I will try to keep this simple.
SpyEye is protected with VMProtect, so there are two easy ways:
- Loader
Load SpyEye into Olly and run it; in theory you get this:
When you get it, just press pause and check your call stack window.
Double-click the 'Called from' line that uses the MessageBoxExA API.
Set a breakpoint on the return instruction and resume the SpyEye thread, then press the OK button of the 'can't find serial blahblah..' message box.
Step over (F8).
If you scroll down, you will see the typical VMProtect error checks:
The goal is to land on the line under the JMP; once that is done, SpyEye will load correctly.
Edit the code wherever you want to make SpyEye load.
Pwned with a 5-byte modification (lame, huh?)
Now for the Anti-Rapport, FF webinjects, etc.
Search for all referenced text strings and look for the ones that seem interesting (or, if you are a real l33th4x0rz, just trace the code until you reach the Anti-Rapport stuff).
The strings nearer the top are related to 'settings.ini'.
Anyway, it's fun to play with.
You should end up with a procedure that looks like this:
Each time, you have these two conditional jumps to NOP.
At this point the basic reverse kiddie will load SpyEye and say 'hurray, it's unlocked!'
Unlocked, yes, but only unlocked.
SpyEye has some 'hardcore' checks when you try to build a bin (similar to 1.2.x), depending on the license or some other parameters I have not really looked into.
Once again it takes some more thought; to find them I deliberately made SpyEye show me errors like 'Encryption key is too small' and traced the rest when it broke, etc.
Finally I get here, and these strings seem generic across 1.3.x:
Each time we get the bad flag.
After that, you can say it's unlocked.
There is also a 'simple' technique for doing an inlined version.
May only the challenge guide you; even if I'm borderline already, I will not discuss this: remember that VMProtect is a commercial application.
Edit: thanks to Groove for this funny video :)
Edit 20/08/2011: Some guys asked me how to hide the debugger...
Here is my OllyDbg configuration:
:: Debugging options
- Make first pause at: System breakpoint
:: Plugins
Hide debugger v1.2.4:
- FindWindow/EnumWindows
- TerminateProcess
- Detach
Phant0m 1.54:
- Change Olly caption
StrongOD v0.3.7.667:
- HidePED
- !*PatchFloat
- *KernelMode
- Remove EP one-shot
- Anti Anti_attach
- !*Kill BadPE Bug
- CreateProcess option: Normal
That's all.
Is there any "good boy message"? If it goes with the "JE", editing it to "JNE" would make it work?

Which jump, which offset?

There is no 'good boy': if the serial is OK, SpyEye loads, end of the story; otherwise serial.txt is not found or is bad.
Hmmm ok, I thought it would say something like "version valid, serial valid", etc.

Can you explain this to me:

When you crack using your method, is the timestamp always going to be the same? Like on your screenshot?
Will the license owner name be wiped to "[]" too?
Btw, offsets are the same in my version. Is it standard or do we own the same builder? :)
Dunno for the timestamp; I think everyone has the same build.

License is wiped to '[]' because there is no information related to the owner name in the license file.
Where can I download the build?

Hi, I tried googling and using plugins, but when I click plugin it says debugger detected. How to fix that? And nice tut, thank you.

Hi, do you know any helpful tutorial on how to bypass debugger detection? Because SpyEye detects Olly every time I try to do this.

Thanks for this tut.
There are many techniques for anti-debug bypass: kill the monitoring thread, hook IsDebuggerPresent() to always return false, etc., etc.

Wonderful.

How did you bypass the anti-debugger?

Your loader does not work... it still says: Cannot find serial.txt.

Do you have a crack I could use, rather than going through all that debugging to crack it manually?
I have created a simple OllyDbg script!

Save it to a txt file!
Hide your Olly debugger and run this script!
http://pastebin.com/kgzqKC9V
Post your script again.

Where are some working plugins for this version? All I can find is backdoors, backdoors, dude. I have been looking to analyze them for some time now.

Hello Steven, many thanks for your work!

Does anybody have an idea where I can get a clean copy of the SpyEye sources? Thanks!