Spotify vs OllyDbg

[Shaneyboy]

Spotify for Windows contains code so awesome that OllyDbg can't look at it without crashing.

The protection exploits, among other things, a Borland library bug that apparently has gone undetected since 1991. Let's start at the beginning.

If you haven't seen it, Spotify is a music player similar to iTunes, except that it uses a massive distributed music library. It's ad-supported (banners + occasional radio ads), but comes with a nice party mode: If you're using it as a jukebox for your party, you can pay a token $1 to disable the ads for the day.

OllyDbg is a lovely Windows debugger written by Oleh Yuschuk.

Full story

http://www.steike.com/code/spotify-vs-ollydbg/

[quosego]

It's just Themida. Nice workaround to the fpu bug though..

7C90120F   -------------
79B000	 Modulebase: 00400000
79B000	 Code & IAT Section: 00401000
7C809AFA   VM is located in the Themida/Winlicense section.
6E5BF9	 ---------------[Extracted info]-----------------
6E5BF9	 ---		  Themida Professional			---
6E5BF9	 ---	  (c)2009 Oreans Technologies		 ---
6E5BF9					Version; 2.062
6E5BF9	 ------------------------------------------------

Ahh all advertising stuff is in codeencrypt functions.

To prevent non ad versions..

Edited May 26, 2009 by quosego

[Loveless]

Themida has been using that trick forever.

Ooops quosego beat me to it.

Edited May 26, 2009 by Loveless

[Peter Ferrie]

Yeah, the FPU bug is well known, there is a second value that produces the same effect, and the fix is wrong. :-)

See my Anti-Unpacker Tricks 2 paper (http://pferrie.tripod.com) parts 1 (shows the second value) and 6 (shows the correct fix).