About an hour ago I managed to fully unpack SpyEye, my work was stopped due to other commitments but this morning I promised myself that I’ll try finishing the initial analysis.
The sample I have of SpyEye is triple packed with three layers of known packers, the configuration stub crypto and probably anything else is totally different topic
UPX is quite easy to unpack, basically when you hook up olly you begin at the regular “pusha” instruction
The first thing you gotta do is just scroll down until you meet lots of “db 00”
and set a breakpoint at
sub esp,-80 jmp entryPoint
This would be the last jump before you hit the entry point of the executable, in our case – we’ll hit the ep of ASPack, since my sample is triple packed
In order to get the decryptor stub, we’ll be setting a breakpoint at VirtualAlloc, as this is the function which is used to allocate the space for the function,
Once we hit VirtualAlloc, we’ll step over and return to the caller, we could see where the decryption stub will be written to by the return value of eax
So we set a memory bp on the address eax points to and run –
we hit one rep stos instrcution which copies the decrypted stub into the location and hit step over to complete the copy process
Right now we have the function which decrypt the real (packed with UPX) exectuable code, I’ll try to analyze it once I’ll finish the global analysis, in order to get to the real entrypoint, we have two possibilities:
1. Step the code and look for interesting writes and reads
2. Set a bp at the function which allocates space for the EP
The first option would work if we didn’t know which function is used to allocate the EP, however it would be tedious work.
The second option is quite easier, as assuming we don’t know which function actually writes the EP code, we set a bp on every interesting allocation function, this includes – (amongst others) – VirtualAlloc, VirtualAllocEx, NtAllocateVirtualMemory, GlobalAlloc, HeapAlloc, etc
I’ve had a few hints from friends and managed to figured that the function is ZwAllocateVirtualMemory
I’ve set a bp on ZwAllocateVirtualMemory and hit F9 in olly, the first occurrence was the routine which copies the decrypted PE.
Once the PE was written to it’s original place just hit twice “execute till return” and you’ll hit a ret that get you into ZwFreeVirtualMemory, return there and you’ll hit the EP
You’re now in the EP of the UPX packed code, as this is – once again – quite easy to unpack –
just jump to the real EP and have fun
To be continued.
Edit: the post is a bit messy, I’ll rewrite it later on