I'll try to keep this simple.
SpyEye is protected with VMProtect, so here are two easy ways in:
Load SpyEye into OllyDbg and run it; in theory you get this:
When you get it, just hit pause and check your call stack window.
Double-click the 'Called from' line that uses the MessageBoxExA API.
Set a breakpoint on the return instruction and resume the SpyEye thread, then push the OK button of the 'can't find serial blahblah..' message box.
Step over (F8)!
If you scroll down, you will see the typical VMProtect error checks:
The goal is to land on the line just under the JMP; once you do, SpyEye loads correctly.
Patch the code wherever you like to make SpyEye load.
Pwned with a 5-byte modification (lame, huh?)
Now for the Anti-Rapport, FF (Firefox) webinjects, etc.
Search for all referenced text strings and look for any that seem interesting (or, if you are a real l33th4x0rz, just trace the code until you reach the Anti-Rapport stuff).
The strings nearer the top are related to 'settings.ini'.
Anyway, it's fun to play with.
You should end up at a procedure that looks like this:
Each time, here, you have these two conditional jumps to NOP out:
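As an added example (not code from the original post, and nothing to do with SpyEye's actual bytes or offsets), here is the byte-level side of the patches described above, the way you would apply them in OllyDbg or a hex editor once the check is located: NOP-ing a conditional jump so execution always falls through, flipping it into an unconditional jump so the branch is always taken, and writing a 5-byte near JMP (E9 rel32) to skip straight over a block of checks. The post does not say what its own 5-byte patch was; the near JMP is simply the classic 5-byte patch. The x86 buffer below is constructed for illustration.

```python
"""Added example (not from the original post): the byte-level patches one
applies in OllyDbg once a check has been located. Everything here operates
on a constructed x86 byte buffer; none of it is SpyEye's code or offsets."""
import struct

NOP = 0x90


def jcc_length(buf: bytes, off: int) -> int:
    """Length of the conditional jump at buf[off]: 2 for a short Jcc
    (70..7F rel8), 6 for a near Jcc (0F 80..8F rel32). Raises ValueError
    if the bytes at off are not a Jcc."""
    op = buf[off]
    if 0x70 <= op <= 0x7F:
        return 2
    if op == 0x0F and off + 1 < len(buf) and 0x80 <= buf[off + 1] <= 0x8F:
        return 6
    raise ValueError(f"no conditional jump at offset {off:#x} (opcode {op:#04x})")


def jcc_target(buf: bytes, off: int) -> int:
    """Branch target of the Jcc at off (offset relative to the start of buf)."""
    n = jcc_length(buf, off)
    if n == 2:
        rel = struct.unpack_from("<b", buf, off + 1)[0]
    else:
        rel = struct.unpack_from("<i", buf, off + 2)[0]
    return off + n + rel


def nop_jcc(buf: bytearray, off: int) -> int:
    """Replace the Jcc at off with NOPs so execution always falls through
    (the "NOP the two conditional jumps" patch). Returns bytes written."""
    n = jcc_length(buf, off)
    buf[off:off + n] = bytes([NOP]) * n
    return n


def force_jcc(buf: bytearray, off: int) -> int:
    """Turn the Jcc at off into an unconditional jump of the same length, so
    the branch is always taken. Short: EB rel8. Near: 90 E9 rel32, where
    rel32 is unchanged because the JMP starts one byte later and is one
    byte shorter than the Jcc it replaces."""
    n = jcc_length(buf, off)
    if n == 2:
        buf[off] = 0xEB
    else:
        buf[off] = NOP
        buf[off + 1] = 0xE9
    return n


def write_jmp_rel32(buf: bytearray, off: int, target: int) -> bytes:
    """Write a 5-byte near JMP (E9 rel32) at off that lands on target."""
    rel = target - (off + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    patch = b"\xe9" + struct.pack("<i", rel)
    buf[off:off + 5] = patch
    return patch


# Constructed sample (not SpyEye):
#   00: 31 C0              xor eax, eax
#   02: 85 C0              test eax, eax
#   04: 74 03              je short 0x09
#   06: B0 01              mov al, 1
#   08: C3                 ret
#   09: 0F 85 00 00 00 00  jne near 0x0F
#   0F: C3                 ret
SAMPLE = bytes.fromhex("31c085c07403b001c30f8500000000c3")


def demo() -> dict:
    """Apply each kind of patch to its own copy of SAMPLE and return the results."""
    nopped = bytearray(SAMPLE)
    nop_jcc(nopped, 4)
    nop_jcc(nopped, 9)
    forced = bytearray(SAMPLE)
    force_jcc(forced, 4)
    force_jcc(forced, 9)
    jumped = bytearray(SAMPLE)
    patch = write_jmp_rel32(jumped, 0, 0x0F)
    return {
        "targets": (jcc_target(SAMPLE, 4), jcc_target(SAMPLE, 9)),
        "nopped": bytes(nopped),
        "forced": bytes(forced),
        "jmp_patch": patch,
        "jumped": bytes(jumped),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(name, val.hex() if isinstance(val, bytes) else val)
```

In a debugger these offsets would be virtual addresses; to make the patch persistent on disk you translate the VA to a file offset through the section table first, which is a separate step this example leaves out.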
At this point the basic reverse kiddie will load SpyEye and say 'hurray, it's unlocked!'
Unlocked, yes, but only unlocked.
SpyEye has some 'hardcore' checks when you try to build a bin (similar to 1.2.x), depending on the license and some other parameters I haven't really looked into deeper.
Once again it takes a bit more thought. To find them, I deliberately made SpyEye show me errors like 'Encryption key is too small', then traced the rest once it broke, etc.
Finally I got here, and these strings seem generic across 1.3.x:
Each time we hit the bad flag:
After that, you can say it's unlocked.
There is also a 'simple' technique for doing an inline-patched version.
Let the challenge be your only guide. Even if I'm already borderline here, I won't discuss that part; remember that VMProtect is a commercial application.
Edit: thanks to Groove for this funny video :)
Edit 20/08/2011: Some people asked me how to hide the debugger...
Here is my OllyDbg configuration:
:: Debugging options
- Make first pause at: System breakpoint
Hide debugger v1.2.4:
- Change Olly caption
- Remove EP one-shot
- Anti Anti_attach
- !*Kill BadPE Bug
- CreateProcess option: Normal