ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 107 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ comment ÿ Yet another way to stop WinICE/SoftICE (in 9x). Hiya puppies, since SI uses software interrupts 1 to get control back after an opcode, and 3 for breakpoints. You can make SI useless by patching its code which is appearently writable(!). but erh, saddly this isn't true for nt/2k :( (at least, win2k isn't big very big friends with the SIDT instruction) Pretty easy: find int1 & int3 after you have the IDT, and then patching the code pointed by them to an iretd (0cfh) if you are friendly (no crash), or some other code (like a nop) and saying bye to SI. IMHO its better to use iretd, and replacing the original code back on the end of your code, so SI still works, and, you code is less suspicious because there are pretty much SI'ers in the world. i guess :) Well, look for your self, tasm this code, popup SI, bpint3, run & trace... Oh, and, don't forget the possiblity of BPM while defending, see my other article. many thanx to Marquis de Soiree, for being the best coder ever. (well, at least: pretty skilled ;) Lifewire/IKX , December 2000ÿ .386p .model flat _call macro api extrn api:proc; call api endm ;----------------------------------------------------------------------------; _CODE segment dword use32 public 'CODE' start: int 3 ;bpint 3 do "rip ip+1" push eax sidt [esp-2] pop eax mov cx,0cfcfh mov ebx,[eax+1*8+4] ;int1 mov bx,[eax+1*8] xchg byte ptr [ebx],cl nop ;start skipping from here mov edx,[eax+3*8+4] ;int3 mov dx,[eax+3*8] xchg byte ptr [edx],ch nop mov [edx],ch mov [ebx],cl nop ;here you have your best ;friend back bwuhaha :) push 0 _call ExitProcess _CODE ends ;----------------------------------------------------------------------------; ;----------------------------------------------------------------------------; _DATA segment dword use32 public 'DATA' fill db ? _DATA ends ;----------------------------------------------------------------------------; end start end