*********************************
* FrogsICE v1.07.3 for win95/98 *
*   by +Frog's Print & +Spath   *
*********************************

1) How to use it
2) Menu options
3) Misc features
4) Tips/infos/Warnings
5) FAQ


================
1) How to use it
================

Launch FPloader.exe and an icon will appear in the system tray.
Right- or left-click on it to get the menu options, then run
the software you suspect of containing anti-SoftICE code.
__________________________________________________________________________

===============
2) Menu options
===============

-EXIT:
 Guess!

    
-ENABLE / DISABLE:
 Loads/unloads FrogsICE


-USER DEFINED / BULLET PROOFS / DEFAULT SETTINGS
 Menu to restore FrogsICE default settings, set them to maximum security
 (all options enabled except BSOD) or to quickly check current options.

    
-OPTIONS:    

   -HOOK DRX:
    This is a powerful feature which is not active by default.
    It will detect any access (read/write) to the Debug Registers (dr0-dr7).
    Use it with care as it may crash your computer. If SoftICE is loaded,
    it is safer to disable or clear any breakpoints.
    This option is only available for i486+ CPUs, otherwise it will be grayed.
    FrogsICE WILL NOT display a BlueScreenOfDeath when detecting a DRx access.
    From version 0.99, DRx accesses are automatically logged to file (you no
    longer need to deactivate this menu to create the logfile).
    Note also that your app may not exit normally in some rare
    circumstances. If this happens, kill it (CTRL-ALT-DEL) after a while.


   -IDT MONITOR/PROTECTOR:
    If this option is enabled, FrogsICE will prevent any application from
    modifying interrupt vectors inside the IDT.


   -FORCE INT03 HOOK:
    Forces FrogsICE to hook int03h **before** SoftICE hooks it.
    This applies to PMode only.
    Before using this function, ensure that you have disabled ALL breakpoints (BPX)
    and set I3HERE to OFF, otherwise SoftICE may crash (use BPM xxxxxxxx X
    instead, for instance "BPM MessageBoxA X") or FrogsICE will hook the 0cch
    opcode used by SoftICE to set BPX and will not give control back to SoftICE
    (FrogsICE will consider the 0cch opcode as anti-debugger code!).
    When using this function (and the next one) it is better to set the SoftICE
    "FAULTS" command to "OFF" as well.
    FrogsICE will inform you in its logfile if it has found any SEH procedure
    which could be used by your app:
     ."SEH proc address at cs:xxxxxxxx" where xxxxxxxx is the address of
       the SEH requested
     ."SEH proc address at cs:????????" if no SEH was found (this does NOT
       mean that there is no SEH!).
    If a SEH is found (or if you suspect that one may exist), then use the next
    option to force the program to execute it (if there is none, the program will
    simply crash).
    
    
   -FORCE INT03H SEH:
    This option is only available when the 'Force int03h hook' menu
    is enabled, otherwise it will be grayed. It should only be used with
    32-bit apps. FrogsICE will inform you in its logfile if it has detected
    a SEH (see previous menu option).
    Some protections (like VBox, Armadillo, AZPR3.0) set up an exception
    filter and call int03h. FrogsICE will then be detected as a debugger
    (as it hooks int03) and your app will either crash (Armadillo, AZPR)
    or refuse to run (VBox) :-(
    Enable this option and FrogsICE will hook int03h and force your program
    to execute the SEH.
    Note that it doesn't matter if SoftICE is loaded or not, as it will always
    work ;-)
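    The "exception filter + int03h" check that the two options above deal with, as an
    added example (not FrogsICE code): on POSIX/x86 a SIGTRAP handler stands in for the
    Win32 SEH frame and the real 0CCh opcode is executed. It assumes it is run outside a
    debugger; the function names are made up for this illustration.

```c
/* Added example, not FrogsICE code: the "exception filter + int03h" check
 * on POSIX/x86, with a SIGTRAP handler standing in for the Win32 SEH frame.
 * Assumption: run outside a debugger (gdb/ptrace would swallow the trap). */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t handler_ran = 0;

/* Plays the role of the SEH procedure the protection registers. */
static void on_trap(int sig) { (void)sig; handler_ran = 1; }

/* Raise the trap a protection raises with int 03h: on x86 the real one-byte
 * 0CCh opcode; on other CPUs raise(SIGTRAP) stands in for it. */
static void raise_int3(void)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("int3");
#else
    raise(SIGTRAP);
#endif
}

/* Returns 1 when the trap reached the handler (nothing took it), 0 when
 * something hooked int03 and never passed the exception on.  A protection
 * reads that 0 as "debugger present", which is why 'Force int03h SEH' has
 * FrogsICE run the SEH itself so the check still ends up at 1. */
int trap_reaches_handler(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);

    handler_ran = 0;
    raise_int3();                     /* execution resumes right after 0CCh */

    sigaction(SIGTRAP, &old, NULL);   /* restore the previous disposition */
    return handler_ran ? 1 : 0;
}

int main(void)
{
    printf("int03 reached the handler: %d\n", trap_reaches_handler());
    return 0;
}
```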


   -POPUP SOFTICE:
    This option forces SoftICE to break when FrogsICE hooks anti-debugger code.
    When enabling this menu, you will need to set SoftICE to break on int01:
    => 'I1HERE ON'.
    The break will occur BEFORE FrogsICE gives control back to the app, and
    some useful info will be displayed in the SoftICE command window:
    . address cs:eip of the detection
    . address of the SEH proc for int03 hooks
    . address of the string data for MeltICE tricks...
    This option is helpful with packed/encrypted programs (VBox, ASProtect...).
    At break time, you can use your favorite dumper (IceDump...) to save
    the detection code and analyze it later ;-)
    Press F5 to let your app run, or press F12 two or three times to go back
    inside your application code where the detection is located.
    Note that if your application uses a lot of anti-debugger tricks, you can
    disable this feature simply by typing 'I1HERE OFF' at the SoftICE prompt.
    SoftICE versions prior to v4.00 may not pop up when a program tries to access
    the Debug Registers ('Hook DRx' menu enabled).
    This menu option is grayed if SoftICE is not loaded.

   -BLUE_SCREEN_OF_DEATH:
    Displays a BSOD each time FrogsICE detects anti-SoftICE code. The info shown
    gives you maximum information about the detection (type, register values,
    address of the detection inside the program...).
    This info is the same as that logged to file.
    The BlueScreenOfDeath is not available for DRx hooks.
    When the BSOD occurs you will be prompted to:
    - Press (Y)es to fool the app : FrogsICE will do its best to hide SoftICE
                                    from the detection.
    - Press (N)o to let it run    : FrogsICE will let your soft detect SoftICE.
    - Press ESCAPE to disable BSOD: Will temporarily disable the FrogsICE BSOD.
                                    This is useful if your app tries 1000 times
                                    (or more!) to detect SoftICE and you are
                                    stuck in front of a blue screen. FPLoader
                                    will detect that you have disabled the BSOD.

    When the BSOD is disabled, FrogsICE will ALWAYS try to fool the app, just
    as if you had pressed the (Y)es key.
    The FrogsICE BSOD will give you a code reference for the detection.
    For more info about this detection see 'Code.txt'.


   -HIDE SOFTICE DRIVERS:
    Hide SoftICE drivers (SICE, SIWDEBUG and SIWVID) so that they cannot be
    detected in the DDB List.
    This option is grayed (and useless!) if SoftICE is not loaded.


   -LOG TO FILE:
    Saves to file each detection hooked by FrogsICE. The log file name is
    randomly generated so that no app can detect or erase it (it is also
    protected from deletion). It will **always** be created in the root
    of your Window$ drive (ex: c:\Fihjzpan.wga).
    If the log already exists it will not be overwritten; the new text will
    be appended.
    Disable it if you simply want to run an app with anti-SoftICE code and don't
    care about (or already know) the details of the detection.
    When quitting FrogsICE, if a logfile exists it will ask you whether you want to
    keep it or delete it.


   -PROTECT SOFTICE FILES:
    Locks all files in the SoftICE directory (and subdirectories) to prevent
    any nasty application from deleting them.
    This option locks the FrogsICE logfile as well.


   -AUTO-SCAN ON STARTUP/EXIT:
    FrogsICE will perform some scanning tests when you load it and when you exit it.
    It will check memory for occurrences of some 'unwanted' data ('WINICE' strings
    etc., debugger flags) and clean up the memory if it finds any, and will check
    your IDT to see whether any suspicious modifications have been made.
    FrogsICE will inform you about what it has found.
    You should always leave this option enabled, as the memory scanning process
    is very important. Although it is useless to try to detect SoftICE by searching
    for 'WINICE.BR' in memory under Win98, the string 'WINICE.EXE' for instance is
    present most of the time and could easily be detected.
    During the IDT scan, you may sometimes receive a warning due to Winice.exe or to
    other apps you may use to hide SoftICE.
    FrogsICE will return the list of modified interrupts. If you have any BPINTs
    set, it is safer to quit FrogsICE, disable these BPINTs, then re-run FrogsICE.


-SCAN NOW...
   Lets you perform the above scanning tests at any time.

 
-RUN...:

  -PROGRAM...:
   Lets you run any program file (exe, com, pif and bat).
  
  -SOFTICE LOADER32:
   Runs Loader32.
   FrogsICE will patch nmtrans.dll in memory so that Loader32 will run
   even if the 'Hide SoftICE Drivers' option is checked. When quitting,
   FrogsICE will kill Loader32's process as well, because once patched it
   could not work without FrogsICE.


-VIEW LOG:
 This menu is enabled if FrogsICE has detected anti-SoftICE code and grayed
 otherwise. It will launch Notepad to display the logfile.

      
-DELETE LOG:
 This menu is enabled if FrogsICE has created a logfile and grayed otherwise.
 It will erase the FrogsICE logfile.


-ABOUT:
 Everything you always wanted to know about FrogsICE...

_______________________________________________________________________________


=================
3) Misc features:
=================


-SETTINGS:

Upon exit, FrogsICE saves its settings (menu options) inside
a dat file (FrogsICE.dat).



-DOT COMMANDS:

When FrogsICE is loaded, you can get some infos from within SoftICE screen by
using the "." (dot) command.
From SoftICE type ".frogsice" and you'll get the following menu:

      ========================== FrogsICE v1.00 ready =====================
      [1]=Detections hooked
      [2]=Current settings
      [3]=Anti-debugging tricks help
      [4]=Enable/Disable FrogsICE :-(
      ============ Select menu option [1]-[4] or [ECS] to quit ============


  -[1]=Detections hooked:

   This menu is useful when you are tracing an app. At any time, it can
   tell you if FrogsICE has detected some anti-SoftICE code while you were
   debugging your soft, and will even give you the kind of detection (code #xx)
   + its location inside the program (only for the last hook found).

  -[2]=Current settings:

   Informs you about the current settings, just in case you forgot to disable
   some 'dangerous' features (DRx hook, int3..) or forgot to enable others.


  -[3]=Anti-debugging tricks help

   Displays info about some anti-SoftICE/debugger code that you may need
   while tracing software:

      ================== FROG'S PRINT ANTI-SOFTICE TRICKS HELP ================
      [a]=int03h(#01-02)  [b]=int2fh(#03-04) [c]=int41h(#05-06)  [d]=int68h(#07)
      [e]=Get_DDB(#09)    [f]=dr0-7(#0A)     [g]=MeltICE(#0B-0E) [h]=VWIN32(#0C)
      [i]=RegOpenKey(#0D) [j]=IDT(#0F)

   Note that values displayed in brackets (#01-#02...) are the code references
   returned by FrogsICE (see code.txt) as usual :-)


  -[4]=Enable/Disable FrogsICE :-(

   From this menu, you can disable FrogsICE: it will stop monitoring and
   hooking your system (all hooks will be disabled, except of course those hiding
   FrogsICE from detection and hiding the SoftICE driver names), which could be
   useful in case of a crash during a debugging session. You can activate it again
   at any time (and it will restore your previous settings) from SoftICE, but if
   you forget to do so, FPLoader will warn you about it.
   As the scanning option is performed by the loader, it will remain unchanged.
   Note also that the 'log to file' feature will be disabled as well, of course.
   If you need to set breakpoints on execution (BPX), then use this feature.

-OTHERS:

 From v0.99, FrogsICE includes a lot of new features which are 'transparent'
 to the user. You do not have to worry or know about them (that's not secret,
 but I don't want to spend 10 hours writing them down!) but they have been
 added to reinforce the detection routines and better hide SoftICE and FrogsICE...
 New important features useful to the user are shown inside 'code.txt' with
 a "**NEW**" tag.

_______________________________________________________________________________

=======================
4) TIPS/INFOS/WARNINGS:
=======================

- This version of FrogsICE is for win32 apps ONLY. If you need to check
  anti-debugger tricks in a DOS (exe or com) file, use FrogsICE v0.43
  available at frogsprint.cjb.net.

- DO NOT enable or disable BPINTs while FrogsICE is running !!! BPINTs modify
  IDT interrupt vectors and could crash your computer. Instead, enable or disable
  them BEFORE or AFTER using FrogsICE.

- When FrogsICE hooks anti-SoftICE code, it will add the '>' sign on the left side
  of any register used for the detection. (Ex: >eax=00000004h )

- It is sometimes better to disable FrogsICE's BSOD as it may cause some problems
  but don't forget that this is the best way to stop your system and to give
  you enough time to think twice before acting!

- If you are using other tools to hide/patch/embellish SoftICE, FrogsICE should not
  interfere with them, but the scanning process may give you some warnings (simply
  ignore them and everything should work fine -hopefully ;-).
  However, you should consider launching such tools BEFORE or AFTER running
  FrogsICE but never when FrogsICE is already running.

- From version 0.99, ASM source code is no longer included with FrogsICE.
  Lately, many commercial companies have produced software trying to fool/crash
  FrogsICE, so I have no reason to distribute the source to make protectionists'
  lives easier.
  If you're one of them and want to know how FrogsICE works, just do as I do with
  your softs: disasm and debug it :-(
  
________________________________________________________________________________


======
5) FAQ
======

   a) - "I received a 'Cannot load FrogsICE.vxd' message?"

      => This seems to apply to a few Win95 OSR2 users only. Ensure that FrogsICE.vxd is
         in the same directory as FPLoader.exe. Otherwise, try to copy the VxD inside
         your windows\system dir.
      


   b) - "Each time I try to run FrogsICE, it crashes Windows!!"
   
      => You're wrong, FrogsICE doesn't crash window$, but window$ crashes FrogsICE :-p

   

   c) - "Will you ever release FrogsICE for Win2000 ??"

      => Sorry, don't know what "Win2000" is...


______________________________________________________________________________________________ 

+Frog's Print June 2000

http://frogsprint.cjb.net