Jump to content
Tuts 4 You

Spotify vs OllyDbg


Recommended Posts

Spotify for Windows contains code so awesome that OllyDbg can't look at it without crashing.

The protection exploits, among other things, a Borland library bug that apparently has gone undetected since 1991. Let's start at the beginning.

If you haven't seen it, Spotify is a music player similar to iTunes, except that it uses a massive distributed music library. It's ad-supported (banners + occasional radio ads), but comes with a nice party mode: If you're using it as a jukebox for your party, you can pay a token $1 to disable the ads for the day.

OllyDbg is a lovely Windows debugger written by Oleh Yuschuk.

Full story

Link to comment
Share on other sites

It's just Themida. Nice workaround to the fpu bug though..

7C90120F   -------------
79B000 Modulebase: 00400000
79B000 Code & IAT Section: 00401000
7C809AFA VM is located in the Themida/Winlicense section.
6E5BF9 ---------------[Extracted info]-----------------
6E5BF9 --- Themida Professional ---
6E5BF9 --- (c)2009 Oreans Technologies ---
6E5BF9 Version; 2.062
6E5BF9 ------------------------------------------------

Ahh all advertising stuff is in codeencrypt functions. :)

To prevent non ad versions..

Edited by quosego
Link to comment
Share on other sites

Themida has been using that trick forever.

Ooops quosego beat me to it.

Edited by Loveless
Link to comment
Share on other sites

Peter Ferrie

Yeah, the FPU bug is well known, there is a second value that produces the same effect, and the fix is wrong. :-)

See my Anti-Unpacker Tricks 2 paper (http://pferrie.tripod.com) parts 1 (shows the second value) and 6 (shows the correct fix).

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...