Shifting yourself to space

May 28, 2011

The case of the spying eyes: The third eye

Filed under: Uncategorized — shift32 @ 4:52 pm

About an hour ago I managed to fully unpack SpyEye. My work had been stopped by other commitments, but this morning I promised myself that I'd try to finish the initial analysis.

The sample I have of SpyEye is triple packed, with three layers of known packers; the configuration stub crypto, and probably everything else, is a totally different topic.
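Before working through the layers by hand it helps to know which packer each one is. The script below is an added example, not code from the post: it walks the PE section table, names the packer from well-known section names (a small heuristic table assumed here, not an authoritative signature set), and reports the entropy of the section that owns the entry point, since a value close to 8 is what a packed layer looks like. The two PE images it inspects are constructed inside the script, not real samples.

```python
import math
import struct

# Section names the packers mentioned in the post usually leave behind
# (assumption: a small heuristic table, not an authoritative signature set).
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack", b".adata": "ASPack"}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for padding or NOP sleds, close to 8 for compressed/encrypted data."""
    n = len(buf)
    return sum(-(c / n) * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0

def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint in the optional header
    secs = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i  # section table follows the optional header
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0"), va, vsize, rptr, rsize))
    return entry, secs

def triage(data: bytes) -> dict:
    """Name the outer packer if recognised, plus the section owning the EP and its entropy."""
    entry, secs = parse_pe(data)
    packer = next((PACKER_SECTIONS[n] for n, *_ in secs if n in PACKER_SECTIONS), None)
    ep = next((s for s in secs if s[1] <= entry < s[1] + max(s[2], s[4])), None)
    ent = shannon_entropy(data[ep[3]:ep[3] + ep[4]]) if ep else 0.0
    return {"packer": packer, "ep_section": ep[0].decode() if ep else None, "ep_entropy": round(ent, 2)}

def build_sample(names, code: bytes) -> bytes:
    """Constructed minimal PE32 (not a real binary): `code` is the raw data of the second section, which owns the EP."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x2010)).ljust(0xE0, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    secs = b""
    for i, n in enumerate(names):
        rsize, rptr = (len(code), 0x200) if i == 1 else (0, 0)
        secs += n.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), rsize, rptr) + bytes(16)
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + code

# Constructed samples: a UPX-style layout whose EP section is maximally random, and a plain one.
PACKED = build_sample([b"UPX0", b"UPX1", b".rsrc"], bytes(range(256)) * 4)  # packer 'UPX', EP in 'UPX1', entropy 8.0
PLAIN = build_sample([b".data", b".text"], b"\x90" * 0x200)                # packer None, EP in '.text', entropy 0.0
```

Run triage() on each layer you dump from the debugger; a recognised packer name or a near-8 entropy on the EP section means there is still another layer to peel.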

UPX is quite easy to unpack: when you load the sample in OllyDbg you begin at the usual “pusha” instruction.

The first thing to do is scroll down until you reach a long run of “db 00” and set a breakpoint at

sub esp,-80
jmp entryPoint

This is the last jump before you hit the entry point of the executable; in our case we'll hit the EP of ASPack, since my sample is triple packed.

To get at the decryptor stub, we set a breakpoint on VirtualAlloc, as this is the function used to allocate the space for it.

Once we hit VirtualAlloc, we step over it and return to the caller; the return value in eax tells us where the decryption stub will be written.

So we set a memory breakpoint on the address in eax and run. We hit a rep stos instruction, which copies the decrypted stub into that location, and step over it to complete the copy.

Right now we have the function which decrypts the real (UPX-packed) executable code; I'll try to analyze it once I finish the overall analysis. To get to the real entry point, we have two possibilities:
1. Step the code and look for interesting writes and reads
2. Set a bp at the function which allocates space for the EP

The first option would work even if we didn't know which function is used to allocate the EP, but it would be tedious work.
The second option is easier: assuming we don't know which function actually writes the EP code, we set a bp on every interesting allocation function, which includes (amongst others) VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory, GlobalAlloc, HeapAlloc, etc.
I had a few hints from friends and managed to figure out that the function is ZwAllocateVirtualMemory.

I set a bp on ZwAllocateVirtualMemory and hit F9 in Olly; the first hit was the routine which copies the decrypted PE.

Once the PE has been written to its original place, hit “execute till return” twice and you'll reach a ret that takes you into ZwFreeVirtualMemory; return from there and you'll land on the EP.
You're now at the EP of the UPX-packed code, which is once again quite easy to unpack: just jump to the real EP and have fun.

To be continued.

Edit: the post is a bit messy; I'll rewrite it later on.


5 Comments »

  1. Hi, I'm following this series of SpyEye posts with interest, as I'm going through my first malware analysis with the same sample. One problem I'm finding is that the top images in your last post are blurry/low-res, so I cannot make out the text, which makes it hard to follow along, especially when I don't know all the jargon yet :-). Great series of posts, by the way; this sample is a real killer for me.

    Comment by Operator — May 30, 2011 @ 8:29 pm | Reply

    • Hey

      Here are the links to the original pictures; WordPress seems to shrink them and make them low quality.

      I hope it helps.

      Comment by shift32 — May 30, 2011 @ 8:37 pm | Reply


  3. Can you please make a video about how to unpack SpyEye step by step with IDA Pro 6.1 or OllyDbg? I really need it, as I am reversing SpyEye and having difficulty.

    I appreciate your help.

    mohaab007(>)(.)gmail.com

    Thanks very much.

    Comment by Mohamed Ramadan — June 22, 2011 @ 7:53 pm | Reply

  4. You post very interesting content here. Your blog deserves
    many more visitors. It can go viral if you give it an initial
    boost; I know a useful tool that can help you, just type in Google: svetsern traffic tips

    Comment by Dora — January 2, 2015 @ 5:42 pm | Reply
