Tuesday 9 August 2011

Cracking SpyEye 1.3.x


I will try to keep this simple.
SpyEye is protected with VMProtect, so there are two easy ways to deal with it:
- Loader

Load SpyEye into Olly and run it; in theory you get this:

When you get it, just push pause and check your call stack window.

Double-click the 'Called from' line that uses the API MessageBoxExA.
Set a breakpoint on the return instruction and resume your SpyEye thread, then push the OK button of the 'can't find serial blahblah...' message box.


Step over! (F8)


And if you scroll down, you will see the typical VMP error checks:

The goal is to land on the line under the JMP; once that is done, SpyEye will load correctly.
Patch the code wherever you prefer so that SpyEye loads.


Pwned with a 5-byte modification (lame, huh?)


Now for the Anti-Rapport, FF webinjects, etc.
Search for all referenced text strings and look for the ones that could be interesting (or, if you are a real l33th4x0rz, just trace the code until you reach the Anti-Rapport stuff).


The strings nearer the top are related to 'settings.ini'.
Anyway, it's fun to play with.


You should have a procedure that looks like this:



Each time, here, you have these two conditional jumps to NOP.


Here the basic reverse kiddie will load SpyEye and say 'hurray, it's unlocked!'
Unlocked, yes, but only unlocked.
SpyEye has some 'hardcore' checks when you try to build a bin (similar to 1.2.x), depending on the license or some other parameters I haven't really looked into more deeply.
Once again it takes some more thought. To find them, I deliberately made SpyEye show me some errors like 'Encryption key is too small' and traced the rest once it broke, etc.
Finally I got here, and these strings seem generic across 1.3.x:


Each time, we get the bad flag.


After that, you can say it's unlocked.
There is also a 'simple' technique for making an inlined version.


May only the challenge guide you. Even if I'm borderline here, I will not discuss this further; remember that VMProtect is a commercial application.

Edit: thanks to Groove for this funny video :)

Edit 20/08/2011: Some guys asked me how to hide the debugger...
Here is my OllyDbg configuration:

:: Debugging options
- Make first pause at: System breakpoint

:: Plugins
Hide debugger v1.2.4:
- FindWindow/EnumWindows
- TerminateProcess
- Detach

Phant0m 1.54
- Change Olly caption

StrongOD v0.3.7.667:
- HidePED
- !*PatchFloat
- *KernelMode
- Remove EP one-shot
- Anti Anti_attach
- !*Kill BadPE Bug
- CreateProcess option: Normal

That's all.

16 comments:

  1. Is there any "good boy message"? If it goes with the "JE", would editing it to "JNE" make it work?
  2. Which jump, which offset?
    There is no 'good boy': if the serial is OK, SpyEye loads, end of story; otherwise serial.txt is not found or is bad.
  3. Hmmm ok, I thought it would say something like "version valid, serial valid", etc.
  4. Can you explain this to me:

    When you crack using your method, is the timestamp always going to be the same? Like on your screenshot?

    Will the license owner name be wiped to "[]" too?

    Btw, the offsets are the same in my version. Is that standard, or do we own the same builder? :)
  5. Dunno for the timestamp; I think everyone has the same build.
    The license is wiped to '[]' because there is no information related to the owner name in the license file.
  6. Where can I download the build?
  7. Hi, I tried googling and using plugins, but when I click the plugin it says debugger detected. How to fix that? And nice tut, thank you.
  8. Hi, do you know any helpful tutorial on how to bypass debugger detection? Because SpyEye detected Olly every time I tried to do this.

    Thanks for this tut.
  9. There are many techniques for anti-debug bypass: kill the monitoring thread, hook IsDebuggerPresent() to always return false, etc., etc.
  10. How did you bypass the anti-debugger?
  11. Your loader does not work.... It still says: Cannot find serial.txt.

    Do you have a crack I could use... rather than going through all that debugging to crack it manually?
  12. I have created a simple OllyDbg script!
    Save it to a txt file!
    Hide your Olly debugger and run this script!
    http://pastebin.com/kgzqKC9V
  13. Post your script again.
  14. Where are some working plugins for this version? All I can find is backdoors, backdoors, dude. I have been looking to analyze them for some time now.
  15. Hello Steven, many thanks for your work!

    Does anybody have an idea where I can get a clean copy of the SpyEye sources? Thanks!