 3
1001FD89 |. F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
1001FD8B |. 5F pop edi
1001FD8C |. 5E pop esi
1001FD8D |. 5D pop ebp
1001FD8E |. 5B pop ebx
1001FD8F |. 81C4 04020000 add esp, 204
1001FD95 \. C3 retn


Geez ... that's a lot of work just to churn out 4 bytes
I might rip it later for further testing but for now I'll just try and invoke it normally and watch what it does with my valid serial

onebitshort
November 29th, 2006, 03:17
ok ...

Get a copy of nmtrans.dll from your SoftICE dir
Then LoadLibrary it ... then call NmSymIsSoftICELoaded(); (no params)
It'll return 0 if not loaded, or 1 if SoftICE is loaded. And that's all there is to it. Set a breakpoint just before the call and you can step through to see what it does with the serial.

NmSymIsSoftICELoaded immediately calls nmtrans.DevIO_ConnectToSoftICE, which is simply this - first the Win9x SICE check then the NTICE check with the four extra digits:
Code:

1001FB90 nm>/$ 81EC 08010000 sub esp, 108
1001FB96 |. 56 push esi
1001FB97 |. 8B35 48C00610 mov esi, dword ptr ds:[<&KERNEL32.Create>; kernel32.CreateFileA
1001FB9D |. 6A 00 push 0 ; /hTemplateFile = NULL
1001FB9F |. 68 80000000 push 80 ; |Attributes = NORMAL
1001FBA4 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
1001FBA6 |. 6A 00 push 0 ; |pSecurity = NULL
1001FBA8 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
1001FBAA |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
1001FBAF |. 68 04870710 push nmtrans.10078704 ; |FileName = "\\.\SICE"
1001FBB4 |. FFD6 call near esi ; \CreateFileA
1001FBB6 |. 83F8 FF cmp eax, -1
1001FBB9 |. 0F85 A7000000 jnz nmtrans.1001FC66
1001FBBF |. A1 303E2510 mov eax, dword ptr ds:[10253E30]
1001FBC4 |. C74424 08 000>mov dword ptr ss:[esp+8], 100
1001FBCC |. 85C0 test eax, eax
1001FBCE |. 75 52 jnz short nmtrans.1001FC22
1001FBD0 |. 8D4424 04 lea eax, dword ptr ss:[esp+4]
1001FBD4 |. 50 push eax ; /pHandle
1001FBD5 |. 6A 01 push 1 ; |Access = KEY_QUERY_VALUE
1001FBD7 |. 6A 00 push 0 ; |Reserved = 0
1001FBD9 |. 68 EC860710 push nmtrans.100786EC ; |Subkey = "Software\NuMega\SoftIce"
1001FBDE |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
1001FBE3 |. FF15 08C00610 call near dword ptr ds:[<&ADVAPI32.RegOp>; \RegOpenKeyExA
1001FBE9 |. 85C0 test eax, eax
1001FBEB |. 75 35 jnz short nmtrans.1001FC22
1001FBED |. 8B5424 04 mov edx, dword ptr ss:[esp+4]
1001FBF1 |. 8D4C24 08 lea ecx, dword ptr ss:[esp+8]
1001FBF5 |. 51 push ecx ; /pBufSize
1001FBF6 |. 68 343E2510 push nmtrans.10253E34 ; |Buffer = nmtrans.10253E34
1001FBFB |. 50 push eax ; |pValueType
1001FBFC |. 50 push eax ; |Reserved
1001FBFD |. 68 E4860710 push nmtrans.100786E4 ; |ValueName = "Serial"
1001FC02 |. 52 push edx ; |hKey
1001FC03 |. FF15 00C00610 call near dword ptr ds:[<&ADVAPI32.RegQu>; \RegQueryValueExA
1001FC09 |. 85C0 test eax, eax
1001FC0B |. 75 0A jnz short nmtrans.1001FC17
1001FC0D |. C705 303E2510>mov dword ptr ds:[10253E30], 1
1001FC17 |> 8B4424 04 mov eax, dword ptr ss:[esp+4]
1001FC1B |. 50 push eax ; /hKey
1001FC1C |. FF15 04C00610 call near dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey
1001FC22 |> 68 343E2510 push nmtrans.10253E34 ; Serial
1001FC27 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1001FC2B |. 68 D8860710 push nmtrans.100786D8 ; ASCII "\\.\NTICE"
1001FC30 |. 51 push ecx
1001FC31 |. E8 3A000000 call nmtrans.1001FC70
1001FC36 |. 83C4 0C add esp, 0C
1001FC39 |. 8D5424 0C lea edx, dword ptr ss:[esp+C]
1001FC3D |. 6A 00 push 0
1001FC3F |. 68 80000000 push 80
1001FC44 |. 6A 03 push 3
1001FC46 |. 6A 00 push 0
1001FC48 |. 6A 03 push 3
1001FC4A |. 68 00000080 push 80000000
1001FC4F |. 52 push edx
1001FC50 |. FFD6 call near esi
1001FC52 |. 8BF0 mov esi, eax
1001FC54 |. 83FE FF cmp esi, -1
1001FC57 |. 75 0B jnz short nmtrans.1001FC64
1001FC59 |. 68 010058A6 push A6580001 ; /Error = A6580001 (-1504182271.)
1001FC5E |. FF15 C8C00610 call near dword ptr ds:[<&KERNEL32.SetLa>; \SetLastError
1001FC64 |> 8BC6 mov eax, esi
1001FC66 |> 5E pop esi
1001FC67 |. 81C4 08010000 add esp, 108
1001FC6D \. C3 retn
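A C rendering of what the two nmtrans.dll listings above do, as an added example that is not from the thread and was not taken from nmtrans itself. Two calls in the 1001FC70 routine are not named in the listing, so this makes two labelled assumptions: that nmtrans.10066280 is a _strrev()-style in-place reversal and that nmtrans.10044D8E is an isalnum()-style character test. Under those assumptions the loop at 1001FD3A keeps the characters at indices 2, 4, 6 and 8 of the reversed serial, which reproduces onebitshort's 1234ABCD5678 -> 6DB4 case. The serial is read from HKLM\Software\NuMega\SoftIce\Serial, the key the listing shows (onebitshort quoted a DriverStudio key; the code uses the one in the disassembly). Everything above the #ifdef is portable; the registry read and the CreateFileA probe are Win32-only, and the brute-force fallback is onebitshort's 0000-9999 idea widened to four hex digits.

```c
/* Added example (not from the thread): rebuild "\\.\NTICE" + suffix from the
 * serial and probe it the way DevIO_ConnectToSoftICE does.
 * Build: cl ntice_probe.c advapi32.lib   (or gcc/mingw ... -ladvapi32) */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the loop at 1001FD3A: walk the reversed serial at indices 2,4,6,8
 * (esi = 2, 4, 6, 8 while esi < strlen), keeping each character that passes
 * the test. Fewer than four characters come back when the serial is short or
 * has separators at those positions. Returns the count; `out` is NUL-terminated. */
size_t ntice_suffix(const char *serial, char *out, size_t outsz)
{
    char rev[256];
    size_t n = strlen(serial), i, k = 0;
    if (n >= sizeof rev) n = sizeof rev - 1;
    for (i = 0; i < n; i++) rev[i] = serial[n - 1 - i];    /* assumed: _strrev at 10066280 */
    rev[n] = '\0';
    for (i = 2; i < n && i <= 8; i += 2)
        if (isalnum((unsigned char)rev[i]) && k + 1 < outsz) /* assumed: isalnum at 10044D8E */
            out[k++] = rev[i];
    out[k] = '\0';
    return k;
}

/* "\\.\NTICE" + suffix, the string 1001FC22..1001FC31 hands to CreateFileA. */
int build_ntice_name(const char *serial, char *out, size_t outsz)
{
    char suffix[8];
    ntice_suffix(serial, suffix, sizeof suffix);
    return snprintf(out, outsz, "\\\\.\\NTICE%s", suffix);
}

#ifdef _WIN32
#include <windows.h>
#ifdef _MSC_VER
#pragma comment(lib, "advapi32.lib")
#endif

/* Same CreateFileA call nmtrans makes; 1 if the device opened (driver present). */
int probe_device(const char *name)
{
    HANDLE h = CreateFileA(name, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}

/* HKLM\Software\NuMega\SoftIce\Serial, the value the listing reads. */
int read_serial(char *buf, DWORD cap)
{
    HKEY k;
    DWORD type = 0, size = cap - 1;
    LONG r;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\NuMega\\SoftIce", 0, KEY_QUERY_VALUE, &k) != ERROR_SUCCESS)
        return 0;
    r = RegQueryValueExA(k, "Serial", NULL, &type, (LPBYTE)buf, &size);
    RegCloseKey(k);
    if (r != ERROR_SUCCESS || type != REG_SZ) return 0;
    buf[size] = '\0';   /* the stored value may or may not include its terminator */
    return 1;
}

/* Order of checks: Win9x "\\.\SICE", then the serial-derived NT name, then
 * four hex digits 0000-FFFF (covers 0000-9999 as well, but still misses a
 * suffix containing a letter beyond F, which the reversal can produce). */
int detect_softice(char *hit, size_t hitsz)
{
    char serial[256], name[64];
    unsigned v;
    if (probe_device("\\\\.\\SICE")) { snprintf(hit, hitsz, "\\\\.\\SICE"); return 1; }
    if (read_serial(serial, sizeof serial) && build_ntice_name(serial, name, sizeof name) > 0
        && probe_device(name)) { snprintf(hit, hitsz, "%s", name); return 1; }
    for (v = 0; v <= 0xFFFF; v++) {
        snprintf(name, sizeof name, "\\\\.\\NTICE%04X", v);
        if (probe_device(name)) { snprintf(hit, hitsz, "%s", name); return 1; }
    }
    return 0;
}
#endif

int main(void)
{
    char name[64];
    /* onebitshort's worked case from the thread: 1234ABCD5678 -> \\.\NTICE6DB4 */
    build_ntice_name("1234ABCD5678", name, sizeof name);
    printf("%s\n", name);
#ifdef _WIN32
    {
        char hit[64];
        if (detect_softice(hit, sizeof hit)) printf("SoftICE detected via %s\n", hit);
        else printf("no SoftICE device found\n");
    }
#endif
    return 0;
}
```

If the two assumptions hold, this also answers onebitshort's earlier questions: the suffix is not a number in any base but whatever alphanumerics sit at those four positions of the reversed serial, and it is only four characters long when the serial is at least nine characters and none of the sampled positions hold a separator.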

onebitshort
November 29th, 2006, 03:40
Kayaker, I just noticed this paragraph http://www.woodmann.com/crackz/Tutorials/Protect.htm ("http://www.woodmann.com/crackz/Tutorials/Protect.htm")
Quote:
In SoftICE v4.3.2 this detection method no longer works as internally the SymbolicLink name of NTICE has a 4 digit number appended (this is based upon the serial number used to install SoftICE), a discussion of this is available here courtesy of SoftICE guru Kayaker.
But the link is invalid (it just points to showthread.php but doesn't specify the thread) - have you got a working link for that? Many thanks

JMI
November 29th, 2006, 03:59
Try the link without the "( )" as

http://www.woodmann.com/crackz/Tutorials/Protect.htm

and it should work. Did for me, just now.

Regards,

onebitshort
November 29th, 2006, 04:03
No, not that link, the one mentioned in the quote - "a discussion of this is available here", but that link is just to showthread.php without any thread ID.

onebitshort
November 29th, 2006, 04:08
Only 60 references for NmSymisSoftICELoaded at Google and only 23 for DevIO_ConnectToSoftICE, but one of the more interesting ones is from a book 'Crackproof Your Software' (append .pdf to find the ebook) which mentions it:
Quote:
Detecting SoftICE by Calling the NmSymIsSoftICELoaded DLL
Function from the nmtrans.dll Library


The SoftICE DLL library nmtrans.dll contains the NmSymIsSoftICELoaded function, which we can use to see whether SoftICE is active in memory. This trick can be used in all Windows versions, and it is not used very often.

To use this trick, first load the nmtrans.dll library into memory by API-calling LoadLibraryA. Next, find its address by API-calling GetProcAddress, and then call it. If the return value is other than 0 then SoftICE is active in memory.

The nmtrans.dll library uses an API call to CreateFileA for SoftICE detection, as shown in the section above titled "Detecting SoftICE by Opening Its Drivers and Calling the CreateFileA API Function (SICE, NTICE)." It is important to test breakpoints at API calls to the LoadLibraryA, GetProcAddress, CreateFileA, and possibly even to NmSymIsSoftICELoaded.

Because paths for Windows 9x and Windows NT are firmly set, this isn't an ideal tool, because SoftICE could be installed anywhere. In the "Using the Windows Registry to Find the Directory Where SoftICE Is Installed" section later in this chapter, I will show you how to use the Windows registry to determine where SoftICE has been installed.

JMI
November 29th, 2006, 04:10
The SEARCH Button can be your friend.

http://www.woodmann.com/forum/showthread.php?t=7237&highlight=SoftICE+v4.3.2

Maybe that's it. Nope, that's just about mapping the keyboard. Guess we'll have to see if Kayaker remembers in the morning.

Regards,

onebitshort
November 29th, 2006, 04:13
I have searched, both here and Google, and no, that's not it, thank you anyway ...

JMI
November 29th, 2006, 04:23
Here's a list of 205 Threads with both Softice and Kayaker. You probably could add more words to the advanced search button and narrow it down. I'm relatively sure none of Kayaker's posts have been deleted.

http://www.woodmann.com/forum/search.php?searchid=256367

Regards,

Kayaker
November 29th, 2006, 14:09
Nice work onebitshort

Urm, if the question I'm supposed to remember in the morning concerns the link in the protect.htm file.. looks like that's been fixed and it points to THIS thread, the one of which you're part of.

Damn that CrackZ fellow is good. You almost never hear from him, you wonder if he's still around, and here he is quietly updating the updates on his classic website even while the ink is still wet. That's very reassuring!


Regards,
Kayaker

onebitshort
November 29th, 2006, 22:34
Hello Crackz!

Kayaker - I just rechecked the page and it seems Crackz has since corrected the link so that it points to this thread (when i posted here asking why it was broken it was just pointing at showthread.php), so even though I'm the one left looking like an absolute goose it was his stuffup ok?