09-29-2003, 01:39
bedrock
IceExt INT3 protection

I've been looking at a couple of apps this weekend, one protected with pex 0.99 and the other with exestealth 2.7?

I am running XP SP 1 with SoftICE Driver Studio 3.01 and IceExt 0.53.

I basically set bpint 3 and use LordPE's 'break n enter' function to break at a program's entry point. From here I have been single-stepping through the packer code to locate the OEP. I can get to the OEP of both protectors OK, but whilst I've been working on these two protections I noticed they are both using int3. If I single-step their int3 instruction, IceExt prints out a 'PROTECT:' message, actually 'ROTECT: Backdoor interface' for pex 0.99 and 'PROTECT: BoundChecker interface' for exestealth 2.7?

But the problem is this, as I was about to say: when I single-step their int3, IceExt prints out a 'PROTECT:' message, then floods SoftICE with more 'PROTECT:' messages, and then causes a KeBugCheck with a double fault.

I tried looking at the IceExt source some time ago, but I am not an asm coder, I am a C/C++ coder.

@Sten Should IceExt cause a double fault when single-stepping int3, or can the protection be improved to not cause a double fault?

I had to turn int3 protection off to finish the work I was doing.

PS. IceExt is the best tool I use after SoftICE.

--
bedrock