Name     : MeltIce (anti-sice routine)
Target   : example.exe
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.58

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

OK, first: what is MeltIce? MeltIce is an anti-SoftICE routine which will find SoftICE if the VxD is installed.

Open the file in W32Dasm and make a deadlisting. In this tut I'll teach you how to defeat MeltIce if the string is hardcoded. Maybe I'll teach you in one of my next tuts how to defeat non-hardcoded MeltIce strings...

The passages we need are easy to find because of the strings "\\.\\SICE" and "\\.\\NTICE". You should see something like this now:

:002214DF 6A13                    push 00000013
:002214E1 68000000D0              push D0000000

* Possible StringData Ref from Data Obj ->"\\.\SICE"
                                  |
:002214E6 6828734400              push 00447328

* Reference To: KERNEL32.CreateFileA, Ord:0000h
                                  |
:002214EB E806440400              Call 004458F6                     <-- Create file
:002214F0 8945FC                  mov dword ptr [ebp-04], eax
:002214F3 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF  <-- file there?
:002214F7 7410                    je 00221509                       <-- no file = jmp
:002214F9 FF75FC                  push [ebp-04]

* Reference To: KERNEL32.CloseHandle, Ord:0000h                     <-- Close file
                                  |
:002214FC E8E3430400              Call 004458E4
:00221501 B801000000              mov eax, 00000001                 <-- eax=1
:00221506 59                      pop ecx
:00221507 5D                      pop ebp
:00221508 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:002214F7(C)
:00221509 33C0                    xor eax, eax                      <-- ret eax=0
:0022150B 59                      pop ecx
:0022150C 5D                      pop ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:002214A2(C)
:0022150D C3                      ret

So the routine tries to open the SoftICE device with CreateFileA: if it gets a valid handle, it closes the handle and returns eax=1; if not, it returns eax=0.

The NTICE part is the same, and you will find the reference to it only a few lines below our part.

How to beat the bitch? Mhhm, change the je to jne and you will have no probs running SICE...

Congratulations! Now you have the knowledge to defeat MeltIce with hardcoded strings.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me at LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!
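Added example (not part of the original tutorial): a Python scanner that reports where hard-coded MeltIce device names sit in a binary image, the triage step an analyst runs to confirm the check is present before reading the deadlisting. It searches only the two device names the tutorial gives and goes one step beyond the text by also matching UTF-16LE copies, as a wide-character build would store them; the function names and the sample bytes are constructed for illustration.

```python
"""Locate hard-coded MeltIce device-name strings in a binary image."""
import re
import sys

# The two device names from the tutorial; the routine passes them to CreateFileA.
MELTICE_DEVICES = (r"\\.\SICE", r"\\.\NTICE")


def find_meltice_strings(data: bytes):
    """Return sorted (offset, encoding, device) hits for ASCII and UTF-16LE copies."""
    hits = []
    for device in MELTICE_DEVICES:
        for encoding in ("ascii", "utf-16-le"):
            # Include the terminating NUL so a longer name that merely starts
            # with the device string is not reported.
            needle = (device + "\0").encode(encoding)
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for match in pattern.finditer(data):
                hits.append((match.start(), encoding, device))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: filler bytes plus both strings, not a real program."""
    return (
        b"\x90" * 16
        + b"\\\\.\\SICE\x00"                      # ASCII copy at offset 16
        + b"\xcc" * 7
        + "\\\\.\\NTICE\0".encode("utf-16-le")    # wide copy at offset 32
        + b"\x00" * 4
    )


if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            blob = handle.read()
    else:
        blob = build_sample()
    for offset, encoding, device in find_meltice_strings(blob):
        print(f"0x{offset:08x}  {encoding:<9}  {device}")
```

The offsets reported are file offsets, not the virtual addresses W32Dasm shows in the listing.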