#1
IceExt INT3 protection
I've been looking at a couple of apps this weekend, one protected with pex 0.99 and the other with exestealth 2.7?

I am running XP SP 1 with SoftICE Driver Studio 3.01 and IceExt 0.53. I basically set bpint 3 and use LordPE's 'break n enter' function to break at a program's entry point. From here I have been single-stepping through the packer code to locate the OEP. I can get to the OEP of both protectors OK, but whilst I've been working on these two protections I noticed they are both using int3. If I single-step their int3 instruction, IceExt prints out a 'PROTECT:' message, actually 'PROTECT: Backdoor interface' for pex 0.99 and 'PROTECT: BoundChecker interface' for exestealth 2.7?

But the problem is this: as I was about to say, when I single-step their int3, IceExt prints out a 'PROTECT:' message, then floods SoftICE with more 'PROTECT:' messages and then causes a KeBugCheck with a double fault.

I tried looking at the IceExt source some time, but I am not an asm coder, I am a C/C++ coder.

@Sten Should IceExt cause a double fault when single-stepping int3, or can the protection be improved to not cause a double fault?

I had to turn int3 protection off to finish the work I was doing.

PS. IceExt is the best tool I use after SoftICE -- bedrock
#2
Just clean bpint 3, that may help you.
#3
old bug
It's an old bug in IceExt, and Sten had fixed it in an old version, but I don't know why ONLY that version.
Do NOT directly jump to the OS int 3 handler, otherwise "BPINT 3" may cause problems.
#4
Ok, thanks pLayAr.
You're right, either disabling bpint 3 or turning off int3 protection solves the problem, but it's strange that you say Sten had fixed it in an old version of IceExt. Hopefully he will be able to also fix it in newer versions. -- bedrock
#5
Yes, IceExt currently handles INT3 incorrectly.
The fix in the old version proved to be inefficient under some protections (I cannot simply jmp to the system INT3 handler).